* lsetxattr error when doing send/receive
From: Bernardo Donadio @ 2014-05-13 23:44 UTC
To: linux-btrfs

Hi!

I'm trying to do a send/receive of a snapshot between two disks on Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and SELinux disabled, and then I'm receiving the following error:

[root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
Create a readonly snapshot of '/' in './@.2014-05-13-203532'
[root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
At subvol @.2014-05-13-203532
At subvol @.2014-05-13-203532
ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported

I'm missing something? Is this a bug?

-- 
Bernardo Donadio

* Re: lsetxattr error when doing send/receive
From: David Brown @ 2014-05-14 1:57 UTC
To: Bernardo Donadio; +Cc: linux-btrfs

On Tue, May 13, 2014 at 08:44:44PM -0300, Bernardo Donadio wrote:
>Hi!
>
>I'm trying to do a send/receive of a snapshot between two disks on
>Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and
>SELinux disabled, and then I'm receiving the following error:
>
>[root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
>Create a readonly snapshot of '/' in './@.2014-05-13-203532'
>[root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
>At subvol @.2014-05-13-203532
>At subvol @.2014-05-13-203532
>ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0
>failed. Operation not supported
>
>I'm missing something? Is this a bug?

Is selinux 'disabled' or just non-enforcing? If it is enabled, but even non-enforcing, it still won't allow the security attributes to be set.

    $ selinuxenabled; echo $?

should give '1' if it is truly disabled. I believe you have to disable it at startup time, so if you've changed the config file, you might need to reboot.

David

* Re: lsetxattr error when doing send/receive
From: Bernardo Donadio @ 2014-05-14 3:16 UTC
To: linux-btrfs

On 05/13/2014 10:57 PM, David Brown wrote:
> $ selinuxenabled; echo $?

It does return '1'. I know SELinux is disabled because I can't boot with it on (and I have no fucking clue why).

What exactly is the error complaining about, BTW?

A guy at #selinux@freenode said something about btrfs not supporting the FS security extensions, but he didn't know how to elaborate more.

Thanks.

-- 
Bernardo Donadio

* Re: lsetxattr error when doing send/receive
From: Chris Murphy @ 2014-05-14 6:56 UTC
To: Bernardo Donadio; +Cc: linux-btrfs

On May 13, 2014, at 9:16 PM, Bernardo Donadio <bcdonadio@gmail.com> wrote:

> On 05/13/2014 10:57 PM, David Brown wrote:
>> $ selinuxenabled; echo $?
>
> It does return '1'. I know SELinux is disabled because I can't boot with it on (and I have no fucking clue why).
>
> What exactly is the error complaining about, BTW?

How are you disabling it? I suggest enabling it. Then setting enforcing=0 so that it can maintain the proper labeling, and see if you still get the error.

> A guy at #selinux@freenode said something about btrfs not supporting the FS security extensions, but he didn't know how to elaborate more.

Oh dear, well that's wrong. There appear to be some xattrs that are not being restored on receive, there's another thread on that, but they aren't selinux labels.

Chris Murphy

* Re: lsetxattr error when doing send/receive
From: Chris Murphy @ 2014-05-14 6:52 UTC
To: David Brown; +Cc: Bernardo Donadio, linux-btrfs

On May 13, 2014, at 7:57 PM, David Brown <davidb@davidb.org> wrote:

> On Tue, May 13, 2014 at 08:44:44PM -0300, Bernardo Donadio wrote:
>> Hi!
>>
>> I'm trying to do a send/receive of a snapshot between two disks on Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and SELinux disabled, and then I'm receiving the following error:
>>
>> [root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
>> Create a readonly snapshot of '/' in './@.2014-05-13-203532'
>> [root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
>> At subvol @.2014-05-13-203532
>> At subvol @.2014-05-13-203532
>> ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported
>>
>> I'm missing something? Is this a bug?
>
> Is selinux 'disabled' or just non-enforcing? If it is enabled, but
> even non-enforcing, it still won't allow the security attributes to be
> set.

Reverse that. If selinux is disabled, labels can't be set. If not enforcing, you won't get AVC denials for the vast majority of events, but labels can be set and e.g. restorecon will still work.

selinux=0 kernel param is disabled.
enforcing=0 kernel param is enabled but not enforcing (for most things).

selinux=0 isn't recommended. enforcing=0 is better, and then ausearch -m AVC to find denials and report them so they get fixed.

Chris Murphy

* Re: lsetxattr error when doing send/receive
From: David Brown @ 2014-05-14 14:41 UTC
To: Chris Murphy; +Cc: Bernardo Donadio, linux-btrfs

On Wed, May 14, 2014 at 12:52:50AM -0600, Chris Murphy wrote:
>
>On May 13, 2014, at 7:57 PM, David Brown <davidb@davidb.org> wrote:
>
>> On Tue, May 13, 2014 at 08:44:44PM -0300, Bernardo Donadio wrote:
>>> Hi!
>>>
>>> I'm trying to do a send/receive of a snapshot between two disks on Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and SELinux disabled, and then I'm receiving the following error:
>>>
>>> [root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
>>> Create a readonly snapshot of '/' in './@.2014-05-13-203532'
>>> [root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
>>> At subvol @.2014-05-13-203532
>>> At subvol @.2014-05-13-203532
>>> ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported
>>>
>>> I'm missing something? Is this a bug?
>>
>> Is selinux 'disabled' or just non-enforcing? If it is enabled, but
>> even non-enforcing, it still won't allow the security attributes to be
>> set.
>
>Reverse that. If selinux is disabled, labels can't be set. If not
>enforcing, you won't get AVC denials for the vast majority of events,
>but labels can be set and e.g. restorecon will still work.

    $ selinuxenabled ; echo $?
    0
    $ touch /var/tmp/foo
    $ sudo setfattr -n security.selinux -v system_u:object_r:bin_t:s0 /var/tmp/foo
    $ ls -lZ /var/tmp/foo
    -rw-rw-r--. davidb davidb system_u:object_r:bin_t:s0 /var/tmp/foo

and on a machine with selinux disabled:

    $ selinuxenabled ; echo $?
    1
    $ touch /var/tmp/foo
    $ sudo setfattr -n security.selinux -v system_u:object_r:bin_t:s0 /var/tmp/foo
    $ ls -lZ /var/tmp/foo
    -rw-rw-r--. davidb davidb system_u:object_r:bin_t:s0 /var/tmp/foo

so it doesn't actually seem to matter.

At this point, I'm suspecting this was actually a bug in a kernel I was running at some point, and I just haven't bothered trying to enable selinux since then. I definitely have received errors in the past from rsync that look like the above error that I could fix by booting with selinux disabled.

David

* Re: lsetxattr error when doing send/receive
From: Bernardo Donadio @ 2014-05-15 5:06 UTC
To: linux-btrfs

On 05/14/2014 03:52 AM, Chris Murphy wrote:
> Reverse that. If selinux is disabled, labels can't be set. If not enforcing, you won't get AVC denials for the vast majority of events, but labels can be set and e.g. restorecon will still work.

Indeed, enabling SELinux into permissive mode solved the problem.

Thanks.

-- 
Bernardo Donadio
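
An added example, not part of the thread or of btrfs-progs: a preflight that reads the SELinux state and repeats the failing lsetxattr on a scratch file in the destination before any data is sent. The function names are hypothetical, and it assumes selinuxfs at /sys/fs/selinux and setfattr from the attr package.

```shell
#!/bin/sh
# Preflight for `btrfs receive` of a snapshot carrying security.selinux labels.
# Added example; function names are hypothetical.

# Print disabled | permissive | enforcing.
# $1: selinuxfs mount point (assumed default /sys/fs/selinux). The enforce
# file exists only while SELinux is enabled: 0 = permissive, 1 = enforcing.
selinux_state() {
    fs=${1:-/sys/fs/selinux}
    if [ ! -r "$fs/enforce" ]; then
        echo disabled
        return 0
    fi
    case $(cat "$fs/enforce") in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Repeat the operation receive failed on: set security.selinux without
# following symlinks on a scratch file. $1: destination dir, $2: label.
label_probe() {
    probe=$(mktemp "$1/.xattr-probe.XXXXXX") || return 2
    if setfattr -h -n security.selinux -v "$2" "$probe" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -f "$probe"
    return "$rc"
}

# Turn state + probe result into a go/no-go. $1: state, $2: probe exit status.
receive_verdict() {
    if [ "$2" -eq 0 ]; then
        echo "ok: security.selinux labels can be written"
        return 0
    fi
    case $1 in
        disabled) echo "blocked: SELinux disabled (selinux=0); boot with enforcing=0 instead" ;;
        *) echo "blocked: lsetxattr failed with SELinux $1; check ausearch -m AVC" ;;
    esac
    return 1
}

# Usage: preflight /mnt/cold system_u:object_r:bin_t:s0 && btrfs send ... | btrfs receive /mnt/cold/
preflight() {
    state=$(selinux_state)
    if label_probe "$1" "$2"; then rc=0; else rc=$?; fi
    receive_verdict "$state" "$rc"
}
```

The probe result decides the verdict; the SELinux state only selects the remediation hint, since the thread reports setfattr behaving differently across machines.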