Bug 1323754

Summary: selinux will prevent snapperd from relabeling btrfs .snapshots subvolume
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 25
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Ondrej Kozina <okozina>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Ben Levenson <benl>
Docs Contact:
CC: dwalsh, lvrabec
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-184.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-21 00:37:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ondrej Kozina 2016-04-04 15:33:06 UTC
Description of problem:

This bug report doesn't affect current snapper yet, but while testing a fix for bug 1247530 I've found SELinux is preventing snapperd from relabeling the btrfs .snapshots subvolume.

The core of the fix is to allow snapper to relabel btrfs subvolumes with the correct context read from the /etc/selinux/targeted/contexts/snapperd_contexts file, which snapperd is unable to do:

type=AVC msg=audit(1459780976.185:680): avc:  denied  { relabelfrom } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1459780976.185:681): avc:  denied  { relabelto } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=1

Comment 1 Ondrej Kozina 2016-04-04 15:34:08 UTC
Also related to bug 1247532

Comment 2 Jan Kurik 2016-07-26 04:37:45 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 3 Fedora Update System 2016-09-15 17:23:35 UTC
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 4 Fedora Update System 2016-09-16 01:23:50 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 5 Fedora Update System 2016-09-21 00:37:01 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.