Bug 1218872 - Cannot create snapper snapshots with SELinux
Summary: Cannot create snapper snapshots with SELinux
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other
Version: Current
Hardware: x86-64 Other
Importance: P5 - None : Minor
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-16 19:21 UTC by Harry Tse
Modified: 2024-01-17 13:41 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Harry Tse 2024-01-16 19:21:26 UTC
Overview: Cannot utilize snapper-timeline to create a snapper configuration in a non-exempt location and snapshot a btrfs subvolume without interference from SELinux.

Steps to Reproduce:
1. Create a Subvolume.
btrfs subvolume create /srv/foo

2. Create a snapper configuration for subvolume
snapper --config foo create-config /srv/foo

3. Examine the SELinux file context. The SELinux file context type is, as expected, snapper_data_t.
ls -laZ

4. snapper-timeline fails with IO Error (mkdir failed errno:13 (Permission denied)) 
journalctl --unit snapper-timeline.service --since today

5. When snapper-timeline.service runs, the SELinux File Context Type on the subvolume is changed to var_t.
ls -laZ

Actual Results
Snapper timeline fails; no snapshots are created.

Expected Results
Snapshots are Created, preserving the SELinux File Context.

Additional Information: This issue involves multiple components: snapper, systemd, semanage, startup.

SELinux exempts only certain directories for snapshots, observed via
semanage fcontext --list | grep .snapshots
One file context entry sets the snapshot directory to snapper_data_t, and another entry ignores the SELinux file context of the snapshot contents via <<none>>.

semanage fcontext allows you to add additional paths with the context set to snapper_data_t; however, semanage fcontext has no facility to set <<none>>, as the command requires that a --type be defined.

The file context of the .snapshots directory can be manually changed to snapper_data_t, which allows snapper-timeline to create snapshots. However, during the SELinux relabel on startup, this causes errors on system startup and a drop to emergency maintenance. This is caused by the system being unable to relabel the read-only snapshot.
Comment 1 Cathy Hu 2024-01-17 09:05:03 UTC
Thanks for the detailed bug report, I was able to reproduce it and will have a look.
Comment 2 Cathy Hu 2024-01-17 11:06:17 UTC
Since you are using a non-default path, I think the right way is to add the file context via semanage, as you already tried to do. I think semanage can set the file context to <<none>> though. Try using this on your custom directory /srv/foo before running your commands:

semanage fcontext -a -t '<<none>>' '/srv/foo/\.snapshots/[^/]*/snapshot(/.*)?'
semanage fcontext -a -t 'snapperd_data_t' '/srv/foo/\.snapshots(/.*)?'

I think that should resolve your issue as this then should not relabel the snapshot content. 
Please let me know if your issue still persists, thanks!
Comment 4 Harry Tse 2024-01-17 12:47:53 UTC
Thanks. Looking back at the command history, of all the permutations I was trying, I was having trouble with how to specify <<none>>.