Description of problem:

Mount an image with guestmount (note the --selinux option makes no difference):

  mkdir /tmp/mnt
  guestmount -a disk.img -i [--selinux] /tmp/mnt

Now edit a file like /etc/shadow in the disk image:

  emacs -nw /tmp/mnt/etc/shadow

When you come to save it, emacs complains:

  Doing lsetfilecon: operation not supported, /tmp/mnt/etc/shadow

and refuses to save the file.

Version-Release number of selected component (if applicable):

1.17.32

How reproducible:

100%
lsetfilecon is a library function in selinux:

  int lsetfilecon_raw(const char *path, const security_context_t context)
  {
      return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
  }

  int lsetfilecon(const char *path, const security_context_t context)
  {
      int ret;
      security_context_t rcontext;

      if (selinux_trans_to_raw_context(context, &rcontext))
          return -1;

      ret = lsetfilecon_raw(path, rcontext);

      freecon(rcontext);

      return ret;
  }

strace confirms this:

  chmod("/tmp/mnt/etc/shadow", 0200) = 0
  lgetxattr("/tmp/mnt/etc/shadow", "security.selinux", "system_u:object_r:fusefs_t:s0", 255) = 30
  lsetxattr("/tmp/mnt/etc/shadow", "security.selinux", "system_u:object_r:fusefs_t:s0", 30, 0) = -1 EOPNOTSUPP (Operation not supported)

So it's more accurate to say that 'lsetxattr' doesn't work in guestmount. We do implement this in guestmount, so it's not entirely clear why it doesn't work / isn't being called.
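The lgetxattr/lsetxattr pair from the strace above can be replayed against any path without emacs. This is an added diagnostic, not code from the report, libselinux or libguestfs; the enum, `classify_set` and `probe_selinux_xattr` are hypothetical names.

```c
/* Added example: reads security.selinux and writes the same value back. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"   /* attribute name shown in the strace */

enum probe_result {
    PROBE_OK = 0,           /* label read and written back unchanged */
    PROBE_NO_LABEL,         /* lgetxattr failed, nothing to write back */
    PROBE_SET_UNSUPPORTED,  /* label readable but lsetxattr gave EOPNOTSUPP */
    PROBE_SET_DENIED,       /* lsetxattr gave EPERM or EACCES */
    PROBE_SET_OTHER         /* any other lsetxattr failure */
};

/* Map an lsetxattr() return value and the errno it left to a result. */
enum probe_result classify_set(int rc, int err)
{
    if (rc == 0) return PROBE_OK;
    if (err == EOPNOTSUPP) return PROBE_SET_UNSUPPORTED;
    if (err == EPERM || err == EACCES) return PROBE_SET_DENIED;
    return PROBE_SET_OTHER;
}

/* Replay the sequence from the strace: get the label, set the same label. */
enum probe_result probe_selinux_xattr(const char *path)
{
    char ctx[256];
    ssize_t n = lgetxattr(path, SELINUX_XATTR, ctx, sizeof(ctx) - 1);
    if (n < 0) return PROBE_NO_LABEL;
    /* n includes the trailing NUL, as in the strace (30 bytes). */
    int rc = lsetxattr(path, SELINUX_XATTR, ctx, (size_t)n, 0);
    return classify_set(rc, errno);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "no label readable",
        "lsetxattr unsupported (EOPNOTSUPP)", "lsetxattr denied",
        "lsetxattr failed (other)" };
    if (argc != 2) { fprintf(stderr, "usage: %s PATH\n", argv[0]); return 2; }
    enum probe_result r = probe_selinux_xattr(argv[1]);
    printf("%s: %s\n", argv[1], names[r]);
    return r == PROBE_OK ? 0 : 1;
}
```

Run against a file under the guestmount mountpoint, the behaviour in this report corresponds to the PROBE_SET_UNSUPPORTED result.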
*** This bug has been marked as a duplicate of bug 691389 ***