Hide Forgot
Description of problem: (Regression) selinux denies snapper from creating snapshots under /home for lvm-thin setups. This used to work earlier, but started giving errors perhaps after the update from 7.5 to 7.6. Version-Release number of selected component (if applicable): snapper-libs-0.2.8-4.el7.x86_64 snapper-0.2.8-4.el7.x86_64 selinux-policy-3.13.1-229.el7_6.6.noarch selinux-policy-targeted-3.13.1-229.el7_6.6.noarch policycoreutils-python-2.5-29.el7.x86_64 policycoreutils-2.5-29.el7.x86_64 checkpolicy-2.5-8.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Enable snapper snapshots for /home with a config file /etc/snapper/configs/home_snapper_config Actual results: found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/snapperd from create access on the directory 17796. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that snapperd should be allowed create access on the 17796 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd # semodule -i my-snapperd.pp Additional Information: Source Context system_u:system_r:snapperd_t:s0-s0:c0.c1023 Target Context system_u:object_r:user_home_dir_t:s0 Target Objects 17796 [ dir ] Source snapperd Source Path /usr/sbin/snapperd Port <Unknown> Host <Unknown> Source RPM Packages snapper-0.2.8-4.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name example.com Platform Linux example.com 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 15 17:36:42 UTC 2018 x86_64 x86_64 Alert Count 27 First Seen 2018-12-08 14:01:01 EST Last Seen 2018-12-09 16:01:02 EST Local ID f66db7c9-6b8f-40ea-a9e8-14039ac6efa1 Raw Audit Messages type=AVC msg=audit(1544389262.163:51817): avc: denied { create } for pid=1155 comm="snapperd" name="17796" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1544389262.163:51817): arch=x86_64 syscall=mkdirat success=no exit=EACCES a0=7 a1=7f6be0091ec8 a2=1ff a3=7f6be645b5b0 items=0 ppid=1 pid=1155 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=snapperd exe=/usr/sbin/snapperd subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null) Hash: snapperd,snapperd_t,user_home_dir_t,dir,create Expected results: Snapper creates snapshots as expected Additional info: Note that this only affects snapshots for /home. root snapshots are working fine. Also seems related: https://bugzilla.redhat.com/show_bug.cgi?id=1556798
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1465729 Related PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/19
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
This is a fairly basic failure of selinux policy on an entirely unrelated system, i.e. the storage subsystem. Is Red Hat's official position that lvm thin provisioned snapshots by snapper are not supported ? The underlying issues have already been fixed upstream. If the linked PR is the only fix required, it looks like a small fix. This is major breakage for a critical system (i.e., data backups) which further trains people to disable selinux. I would like to propose reopening this.
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. The next minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.