Bug 1538545 - SELinux error creating swap file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: util-linux
Version: 7.4
Hardware: All, OS: All
Priority: urgent, Severity: high
Target Milestone: pre-dev-freeze
Target Release: ---
Assigned To: Karel Zak
QA Contact: Radka Skvarilova
Reported: 2018-01-25 04:26 EST by Nilesh
Modified: 2018-04-10 13:28 EDT
Fixed In Version: util-linux-2.23.2-51.el7
Last Closed: 2018-04-10 13:27:15 EDT
Type: Bug
External Trackers: Red Hat Product Errata RHBA-2018:0936 (last updated 2018-04-10 13:28 EDT)

Comment 7 Matthew Booth 2018-01-26 07:07:11 EST
I've changed the component to util-linux as the immediate cause is the failure of mkswap when it can't perform a relabel. However, I had a quick look at the SELinux-related code in mkswap in RHEL 7.4 (fails) and F27 (does not fail) and it doesn't seem very different. Consequently I wouldn't be surprised to find that the actual difference is in libselinux.

For context to the mkswap maintainer, in OpenStack Nova, a user can request that a VM is presented with a variety of disks. They have the option to specify that one of these disks is pre-formatted as a swap disk. On the hypervisor, we create a file to contain the disk's data, run mkswap on that file, then attach it to the VM when it starts.

The issue here seems to be that mkswap wants to relabel the file to swapfile_t. This is actually not necessary or desirable in this case, as the hypervisor is never going to try to use it as a swap file; we're just formatting it. When the hypervisor is hosting VM data on NFS, the relabel fails on RHEL 7.4. The impact of this is that the user cannot launch their VM, which is high.

I've also noted that this does not fail on F27. Although mkswap does attempt the relabel, which does fail, mkswap does not exit with an error.

Ideally RHEL 7.4 would gain the same behaviour as F27, which would then just work for us. Alternatively there would be some flag to mkswap to indicate that the relabel behaviour is not required. This would require a patch to OpenStack to use this flag, but it would allow customers to enable the swap behaviour.
Comment 10 Karel Zak 2018-01-30 05:24:36 EST
The difference between RHEL7 and upstream is 

-                       if (fsetfilecon(DEV, context_string))
+                       if (fsetfilecon(ctl.fd, context_string) && errno != ENOTSUP)
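
Review bot: The "+" line changes two things at once, the descriptor argument (DEV becomes ctl.fd) and the error test (&& errno != ENOTSUP); for a RHEL7 backport only the errno test should be carried over and the call should keep DEV, since ctl.fd appears only on the upstream side of this comparison. With the new test an ENOTSUP failure is skipped without any message, so consider printing a warning in that branch so a caller who does depend on the swap file label learns the file was left unlabeled. Any other errno from fsetfilecon still takes the existing error path, which is worth stating in the commit message so the scope of the tolerance is clear.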

The ENOTSUP errno has been added by:

commit d97dc0ee2505e80c8e9fca89aa2001b2ec2c3695
Author: Lubomir Rintel <lkundrak@v3.sk>
Date:   Mon Apr 18 09:01:23 2016 +0200

    mkswap: tolerate ENOTSUP when failing to relabel
    
    It might be that the underlying filesystem just doesn't support SELinux
    labeling. This fixes creating swap on vfat live media:
    
      # livecd-iso-to-disk.sh --msdos --swap-size-mb 666 ...
    
    Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>


I guess we need to backport this patch to RHEL7.
Comment 26 errata-xmlrpc 2018-04-10 13:27:15 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0936
