Bug 573447

Summary: running restorecon in post takes hours if /var/lib/BackupPC contains many backed up files
Product: [Fedora] Fedora Reporter: Michael Ploujnikov <ploujj>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 12   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-19 10:58:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael Ploujnikov 2010-03-14 21:25:24 UTC 
Description of problem:
I just started to upgrade selinux-policy-targeted and the installation process is stuck at running restorecond in the post step of the package. The reason for that is that restorecon is run on /var/lib/BackupPC which contains 200GB of files for me.

Version-Release number of selected component (if applicable):
installing selinux-policy-targeted-3.6.32-99.fc12.noarch
BackupPC-3.1.0-11.fc12.noarch

How reproducible:
Always

Steps to Reproduce:
1. backup a lot of files with BackupPC
2. upgrade selinux-policyt-targeted
3.
  
Actual results:
restorecon tries to relabel 200GB of files in /var/lib/BackupPC

Expected results:
restorecon should probably ignore the backups but maybe notify me that I should relabel them. Alternatively, BackupPC should store backups elsewhere by default.

Additional info:
Comment 1 Daniel Walsh 2010-03-16 13:22:51 UTC 
Is /var/lib/BackupPC on a separate file system?

If it is, you can mount it with a different file context and restorecon will not go onto the file system.

mount -o context="system_u:object_r:httpd_sys_content_t:s0" DEVICE /var/lib/BackupPC
Comment 2 Michael Ploujnikov 2010-03-16 21:58:41 UTC 
My /var/lib/BackupPC _is_ on a separate filesystem. However, I wonder if mounting it with a different context is totally correct and without implications. I've already had problems with backuppc not reading/writing files due to selinux denials and I want to be careful about setting an unintended/unexpected context on all of those files.
Comment 3 Daniel Walsh 2010-03-17 12:35:05 UTC 
Actually as long as you label it the same as it would be on disk, it should be fine.

matchpathcon /var/lib/BackupPC
/var/lib/BackupPC	system_u:object_r:var_lib_t:s0


mount -o context="system_u:object_r:var_lib_t:s0" DEVICE
/var/lib/BackupPC

Should work fine. 

Restorecon stops at any file system that does not have the seclabel flag set in /proc/mounts

Mounting a file system with the context flag, removes the seclabel flag.  
The flag tells SELinux to treat every file in /var/lib?BackupPC as if it was labeled var_lib_t.  The only problem would be if a file/dir inside of /var/lib/BackupPC needed to be labeled differently.

Which I do not believe to be the case.