Context Navigation

← Previous Ticket
Next Ticket →

#388 closed defect (fixed)

xattr for sym-links not backed-up preventing normal system-boot after restore if SELINUX=enforced

Reported by:	kritzenthaler	Owned by:	Bruno Cornec
Priority:	high	Milestone:	2.2.9.2
Component:	mondo	Version:	2.2.9.1
Severity:	critical	Keywords:
Cc:

Description (last modified by Bruno Cornec)

This issue was observed on RHEL5.4 and is critical since we lose the capability to boot the system properly after restore if SELINUX=enforced.

The issue seem to have its root in the fact that sym-links xattr are not backed-up properly by Mondo. Because of that, it can prevent stuff from working after restore (boot/process/apps/...). At the moment, I do not know if the issue is RHEL5.4 specific or not. I do not see additional info from mondo log files since it seems the sym-links xattr are just skipped.

-------------------------
On a non-restored system:
-------------------------
# ll -Z /lib/libc.so.6
lrwxrwxrwx  root root system_u:object_r:lib_t          /lib/libc.so.6 -> libc-2.5.so

# ll -Z /lib/libc-2.5.so
-rwxr-xr-x  root root system_u:object_r:lib_t          /lib/libc-2.5.so

The LIB file and its sym-links are OK (same xattr)

---------------------------
On a mondo-restored system:
---------------------------
# ll -Z /lib/libc.so.6
lrwxrwxrwx  root root system_u:object_r:file_t         /lib/libc.so.6 -> libc-2.5.so

# ll -Z /lib/libc-2.5.so
-rwxr-xr-x  root root system_u:object_r:lib_t          /lib/libc-2.5.so

The LIB file is OK but its sym-links are not (lost xattr fro sym-links)

Because of that my RHEL5.4 system does not boot properly anylonger after mondo-restore if SELIUNX=enforced due to the following AVC access errors at boot on the following sym-links:

Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463460.671:3): avc:  denied  { read } for  pid=546 comm="restorecon" name="libc.so.6" dev=cciss/c0d0p3 ino=77288 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463460.851:4): avc:  denied  { read } for  pid=554 comm="hwclock" name="libaudit.so.0" dev=cciss/c0d0p3 ino=78962 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463461.647:5): avc:  denied  { read } for  pid=897 comm="pam_console_app" name="libpam.so.0" dev=cciss/c0d0p3 ino=79007 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463471.216:6): avc:  denied  { read } for  pid=2111 comm="pam_console_app" name="libpam.so.0" dev=cciss/c0d0p3 ino=79007 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463472.854:7): avc:  denied  { read } for  pid=2202 comm="microcode_ctl" name="libc.so.6" dev=cciss/c0d0p3 ino=77288 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463475.033:8): avc:  denied  { read } for  pid=2337 comm="mcstransd" name="libpthread.so.0" dev=cciss/c0d0p3 ino=77296 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463475.877:9): avc:  denied  { read } for  pid=2429 comm="ip" name="libresolv.so.2" dev=cciss/c0d0p3 ino=79009 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463475.892:10): avc:  denied  { read } for  pid=2439 comm="arping" name="libresolv.so.2" dev=cciss/c0d0p3 ino=79009 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file


Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463479.481:11): avc:  denied  { read } for  pid=2590 comm="auditd" name="libwrap.so.0" dev=cciss/c0d0p3 ino=78956 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file

Change History (4)

comment:1 by Bruno Cornec, 14 years ago

Description:	modified (diff)
Status:	new → assigned

comment:2 by Bruno Cornec, 14 years ago

Indeed it seems that on RHEL 5.4 no symlink are stored for xattr, not acl, even if they are in the filelist files. I continue investigating. At least reproduced.

comment:3 by Bruno Cornec, 14 years ago

I think this is fixed with rev [2549].

Please check with the version available at ftp://ftp.mondorescue.org/test/rhel/5/mondo-2.2.9.2-0.20100125130308.rhel5.x86_64.rpm (i386 version on its way as well).

comment:4 by Bruno Cornec, 14 years ago

Resolution:	→ fixed
Status:	assigned → closed

As of rev [2563], this problem should be completely solved. There was still an issue on setfattr which also required a -h.

Note: See TracTickets for help on using tickets.

Download in other formats: