Bug 677989

Summary: /dev/dasd_eer does not have SELinux label
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, ksrot
Target Milestone: rc
Hardware: s390x
OS: Linux
Doc Type: Bug Fix
Clone Of: 677986
Last Closed: 2011-05-19 11:57:43 UTC
Bug Depends On: 677986

Description Milos Malik 2011-02-16 12:41:17 UTC
Description of problem:
inspired by bz#675996

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-70.el6.noarch
selinux-policy-3.7.19-70.el6.noarch

How reproducible:
always

Steps to Reproduce:
# cat /proc/partitions 
major minor  #blocks  name

  94        0    7212240 dasda
  94        1    7212144 dasda1
  94        4    7212240 dasdb
  94        5    7212144 dasdb1
  94        8    7212240 dasdc
  94        9    7212144 dasdc1
  94       12    7212240 dasdd
  94       13    7212144 dasdd1
 253        0   27308032 dm-0
 253        1    1015808 dm-1
 253        2     512000 dm-2
# find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
/dev/dasd_eer system_u:object_r:device_t:s0
#

Comment 2 Daniel Walsh 2011-02-16 20:19:03 UTC
Whatever created these is not labelling them correctly, or udev is not labeling them.


matchpathcon /dev/dm-0
/dev/dm-0	system_u:object_r:fixed_disk_device_t:s0

matchpathcon /dev/dasda
/dev/dasda	system_u:object_r:fixed_disk_device_t:s0

Comment 3 Harald Hoyer 2011-02-17 07:30:38 UTC
(In reply to comment #0)
> Description of problem:
> inspired by bz#675996
> 
> Version-Release number of selected component (if applicable):
> selinux-policy-targeted-3.7.19-70.el6.noarch
> selinux-policy-3.7.19-70.el6.noarch
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> # cat /proc/partitions 
> major minor  #blocks  name
> 
>   94        0    7212240 dasda
>   94        1    7212144 dasda1
>   94        4    7212240 dasdb
>   94        5    7212144 dasdb1
>   94        8    7212240 dasdc
>   94        9    7212144 dasdc1
>   94       12    7212240 dasdd
>   94       13    7212144 dasdd1
>  253        0   27308032 dm-0
>  253        1    1015808 dm-1
>  253        2     512000 dm-2
> # find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
> /dev/dasd_eer system_u:object_r:device_t:s0
> #

what is /dev/dasd_eer ???

# ls -l /dev/dasd_eer

Comment 5 Harald Hoyer 2011-02-17 09:24:12 UTC
# matchpathcon /dev/dasd_err
/dev/dasd_err	system_u:object_r:fixed_disk_device_t:s0

It's a char device..
# ls -lZ /dev/dasd_eer 
crw-rw----. root root system_u:object_r:device_t:s0    /dev/dasd_eer


# rm /dev/dasd_eer
# echo add > /sys/devices/virtual/misc/dasd_eer/uevent 
# ls -lZ /dev/dasd_eer 
crw-rw----. root root system_u:object_r:device_t:s0    /dev/dasd_eer

Hmm... but udev definitely calls (ltrace)
[pid 922] matchpathcon(0x8003b040, 8624, 0x3ffffe87688, 0x200001d0638, 0) = 0
[pid 922] setfscreatecon(0x8003b060, 0x200000eae66, 0x2000004379e, 0x8003b050, 0) = 0
[pid 922] freecon(0x8003b060, 0x2000020af90, 0x200000497c4, 49, 0) = 0x80043770
[pid 922] __xmknod(0, 0x8003b040, 8624, 0x3ffffe877f8, 0) = 0
[pid 922] setfscreatecon(0, 8624, 2619, 0x3ffffe877f8, 0) = 0
[pid 922] chmod("/dev/dasd_eer", 020660)         = 0
[pid 922] chown("/dev/dasd_eer", 0, 0)           = 0

strace:
[pid   922] open("/selinux/context", O_RDWR) = 3
[pid   922] write(3, "system_u:object_r:device_t:s0\0", 30) = 30
[pid   922] read(3, "system_u:object_r:device_t:s0\0", 4095) = 30
[pid   922] close(3)                    = 0
[pid   922] gettid()                    = 922
[pid   922] open("/proc/self/task/922/attr/fscreate", O_RDWR) = 3
[pid   922] write(3, "system_u:object_r:device_t:s0\0", 30) = 30
[pid   922] close(3)                    = 0
[pid   922] mknod("/dev/dasd_eer", S_IFCHR|0660, makedev(10, 59)) = 0
[pid   922] gettid()                    = 922
[pid   922] open("/proc/self/task/922/attr/fscreate", O_RDWR) = 3
[pid   922] write(3, NULL, 0)           = 0

Comment 6 Daniel Walsh 2011-02-17 13:34:39 UTC
grep /dev/das /etc/selinux/targeted/contexts/files/file_contexts
/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t:s0

Ok the regex only matches block devices.

We need to add

/dev/dasd[^/]*	-c	system_u:object_r:fixed_disk_device_t:s0
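
Added example (not part of the original comments or of libselinux): a small Python model of file_contexts lookup showing why udev, which passes the node's mode (8624 = S_IFCHR|0660 in the ltrace above), gets device_t while a plain matchpathcon call without a mode reports fixed_disk_device_t, and how the extra -c entry changes the result. Assumptions: the /dev/.* fallback entry is constructed for illustration, and "last matching entry wins" is a simplification of libselinux's ordering.

```python
import re
import stat

# File-type flags allowed in the second column of file_contexts.
TYPE_FLAGS = {"-b": stat.S_IFBLK, "-c": stat.S_IFCHR, "-d": stat.S_IFDIR,
              "-p": stat.S_IFIFO, "-l": stat.S_IFLNK, "-s": stat.S_IFSOCK,
              "--": stat.S_IFREG}

def parse_file_contexts(text):
    """Parse 'regex [type-flag] context' lines into (regex, type, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, flag, context = fields
            ftype = TYPE_FLAGS[flag]
        else:
            pattern, context = fields
            ftype = None          # no flag: entry applies to any file type
        specs.append((re.compile(pattern), ftype, context))
    return specs

def lookup(specs, path, mode=0):
    """Context of the last entry matching path; mode 0 skips type matching."""
    for regex, ftype, context in reversed(specs):
        if mode and ftype is not None and ftype != stat.S_IFMT(mode):
            continue              # e.g. a -b entry never applies to a char device
        if regex.fullmatch(path):  # entries are anchored at both ends
            return context
    return None

# Constructed excerpt: the fallback line is an assumption, the dasd line
# is the entry quoted in comment 6.
BEFORE = """
/dev/.*             system_u:object_r:device_t:s0
/dev/dasd[^/]*  -b  system_u:object_r:fixed_disk_device_t:s0
"""
# The same excerpt with the -c entry proposed in comment 6.
AFTER = BEFORE + "/dev/dasd[^/]*  -c  system_u:object_r:fixed_disk_device_t:s0\n"

UDEV_MODE = 8624                  # mode udev passed to matchpathcon (ltrace)

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        specs = parse_file_contexts(text)
        print(name, "no mode:", lookup(specs, "/dev/dasd_eer"))
        print(name, "udev   :", lookup(specs, "/dev/dasd_eer", UDEV_MODE))
```

When checking a device node's expected label by hand, pass the file type as well (matchpathcon -m), otherwise type-restricted entries match regardless of the node's real type.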

Comment 7 Miroslav Grepl 2011-02-17 15:22:19 UTC
Fixed in selinux-policy-3.7.19-71.el6

Comment 11 errata-xmlrpc 2011-05-19 11:57:43 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html