RHEL 7 restored from ReaR doesn't boot if custom backup excludes were used for backup

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux 7 system restored by ReaR
  • SELinux in enforcing mode
  • Custom content of BACKUP_PROG_EXCLUDE variable in ReaR configuration was used to create the backup

Issue

  • RHEL 7 system restored from ReaR doesn't finish booting after relabelling the filesystem.
  • Many files from /usr/lib64 are reported as having SELinux label system_u:object_r:tmp_t:s0 during boot after ReaR restore.

Resolution

Approach 1

When adding paths to the BACKUP_PROG_EXCLUDE variable for ReaR, don't drop the default excludes; in particular, /tmp must stay excluded from the backup.

To add the directory /excluded_folder_1/ and the file /excluded_file_2 to the excludes, use the following syntax, which preserves the default values:

BACKUP_PROG_EXCLUDE=("${BACKUP_PROG_EXCLUDE[@]}" '/excluded_folder_1/' '/excluded_file_2')
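As an added example (not part of the article or of ReaR itself), the check below evaluates a local.conf assignment on top of the defaults quoted from default.conf, the way ReaR sources its configuration, and reports whether every default exclude survived. The VAR_DIR value and the two local.conf fragments are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: verify that a BACKUP_PROG_EXCLUDE assignment in local.conf
# keeps the default ReaR excludes (notably '/tmp/*'). Not ReaR code.

VAR_DIR=/var/lib/rear   # assumed value for the example

# Defaults as they appear in /usr/share/rear/conf/default.conf.
default_excludes() {
    BACKUP_PROG_EXCLUDE=( '/tmp/*' '/dev/shm/*' $VAR_DIR/output/\* )
}

# check_excludes LINE...: evaluate local.conf line(s) after the defaults,
# return 0 if every default entry is still in BACKUP_PROG_EXCLUDE, else 1.
check_excludes() {
    default_excludes
    local required=( "${BACKUP_PROG_EXCLUDE[@]}" )
    local line req e found
    for line in "$@"; do
        eval "$line"          # trusted admin config, same as ReaR sourcing it
    done
    for req in "${required[@]}"; do
        found=0
        for e in "${BACKUP_PROG_EXCLUDE[@]}"; do
            [ "$e" = "$req" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing default exclude: $req (/tmp content would be backed up)" >&2
            return 1
        fi
    done
    return 0
}

# Constructed local.conf fragments: the first overwrites the defaults and
# re-includes /tmp, the second appends to them as the article recommends.
BAD_CONF="BACKUP_PROG_EXCLUDE=( '/excluded_folder_1/' '/excluded_file_2' )"
GOOD_CONF="BACKUP_PROG_EXCLUDE=(\"\${BACKUP_PROG_EXCLUDE[@]}\" '/excluded_folder_1/' '/excluded_file_2')"

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    check_excludes "$BAD_CONF"  && echo "BAD_CONF ok"  || echo "BAD_CONF rejected"
    check_excludes "$GOOD_CONF" && echo "GOOD_CONF ok" || echo "GOOD_CONF rejected"
fi
```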

Approach 2

Ensure that RHSA-2018:0913 - Security Advisory is applied to the system before making the backup.

Root Cause

The issue appears when the content of /tmp was not excluded from the backup. Once the backup is restored along with the /tmp content, the structure of files in /tmp causes the /sbin/fixfiles script to fail to relabel all the files needed for a proper boot. The /sbin/fixfiles issue investigated in Bugzilla 1458831 showed that it affected the SELinux context of files symlinked from the /tmp and /var/tmp directories.

By default ReaR excludes the content of /tmp and other directories from backups, as seen in the file /usr/share/rear/conf/default.conf, so this issue is avoided as long as the default excludes are not removed:

...
BACKUP_PROG_EXCLUDE=( '/tmp/*' '/dev/shm/*' $VAR_DIR/output/\* )
...

Diagnostic Steps

The boot after relabelling the filesystem shows many failures to start the needed services, and many files from /usr/lib64 are mislabelled as system_u:object_r:tmp_t:s0:

         Starting Journal Service...
[  ] type=1400 audit(1496829081.229:4): avc:  denied  { open } for  pid=482 comm="systemd-sysctl" path="/usr/lib64/libgcc_s-4.8.5-20150702.so.1" dev="dm-0" ino=9237443 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829081.232:5): avc:  denied  { open } for  pid=487 comm="systemd-journal" path="/usr/lib64/liblzma.so.5.2.2" dev="dm-0" ino=9237594 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829081.233:6): avc:  denied  { open } for  pid=482 comm="systemd-sysctl" path="/usr/lib64/libgcc_s-4.8.5-20150702.so.1" dev="dm-0" ino=9237443 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829081.233:7): avc:  denied  { open } for  pid=482 comm="systemd-sysctl" path="/usr/lib64/libgcc_s-4.8.5-20150702.so.1" dev="dm-0" ino=9237443 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829081.238:8): avc:  denied  { open } for  pid=487 comm="systemd-journal" path="/usr/lib64/liblzma.so.5.2.2" dev="dm-0" ino=9237594 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[FAILED] Failed to start Journal Service.
...
[FAILED] Failed to start Import network configuration from initramfs.
[FAILED] Failed to start Create Volatile Files and Directories.
[FAILED] Failed to start Security Auditing Service.
[  ]  type=1400 audit(1496829131.755:33): avc:  denied  { open } for  pid=650 comm="gssproxy" path="/usr/lib64/libpopt.so.0.0.0" dev="dm-0" ino=9237456 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.756:34): avc:  denied  { open } for  pid=648 comm="irqbalance" path="/usr/lib64/libcap-ng.so.0.0.0" dev="dm-0" ino=9237615 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.756:35): avc:  denied  { open } for  pid=648 comm="irqbalance" path="/usr/lib64/libcap-ng.so.0.0.0" dev="dm-0" ino=9237615 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.756:36): avc:  denied  { open } for  pid=648 comm="irqbalance" path="/usr/lib64/libcap-ng.so.0.0.0" dev="dm-0" ino=9237615 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.762:37): avc:  denied  { open } for  pid=650 comm="gssproxy" path="/usr/lib64/libpopt.so.0.0.0" dev="dm-0" ino=9237456 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.765:38): avc:  denied  { open } for  pid=649 comm="systemd-logind" path="/usr/lib64/librt-2.17.so" dev="dm-0" ino=9237583 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.767:39): avc:  denied  { open } for  pid=649 comm="systemd-logind" path="/usr/lib64/librt-2.17.so" dev="dm-0" ino=9237583 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.769:40): avc:  denied  { open } for  pid=649 comm="systemd-logind" path="/usr/lib64/librt-2.17.so" dev="dm-0" ino=9237583 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.771:41): avc:  denied  { open } for  pid=650 comm="gssproxy" path="/usr/lib64/libpopt.so.0.0.0" dev="dm-0" ino=9237456 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ]  type=1400 audit(1496829131.773:42): avc:  denied  { open } for  pid=656 comm="dmesg" path="/usr/lib64/libc-2.17.so" dev="dm-0" ino=9237504 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[FAILED] Failed to start Login Service.
[FAILED] Failed to start Dump dmesg to /var/log/dmesg.
[FAILED] Failed to start GSSAPI Proxy Daemon.
[FAILED] Failed to start Authorization Manager.
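To confirm this mislabelling from a captured console log or journal dump rather than by eye, the added example below (not part of the article) extracts the distinct /usr/lib64 paths whose target context type is tmp_t from AVC denial lines. The sample log is constructed in the format of the output above and also contains a lib_t denial and a /tmp path, which must not be reported.

```bash
#!/usr/bin/env bash
# Added example: list libraries under /usr/lib64 that AVC denials report
# as tmp_t, which is the symptom of the failed relabel described above.

# tmp_t_mislabels: read AVC lines on stdin; print unique /usr/lib64 paths
# whose tcontext type (third colon-separated field) is tmp_t, sorted.
tmp_t_mislabels() {
    awk '
        /avc: +denied/ {
            path = ""; tctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^path="/)    { path = $i; sub(/^path="/, "", path); sub(/"$/, "", path) }
                if ($i ~ /^tcontext=/) { tctx = $i; sub(/^tcontext=/, "", tctx) }
            }
            split(tctx, c, ":")
            if (path ~ /^\/usr\/lib64\// && c[3] == "tmp_t") print path
        }' | sort -u
}

# count_tmp_t_mislabels: number of distinct mislabelled /usr/lib64 files on stdin.
count_tmp_t_mislabels() {
    tmp_t_mislabels | wc -l | tr -d ' '
}

# Constructed sample log (same format as the console output in the article).
SAMPLE_LOG='[  ] type=1400 audit(1496829081.229:4): avc:  denied  { open } for  pid=482 comm="systemd-sysctl" path="/usr/lib64/libgcc_s-4.8.5-20150702.so.1" dev="dm-0" ino=9237443 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829081.232:5): avc:  denied  { open } for  pid=487 comm="systemd-journal" path="/usr/lib64/liblzma.so.5.2.2" dev="dm-0" ino=9237594 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829081.233:6): avc:  denied  { open } for  pid=482 comm="systemd-sysctl" path="/usr/lib64/libgcc_s-4.8.5-20150702.so.1" dev="dm-0" ino=9237443 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829131.773:42): avc:  denied  { open } for  pid=656 comm="dmesg" path="/usr/lib64/libc-2.17.so" dev="dm-0" ino=9237504 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
[  ] type=1400 audit(1496829131.900:43): avc:  denied  { read } for  pid=700 comm="sample" path="/usr/lib64/libz.so.1" dev="dm-0" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
[  ] type=1400 audit(1496829131.901:44): avc:  denied  { open } for  pid=701 comm="sample" path="/tmp/scratch" dev="dm-0" ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf '%s\n' "$SAMPLE_LOG" | tmp_t_mislabels
fi
```

On a live system the same functions can be fed with `journalctl -b` or `ausearch -m avc` output instead of the sample.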

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.