Hi all,

I have a question regarding restorecon and btrfs read-only snapshot handling.

restorecon is failing with "restorecon: Could not set context for <path>: Read-only file system" and return code 255 on btrfs read-only snapshots.

Currently we are setting <<none>> for those read-only btrfs snapshots in the SELinux policy, as we use restorecon in our autorelabelling [0] during boot and restorecon would fail with code 255 otherwise. We do not want to ignore non-zero return codes, since issues might be overlooked. However, this is also not optimal, as we have to write every possible path into the policy or ask users to set the <<none>> tag manually.

I was wondering if there is interest in, or there are plans for, skipping read-only btrfs subvolumes in restorecon entirely, or providing a different return code other than the catch-all LABEL_FILE_KIND_INVALID? Or is there another way that we did not see?

For more context, this is the bug on our side:
https://bugzilla.suse.com/show_bug.cgi?id=1232226

There were also some comments about a possible implementation, see comment 1 in the bug.

Thanks :)

Kind regards,
Cathy

[0] https://github.com/openSUSE/microos-tools/blob/master/selinux/selinux-autorelabel-generator

--
Cathy Hu <cahu@xxxxxxx>
SELinux Security Engineer
GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A

SUSE Software Solutions Germany GmbH
Frankenstrasse 146
90461 Nürnberg
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
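
Added example, not part of the original mail or of the SUSE or SELinux code: a caller-side sketch that keeps non-zero return codes meaningful by downgrading a restorecon failure only when every reported error is the "Read-only file system" message quoted above. The function names, the sample paths and the idea of parsing stderr are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: treat a restorecon failure as benign only when every
# reported error is a read-only filesystem error. All names are hypothetical.

# Constructed sample stderr; the paths are illustrative.
SAMPLE_STDERR='restorecon: Could not set context for /.snapshots/12/snapshot/etc/passwd: Read-only file system
restorecon: Could not set context for /.snapshots/12/snapshot/usr/bin/ls: Read-only file system
restorecon: Could not set context for /var/lib/example: Operation not permitted'

# stdin: restorecon stderr. stdout: paths that failed with EROFS.
# Spacing after the colon is matched loosely.
readonly_paths() {
    sed -n 's/^restorecon: Could not set context for \(.*\): *Read-only file system$/\1/p'
}

# stdin: restorecon stderr. stdout: every line that is not an EROFS failure.
unexpected_errors() {
    grep -Ev '^restorecon: Could not set context for .+: *Read-only file system$' || true
}

# $1 = restorecon exit code, $2 = captured stderr.
# Returns 0 on success or when all errors are EROFS, else the original code.
effective_status() {
    es_rc=$1
    es_err=$2
    if [ "$es_rc" -eq 0 ]; then return 0; fi
    # A failure that printed nothing is still a failure.
    if [ -z "$es_err" ]; then return "$es_rc"; fi
    es_rest=$(printf '%s\n' "$es_err" | unexpected_errors)
    if [ -z "$es_rest" ]; then return 0; fi
    printf '%s\n' "$es_rest" >&2      # surface the real problems
    return "$es_rc"
}

# Wrapper for a boot-time relabel; LC_ALL=C keeps the error text untranslated.
relabel() {
    rl_rc=0
    rl_err=$(LC_ALL=C restorecon -R "$@" 2>&1 >/dev/null) || rl_rc=$?
    printf '%s\n' "$rl_err" | readonly_paths | sed 's/^/skipped (read-only): /' >&2
    effective_status "$rl_rc" "$rl_err"
}
```

Matching on message text is brittle across versions, which is why a distinct return code or a built-in skip, as asked for in the mail, would be the cleaner fix.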