From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008043010 Fedora/3.0-0.60.beta5.fc9 Firefox/3.0b5

Description of problem:
I unfortunately corrupted my / partition playing around with rawhide; the other partitions were intact. I did a reinstall to preserve my data, formatted the /, /home, /usr, /usr/local, /opt, swap, /tmp, and other standard mount points. I had already moved my data to a separate physical drive/partition, and tried to remount this disk into my /home/username directory. I quickly had to unmount the disk as I had no access to the subdirectories within the disk, only at the root of that partition. I believe the old data was not relabeled during setup, likely because there was not a username/userid to coincide with the subdirectories that existed previously, which begs to ask, should that be an optional installation option offered in anaconda. For now, I need some training material on SEL as I don't know how to relabel this disk so I can use the data I stored here.

I know this one is a little off the wall, but makes sense to me as every time I do a build/rebuild, I already have the exact, options, email, etc exactly to what makes sense to me. Anaconda should be able to preserve these settings and users by simply extracting that information via sed, awk, or perl and appending these lines to configuration files as it creates them. Fortunately, I do this already, but this would help many inexperienced users. If they could learn to read Windows(r) configuration files, that may help some people move to Linux in general as well. Just a thought.

Something else I noticed in this reinstall, or didn't see an option to change at the time, was the ability to change or create the partition label during setup, so it was relabeled automatically during setup to /home/username, just an interesting tidbit. It had a different label prior to setup.

Thanks,
Guy

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-42.fc9.noarch

How reproducible:
Didn't try

Steps to Reproduce:
1. cp -pR /home/username/*.* /directory/at-mount-point (yes, there is reasoning to use this wildcard sequence, it isn't from bad windows habits, copy all files including . files/directories) Don't disable selinux prior to this.
2. run anaconda from whatever media except live disks.
3. mount /dev/s?! on /home/username
4. when you run firstboot, create username, should be userid 500 as in my case.

Actual Results:
thousands of SE Linux write errors, such as:

Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /home/Guy/odisk/.bogofilter (unlabeled_t).

Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access is required by updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /home/Guy/odisk/.bogofilter,

restorecon -v '/home/Guy/odisk/.bogofilter'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context        system_u:object_r:unlabeled_t:s0
Target Objects        /home/Guy/odisk/.bogofilter [ dir ]
Source                updatedb
Source Path           /usr/bin/updatedb
Port                  <Unknown>
Host                  nonnies-box.guyshouse
Source RPM Packages   mlocate-0.20-1
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-42.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_file
Host Name             nonnies-box.guyshouse
Platform              Linux nonnies-box.guyshouse 2.6.25.3-18.fc9.i686 #1 SMP Tue May 13 05:38:53 EDT 2008 i686 i686
Alert Count           1
First Seen            Sat 17 May 2008 04:45:02 AM AST
Last Seen             Sat 17 May 2008 04:45:02 AM AST
Local ID              659124b0-be86-4184-b5b6-d73c29305519
Line Numbers

Raw Audit Messages

host=nonnies-box.guyshouse type=AVC msg=audit(1210988702.609:193): avc: denied { getattr } for pid=8586 comm="updatedb" path="/home/Guy/odisk/.bogofilter" dev=sdb2 ino=3850241 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

host=nonnies-box.guyshouse type=SYSCALL msg=audit(1210988702.609:193): arch=40000003 syscall=196 success=no exit=-13 a0=83c2b1d a1=bfeeab38 a2=8c4ff4 a3=bfeeacb8 items=0 ppid=8580 pid=8586 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=14 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Expected Results:
This is probably what should have happened, but not an optimal solution to what I was trying to accomplish, so I have trouble calling it a bug, but something that should have an additional option. It may be something that needs to go to anaconda as a request for allowing this type of recovery effort, or perhaps another setup program altogether, but anaconda makes sense to me.

Additional info:
My only workaround to fix this was to move the other partition and begin the cp -p routine, but even this has some problems as access to these files required root access and further required a lot of chown/chgrps and chmods. Please forward me to a site to learn about SE Linux from beginning to end, but I really need one for relabeling this disk quickly.

Thanks in advance,
Guy

You can use a context mount option to assign a single SELinux context to the entire mount. So you could have mounted with a context of user_home_t.
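
An added example, not part of the original comment or of any Fedora package: a dry-run sketch that reads AVC denials, picks out the devices whose files show up as unlabeled_t, and prints the context mount command for review. The mount point /home/Guy/odisk and the s0 level are taken from the report above; the function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: line 1 is trimmed from the raw audit message in the
# report, line 2 is an invented denial on a correctly labelled file (ignored).
SAMPLE_AVC='type=AVC msg=audit(1210988702.609:193): avc: denied { getattr } for pid=8586 comm="updatedb" path="/home/Guy/odisk/.bogofilter" dev=sdb2 ino=3850241 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1210988702.700:194): avc: denied { read } for pid=8590 comm="httpd" path="/var/www/x" dev=sda1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Read audit records on stdin; print each device (once) that has AVC denials
# whose target type is unlabeled_t. Accepts dev=sdb2 and dev="sdb2".
unlabeled_devices() {
    grep 'avc: *denied' |
    grep 'tcontext=[^ ]*:unlabeled_t:' |
    sed -n 's/.* dev="\{0,1\}\([^" ]*\)"\{0,1\} .*/\1/p' |
    sort -u
}

# Build the mount option that presents every file on the mount with one type.
context_opt() {   # $1 = SELinux type, e.g. user_home_t
    printf 'context="system_u:object_r:%s:s0"' "$1"
}

# Print (never run) the mount command for a device name and mount point.
context_mount_cmd() {   # $1 = device name  $2 = mount point  $3 = SELinux type
    printf 'mount -o %s /dev/%s %s\n' "$(context_opt "$3")" "$1" "$2"
}

# Dry run over the sample: emit one command per affected device.
printf '%s\n' "$SAMPLE_AVC" | unlabeled_devices | while read -r dev; do
    context_mount_cmd "$dev" /home/Guy/odisk user_home_t
done
```

The context= option applies at mount time and leaves the labels stored on disk untouched. To write labels persistently instead, mount normally and run `restorecon -R -v` on the mount point, the recursive form of the command in the alert above.
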

Daniel,

Where can I read on how to do this? The only user options I found were in the mount command and that is obviously not nearly enough. What I really need is a good place to read up on SEL, but thanks for the clue, I'll see where google and others get me with this.

Guy

I like danwalsh.livejournal.com. Read from the beginning...