Bug 814933

Summary: emacs cannot edit files with selinux contexts mounted using guestmount
Product: [Community] Virtualization Tools
Component: libguestfs
Reporter: Richard W.M. Jones <rjones>
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: dyasny, mbooth, virt-maint
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-04-21 14:54:28 UTC

Description Richard W.M. Jones 2012-04-21 11:39:51 UTC
Description of problem:

Mount an image with guestmount (note the --selinux option makes
no difference):

  mkdir /tmp/mnt
  guestmount -a disk.img -i [--selinux] /tmp/mnt

Now edit a file like /etc/shadow in the disk image:

  emacs -nw /tmp/mnt/etc/shadow

When you come to save it, emacs complains:

  Doing lsetfilecon: operation not supported, /tmp/mnt/etc/shadow

and refuses to save the file.

Version-Release number of selected component (if applicable):

1.17.32

How reproducible:

100%

Comment 1 Richard W.M. Jones 2012-04-21 12:43:33 UTC
lsetfilecon is a library function in selinux:

  int lsetfilecon_raw(const char *path, const security_context_t context)
  {
        return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
                         0);
  }

  int lsetfilecon(const char *path, const security_context_t context)
  {
        int ret;
        security_context_t rcontext;

        if (selinux_trans_to_raw_context(context, &rcontext))
                return -1;

        ret = lsetfilecon_raw(path, rcontext);

        freecon(rcontext);

        return ret;
  }

strace confirms this:

  chmod("/tmp/mnt/etc/shadow", 0200)      = 0
  lgetxattr("/tmp/mnt/etc/shadow", "security.selinux", "system_u:object_r:fusefs_t:s0", 255) = 30
  lsetxattr("/tmp/mnt/etc/shadow", "security.selinux", "system_u:object_r:fusefs_t:s0", 30, 0) = -1 EOPNOTSUPP (Operation not supported)

So it's more accurate to say that 'lsetxattr' doesn't
work in guestmount.

We do implement this in guestmount, so it's not entirely
clear why it doesn't work / isn't being called.
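
The get-then-set sequence in the strace above can be run against any path to check whether a mount accepts a write-back of security.selinux before a file on it is edited. This is an added example, not part of the original report and not libguestfs or libselinux code; it assumes Linux, and the names classify and probe_label are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"   /* the string seen in the strace */

enum label_verdict {
    LABEL_WRITABLE,    /* read and write-back both succeeded */
    LABEL_READ_ONLY,   /* label readable, write-back unsupported (this bug) */
    LABEL_ABSENT,      /* no label, or xattrs unsupported: nothing to restore */
    LABEL_ERROR        /* any other failure; errno holds the cause */
};

/* Map the results of the two calls to a verdict (kept pure so it can be tested). */
enum label_verdict classify(ssize_t get_rc, int get_errno, int set_rc, int set_errno)
{
    if (get_rc < 0)
        return (get_errno == ENODATA || get_errno == EOPNOTSUPP) ? LABEL_ABSENT : LABEL_ERROR;
    if (set_rc == 0)
        return LABEL_WRITABLE;
    return set_errno == EOPNOTSUPP ? LABEL_READ_ONLY : LABEL_ERROR;
}

/* Read the label, then write the identical bytes back, as in the strace.
 * The label value is unchanged; only the inode's ctime may be updated. */
enum label_verdict probe_label(const char *path)
{
    char ctx[256];
    int get_errno = 0, set_rc = -1, set_errno = 0;
    ssize_t n = lgetxattr(path, SELINUX_XATTR, ctx, sizeof ctx - 1);
    if (n < 0) get_errno = errno;
    else {
        set_rc = lsetxattr(path, SELINUX_XATTR, ctx, (size_t)n, 0);
        if (set_rc < 0) set_errno = errno;
    }
    enum label_verdict v = classify(n, get_errno, set_rc, set_errno);
    errno = get_errno ? get_errno : set_errno;   /* expose the cause to the caller */
    return v;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "writable", "read-only", "absent", "error" };
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[probe_label(argv[i])]);
    return 0;
}
```

A "read-only" verdict corresponds to the lgetxattr success followed by lsetxattr EOPNOTSUPP shown in the strace.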

Comment 2 Richard W.M. Jones 2012-04-21 14:54:28 UTC

*** This bug has been marked as a duplicate of bug 691389 ***