On 02/19/2014 04:54 PM, Jan Pazdziora wrote: > On Wed, Feb 19, 2014 at 04:37:05PM +0100, Tomas Babej wrote: >> Hi, >> >> When restoring files from backup, we do use an incorrect order of >> operations - we first restore SELinux context and then copy the >> files from backup, when we need to do the exact opposite. >> >> https://fedorahosted.org/freeipa/ticket/4133 >> >> >From 3c1da9e7265bfb303cd4b9751c5b32b04d502431 Mon Sep 17 00:00:00 2001 >> From: Tomas Babej <[email protected]> >> Date: Wed, 19 Feb 2014 16:31:12 +0100 >> Subject: [PATCH] ipatests: Fix incorrect order of operations when restoring >> backup >> >> When restoring files from backup, we do use an incorrect order of >> operations - we first restore SELinux context and then copy the >> files from backup, when we need to do the exact opposite. >> >> https://fedorahosted.org/freeipa/ticket/4133 >> --- >> ipatests/test_integration/tasks.py | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/ipatests/test_integration/tasks.py >> b/ipatests/test_integration/tasks.py >> index >> 9a6ea3fa548a53d6e5ab6d19783227c2d956a001..b785f28190ed39a0ac45ff5b69e3b474e2634278 >> 100644 >> --- a/ipatests/test_integration/tasks.py >> +++ b/ipatests/test_integration/tasks.py >> @@ -137,7 +137,7 @@ def restore_files(host): >> >> # Run both commands in one session. For more information, see: >> # https://fedorahosted.org/freeipa/ticket/4133 >> - host.run_command('%s ; (%s ||:)' % (restorecon_command, >> copyfiles_command)) >> + host.run_command('%s ; (%s ||:)' % (copyfiles_command, >> restorecon_command)) > ACK -- having the files in place is definitely useful if we then want > to find them there. > > However: since this is about restoring a backup, can't the backup > contain the extended attributes, so that the SELinux context gets > restored to the original state (which could be different from what > the restorecon will give you)? > Yes, it could. Preserving the context is not hard, we can just use:
cp --preserve=context for backup & restore. But as others mention, we rather work with a "return-to-the-sane-state" rather than "return-to-the-previous-state" assumption here. -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
