fdupoux/fsarchiver

Errors while restoring FAT fs archive made on systems with SELinux

devegied-lamabpo opened this issue · 5 comments

SELinux can add file labeling to files even for filesystems that does not support any extended attributes (File System Labeling Statements).
FSArchiver saves this labeling information in archive (as provided by OS). When archive is restored FSArchiver tries to apply these saved extended attributes to files and directories but fails because underlying file system does not support extended attributes.
For example, in /dev/sda1 is EFI system partition (formatted as FAT16) and I am archiving live system (with active SELinux)

$ ls -dZ EFI/BOOT EFI/BOOT/BOOTX64.EFI EFI/BOOT/fbx64.efi
drwx------. root root system_u:object_r:dosfs_t:s0     .
drwx------. root root system_u:object_r:dosfs_t:s0     EFI/BOOT
-rwx------. root root system_u:object_r:dosfs_t:s0     EFI/BOOT/BOOTX64.EFI
-rwx------. root root system_u:object_r:dosfs_t:s0     EFI/BOOT/fbx64.efi
$ fsarchiver -A -v savefs fs.efi.fsa /dev/sda1
Analysing filesystem on /dev/sda1...
============= archiving filesystem /dev/sda1 =============
-[00][  0%][DIR     ] /
...
-[00][  100%][DIR     ] /EFI/BOOT
-[00][  100%][REGFILE ] /EFI/BOOT/BOOTX64.EFI
-[00][  100%][REGFILEM] /EFI/BOOT/fbx64.efi
Statistics for filesystem 0
* files successfully processed:....regfiles=17, directories=5, symlinks=0, hardlinks=0, specials=0
* files with errors:...............regfiles=0, directories=0, symlinks=0, hardlinks=0, specials=0

When restoring this archive in SystemRescue environment I get these errors

fsarchiver restfs -v fs.efi.fsa id=0,dest=/dev/sdb1
============= extracting filesystem 0 =============
executing [mkfs.vfat --help]...
command [mkfs.vfat --help] returned 0
executing [mkfs.vfat  -F 16  -n '           '  -i 'D6A90B8C'    /dev/sdb1]...
command [mkfs.vfat  -F 16  -n '           '  -i 'D6A90B8C'    /dev/sdb1] returned 0
Mount information: []
-[00][  0%][DIR     ] /
[errno=95, Operation not supported]: oper_restore.c#215,extractar_restore_attr_xattr(): xattr:lsetxattr(/,security.selinux) failed
...
-[00][ 83%][DIR     ] /EFI/BOOT
[errno=95, Operation not supported]: oper_restore.c#215,extractar_restore_attr_xattr(): xattr:lsetxattr(/EFI/BOOT,security.selinux) failed
-[00][ 95%][REGFILE ] /EFI/BOOT/BOOTX64.EFI
[errno=95, Operation not supported]: oper_restore.c#215,extractar_restore_attr_xattr(): xattr:lsetxattr(/EFI/BOOT/BOOTX64.EFI,security.selinux) failed
-[00][100%][REGFILEM] /EFI/BOOT/fbx64.efi
[errno=95, Operation not supported]: oper_restore.c#215,extractar_restore_attr_xattr(): xattr:lsetxattr(/EFI/BOOT/fbx64.efi,security.selinux) failed
Statistics for filesystem 0
* files successfully processed:....regfiles=0, directories=0, symlinks=0, hardlinks=0, specials=0
* files with errors:...............regfiles=17, directories=5, symlinks=0, hardlinks=0, specials=0

exit code from fsarchiver is 1 and there is no way to use it in automated restore because any error gives such exit code.
FSArchiver already have option

-a: allow to save a filesystem when acls and xattrs are not supported

that allows not to save attributes when filesystem mounted without options that exposes these attributes.

It would be nice to have option to do not restore attributes if underlying filesystem does not support them.
Or the option to ignore and do not report attribute restoration errors (at line 214 in oper_restore.c)

That is unfortunate. llistxattr() and friends return these fake extended attributes.

Can you test this? See also if it does not break things with filesystems supporting xattrs.

You will need to recreate the images.

diff --git a/src/oper_save.c b/src/oper_save.c
index ec540a9..8cdd3f9 100644
--- a/src/oper_save.c
+++ b/src/oper_save.c
@@ -615,9 +615,14 @@ int createar_save_file(csavear *save, char *root, char *relpath, struct stat64 *
     }

     // ---- backup other file attributes (xattr + winattr)
-    if (createar_item_xattr(save, root, relpath, statbuf, dicoattr)!=0)
-    {   msgprintf(MSG_STACK, "backup_item_xattr() failed: cannot prepare xattr-dico for item %s\n", relpath);
-        attrerrors++;
+    // selinux can present fake xattrs
+    // do not try to save them if not supported by the filesystem, otherwise restoration will fail
+    if (filesys[save->fstype].support_for_xattr==true)
+    {
+        if (createar_item_xattr(save, root, relpath, statbuf, dicoattr)!=0)
+        {   msgprintf(MSG_STACK, "backup_item_xattr() failed: cannot prepare xattr-dico for item %s\n", relpath);
+            attrerrors++;
+        }
     }

     if (filesys[save->fstype].winattr==true)

(updated patch)

I compiled fsarchiver-0.8.6 from source with patch applied.
I made Oracle Linux 7.9 /boot (xfs) and /boot/efi (fat) filesystems backup with patched fsarchiver.
I restored new archive with unpatched fsarchiver (0.8.6). There was no error messages and restore command finished with exit code 0.
Files in /boot (xfs) filesystem were restored with correct extended attributes (at least I can see the same SELinux attributes after I boot restored system).
I think functionality of this patch should be a part of next fsarchiver release.

@fdupoux What do you think?

@marcosfrm Yes I think this is the right thing to do. Can you please raise a pull request ?