Cannot create a new snapshot with snapper


Environment

  • Red Hat Enterprise Linux (RHEL) 7.6
  • selinux-policy-3.13.1-210.el7
  • snapper-0.2.8-4.el7

Issue

  • Cannot create a new snapshot with snapper
  • Receiving permission denied errors in /var/log/snapper.log even though the command is run as root

    2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(reload):114 - loading file /etc/snapper/configs/snap_test
    2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(getValue):235 - key:SUBVOLUME value:/snaptest
    2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(getValue):235 - key:FSTYPE value:lvm(xfs)
    2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(SystemCmd):46 - constructor SystemCmd:"/sbin/lvs --noheadings -o lv_attr,segtype 'vgsnap/lvsnap'"
    2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(execute):82 - SystemCmd Executing:"/sbin/lvs --noheadings -o lv_attr,segtype 'vgsnap/lvsnap'"
    2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(addLine):523 - Adding Line 1 "  Vwi-aotz-- thin"
    2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(getUntilEOF):487 - pid:3046 added lines:1 stderr:false
    2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(doExecute):267 - stopwatch 0.042125s for "/sbin/lvs --noheadings -o lv_attr,segtype 'vgsnap/lvsnap'"
    2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(doExecute):287 - system() Returns:0
    2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(getValue):235 - key:SYNC_ACL value:no
    2019-02-13 16:26:40 MIL libsnapper(3038) Snapper.cc(Snapper):114 - subvolume:/snaptest filesystem:lvm(xfs)
    2019-02-13 16:26:40 MIL libsnapper(3038) Snapper.cc(loadIgnorePatterns):163 - number of ignore patterns:8
    2019-02-13 16:26:40 MIL libsnapper(3038) Snapshot.cc(read):223 - found 1 snapshots
    2019-02-13 16:26:40 ERR libsnapper(3038) Lvm.cc(deleteConfig):189 - rmdir failed errno:13 (Permission denied)
    2019-02-13 16:26:40 MIL libsnapper(3038) Snapper.cc(~Snapper):125 - Snapper destructor
    2019-02-13 16:27:40 MIL libsnapper(3038) snapperd.cc(main):291 - Exiting
    

Resolution

  • Update to selinux-policy-3.13.1-229.el7_6.9 shipped with Advisory RHBA-2019:0192 or newer.
  • Alternatively, manually set the SELinux context for the relevant /.snapshots files.

    # semanage fcontext -a -t snapperd_data_t '/snaptest/.snapshots(/.*)?'
    # restorecon -R -v /snaptest/.snapshots
    
  • Confirm the correct context is now present.

    # ls -laZ /snaptest/.snapshots/
    drwxr-x---. root root system_u:object_r:snapperd_data_t:s0 .
    drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 ..
    drwxr-xr-x. root root system_u:object_r:snapperd_data_t:s0 1
    

Root Cause

  • Prior to this update, an allow rule for the snapper daemon (snapperd) was missing in the SELinux policy. Consequently, snapper was not able to create a configuration file for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows snapperd to manage all non-security directories.

Diagnostic Steps

  • Check the audit logs for AVC denial messages from snapperd.

    type=AVC msg=audit(1549664874.523:57): avc:  denied  { create } for  pid=4649 comm="snapperd" name="1" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
    
  • Check the SELinux context of the /.snapshots directory and its entries to determine whether the snapperd_data_t type is set.

    # ls -laZ /snaptest/.snapshots/
    drwxr-x---. root root system_u:object_r:default_t:s0   .
    drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 ..
    drwxr-xr-x. root root system_u:object_r:default_t:s0   1
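
The two diagnostic checks above, as an added shell helper that is not part of the Red Hat article: it parses AVC records and `ls -laZ` output and reports entries under .snapshots that do not carry the snapperd_data_t type. The sample audit and listing text is constructed from the article's own lines, plus one unrelated httpd denial to show that records from other processes are ignored.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: triage helper for the snapperd
# SELinux denial. Sample data below is constructed from the article's log lines.

# Type component of an SELinux context, e.g. system_u:object_r:default_t:s0 -> default_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read audit log text on stdin; print "<perm> <tclass> <target-type>" for each
# AVC denial whose comm is snapperd, ignoring records from other processes.
snapperd_denials() {
    grep 'avc:  denied' | grep 'comm="snapperd"' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p' | tr -d ' ')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        printf '%s %s %s\n' "$perm" "$tclass" "$(ctx_type "$tctx")"
    done
}

# Read `ls -laZ` output on stdin (perms owner group context name); print the
# names whose type is not snapperd_data_t. ".." is skipped: the parent of the
# .snapshots directory is not managed by snapperd (unlabeled_t in the article).
mislabeled_entries() {
    awk 'NF >= 5 && $5 != ".." { split($4, c, ":"); if (c[3] != "snapperd_data_t") print $5 }'
}

# Constructed sample input: the article's AVC record plus an unrelated httpd
# denial that the filter must ignore.
SAMPLE_AUDIT='type=AVC msg=audit(1549664874.523:57): avc:  denied  { create } for  pid=4649 comm="snapperd" name="1" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549664875.101:58): avc:  denied  { write } for  pid=5120 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# Constructed sample listing: the article's "before" state of /snaptest/.snapshots
SAMPLE_LS='drwxr-x---. root root system_u:object_r:default_t:s0   .
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 ..
drwxr-xr-x. root root system_u:object_r:default_t:s0   1'

# Live mode: pass the .snapshots directory as the first argument to check a real
# host (ausearch -m avc -c snapperd covers the audit side); otherwise run on samples.
if [ $# -gt 0 ]; then
    ls -laZ "$1" | mislabeled_entries
else
    printf '%s\n' "$SAMPLE_AUDIT" | snapperd_denials
    printf '%s\n' "$SAMPLE_LS" | mislabeled_entries
fi
```

Any name printed by mislabeled_entries is a candidate for the semanage fcontext / restorecon steps in the Resolution section.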
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
