On Thu, Mar 4, 2021 at 3:44 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
> Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
>
> > I can't think of a good reason why they should be excluded. On the
> > contrary, excluding them can cause trouble very easily if some labeling
> > rules for these directories change. For example, we changed the label
> > for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
> > (updating the allow rules accordingly) and after policy update they
> > ended up with an invalid context, causing denials.
>
> I guess that /dev/ is there in order to avoid relabeling tty devices and block
> the user from access:
>
> [root@localhost ~]# ls -Z /dev/tty1
> user_u:object_r:user_tty_device_t:s0 /dev/tty1
>
> [root@localhost ~]# matchpathcon /dev/tty1
> /dev/tty1 system_u:object_r:tty_device_t:s0

$ sudo chcon user_u:object_r:user_tty_device_t:s0 /dev/tty21
$ ll -Z /dev/tty21
crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb 26 15:13 /dev/tty21
$ sudo restorecon -v /dev/tty21
/dev/tty21 not reset as customized by admin to user_u:object_r:user_tty_device_t:s0
$ ll -Z /dev/tty21
crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb 26 15:13 /dev/tty21
$ cat /etc/selinux/targeted/contexts/customizable_types
container_file_t
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_sandbox_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t

restorecon also doesn't change the user portion of the label if I only
change that to user_u (leaving the type as tty_device_t).

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
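The relabeling behaviour shown in this message (customizable types left alone, only the type component reset by default, user/role kept) can be modelled in a few lines. The following is an added illustration written for this page, not libselinux's own restorecon code; it assumes the current context, the matchpathcon answer and the customizable_types list are supplied as strings, and it also covers the -F (force) case and the nvme_device_t example from the quoted message.

```python
# Model of restorecon's per-file decision (added illustration, not the
# real libselinux implementation). Behaviour encoded, as documented for
# restorecon/setfiles: without -F, a file whose current type is listed in
# customizable_types is skipped ("not reset as customized by admin"), and
# otherwise only the type component is replaced, keeping user/role/range.
# With -F, the full spec context is applied unconditionally.

# Constructed subset of /etc/selinux/targeted/contexts/customizable_types
# as printed in the message above.
CUSTOMIZABLE_TYPES = frozenset({
    "container_file_t", "svirt_image_t", "home_bin_t", "user_tty_device_t",
})


def parse_context(ctx):
    """Split 'user:role:type:range' into its four components."""
    user, role, type_, range_ = ctx.split(":", 3)
    return user, role, type_, range_


def restorecon_decision(current, expected, force=False,
                        customizable=CUSTOMIZABLE_TYPES):
    """Return (resulting_context, reason) for one file.

    current  - context currently on the file (as shown by ls -Z)
    expected - context from the file_contexts spec (as from matchpathcon)
    force    - True models 'restorecon -F'
    """
    cu, cr, ct, cm = parse_context(current)
    eu, er, et, em = parse_context(expected)

    if force:
        return expected, "reset to spec context (all components, -F)"
    if ct in customizable:
        return current, "not reset as customized by admin"
    if ct == et:
        # Type already matches: user/role/range differences are ignored.
        return current, "unchanged (type matches; user/role kept)"
    # Default mode: replace only the type, keep current user/role/range.
    return f"{cu}:{cr}:{et}:{cm}", "type reset"


if __name__ == "__main__":
    for cur, exp in [
        ("user_u:object_r:user_tty_device_t:s0", "system_u:object_r:tty_device_t:s0"),
        ("user_u:object_r:tty_device_t:s0", "system_u:object_r:tty_device_t:s0"),
        ("system_u:object_r:nvme_device_t:s0", "system_u:object_r:fixed_disk_device_t:s0"),
    ]:
        print(cur, "->", *restorecon_decision(cur, exp))
```

The third case reproduces the hazard from the quoted message: a stale, non-customizable type such as nvme_device_t is only corrected if restorecon actually visits /dev, so excluding /dev leaves the invalid context in place.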