Re: SELinux attrs

2008-08-01 Thread Aaron J. Grier
On Mon, Jul 28, 2008 at 08:08:52AM -0500, Nickolas Gray wrote:
> Does anyone have more information on Amanda and SELinux?

Doesn't dump preserve all metadata?

-- 
  Aaron J. Grier | "Not your ordinary poofy goof." | [EMAIL PROTECTED]


Re: SELinux attrs

2008-07-29 Thread Dustin J. Mitchell
On Tue, Jul 29, 2008 at 1:05 PM, Albrecht Dreß <[EMAIL PROTECTED]> wrote:
> Finally, rebuild amanda with the configure option
> "--with-gnutar=/usr/sbin/amgtar" (this should be easier with 2.6, where an
> application can be defined in the runtime config?  Is that correct?).  In a
> first quick test, this /seems/ to work.  I didn't test it thoroughly, so
> *please* be careful if you want to go ahead with it on a production system!

Yes, easier in 2.6.0.

Dustin

-- 
Storage Software Engineer
http://www.zmanda.com


Re: SELinux attrs

2008-07-29 Thread Albrecht Dreß

On 28.07.08 20:27, C. Chan wrote:
> The GNU tar in RHEL 5 seems to have been patched to allow backing up
> ACLs and XATTRs.


Ah!  *That* was a good hint!  I'm running Ubuntu, and the gtar coming  
with it doesn't have support for it.



So here's a short compilation of the steps to get Amanda 2.5.2p1  
(coming with Ubuntu) happily back up and restore xattrs...



First, check if your version of GNU tar supports xattrs.  If you use  
recent RHEL (e.g. 5) or Fedora (e.g. 9) systems, your tar has already  
been patched.  However, on Ubuntu and probably Debian, it isn't...  You  
can check your tar by trying the "--xattr" flag.  If it says



$ tar --xattr
tar: unrecognized option `--xattr'


then your tar does *not* support extended attributes.  If it says


$ tar --xattr
tar: You must specify one of the `-Acdtrux' options


then you're fine!  In order to get a selinux-enabled tar on Ubuntu  
Hardy, I grabbed the tar source rpm for Fedora 9  
(tar-1.19-4.fc9.src.rpm, from Updates), and built it on a FC box.  I  
then copied the source tree (which has the Fedora patches attached) to  
my Ubuntu box, installed some missing development libs


apt-get install libselinux1-dev libacl1-dev

and then built a SELinux/extended attributes enabled tar in /opt:


./configure --program-prefix=se --prefix=/opt --sysconfdir=/etc --localstatedir=/var

make clean all


The resulting patched tar will be /opt/bin/setar.

Now create a wrapper script, e.g. /usr/sbin/amgtar, to include the  
"--xattr" option:



#!/bin/sh
/opt/bin/setar --xattr "$@"


Finally, rebuild amanda with the configure option  
"--with-gnutar=/usr/sbin/amgtar" (this should be easier with 2.6, where  
an application can be defined in the runtime config?  Is that  
correct?).  In a first quick test, this /seems/ to work.  I didn't test  
it thoroughly, so *please* be careful if you want to go ahead with it  
on a production system!


Hope this helps,
Albrecht.
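
Added example (not part of Albrecht's message, and not Amanda or GNU tar code): one way to check what the wrapper actually stored is to read the per-member pax records of a resulting archive and list the members that carry no SELinux label. It assumes a pax-format archive and the keyword names used by upstream GNU tar (RHT.security.selinux, SCHILY.xattr.*, SCHILY.acl.*); the sample archive is constructed in memory.

```python
import io
import tarfile

# Pax keywords upstream GNU tar uses for this metadata; assumed here to be
# what the Fedora-patched tar from the post writes as well.
SELINUX_KEYS = ("RHT.security.selinux", "SCHILY.xattr.security.selinux")
XATTR_PREFIX = "SCHILY.xattr."
ACL_PREFIX = "SCHILY.acl."


def audit_archive(fileobj):
    """Map each member name to the SELinux label, xattr names and ACL kinds stored for it."""
    report = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for member in tf:
            hdr = member.pax_headers  # per-member extended header records
            label = next((hdr[k] for k in SELINUX_KEYS if k in hdr), None)
            report[member.name] = {
                # strip a trailing NUL if the stored value carries one
                "selinux": label.rstrip("\0") if label else None,
                "xattrs": sorted(k[len(XATTR_PREFIX):] for k in hdr
                                 if k.startswith(XATTR_PREFIX)),
                "acls": sorted(k[len(ACL_PREFIX):] for k in hdr
                               if k.startswith(ACL_PREFIX)),
            }
    return report


def unlabeled(report):
    """Members that would come back from a restore without an SELinux context."""
    return sorted(name for name, meta in report.items() if meta["selinux"] is None)


def build_sample():
    """Constructed sample: a pax archive with one labelled and one bare member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        labelled = tarfile.TarInfo("etc/shadow")
        labelled.pax_headers = {
            "SCHILY.xattr.security.selinux": "system_u:object_r:shadow_t:s0",
            "SCHILY.xattr.user.note": "constructed",
        }
        tf.addfile(labelled)
        tf.addfile(tarfile.TarInfo("etc/motd"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in unlabeled(audit_archive(build_sample())):
        print("no SELinux label stored for", name)
```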




Re: SELinux attrs

2008-07-29 Thread Dustin J. Mitchell
On Tue, Jul 29, 2008 at 10:22 AM, Nick Smith <[EMAIL PROTECTED]> wrote:
> I've just experimented with 2.6.0p1 and found the Application API *does*
> work - cool!! Maybe it's just the configuration for the application and
> properties that wasn't included.

I was wrong, sorry.  It's an early version, and misses a lot of
functionality that turns out to be necessary.  If it works for you,
great!  If you encounter bugs or need more features, please consider
building against HEAD.

The Application API is designed with your needs in mind.  We would
absolutely *love* to have any feedback you can provide.

Dustin

-- 
Storage Software Engineer
http://www.zmanda.com


Re: SELinux attrs

2008-07-29 Thread Dustin J. Mitchell
On Tue, Jul 29, 2008 at 6:21 AM, Nick Smith <[EMAIL PROTECTED]> wrote:
> Is the Application API in Amanda 2.6.0p1? I'm asking because I cannot
> configure my application for ZFS dumping as per description from Zmanda
> site? I get the following error when I try to test the configuration:

No -- we cut 2.6.0 to *include* the Device API but *exclude* the
Application API, on the grounds that adding two significant new chunks
of code in one release would introduce too many bugs.  The App API is
present in trunk, however, and will be in 2.6.1.

Dustin

-- 
Storage Software Engineer
http://www.zmanda.com


Re: SELinux attrs

2008-07-29 Thread Nick Smith


Hi Dustin,


Dustin J. Mitchell wrote:
> On Tue, Jul 29, 2008 at 6:21 AM, Nick Smith <[EMAIL PROTECTED]> wrote:
>> Is the Application API in Amanda 2.6.0p1? I'm asking because I cannot
>> configure my application for ZFS dumping as per description from Zmanda
>> site? I get the following error when I try to test the configuration:
>
> No -- we cut 2.6.0 to *include* the Device API but *exclude* the
> Application API, on the grounds that adding two significant new chunks
> of code in one release would introduce too many bugs.  The App API is
> present in trunk, however, and will be in 2.6.1.
>
> Dustin



I've just experimented with 2.6.0p1 and found the Application API 
*does* work - cool!! Maybe it's just the configuration for the 
application and properties that wasn't included.


Regards & Many Thanks,

Nick

selfcheck.xxx.debug with mix of 'ZFS' and 'UFS' DLEs

1217340440.912603: selfcheck: pid 24919 ruid 6004 euid 6004: start at Tue Jul 29 16:07:20 2008
1217340440.912686: selfcheck: version 2.6.0p1
1217340440.913188: selfcheck: warning: errors processing config file "/usr/local/etc/amanda/test/amanda-clie!
1217340440.913254: selfcheck: pid 24919 ruid 6004 euid 6004: rename at Tue Jul 29 16:07:20 2008
1217340440.913375: selfcheck: checking disk /export/software
1217340440.913445: selfcheck: Spawning "/usr/local/libexec/amanda/application/zfsdump zfsdump support --conf!
1217340441.962946: selfcheck: checking disk /export/home
1217340441.963042: selfcheck: Spawning "/usr/local/libexec/amanda/application/zfsdump zfsdump support --conf!

1217340442.850605: selfcheck: checking disk /opt
1217340442.906812: selfcheck: device /dev/rdsk/c1t0d0s4
1217340442.906864: selfcheck: disk /opt OK
1217340442.906867: selfcheck: amdevice /opt OK
1217340442.906870: selfcheck: device /dev/rdsk/c1t0d0s4 OK
1217340442.906909: selfcheck: checking disk /var
1217340442.907159: selfcheck: device /dev/rdsk/c1t0d0s3
1217340442.907173: selfcheck: disk /var OK
1217340442.907176: selfcheck: amdevice /var OK
1217340442.907178: selfcheck: device /dev/rdsk/c1t0d0s3 OK
1217340442.907198: selfcheck: checking disk /usr
1217340442.907372: selfcheck: device /dev/rdsk/c1t0d0s1
1217340442.907387: selfcheck: disk /usr OK
1217340442.907390: selfcheck: amdevice /usr OK
1217340442.907392: selfcheck: device /dev/rdsk/c1t0d0s1 OK
1217340442.907411: selfcheck: checking disk /
1217340442.907542: selfcheck: device /dev/rdsk/c1t0d0s0
1217340442.907557: selfcheck: disk / OK
1217340442.907560: selfcheck: amdevice / OK
1217340442.907562: selfcheck: device /dev/rdsk/c1t0d0s0 OK
1217340442.907758: selfcheck: pid 24919 finish time Tue Jul 29 16:07:22 2008


Re: SELinux attrs

2008-07-29 Thread Nick Smith


Dustin J. Mitchell wrote:
> [snip]
>
> You should take a look at the application API -- it will make such a
> creation much easier!

Is the Application API in Amanda 2.6.0p1? I'm asking because I cannot 
configure my application for ZFS dumping as per description from Zmanda 
site? I get the following error when I try to test the configuration:


# amcheck test
"/usr/local/etc/amanda/test/amanda.conf", line 363: DUMPTYPE, INTERFACE or TAPETYPE expected

"/usr/local/etc/amanda/test/amanda.conf", line 363: end of line is expected

From amanda.conf lines 363-366 :

define application-tool zfsdump {
 comment "ZFS dumper"
 plugin "zfsdump"
}


> Dustin



Regards,

Nick


Re: SELinux attrs

2008-07-28 Thread Nickolas Gray

It works on my MLS test system

On Jul 28, 2008, at 1:27 PM, C. Chan wrote:

> The GNU tar in RHEL 5 seems to have been patched to allow backing up
> ACLs and XATTRs.
>
> Has anyone actually tried using this new feature in GNU tar and
> been successful in restoring the ACLs/XATTRs?
>
> Thus spoke Albrecht Dreß:
>
>> On 28.07.08 15:08, Nickolas Gray wrote:
>>> New to list, looking for a good solution to backing up SELinux
>>> systems with MLS policies
>>> The reference in the Amanda documentation regarding SELinux xattrs
>>> is a rather cryptic one-liner
>>
>> The problem is that amanda relies upon GNU tar which is not able to
>> back up extended attributes, including ACL's as well as SELinux ones.
>
> --
> C. Chan
> GPG Public Key registered at pgp.mit.edu




Re: SELinux attrs

2008-07-28 Thread C. Chan

The GNU tar in RHEL 5 seems to have been patched to allow backing up
ACLs and XATTRs.

Has anyone actually tried using this new feature in GNU tar and
been successful in restoring the ACLs/XATTRs?


Thus spoke Albrecht Dreß:

> On 28.07.08 15:08, Nickolas Gray wrote:
>> New to list, looking for a good solution to backing up SELinux systems with
>> MLS policies
>>
>> The reference in the Amanda documentation regarding SELinux xattrs is a
>> rather cryptic one-liner
>
> The problem is that amanda relies upon GNU tar which is not able to back up
> extended attributes, including ACL's as well as SELinux ones.




--
C. Chan 
GPG Public Key registered at pgp.mit.edu


Re: SELinux attrs

2008-07-28 Thread Dustin J. Mitchell
On Mon, Jul 28, 2008 at 12:52 PM, Albrecht Dreß <[EMAIL PROTECTED]> wrote:
> A while ago I started to write a simple wrapper script for star (you have to
> re-build amanda, as the "tar" application it calls is hard-coded in the
> executable), but did not yet succeed.  I probably have to look deeper into
> the sources to see which options might be used with gtar, so the proper star
> replacements are mapped.  Of course, it would also make sense to include a
> "star" backup mode into amanda, as the extended attributes problem is
> rather common.  If anyone else did that work already, I would highly
> appreciate any pointers!

You should take a look at the application API -- it will make such a
creation much easier!

Dustin

-- 
Storage Software Engineer
http://www.zmanda.com


Re: SELinux attrs

2008-07-28 Thread Albrecht Dreß

On 28.07.08 15:08, Nickolas Gray wrote:
> New to list, looking for a good solution to backing up SELinux
> systems with MLS policies
>
> The reference in the Amanda documentation regarding SELinux xattrs is
> a rather cryptic one-liner


The problem is that amanda relies upon GNU tar which is not able to  
back up extended attributes, including ACL's as well as SELinux ones.


Star is an alternative to  
GNU tar which *does* include perfect (afaict) extended attribute  
support using the "exustar" format, but its options are somewhat  
different from gtar's.  In particular, iirc it lacks gtar's  
'--ignore-failed-read' option which is important for amanda.


A while ago I started to write a simple wrapper script for star (you  
have to re-build amanda, as the "tar" application it calls is  
hard-coded in the executable), but did not yet succeed.  I probably  
have to look deeper into the sources to see which options might be used  
with gtar, so the proper star replacements are mapped.  Of course, it  
would also make sense to include a "star" backup mode into amanda, as  
the extended attributes problem is rather common.  If anyone else did  
that work already, I would highly appreciate any pointers!


Sorry for the "mixed" news,
Albrecht.




SELinux attrs

2008-07-28 Thread Nickolas Gray

All,

New to list, looking for a good solution to backing up SELinux systems  
with MLS policies


The reference in the Amanda documentation regarding SELinux xattrs is  
a rather cryptic one-liner


Does anyone have more information on Amanda and SELinux?

This is something I am required to do. And could dedicate paid time to  
it, if I feel it is going somewhere.


I would like to discuss this with other interested parties, off-line  
if necessary.


Thanks

--
Nick Gray
Magitek LTD.