Hide Forgot
Starting with snapper-0.2.8-2.el7 we relabel snapper created btrfs subvolumes (or directories) with proper selinux type. The workaround bypassing the issue described in bug #1063150 is, in my opinion, no longer needed. The snapperd_t domain should be made confined/more restrictive again. Without making snapperd_t restricted again, testing the fix for bug #1069312 is very difficult
Probably not good idea to backport this update to 7.2 z-stream. Note that update of selinux-policy resolving this bz and skipping update of snapper to 0.2.8-2 version in the same time would result in a regression.
Ondrej, Did you test it without unconfined_domain() interface? If not, I can provide scratch builds and could you test it? Thank you.
I did but not in any up-to-date RHEL-7.3 build. Anyway it'd be great to provide the build for QA contact for #bug #1069312. Adding him on CC'ed. I'm afraid there may be some dragons hidden waking up after we confine snapperd...
RHEL-7.4 ======== # rpm -qa snapper\* selinux-policy\* | sort selinux-policy-3.13.1-166.el7.noarch selinux-policy-targeted-3.13.1-166.el7.noarch snapper-0.2.8-4.el7.x86_64 snapper-libs-0.2.8-4.el7.x86_64 # ps -efZ | grep snapper unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10451 10312 0 15:15 pts/0 00:00:00 grep --color=auto snapper # gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null # ps -efZ | grep snapper system_u:system_r:snapperd_t:s0-s0:c0.c1023 root 10456 1 0 15:15 ? 00:00:00 /usr/sbin/snapperd unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10458 10312 0 15:15 pts/0 00:00:00 grep --color=auto snapper # If the snapperd process was started by D-bus server then it was running as snapperd_t. RHEL-7.5 ======== # rpm -qa snapper\* selinux-policy\* | sort selinux-policy-3.13.1-186.el7.noarch selinux-policy-devel-3.13.1-186.el7.noarch selinux-policy-targeted-3.13.1-186.el7.noarch snapper-0.2.8-4.el7.x86_64 snapper-libs-0.2.8-4.el7.x86_64 # ps -efZ | grep snapper unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27059 8085 0 15:14 pts/0 00:00:00 grep --color=auto snapper # gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null # ps -efZ | grep snapper system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 root 27064 1 0 15:14 ? 00:00:00 /usr/sbin/snapperd unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27066 8085 0 15:14 pts/0 00:00:00 grep --color=auto snapper # If the snapperd process was started by D-bus server then it was running as unconfined_service_t. This is a regression.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111