Bug 1247532 - Provide libselinux function to get a path to custom selinux context for snapperd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libselinux
Version: 24
Assigned To: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Blocks: 1247530
Reported: 2015-07-28 05:11 EDT by Ondrej Kozina
Modified: 2016-07-19 20:21 EDT
Fixed In Version: libselinux-2.5-9.fc24
Doc Type: Bug Fix
Clones: 1247533
Last Closed: 2016-07-19 20:21:28 EDT
Type: Bug

Attachments:
add selinux_snapperd_contexts_path() (3.12 KB, patch), 2015-11-20 06:35 EST, Petr Lautrbach
libselinux: add selinux_snapperd_contexts_path() (3.65 KB, text/plain), 2016-06-20 07:13 EDT, Petr Lautrbach

Description Ondrej Kozina 2015-07-28 05:11:29 EDT
Description of problem:

Please provide such a function. Such an API would be part of a fix for another issue we have with snapper running on the btrfs backend.
Comment 1 Petr Lautrbach 2015-07-28 05:28:55 EDT
Does it mean you need selinux_snapperd_contexts_path() function which returns '/etc/selinux/targeted/contexts/snapperd_contexts' and you'll read this file to get a context?
Comment 2 Miroslav Grepl 2015-07-28 05:42:06 EDT
(In reply to Petr Lautrbach from comment #1)
> Does it mean you need selinux_snapperd_contexts_path() function which
> returns '/etc/selinux/targeted/contexts/snapperd_contexts' and you'll read
> this file to get a context?

Petr,
yes. We have been discussing it with Ondrej. Basically he needs to get contexts for mountpoints.
Comment 3 Petr Lautrbach 2015-11-20 06:35 EST
Created attachment 1097124 [details]
add selinux_snapperd_contexts_path()

Snapper needs a way to set a proper selinux context on btrfs
subvolumes originating in snapshot create command. snapperd_contexts
file should contain types supposed to be set in .snapshots directory.

The snapperd_contexts file should be provided by selinux-policy packages. The format of the file is up to snapperd.

A scratch build http://koji.fedoraproject.org/koji/taskinfo?taskID=11920303

Usage:

# python3
>>> import selinux
>>> selinux.selinux_snapperd_contexts_path()
'/etc/selinux/targeted/contexts/snapperd_contexts'
Comment 4 Petr Lautrbach 2015-11-20 06:38:59 EST
Ondrej, is the proposed solution suitable for you? Is it still relevant?
Comment 5 Jan Kurik 2016-02-24 08:29:04 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 6 Ondrej Kozina 2016-03-21 08:49:26 EDT
Hi Petr,

yes I believe so. I already have a prototype code implementing a fix for bug #1247530. Just a question about a contexts file format:

What will be the content? I've tested with a file containing single line:

"system_u:object_r:snapperd_data_t:s0"

Is it correct?

Also, what would content look like in case we'd like to set various selinux contexts in future? Would it be like this?

key0 = "system_u:object_r:snapperd_data_t:s0"
key1 = "system_u:object_r:snapperd_another_data_t:s0"
Comment 7 Ondrej Kozina 2016-03-21 09:34:16 EDT
(In reply to Ondrej Kozina from comment #6)
> Hi Petr,
> 
> yes I believe so. I already have a prototype code implementing a fix for bug
> #1247530. Just a question about a contexts file format:
> 
> What will be the content? I've tested with a file containing single line:
> 
> "system_u:object_r:snapperd_data_t:s0"
> 
> Is it correct?

Ah, I see... answering myself though. For starters let's stick with:

snapperd_data = system_u:object_r:snapperd_data_t:s0

Provided the right side of '=' is correct. Also this way I can add more contexts later if needed...
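
The `key = context` layout settled on in comment 7, parsed and validated, as an added example that is not part of the bug report, libselinux or snapper. It assumes `#` comment lines and optional double quotes; `parse_snapperd_contexts`, `split_context` and `load_snapperd_contexts` are hypothetical names, and only `selinux.selinux_snapperd_contexts_path()` comes from the page.

```python
import re

# Constructed sample in the "key = context" form proposed in comment 7.
# '#' comment lines and optional double quotes are assumptions of this sketch.
SAMPLE = '''\
# contexts applied by snapperd to snapshot subvolumes
snapperd_data = system_u:object_r:snapperd_data_t:s0
other_data = "system_u:object_r:snapperd_another_data_t:s0:c0.c1023"
'''

_FIELD = re.compile(r"^[A-Za-z0-9_.\-]+$")


def split_context(context):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3 or not all(_FIELD.match(p) for p in parts[:3]):
        raise ValueError("malformed SELinux context: %r" % context)
    return tuple(parts)


def parse_snapperd_contexts(text):
    """Return {key: context} and reject anything that is not key = context."""
    contexts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if not sep or not _FIELD.match(key):
            raise ValueError("line %d: expected 'key = context'" % lineno)
        if key in contexts:
            raise ValueError("line %d: duplicate key %r" % (lineno, key))
        split_context(value)  # fail closed on a context that cannot be valid
        contexts[key] = value
    return contexts


def load_snapperd_contexts():
    """Read the file at the path libselinux reports (needs the selinux bindings)."""
    import selinux
    with open(selinux.selinux_snapperd_contexts_path()) as fh:
        return parse_snapperd_contexts(fh.read())


if __name__ == "__main__":
    print(parse_snapperd_contexts(SAMPLE))
```

Rejecting a malformed entry before it reaches a labeling call keeps a typo in the policy-shipped file from silently leaving snapshot subvolumes with an unintended label.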
Comment 8 Ondrej Kozina 2016-06-13 09:04:30 EDT
Hi, what's the ETA for the patch to get merged? Doesn't have to be f24, but at least for rawhide...
Comment 9 Petr Lautrbach 2016-06-20 07:13 EDT
Created attachment 1169846 [details]
libselinux: add selinux_snapperd_contexts_path()

This patch was sent upstream for review. It'll be merged to Fedora as soon as it's accepted.

Sorry for the delay.
Comment 10 Petr Lautrbach 2016-06-20 07:19:51 EDT
https://marc.info/?l=selinux&m=146642121022426&w=2
Comment 11 Ondrej Kozina 2016-06-23 09:46:00 EDT
Hi Petr,

what about man page for snapperd_contexts file? Do you want me to write it down?
Comment 12 Petr Lautrbach 2016-06-27 07:43:12 EDT
It will be built in rawhide in a while - libselinux-2.5-9.fc25

I will push an update to F24 soon as well.
Comment 13 Petr Lautrbach 2016-06-27 07:55:19 EDT
(In reply to Ondrej Kozina from comment #11)
> Hi Petr,
> 
> what about man page for snapperd_contexts file? Do you want me to write it
> down?

We already have the snapperd_selinux man page, which is generated from selinux-policy. But I don't think there's an easy way to add a section there. For now, I'd go with comments directly in the contexts file.
Comment 14 Fedora Update System 2016-07-15 07:54:19 EDT
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 have been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-84d1f77e58
Comment 15 Fedora Update System 2016-07-19 20:20:49 EDT
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 have been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
