selinux backups

selinux backups

[david carvalho]

[-- Attachment #1: Type: text/plain, Size: 585 bytes --]

Good afternoon.
Wich is the best way to make a backup of a system running lvm and selinux ?
It seems that with lvm systems, the best way is to take a snapshot (wich seems a waste
of space in a Volume Group). But with Selinux ?  tar-1.15 doesn't apply the right 
permissions when extracting (at least of what I tested). 
I've bee using "dump" for a while, and I tested it right now and it preserves the "extended attributes" so it seems to be the right option for me since the scripts I'm using, use "dump"
Is it possible/preferable to use tar or star ?

Thanks.
Regards
David

[-- Attachment #2: Type: text/html, Size: 1229 bytes --]

Re: selinux backups

[Stephen Smalley]

On Wed, 2007-06-13 at 18:32 +0100, david carvalho wrote:
> Good afternoon.
> Wich is the best way to make a backup of a system running lvm and
> selinux ?
> It seems that with lvm systems, the best way is to take a snapshot
> (wich seems a waste
> of space in a Volume Group). But with Selinux ?  tar-1.15 doesn't
> apply the right 
> permissions when extracting (at least of what I tested). 
> I've bee using "dump" for a while, and I tested it right now and it
> preserves the "extended attributes" so it seems to be the right option
> for me since the scripts I'm using, use "dump"
> Is it possible/preferable to use tar or star ?

What's your distribution and release?  star was the first to support
preserving xattrs and selinux, dump/restore later added support, and I
think that even tar now has support at least in Fedora.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux backups

[Kazuki Omo]

Hi,

I checked some backup program for writing selinux article;
http://www.atmarkit.co.jp/fsecurity/rensai/selinux202/selinux01.html
(Available on next week, but it has Japanese character only.)

Current dump/restore and star are supporting SELinux.
If you want to use "cp", you have to use "-c" option for copying 
xattrs. 

Also, I couldn't take xattrs by "tar" and "rsync" on CentOS4.4.
I didn't check "tar" on Fedora, so it might be able to take xattr.
I don't know how we can take xattr with "rsync":-(

Regards,

OMO

On Wed, Jun 13, 2007 at 02:18:21PM -0400, Stephen Smalley wrote:
> On Wed, 2007-06-13 at 18:32 +0100, david carvalho wrote:
> > Good afternoon.
> > Wich is the best way to make a backup of a system running lvm and
> > selinux ?
> > It seems that with lvm systems, the best way is to take a snapshot
> > (wich seems a waste
> > of space in a Volume Group). But with Selinux ?  tar-1.15 doesn't
> > apply the right 
> > permissions when extracting (at least of what I tested). 
> > I've bee using "dump" for a while, and I tested it right now and it
> > preserves the "extended attributes" so it seems to be the right option
> > for me since the scripts I'm using, use "dump"
> > Is it possible/preferable to use tar or star ?
> 
> What's your distribution and release?  star was the first to support
> preserving xattrs and selinux, dump/restore later added support, and I
> think that even tar now has support at least in Fedora.
> 
> -- 
> Stephen Smalley
> National Security Agency
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 

-- 
Kazuki Omo: omok@honto.info
LIDS Japanese Information:
Japanese: http://www.selinux.gr.jp/LIDS-JP/index.html
English:  http://www.selinux.gr.jp/LIDS-JP/LIDS_en/index.html
Diary: http://omok.livejournal.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux backups

[Russell Coker]

On Thursday 14 June 2007 03:32, "david carvalho" <david@di.ubi.pt> wrote:
> Good afternoon.
> Wich is the best way to make a backup of a system running lvm and selinux ?
> It seems that with lvm systems, the best way is to take a snapshot (wich
> seems a waste of space in a Volume Group). But with Selinux ?  tar-1.15
> doesn't apply the right permissions when extracting (at least of what I
> tested).

Create a file that contains zeros using most of the free space on the 
filesystem in question (EG dd from /dev/zero) and then unlink it.  Then gzip 
compress the filesystem, the zero blocks will compress well.

For my laptop I use cryptsetup to encrypt the LVM volumes so I can't usefully 
compress them (encrypted data is almost uncompressable), but this does give 
me encrypted backups which I consider useful.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux backups

[Stephen Smalley]

On Thu, 2007-06-14 at 11:49 +0900, Kazuki Omo wrote:
> Hi,
> 
> I checked some backup program for writing selinux article;
> http://www.atmarkit.co.jp/fsecurity/rensai/selinux202/selinux01.html
> (Available on next week, but it has Japanese character only.)
> 
> Current dump/restore and star are supporting SELinux.
> If you want to use "cp", you have to use "-c" option for copying 
> xattrs. 
> 
> Also, I couldn't take xattrs by "tar" and "rsync" on CentOS4.4.
> I didn't check "tar" on Fedora, so it might be able to take xattr.
> I don't know how we can take xattr with "rsync":-(

Try rsync -X or --xattrs.  Requires a modern version of rsync though.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

SELinux backups

[Nick Gray]

All,

I would like to speak to anyone who has worked on, has experience  
with, or just has a general interest in system/database backups on  
SELinux.

I searched my mail folder going back to about 2003 and found very  
little said about it.

I have been assigned this by the company I am working for and would  
like to get a little insight into what has been done so far, methods  
and issues encountered.

Nick G.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux backups

[Vikram Ambrose]

Nick Gray wrote:
> All,
>
> I would like to speak to anyone who has worked on, has experience 
> with, or just has a general interest in system/database backups on 
> SELinux.
>
What do you mean exactly?
a) Backing up the SELinux policy store on the system?
b) Backing up a system that runs SELinux?
c) Backing up a database running in an SELinux environment?
d) Storing system backups on an SELinux enabled filesystem?

> I searched my mail folder going back to about 2003 and found very 
> little said about it.
>
> I have been assigned this by the company I am working for and would 
> like to get a little insight into what has been done so far, methods 
> and issues encountered.
>
> Nick G.
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


-- 
Vikram Ambrose | Linux Products Division | WindRiver Corporation


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux backups

[Nick Gray]

On Jun 26, 2008, at 5:06 PM, Nick Gray wrote:

>
> On Jun 26, 2008, at 3:03 PM, Vikram Ambrose wrote:
>
>> Nick Gray wrote:
>>> All,
>>>
>>> I would like to speak to anyone who has worked on, has experience  
>>> with, or just has a general interest in system/database backups on  
>>> SELinux.
>>>
>> What do you mean exactly?
>> a) Backing up the SELinux policy store on the system?
>> b) Backing up a system that runs SELinux?
>> c) Backing up a database running in an SELinux environment?
>> d) Storing system backups on an SELinux enabled filesystem?
>
> Yes :-)
>
> Primarily 2 & 3, but certainly not to exclude 1 & 4. I am interested  
> in a encompassing DRP. The prior system could do something akin to  
> an LVM snapshot and produce a bootable copy. I would like to know if  
> there has been any experimentation with SELinux along those lines.  
> Once that has been accomplished, I would move on to database backups  
> and incrementals.
>
>>
>>
>>> I searched my mail folder going back to about 2003 and found very  
>>> little said about it.
>>>
>>> I have been assigned this by the company I am working for and  
>>> would like to get a little insight into what has been done so far,  
>>> methods and issues encountered.
>>>
>>> Nick G.
>>>
>>> -- 
>>> This message was distributed to subscribers of the selinux mailing  
>>> list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov 
>>>  with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>> -- 
>> Vikram Ambrose | Linux Products Division | WindRiver Corporation
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing  
>> list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov 
>>  with
>> the words "unsubscribe selinux" without quotes as the message.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.