Bug 1341765

Summary: Snapper permission denied by SELinux when deleting snapshot
Product: [Fedora] Fedora Reporter: Anthony Gargiulo <anthony>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: agk, dwalsh, jsegitz, lvm-team, lvrabec, msnitzer, okozina
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-158.19.fc23 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-29 22:52:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Anthony Gargiulo 2016-06-01 17:41:13 UTC 
Description of problem:
snapper delete fails to delete snapshots because of SELinux permission issues


Version-Release number of selected component (if applicable):
snapper-0.2.8-1.fc23.x86_64

How reproducible:
All the time

Steps to Reproduce:
1. configure snapper dnf plugin to make snapshot every dnf run
2. at later date run `snapper delete 1-50`

Actual results:
* "Deleting snapshot failed" printed to shell
* "2016-06-01 13:28:53 ERR libsnapper(2559) Btrfs.cc(deleteSnapshot):363 - delete snapshot failed, ioctl(BTRFS_IOC_SNAP_DESTROY) failed, errno:1 (Operation not permitted" shows up in /var/log/snapper.log

Expected results:
snapshot(s) should be deleted

Additional info:
from /var/log/messages:
Jun  1 13:16:47 catbug setroubleshoot: SELinux is preventing snapperd from using the sys_admin capability. For complete SELinux messages. run sealert -l d0d54b64-f937-499a-aa06-a1ffcfc4a79e

running that command gave me:
SELinux is preventing snapperd from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp


Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          catbug
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.15.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     catbug
Platform                      Linux catbug 4.4.9-300.fc23.x86_64 #1
                              SMP Wed May 4 23:56:27 UTC 2016 x86_64 x86_64
Alert Count                   8
First Seen                    2016-06-01 13:16:44 EDT
Last Seen                     2016-06-01 13:29:56 EDT
Local ID                      d0d54b64-f937-499a-aa06-a1ffcfc4a79e

Raw Audit Messages
type=AVC msg=audit(1464802196.171:2857): avc:  denied  { sys_admin } for  pid=858 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: snapperd,snapperd_t,snapperd_t,capability,sys_admin
Comment 1 Fedora Update System 2016-09-16 08:37:46 UTC 
selinux-policy-3.13.1-158.24.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
Comment 2 Fedora Update System 2016-09-17 00:53:17 UTC 
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
Comment 3 Fedora Update System 2016-09-29 22:52:49 UTC 
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.