On Wed, Feb 9, 2022 at 9:24 AM Zdenek Pytela <zpytela(a)redhat.com> wrote:
On Wed, Feb 9, 2022 at 12:16 AM Chris Murphy <lists(a)colorremedies.com> wrote:
>
> Hi,
>
> I'm running Fedora 35, and I'm trying to replicate a Fedora 36 root snapshot
from one Btrfs file system to another, but it fails.
>
> This is what I see on CLI (with verbose logging)
>
> set_xattr etc/NetworkManager/dispatcher.d - name=security.selinux data_len=56
data=system_u:object_r:NetworkManager_dispatcher_script_t:s0
> ERROR: lsetxattr etc/NetworkManager/dispatcher.d
security.selinux=system_u:object_r:NetworkManager_dispatcher_script_t:s0 failed: Invalid
argument
>
> This is the AVC error:
>
> [25325.074972] audit[23509]: AVC avc: denied { mac_admin } for pid=23509
comm="btrfs" capability=33
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
permissive=0
> [25325.075188] audit: SELINUX_ERR op=setxattr
invalid_context="system_u:object_r:NetworkManager_dispatcher_script_t:s0"
>
>
> I think what's going on is, Fedora 35's SELinux is preventing `btrfs receive`
from setting a label it doesn't know. If so, is this definitely the correct behavior?
Or is there something `btrfs receive`
> could do to allow setting this unfamiliar label anyway, or is this an unacceptable
risk to set arbitrary labels?
Hi,
I cannot speak for btrfs, but from SELinux PoV this seems to be correct: When a file is
restored including extended attributes and the SELinux type is not known, it should fail,
probably unlabeled_t will be seen there. If there is no better solution, I'd go with
not setting labels at all and restore them later using
fixfiles onboot -F
Yep, it's a question of which consequences to go with :)
The command is:
# btrfs send $snapshot | btrfs receive $path
The send portion produces a stream, which does contain xattr, which
includes SELinux labels. And it's up to receive to preserve everything
in the stream, or else error and fail because ostensibly the concept
of send|receive is snapshot replication. And if xattr are missing in
the destination, the snapshot isn't really replicated. The receive
subcommand has a flag -E0 which means to ignore all errors and receive
anyway. So it can be received, but the "received UUID" is not set on
the replicated snapshot because it's not an exact copy, so we're
unable to do incremental receive without "received UUID".
So it's an interesting dilemma.
--
Chris Murphy