Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1657549 - selinux prevents snapper from creating /home snapshots for lvm thin provisioning setups
Summary: selinux prevents snapper from creating /home snapshots for lvm thin provision...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-09 21:31 UTC by prasun.gera
Modified: 2019-08-13 15:23 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-13 15:23:22 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description prasun.gera 2018-12-09 21:31:04 UTC
Description of problem:

(Regression) selinux denies snapper from creating snapshots under /home for lvm-thin setups. This used to work earlier, but started giving errors perhaps after the update from 7.5 to 7.6. 

Version-Release number of selected component (if applicable):

snapper-libs-0.2.8-4.el7.x86_64
snapper-0.2.8-4.el7.x86_64
selinux-policy-3.13.1-229.el7_6.6.noarch
selinux-policy-targeted-3.13.1-229.el7_6.6.noarch
policycoreutils-python-2.5-29.el7.x86_64
policycoreutils-2.5-29.el7.x86_64
checkpolicy-2.5-8.el7.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Enable snapper snapshots for /home with a config file /etc/snapper/configs/home_snapper_config


Actual results:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/snapperd from create access on the directory 17796.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should be allowed create access on the 17796 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -i my-snapperd.pp


Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_dir_t:s0
Target Objects                17796 [ dir ]
Source                        snapperd
Source Path                   /usr/sbin/snapperd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           snapper-0.2.8-4.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     example.com
Platform                      Linux example.com
                              3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 15
                              17:36:42 UTC 2018 x86_64 x86_64
Alert Count                   27
First Seen                    2018-12-08 14:01:01 EST
Last Seen                     2018-12-09 16:01:02 EST
Local ID                      f66db7c9-6b8f-40ea-a9e8-14039ac6efa1

Raw Audit Messages
type=AVC msg=audit(1544389262.163:51817): avc:  denied  { create } for  pid=1155 comm="snapperd" name="17796" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1544389262.163:51817): arch=x86_64 syscall=mkdirat success=no exit=EACCES a0=7 a1=7f6be0091ec8 a2=1ff a3=7f6be645b5b0 items=0 ppid=1 pid=1155 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=snapperd exe=/usr/sbin/snapperd subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)

Hash: snapperd,snapperd_t,user_home_dir_t,dir,create


Expected results:

Snapper creates snapshots as expected

Additional info:

Note that this only affects snapshots for /home. root snapshots are working fine.

Also seems related: https://bugzilla.redhat.com/show_bug.cgi?id=1556798

Comment 3 Zdenek Pytela 2019-03-12 08:26:37 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 4 prasun.gera 2019-03-12 08:40:53 UTC
This is a fairly basic failure of selinux policy on an entirely unrelated system, i.e. the storage subsystem. Is Red Hat's official position that lvm thin provisioned snapshots by snapper are not supported ? The underlying issues have already been fixed upstream. If the linked PR is the only fix required, it looks like a small fix. This is major breakage for a critical system (i.e., data backups) which further trains people to disable selinux. I would like to propose reopening this.

Comment 5 Zdenek Pytela 2019-08-13 15:23:22 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. The next minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.


Note You need to log in before you can comment on or make changes to this bug.