Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 452524 - Restoring selinux file context in rescue mode fails
Summary: Restoring selinux file context in rescue mode fails
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2008-06-23 15:03 UTC by Ralph Shepard
Modified: 2009-10-15 17:26 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-10-15 17:26:29 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Ralph Shepard 2008-06-23 15:03:09 UTC
Description of problem:
Restoring selinux file context in rescue mode fails with errors (
tar: selinux: Cannot setfilecon: Invalid argument )

Version-Release number of selected component (if applicable):

How reproducible:
create a backup with on a system running selinux then restore the backup by
booting to redhat install disk1 and typing linux rescue at the prompt.
Steps to Reproduce:
1. create a backup to tape using tar -cj --xattrs -f /dev/st0 (or similar)
2. boot to redhat CD and type linux rescue create the new file system
3. restore data from tape using tar -pxvf /dev/nst0 --overwrite (or similar) 
Actual results:

Files are restored with incorrect context and error message is displayed for
each file restored

Expected results:

Files should be restored with appropriate file context

Additional info:

This appears to be the result of the file context not being available in rescue
mode and selinux not allowing file context that it doesn't know. 

I spoke with Dan Walsh at the RedHat Summit in Boston regarding this and asked
me to file this bug.  Not sure I choose the correct component so please redirect
as appropriate.

Comment 1 Daniel Walsh 2008-06-24 10:18:52 UTC
If you type load_policy before running the tar, does it work?  

Comment 2 Stephen Smalley 2008-07-02 19:01:17 UTC
Offhand, I'd say there are three options:
1) Boot from rescue CD with selinux disabled - then there is no conflict between
the policy and the file contexts.
2) Boot from the rescue CD with selinux enabled, then load policy from the disk
(e.g. chroot to the real root and then run load_policy from it), then extract
the archive.
3) Back port the set-unknown-context support to RHEL5 kernel and leverage it for
this purpose.

Comment 3 Daniel Walsh 2009-10-15 17:26:29 UTC
I think you need to use Option 1 or 2.

So closing as notabug since you have work arounds.

Note You need to log in before you can comment on or make changes to this bug.