On 24.10.2016 at 23:44, Gordon Messmer gordon.messmer@gmail.com wrote:
On 10/24/2016 09:53 AM, Leon Fauster wrote:
Any suggestions to avoid the default labeling "unconfined_u:object_r:locale_t:s0"?
Not off the top of my head. I think you need to either a) not try to preserve the labels or b) run the backup as a user which can manage labels. What is the rsync command you are currently using, and what user does rsync run as on the backup server?
Plain rsync -aHAX with some excludes and executed as root on the backup system.
Doing so I get:

<snip>
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.alias","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ccwmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.dep","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ieee1394map","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.inputmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.isapnpmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ofmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.pcimap","security.selinux") failed: Permission denied (13)
<snip>
The thing is that files from the source system that don't have a label get a new one on the destination system. There is some kind of inheritance in place.
client# ls -laZ /lib/modules/2.6.18-412.el5/modules.*
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.alias
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.ccwmap
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.dep
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.ieee1394map
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.inputmap
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.isapnpmap
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.ofmap
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.pcimap
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.seriomap
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.symbols
-rw-r--r-- root root /lib/modules/2.6.18-412.el5/modules.usbmap
backupserver# ls -laZ daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.*
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.alias
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ccwmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.dep
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ieee1394map
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.inputmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.isapnpmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ofmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.pcimap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.seriomap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.symbols
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.usbmap
Using rsync -aHA (without X) circumvents the output, but it's still unclear what exactly triggers the above output. The next weekend seems to be reserved for an SELinux dive, though ...
-- LF
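Triage helper for the rsync errors quoted in this thread, added here as an example (not code from the thread's participants). It extracts the xattr name and file path from each "rsync_xal_clear: lremovexattr(...)" line, so you can see at a glance which attribute rsync -X tried to clear on the backup server and which files are affected before deciding whether to drop -X or run the job in a domain that may manage labels. The sample stderr is constructed from the lines quoted above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of rsync's stderr, taken from the messages quoted in
# the thread. In real use, capture stderr: rsync ... 2>rsync.err
RSYNC_STDERR='rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.alias","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ccwmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.dep","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ieee1394map","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.inputmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.isapnpmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ofmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.pcimap","security.selinux") failed: Permission denied (13)
rsync: some unrelated message that must be ignored'

# Print "<xattr-name> <path>" for every lremovexattr failure line in $1.
# Lines that do not match the rsync_xal_clear pattern are dropped.
xattr_failures() {
    printf '%s\n' "$1" |
        sed -n 's/^rsync: rsync_xal_clear: lremovexattr("\([^"]*\)","\([^"]*\)") failed: .*$/\2 \1/p'
}

# Summary: how many files failed per xattr name, e.g.
#   8 security.selinux
xattr_summary() {
    xattr_failures "$1" | awk '{ print $1 }' | sort | uniq -c | sed 's/^ *//'
}

# Number of failures for one xattr name ($2) in stderr text ($1).
count_failures_for() {
    xattr_failures "$1" | awk -v name="$2" '$1 == name { n++ } END { print n + 0 }'
}

# Affected paths (one per line) for one xattr name ($2), relative to the
# rsync transfer root, ready to be checked on the source side.
paths_for() {
    xattr_failures "$1" | awk -v name="$2" '$1 == name { print $2 }'
}

# Stand-alone run: show the per-attribute summary and the affected files.
xattr_summary "$RSYNC_STDERR"
paths_for "$RSYNC_STDERR" security.selinux
```

The path list is what you would check on the source host with `ls -Z` (as done in the thread) or `getfattr -n security.selinux <file>`: files that carry no security.selinux attribute on the source are exactly the ones rsync -X will try to strip on the destination, where the kernel's SELinux policy denies the removal and relabels the copy by inheritance instead.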