On Mon, Jun 20, 2016 at 9:38 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 06/20/2016 07:09 AM, Petr Lautrbach wrote:
>> Snapper needs a way how to set a proper selinux context on btrfs
>> subvolumes originating in snapshot create command. Fs can't handle it on
>> its own so snapper will enforce .snapshots subvolume relabeling
>> according to a file returned by selinux_snapperd_contexts_path().
>>
>> The format of the file will be similar to other contexts file:
>>
>> snapperd_data = system_u:object_r:snapperd_data_t:s0
>>
>> Fixes:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1247530
>> https://bugzilla.redhat.com/show_bug.cgi?id=1247532
>
> Seems like there is a kernel bug here, if btrfs snapshots are being
> created in unlabeled_t initially? I understand and agree that
> ultimately something in userspace will have to assign a specific label,
> but they shouldn't be defaulting to unlabeled_t.

It's been too long since I've looked at this, but from what I recall
the btrfs snapshots are a real mess from a SELinux perspective and
setting an initial label was not an easy thing to do.

-- 
paul moore
www.paul-moore.com
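
The "key = context" file format quoted in the thread above, as an added example that is not part of the original messages and is not libselinux or snapper code: a lookup that fetches the context for a key and rejects a malformed one before it is used for relabeling. The names lookup_context, context_well_formed and SAMPLE are hypothetical, the sample text is constructed, and '#' comment lines are an assumption about the format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input; the real file is the one named by
 * selinux_snapperd_contexts_path(). '#' comments are an assumption. */
static const char SAMPLE[] = "# constructed sample\n"
    "snapperd_data = system_u:object_r:snapperd_data_t:s0\n";

/* Strip surrounding whitespace in place and return the new start. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) e--;
    *e = '\0';
    return s;
}

/* A context is user:role:type:level. The level may itself contain ':'
 * (for example s0:c0.c1023), so only the first three colons separate fields. */
static int context_well_formed(const char *ctx) {
    const char *p = ctx;
    for (int i = 0; i < 3; i++) {
        const char *c = strchr(p, ':');
        if (!c || c == p) return 0;          /* missing or empty field */
        p = c + 1;
    }
    return *p != '\0' && !strpbrk(ctx, " \t");
}

/* Copy the context for `key` into `out`. Returns 0 on success, -1 when the
 * key is absent or its value is malformed, so the caller never relabels
 * with a bad context. Lines of 512 bytes or more are skipped. */
int lookup_context(const char *text, const char *key, char *out, size_t outlen) {
    char buf[512];
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n < sizeof buf) {
            memcpy(buf, text, n); buf[n] = '\0';
            char *line = trim(buf), *eq = strchr(line, '=');
            if (*line != '#' && eq) {
                *eq = '\0';
                char *val = trim(eq + 1);
                if (strcmp(trim(line), key) == 0) {
                    if (!context_well_formed(val) || strlen(val) >= outlen) return -1;
                    strcpy(out, val);
                    return 0;
                }
            }
        }
        text += n;
        if (*text == '\n') text++;
    }
    return -1;
}
```

A caller that gets -1 should leave the subvolume's label alone rather than fall back to a guessed context.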