* user guide drafts: Archiving Files with tar/star
From: Murray McAllister @ 2008-10-09  7:08 UTC
  To: SE Linux

Hi,

The following are the first few drafts of the "Archiving Files with 
tar/star" sections. Any comments and corrections are appreciated.

Thanks.

Archiving Files with tar

tar does not retain extended attributes by default. Since SELinux 
contexts are stored in extended attributes, contexts can be lost when 
archiving files. Use tar --selinux to create archives that retain contexts.

The following example demonstrates creating a Tar archive that retains 
SELinux contexts:

1. As the Linux root user, run the touch /var/www/html/file{1,2,3} 
command to create three files (file1, file2, and file3). These files 
inherit the httpd_sys_content_t type from the /var/www/html/ directory:

[example output from ls -Z /var/www/html/]

2. Run the cd /var/www/html/ command to change into the /var/www/html/ 
directory. Once in this directory, as the Linux root user, run the tar 
--selinux -cf test.tar file{1,2,3} command to create a Tar archive named 
test.tar.

3. As the Linux root user, run the mkdir /test command to create a new 
directory, and then run the chmod 777 /test/ command to allow all users 
full access to the /test/ directory.

# I don't know if this is a bad idea. I thought it would prevent running 
all steps as root (I used /var/www/html/ to 'simulate' real world, 
instead of using home directory).

4. Run the cp /var/www/html/test.tar /test/ command to copy the test.tar 
file into the /test/ directory.

5. Run the cd /test/ command to change into the /test/ directory. Once 
in this directory, run the tar -xf test.tar command to extract the Tar 
archive.

6. Run the ls -lZ /test/ command to view the SELinux contexts. The 
httpd_sys_content_t type has been retained, rather than being changed to 
default_t, which would have happened had --selinux not been used:

[example output from ls -Z /test/]

7. If the /test/ directory is no longer required, as the Linux root 
user, run the rm -ri /test/ command to remove it, as well as all files 
in it.

Refer to the tar(1) manual page for further information about tar, such 
as the --xattrs option that retains all extended attributes.

The following section is the same example, but uses "star -xattr 
-H=exustar" instead of tar --selinux.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: user guide drafts: Archiving Files with tar/star
From: Daniel J Walsh @ 2008-10-09 11:49 UTC
  To: Murray McAllister; +Cc: SE Linux


The only point I often bring up is if you have a tar file without
extended attributes, or want the extended attributes to match the policy
of the destination machine, you should run it through restorecon.


tar xvf file.tgz | restorecon -f -

Would reset the file context on disk after the extraction.




* Re: user guide drafts: Archiving Files with tar/star
From: Murray McAllister @ 2008-10-09 23:30 UTC
  To: Daniel J Walsh; +Cc: SE Linux

Daniel J Walsh wrote:
> The only point I often bring up is if you have a tar file without
> extended attributes, or want the extended attributes to match the policy
> of the destination machine, you should run it through restorecon.
> 
> 
> tar xvf file.tgz | restorecon -f -
> 
> Would reset the file context on disk after the extraction.
Does this only apply to the tar file itself, not the files in it? On 
rawhide the extracted files (that have extended attributes) inherit the 
type of the directory they are being extracted in.

Thanks.



* Re: user guide drafts: Archiving Files with tar/star
From: Russell Coker @ 2008-10-10  1:51 UTC
  To: Murray McAllister; +Cc: Daniel J Walsh, SE Linux

On Friday 10 October 2008 10:30, Murray McAllister <mmcallis@redhat.com> 
wrote:
> > tar xvf file.tgz | restorecon -f -
> >
> > Would reset the file context on disk after the extraction.
>
> Does this only apply to the tar file itself, not the files in it? On
> rawhide the extracted files (that have extended attributes) inherit the
> type of the directory they are being extracted in.

The "v" option of tar causes it to list on stdout all the files it extracts.

The -f- option of restorecon makes it take a list of files to relabel on 
stdin.  So it relabels all files extracted from the tar file.

The inheriting of file contexts from a directory (in the absence of policy 
rules specifying otherwise) has AFAIK always been the design of SE Linux.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development



* Re: user guide drafts: Archiving Files with tar/star
From: Murray McAllister @ 2008-10-10  2:08 UTC
  To: russell; +Cc: Daniel J Walsh, SE Linux

Russell Coker wrote:
> On Friday 10 October 2008 10:30, Murray McAllister <mmcallis@redhat.com> 
> wrote:
>>> tar xvf file.tgz | restorecon -f -
>>>
>>> Would reset the file context on disk after the extraction.
>> Does this only apply to the tar file itself, not the files in it? On
>> rawhide the extracted files (that have extended attributes) inherit the
>> type of the directory they are being extracted in.
> 
> The "v" option of tar causes it to list on stdout all the files it extracts.
> 
> The -f- option of restorecon makes it take a list of files to relabel on 
> stdin.  So it relabels all files extracted from the tar file.
> 
> The inheriting of file contexts from a directory (in the absence of policy 
> rules specifying otherwise) has AFAIK always been the design of SE Linux.

When would "tar | restorecon -f -" be used if files inherit contexts 
from parent directories (if policy has not been changed)? Sorry, I am a 
bit slow :)



* Re: user guide drafts: Archiving Files with tar/star
From: Russell Coker @ 2008-10-10  2:36 UTC
  To: Murray McAllister; +Cc: Daniel J Walsh, SE Linux

On Friday 10 October 2008 13:08, Murray McAllister <mmcallis@redhat.com> 
wrote:
> > The inheriting of file contexts from a directory (in the absence of
> > policy rules specifying otherwise) has AFAIK always been the design of SE
> > Linux.
>
> When would "tar | restorecon -f -" be used if files inherit contexts
> from parent directories (if policy has not be changed)? Sorry, I am a
> bit slow :)

For the case where the desired context for a file does not match the default 
context.

One example (which is probably covered by restorecond) is /etc/shadow.  If you 
extract a tar file which has a file named shadow with the current directory 
being /etc then it will get the type etc_t (while such things are not 
generally recommended they are in the range of tasks which are not uncommon 
for sysadmins).  The command described previously would result in the file 
being relabelled as shadow_t.  Of course it would have a race condition, but 
let's assume for the sake of discussion that the machine is in single-user 
mode.

The above example assumes that the file /etc/shadow does not exist at the time 
the tar file is extracted (tar will truncate an existing file and keep the 
same context).

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development



* Re: user guide drafts: Archiving Files with tar/star
From: Stephen Smalley @ 2008-10-10 12:57 UTC
  To: Murray McAllister; +Cc: russell, Daniel J Walsh, SE Linux

On Fri, 2008-10-10 at 12:08 +1000, Murray McAllister wrote:
> When would "tar | restorecon -f -" be used if files inherit contexts 
> from parent directories (if policy has not be changed)? Sorry, I am a 
> bit slow :)

restorecon consults the file_contexts configuration, which maps pathname
regular expressions to the appropriate security context to assign to a
file when it is installed.  tar xf foo.tar by itself will merely apply
the usual runtime creation logic for file labeling, i.e. compute the
context of the new files from the combination of the creating process
context (user, level) and the parent directory (type) or type_transition
rule.  tar xvf foo.tar | restorecon -f - should reset the file contexts
to the original install-time file contexts defined by the file contexts
configuration.

-- 
Stephen Smalley
National Security Agency



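Added example, not from any message in this thread: a small Python simulation of the three labelling behaviours the thread describes, namely the draft's tar --selinux extraction into /test, Russell's /etc/shadow case (with and without a pre-existing file), and Stephen's contrast between runtime creation labelling and restorecon's file_contexts lookup. The file_contexts fragment, the process context and the last-matching-line-wins rule are constructed simplifications of the real configuration and of libselinux's matching.

```python
import re

# Constructed file_contexts fragment (regex, context), not a real policy file.
FILE_CONTEXTS = [
    (r"/.*",            "system_u:object_r:default_t:s0"),
    (r"/etc(/.*)?",     "system_u:object_r:etc_t:s0"),
    (r"/etc/shadow.*",  "system_u:object_r:shadow_t:s0"),
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]

# Constructed context of the process running tar (the "Linux root user").
PROCESS_CTX = "unconfined_u:unconfined_r:unconfined_t:s0"

def matchpathcon(path):
    """Install-time context for path from file_contexts, as restorecon uses it.
    Simplifying assumption: the last matching line wins."""
    context = None
    for regex, ctx in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            context = ctx
    return context

def runtime_label(process_ctx, parent_ctx, type_transition=None):
    """Runtime creation labelling: user and level from the creating process,
    type from the parent directory unless a type_transition rule applies."""
    user, _, _, level = process_ctx.split(":")
    parent_type = parent_ctx.split(":")[2]
    return f"{user}:object_r:{type_transition or parent_type}:{level}"

def extract(archive, dest, fs, apply_xattrs):
    """Simulate tar -x into dest. archive maps member name -> archived context
    (None when the member carries no SELinux xattr); fs maps path -> context."""
    for name, archived in archive.items():
        path = dest.rstrip("/") + "/" + name
        if path in fs:
            continue  # tar truncates an existing file and keeps its context
        if apply_xattrs and archived:
            fs[path] = archived  # context restored from the archive's xattr
        else:
            fs[path] = runtime_label(process_ctx=PROCESS_CTX, parent_ctx=fs[dest])
    return fs

def restorecon(paths, fs):
    """restorecon -f -: reset every listed path to its file_contexts context."""
    for path in paths:
        fs[path] = matchpathcon(path)
    return fs

def draft_example():
    """Draft steps 2-6: archive made with --selinux, extracted into /test,
    then run through restorecon. Returns (context kept, context after reset)."""
    fs = {"/test": "unconfined_u:object_r:default_t:s0"}
    archive = {"file1": "unconfined_u:object_r:httpd_sys_content_t:s0"}
    kept = extract(archive, "/test", fs, apply_xattrs=True)["/test/file1"]
    return kept, restorecon(["/test/file1"], fs)["/test/file1"]

def shadow_example(preexisting):
    """Russell's case: a member named shadow, extracted with /etc as the
    current directory. Returns (context after extract, after restorecon)."""
    fs = {"/etc": "system_u:object_r:etc_t:s0"}
    if preexisting:
        fs["/etc/shadow"] = "system_u:object_r:shadow_t:s0"
    after_tar = extract({"shadow": None}, "/etc", fs, apply_xattrs=False)["/etc/shadow"]
    return after_tar, restorecon(["/etc/shadow"], fs)["/etc/shadow"]
```

Note that in draft_example the archived httpd_sys_content_t survives extraction but restorecon replaces it with the policy default for /test, which is the distinction Murray's question turns on.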

* Re: user guide drafts: Archiving Files with tar/star
From: Murray McAllister @ 2008-10-11  6:13 UTC
  To: Stephen Smalley; +Cc: russell, Daniel J Walsh, SE Linux

Stephen Smalley wrote:
> restorecon consults the file_contexts configuration, which maps pathname
> regular expressions to the appropriate security context to assign to a
> file when it is installed.  tar xf foo.tar by itself will merely apply
> the usual runtime creation logic for file labeling, i.e. compute the
> context of the new files from the combination of the creating process
> context (user, level) and the parent directory (type) or type_transition
> rule.  tar xvf foo.tar | restorecon -f - should reset the file contexts
> to the original install-time file contexts defined by the file contexts
> configuration.
> 
How about:

If a Tar archive contains files without extended attributes, or if you 
want the extended attributes to match the original, install-time file 
contexts defined by SELinux policy, run the archive through restorecon:

tar xvf file.tgz | restorecon -f -

Would it be better to always recommend using tar with restorecon?

Cheers.



* Re: user guide drafts: Archiving Files with tar/star
From: Daniel J Walsh @ 2008-10-13 18:07 UTC
  To: Murray McAllister; +Cc: Stephen Smalley, russell, SE Linux

Murray McAllister wrote:
> How about:
> 
> If a Tar archive contains files without extended attributes, or if you
> want the extended attributes to match the original, install-time file
want the extended attributes to match the system defaults, ...
> contexts defined by SELinux policy, run the archive through restorecon:
> 
> tar xvf file.tgz | restorecon -f -
> 
> Would it be better to always recommend using tar with restorecon?
> 
> Cheers.
> 



