On 27/01/16 03:06 PM, Stefan G. Weichinger wrote:
On 2016-01-27 at 00:04, Uwe Menges wrote:
On 01/26/16 12:27, Stefan G. Weichinger wrote:
fedora tells me to use star:
https://fedoraproject.org/wiki/SELinux_FAQ#How_can_I_back_up_files_from_an_SELinux_file_system.3F
I think this is outdated, GNU tar seems to be able to preserve SELinux
contexts with GNU tar as well in the meanwhile (--selinux option, see
info pages, it's not mentioned in the man page).
Ok, this might be worth more tests after having selinux turned off or at
least permissive. The --selinux option would have to be explicitly
enabled in a specific dumptype? Or does amanda use it with gnu-tar anyway?
$ man amgtar
SELINUX
Default "NO". If "YES", gnutar will preserve SELinux extended
attributes on Linux. This corresponds to the --selinux gnutar
option. Requires a GNU Tar with nonstandard extended attribute
patches from the Fedora Project.
Aside from the details here, is there a recommended howto for this?
I think running in permissive and fixing the issues that appear in
audit.log is the way to go (by either labeling the FS correctly, or by
changing the policy). I'm a bit puzzled because you get different
SELinux messages than me. I opened a BZ for fowner capability of tar:
https://bugzilla.redhat.com/show_bug.cgi?id=1280526 (that was on F22, I
updated to F23 in the meanwhile).
Sorry, I'm not a SELinux expert.
When amgtar executes tar, then that tar must be able to read all files.
your bz seems without echo .. :(
I don't know where our F23-systems might differ, this is a bit OT here
maybe?
My current workaround is to setenforce permissive at the beginning of my
backup script and reset it to enforcing at the end.
worth a try.
FWIW, there is also a bug with the F23-shipped amanda (or with perl,
someone with deeper perl knowledge than me needs to judge that):
https://bugzilla.redhat.com/show_bug.cgi?id=1262571
use: my $to_report = !defined $tries || !@$tries;
Jean-Louis
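
The thread suggests running permissive and fixing what shows up in audit.log. As an added example (not part of the original messages, and not Amanda or Fedora code), this sketch groups the AVC denials recorded for one command so each row points at a label or policy rule to review. The helper names sample_audit_log and summarize_avc are hypothetical, and the log records are constructed.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials logged for one command.
# sample_audit_log and summarize_avc are hypothetical helper names.

# Constructed audit.log records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1453900001.101:501): avc:  denied  { read } for  pid=2101 comm="tar" name="shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1453900001.105:502): avc:  denied  { open } for  pid=2101 comm="tar" path="/etc/shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1453900002.220:503): avc:  denied  { fowner } for  pid=2101 comm="tar" capability=3  scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:system_r:amanda_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1453900003.330:504): avc:  denied  { read } for  pid=2101 comm="tar" name="gshadow" dev="dm-0" ino=1312 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1453900004.440:505): arch=c000003e syscall=2 success=yes exit=3 pid=2101 comm="tar" exe="/usr/bin/tar"
type=AVC msg=audit(1453900005.550:506): avc:  denied  { getattr } for  pid=900 comm="sshd" path="/etc/shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
EOF
}

# stdin: audit.log text; $1: command name as it appears in comm="...".
# Prints "<count> <tclass> <target type> <permission>", sorted by class/type.
summarize_avc() {
    awk -v want="comm=\"$1\"" '
    /avc:/ && /denied/ && index($0, want) {
        # Permission list sits between the braces: { read open }
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        tclass = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            # tcontext is user:role:type:level; the type is what policy keys on
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) count[tclass " " ttype " " p[j]]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k2
}

# Real use: summarize_avc tar < /var/log/audit/audit.log
sample_audit_log | summarize_avc tar
```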