Ali Nebi wrote:
> Hi all,
>
> I have some problems with selinux context about /dev/twe*
>
> I get these messages:
>
> Aug 28 08:41:19 w3host kernel: audit(1188283279.352:167): avc: denied
> { getattr } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.388:168): avc: denied
> { read } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.445:169): avc: denied
> { ioctl } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> I know that /dev/twe* must have fixed_disk_device_t context.
>
> When I fix it with chcon -t fixed_disk_device_t /dev/twe* the avc stop
> to audit for this. Everything works ok. When I restarted the system, the
> context changed to device_t again. I wrote in rc.local the command to
> change context, but it returned me "no such file or directory". I know
> that twe* devices are created automatically on boot, so let's say that
> this is no problem. I decided to use semanage to add rule for /dev/twe*
> like this:
> /usr/sbin/semanage fcontext -a -f -c -t fixed_disk_device_t "/dev/twe*"
>

The syntax here is wrong; /dev/twe.* would be correct, although there is already a context for this, so this is not necessary.

> After reboot, the result was the same, the context is device_t :(
> When I used restorecon command:
> /sbin/restorecon /dev/twe*
> it changed the context to fixed_disk_device_t
>
> So the questions are:
>
> 1. Where I make mistake
> 2. What can I do to fix this problem ?
>
> Regards, Ali Nebi!
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Who is creating the /dev/twe devices? This is the problem. This app should be made SELinux aware, or use udev or execute restorecon after creating the device.
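
The syntax point from the reply, shown as an added example that is not part of the original thread: a file-context path spec is a regular expression matched against the whole path, not a shell glob. The code parses the three AVC records quoted above and tests both specs; Python's `re` stands in for the SELinux regex matcher, and the `/dev` parent directory is an assumption, since the records only give `name="twe0"`.

```python
import re

# The three AVC records from the message above, with wrapped lines rejoined.
AVC_LOG = """\
Aug 28 08:41:19 w3host kernel: audit(1188283279.352:167): avc: denied { getattr } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Aug 28 08:41:19 w3host kernel: audit(1188283279.388:168): avc: denied { read } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Aug 28 08:41:19 w3host kernel: audit(1188283279.445:169): avc: denied { ioctl } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)" '
    r'name="(?P<name>[^"]+)".*?tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def denied_nodes(log, devdir="/dev"):
    """Return {path: (target type, sorted denied permissions)} per AVC target."""
    found = {}
    for m in AVC_RE.finditer(log):
        # Assumption: name= is a node directly under devdir.
        path = f"{devdir}/{m['name']}"
        ttype = m["tcontext"].split(":")[2]  # user:role:type:level
        found.setdefault(path, (ttype, set()))[1].update(m["perms"].split())
    return {p: (t, sorted(s)) for p, (t, s) in found.items()}


def spec_matches(spec, path):
    """Treat spec as a regex anchored at both ends, as file-context specs are."""
    return re.fullmatch(spec, path) is not None


def check_specs(log, specs):
    """For each denied node, report which candidate specs would cover it."""
    return {path: {s: spec_matches(s, path) for s in specs}
            for path in denied_nodes(log)}


if __name__ == "__main__":
    print(denied_nodes(AVC_LOG))
    # As a regex, "/dev/twe*" means "/dev/tw" followed by zero or more "e".
    print(check_specs(AVC_LOG, ["/dev/twe*", "/dev/twe.*"]))
```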