[Bug 1185864] New: setting selinux label works on read only btrfs subvolumes
http://bugzilla.opensuse.org/show_bug.cgi?id=1185864

            Bug ID: 1185864
           Summary: setting selinux label works on read only btrfs subvolumes
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
          Assignee: kernel-bugs@opensuse.org
          Reporter: lnussel@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

On a read-only(!) btrfs subvolume it is possible to change SELinux labels.

dhcp144:~ # findmnt |grep ro,
/ /dev/vda2[/@/.snapshots/323/snapshot] btrfs ro,relatime,seclabel,space_cache,subvolid=750,subvol=/@/.snapshots/323/snapshot
dhcp144:~ # btrfs prop get -t s /
ro=true
dhcp144:~ # getfilecon /usr/bin/znew
/usr/bin/znew system_u:object_r:bin_t:s0
dhcp144:~ # setfilecon system_u:object_r:etc_t:s0 /usr/bin/znew
setfilecon: setfilecon(/usr/bin/znew,system_u:object_r:etc_t:s0) failed
dhcp144:~ # mount -o remount,rw /
dhcp144:~ # touch /usr/bin/foo
touch: cannot touch '/usr/bin/foo': Read-only file system
dhcp144:~ # chmod 644 /usr/bin/znew
chmod: changing permissions of '/usr/bin/znew': Read-only file system
dhcp144:~ # setfilecon system_u:object_r:etc_t:s0 /usr/bin/znew
dhcp144:~ #

Oops! It worked indeed:

dhcp144:~ # getfilecon /usr/bin/znew
/usr/bin/znew system_u:object_r:etc_t:s0
dhcp144:~ # btrfs prop get -t s /
ro=true

Shouldn't setfilecon fail?

--
You are receiving this mail because:
You are the assignee for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1185864
http://bugzilla.opensuse.org/show_bug.cgi?id=1185864#c1
--- Comment #1 from Ludwig Nussel