Re: [PATCH userspace] fixfiles: do not exclude /dev and /run in -C mode

Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:

> On Thu, Mar 4, 2021 at 3:44 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>> Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
>>
>> > I can't think of a good reason why they should be excluded. On the
>> > contrary, excluding them can cause trouble very easily if some labeling
>> > rules for these directories change. For example, we changed the label
>> > for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
>> > (updating the allow rules accordingly) and after policy update they
>> > ended up with an invalid context, causing denials.
>>
>> I guess that /dev/ is there in order to avoid relabeling tty devices and block
>> the user from access:
>>
>> [root@localhost ~]# ls -Z /dev/tty1
>> user_u:object_r:user_tty_device_t:s0 /dev/tty1
>>
>> [root@localhost ~]# matchpathcon /dev/tty1
>> /dev/tty1       system_u:object_r:tty_device_t:s0

user_tty_device_t is probably a customizable_type and so as long as you don't
`--force` it should not reset.

>
> $ sudo chcon user_u:object_r:user_tty_device_t:s0 /dev/tty21
> $ ll -Z /dev/tty21
> crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb
> 26 15:13 /dev/tty21
> $ sudo restorecon -v /dev/tty21
> /dev/tty21 not reset as customized by admin to
> user_u:object_r:user_tty_device_t:s0
> $ ll -Z /dev/tty21
> crw--w----. 1 root tty user_u:object_r:user_tty_device_t:s0 4, 21 feb
> 26 15:13 /dev/tty21
>
> $ cat /etc/selinux/targeted/contexts/customizable_types
> container_file_t
> sandbox_file_t
> svirt_image_t
> svirt_home_t
> svirt_sandbox_file_t
> virt_content_t
> httpd_user_htaccess_t
> httpd_user_script_exec_t
> httpd_user_rw_content_t
> httpd_user_ra_content_t
> httpd_user_content_t
> git_session_content_t
> home_bin_t
> user_tty_device_t
>
> restorecon also doesn't change the user portion of the label if I only
> change that to user_u (leaving the type as tty_device_t).

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
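As an added illustration of the default restorecon behaviour discussed in this thread (not code from the thread or from the SELinux userspace project): a small POSIX sh model of the two rules the replies rely on, comparing only the type field when `--force` is not given, and leaving files alone whose current type is listed in customizable_types. The customizable_types content is a constructed subset of the list quoted above, and the function names are my own.

```shell
#!/bin/sh
# Model of restorecon's default (no -F/--force) decision for one file:
# would it relabel, given the file's current context, the context that
# matchpathcon/file_contexts would assign, and a customizable_types file?
# Added example; it does not call restorecon and needs no SELinux system.

# ctx_type CONTEXT -> the type field (third colon-separated field)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# would_reset CURRENT_CTX EXPECTED_CTX CUSTOMIZABLE_FILE
# Prints "reset" or "skip (...)"; exit status 0 means restorecon would
# relabel, 1 means it would leave the file as it is.
would_reset() {
    cur_t=$(ctx_type "$1")
    exp_t=$(ctx_type "$2")
    # Types listed in customizable_types are never touched without --force
    # ("not reset as customized by admin").
    if grep -qxF "$cur_t" "$3"; then
        echo "skip (customized)"
        return 1
    fi
    # Without --force only the type portion is compared, so a differing
    # user (user_u vs system_u) alone does not trigger a relabel.
    if [ "$cur_t" = "$exp_t" ]; then
        echo "skip (type already matches)"
        return 1
    fi
    echo "reset"
    return 0
}

# Constructed sample customizable_types (subset of the quoted list).
CUST=$(mktemp)
trap 'rm -f "$CUST"' EXIT
printf 'container_file_t\nhome_bin_t\nuser_tty_device_t\n' > "$CUST"

# Cases from the thread: the customized tty, a tty with only the user
# changed, and the Fedora /dev/nvme* type change that motivated the patch.
would_reset user_u:object_r:user_tty_device_t:s0 system_u:object_r:tty_device_t:s0 "$CUST"
would_reset user_u:object_r:tty_device_t:s0 system_u:object_r:tty_device_t:s0 "$CUST"
would_reset system_u:object_r:nvme_device_t:s0 system_u:object_r:fixed_disk_device_t:s0 "$CUST"
```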