Hi,

Two questions as they relate to btrfs subvolumes created by users on Fedora.

Question 1, should new subvolumes within the ~/ hierarchy have the same label as a new directory?

    $ mkdir hi
    $ btrfs subvolume create hi2
    $ ls -lZ
    drwxrwxr-x. 1 chris chris unconfined_u:object_r:user_home_t:s0 0 Jun 13 15:55 hi
    drwxrwxr-x. 1 chris chris system_u:object_r:unlabeled_t:s0 0 Jun 13 15:55 hi2

Is this expected? Or should I file a bug?

Question 2, should users be allowed to remove subvolumes (including subvolume snapshots) they own?

There's a bit of background here:

* Users can 'btrfs subvolume create' without privileges
* Users can't 'btrfs subvolume delete' without privileges, unless the Btrfs file system is mounted with option "user_subvol_rm_allowed"
* Users can remove empty subvolumes without privileges, e.g. rmdir or rm -rf so long as the user owns all the items contained in the subvolume.

OK a bit more background. A subvolume is a file b-tree. It's where all file and directory metadata is located: inode, datetime, permissions, xattr, compression info, extent info. When deleting a subvolume, none of the contents are checked for permissions at all - the tree is just snipped off the file system, and the extents are later freed by a kernel cleaner thread. So it's essentially an immediately returning command, with the expensive backref walk done by a dedicated kernel thread later.

On any file system when deleting a directory, all the contents have permissions checked. If the user can't delete an item, then the directory won't be empty, and they won't be able to remove it. This is the same for btrfs subvolumes when using the same commands, rmdir and rm -rf. The subvolume can't be deleted until it's empty. This can be quite a lot more expensive than just a subvolume delete.

I'm wondering if anyone can imagine problems with enabling user_subvol_rm_allowed mount option on Fedora desktops by default? And whether SELinux can or should have some role in preventing mistakes?
Like if SELinux could distinguish between an active user home directory that is also a btrfs subvolume - don't allow the user to stab themselves in the foot. But let them delete any other subvolume they own. Or maybe it's low enough risk.

Thanks,

-- 
Chris Murphy

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
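Added example (not part of the post, and not code from the btrfs or SELinux projects): a small audit script for the two situations the post raises. It parses `ls -lZ` output and reports entries whose SELinux type is not the one expected for the directory (here user_home_t, so the unlabeled_t subvolume from the post is flagged), and it parses a /proc/self/mounts-style table to report, per btrfs mount, whether user_subvol_rm_allowed is in effect and which mount a given path falls under. The sample `ls -lZ` lines are the two from the post; the mount table, device names and paths are constructed by me and hypothetical. It also assumes the classic GNU coreutils `ls -lZ` column layout and the six-column /proc/self/mounts layout.

```python
"""Audit helpers for subvolume labels and user_subvol_rm_allowed.

Added example, not from the post or the btrfs/SELinux projects. Assumptions:
  - `ls -lZ` lines use the GNU coreutils layout
    mode links owner group context size month day time name
  - mount lines use the /proc/self/mounts layout
    source mountpoint fstype options dump pass
"""
from dataclasses import dataclass

# Sample input: the two `ls -lZ` entries quoted in the post.
SAMPLE_LS_LZ = """\
drwxrwxr-x. 1 chris chris unconfined_u:object_r:user_home_t:s0 0 Jun 13 15:55 hi
drwxrwxr-x. 1 chris chris system_u:object_r:unlabeled_t:s0 0 Jun 13 15:55 hi2
"""

# Constructed sample mount table; devices, paths and options are hypothetical.
SAMPLE_MOUNTS = """\
/dev/vda3 / btrfs rw,seclabel,relatime,subvol=/root 0 0
/dev/vda3 /home btrfs rw,seclabel,relatime,user_subvol_rm_allowed,subvol=/home 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
"""


@dataclass
class Entry:
    name: str
    owner: str
    context: str  # full SELinux context: user:role:type:level

    @property
    def selinux_type(self) -> str:
        # The third colon-separated field of a context is the type.
        return self.context.split(":")[2]


def parse_ls_lz(text: str) -> list[Entry]:
    """Parse `ls -lZ` output into Entry records (names may contain spaces)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        # Ten columns; limiting the split keeps spaces in the name intact.
        fields = line.split(None, 9)
        if len(fields) != 10:
            raise ValueError(f"unexpected ls -lZ line: {line!r}")
        _mode, _links, owner, _group, ctx, _size, _mon, _day, _time, name = fields
        entries.append(Entry(name=name, owner=owner, context=ctx))
    return entries


def find_mislabeled(entries: list[Entry], expected_type: str) -> list[str]:
    """Names whose SELinux type differs from the one expected in this directory.

    Under ~/ the expected type is user_home_t; a subvolume created there
    that shows unlabeled_t (as in the post) is reported for relabeling.
    """
    return [e.name for e in entries if e.selinux_type != expected_type]


def parse_mounts(text: str) -> dict[str, tuple[str, set[str]]]:
    """Map mount point -> (fstype, set of mount options)."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _src, mnt, fstype, opts, _dump, _pass = line.split()
        mounts[mnt] = (fstype, set(opts.split(",")))
    return mounts


def user_subvol_rm_status(mounts) -> dict[str, bool]:
    """For every btrfs mount, whether user_subvol_rm_allowed is set."""
    return {mnt: "user_subvol_rm_allowed" in opts
            for mnt, (fstype, opts) in mounts.items() if fstype == "btrfs"}


def mount_point_for(path: str, mounts) -> str:
    """Longest-prefix match of a path against the mount table."""
    best = "/"
    for mnt in mounts:
        if mnt != "/" and (path == mnt or path.startswith(mnt + "/")):
            if len(mnt) > len(best):
                best = mnt
    return best


if __name__ == "__main__":
    entries = parse_ls_lz(SAMPLE_LS_LZ)
    print("mislabeled in ~/:", find_mislabeled(entries, "user_home_t"))
    mounts = parse_mounts(SAMPLE_MOUNTS)
    print("user_subvol_rm_allowed:", user_subvol_rm_status(mounts))
    print("mount for ~/hi2:", mount_point_for("/home/chris/hi2", mounts))
```

On a real system the input would come from `ls -lZ ~` and `cat /proc/self/mounts`. Entries reported by find_mislabeled are the ones a file-context relabel (restorecon) would bring back in line with policy, and user_subvol_rm_status makes it visible, before any policy decision, which btrfs mounts already let unprivileged owners delete subvolumes without the per-item permission checks the post describes.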