Bug 1323754 - selinux will prevent snapperd from relabeling btrfs .snapshots subvolume
Summary: selinux will prevent snapperd from relabeling btrfs .snapshots subvolume
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 25
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
Reported: 2016-04-04 15:33 UTC by Ondrej Kozina
Modified: 2016-09-21 00:37 UTC (History)

Fixed In Version: selinux-policy-3.13.1-184.fc24
Doc Type: Bug Fix
Last Closed: 2016-09-21 00:37:01 UTC
Type: Bug

Description Ondrej Kozina 2016-04-04 15:33:06 UTC
Description of problem:

This bug report doesn't affect current snapper yet, but while testing a fix for bug 1247530 I've found SELinux is preventing snapperd from relabeling the btrfs .snapshots subvolume.

The core of the fix is to allow snapper to relabel btrfs subvolumes with the correct context read from the /etc/selinux/targeted/contexts/snapperd_contexts file, which snapperd is unable to do:

type=AVC msg=audit(1459780976.185:680): avc:  denied  { relabelfrom } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1459780976.185:681): avc:  denied  { relabelto } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=1
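
Added example, not part of the original report and not the policy change that was shipped: a Python sketch that parses the two AVC records quoted above and derives the raw allow rules they correspond to, similar to what audit2allow would suggest. The function names are hypothetical; note that both records carry permissive=1, so the accesses were logged rather than blocked.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the bug description.
AVC_LINES = [
    'type=AVC msg=audit(1459780976.185:680): avc:  denied  { relabelfrom } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1459780976.185:681): avc:  denied  { relabelto } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    # The MLS range can itself contain ':' (s0-s0:c0.c1023), so split at most 3 times.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other audit records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1: the denial was logged but the access was not blocked.
        "enforced": fields.get("permissive", "0") != "1",
    }

def allow_rules(lines):
    """Group denials by (source, target, class) and render raw allow rules."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

print("\n".join(allow_rules(AVC_LINES)))
```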

Comment 1 Ondrej Kozina 2016-04-04 15:34:08 UTC
Also related to bug 1247532

Comment 2 Jan Kurik 2016-07-26 04:37:45 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 3 Fedora Update System 2016-09-15 17:23:35 UTC
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 4 Fedora Update System 2016-09-16 01:23:50 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 5 Fedora Update System 2016-09-21 00:37:01 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

