Open cmurf opened 2 years ago
Posted inquiry to selinux@lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/YTGX66CCJLDVMFFOGBV2CUS637NCAQR6/
Perhaps another possibility is backporting new security labels to older release versions of a distribution, so that the receive command can fully succeed.
How I came across this bug: I have some new backups using btrbk that were failing because of new selinux labels that weren't supported on the backup server. The "workaround" was to synchronise the installstate of those offending packages on the backup server* even though those packages are otherwise unnecessary on the backup server.
A good fix is for selinux to have some mechanism to allow the backup (and restore) to succeed cleanly without any extra steps on btrfs' part - even if the server doesn't understand the contexts - but I don't think that will happen any time soon. :-/
It'd be convenient if btrfs-progs made it easy to ignore this problem with an --ignore-setxattr-invalid-context
type flag. A full relabel isn't such a bad extra step if restoring a server from backup - as long as you're aware of it of course!
* this also necessitated doing a dnf system-upgrade
on the backup server a bit earlier than planned. 🤪
For anyone who struggles with allowing access in SELinux as I did:
# ausearch -c 'btrfs' --raw | audit2allow -M my-btrfs
# semodule -X 300 -i my-btrfs.pp
Now you should be able to rerun btrfs send without issues
another plain, temporary fix is to just set SELinux to permissive mode (kinda obviously lol)
Problem: When doing send|receive with a source snapshot that contains unsupported SELinux labels on the host: (a) the receive fails (b) using
-E0
option permits successful receive but "received UUID" is not set.Arguably (b) is correct behavior, in that we don't want to say something is successfully received if it's not actually fully replicated, including xattr. But is there something that btrfs send/receive can do to (force) set the label anyway? Or is there a legitimate reason for SELinux to prevent
btrfs receive
from setting what it thinks are arbitrary labels?With -E0, the receive succeeds but the label is not set:
AVC denial is reported.
Full journal entry for the event:
The use case is to replicate an updated root file system. I'm trying to upgrade from 35 to 36, while running 35, using a snapshot of 36.
btrfs-progs-5.16.1-1.fc35.x86_64 kernel-5.16.5-200.fc35.x86_64 selinux-policy-35.13-1.fc35.noarch