Description of problem:
selinux-policy doesn't know about zfs so it uses selinux mountpoint labeling instead of xattr.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6.10

How reproducible:
try to use selinux contexts on a zfs filesystem

Steps to Reproduce:
1. compile & install spl/zfs 0.6.0-rc8 (http://zfsonlinux.org/)
2. add a zpool / zfs and mount it
3. see dmesg "SELinux: initialized (dev zfs, type zfs), uses mountpoint labeling"
4. chcon ...

Actual results:
permission denied when trying to set a selinux context

Expected results:
the context to be changed/applied

Additional info:
see also: https://github.com/zfsonlinux/zfs/issues/220
Does zfs support xattrs?
Yes it does. Since 0.6.0-rc7 sa based xattrs are implemented: https://github.com/zfsonlinux/zfs/issues/443
I believe we should add it to RHEL6.3.
VERIFIED - see following steps

Using selinux-policy-3.7.19-147.el6.noarch

1. Installed zfs0.6.0-rc8 downloaded from http://zfsonlinux.org/

2. Made zfs filesystem with "nocontext" => using xattr for selinux context

mkdir -p /usr/images
mkdir -p /mnt/zfs
cd /usr/images
dd if=/dev/zero of=image.zfs count=409600
zpool create -m /mnt/zfs -o nocontext pool1 /usr/images/image.zfs

3. Successfully changed the context of a file within the ZFS file system

[root@dhcp-24-198 images]# cd /mnt/zfs/
[root@dhcp-24-198 zfs]# touch file.txt
[root@dhcp-24-198 zfs]# ls -laZ file.txt
-rw-r--r--. root root unconfined_u:object_r:tmp_t:s0 file.txt
[root@dhcp-24-198 zfs]# chcon system_u:object_r:usr_t:s0 file.txt
[root@dhcp-24-198 zfs]# ls -laZ file.txt
-rw-r--r--. root root system_u:object_r:usr_t:s0 file.txt
Thanks for your feedback.

just for curiosity -- how did you manage to create a filesystem with "nocontext"?

$ zpool create -m /mnt/zfs -o nocontext pool1 /usr/images/image.zfs
missing '=' for -o option

I suppose you were not affected by https://github.com/zfsonlinux/zfs/issues/671 and you were trying this on a "real" RHEL 6.x (!= (centos|sl)), right?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html
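
Added example (not part of the original bug report or of selinux-policy): a shell check that parses kernel log lines of the form quoted in the description and reports which filesystem types are still using mountpoint labeling rather than xattr. The function names and the sample log lines are constructed for illustration; on a real host the input would come from dmesg.

```shell
#!/bin/sh
# Added example: classify SELinux labeling behaviour per filesystem
# from "SELinux: initialized (dev X, type Y), <behaviour>" kernel log lines.

# Constructed sample log lines (not captured from a real host).
sample_log() {
cat <<'EOF'
SELinux: initialized (dev dm-0, type ext4), uses xattr
SELinux: initialized (dev proc, type proc), uses genfs_contexts
[  812.104233] SELinux: initialized (dev zfs, type zfs), uses mountpoint labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
kernel: unrelated line that must be ignored
EOF
}

# Read log lines on stdin, print "dev|fstype|behaviour" for each match.
# A leading timestamp such as "[  812.104233] " is tolerated.
selinux_label_report() {
    sed -n 's/^.*SELinux: initialized (dev \([^,]*\), type \([^)]*\)), \(.*\)$/\1|\2|\3/p'
}

# Print each filesystem type that was initialized with mountpoint labeling,
# the behaviour the report above ties to the failing chcon.
mountpoint_labeled_fs() {
    selinux_label_report |
        awk -F'|' '$3 == "uses mountpoint labeling" { print $2 }' |
        sort -u
}

# Exit 0 only if fstype $1 appears in the log and every instance uses xattr.
fs_uses_xattr() {
    selinux_label_report |
        awk -F'|' -v t="$1" '
            $2 == t { seen = 1; if ($3 != "uses xattr") bad = 1 }
            END { exit((seen && !bad) ? 0 : 1) }'
}

# Stand-alone run on the constructed sample.
sample_log | selinux_label_report
```

On a live system, `dmesg | mountpoint_labeled_fs` lists the filesystem types to re-check after updating selinux-policy.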