Security/Tizen 5.X db policy recovery


Security-Manager DB recovery

Starting with security-manager version 1.4.3, recovery of the security-manager DB (/opt/dbspace/.security-manager.db) is supported.

Precondition

A backup of the security-manager DB should be stored in a read-only (RO) area with the command below.

# security-manager-cmd --backup

The backup DB files are then stored under "/usr/share/security-manager/.security-manager.db". Generally, "/usr/share/..." is set as RO only at run time, so this command should be run while the image is being created, for example in "generic-security.post" in kickstart (ks).

Workflow

When the security-manager service starts, it verifies whether the DB files are broken. Broken conditions:

  1. The DB integrity check fails.
  2. The DB is empty or does not exist.
  3. The sample DB queries fail to finish running.
  4. The DB update fails.

If the DB is broken:

  • The backup DB (/usr/share/security-manager/.security-manager.db) is copied to /opt/dbspace/.security-manager.db.
  • The flag file "/opt/dbspace/.security-manager.db-recovered" is created.

Note that the backup DB contains rules for pre-loaded applications.

Recover user-installed application rules.

Because the backup DB contains only rules for pre-loaded applications, additional steps are required to recover the rules for user-installed applications.

1. Check whether "/opt/dbspace/.security-manager.db-recovered" exists.
2. If it exists, run the command below to initialize rules for user-installed applications.
# /usr/bin/pkg_initdb --rw --keep-db
3. After that, remove "/opt/dbspace/.security-manager.db-recovered".
# rm -f /opt/dbspace/.security-manager.db-recovered

Cynara policy (buckets) recovery

Starting with cynara version 0.14.24, recovery of the cynara DB (rule files written as text in /var/cynara/db/*) is supported.

Precondition

A backup of the cynara DB should be stored in a read-only (RO) area with the command below.

# cyad --backup

This command needs to be run while the image is being created, because it supports only off-line mode, for example in "generic-security.post" in kickstart (ks). The backup DB file is then stored in "/usr/share/security-manager/.security-manager.db".

Workflow

When the cynara service starts, it verifies whether the DB files are broken. If they are broken:

  • The broken DB (/var/cynara/db/) is copied to "/var/cynara/db-broken". (It is not used anymore; it is kept only for debugging purposes.)
  • The backup DB files (/usr/share/cynara/db/*) are copied to /var/cynara/db/, and the flag file "/var/cynara/db-restored" is created.

Note that the backup DB contains rules for pre-loaded applications.

Recover user-installed application rules.

Because the backup DB contains only rules for pre-loaded applications, additional steps are required to recover the rules for user-installed applications.

1. Check whether "/var/cynara/db-restored" exists.
2. If it exists, run the command below to initialize rules for user-installed applications.
# /usr/bin/pkg_initdb --rw --keep-db
3. After that, remove "/var/cynara/db-restored".
# rm -f /var/cynara/db-restored
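
The two flag-file procedures above (security-manager and cynara) combined into one boot-time script; this is an added example, not part of the original wiki page or of the Tizen code. The function name restore_user_app_rules and the SM_FLAG, CYNARA_FLAG and PKG_INITDB override variables are hypothetical, and a single pkg_initdb run is assumed to serve both flags because the page gives the same command for each. Flags are removed only after pkg_initdb succeeds, so a failed run is retried on the next boot.

```shell
#!/bin/sh
# Added example (not from the wiki page): re-initialize rules for
# user-installed applications after a security-manager or cynara DB restore.
# Flag paths and the command are the ones given on the page; the override
# variables are hypothetical and exist so the logic can be tested offline.
SM_FLAG="${SM_FLAG:-/opt/dbspace/.security-manager.db-recovered}"
CYNARA_FLAG="${CYNARA_FLAG:-/var/cynara/db-restored}"
PKG_INITDB="${PKG_INITDB:-/usr/bin/pkg_initdb}"

# Returns 0 when nothing was pending or the rules were re-initialized,
# 1 when pkg_initdb failed (flags are then left in place for a retry).
restore_user_app_rules() {
    sm_hit=0
    cy_hit=0
    if [ -e "$SM_FLAG" ]; then sm_hit=1; fi
    if [ -e "$CYNARA_FLAG" ]; then cy_hit=1; fi

    # Neither service fell back to its backup DB: nothing to do.
    if [ "$sm_hit" -eq 0 ] && [ "$cy_hit" -eq 0 ]; then
        return 0
    fi

    # Assumption: one run covers both flags, since the page lists the
    # same command for the security-manager and the cynara procedure.
    if ! "$PKG_INITDB" --rw --keep-db; then
        echo "pkg_initdb failed; recovery flags kept for retry" >&2
        return 1
    fi

    # Clear only the flags that were present when the run started.
    if [ "$sm_hit" -eq 1 ]; then rm -f "$SM_FLAG"; fi
    if [ "$cy_hit" -eq 1 ]; then rm -f "$CYNARA_FLAG"; fi
    return 0
}

# Execute only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then restore_user_app_rules; fi
```
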