Re: [PATCH] restorecon: Only log error on readonly fs (bsc#1257996)

[Petr Lautrbach <lautrbach@redhat.com>]

Cathy Hu <cahu@suse.de> writes:

> On 4/27/26 6:52 PM, Petr Lautrbach wrote:
>> Cathy Hu <cahu@suse.de> writes:
>> 
>>> Signed-off-by: Cathy Hu <cahu@suse.de>
>>> ---
>>> RFC Patch for the issue described in thread "Question regarding restorecon and btrfs read-only snapshots"
>>>
>> 
>> Could you point me where I can find the thread and is bsc#1257996?
>
> "Question regarding restorecon and btrfs read-only snapshots" Thread:
> https://lore.kernel.org/selinux/98f87fd6-6d3e-4539-ad8f-1a0dc09aa890@suse.de/
>
> bsc#1257996: Good point, that is the wrong bug number, the right one is:
> https://bugzilla.suse.com/show_bug.cgi?id=1232226
> I will refresh the patch after the discussion
>
>
>> 
>> What's the expected outcome? Before this change I see:
>> 
>> $ sudo restorecon -R -v /mnt/
>> restorecon: Could not set context for /mnt:  Read-only file system
>> restorecon: Could not set context for /mnt/lost+found:  Read-only file system
>> restorecon: Could not set context for /mnt/a:  Read-only file system
>> restorecon: Could not set context for /mnt/1:  Read-only file system
>> 
>> After:
>> 
>> $ sudo restorecon -R -v /mnt/
>> Read only filesystem, relabel not possible: /mnt
>> Read only filesystem, relabel not possible: /mnt/lost+found
>> Read only filesystem, relabel not possible: /mnt/a
>> Read only filesystem, relabel not possible: /mnt/1
>> 
>> This seems to be only a cosmetic change.
>
> return value should be 0 with the change, before that it was 255.
> So before it was failing, now it is traverse and log only
>

thanks for the pointers, it's clear now.

Is it expected that it would work only in first level of subdirectories?

$ mount | grep /mnt
/dev/loop0 on /mnt type ext4 (ro,relatime,seclabel)
/dev/loop1 on /mnt/rw type ext4 (rw,relatime,seclabel)
/dev/loop2 on /mnt/a/b/c/d/rw type ext4 (rw,relatime,seclabel)

$ sudo restorecon -R -v /mnt
Read only filesystem, relabel not possible: /mnt
Read only filesystem, relabel not possible: /mnt/lost+found
Read only filesystem, relabel not possible: /mnt/a
Relabeled /mnt/rw from system_u:object_r:user_home_t:s0 to system_u:object_r:mnt_t:s0
Read only filesystem, relabel not possible: /mnt/1

It seems to be useful just for one specific use case.

Also could you please improve the commit message so it contains some
reason, uses case and the final effect? it will help future reviewers to better
understand this change.


Petr


>> 
>> Petr
>> 
>> 
>>>   libselinux/src/selinux_restorecon.c | 8 ++++++--
>>>   1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
>>> index 8fadf4d2..e8545e27 100644
>>> --- a/libselinux/src/selinux_restorecon.c
>>> +++ b/libselinux/src/selinux_restorecon.c
>>> @@ -774,10 +774,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
>>>   		if (!flags->nochange) {
>>>   			if (lsetfilecon(pathname, newcon) < 0) {
>>>   				/* Ignore files removed during relabeling if ignore_noent is set */
>>> -				if (flags->ignore_noent && errno == ENOENT)
>>> +				if (flags->ignore_noent && errno == ENOENT) {
>>>   					goto out;
>>> -				else
>>> +				} else if (errno == EROFS) {
>>> +					selinux_log(SELINUX_INFO, "Read only filesystem, relabel not possible: %s\n", pathname);
>>> +					goto out;
>>> +				} else {
>>>   					goto err;
>>> +				}
>>>   			}
>>>   
>>>   			updated = true;
>>> -- 
>>> 2.53.0
>>