1

How can I copy Fedora instance to different machine with SELinux enforcing

asked 2017-11-21 23:46:52 -0500

theroark

updated 2017-11-22 19:12:38 -0500

I have a fully operational and somewhat customized instance of Fedora 27 on a partition of a Lenovo laptop (two other partitions run Windows and another Linux distro), and my goal is to copy that instance to another computer.

My Fedora 27 instance on that partition includes all files in /, with only /boot/efi/ on a separate partition (i.e., the EFI partition). I use rEFInd as my boot manager rather than GRUB2. I want to copy the entire partition from my Lenovo and install it on a partition of another machine. But doing so with SELinux set to enforcing leads to a "failed to start user manager for uid 42" error on startup.

I can do this using tar if I set SELinux to permissive before making the copy. Then I just do a variant of this command to tar the partition and copy it to a USB drive: sudo tar -cvpzf /media/USB/Lenovo.tar.gz /. The resulting file can be extracted to a formatted partition on a separate computer using: sudo tar -xvpzf /path/to/backup.tar.gz -C /mnt/path/to/destination/partition --numeric-owner. This works only if (1) SELinux was set to permissive when creating the initial tar file and (2) I copy the hex(?) directory (e.g., dd4c76acf7654c97A07a024c5b8946222) in the source computer's /boot/efi/ to the destination machine's /boot/efi directory. [Note: you also have to change the UUID on the destination machine's /etc/fstab and /boot/refind-linux.conf files to match that partition's UUID].

The problem with this approach is that I cannot then set SELinux to enforcing on the new machine. It will get the same error as if I had copied the source machine with SELinux set to enforcing. I am new to SELinux, so perhaps there is a way to essentially reset the SELinux labels for the new machine. If so, that would be close enough to a solution.

I was coming at it from the other direction, however, by trying to tar the files on the source machine in a manner that maintains the SELinux settings. I tried sudo tar --selinux --acls --xattrs -cvpzf /media/USB/Lenovo.tar.gz / to achieve that end, but it did not work.

I am hoping someone out there in the Fedora world has multiple computers and likes to move instances of their favorite, fully-functioning distro across machines. If so, please help?


1 Answer

3

answered 2017-11-23 02:02:45 -0500

Maybe this helps: run touch /.autorelabel on the target machine and reboot. This sets all SELinux file contexts accordingly on startup (and therefore takes some time).


Comments

Thanks @linuxfabrik. Just so I'm clear, do I run the touch command after installing the SELinux disabled tar? Or after installing the SELinux enabled tar? The problem with the latter is that it won't boot. I did just try it with chroot, but it went too fast (instantaneous) to have worked. But it threw no errors. Please let me know the sequence and SELinux you are suggesting?

theroark ( 2017-11-23 14:16:47 -0500 )

Actually, the chroot option worked fine. Though the command issues instantaneously, it is on reboot that the touch /.autorelabel command does its stuff. It took about 5 mins to spin through and then boot. All is good with the copied install on the target machine, with SELinux functioning. Thank you!!!

Note: Just to be clear, when I say chroot I mean booting the target machine on another partition (or using a Live USB) and then using chroot to access the Fedora install on a separate partition of the target.

theroark ( 2017-11-23 16:21:01 -0500 )
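
The sequence the thread arrives at (extract the copy, fix the UUIDs, then schedule a relabel from outside the copied system) can be scripted as below. This is an added example, not part of the original question or answer; the function names and the /mnt/fedora mount point are assumptions, and the two file paths are the ones named in the question.

```shell
#!/bin/sh
# Added example (not from the thread). Intended to be run from a live USB or
# another installed distro, with the copied Fedora root mounted somewhere such
# as /mnt/fedora (assumed path). Nothing runs until a function is called.

# prepare_copied_root ROOT OLD_UUID NEW_UUID
#   Rewrites the filesystem UUID in the files the question names and
#   schedules a full SELinux relabel for the next boot of the copied system.
prepare_copied_root() {
    root=$1 old=$2 new=$3
    if [ -z "$root" ] || [ -z "$old" ] || [ -z "$new" ]; then
        echo "usage: prepare_copied_root ROOT OLD_UUID NEW_UUID" >&2
        return 2
    fi
    # Refuse to touch a directory that does not look like an SELinux-aware root.
    if [ ! -f "$root/etc/selinux/config" ]; then
        echo "no etc/selinux/config under $root" >&2
        return 1
    fi

    # UUIDs are hex digits and hyphens, so they are safe inside a sed pattern.
    for f in etc/fstab boot/refind-linux.conf; do
        [ -f "$root/$f" ] || continue
        tmp=$(mktemp) || return 1
        # Write back with cat so the file keeps its inode, owner and mode.
        sed "s/$old/$new/g" "$root/$f" > "$tmp" && cat "$tmp" > "$root/$f"
        rm -f "$tmp"
    done

    # Same effect as "touch /.autorelabel" inside a chroot: the marker is
    # picked up at the next boot and file contexts are reset then.
    : > "$root/.autorelabel"
}

# selinux_mode ROOT
#   Prints the mode configured in the copied system (enforcing, permissive
#   or disabled) so it can be checked before rebooting into it.
selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1/etc/selinux/config"
}
```

Typical use would be `prepare_copied_root /mnt/fedora OLD-UUID NEW-UUID` followed by `selinux_mode /mnt/fedora`, with the UUIDs taken from the source machine's /etc/fstab and from blkid on the target partition.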


Stats

Asked: 2017-11-21 23:46:52 -0500

Seen: 394 times

Last updated: Nov 23 '17