Bug 811532 - feature request: add zfs to the list of xattr supported file systems
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-04-11 10:56 UTC by Phil
Modified: 2014-09-30 23:33 UTC (History)

Fixed In Version: selinux-policy-3.7.19-146.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 977047 (view as bug list)
Environment:
Last Closed: 2012-06-20 12:33:24 UTC
Target Upstream Version:




Links:
System: Red Hat Product Errata
ID: RHBA-2012:0780
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2012-06-19 20:34:59 UTC

Internal Links: 977047

Description Phil 2012-04-11 10:56:16 UTC
Description of problem:

selinux-policy doesn't know about zfs so it uses selinux mountpoint labeling instead of xattr.

Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-126.el6.10

How reproducible:

Try to use selinux contexts on a zfs filesystem

Steps to Reproduce:
1. compile & install spl/zfs 0.6.0-rc8 (http://zfsonlinux.org/)
2. add a zpool / zfs and mount it
3. see dmesg "SELinux: initialized (dev zfs, type zfs), uses mountpoint labeling"
4. chcon ...
  
Actual results:

permission denied when trying to set a selinux context

Expected results:

the context to be changed/applied

Additional info:

see also: https://github.com/zfsonlinux/zfs/issues/220
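
An added example (not part of the original report and not selinux-policy code): a shell check that reads kernel log lines like the one in step 3 and reports whether a filesystem type was initialized with xattr labeling. The sample log lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample input, modelled on the dmesg line quoted in the report.
SAMPLE_LOG='SELinux: initialized (dev sda1, type ext4), uses xattr
SELinux: initialized (dev zfs, type zfs), uses mountpoint labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts
EXT4-fs (sda1): mounted filesystem with ordered data mode'

# selinux_label_modes (hypothetical helper): read kernel log lines on stdin
# and print "type|behaviour|dev" for every SELinux initialization message.
# Unrelated lines and any leading timestamp are ignored.
selinux_label_modes() {
    sed -n 's/^.*SELinux: initialized (dev \([^,]*\), type \([^)]*\)), \(.*\)$/\2|\3|\1/p'
}

# check_per_file_labels TYPE (hypothetical helper): read kernel log lines on
# stdin and report how filesystem TYPE is labeled.
# Exit status: 0 = xattr labeling, 1 = any other behaviour, 2 = no message.
# The last matching line wins, so a remount after a policy update is honoured.
check_per_file_labels() {
    fstype=$1
    behaviour=$(selinux_label_modes |
        awk -F'|' -v t="$fstype" '$1 == t { b = $2 } END { print b }')
    case "$behaviour" in
        "uses xattr")
            echo "$fstype: uses xattr, per-file contexts are stored on the files"
            return 0 ;;
        "")
            echo "$fstype: no SELinux initialization message found"
            return 2 ;;
        *)
            echo "$fstype: $behaviour, not xattr labeling"
            return 1 ;;
    esac
}

# Demo on the constructed sample. On a live system: dmesg | check_per_file_labels zfs
printf '%s\n' "$SAMPLE_LOG" | check_per_file_labels zfs || true
```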

Comment 2 Daniel Walsh 2012-04-11 19:43:03 UTC
Does zfs support xattrs?

Comment 3 Phil 2012-04-11 21:21:52 UTC
Yes, it does. Since 0.6.0-rc7, SA-based xattrs are implemented: https://github.com/zfsonlinux/zfs/issues/443

Comment 4 Miroslav Grepl 2012-04-16 12:46:53 UTC
I believe we should add it to RHEL6.3.

Comment 6 Michal Trunecka 2012-05-07 13:07:50 UTC
VERIFIED - see following steps

Using selinux-policy-3.7.19-147.el6.noarch

1. Installed zfs 0.6.0-rc8 downloaded from http://zfsonlinux.org/

2. Made zfs filesystem with "nocontext" => using xattr for selinux context
     mkdir -p /usr/images
     mkdir -p /mnt/zfs
     cd /usr/images
     dd if=/dev/zero of=image.zfs count=409600
     zpool create -m /mnt/zfs -o nocontext pool1 /usr/images/image.zfs 

3. Successfully changed the context of a file within the ZFS file system

     [root@dhcp-24-198 images]# cd /mnt/zfs/
     [root@dhcp-24-198 zfs]# touch file.txt
     [root@dhcp-24-198 zfs]# ls -laZ file.txt
     -rw-r--r--. root root unconfined_u:object_r:tmp_t:s0   file.txt
     [root@dhcp-24-198 zfs]# chcon system_u:object_r:usr_t:s0 file.txt
     [root@dhcp-24-198 zfs]# ls -laZ file.txt
     -rw-r--r--. root root system_u:object_r:usr_t:s0       file.txt

Comment 7 Phil 2012-05-07 13:51:43 UTC
Thanks for your feedback.

Just out of curiosity -- how did you manage to create a filesystem with "nocontext"?

$ zpool create -m /mnt/zfs -o nocontext pool1 /usr/images/image.zfs
missing '=' for -o option

I suppose you were not affected by https://github.com/zfsonlinux/zfs/issues/671 and you were trying this on a "real" RHEL 6.x (!= (centos|sl)), right?

Comment 8 errata-xmlrpc 2012-06-20 12:33:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

