Hi, I'm running Fedora 35, and I'm trying to replicate a Fedora 36 root snapshot from one Btrfs file system to another, but it fails. This is what I see on CLI (with verbose logging) set_xattr etc/NetworkManager/dispatcher.d - name=security.selinux data_len=56 data=system_u:object_r:NetworkManager_dispatcher_script_t:s0 ERROR: lsetxattr etc/NetworkManager/dispatcher.d security.selinux=system_u:object_r:NetworkManager_dispatcher_script_t:s0 failed: Invalid argument This is the AVC error: [25325.074972] audit[23509]: AVC avc: denied { mac_admin } for pid=23509 comm="btrfs" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 [25325.075188] audit: SELINUX_ERR op=setxattr invalid_context="system_u:object_r:NetworkManager_dispatcher_script_t:s0" I think what's going on is, Fedora 35's SELinux is preventing `btrfs receive` from setting a label it doesn't know. If so, is this definitely the correct behavior? Or is there something `btrfs receive` could do to allow setting this unfamiliar label anyway, or is this an unacceptable risk to set arbitrary labels?

I filed a btrfs-progs bug, feel free to answer there (or here) https://github.com/kdave/btrfs-progs/issues/447 Thanks, -- Chris Murphy _______________________________________________ selinux mailing list -- selinux(a)lists.fedoraproject.org To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

On Wed, Feb 9, 2022 at 12:16 AM Chris Murphy <lists(a)colorremedies.com&gt; wrote: > > Hi, > > I'm running Fedora 35, and I'm trying to replicate a Fedora 36 root snapshot from one Btrfs file system to another, but it fails. > > This is what I see on CLI (with verbose logging) > > set_xattr etc/NetworkManager/dispatcher.d - name=security.selinux data_len=56 data=system_u:object_r:NetworkManager_dispatcher_script_t:s0 > ERROR: lsetxattr etc/NetworkManager/dispatcher.d security.selinux=system_u:object_r:NetworkManager_dispatcher_script_t:s0 failed: Invalid argument > > This is the AVC error: > > [25325.074972] audit[23509]: AVC avc: denied { mac_admin } for pid=23509 comm="btrfs" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 > [25325.075188] audit: SELINUX_ERR op=setxattr invalid_context="system_u:object_r:NetworkManager_dispatcher_script_t:s0" > > > I think what's going on is, Fedora 35's SELinux is preventing `btrfs receive` from setting a label it doesn't know. If so, is this definitely the correct behavior? Or is there something `btrfs receive` > could do to allow setting this unfamiliar label anyway, or is this an unacceptable risk to set arbitrary labels? Hi, I cannot speak for btrfs, but from SELinux PoV this seems to be correct: When a file is restored including extended attributes and the SELinux type is not known, it should fail, probably unlabeled_t will be seen there. If there is no better solution, I'd go with not setting labels at all and restore them later using fixfiles onboot -F