Relabeling works in permissive mode.
I worked around a broken sysklogd to get AVCs for this. These were produced by running 'restorecon -v /dev/ircomm0; setenforce 0; restorecon -v /dev/ircomm0':
audit(1087336052.916:0): avc: denied { relabelto } for pid=4459 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1087336122.785:0): avc: granted { setenforce } for pid=4461 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
audit(1087336125.404:0): avc: denied { relabelto } for pid=4462 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file
I'm confused.... restorecon.te has entries:
allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };
The AVCs imply 'relabelto' is needed on the second line too, or is this an issue with MAKEDEV creating the files improperly?
tom
Tom London wrote:
Running off of the development tree, MAKEDEV-3.7-2 creates lots of new files. Running 'fixfiles relabel' or 'setfiles -v $FC /dev' generates lots of error messages like:
/dev/ptyu7: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyu7 to system_u:object_r:device_t
/dev/ptyd7: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyd7 to system_u:object_r:device_t
/dev/ptyde: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyde to system_u:object_r:device_t
/dev/ptyac: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyac to system_u:object_r:device_t
/dev/ptys1: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptys1 to system_u:object_r:device_t
/dev/ircomm9: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ircomm9 to system_u:object_r:device_t
/dev/ptyre: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyre to system_u:object_r:device_t
Here is an 'ls -l' of one of the files:
[root@dell dev]# ls -l ptyu7
crw-rw-rw-  1 root tty 2, 87 Jun 14 12:42 ptyu7
[root@dell dev]# ls -lZ $_
crw-rw-rw-  root tty root:object_r:device_t ptyu7
[root@dell dev]#
I'm running selinux-policy-strict-1.13.4-6, with file_contexts augmented with Russell Coker's fix for /udev/microcode.
tom
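As an added illustration for readers of this thread (this is not code from the thread, from Tom, or from audit2allow), here is a small Python script that parses the AVC lines quoted above, keeps only the denials, and checks the requested permissions against the two restorecon.te rules Tom quoted. Whether device_t carries the device_type attribute is exactly the open question in the thread, so the script takes attribute membership as a parameter rather than asserting an answer: with device_t outside device_type the second rule is the only one that applies and relabelto is missing; with device_t inside device_type the first rule already covers it and nothing is reported. The sample AVC text is constructed from the lines in this message; the policy tuples are a hand-written model of the two allow lines, not a real policy parser.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC lines quoted in this thread.
SAMPLE_AVCS = """\
audit(1087336052.916:0): avc: denied { relabelto } for pid=4459 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1087336122.785:0): avc: granted { setenforce } for pid=4461 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
audit(1087336125.404:0): avc: denied { relabelto } for pid=4462 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

# Hand-modelled version of the two restorecon.te rules quoted in the thread:
# (source type, target type or attribute, object classes, permissions).
POLICY = [
    ("restorecon_t", "device_type", {"chr_file", "blk_file"},
     {"getattr", "relabelfrom", "relabelto"}),
    ("restorecon_t", "device_t", {"chr_file", "blk_file"},
     {"getattr", "relabelfrom"}),
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Pull result, permission set, source/target type and class out of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # user:role:type[:range] -> the type is always the third field
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denied_requests(text):
    """Return {(stype, ttype, tclass): set(perms)} for denied AVCs only; 'granted' lines are ignored."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def missing_rules(needed, policy, attributes):
    """Compare denied requests against modelled allow rules.

    attributes maps an attribute name to the set of types that carry it
    (e.g. {"device_type": {"device_t"}}); a rule on an attribute applies to
    a target type when that type is a member. Returns allow rules, in
    policy syntax, for permissions no modelled rule grants.
    """
    out = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        allowed = set()
        for r_stype, r_target, r_classes, r_perms in policy:
            if r_stype != stype or tclass not in r_classes:
                continue
            if r_target == ttype or ttype in attributes.get(r_target, set()):
                allowed |= r_perms
        still_missing = perms - allowed
        if still_missing:
            out.append("allow %s %s:%s { %s };"
                       % (stype, ttype, tclass, " ".join(sorted(still_missing))))
    return out


if __name__ == "__main__":
    needed = denied_requests(SAMPLE_AVCS)
    # Assumption A: device_t is NOT a member of device_type.
    print("device_t outside device_type:",
          missing_rules(needed, POLICY, {"device_type": set()}))
    # Assumption B: device_t IS a member of device_type.
    print("device_t inside device_type:",
          missing_rules(needed, POLICY, {"device_type": {"device_t"}}))
```

Run against the sample, the first case reports exactly the rule the AVCs imply, 'allow restorecon_t device_t:chr_file { relabelto };', and the second reports nothing, which is the dichotomy in the question: either the device_t line in restorecon.te really does need relabelto, or the files should not have ended up as plain device_t in the first place.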