* lsetxattr error when doing send/receive
From: Bernardo Donadio @ 2014-05-13 23:44 UTC (permalink / raw)
To: linux-btrfs
Hi!
I'm trying to do a send/receive of a snapshot between two disks on
Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and
SELinux disabled, and then I'm receiving the following error:
[root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
Create a readonly snapshot of '/' in './@.2014-05-13-203532'
[root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
At subvol @.2014-05-13-203532
At subvol @.2014-05-13-203532
ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported
I'm missing something? Is this a bug?
--
Bernardo Donadio
* Re: lsetxattr error when doing send/receive
From: David Brown @ 2014-05-14 1:57 UTC (permalink / raw)
To: Bernardo Donadio; +Cc: linux-btrfs
On Tue, May 13, 2014 at 08:44:44PM -0300, Bernardo Donadio wrote:
>Hi!
>
>I'm trying to do a send/receive of a snapshot between two disks on
>Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and
>SELinux disabled, and then I'm receiving the following error:
>
>[root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
>Create a readonly snapshot of '/' in './@.2014-05-13-203532'
>[root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
>At subvol @.2014-05-13-203532
>At subvol @.2014-05-13-203532
>ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported
>
>I'm missing something? Is this a bug?
Is selinux 'disabled' or just non-enforcing? If it is enabled, but
even non-enforcing, it still won't allow the security attributes to be
set.
$ selinuxenabled; echo $?
should give '1' if it is truly disabled. I believe you have to
disable it at startup time, so if you've changed the config file, you
might need to reboot.
David
* Re: lsetxattr error when doing send/receive
From: Bernardo Donadio @ 2014-05-14 3:16 UTC (permalink / raw)
To: linux-btrfs
On 05/13/2014 10:57 PM, David Brown wrote:
> $ selinuxenabled; echo $?
It does return '1'. I know SELinux is disabled because I can't boot with
it on (and I have no fucking clue why).
What exactly is the error complaining about, BTW? A guy at
#selinux@freenode said something about btrfs not supporting the FS
security extensions, but he didn't know how to elaborate more.
Thanks.
--
Bernardo Donadio
* Re: lsetxattr error when doing send/receive
From: Chris Murphy @ 2014-05-14 6:52 UTC (permalink / raw)
To: David Brown; +Cc: Bernardo Donadio, linux-btrfs
On May 13, 2014, at 7:57 PM, David Brown <davidb@davidb.org> wrote:
> On Tue, May 13, 2014 at 08:44:44PM -0300, Bernardo Donadio wrote:
>> Hi!
>>
>> I'm trying to do a send/receive of a snapshot between two disks on Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and SELinux disabled, and then I'm receiving the following error:
>>
>> [root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
>> Create a readonly snapshot of '/' in './@.2014-05-13-203532'
>> [root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
>> At subvol @.2014-05-13-203532
>> At subvol @.2014-05-13-203532
>> ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported
>>
>> I'm missing something? Is this a bug?
>
> Is selinux 'disabled' or just non-enforcing? If it is enabled, but
> even non-enforcing, it still won't allow the security attributes to be
> set.
Reverse that. If selinux is disabled, labels can't be set. If not enforcing, you won't get AVC denials for the vast majority of events, but labels can be set and e.g. restorecon will still work.
selinux=0 kernel param is disabled.
enforcing=0 kernel param is enabled but not enforcing (for most things).
selinux=0 isn't recommended. enforcing=0 is better, and then ausearch -m AVC to find denials and report them so they get fixed.
Chris Murphy
* Re: lsetxattr error when doing send/receive
From: Chris Murphy @ 2014-05-14 6:56 UTC (permalink / raw)
To: Bernardo Donadio; +Cc: linux-btrfs
On May 13, 2014, at 9:16 PM, Bernardo Donadio <bcdonadio@gmail.com> wrote:
> On 05/13/2014 10:57 PM, David Brown wrote:
>> $ selinuxenabled; echo $?
>
> It does return '1'. I know SELinux is disabled because I can't boot with it on (and I have no fucking clue why).
>
> What exactly is the error complaining about, BTW?
How are you disabling it? I suggest enabling it. Then setting enforcing=0 so that it can maintain the proper labeling, and see if you still get the error.
> A guy at #selinux@freenode said something about btrfs not supporting the FS security extensions, but he didn't know how to elaborate more.
Oh dear, well that's wrong. There appear to be some xattrs that are not being restored on receive, there's another thread on that, but they aren't selinux labels.
Chris Murphy
* Re: lsetxattr error when doing send/receive
From: David Brown @ 2014-05-14 14:41 UTC (permalink / raw)
To: Chris Murphy; +Cc: Bernardo Donadio, linux-btrfs
On Wed, May 14, 2014 at 12:52:50AM -0600, Chris Murphy wrote:
>
>On May 13, 2014, at 7:57 PM, David Brown <davidb@davidb.org> wrote:
>
>> On Tue, May 13, 2014 at 08:44:44PM -0300, Bernardo Donadio wrote:
>>> Hi!
>>>
>>> I'm trying to do a send/receive of a snapshot between two disks on Fedora 20 with Linux 3.15-rc5 (and also tried with 3.14 and 3.11) and SELinux disabled, and then I'm receiving the following error:
>>>
>>> [root@darwin /]# btrfs subvolume snapshot -r / @.$(date +%Y-%m-%d-%H%M%S)
>>> Create a readonly snapshot of '/' in './@.2014-05-13-203532'
>>> [root@darwin /]# btrfs send @.2014-05-13-203532 | btrfs receive /mnt/cold/
>>> At subvol @.2014-05-13-203532
>>> At subvol @.2014-05-13-203532
>>> ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported
>>>
>>> I'm missing something? Is this a bug?
>>
>> Is selinux 'disabled' or just non-enforcing? If it is enabled, but
>> even non-enforcing, it still won't allow the security attributes to be
>> set.
>
>Reverse that. If selinux is disabled, labels can't be set. If not
>enforcing, you won't get AVC denials for the vast majority of events,
>but labels can be set and e.g. restorecon will still work.
$ selinuxenabled ; echo $?
0
$ touch /var/tmp/foo
$ sudo setfattr -n security.selinux -v system_u:object_r:bin_t:s0 /var/tmp/foo
$ ls -lZ /var/tmp/foo
-rw-rw-r--. davidb davidb system_u:object_r:bin_t:s0 /var/tmp/foo
and on a machine with selinux disabled:
$ selinuxenabled ; echo $?
1
$ touch /var/tmp/foo
$ sudo setfattr -n security.selinux -v system_u:object_r:bin_t:s0 /var/tmp/foo
$ ls -lZ /var/tmp/foo
-rw-rw-r--. davidb davidb system_u:object_r:bin_t:s0 /var/tmp/foo
so it doesn't actually seem to matter. At this point, I'm suspecting
this was actually a bug in a kernel I was running at some point, and I
just haven't bothered trying to enable selinux since then. I
definitely have received errors in the past from rsync that look like
the above error that I could fix by booting with selinux disabled.
David
* Re: lsetxattr error when doing send/receive
From: Bernardo Donadio @ 2014-05-15 5:06 UTC (permalink / raw)
To: linux-btrfs
On 05/14/2014 03:52 AM, Chris Murphy wrote:
> Reverse that. If selinux is disabled, labels can't be set. If not enforcing, you won't get AVC denials for the vast majority of events, but labels can be set and e.g. restorecon will still work.
Indeed, enabling SELinux into permissive mode solved the problem.
Thanks.
--
Bernardo Donadio
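
Added example, not part of the thread and not written by any of its participants: a shell triage of the failure discussed above, following the diagnosis the thread ends on (SELinux labels cannot be set when the kernel is booted with SELinux disabled). The function names, result strings and sample command lines are hypothetical, and the log is constructed from the error quoted in the first message, assumed to arrive on one line.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and result strings
# are hypothetical.

# Classify a kernel command line (live: "$(cat /proc/cmdline)") using the two
# parameters named in the thread: selinux=0 and enforcing=0.
selinux_boot_mode() (
    set -f                      # no globbing while word-splitting $1
    mode="config-default"       # neither parameter present
    for arg in $1; do
        case "$arg" in
            selinux=0)   mode="disabled"; break ;;
            enforcing=0) mode="permissive" ;;
        esac
    done
    echo "$mode"
)

# stdin: stderr of `btrfs receive`. Prints "<xattr> <path>" for each
# security.* attribute rejected with "Operation not supported".
unsupported_security_xattrs() {
    sed -n 's/^ERROR: lsetxattr \(.*\) \(security\.[^= ]*\)=.* failed\. Operation not supported$/\2 \1/p'
}

# $1: kernel command line; stdin: receive stderr.
triage() {
    mode=$(selinux_boot_mode "$1")
    hits=$(unsupported_security_xattrs | grep -c '^security\.selinux ' || true)
    if [ "$hits" -gt 0 ] && [ "$mode" = "disabled" ]; then
        echo "labels-rejected-selinux-disabled:$hits"
    elif [ "$hits" -gt 0 ]; then
        echo "labels-rejected-other-cause:$hits"
    else
        echo "no-selinux-label-failures"
    fi
}

# Constructed sample log, built from the error quoted in the first message.
SAMPLE_LOG='At subvol @.2014-05-13-203532
ERROR: lsetxattr bin security.selinux=system_u:object_r:bin_t:s0 failed. Operation not supported'

printf '%s\n' "$SAMPLE_LOG" | triage 'root=/dev/sda1 ro selinux=0'
```

For the first result the thread's fix applies: boot with SELinux enabled and `enforcing=0` instead of `selinux=0`, then rerun the receive.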