Bug 1365555

Summary: Revert workaround for issues with snapper and btrfs subvolume labels
Product: Red Hat Enterprise Linux 7
Reporter: Ondrej Kozina <okozina>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: low
Version: 7.3
CC: lvrabec, mgrepl, mmalik, okozina, plautrba, pvrabec, ssekidde, xifeng
Target Milestone: rc
Flags: lvrabec: needinfo? (okozina)
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 09:59:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Ondrej Kozina 2016-08-09 14:18:35 UTC
Starting with snapper-0.2.8-2.el7 we relabel snapper-created btrfs subvolumes (or directories) with the proper SELinux type. The workaround bypassing the issue described in bug #1063150 is, in my opinion, no longer needed. The snapperd_t domain should be made confined/more restrictive again. Without making snapperd_t restricted again, testing the fix for bug #1069312 is very difficult.

Comment 1 Ondrej Kozina 2016-08-09 14:31:14 UTC
Probably not a good idea to backport this update to 7.2 z-stream. Note that updating selinux-policy to resolve this bz while skipping the update of snapper to the 0.2.8-2 version at the same time would result in a regression.

Comment 3 Lukas Vrabec 2016-08-09 20:40:04 UTC
Ondrej, 

Did you test it without unconfined_domain() interface? If not, I can provide scratch builds and could you test it? 

Thank you.

Comment 4 Ondrej Kozina 2016-08-10 12:42:18 UTC
I did, but not in any up-to-date RHEL-7.3 build. Anyway, it'd be great to provide the build to the QA contact for bug #1069312. Adding him to CC. I'm afraid there may be some dragons hidden, waking up after we confine snapperd...

Comment 13 Milos Malik 2018-02-08 20:20:31 UTC
RHEL-7.4
========
# rpm -qa snapper\* selinux-policy\* | sort
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
snapper-0.2.8-4.el7.x86_64
snapper-libs-0.2.8-4.el7.x86_64
# ps -efZ | grep snapper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10451 10312  0 15:15 pts/0 00:00:00 grep --color=auto snapper
# gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null
# ps -efZ | grep snapper
system_u:system_r:snapperd_t:s0-s0:c0.c1023 root 10456 1  0 15:15 ?    00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10458 10312  0 15:15 pts/0 00:00:00 grep --color=auto snapper
# 

If the snapperd process was started by the D-Bus server, then it was running as snapperd_t.

RHEL-7.5
========
# rpm -qa snapper\* selinux-policy\* | sort
selinux-policy-3.13.1-186.el7.noarch
selinux-policy-devel-3.13.1-186.el7.noarch
selinux-policy-targeted-3.13.1-186.el7.noarch
snapper-0.2.8-4.el7.x86_64
snapper-libs-0.2.8-4.el7.x86_64
# ps -efZ | grep snapper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27059 8085  0 15:14 pts/0 00:00:00 grep --color=auto snapper
# gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null
# ps -efZ | grep snapper
system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 root 27064 1  0 15:14 ? 00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27066 8085  0 15:14 pts/0 00:00:00 grep --color=auto snapper
# 

If the snapperd process was started by the D-Bus server, then it was running as unconfined_service_t. This is a regression.
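The verification in the comment above boils down to one check: after D-Bus activation, the SELinux type of /usr/sbin/snapperd must be snapperd_t, and unconfined_service_t means the workaround has crept back. The script below is an added example and not part of the bug report or of selinux-policy; it parses `ps -efZ` style output (the two sample blocks are constructed from the lines shown in the comment) and reports whether snapperd is confined, so the same test can be scripted in a QA run or a compliance check instead of read by eye.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from `ps -efZ` output whether
# snapperd runs in its confined domain. The snapperd_t / unconfined_service_t
# contexts are the ones documented on the page; the sample lines are constructed.

# Constructed sample: the RHEL-7.4 case from comment 13 (confined).
PS_OK='system_u:system_r:snapperd_t:s0-s0:c0.c1023 root 10456 1  0 15:15 ?    00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10458 10312  0 15:15 pts/0 00:00:00 grep --color=auto snapper'

# Constructed sample: the RHEL-7.5 case from comment 13 (regressed).
PS_REGRESSED='system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 root 27064 1  0 15:14 ? 00:00:00 /usr/sbin/snapperd'

# snapperd_type PS_OUTPUT
# Prints the SELinux type (third field of the user:role:type:level label) of the
# first process whose command is /usr/sbin/snapperd, or "none" if there is none.
# The grep line in the sample is ignored because its command is not the daemon.
# ps -efZ columns: LABEL UID PID PPID C STIME TTY TIME CMD..., so CMD starts at $9.
snapperd_type() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 9; i <= NF; i++) {
                if ($i == "/usr/sbin/snapperd") {
                    split($1, ctx, ":")
                    print ctx[3]
                    found = 1
                    exit
                }
            }
        }
        END { if (!found) print "none" }'
}

# check_snapperd PS_OUTPUT
# Exit 0 when snapperd is confined, 1 when it runs in an unexpected (unconfined)
# domain, 2 when it is not running at all (D-Bus activation has not happened yet).
check_snapperd() {
    t=$(snapperd_type "$1")
    case "$t" in
        snapperd_t)
            echo "OK: snapperd is confined ($t)"
            return 0 ;;
        none)
            echo "snapperd is not running; trigger it over D-Bus first (see comment 13)"
            return 2 ;;
        *)
            echo "REGRESSION: snapperd runs as $t, expected snapperd_t"
            return 1 ;;
    esac
}

# Offline demonstration on the constructed samples. On a live system you would
# call: check_snapperd "$(ps -efZ)" after the gdbus introspect call from comment 13.
check_snapperd "$PS_OK"
check_snapperd "$PS_REGRESSED" || true
check_snapperd "" || true
```

The domain name is taken from the label's third colon-separated field rather than by matching the whole label, so the MLS range (s0-s0:c0.c1023) does not get in the way, and the check matches only the daemon's command path, so the `grep snapper` line that also appears in the output is not mistaken for the process under test.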

Comment 20 errata-xmlrpc 2018-10-30 09:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111