Bug 452524 - Restoring selinux file context in rescue mode fails
Restoring selinux file context in rescue mode fails
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
x86_64 Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2008-06-23 11:03 EDT by Ralph Shepard
Modified: 2009-10-15 13:26 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-10-15 13:26:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ralph Shepard 2008-06-23 11:03:09 EDT
Description of problem:
Restoring selinux file context in rescue mode fails with errors (
tar: selinux: Cannot setfilecon: Invalid argument )

Version-Release number of selected component (if applicable):

How reproducible:
create a backup with on a system running selinux then restore the backup by
booting to redhat install disk1 and typing linux rescue at the prompt.
Steps to Reproduce:
1. create a backup to tape using tar -cj --xattrs -f /dev/st0 (or similar)
2. boot to redhat CD and type linux rescue create the new file system
3. restore data from tape using tar -pxvf /dev/nst0 --overwrite (or similar) 
Actual results:

Files are restored with incorrect context and error message is displayed for
each file restored

Expected results:

Files should be restored with appropriate file context

Additional info:

This appears to be the result of the file context not being available in rescue
mode and selinux not allowing file context that it doesn't know. 

I spoke with Dan Walsh at the RedHat Summit in Boston regarding this and asked
me to file this bug.  Not sure I choose the correct component so please redirect
as appropriate.
Comment 1 Daniel Walsh 2008-06-24 06:18:52 EDT
If you type load_policy before running the tar, does it work?  
Comment 2 Stephen Smalley 2008-07-02 15:01:17 EDT
Offhand, I'd say there are three options:
1) Boot from rescue CD with selinux disabled - then there is no conflict between
the policy and the file contexts.
2) Boot from the rescue CD with selinux enabled, then load policy from the disk
(e.g. chroot to the real root and then run load_policy from it), then extract
the archive.
3) Back port the set-unknown-context support to RHEL5 kernel and leverage it for
this purpose.
Comment 3 Daniel Walsh 2009-10-15 13:26:29 EDT
I think you need to use Option 1 or 2.

So closing as notabug since you have work arounds.

Note You need to log in before you can comment on or make changes to this bug.