* [PATCH] restorecon: Only log error on readonly fs (bsc#1257996) @ 2026-03-10 15:32 Cathy Hu 2026-04-27 16:52 ` Petr Lautrbach 0 siblings, 1 reply; 5+ messages in thread From: Cathy Hu @ 2026-03-10 15:32 UTC (permalink / raw) To: selinux; +Cc: Cathy Hu Signed-off-by: Cathy Hu <cahu@suse.de> --- RFC Patch for the issue described in thread "Question regarding restorecon and btrfs read-only snapshots" libselinux/src/selinux_restorecon.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c index 8fadf4d2..e8545e27 100644 --- a/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c @@ -774,10 +774,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, if (!flags->nochange) { if (lsetfilecon(pathname, newcon) < 0) { /* Ignore files removed during relabeling if ignore_noent is set */ - if (flags->ignore_noent && errno == ENOENT) + if (flags->ignore_noent && errno == ENOENT) { goto out; - else + } else if (errno == EROFS) { + selinux_log(SELINUX_INFO, "Read only filesystem, relabel not possible: %s\n", pathname); + goto out; + } else { goto err; + } } updated = true; -- 2.53.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
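Review bot: The new errno == EROFS branch is unconditional, while the ENOENT skip directly above it is gated on flags->ignore_noent. With this change every caller of restorecon_sb takes the same "goto out" path for a failed lsetfilecon on a read-only filesystem, and the only trace left is one SELINUX_INFO line per path. Consider putting the EROFS skip behind an opt-in flag in the same way, or logging it at SELINUX_WARNING, so a caller that needs to know labels were not applied can still tell. The commit message carries only the Signed-off-by; it should state the use case and that the failure is no longer propagated.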
* Re: [PATCH] restorecon: Only log error on readonly fs (bsc#1257996)
From: Petr Lautrbach @ 2026-04-27 16:52 UTC
To: Cathy Hu, selinux; +Cc: Cathy Hu

Cathy Hu <cahu@suse.de> writes:

> Signed-off-by: Cathy Hu <cahu@suse.de>
> ---
> RFC Patch for the issue described in thread "Question regarding restorecon and btrfs read-only snapshots"
>

Could you point me where I can find the thread and is bsc#1257996?

What's the expected outcome? Before this change I see:

$ sudo restorecon -R -v /mnt/
restorecon: Could not set context for /mnt: Read-only file system
restorecon: Could not set context for /mnt/lost+found: Read-only file system
restorecon: Could not set context for /mnt/a: Read-only file system
restorecon: Could not set context for /mnt/1: Read-only file system

After:

$ sudo restorecon -R -v /mnt/
Read only filesystem, relabel not possible: /mnt
Read only filesystem, relabel not possible: /mnt/lost+found
Read only filesystem, relabel not possible: /mnt/a
Read only filesystem, relabel not possible: /mnt/1

This seems to be only a cosmetic change.

Petr

> libselinux/src/selinux_restorecon.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c > index 8fadf4d2..e8545e27 100644 > --- a/libselinux/src/selinux_restorecon.c > +++ b/libselinux/src/selinux_restorecon.c
> @@ -774,10 +774,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, > if (!flags->nochange) { > if (lsetfilecon(pathname, newcon) < 0) { > /* Ignore files removed during relabeling if ignore_noent is set */ > - if (flags->ignore_noent && errno == ENOENT) > + if (flags->ignore_noent && errno == ENOENT) { > goto out; > - else > + } else if (errno == EROFS) { > + selinux_log(SELINUX_INFO, "Read only filesystem, relabel not possible: %s\n", pathname); > + goto out; > + } else { > goto err; > + } > } > > updated = true; > -- > 2.53.0 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] restorecon: Only log error on readonly fs (bsc#1257996)
From: Cathy Hu @ 2026-04-28 9:18 UTC
To: Petr Lautrbach, selinux

On 4/27/26 6:52 PM, Petr Lautrbach wrote:
> Cathy Hu <cahu@suse.de> writes:
>
>> Signed-off-by: Cathy Hu <cahu@suse.de>
>> ---
>> RFC Patch for the issue described in thread "Question regarding restorecon and btrfs read-only snapshots"
>>
>
> Could you point me where I can find the thread and is bsc#1257996?

"Question regarding restorecon and btrfs read-only snapshots" Thread:
https://lore.kernel.org/selinux/98f87fd6-6d3e-4539-ad8f-1a0dc09aa890@suse.de/

bsc#1257996: Good point, that is the wrong bug number, the right one is:
https://bugzilla.suse.com/show_bug.cgi?id=1232226
I will refresh the patch after the discussion

>
> What's the expected outcome? Before this change I see:
>
> $ sudo restorecon -R -v /mnt/
> restorecon: Could not set context for /mnt: Read-only file system
> restorecon: Could not set context for /mnt/lost+found: Read-only file system
> restorecon: Could not set context for /mnt/a: Read-only file system
> restorecon: Could not set context for /mnt/1: Read-only file system
>
> After:
>
> $ sudo restorecon -R -v /mnt/
> Read only filesystem, relabel not possible: /mnt
> Read only filesystem, relabel not possible: /mnt/lost+found
> Read only filesystem, relabel not possible: /mnt/a
> Read only filesystem, relabel not possible: /mnt/1
>
> This seems to be only a cosmetic change.

return value should be 0 with the change, before that it was 255.
So before it was failing, now it is traverse and log only

>
> Petr
>
>
>> libselinux/src/selinux_restorecon.c | 8 ++++++-- >> 1 file changed, 6 insertions(+), 2 deletions(-)
>> >> diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c >> index 8fadf4d2..e8545e27 100644 >> --- a/libselinux/src/selinux_restorecon.c >> +++ b/libselinux/src/selinux_restorecon.c >> @@ -774,10 +774,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, >> if (!flags->nochange) { >> if (lsetfilecon(pathname, newcon) < 0) { >> /* Ignore files removed during relabeling if ignore_noent is set */ >> - if (flags->ignore_noent && errno == ENOENT) >> + if (flags->ignore_noent && errno == ENOENT) { >> goto out; >> - else >> + } else if (errno == EROFS) { >> + selinux_log(SELINUX_INFO, "Read only filesystem, relabel not possible: %s\n", pathname); >> + goto out; >> + } else { >> goto err; >> + } >> } >> >> updated = true; >> -- >> 2.53.0 > [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 870 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] restorecon: Only log error on readonly fs (bsc#1257996)
From: Petr Lautrbach @ 2026-04-28 10:44 UTC
To: Cathy Hu, selinux

Cathy Hu <cahu@suse.de> writes:

> On 4/27/26 6:52 PM, Petr Lautrbach wrote:
>> Cathy Hu <cahu@suse.de> writes:
>>
>>> Signed-off-by: Cathy Hu <cahu@suse.de>
>>> ---
>>> RFC Patch for the issue described in thread "Question regarding restorecon and btrfs read-only snapshots"
>>>
>>
>> Could you point me where I can find the thread and is bsc#1257996?
>
> "Question regarding restorecon and btrfs read-only snapshots" Thread:
> https://lore.kernel.org/selinux/98f87fd6-6d3e-4539-ad8f-1a0dc09aa890@suse.de/
>
> bsc#1257996: Good point, that is the wrong bug number, the right one is:
> https://bugzilla.suse.com/show_bug.cgi?id=1232226
> I will refresh the patch after the discussion
>
>
>>
>> What's the expected outcome? Before this change I see:
>>
>> $ sudo restorecon -R -v /mnt/
>> restorecon: Could not set context for /mnt: Read-only file system
>> restorecon: Could not set context for /mnt/lost+found: Read-only file system
>> restorecon: Could not set context for /mnt/a: Read-only file system
>> restorecon: Could not set context for /mnt/1: Read-only file system
>>
>> After:
>>
>> $ sudo restorecon -R -v /mnt/
>> Read only filesystem, relabel not possible: /mnt
>> Read only filesystem, relabel not possible: /mnt/lost+found
>> Read only filesystem, relabel not possible: /mnt/a
>> Read only filesystem, relabel not possible: /mnt/1
>>
>> This seems to be only a cosmetic change.
>
> return value should be 0 with the change, before that it was 255.
> So before it was failing, now it is traverse and log only
>

thanks for the pointers, it's clear now.

Is it expected that it would work only in first level of subdirectories?

$ mount | grep /mnt
/dev/loop0 on /mnt type ext4 (ro,relatime,seclabel)
/dev/loop1 on /mnt/rw type ext4 (rw,relatime,seclabel)
/dev/loop2 on /mnt/a/b/c/d/rw type ext4 (rw,relatime,seclabel)

$ sudo restorecon -R -v /mnt
Read only filesystem, relabel not possible: /mnt
Read only filesystem, relabel not possible: /mnt/lost+found
Read only filesystem, relabel not possible: /mnt/a
Relabeled /mnt/rw from system_u:object_r:user_home_t:s0 to system_u:object_r:mnt_t:s0
Read only filesystem, relabel not possible: /mnt/1

It seems to be useful just for one specific use case.

Also could you please improve the commit message so it contains some
reason, use case and the final effect? It will help future reviewers to better
understand this change.

Petr

>>
>> Petr
>>
>>
>>> libselinux/src/selinux_restorecon.c | 8 ++++++-- >>> 1 file changed, 6 insertions(+), 2 deletions(-) >>> >>> diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c >>> index 8fadf4d2..e8545e27 100644 >>> --- a/libselinux/src/selinux_restorecon.c >>> +++ b/libselinux/src/selinux_restorecon.c >>> @@ -774,10 +774,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, >>> if (!flags->nochange) { >>> if (lsetfilecon(pathname, newcon) < 0) { >>> /* Ignore files removed during relabeling if ignore_noent is set */ >>> - if (flags->ignore_noent && errno == ENOENT) >>> + if (flags->ignore_noent && errno == ENOENT) { >>> goto out; >>> - else >>> + } else if (errno == EROFS) { >>> + selinux_log(SELINUX_INFO, "Read only filesystem, relabel not possible: %s\n", pathname); >>> + goto out; >>> + } else { >>> goto err; >>> + } >>> } >>> >>> updated = true; >>> -- >>> 2.53.0 >>
* Re: [PATCH] restorecon: Only log error on readonly fs (bsc#1257996)
From: Cathy Hu @ 2026-04-30 10:58 UTC
To: Petr Lautrbach, selinux

On 4/28/26 12:44 PM, Petr Lautrbach wrote:
>
> thanks for the pointers, it's clear now.
>
> Is it expected that it would work only in first level of subdirectories?
>
> $ mount | grep /mnt
> /dev/loop0 on /mnt type ext4 (ro,relatime,seclabel)
> /dev/loop1 on /mnt/rw type ext4 (rw,relatime,seclabel)
> /dev/loop2 on /mnt/a/b/c/d/rw type ext4 (rw,relatime,seclabel)
>
> $ sudo restorecon -R -v /mnt
> Read only filesystem, relabel not possible: /mnt
> Read only filesystem, relabel not possible: /mnt/lost+found
> Read only filesystem, relabel not possible: /mnt/a
> Relabeled /mnt/rw from system_u:object_r:user_home_t:s0 to system_u:object_r:mnt_t:s0
> Read only filesystem, relabel not possible: /mnt/1
>
> It seems to be useful just for one specific use case.

No, so it will continue traversing. The problem in this test case is that
/mnt/a/b does not have a default label, therefore it will not continue:

$ matchpathcon /mnt/a/b
/mnt/a/b <<none>>

If you try it on another directory that does have a default label it will continue.
For example with this test case in /var/lib/data2 it works:

mkdir -p /tmp/source_base /tmp/source_rw1 /tmp/source_rw2
mkdir -p /tmp/source_base/rw
mkdir -p /tmp/source_base/a/b/c/d/rw
touch /tmp/source_rw1/foo
chcon -t httpd_exec_t /tmp/source_rw1/foo
touch /tmp/source_rw2/foo
chcon -t httpd_exec_t /tmp/source_rw2/foo
mount --bind /tmp/source_base /var/lib/data2
mount -o remount,ro,bind /var/lib/data2
mount --bind /tmp/source_rw1 /var/lib/data2/rw
mount --bind /tmp/source_rw2 /var/lib/data2/a/b/c/d/rw

Output:

$ restorecon -Rv /var/lib/data2
Read only filesystem, relabel not possible: /var/lib/data2
Read only filesystem, relabel not possible: /var/lib/data2/a
Read only filesystem, relabel not possible: /var/lib/data2/a/b
Read only filesystem, relabel not possible: /var/lib/data2/a/b/c
Read only filesystem, relabel not possible: /var/lib/data2/a/b/c/d
Relabeled /var/lib/data2/a/b/c/d/rw from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:var_lib_t:s0
Relabeled /var/lib/data2/a/b/c/d/rw/foo from unconfined_u:object_r:httpd_exec_t:s0 to unconfined_u:object_r:var_lib_t:s0
Relabeled /var/lib/data2/rw from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:var_lib_t:s0
Relabeled /var/lib/data2/rw/foo from unconfined_u:object_r:httpd_exec_t:s0 to unconfined_u:object_r:var_lib_t:s0

>
> Also could you please improve the commit message so it contains some
> reason, use case and the final effect? It will help future reviewers to better
> understand this change.

Thanks, yes will do, I will send an updated patch with a more descriptive commit message later.
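With the patched behaviour restorecon exits 0 after skipping read-only paths, so a caller who needs to know which subtrees stay unlabeled can list the read-only mounts under the target first. The following is an added example, not code from this thread or from libselinux; the function names and the sample mountinfo lines (modelled on the two test layouts above) are constructed.

```shell
#!/bin/sh
# Added example: list read-only mounts at or below a directory before
# running restorecon -R on it. Input is /proc/self/mountinfo-format text.

# Constructed sample data, modelled on the two test layouts in the thread.
sample_mountinfo() {
    cat <<'EOF'
29 1 253:0 / / rw,relatime shared:1 - ext4 /dev/vda2 rw,seclabel
100 29 253:0 /tmp/source_base /var/lib/data2 ro,relatime shared:1 - ext4 /dev/vda2 rw,seclabel
101 100 253:0 /tmp/source_rw1 /var/lib/data2/rw rw,relatime shared:1 - ext4 /dev/vda2 rw,seclabel
102 100 253:0 /tmp/source_rw2 /var/lib/data2/a/b/c/d/rw rw,relatime shared:1 - ext4 /dev/vda2 rw,seclabel
200 29 7:0 / /mnt ro,relatime shared:2 - ext4 /dev/loop0 ro,seclabel
201 200 7:1 / /mnt/rw rw,relatime shared:3 - ext4 /dev/loop1 rw,seclabel
202 200 7:2 / /mnt/a/b/c/d/rw rw,relatime - ext4 /dev/loop2 rw,seclabel
EOF
}

# ro_mounts_under DIR: print "mountpoint<TAB>kind" for each read-only mount.
# kind "mount" = per-mount flag (field 6, e.g. a bind mount remounted ro),
# kind "superblock" = filesystem-wide flag (last field); both can be set.
ro_mounts_under() {
    awk -v root="${1%/}" '
    function has_ro(opts,    n, i, a) {
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == "ro") return 1
        return 0
    }
    {
        mp = $5   # spaces in paths are escaped as \040, so field splitting is safe
        if (root != "" && mp != root && index(mp, root "/") != 1) next
        # the number of optional fields varies; a lone "-" terminates them
        sep = 0
        for (f = 7; f <= NF; f++) if ($f == "-") { sep = f; break }
        if (!sep) next
        kind = ""
        if (has_ro($6)) kind = "mount"
        if (has_ro($(sep + 3))) kind = (kind == "" ? "superblock" : kind "+superblock")
        if (kind != "") print mp "\t" kind
    }'
}

# Demo on the constructed data; on a live system run:
#   ro_mounts_under /var/lib/data2 < /proc/self/mountinfo
sample_mountinfo | ro_mounts_under /var/lib/data2
```

A read-only btrfs snapshot reached through a read-write mount is not reported by this check, because its read-only state is a subvolume property rather than a mount option.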