policy/modules/kernel/devices.fc in serefpolicy-3.13.1 contains this rule:
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
But on some of our systems, we also have a /dev/tpmrm0 device file.
Because there are no file contexts that specifically target /dev/tmprm[0-9]* device files, this device file inherits the default device_t label.
While this is a very minor SELinux labeling issue, we run RHEL7 on hosts where we must comply with various third-party security guidelines, such as the Defense Information Systems Agency (DISA) RHEL7 Secure Technical Implementation Guide (STIG). We must proactively report on areas where we fail conformance, and propose a plan of action to achieve conformance. Furthermore, we are regularly inspected and audited on our conformance to these guidelines.
The RHEL7 STIG requires that all device files in /dev have specific SELinux file types other than the device_t type:
Because the /dev/tpmrm0 file has the device_t file type, instead of a more specific file type, we fail conformance to the RHEL-07-020900 STIG rule on hosts with this device file.
We've worked around this issue in our custom SELinux policy:
# We need this until Red Hat adds this upstream.
/dev/tpmrm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.