[CentOS] SElinux suggestions needed: migrating backup service

Leon Fauster leonfauster at googlemail.com
Mon Oct 24 23:43:15 UTC 2016 

Am 24.10.2016 um 23:44 schrieb Gordon Messmer <gordon.messmer at gmail.com>:
> On 10/24/2016 09:53 AM, Leon Fauster wrote:
>> Any suggestions to avoid the default labeling "unconfined_u:object_r:locale_t:s0"?
> 
> 
> Not off the top of my head.  I think you need to either a) not try to preserve the labels or b) run the backup as a user which can manage labels.  What is the rsync command you are currently using, and what user does rsync run as on the backup server?


Plain rsync -aHAX with some excludes and executed as root on the backup system.

Doing so I get:
<snip>
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.alias","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ccwmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.dep","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ieee1394map","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.inputmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.isapnpmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.ofmap","security.selinux") failed: Permission denied (13)
rsync: rsync_xal_clear: lremovexattr("lib/modules/2.6.18-412.el5/modules.pcimap","security.selinux") failed: Permission denied (13)
<snip>
 

The thing is, that files from the source system that doesn't have a label get a new 
one on the destination system. Here is some kind of inheritance in place.

client# ls -laZ /lib/modules/2.6.18-412.el5/modules.*
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.alias
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.ccwmap
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.dep
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.ieee1394map
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.inputmap
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.isapnpmap
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.ofmap
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.pcimap
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.seriomap
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.symbols
-rw-r--r--  root root                                  /lib/modules/2.6.18-412.el5/modules.usbmap


backupserver# ls -laZ daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.*
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.alias
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ccwmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.dep
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ieee1394map
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.inputmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.isapnpmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.ofmap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.pcimap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.seriomap
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.symbols
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 daily.0/ee-sl1/lib/modules/2.6.18-412.el5/modules.usbmap


Using rsync -aHA (without X) circumvent the output but its still unclear what exactly triggers 
the above output.  The next weekend seems to be reserved for a SElinux dive thought ...

--
LF

More information about the CentOS mailing list