Bug 2039759

Summary: nvme-fabrics has device_t
Product: Red Hat Enterprise Linux 9
Reporter: Jiri Jaburek <jjaburek>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.0
CC: lvrabec, mmalik, omosnace, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 9.0
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-34.1.23-1.el9
Doc Type: No Doc Update
Last Closed: 2022-05-17 15:50:10 UTC
Type: Bug

Description Jiri Jaburek 2022-01-12 11:49:04 UTC
Description of problem:

On x86_64 (at least):

# modprobe nvme-fabrics

# ls -Z /dev/nvme-fabrics 
system_u:object_r:device_t:s0 /dev/nvme-fabrics


Version-Release number of selected component (if applicable):
RHEL-9.0.0-20220108.3
selinux-policy-34.1.20-1.el9.noarch
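
An added example, not part of the original report or of the selinux-policy project: the `ls -Z` check above, generalized into a script that lists device nodes still carrying the generic device_t type. The names `paths_with_type`, `scan_dev` and `sample_listing` are hypothetical, the sample listing is constructed apart from the /dev/nvme-fabrics line quoted above, and `scan_dev` assumes GNU find.

```shell
#!/bin/sh
# Added example: find device nodes that fell through to the generic device_t.

# Reads "<context> <path>" lines (the layout `ls -Z` prints) on stdin and
# prints each path whose SELinux type is exactly $1 (default: device_t).
# The type is the third colon-separated field of the context. The level that
# follows it may contain colons itself (s0-s0:c0.c1023), so it is never parsed,
# and the comparison is exact so fixed_disk_device_t does not match device_t.
paths_with_type() {
    want=${1:-device_t}
    while read -r ctx path; do
        [ -n "$path" ] || continue      # blank or malformed line
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$setype" = "$want" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Live scan of a /dev tree. Assumes GNU find, whose -printf %Z emits the
# SELinux context. Only character and block nodes are inspected, because
# directories under /dev normally carry device_t themselves.
scan_dev() {
    find "${1:-/dev}" \( -type c -o -type b \) -printf '%Z %p\n' 2>/dev/null |
        paths_with_type device_t
}

# Constructed sample input. Only the first line comes from this report.
sample_listing() {
    cat <<'EOF'
system_u:object_r:device_t:s0 /dev/nvme-fabrics
system_u:object_r:fixed_disk_device_t:s0 /dev/nvme0n1
system_u:object_r:null_device_t:s0 /dev/null
system_u:object_r:device_t:s0-s0:c0.c1023 /dev/example-mls
EOF
}

# Demonstration on the constructed sample; call scan_dev on a real host.
sample_listing | paths_with_type device_t
```

On a host with the fixed policy, `scan_dev` should no longer list /dev/nvme-fabrics after the module is loaded.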

Comment 1 Zdenek Pytela 2022-01-24 15:22:05 UTC
Ondrej,

Is fixed_disk_device_t the proper type for /dev/nvme-fabrics device?
Also supposing it will be a char device.
I managed to locate it in drivers/nvme/host, like here:

fabrics.c:
static struct miscdevice nvmf_misc = {
        .minor          = MISC_DYNAMIC_MINOR,
        .name           = "nvme-fabrics",
        .fops           = &nvmf_dev_fops,
};

Refer also to our previous discussion in
https://bugzilla.redhat.com/show_bug.cgi?id=2027994

Comment 2 Ondrej Mosnacek 2022-01-28 16:59:54 UTC
(Sorry for the late reply - I thought I had already replied, but the needinfo nag from BZ proved me wrong :)

What I said in https://bugzilla.redhat.com/show_bug.cgi?id=2027994#c3 still applies - I'd prefer to see fixed_disk_device_t used only for block devices (that are used as storage of some kind) and have something like nvme_device_t for the control NVME char devices. That said, I understand that it would be non-trivial to refactor this in the policy, so I'm fine with re-using fixed_disk_device_t here (for now).

And yes, it looks like this will always be a char device.

Comment 3 Zdenek Pytela 2022-01-28 17:09:11 UTC
Thank you, adding this note to the todo-refactor-list.

I've just submitted a Fedora draft PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1035

Comment 4 Zdenek Pytela 2022-01-31 15:18:28 UTC
To backport:
commit a1703c8636c686a30736446a5047abce75e33d11 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jan 28 17:59:01 2022 +0100

    Label /dev/nvme-fabrics with fixed_disk_device_t

Comment 12 errata-xmlrpc 2022-05-17 15:50:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918