Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:

> On Thu, Mar 4, 2021 at 3:44 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>> Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
>>
>> > I can't think of a good reason why they should be excluded. On the
>> > contrary, excluding them can cause trouble very easily if some labeling
>> > rules for these directories change. For example, we changed the label
>> > for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
>> > (updating the allow rules accordingly) and after policy update they
>> > ended up with an invalid context, causing denials.
>>
>> I guess that /dev/ is there in order to avoid relabeling tty devices and block
>> the user from access:
>>
>> [root@localhost ~]# ls -Z /dev/tty1
>> user_u:object_r:user_tty_device_t:s0 /dev/tty1
>>
>> [root@localhost ~]# matchpathcon /dev/tty1
>> /dev/tty1 system_u:object_r:tty_device_t:s0

user_tty_device_t is probably a customizable_type and so as long as you don't `--force` it should not reset.

> $ sudo chcon user_u:object_r:user_tty_device_t:s0 /dev/tty21
> $ ll -Z /dev/tty21
> crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb 26 15:13 /dev/tty21
> $ sudo restorecon -v /dev/tty21
> /dev/tty21 not reset as customized by admin to user_u:object_r:user_tty_device_t:s0
> $ ll -Z /dev/tty21
> crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb 26 15:13 /dev/tty21
>
> $ cat /etc/selinux/targeted/contexts/customizable_types
> container_file_t
> sandbox_file_t
> svirt_image_t
> svirt_home_t
> svirt_sandbox_file_t
> virt_content_t
> httpd_user_htaccess_t
> httpd_user_script_exec_t
> httpd_user_rw_content_t
> httpd_user_ra_content_t
> httpd_user_content_t
> git_session_content_t
> home_bin_t
> user_tty_device_t
>
> restorecon also doesn't change the user portion of the label if I only
> change that to user_u (leaving the type as tty_device_t).
--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
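The three behaviours discussed in this thread (a type listed in customizable_types is left alone unless restorecon is forced, a plain restorecon only compares and replaces the type field so a changed user portion such as user_u survives, and an excluded directory like /dev is never touched so a renamed type such as nvme_device_t stays behind as an invalid context) can be modelled in a few lines. The following is an added example written for this page; it is not libselinux or restorecon code. It assumes a constructed file_contexts fragment and a constructed subset of customizable_types, applies "last matching entry wins" as a simplification of libselinux's stem-sorted matching, ignores the optional file-type field (-c, -b, ...) of file_contexts entries, and models `restorecon -e` with an `exclude` parameter. The function and variable names are the example's own.

```python
import re

# Constructed file_contexts fragment (assumption: not a real distribution policy).
# Each line is "<regex> [<file type>] <context>". This model takes the last
# matching entry as the winner and ignores the optional file-type field.
FILE_CONTEXTS = """\
/dev/.*                 system_u:object_r:device_t:s0
/dev/tty[0-9]*       -c system_u:object_r:tty_device_t:s0
/dev/nvme.*          -c system_u:object_r:fixed_disk_device_t:s0
"""

# Constructed subset of /etc/selinux/targeted/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"user_tty_device_t", "container_file_t", "home_bin_t"}


def parse_file_contexts(text):
    """Return a list of (compiled regex, context) in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, context = fields[0], fields[-1]  # middle field (-c, -b, ...) ignored
        specs.append((re.compile("^(?:" + regex + ")$"), context))
    return specs


def matchpathcon(specs, path):
    """Default context for path, or None when nothing matches (last match wins)."""
    found = None
    for regex, context in specs:
        if regex.match(path):
            found = context
    return found


def context_type(ctx):
    """The type field of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def with_type(ctx, new_type):
    """Copy of ctx with only the type field replaced; user, role and range are kept."""
    fields = ctx.split(":", 3)
    fields[2] = new_type
    return ":".join(fields)


def restorecon(specs, path, current, force=False, exclude=()):
    """Decide what `restorecon -v` (or `-Fv` when force=True) does to one file.

    Returns (resulting context, verbose message). `exclude` models `-e DIR`.
    """
    if any(path == e or path.startswith(e.rstrip("/") + "/") for e in exclude):
        return current, f"{path} skipped (excluded directory)"
    default = matchpathcon(specs, path)
    if default is None:
        return current, f"{path} skipped (no default context defined)"
    # A customizable type is only reset when the admin forces it.
    if not force and context_type(current) in CUSTOMIZABLE_TYPES:
        return current, f"{path} not reset as customized by admin to {current}"
    # With -F the whole default context is applied; without it only the type
    # is compared and replaced, so a user portion set to user_u survives.
    new = default if force else with_type(current, context_type(default))
    if new == current:
        return current, f"{path} unchanged"
    return new, f"Relabeled {path} from {current} to {new}"


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    cases = [
        ("/dev/tty21", "user_u:object_r:user_tty_device_t:s0", False, ()),
        ("/dev/tty21", "user_u:object_r:user_tty_device_t:s0", True, ()),
        ("/dev/tty1", "user_u:object_r:tty_device_t:s0", False, ()),
        ("/dev/nvme0", "system_u:object_r:nvme_device_t:s0", False, ()),
        ("/dev/nvme0", "system_u:object_r:nvme_device_t:s0", False, ("/dev",)),
    ]
    for path, cur, force, excl in cases:
        _, msg = restorecon(specs, path, cur, force=force, exclude=excl)
        print(msg)
```

Running the module prints one verbose line per case: the customized tty21 is left alone until force=True, tty1 with a user_u user portion is reported unchanged because only the type is compared, the renamed nvme type is relabeled to fixed_disk_device_t, and the same nvme device under an excluded /dev keeps its stale nvme_device_t, which is the situation the first message in the thread describes.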