Description of problem: Please provide such function. Such API would be a part of a fix for another issue we have with snapper running on btrfs backend.
Does it mean you need selinux_snapperd_contexts_path() function which returns '/etc/selinux/targeted/contexts/snapperd_contexts' and you'll read this file to get a context?
(In reply to Petr Lautrbach from comment #1)
> Does it mean you need selinux_snapperd_contexts_path() function which
> returns '/etc/selinux/targeted/contexts/snapperd_contexts' and you'll read
> this file to get a context?
Petr, yes. We have been discussing it with Ondrej. Basically he needs to get contexts for mountpoints.
Created attachment 1097124 add selinux_snapperd_contexts_path()
Snapper needs a way to set a proper selinux context on btrfs subvolumes originating in snapshot create command. snapperd_contexts file should contain types supposed to be set in .snapshots directory. The snapperd_contexts file should be provided by selinux-policy packages. The format of the file is up to snapperd.
A scratch build http://koji.fedoraproject.org/koji/taskinfo?taskID=11920303
Usage:
# python3
>>> import selinux
>>> selinux.selinux_snapperd_contexts_path()
'/etc/selinux/targeted/contexts/snapperd_contexts'
Ondrej, is the proposed solution suitable for you? Is it still relevant?
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Hi Petr,
yes I believe so. I already have a prototype code implementing a fix for bug #1247530. Just a question about a contexts file format:
What will be the content? I've tested with a file containing single line:
"system_u:object_r:snapperd_data_t:s0"
Is it correct?
Also, what would content look like in case we'd like to set various selinux contexts in future? Would it be like this?
key0 = "system_u:object_r:snapperd_data_t:s0"
key1 = "system_u:object_r:snapperd_another_data_t:s0"
(In reply to Ondrej Kozina from comment #6)
> Hi Petr,
>
> yes I believe so. I already have a prototype code implementing a fix for bug
> #1247530. Just a question about a contexts file format:
>
> What will be the content? I've tested with a file containing single line:
>
> "system_u:object_r:snapperd_data_t:s0"
>
> Is it correct?
Ah, I see... answering myself though. For starters let's stick with:
snapperd_data = system_u:object_r:snapperd_data_t:s0
Provided the right side of '=' is correct. Also this way I can add more contexts later if needed...
Hi, what's the ETA for the patch to get merged? Doesn't have to be f24, but at least for rawhide...
Created attachment 1169846 libselinux: add selinux_snapperd_contexts_path()
This patch was sent upstream to review. It'll be merged to Fedora as soon as it's accepted. Sorry for the delay.
https://marc.info/?l=selinux&m=146642121022426&w=2
Hi Petr, what about man page for snapperd_contexts file? Do you want me to write it down?
It will be built in rawhide in a while - libselinux-2.5-9.fc25
I will push an update to F24 soon as well.
(In reply to Ondrej Kozina from comment #11)
> Hi Petr,
>
> what about man page for snapperd_contexts file? Do you want me to write it
> down?
We already have snapperd_selinux man page which is generated from selinux-policy. But I don't think there's an easy way to add a section there. For now, I'd go with comments directly in the contexts file.
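Added example, not part of the thread and not snapper or libselinux code: a strict reader for the `key = context` layout settled on in the comments above, which refuses a malformed or missing entry instead of labelling .snapshots with a guessed context. The `#` comment syntax, the context shape check, and the names `parse_snapperd_contexts` and `snapshot_context` are assumptions.

```python
import re

# Assumed context shape: user:role:type:level (the level may itself contain ':').
_CONTEXT_RE = re.compile(r"[\w.]+:[\w.]+:[\w.]+:\S+")


def parse_snapperd_contexts(text):
    """Parse 'key = context' lines into a dict; raise ValueError on bad input."""
    contexts = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and '#' comment lines are skipped.
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key = context'")
        # Accept the quoted form from the earlier comment as well.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if not _CONTEXT_RE.fullmatch(value):
            raise ValueError(f"line {lineno}: malformed context {value!r}")
        if key in contexts:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        contexts[key] = value
    return contexts


def snapshot_context(text, key="snapperd_data"):
    """Return the context stored under key; a missing key is an error, not a default."""
    contexts = parse_snapperd_contexts(text)
    if key not in contexts:
        raise KeyError(f"no {key!r} entry in snapperd_contexts")
    return contexts[key]


# Constructed sample file content, not taken from selinux-policy.
SAMPLE = """\
# context for the .snapshots directory
snapperd_data = system_u:object_r:snapperd_data_t:s0
"""

if __name__ == "__main__":
    # On a real system the text would be read from the file named by
    # selinux.selinux_snapperd_contexts_path().
    print(snapshot_context(SAMPLE))
```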
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-84d1f77e58
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.