Bug 1465729 - SELinux is preventing snapperd from 'relabelfrom' accesses on the file info.xml.
SELinux is preventing snapperd from 'relabelfrom' accesses on the file info.xml.
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
25
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:d8b044c4b7ff8b3cee8da8dabce...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-28 00:18 EDT by Mike Goodwin
Modified: 2017-11-16 13:33 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mike Goodwin 2017-06-28 00:18:29 EDT
Description of problem:
`snappert-timeline.timer` is enabled with the following configs: 

sudo snapper list-configs
Config | Subvolume
-------+----------
home   | /home
root   | /
usr    | /usr
SELinux is preventing snapperd from 'relabelfrom' accesses on the file info.xml.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should be allowed relabelfrom access on the info.xml file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp

Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:snapperd_data_t:s0
Target Objects                info.xml [ file ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.19.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.6-201.fc25.x86_64 #1 SMP Tue
                              Jun 20 20:21:11 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-06-28 00:00:01 EDT
Last Seen                     2017-06-28 00:00:01 EDT
Local ID                      d3241565-60bb-46bf-9b73-6875dd6adbf1

Raw Audit Messages
type=AVC msg=audit(1498622401.852:825): avc:  denied  { relabelfrom } for  pid=16926 comm="snapperd" name="info.xml" dev="dm-0" ino=260 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=file permissive=0


Hash: snapperd,snapperd_t,snapperd_data_t,file,relabelfrom

Version-Release number of selected component:
selinux-policy-3.13.1-225.19.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.6-201.fc25.x86_64
type:           libreport
Comment 1 Mike Goodwin 2017-06-28 01:05:36 EDT
So here is the `sudo ausearch -c snapper | audit2allow` output after setting SELinux permissive. 

Bear in mind that the tool snapper is the one creating those files initially anyway, so in theory they should not be mislabled? 



#============= snapperd_t ==============
allow snapperd_t self:capability fowner;
allow snapperd_t snapperd_data_t:dir relabelfrom;
allow snapperd_t snapperd_data_t:file relabelfrom;

#!!!! The file '/.snapshots' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /.snapshots
#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
#       Possible cause is the source level (s0-s0:c0.c1023) and target level (s0) are different.
allow snapperd_t user_home_dir_t:dir relabelto;
allow snapperd_t user_home_dir_t:dir create;
allow snapperd_t user_home_dir_t:file { create rename write };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
#       Possible cause is the source level (s0-s0:c0.c1023) and target level (s0) are different.
allow snapperd_t user_home_t:dir relabelto;
allow snapperd_t user_home_t:file relabelto;
Comment 2 rodrigo 2017-07-30 02:51:41 EDT
Hi, I submitted a PR that addresses this issue (and also BZ-1180876, partially) some weeks ago, perhaps someone can review it and merge it to the appropriate branch? Fortunately, the issue was simple to solve, the problem was the context definitions for the home directory were wrong; they were simply not using the HOME_ROOT variable (and therefore they were not being moved to the file_contexts.homedirs file which has a "higher priority" than the file_contexts file).

PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/19

Thank you.
Comment 3 Chris Murphy 2017-08-02 20:52:31 EDT
Aug 02 18:00:04 f26s.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snapper-timeline comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 02 18:00:05 f26s.localdomain dbus-daemon[663]: [system] Activating service name='org.opensuse.Snapper' requested by ':1.798' (uid=0 pid=14446 comm="/usr/libexec/snapper/systemd-helper --timeline " label="system_u:system_r:unconfined_service_t:s0") (using servicehelper)
Aug 02 18:00:05 f26s.localdomain audit[14450]: AVC avc:  denied  { relabelto } for  pid=14450 comm="snapperd" name="info.xml" dev="dm-4" ino=258 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
Aug 02 18:00:05 f26s.localdomain audit[14450]: AVC avc:  denied  { create } for  pid=14450 comm="snapperd" name="2" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Aug 02 18:00:05 f26s.localdomain systemd[1]: snapper-timeline.service: Main process exited, code=exited, status=1/FAILURE
Aug 02 18:00:05 f26s.localdomain systemd[1]: snapper-timeline.service: Unit entered failed state.
Aug 02 18:00:05 f26s.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snapper-timeline comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 02 18:00:05 f26s.localdomain systemd[1]: snapper-timeline.service: Failed with result 'exit-code'.
Aug 02 18:00:45 f26s.localdomain setroubleshoot[14453]: SELinux is preventing snapperd from relabelto access on the file info.xml. For complete SELinux messages run: sealert -l 0ba67353-c577-469a-bfb8-22785e525a0c
Aug 02 18:00:45 f26s.localdomain python3[14453]: SELinux is preventing snapperd from relabelto access on the file info.xml.
                                                 If you want to allow snapperd to have relabelto access on the info.xml file
                                                 If you believe that snapperd should be allowed relabelto access on the info.xml file by default.
                                                 # ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
                                                 # semodule -X 300 -i my-snapperd.pp



Except these two commands do not resolve the problem, error remains. Relabling doesn't fix it either.

selinux-policy-3.13.1-260.3.fc26.noarch
snapper-0.5.0-1.fc26.x86_64
Comment 4 Fedora End Of Life 2017-11-16 13:33:34 EST
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Note You need to log in before you can comment on or make changes to this bug.