Bug 1365555 - Revert workaround for issues with snapper and btrfs subvolume labels [NEEDINFO]
Summary: Revert workaround for issues with snapper and btrfs subvolume labels
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-08-09 14:18 UTC by Ondrej Kozina
Modified: 2018-10-30 10:00 UTC (History)
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 09:59:15 UTC
Target Upstream Version:
lvrabec: needinfo? (okozina)




Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1069312 None None None Never
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:00:02 UTC

Internal Links: 1069312

Description Ondrej Kozina 2016-08-09 14:18:35 UTC
Starting with snapper-0.2.8-2.el7 we relabel snapper-created btrfs subvolumes (or directories) with the proper SELinux type. The workaround bypassing the issue described in bug #1063150 is, in my opinion, no longer needed. The snapperd_t domain should be made confined/more restrictive again. Without making snapperd_t restricted again, testing the fix for bug #1069312 is very difficult.

Comment 1 Ondrej Kozina 2016-08-09 14:31:14 UTC
Probably not a good idea to backport this update to 7.2 z-stream. Note that an update of selinux-policy resolving this bz while skipping the update of snapper to version 0.2.8-2 at the same time would result in a regression.

Comment 3 Lukas Vrabec 2016-08-09 20:40:04 UTC
Ondrej, 

Did you test it without the unconfined_domain() interface? If not, I can provide scratch builds; could you test them?

Thank you.

Comment 4 Ondrej Kozina 2016-08-10 12:42:18 UTC
I did, but not in any up-to-date RHEL-7.3 build. Anyway, it'd be great to provide the build to the QA contact for bug #1069312. Adding him to CC. I'm afraid there may be some hidden dragons waking up after we confine snapperd...

Comment 13 Milos Malik 2018-02-08 20:20:31 UTC
RHEL-7.4
========
# rpm -qa snapper\* selinux-policy\* | sort
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
snapper-0.2.8-4.el7.x86_64
snapper-libs-0.2.8-4.el7.x86_64
# ps -efZ | grep snapper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10451 10312  0 15:15 pts/0 00:00:00 grep --color=auto snapper
# gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null
# ps -efZ | grep snapper
system_u:system_r:snapperd_t:s0-s0:c0.c1023 root 10456 1  0 15:15 ?    00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10458 10312  0 15:15 pts/0 00:00:00 grep --color=auto snapper
# 

If the snapperd process was started by the D-Bus server, it was running as snapperd_t.

RHEL-7.5
========
# rpm -qa snapper\* selinux-policy\* | sort
selinux-policy-3.13.1-186.el7.noarch
selinux-policy-devel-3.13.1-186.el7.noarch
selinux-policy-targeted-3.13.1-186.el7.noarch
snapper-0.2.8-4.el7.x86_64
snapper-libs-0.2.8-4.el7.x86_64
# ps -efZ | grep snapper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27059 8085  0 15:14 pts/0 00:00:00 grep --color=auto snapper
# gdbus introspect --system --object-path / --dest org.opensuse.Snapper >& /dev/null
# ps -efZ | grep snapper
system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 root 27064 1  0 15:14 ? 00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27066 8085  0 15:14 pts/0 00:00:00 grep --color=auto snapper
# 

If the snapperd process was started by the D-Bus server, it was running as unconfined_service_t. This is a regression.
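The check in comment 13 (start snapperd through D-Bus activation, then read its domain from `ps -efZ`) is easy to turn into a repeatable test that flags the regression instead of leaving it to eyeball inspection. The script below is an added example, not code from the bug report or from the snapper or selinux-policy projects; it parses `ps -efZ`-style output and reports whether a given binary runs in its expected confined domain. The sample inputs are constructed to match the shape of the outputs quoted above, the binary path `/usr/sbin/snapperd` and the domain names are taken from the comment, and the column layout assumed is the standard `ps -efZ` one (LABEL UID PID PPID C STIME TTY TIME CMD).

```shell
#!/bin/sh
# Added example (not from the bug report or from the snapper / selinux-policy
# projects): verify that a D-Bus-activated service landed in its confined SELinux
# domain rather than unconfined_service_t, by parsing `ps -efZ`-style output.

# Constructed sample inputs, shaped like the `ps -efZ | grep snapper` outputs
# quoted in comment 13 (RHEL-7.4: confined; RHEL-7.5: regression; third: not started).
PS_CONFINED='system_u:system_r:snapperd_t:s0-s0:c0.c1023 root 10456 1  0 15:15 ?    00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10458 10312  0 15:15 pts/0 00:00:00 grep --color=auto snapper'

PS_REGRESSED='system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 root 27064 1  0 15:14 ? 00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27066 8085  0 15:14 pts/0 00:00:00 grep --color=auto snapper'

PS_NOT_RUNNING='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10451 10312  0 15:15 pts/0 00:00:00 grep --color=auto snapper'

# domain_of PS_OUTPUT BINARY
# Prints the SELinux type (third field of the context) of the first process whose
# CMD column (9th field of `ps -efZ`: LABEL UID PID PPID C STIME TTY TIME CMD) equals
# BINARY. Matching the CMD column exactly, rather than a substring of the line,
# keeps the `grep --color=auto snapper` line out of the result.
domain_of() {
    printf '%s\n' "$1" | awk -v bin="$2" '
        $9 == bin { split($1, ctx, ":"); print ctx[3]; exit }'
}

# check_confined PS_OUTPUT BINARY EXPECTED_DOMAIN
# Exit status: 0 = running in EXPECTED_DOMAIN, 1 = running in some other domain
# (the regression described in comment 13), 2 = not running at all.
check_confined() {
    ps_out=$1; bin=$2; want=$3
    got=$(domain_of "$ps_out" "$bin")
    if [ -z "$got" ]; then
        echo "$bin: not running"
        return 2
    elif [ "$got" = "$want" ]; then
        echo "$bin: OK, running as $want"
        return 0
    else
        echo "$bin: REGRESSION, running as $got (expected $want)"
        return 1
    fi
}

# Demonstration on the constructed samples (the `|| :` keeps the script going
# past the non-zero verdicts).
check_confined "$PS_CONFINED"    /usr/sbin/snapperd snapperd_t || :
check_confined "$PS_REGRESSED"   /usr/sbin/snapperd snapperd_t || :
check_confined "$PS_NOT_RUNNING" /usr/sbin/snapperd snapperd_t || :
```

On a live host the same check runs as `check_confined "$(ps -efZ)" /usr/sbin/snapperd snapperd_t` after triggering activation with the `gdbus introspect --system --object-path / --dest org.opensuse.Snapper` call from the comment; a non-zero exit status is the signal to investigate, and the distinction between status 1 and 2 separates "runs unconfined" from "activation did not happen at all".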

Comment 20 errata-xmlrpc 2018-10-30 09:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

