Cannot create a new snapshot with snapper
Environment
- Red Hat Enterprise Linux (RHEL) 7.6
- selinux-policy-3.13.1-210.el7
- snapper-0.2.8-4.el7
Issue
- Cannot create a new snapshot with snapper
- Receiving permission denied errors in /var/log/snapper.log even though the command is run as root:
  2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(reload):114 - loading file /etc/snapper/configs/snap_test
  2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(getValue):235 - key:SUBVOLUME value:/snaptest
  2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(getValue):235 - key:FSTYPE value:lvm(xfs)
  2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(SystemCmd):46 - constructor SystemCmd:"/sbin/lvs --noheadings -o lv_attr,segtype 'vgsnap/lvsnap'"
  2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(execute):82 - SystemCmd Executing:"/sbin/lvs --noheadings -o lv_attr,segtype 'vgsnap/lvsnap'"
  2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(addLine):523 - Adding Line 1 " Vwi-aotz-- thin"
  2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(getUntilEOF):487 - pid:3046 added lines:1 stderr:false
  2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(doExecute):267 - stopwatch 0.042125s for "/sbin/lvs --noheadings -o lv_attr,segtype 'vgsnap/lvsnap'"
  2019-02-13 16:26:40 MIL libsnapper(3038) SystemCmd.cc(doExecute):287 - system() Returns:0
  2019-02-13 16:26:40 MIL libsnapper(3038) AsciiFile.cc(getValue):235 - key:SYNC_ACL value:no
  2019-02-13 16:26:40 MIL libsnapper(3038) Snapper.cc(Snapper):114 - subvolume:/snaptest filesystem:lvm(xfs)
  2019-02-13 16:26:40 MIL libsnapper(3038) Snapper.cc(loadIgnorePatterns):163 - number of ignore patterns:8
  2019-02-13 16:26:40 MIL libsnapper(3038) Snapshot.cc(read):223 - found 1 snapshots
  2019-02-13 16:26:40 ERR libsnapper(3038) Lvm.cc(deleteConfig):189 - rmdir failed errno:13 (Permission denied)
  2019-02-13 16:26:40 MIL libsnapper(3038) Snapper.cc(~Snapper):125 - Snapper destructor
  2019-02-13 16:27:40 MIL libsnapper(3038) snapperd.cc(main):291 - Exiting
Resolution
- Update to selinux-policy-3.13.1-229.el7_6.9, shipped with Advisory RHBA-2019:0192, or newer.
- Alternatively, manually set the SELinux context for the relevant /.snapshots files:
  # semanage fcontext -a -t snapperd_data_t '/snaptest/.snapshots(/.*)?'
  # restorecon -R -v /snaptest/.snapshots
- Confirm the correct context is now present:
  # ls -laZ /snaptest/.snapshots/
  drwxr-x---. root root system_u:object_r:snapperd_data_t:s0 .
  drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 ..
  drwxr-xr-x. root root system_u:object_r:snapperd_data_t:s0 1
Root Cause
- Prior to this update, an allow rule for the snapper daemon (snapperd) was missing in the SELinux policy. Consequently, snapper was not able to create a configuration file for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows snapperd to manage all non-security directories.
Diagnostic Steps
- Check the audit logs for signs of avc denial messages:
  type=AVC msg=audit(1549664874.523:57): avc: denied { create } for pid=4649 comm="snapperd" name="1" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
- Check SELinux contexts of the /.snapshots file to determine if the snapperd_data_t context is set:
  # ls -laZ /snaptest/.snapshots/
  drwxr-x---. root root system_u:object_r:default_t:s0 .
  drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 ..
  drwxr-xr-x. root root system_u:object_r:default_t:s0 1
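The two diagnostic checks and the relabel fix from the Resolution, as an added shell example that is not part of the Red Hat article or of snapper: it parses an AVC line and an `ls -laZ` listing (sample input constructed from the output quoted above), decides whether this is the snapperd_t-on-default_t directory denial, and prints the semanage/restorecon commands for a subvolume path. The function names are hypothetical.

```shell
# Added example for this article; not snapper's or Red Hat's code.
# Function names are hypothetical; inputs are constructed from the
# audit and ls -laZ output quoted in the Diagnostic Steps.

# Print the value of a key=value field (e.g. tcontext) from one AVC line.
avc_field() {
    # $1 = AVC line, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the SELinux type (user:role:TYPE:level) of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) when the AVC line is snapperd being denied on a
# directory whose label is not snapperd_data_t, i.e. this article's case.
is_snapperd_label_denial() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = snapperd_t ] &&
    [ "$(avc_field "$1" tclass)" = dir ] &&
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" != snapperd_data_t ]
}

# Count entries in an `ls -laZ .snapshots` listing whose type is not
# snapperd_data_t. The ".." entry is skipped: it is the subvolume root.
mislabeled_count() {
    printf '%s\n' "$1" | awk '
        NF >= 5 && $5 != ".." {
            split($4, c, ":")
            if (c[3] != "snapperd_data_t") n++
        }
        END { print n + 0 }'
}

# Print the relabel commands from the Resolution for a subvolume path.
remediation() {
    printf "semanage fcontext -a -t snapperd_data_t '%s/.snapshots(/.*)?'\n" "$1"
    printf 'restorecon -R -v %s/.snapshots\n' "$1"
}

# Constructed inputs copied from the article's diagnostic output.
AVC_LINE='type=AVC msg=audit(1549664874.523:57): avc: denied { create } for pid=4649 comm="snapperd" name="1" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0'
BAD_LISTING='drwxr-x---. root root system_u:object_r:default_t:s0 .
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 ..
drwxr-xr-x. root root system_u:object_r:default_t:s0 1'
if is_snapperd_label_denial "$AVC_LINE" && [ "$(mislabeled_count "$BAD_LISTING")" -gt 0 ]; then
    echo "snapperd denied on a mislabeled .snapshots directory; apply:"
    remediation /snaptest
fi
```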
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.