From: Petr Lautrbach <lautrbach@redhat.com>
To: Cathy Hu <cahu@suse.de>, selinux@vger.kernel.org
Cc: fvogt@suse.com, selinux@suse.de
Subject: Re: Question regarding restorecon and btrfs read-only snapshots
Date: Mon, 17 Mar 2025 15:29:27 +0100 [thread overview]
Message-ID: <87senb7mt4.fsf@redhat.com> (raw)
In-Reply-To: <98f87fd6-6d3e-4539-ad8f-1a0dc09aa890@suse.de>
Cathy Hu <cahu@suse.de> writes:
> Hi all,
>
> I have a question regarding restorecon and btrfs read-only snapshot handling.
>
> restorecon is failing with "restorecon: Could not set context for <path>: Read-only file system"
> and return code 255 on btrfs read-only snapshots.
>
> Currently we are setting <<none>> for those read-only btrfs snapshots in the selinux policy, as
> we use restorecon in our autorelabelling [0] during boot and restorecon would fail with code 255 otherwise.
> We do not want to ignore non-zero return codes, since issues might be overlooked.
>
> However, this is also not optimal as we have to write every possible path into the policy or asking
> users to set the <<none>> tag manually.
>
> I was wondering if there was interest/plans in implementing to skip read-only btrfs subvolumes in restorecon
> entirely or provide a different return code other than the catchall LABEL_FILE_KIND_INVALID?
> Or is there another way that we did not see?
>
> For more context, this is the bug on our side: https://bugzilla.suse.com/show_bug.cgi?id=1232226
> There was also some comments about possible implementation, see comment 1 in the bug.
You could use `-e <directory>` to exclude read only subdirectories.
Petr
>
> Thanks :)
>
> Kind regards,
>
> Cathy
>
> [0] https://github.com/openSUSE/microos-tools/blob/master/selinux/selinux-autorelabel-generator
>
> --
> Cathy Hu <cahu@suse.de>
> SELinux Security Engineer
> GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A
>
> SUSE Software Solutions Germany GmbH
> Frankenstrasse 146
> 90461 Nürnberg
>
> Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
> (HRB 36809, AG Nürnberg)
next prev parent reply other threads:[~2025-03-17 14:29 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-17 13:49 Question regarding restorecon and btrfs read-only snapshots Cathy Hu
2025-03-17 14:29 ` Petr Lautrbach [this message]
2025-03-17 14:55 ` Cathy Hu
2025-03-17 17:29 ` Petr Lautrbach
2025-03-18 8:17 ` Cathy Hu
2025-03-18 12:24 ` Stephen Smalley
2025-03-18 13:10 ` Petr Lautrbach
2025-03-19 13:16 ` Stephen Smalley
2025-03-19 13:25 ` Stephen Smalley
2025-03-19 14:35 ` William Roberts
2025-03-19 15:20 ` Fabian Vogt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87senb7mt4.fsf@redhat.com \
--to=lautrbach@redhat.com \
--cc=cahu@suse.de \
--cc=fvogt@suse.com \
--cc=selinux@suse.de \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.