Bug 1323754

Summary: selinux will prevent snapperd from relabeling btrfs .snapshots subvolume
Product: [Fedora] Fedora
Reporter: Ondrej Kozina <okozina>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: high
Docs Contact:
Priority: high
Version: 25
CC: dwalsh, lvrabec
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-184.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-21 00:37:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Ondrej Kozina 2016-04-04 15:33:06 UTC
Description of problem:

This bug report doesn't affect current snapper yet, but while testing a fix for bug 1247530 I've found that SELinux is preventing snapperd from relabeling the btrfs .snapshots subvolume.

The core of the fix is to allow snapper to relabel btrfs subvolumes with the correct context read from the /etc/selinux/targeted/contexts/snapperd_contexts file, which snapperd is unable to do:

type=AVC msg=audit(1459780976.185:680): avc:  denied  { relabelfrom } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1459780976.185:681): avc:  denied  { relabelto } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=1
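
An added triage example, not part of the original report and not the policy change that shipped in the fix: it parses the two AVC records quoted above and groups the denied permissions by source type, target type and object class. The `allow` lines it prints only restate what the denials imply, in the style of audit2allow output; the function names are hypothetical, and it assumes field values contain no spaces.

```python
import re
from collections import defaultdict

# The two AVC records from the report above, copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1459780976.185:680): avc:  denied  { relabelfrom } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1459780976.185:681): avc:  denied  { relabelto } for  pid=3346 comm="snapperd" name=".snapshots" dev="dm-15" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group('fields').split() if '=' in kv)
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '').strip('"'),
        'name': fields.get('name', '').strip('"'),
        # An SELinux context is user:role:type[:mls-range]; the type is the third field.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1: the denial was logged but the access was not blocked.
        'permissive': fields.get('permissive') == '1',
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        grouped[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    return grouped


def as_rules(grouped):
    """Render each group as an audit2allow-style rule string, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


if __name__ == '__main__':
    print('\n'.join(as_rules(summarize(AVC_LINES))))
```

Both records carry permissive=1, so on the reporter's test system the relabel was logged rather than blocked; the same two permissions would be refused in enforcing mode.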

Comment 1 Ondrej Kozina 2016-04-04 15:34:08 UTC
Also related to bug 1247532

Comment 2 Jan Kurik 2016-07-26 04:37:45 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 3 Fedora Update System 2016-09-15 17:23:35 UTC
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 4 Fedora Update System 2016-09-16 01:23:50 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 5 Fedora Update System 2016-09-21 00:37:01 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.