Bug 811532

Summary: feature request: add zfs to the list of xattr supported file systems
Product: Red Hat Enterprise Linux 6
Reporter: Phil <beaaegicfqmq6rykaqaakty3lqcg6btv>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: low
Priority: unspecified
Version: 6.2
CC: dwalsh, ebenes, mmalik, mtruneck
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-146.el6
Doc Type: Bug Fix
Clone Of:
: 977047 (view as bug list) Environment:
Last Closed: 2012-06-20 12:33:24 UTC
Type: Bug

Description Phil 2012-04-11 10:56:16 UTC
Description of problem:

selinux-policy doesn't know about zfs so it uses selinux mountpoint labeling instead of xattr.

Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-126.el6.10

How reproducible:

try to use selinux contexts on a zfs filesystem

Steps to Reproduce:
1. compile & install spl/zfs 0.6.0-rc8 (http://zfsonlinux.org/)
2. add a zpool / zfs and mount it
3. see dmesg "SELinux: initialized (dev zfs, type zfs), uses mountpoint labeling"
4. chcon ...
  
Actual results:

permission denied when trying to set a selinux context

Expected results:

the context to be changed/applied

Additional info:

see also: https://github.com/zfsonlinux/zfs/issues/220
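
Added example, not part of the original report: a shell helper that parses kernel log lines of the form quoted in step 3 and lists the filesystems SELinux initialized with mountpoint labeling, the state in which per-file chcon is refused. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Classify SELinux labeling behaviour per filesystem from kernel log lines:
#   SELinux: initialized (dev <dev>, type <fstype>), uses <behaviour>

# Constructed sample input (not captured from a real host).
sample_log() {
cat <<'EOF'
[   12.301] SELinux: initialized (dev sda1, type ext4), uses xattr
[   12.410] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[  310.772] SELinux: initialized (dev zfs, type zfs), uses mountpoint labeling
[  311.004] EXT4-fs (sda1): re-mounted. Opts: (null)
EOF
}

# Print "dev<TAB>fstype<TAB>behaviour" for every SELinux init line on stdin.
# Lines that are not SELinux init messages are ignored.
labeling_report() {
    awk '
    match($0, /SELinux: initialized \(dev [^,]+, type [^)]+\), /) {
        head = substr($0, RSTART, RLENGTH)
        behaviour = substr($0, RSTART + RLENGTH)
        sub(/^SELinux: initialized \(dev /, "", head)
        sub(/\), $/, "", head)
        split(head, f, ", type ")
        printf "%s\t%s\t%s\n", f[1], f[2], behaviour
    }'
}

# Print "dev fstype" for filesystems where one context covers the whole
# mount instead of being stored per file in security.selinux xattrs.
# Note: a mount made deliberately with the context= option reports the
# same message, so check the mount options before treating it as a gap.
mountpoint_labeled() {
    labeling_report |
        awk -F '\t' '$3 == "uses mountpoint labeling" { print $1, $2 }' |
        sort -u
}

# Demo on the constructed sample; on a live host use: dmesg | mountpoint_labeled
sample_log | mountpoint_labeled
```
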

Comment 2 Daniel Walsh 2012-04-11 19:43:03 UTC
Does zfs support xattrs?

Comment 3 Phil 2012-04-11 21:21:52 UTC
Yes it does. Since 0.6.0-rc7 sa based xattrs are implemented: https://github.com/zfsonlinux/zfs/issues/443

Comment 4 Miroslav Grepl 2012-04-16 12:46:53 UTC
I believe we should add it to RHEL6.3.

Comment 6 Michal Trunecka 2012-05-07 13:07:50 UTC
VERIFIED - see following steps

Using selinux-policy-3.7.19-147.el6.noarch

1. Installed zfs 0.6.0-rc8 downloaded from http://zfsonlinux.org/

2. Made zfs filesystem with "nocontext" => using xattr for selinux context
     mkdir -p /usr/images
     mkdir -p /mnt/zfs
     cd /usr/images
     dd if=/dev/zero of=image.zfs count=409600
     zpool create -m /mnt/zfs -o nocontext pool1 /usr/images/image.zfs 

3. Successfully changed the context of a file within the ZFS file system

     [root@dhcp-24-198 images]# cd /mnt/zfs/
     [root@dhcp-24-198 zfs]# touch file.txt
     [root@dhcp-24-198 zfs]# ls -laZ file.txt
     -rw-r--r--. root root unconfined_u:object_r:tmp_t:s0   file.txt
     [root@dhcp-24-198 zfs]# chcon system_u:object_r:usr_t:s0 file.txt
     [root@dhcp-24-198 zfs]# ls -laZ file.txt
     -rw-r--r--. root root system_u:object_r:usr_t:s0       file.txt

Comment 7 Phil 2012-05-07 13:51:43 UTC
Thanks for your feedback.

Just out of curiosity -- how did you manage to create a filesystem with "nocontext"?

$ zpool create -m /mnt/zfs -o nocontext pool1 /usr/images/image.zfs
missing '=' for -o option

I suppose you were not affected by https://github.com/zfsonlinux/zfs/issues/671 and you were trying this on a "real" RHEL 6.x (!= (centos|sl)), right?

Comment 8 errata-xmlrpc 2012-06-20 12:33:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html