Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:

> On Thu, Mar 4, 2021 at 3:44 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>> Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
>>
>> > I can't think of a good reason why they should be excluded. On the
>> > contrary, excluding them can cause trouble very easily if some labeling
>> > rules for these directories change. For example, we changed the label
>> > for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
>> > (updating the allow rules accordingly) and after policy update they
>> > ended up with an invalid context, causing denials.
>>
>> I guess that /dev/ is there in order to avoid relabeling tty devices and block
>> the user from access:
>>
>> [root@localhost ~]# ls -Z /dev/tty1
>> user_u:object_r:user_tty_device_t:s0 /dev/tty1
>>
>> [root@localhost ~]# matchpathcon /dev/tty1
>> /dev/tty1 system_u:object_r:tty_device_t:s0
>
> $ sudo chcon user_u:object_r:user_tty_device_t:s0 /dev/tty21
> $ ll -Z /dev/tty21
> crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb 26 15:13 /dev/tty21
> $ sudo restorecon -v /dev/tty21
> /dev/tty21 not reset as customized by admin to user_u:object_r:user_tty_device_t:s0
> $ ll -Z /dev/tty21
> crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb 26 15:13 /dev/tty21
>
> $ cat /etc/selinux/targeted/contexts/customizable_types
> container_file_t
> sandbox_file_t
> svirt_image_t
> svirt_home_t
> svirt_sandbox_file_t
> virt_content_t
> httpd_user_htaccess_t
> httpd_user_script_exec_t
> httpd_user_rw_content_t
> httpd_user_ra_content_t
> httpd_user_content_t
> git_session_content_t
> home_bin_t
> user_tty_device_t
>
> restorecon also doesn't change the user portion of the label if I only
> change that to user_u (leaving the type as tty_device_t).
>

Right. But what is the reason why /dev/ was listed, and /run? And /dev was there twice, so it was probably important to skip /dev/.
Could the reason be that both /dev and /run are important for a running system? There are about 350 file contexts entries related to /dev and more than 600 to /run. But the only customizable file is user_tty_device_t. I don't know. I'd like to avoid such a change if there's no clear confirmation it's not needed anymore.
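The two restorecon behaviours shown in the thread (a file whose current type is in customizable_types is left alone, and without -F only the type field is compared, so a changed user portion is ignored) can be modelled as follows. This is an added example, not restorecon's own code; the contexts, the /dev/nvme case and the shortened customizable_types set are constructed from the outputs quoted above.

```python
# Model of how restorecon decides whether to relabel one file.
# Added illustration, not code from restorecon/setfiles.  Sample contexts
# are constructed from the thread's ls -Z / matchpathcon output.

# Constructed subset of /etc/selinux/targeted/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {
    "container_file_t", "svirt_image_t", "home_bin_t", "user_tty_device_t",
}


def split_context(ctx):
    """Split 'user:role:type:range' into four fields (range may hold ':')."""
    user, role, type_, range_ = ctx.split(":", 3)
    return user, role, type_, range_


def restorecon_decision(current, expected, customizable=CUSTOMIZABLE_TYPES,
                        force=False):
    """Return what restorecon would do for a file.

    force=False models plain `restorecon`: a customizable current type is
    skipped, otherwise only the type field is compared and changed, so the
    user/role/range fields stay as they are.  force=True models `-F`, which
    resets the whole context regardless of customizable_types.
    """
    cur = split_context(current)
    exp = split_context(expected)
    if not force and cur[2] in customizable:
        return "not reset as customized by admin to " + current
    if force:
        return "unchanged" if cur == exp else "relabeled %s -> %s" % (current, expected)
    if cur[2] == exp[2]:
        return "unchanged"  # a differing user portion alone is ignored
    new = ":".join((cur[0], cur[1], exp[2], cur[3]))  # only the type changes
    return "relabeled %s -> %s" % (current, new)


if __name__ == "__main__":
    # Constructed samples: the customized tty from the thread and a /dev/nvme
    # device still carrying the old type after the Fedora policy change.
    samples = [
        ("/dev/tty1", "user_u:object_r:user_tty_device_t:s0",
         "system_u:object_r:tty_device_t:s0"),
        ("/dev/nvme0n1", "system_u:object_r:nvme_device_t:s0",
         "system_u:object_r:fixed_disk_device_t:s0"),
    ]
    for path, cur, exp in samples:
        print(path, restorecon_decision(cur, exp))
        print(path, "(with -F)", restorecon_decision(cur, exp, force=True))
```

The nvme case is the point of the thread: if /dev is excluded from the relabel, that stale nvme_device_t is never corrected, while the customized tty is preserved whether or not /dev is excluded.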