Bug 1561028 - SELinux is preventing snapperd from unmount access on the filesystem
Summary: SELinux is preventing snapperd from unmount access on the filesystem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1561424
Reported: 2018-03-27 13:22 UTC by Jakub Krysl
Modified: 2018-10-30 10:04 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Prior to this update, a rule for the Snapper module was missing in the SELinux policy. Consequently, the snapperd daemon was not able to unmount a file system. With this update, the missing rule has been added to the selinux-policy packages, and snapperd is now able to unmount a file system with SELinux in enforcing mode.
Clone Of:
: 1561424
Environment:
Last Closed: 2018-10-30 10:03:16 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:04:01 UTC

Description Jakub Krysl 2018-03-27 13:22:12 UTC
Description of problem:
Same issue as in BZ 1556798, but this time unmount. Manually umounting and re-running the delete works.

# sealert -l 520a00d3-d160-4278-9e36-7d34379aaa41
SELinux is preventing snapperd from unmount access on the filesystem .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should be allowed unmount access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -i my-snapperd.pp


Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fs_t:s0
Target Objects                 [ filesystem ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     storageqe-74.lab.eng.brq.redhat.com
Platform                      Linux storageqe-74.lab.eng.brq.redhat.com
                              3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51
                              EDT 2018 x86_64 x86_64
Alert Count                   8
First Seen                    2018-03-27 14:53:56 CEST
Last Seen                     2018-03-27 15:01:25 CEST
Local ID                      520a00d3-d160-4278-9e36-7d34379aaa41

Raw Audit Messages
type=AVC msg=audit(1522155685.760:10010): avc:  denied  { unmount } for  pid=26201 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


Hash: snapperd,snapperd_t,fs_t,filesystem,unmount


Before and after log:
INFO: Creating post snapshot
INFO: [2018-02-25 17:27:44] Running: 'snapper -c bugtest list'...
Type   | # | Pre # | Date                            | User | Cleanup | Description | Userdata
-------+---+-------+---------------------------------+------+---------+-------------+---------
single | 0 |       |                                 | root |         | current     |         
single | 1 |       | Sun 25 Feb 2018 05:27:43 PM CET | root |         |             |         
pre    | 2 |       | Sun 25 Feb 2018 05:27:43 PM CET | root |         |             |         
post   | 3 | 2     | Sun 25 Feb 2018 05:27:44 PM CET | root |         |             |
INFO: [2018-02-25 17:27:44] Running: 'snapper -c bugtest status 2..3'...
c..... /mnt/snapper_test/dir_0/file_0
+..... /mnt/snapper_test/dir_1
+..... /mnt/snapper_test/dir_1/file_1
INFO: [2018-02-25 17:27:45] Running: 'snapper -c bugtest diff 2..3'...
--- /mnt/snapper_test/.snapshots/2/snapshot/dir_0/file_0	2018-02-25 17:27:43.605881522 +0100
+++ /mnt/snapper_test/.snapshots/3/snapshot/dir_0/file_0	2018-02-25 17:27:44.185878369 +0100
@@ -0,0 +1 @@
+going to create snapshot
INFO: Deleting post snapshot
INFO: [2018-02-25 17:27:45] Running: 'snapper -c bugtest list'...
Type   | # | Pre # | Date                            | User | Cleanup | Description | Userdata
-------+---+-------+---------------------------------+------+---------+-------------+---------
single | 0 |       |                                 | root |         | current     |         
single | 1 |       | Sun 25 Feb 2018 05:27:43 PM CET | root |         |             |         
pre    | 2 |       | Sun 25 Feb 2018 05:27:43 PM CET | root |         |             |
INFO: Deleting pre snapshot
INFO: Deleting config



INFO: Creating post snapshot
INFO: [2018-03-27 14:53:56] Running: 'snapper -c bugtest list'...
Type   | # | Pre # | Date                             | User | Cleanup | Description | Userdata
-------+---+-------+----------------------------------+------+---------+-------------+---------
single | 0 |       |                                  | root |         | current     |
single | 1 |       | Tue 27 Mar 2018 02:53:55 PM CEST | root |         |             |
pre    | 2 |       | Tue 27 Mar 2018 02:53:55 PM CEST | root |         |             |
post   | 3 | 2     | Tue 27 Mar 2018 02:53:56 PM CEST | root |         |             |
INFO: [2018-03-27 14:53:56] Running: 'snapper -c bugtest status 2..3'...
c..... /mnt/snapper_test/dir_0/file_0
+..... /mnt/snapper_test/dir_1
+..... /mnt/snapper_test/dir_1/file_1
INFO: [2018-03-27 14:53:56] Running: 'snapper -c bugtest diff 2..3'...
--- /mnt/snapper_test/.snapshots/2/snapshot/dir_0/file_0        2018-03-27 14:53:55.876711891 +0200
+++ /mnt/snapper_test/.snapshots/3/snapshot/dir_0/file_0        2018-03-27 14:53:56.258710021 +0200
@@ -0,0 +1 @@
+going to create snapshot
INFO: Deleting post snapshot
FAIL:(libsan.host.snapper)  snapper_delete() - Could not delete snap 3
Failure (error.umount_snapshot).
ERROR: Could not delete POST snapshot FS(ext4) on /dev/mapper/vgtest-thin1 with snapper_debug_mode=False

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-191.el7.noarch works
selinux-policy-3.13.1-192.el7.noarch is hidden by BZ 1556798
reproducible with selinux-policy-3.13.1-192.el7_5.2.noarch

How reproducible:
100%

Steps to Reproduce:
1. snapper -c 'config' delete-config

Actual results:
Snapper config could not be deleted using 'delete-config' and must be manually umounted.

Expected results:
Snapper config is deleted.

Additional info:

Comment 10 errata-xmlrpc 2018-10-30 10:03:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
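
The sealert output in the description suggests piping the denial through audit2allow and loading the result with semodule. As an added example (not part of the bug report or of the selinux-policy fix), the Python below parses the raw AVC record quoted in the description and derives the candidate allow rule in the form audit2allow prints, so the grant can be read before any local module is installed. The function names are hypothetical and the sample line is copied from the report.

```python
import re

# Sample input: the raw AVC record quoted in the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1522155685.760:10010): avc:  denied  { unmount } for  '
    'pid=26201 comm="snapperd" '
    'scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def parse_avc(line):
    """Parse one raw audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def candidate_rules(lines):
    """Collapse repeated denials into unique allow rules, merging permissions."""
    merged = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    # The report's Alert Count is 8; identical denials collapse to one rule.
    print("\n".join(candidate_rules([SAMPLE_AVC] * 8)))
```

The rule is scoped to every filesystem labeled fs_t, not only the snapper test mount, which is the detail to weigh when deciding between a local module and the updated selinux-policy package.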

