Bug 1365555
Summary: | Revert workaround for issues with snapper and btrfs subvolume labels | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ondrej Kozina <okozina>
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, okozina, plautrba, pvrabec, ssekidde, xifeng
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-3.13.1-197.el7 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2018-10-30 09:59:15 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |

Description
Ondrej Kozina
2016-08-09 14:18:35 UTC
Probably not a good idea to backport this update to 7.2 z-stream. Note that update of selinux-policy resolving this bz and skipping update of snapper to 0.2.8-2 version at the same time would result in a regression.

Ondrej, did you test it without unconfined_domain() interface? If not, I can provide scratch builds and could you test it? Thank you.

I did but not in any up-to-date RHEL-7.3 build. Anyway it'd be great to provide the build for QA contact for #bug #1069312. Adding him to CC. I'm afraid there may be some dragons hidden waking up after we confine snapperd...

RHEL-7.4
========

```
# rpm -qa snapper\* selinux-policy\* | sort
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
snapper-0.2.8-4.el7.x86_64
snapper-libs-0.2.8-4.el7.x86_64
# ps -efZ | grep snapper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10451 10312 0 15:15 pts/0 00:00:00 grep --color=auto snapper
# gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null
# ps -efZ | grep snapper
system_u:system_r:snapperd_t:s0-s0:c0.c1023 root 10456 1 0 15:15 ? 00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10458 10312 0 15:15 pts/0 00:00:00 grep --color=auto snapper
#
```

If the snapperd process was started by D-bus server then it was running as snapperd_t.

RHEL-7.5
========

```
# rpm -qa snapper\* selinux-policy\* | sort
selinux-policy-3.13.1-186.el7.noarch
selinux-policy-devel-3.13.1-186.el7.noarch
selinux-policy-targeted-3.13.1-186.el7.noarch
snapper-0.2.8-4.el7.x86_64
snapper-libs-0.2.8-4.el7.x86_64
# ps -efZ | grep snapper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27059 8085 0 15:14 pts/0 00:00:00 grep --color=auto snapper
# gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null
# ps -efZ | grep snapper
system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 root 27064 1 0 15:14 ? 00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27066 8085 0 15:14 pts/0 00:00:00 grep --color=auto snapper
#
```

If the snapperd process was started by D-bus server then it was running as unconfined_service_t. This is a regression.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
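
The manual comparison in the RHEL-7.4 and RHEL-7.5 test runs above can be scripted; the following is an added example, not part of the original bug report or of any Red Hat test suite. It reads `ps -efZ` output and reports the SELinux type of `/usr/sbin/snapperd`; the function names and the default expected type `snapperd_t` are assumptions of this example.

```shell
#!/bin/sh
# Constructed samples: the snapperd and grep lines copied from the two
# `ps -efZ` outputs quoted in this bug (RHEL-7.4 run, then RHEL-7.5 run).
SAMPLE_74='system_u:system_r:snapperd_t:s0-s0:c0.c1023 root 10456 1 0 15:15 ? 00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10458 10312 0 15:15 pts/0 00:00:00 grep --color=auto snapper'
SAMPLE_75='system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 root 27064 1 0 15:14 ? 00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27066 8085 0 15:14 pts/0 00:00:00 grep --color=auto snapper'

# snapperd_type (hypothetical helper): read `ps -efZ` output on stdin and
# print the SELinux type (third field of the context) of the snapperd daemon.
# Matching the CMD column exactly keeps the `grep snapper` process out.
# Exit status 1 means no snapperd process was listed.
snapperd_type() {
    awk '$9 == "/usr/sbin/snapperd" {
             split($1, ctx, ":"); print ctx[3]; found = 1; exit
         }
         END { if (!found) exit 1 }'
}

# check_snapperd_confined (hypothetical helper): compare the running type
# with the expected one (default snapperd_t, an assumption of this example).
# Returns 0 = expected domain, 1 = other domain, 2 = snapperd not running.
check_snapperd_confined() {
    expected=${1:-snapperd_t}
    dom=$(snapperd_type) || { echo "snapperd is not running"; return 2; }
    if [ "$dom" = "$expected" ]; then
        echo "OK: snapperd runs as $dom"
    else
        echo "REGRESSION: snapperd runs as $dom, expected $expected"
        return 1
    fi
}

# Demo on the embedded samples. On a live system, D-Bus-activate the daemon
# with the gdbus command from the bug, then: ps -efZ | check_snapperd_confined
for sample in "$SAMPLE_74" "$SAMPLE_75"; do
    printf '%s\n' "$sample" | check_snapperd_confined || true
done
```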