Opened 15 years ago
Last modified 14 years ago
#388 closed defect
xattr for sym-links not backed-up preventing normal system-boot after restore if SELINUX=enforced — at Version 1
Reported by: | kritzenthaler | Owned by: | Bruno Cornec |
---|---|---|---|
Priority: | high | Milestone: | 2.2.9.2 |
Component: | mondo | Version: | 2.2.9.1 |
Severity: | critical | Keywords: | |
Cc: | | | |
Description
This issue was observed on RHEL5.4 and is critical since we lose the capability to boot the system properly after restore if SELINUX=enforced.
The issue seems to have its root in the fact that sym-link xattrs are not backed up properly by Mondo. Because of that, it can prevent stuff from working after restore (boot/process/apps/...). At the moment, I do not know if the issue is RHEL5.4 specific or not. I do not see additional info in the mondo log files since it seems the sym-link xattrs are just skipped.
On a non-restored system:

```
# ll -Z /lib/libc.so.6
lrwxrwxrwx root root system_u:object_r:lib_t /lib/libc.so.6 -> libc-2.5.so
# ll -Z /lib/libc-2.5.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib/libc-2.5.so
```
The LIB file and its sym-links are OK (same xattr)
On a mondo-restored system:

```
# ll -Z /lib/libc.so.6
lrwxrwxrwx root root system_u:object_r:file_t /lib/libc.so.6 -> libc-2.5.so
# ll -Z /lib/libc-2.5.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib/libc-2.5.so
```

The LIB file is OK but its sym-links are not (lost xattr for sym-links).
Because of that, my RHEL5.4 system does not boot properly any longer after mondo-restore if SELINUX=enforced, due to the following AVC access errors at boot on the following sym-links:
```
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463460.671:3): avc: denied { read } for pid=546 comm="restorecon" name="libc.so.6" dev=cciss/c0d0p3 ino=77288 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463460.851:4): avc: denied { read } for pid=554 comm="hwclock" name="libaudit.so.0" dev=cciss/c0d0p3 ino=78962 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463461.647:5): avc: denied { read } for pid=897 comm="pam_console_app" name="libpam.so.0" dev=cciss/c0d0p3 ino=79007 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463471.216:6): avc: denied { read } for pid=2111 comm="pam_console_app" name="libpam.so.0" dev=cciss/c0d0p3 ino=79007 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463472.854:7): avc: denied { read } for pid=2202 comm="microcode_ctl" name="libc.so.6" dev=cciss/c0d0p3 ino=77288 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463475.033:8): avc: denied { read } for pid=2337 comm="mcstransd" name="libpthread.so.0" dev=cciss/c0d0p3 ino=77296 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463475.877:9): avc: denied { read } for pid=2429 comm="ip" name="libresolv.so.2" dev=cciss/c0d0p3 ino=79009 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463475.892:10): avc: denied { read } for pid=2439 comm="arping" name="libresolv.so.2" dev=cciss/c0d0p3 ino=79009 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Jul 13 07:38:13 myhost kernel: type=1400 audit(1247463479.481:11): avc: denied { read } for pid=2590 comm="auditd" name="libwrap.so.0" dev=cciss/c0d0p3 ino=78956 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
```
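As an added post-restore check (not part of this ticket or of Mondo's code), the script below flags symlinks whose SELinux label differs from their target's, either live through the `security.selinux` xattr read on the link itself or offline from saved `ls -Z` output in the RHEL5 field layout shown above. A differing label is not always wrong, since the file_contexts policy decides the correct one, so hits are candidates to re-check with restorecon rather than proof of the defect; the sample listing is constructed from the ticket's restored-system output.

```python
import os
import re

def selinux_label(path, follow_symlinks):
    """Context from path's xattr, or None; follow_symlinks=False reads the link's own label."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=follow_symlinks)
    except OSError:
        return None
    return raw.rstrip(b"\0").decode()

def live_symlink_labels(root):
    """Yield (link, link_label, target_label) for each symlink under root; dangling -> None."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                yield path, selinux_label(path, False), selinux_label(path, True)

# RHEL5 `ls -Z` prints: mode user group context path [-> target]
LS_Z = re.compile(r"^(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)(?:\s+->\s+(\S+))?$")

def parse_ls_z(lines):
    """Map each listed path to (context, link_target_or_None)."""
    entries = {}
    for line in lines:
        m = LS_Z.match(line.strip())
        if m:
            mode, ctx, path, target = m.groups()
            entries[path] = (ctx, target if mode.startswith("l") else None)
    return entries

def ls_z_symlink_labels(lines):
    """Same triples as live_symlink_labels, built from saved `ls -Z` output."""
    entries = parse_ls_z(lines)
    for path, (ctx, target) in entries.items():
        if target is not None:
            resolved = os.path.normpath(os.path.join(os.path.dirname(path), target))
            yield path, ctx, entries.get(resolved, (None,))[0]

def mismatched_symlinks(triples):
    """Links whose label differs from their target's: candidates for restorecon."""
    return [(link, lbl, tgt) for link, lbl, tgt in triples if lbl != tgt]

# Constructed sample: the ticket's restored-system listing.
RESTORED_LS_Z = [
    "lrwxrwxrwx root root system_u:object_r:file_t /lib/libc.so.6 -> libc-2.5.so",
    "-rwxr-xr-x root root system_u:object_r:lib_t /lib/libc-2.5.so",
]
```

On a running system, `mismatched_symlinks(live_symlink_labels("/lib"))` performs the same comparison against the real xattrs.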