
There is an interesting read about the pros and cons of backing up SELinux contexts: http://danwalsh.livejournal.com/48936.html. I'm not sure this helps, but I've made some experiments with tar/rsync (see http://www.cyberciti.biz/faq/linux-tar-rsync-preserving-acls-selinux-contexts/) and they seem to work "more or less" for incremental backups with SELinux enforcing. I have noticed that the context is not handled correctly when making backups of some directories, depending on whether it is run as root or not (directories like /tmp, but who wants to back up /tmp?). This, and the fact that complete tutorials on how to handle backups with SELinux are hard to find, suggests that the problem is tricky.

Example for Fedora 19, for reference, in case someone wants to experiment more:

su -
cd
# tar won't get the correct selinux context if "cd /tmp" instead, run as root or not!
# rsync will get the correct context if "cd /tmp" and run as root!
mkdir d1
touch d1/f{1,2}

ls -lZ d1
# -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 f1
# -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 f2

# initial backup with tar
# see http://www.gnu.org/software/tar/manual/html_node/Incremental-Dumps.html
tar --listed-incremental=/tmp/d1.snar --selinux --acls --xattrs -cvf /tmp/d1.00.tar d1
# tar: d1: Directory is new
# d1/
# d1/f1
# d1/f2
cp -p /tmp/d1.snar /tmp/d1.00.snar

# initial backup with rsync
rsync -av -A -X d1 /tmp/rsyncbackup
# ...
# created directory /tmp/rsyncbackup
# d1/
# d1/f1
# d1/f2
# ...

# now change a context of a file
chcon system_u:object_r:rpm_tmp_t:s0 d1/f2

tar --listed-incremental=/tmp/d1.snar --selinux --acls --xattrs -cvf /tmp/d1.01.tar d1
# d1/
# d1/f2
cp -p /tmp/d1.snar /tmp/d1.01.snar

rsync -avv -A -X d1 /tmp/rsyncbackup
# ...
# d1/f1 is uptodate
# d1/f2 is uptodate  # rsync reports uptodate, but copies the file anyway
# ...

mkdir /tmp/tarbackup && cd /tmp/tarbackup
tar --listed-incremental=/dev/null --selinux --acls --xattrs -xvf /tmp/d1.00.tar
tar --listed-incremental=/dev/null --selinux --acls --xattrs -xvf /tmp/d1.01.tar

ls -lZ /tmp/{rsync,tar}backup/d1
# -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 f1
# -rw-r--r--. root root system_u:object_r:rpm_tmp_t:s0   f2
# ...

Bacula is also supposed to support SELinux: http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3037344
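
One way to check the outcome of experiments like the one above, added here as an example that is not part of the original answer: record each file's SELinux context in a manifest before the backup and after the restore, then compare the two. The function names, the manifest format and the sample labels in `demo` are assumptions constructed for illustration.

```shell
# Added example, not from the original answer. Function names and the
# "context<TAB>path" manifest format are assumptions of this sketch.

# Record the SELinux context of every entry below directory $1.
# Needs GNU find on an SELinux system (%Z = security context).
context_manifest() {
    (cd "$1" && find . -mindepth 1 -printf '%Z\t%P\n')
}

# Compare a source manifest ($1) with a backup manifest ($2).
# Prints one line per difference; returns non-zero if labels differ.
compare_manifests() {
    awk -F '\t' '
        FILENAME == ARGV[1] { src[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in src))       { print "EXTRA " $2; bad = 1 }
            else if (src[$2] != $1) { print "MISMATCH " $2 " " src[$2] " -> " $1; bad = 1 }
        }
        END {
            for (p in src) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad + 0
        }' "$1" "$2"
}

# Constructed sample: source labels as in the listing above, and a
# restored copy in which f2 did not keep its label.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\t%s\n' \
        unconfined_u:object_r:admin_home_t:s0 f1 \
        system_u:object_r:rpm_tmp_t:s0 f2 > "$tmp/src.ctx"
    printf '%s\t%s\n' \
        unconfined_u:object_r:admin_home_t:s0 f1 \
        unconfined_u:object_r:user_tmp_t:s0 f2 > "$tmp/bak.ctx"
    rc=0
    compare_manifests "$tmp/src.ctx" "$tmp/bak.ctx" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "backup labels differ from source"
```

On a real system, run `context_manifest d1 > src.ctx` and `context_manifest /tmp/tarbackup/d1 > bak.ctx`, then `compare_manifests src.ctx bak.ctx`. File names containing tabs or newlines are not handled.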
