Re: Copying a system: no login possible

2017-03-21 Thread Mark Stodola

On 03/21/2017 06:49 AM, Lars Behrens wrote:

> Hi there,
>
> After copying a system like I have done a million times before (but only
> with debianic, suse or arch systems) by
>
> * starting a live system on the target
> * copy the origin to mounted target device
> * chroot afterwards
> * adapt /etc/fstab and hosts/hostname files
> * install and config grub.
>
> after reboot I cannot log in to the resulting system neither as root nor
> as user.
>
> When I set selinux to permissive it works. So I am missing some basic thing.
>
> Internet search didn't help me and in the selinux docs I don't know what
> to search for.
>
> Maybe someone, here could help me?
>
> TIA!
>
> Cheerz,
> Lars




There may be clues in your log files if you can access them from live media.

You could also try using restorecon to reset the selinux policies.  I 
believe doing a 'touch /.autorelabel' will cause selinux to do it on 
reboot as well.


Re: Copying a system: no login possible

2017-03-21 Thread Nico Kadel-Garcia
On Tue, Mar 21, 2017 at 7:49 AM, Lars Behrens  wrote:
> Hi there,
>
> After copying a system like I have done a million times before (but only
> with debianic, suse or arch systems) by
>
> * starting a live system on the target

This is not defined. What does "starting a live system" mean? Starting
from a boot CD or DVD? Using PXE to run a rescue Linux? Or something
else?

> * copy the origin to mounted target device

How did you "copy the system"? Tar, for example, does not carry along
SELinux permissions. The "star" tool can.

> * chroot afterwards
> * adapt /etc/fstab and hosts/hostname files
> * install and config grub.
>
> after reboot I cannot log in to the resulting system neither as root nor
> as user.
>
> When I set selinux to permissive it works. So I am missing some basic thing.


I'd definitely look at /var/log/secure on the new system to see what
is grousing.

> Internet search didn't help me and in the selinux docs I don't know what
> to search for.
>
> Maybe someone, here could help me?
>
> TIA!
>
> Cheerz,
> Lars
>
>


Re: Copying a system: no login possible

2017-03-21 Thread Tom H
On Tue, Mar 21, 2017 at 7:49 AM, Lars Behrens  wrote:
>
> After copying a system like I have done a million times before (but only
> with debianic, suse or arch systems) by
>
> * starting a live system on the target
> * copy the origin to mounted target device
> * chroot afterwards
> * adapt /etc/fstab and hosts/hostname files
> * install and config grub.
>
> after reboot I cannot log in to the resulting system neither as root nor
> as user.
>
> When I set selinux to permissive it works. So I am missing some basic thing.

It's probably a relabel issue.

You can either run, while chrooted, "touch /.autorelabel" (and the
relabel will happen at reboot) or "fixfiles relabel" (and the relabel
will happen within the chroot).


Re: Copying a system: no login possible

2017-03-21 Thread Tom H
On Tue, Mar 21, 2017 at 9:05 AM, Nico Kadel-Garcia  wrote:
> On Tue, Mar 21, 2017 at 7:49 AM, Lars Behrens  wrote:
>>
>> * copy the origin to mounted target device
>
> How did you "copy the system"? Tar, for example, does not carry along
> SELinux permissions. The "star" tool can.

tar has an "--selinux" option.

AFAIR, star doesn't preserve contexts in SL5 but it does in SL7 (I
can't remember whether the SL6 version does); there is an xattr option
for doing so.

cpio and rsync don't preserve labels (if the OP used them) but "cp -a" does.


Re: Copying a system: no login possible

2017-03-21 Thread Lars Behrens
Am 21.03.2017 um 14:05 schrieb Nico Kadel-Garcia:

> This is not defined. What does "starting a live system" mean?
> Starting from a boot CD or DVD? Using PXE to run a rescue Linux? Or
> something else?

Live-ISO of Fedora-Xfce, the system is running in a VM.

> How did you "copy the system"? Tar, for example, does not carry
> along SELinux permissions. The "star" tool can.

Yes, I forgot about the SELinux permissions, you're right.

I did an 'rsync -xzav --numeric-ids'

Where it seems that I should have added an '-X' when selinux comes into
play, as I have learned now.

> I'd definitely look at /var/log/secure on the new system to see what 
> is grousing.

Nothing helpful there, alas.

Thank you!

Cheerz,
Lars







Re: Copying a system: no login possible

2017-03-21 Thread Tom H
On Tue, Mar 21, 2017 at 10:06 AM, Lars Behrens  wrote:
> Am 21.03.2017 um 14:05 schrieb Nico Kadel-Garcia:
>>
>> How did you "copy the system"? Tar, for example, does not carry
>> along SELinux permissions. The "star" tool can.
>
> Yes, I forgot about the SELinux permissions, you're right.
>
> I did an 'rsync -xzav --numeric-ids'
>
> Where it seems that I should have added an '-X' when selinux comes into
> play, as I have learned now.

Thanks. I'd searched in the past for "selinux" in "man rsync" and not
found anything so I assumed that it couldn't preserve selinux
contexts. I'd also run "ldd /usr/bin/rsync" and not seen libselinux
listed. I'll have to recheck.


Re: Copying a system: no login possible

2017-03-21 Thread Gilbert E. Detillieux

On 21/03/2017 9:06 AM, Lars Behrens wrote:

> Yes, I forgot about the SELinux permissions, you're right.
>
> I did an 'rsync -xzav --numeric-ids'
>
> Where it seems that I should have added an '-X' when selinux comes into
> play, as I have learned now.


I usually use this...

rsync -vaxHAXS --numeric-ids

... to ensure things are exactly copied.  All of the "HAXS" options need 
to be added explicitly as they're not included in the "a" option, and 
all are needed to get an exact copy of all meta-data.


--
Gilbert E. Detillieux   E-mail: 
Dept. of Computer Science   Web:http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba  Phone:  (204)474-8161
Winnipeg MB CANADA  R3T 2N2 Fax:(204)474-7609


Re: Copying a system: no login possible

2017-03-21 Thread Lars Behrens
Am 21.03.2017 um 16:37 schrieb Gilbert E. Detillieux:

> I usually use this...
> 
> rsync -vaxHAXS --numeric-ids

Ok, thank you.
vaxHAXS also makes up a good mnemonic, at least for a south german :)

Cheerz,
Lars

-- 
Karlsruher Institut für Technologie (KIT)
Physikalisches Institut
+49 721 608-43448
lars.behr...@kit.edu





Re: Copying a system: no login possible

2017-03-21 Thread Tom H
On Tue, Mar 21, 2017 at 11:04 AM, Tom H  wrote:
> On Tue, Mar 21, 2017 at 10:06 AM, Lars Behrens  wrote:
>> Am 21.03.2017 um 14:05 schrieb Nico Kadel-Garcia:
>>>
>>> How did you "copy the system"? Tar, for example, does not carry
>>> along SELinux permissions. The "star" tool can.
>>
>> Yes, I forgot about the SELinux permissions, you're right.
>>
>> I did an 'rsync -xzav --numeric-ids'
>>
>> Where it seems that I should have added an '-X' when selinux comes into
>> play, as I have learned now.
>
> Thanks. I'd searched in the past for "selinux" in "man rsync" and not
> found anything so I assumed that it couldn't preserve selinux
> contexts. I'd also run "ldd /usr/bin/rsync" and not seen libselinux
> listed. I'll have to recheck.

On Fedora 25:

th@localhost ~ $ ldd /usr/bin/cp | egrep 'attr|selinux'
libselinux.so.1 => /lib64/libselinux.so.1 (0x7f75e1f51000)
libattr.so.1 => /lib64/libattr.so.1 (0x7f75e1b43000)

th@localhost ~ $ ldd /usr/bin/rsync | egrep 'attr|selinux'
libattr.so.1 => /lib64/libattr.so.1 (0x7f30e1ea9000)

th@localhost ~ $ ldd /usr/bin/star | egrep 'attr|selinux'
libattr.so.1 => /lib64/libattr.so.1 (0x7f5523fea000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7f5523dc3000)

th@localhost ~ $ ldd /usr/bin/tar | egrep 'attr|selinux'
libselinux.so.1 => /lib64/libselinux.so.1 (0x7fe38906e000)
libattr.so.1 => /lib64/libattr.so.1 (0x7fe388aa3000)

So I assumed, wrongly, that rsync needs to be linked to libselinux for
it to be able to preserve selinux labels.


[solved] Re: Copying a system: no login possible

2017-03-21 Thread Lars Behrens
Am 21.03.2017 um 14:14 schrieb Tom H:

> It's probably a relabel issue.
> 
> You can either run, while chrooted, "touch /.autorelabel" (and the
> relabel will happen at reboot) or "fixfiles relabel" (and the relabel
> will happen within the chroot).

Thanks a lot Tom and Mark,

relabeling did it.

Will have a look in the docs what exactly has been going on there :)

Cheerz,
Lars







Re: [solved] Re: Copying a system: no login possible

2017-03-21 Thread Tom H
On Tue, Mar 21, 2017 at 9:50 AM, Lars Behrens  wrote:
> Am 21.03.2017 um 14:14 schrieb Tom H:


>> It's probably a relabel issue.
>>
>> You can either run, while chrooted, "touch /.autorelabel" (and the
>> relabel will happen at reboot) or "fixfiles relabel" (and the relabel
>> will happen within the chroot).
>
> Thanks a lot Tom and Mark,

You're welcome.


> relabeling did it.
>
> Will have a look in the docs what exactly has been going on there :)

You need to use a copy method that preserves labels; cp/star/tar.
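
Added example, not part of the thread: a Python check that can be run from the live system before rebooting. It compares the security.selinux extended attribute of every entry in the source tree with its copy and lists entries whose label was lost or changed, which is what an rsync without -X leaves behind. The function names, the reader parameter and the mount paths are this example's own assumptions; labels are read with os.getxattr, which is Linux-only.

```python
#!/usr/bin/env python3
# Added example (not from the thread): list files whose SELinux label was
# lost or changed by a copy. All names below are this example's own.
import errno
import os
import sys

XATTR = "security.selinux"      # xattr in which SELinux stores the context
MISSING = "<missing file>"      # marker: entry was not copied at all


def read_label(path):
    """Return the SELinux context of path, or None if it carries no label."""
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError as exc:
        # ENODATA: file has no label; ENOTSUP: filesystem without xattrs.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\0").decode("ascii", "replace")


def compare_labels(src_root, dst_root, reader=read_label):
    """Return [(relpath, source_label, copy_label)] for every entry under
    src_root whose copy under dst_root is absent, unlabeled or relabeled."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        dirnames.sort()                      # deterministic traversal
        for name in sorted(dirnames + filenames):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            want = reader(src)
            got = reader(dst) if os.path.lexists(dst) else MISSING
            if got is None or got != want:
                problems.append((rel, want, got))
    return problems


if __name__ == "__main__":
    # Usage: check_labels.py /mnt/source /mnt/target   (paths are examples)
    bad = compare_labels(sys.argv[1], sys.argv[2])
    for rel, want, got in bad:
        print(f"{rel}: source={want} copy={got}")
    sys.exit(1 if bad else 0)
```

An empty result means the copy kept its labels; any listed entry needs the relabel described in the thread before the system is booted in enforcing mode.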