lsetxattr failed, SELINUX_ERR op=setxattr invalid_context
by Chris Murphy
Hi,
I'm running Fedora 35, and I'm trying to replicate a Fedora 36 root snapshot from one Btrfs file system to another, but it fails.
This is what I see on the CLI (with verbose logging):
set_xattr etc/NetworkManager/dispatcher.d - name=security.selinux data_len=56 data=system_u:object_r:NetworkManager_dispatcher_script_t:s0
ERROR: lsetxattr etc/NetworkManager/dispatcher.d security.selinux=system_u:object_r:NetworkManager_dispatcher_script_t:s0 failed: Invalid argument
This is the AVC error:
[25325.074972] audit[23509]: AVC avc: denied { mac_admin } for pid=23509 comm="btrfs" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
[25325.075188] audit: SELINUX_ERR op=setxattr invalid_context="system_u:object_r:NetworkManager_dispatcher_script_t:s0"
I think what's going on is, Fedora 35's SELinux is preventing `btrfs receive` from setting a label it doesn't know. If so, is this definitely the correct behavior? Or is there something `btrfs receive` could do to allow setting this unfamiliar label anyway, or is this an unacceptable risk to set arbitrary labels?
I filed a btrfs-progs bug; feel free to answer there (or here):
https://github.com/kdave/btrfs-progs/issues/447
Thanks,
--
Chris Murphy
1 year, 3 months
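A small triage script for the two audit records quoted in the post above, added here as an example (it is not part of the original message or of btrfs-progs): it pairs each `SELINUX_ERR invalid_context` record with the `mac_admin` denial logged just before it and reports which process tried to set which label. The function name, the regular expressions and the 10 ms pairing window are assumptions of this example; the log lines are copied from the post.

```python
import re

# The two kernel audit records quoted in the post, copied verbatim.
SAMPLE_LOG = """\
[25325.074972] audit[23509]: AVC avc: denied { mac_admin } for pid=23509 comm="btrfs" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
[25325.075188] audit: SELINUX_ERR op=setxattr invalid_context="system_u:object_r:NetworkManager_dispatcher_script_t:s0"
"""

TS = r'\[\s*(?P<ts>\d+\.\d+)\]'
AVC_RE = re.compile(TS + r'.*avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+pid=(?P<pid>\d+)'
                    r'\s+comm="(?P<comm>[^"]*)".*\sscontext=(?P<scontext>\S+)')
ERR_RE = re.compile(TS + r'.*SELINUX_ERR\s+op=(?P<op>\w+)\s+invalid_context="(?P<ctx>[^"]*)"')


def correlate(log, window=0.01):
    """Pair each SELINUX_ERR invalid_context record with the mac_admin
    denial seen at most `window` seconds earlier (hypothetical helper)."""
    last_denial = None
    findings = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m and "mac_admin" in m["perms"].split():
            last_denial = m
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        fields = m["ctx"].split(":")  # user:role:type:level
        finding = {"op": m["op"], "context": m["ctx"],
                   "type": fields[2] if len(fields) > 2 else None,
                   "comm": None, "pid": None, "scontext": None}
        # Attribute the rejected label to a process only when a mac_admin
        # denial immediately precedes it; otherwise leave the fields empty.
        if last_denial is not None:
            delta = float(m["ts"]) - float(last_denial["ts"])
            if 0 <= delta <= window:
                finding.update(comm=last_denial["comm"],
                               pid=int(last_denial["pid"]),
                               scontext=last_denial["scontext"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f'{f["comm"]}[{f["pid"]}] {f["op"]} rejected: {f["context"]}')
```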
Error while running setsebool
by Geert Janssens
Hi,
I have a minimal Fedora 35 box that's configured as a mail server. It started
life as a Fedora 33 system and got upgraded to 35 yesterday in an attempt to
fix the following error I was getting.
I am trying to set an SELinux boolean using the following command:
setsebool -P rsync_client 1
This returns the following output:
libsepol.context_from_record: type avahi_conf_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:avahi_conf_t:s0 to sid
invalid context system_u:object_r:avahi_conf_t:s0
Failed to commit changes to booleans: Success
Aside from the last line being very confusing, the boolean seems to be set, but
the setting won't persist across reboots. I suspect the error lines hint at
the problem, but a search on the net didn't reveal what's going on.
As mentioned, this was already happening while the system was still Fedora 33
(though the undefined type then was something with dns). I hoped it would get
fixed with an upgrade to Fedora 35, but it only changed the type that's
undefined.
What's going on here and how can I solve this?
1 year, 3 months