
Re: [Bacula-devel] [Bacula-users] Backup xattrs (SELinux)?


Kern Sibbald wrote:
> On Sunday 07 September 2008 22:53:47 Frank Sweetser wrote:
>> For the most part, the kernel itself doesn't pay any particular attention
>> to extended attributes.  The one major exception (that I know of, anyway)
>> is SELinux.
> 
> OK, so the main point here that interested me is that these attributes need to 
> be backed up in addition to or at the same time as the normal acls are backed 
> up.

Right.

>> If a file is missing the extended attribute that defines its label, it's
>> roughly equivalent to having permissions of 000.
> 
> Thanks.  I ran Selinux for perhaps 6 months in FC4, but found it was a big 
> pain and extremely complicated.  When I upgraded to FC5 I had to turn it off 
> because the system would not run with it in enforce mode, and in permissive 
> mode it was generating thousands of events -- a few I could have fixed but 
> thousands was out of the question.  It has been off since.

That's a pretty common experience, especially back in FC4.  FC9 is much, much
better, in that most things run in "unconfined" mode, where basically SELinux
doesn't add any additional protections.  For the most part, only sensitive
external facing services, such as apache, are locked down.  The reporting and
analysis tools are also much better, though still a work in progress.

> I was hoping this would be easy, but it is looking more complex than I 
> imagined due to the need to handle both acls and xattrs.  The ifdefing of the 
> current acl implementation is complicated because it attempts to handle every 
> flavor of Unix. Saving/restoring both acls and extended attributes might 
> require a new Volume stream which requires more work than I had planned for 
> this project.    At least I know what it involves from the acl/xattr side, 
> and the API for getting and setting the xattrs is straightforward 
> (essentially the same as how Bacula handles acls, but with different 
> subroutine names).  Now I need to look at the Bacula code more in detail to 
> see if it is possible to implement it for version 3.0.0 ...

From what I've read, the extended attributes API was stolen from other unices,
so should be relatively standard.

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
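
The get/set xattr calls discussed in the message above, shown as an added example that is not part of the original e-mail and is not Bacula code: it copies every extended attribute from one file to another with the Linux `llistxattr`/`lgetxattr`/`lsetxattr` calls and checks whether the `security.selinux` label is present afterwards. The function names `has_selinux_label` and `copy_xattrs` are hypothetical.

```c
/* Added example (not Bacula code): capture and re-apply Linux xattrs. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* 1 = SELinux label present, 0 = no label, -1 = other error (errno set). */
int has_selinux_label(const char *path)
{
    if (lgetxattr(path, "security.selinux", NULL, 0) >= 0)
        return 1;
    return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
}

/* Copy every xattr from src to dst, as a backup followed by a restore
 * would. Returns the number of attributes copied, or -1 on the first error. */
int copy_xattrs(const char *src, const char *dst)
{
    ssize_t len = llistxattr(src, NULL, 0);      /* size of the name list */
    if (len < 0) return -1;
    if (len == 0) return 0;
    char *names = malloc((size_t)len);
    if (!names) return -1;
    len = llistxattr(src, names, (size_t)len);
    int copied = (len < 0) ? -1 : 0;
    /* The list is a run of NUL-terminated names, e.g. "security.selinux\0". */
    for (char *n = names; copied >= 0 && n < names + len; n += strlen(n) + 1) {
        ssize_t vlen = lgetxattr(src, n, NULL, 0);
        char *val = vlen >= 0 ? malloc((size_t)vlen + 1) : NULL;
        if (!val || (vlen = lgetxattr(src, n, val, (size_t)vlen)) < 0 ||
            lsetxattr(dst, n, val, (size_t)vlen, 0) < 0)
            copied = -1;             /* e.g. EPERM when writing security.* */
        else
            copied++;
        free(val);
    }
    free(names);
    return copied;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s SRC DST\n", argv[0]); return 2; }
    int n = copy_xattrs(argv[1], argv[2]);
    printf("copied %d xattrs; %s label: %d\n", n, argv[2], has_selinux_label(argv[2]));
    return n < 0;
}
```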
