Bug 573447 - running restorecon in post takes hours if /var/lib/BackupPC contains many backed up files
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2010-03-14 21:25 UTC by Michael Ploujnikov
Modified: 2010-08-19 10:58 UTC (History)
Doc Type: Bug Fix
Last Closed: 2010-08-19 10:58:25 UTC

Description Michael Ploujnikov 2010-03-14 21:25:24 UTC
Description of problem:
I just started to upgrade selinux-policy-targeted and the installation process is stuck at running restorecond in the post step of the package. The reason for that is that restorecon is run on /var/lib/BackupPC which contains 200GB of files for me.

Version-Release number of selected component (if applicable):
installing selinux-policy-targeted-3.6.32-99.fc12.noarch
BackupPC-3.1.0-11.fc12.noarch

How reproducible:
Always

Steps to Reproduce:
1. back up a lot of files with BackupPC
2. upgrade selinux-policy-targeted
  
Actual results:
restorecon tries to relabel 200GB of files in /var/lib/BackupPC

Expected results:
restorecon should probably ignore the backups but maybe notify me that I should relabel them. Alternatively, BackupPC should store backups elsewhere by default.

Additional info:

Comment 1 Daniel Walsh 2010-03-16 13:22:51 UTC
Is /var/lib/BackupPC on a separate file system?

If it is, you can mount it with a different file context and restorecon will not go onto the file system.

mount -o context="system_u:object_r:httpd_sys_content_t:s0" DEVICE /var/lib/BackupPC

Comment 2 Michael Ploujnikov 2010-03-16 21:58:41 UTC
My /var/lib/BackupPC _is_ on a separate filesystem. However, I wonder if mounting it with a different context is totally correct and without implications. I've already had problems with backuppc not reading/writing files due to selinux denials and I want to be careful about setting an unintended/unexpected context on all of those files.

Comment 3 Daniel Walsh 2010-03-17 12:35:05 UTC
Actually, as long as you label it the same as it would be on disk, it should be fine.

matchpathcon /var/lib/BackupPC
/var/lib/BackupPC	system_u:object_r:var_lib_t:s0


mount -o context="system_u:object_r:var_lib_t:s0" DEVICE /var/lib/BackupPC

Should work fine. 

Restorecon stops at any file system that does not have the seclabel flag set in /proc/mounts.

Mounting a file system with the context flag removes the seclabel flag.
The flag tells SELinux to treat every file in /var/lib/BackupPC as if it was labeled var_lib_t.  The only problem would be if a file/dir inside of /var/lib/BackupPC needed to be labeled differently.

Which I do not believe to be the case.
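
The seclabel check described in comment 3, as an added example that is not part of the original bug thread: it reads a mount table in /proc/mounts format and reports, for a given path, whether the file system holding it carries seclabel or a context= mount option. The function names, device names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# The last file system is mounted with context=, so it carries no seclabel flag.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
/dev/sda2 /var ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /var/lib/BackupPC ext4 rw,relatime,context=system_u:object_r:var_lib_t:s0 0 0
EOF
}

# mount_entry PATH [MOUNTS_FILE]: print "mountpoint options" for the file system
# holding PATH (longest matching mount point; a later duplicate mount wins).
mount_entry() {
    if [ -n "$2" ]; then cat "$2"; else sample_mounts; fi | awk -v p="$1" '
        { m = $2
          if ((m == "/" || p == m || index(p, m "/") == 1) && length(m) >= length(best)) {
              best = m; opts = $4 } }
        END { if (best != "") print best, opts }'
}

# label_mode PATH [MOUNTS_FILE]: print "mountpoint: seclabel",
# "mountpoint: context=..." or "mountpoint: unlabeled".
# Assumes the context value contains no commas.
label_mode() {
    mount_entry "$1" "$2" | awk '{
        n = split($2, o, ","); mode = "unlabeled"
        for (i = 1; i <= n; i++) {
            if (o[i] == "seclabel") mode = "seclabel"
            else if (o[i] ~ /^context=/) mode = o[i]
        }
        print $1 ": " mode }'
}

# Succeeds only when the file system reports seclabel, the condition
# comment 3 gives for restorecon to go onto a file system.
restorecon_descends() {
    case "$(label_mode "$1" "$2")" in
        *": seclabel") return 0 ;;
        *) return 1 ;;
    esac
}

for p in /etc /var/lib/rpm /var/lib/BackupPC/pc; do
    if restorecon_descends "$p"; then v="restorecon descends"; else v="restorecon stops"; fi
    echo "$(label_mode "$p") -> $v"
done
```

To check a live system, pass the real table as the second argument, for example `label_mode /var/lib/BackupPC /proc/mounts`; mount points containing spaces, which /proc/mounts writes with octal escapes, are not handled.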

