Bug 1894939 - some devices are labeled device_t
Summary: some devices are labeled device_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1902655
Depends On:
Blocks: 1954116
 
Reported: 2020-11-05 13:12 UTC by Milos Malik
Modified: 2021-06-16 01:07 UTC (History)

Fixed In Version: selinux-policy-3.14.6-38.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1954116
Environment:
Last Closed: 2021-06-16 01:07:10 UTC
Type: Bug
Embargoed:



Description Milos Malik 2020-11-05 13:12:23 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-29.fc33.noarch
selinux-policy-targeted-3.14.6-29.fc33.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. look for block or character devices in /dev which are labeled *:device_t:*

Actual results:
/dev/zram0 system_u:object_r:device_t:s0
/dev/udmabuf system_u:object_r:device_t:s0
/dev/dma_heap/system system_u:object_r:device_t:s0

Expected results:
 * these devices are labeled with some more specific label

Additional info:
https://rhel7stig.readthedocs.io/en/latest/medium.html#v-72039-all-system-device-files-must-be-correctly-labeled-to-prevent-unauthorized-modification-rhel-07-020900

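The search in step 2 of the reproducer, written out as an added example that is not part of the bug report: a POSIX shell script that flags block and character nodes whose SELinux type is the generic fallback device_t (the STIG check linked above). The embedded stat output is constructed so the parser runs anywhere; `scan_live_dev` assumes an SELinux-enabled host with GNU stat.

```shell
#!/bin/sh
# Added example (not from the bug report): list block/character device
# nodes whose SELinux type is the generic device_t, i.e. nodes that no
# file-context rule in the loaded policy matched.
#
# Input format (one node per line), as produced by `stat -c '%C %n'`:
#   user:role:type:level /dev/path
# The sample below is constructed; scan_live_dev() runs the same check
# against the real /dev.

SAMPLE_STAT_LINES='system_u:object_r:device_t:s0 /dev/zram0
system_u:object_r:device_t:s0 /dev/udmabuf
system_u:object_r:device_t:s0 /dev/dma_heap/system
system_u:object_r:null_device_t:s0 /dev/null
system_u:object_r:fixed_disk_device_t:s0 /dev/sda
system_u:object_r:kvm_device_t:s0 /dev/kvm'

# Print the path of every line whose context type (third colon field) is
# exactly device_t; the path is the second whitespace field.
generic_devices() {
    awk '{
        n = split($1, f, ":")
        if (n >= 3 && f[3] == "device_t") print $2
    }'
}

# Count generic-labelled nodes in a block of stat output passed as $1.
count_generic_devices() {
    printf '%s\n' "$1" | generic_devices | wc -l | tr -d ' '
}

# Live check: walk /dev for block (-type b) and character (-type c) nodes.
# Requires SELinux; on other kernels `stat %C` prints "?" and nothing matches.
scan_live_dev() {
    find /dev \( -type b -o -type c \) -exec stat -c '%C %n' {} + 2>/dev/null \
        | generic_devices
}

# Run directly: `./check.sh --live` scans this host, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    scan_live_dev
else
    printf '%s\n' "$SAMPLE_STAT_LINES" | generic_devices
fi
```

Nodes it reports are candidates for a more specific type; `matchpathcon` (or `selabel_lookup`) on each path tells you whether the running policy has a rule for it or is falling back to the /dev default.
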
Comment 1 Milos Malik 2020-11-05 13:14:32 UTC
# ls -lZ /dev/zram0 
brw-rw----. 1 root disk system_u:object_r:device_t:s0 251, 0 Nov  5 11:53 /dev/zram0
# ls -lZ /dev/udmabuf 
crw-rw----. 1 root kvm system_u:object_r:device_t:s0 10, 62 Nov  5 11:53 /dev/udmabuf
# ls -lZ /dev/dma_heap/system 
crw-------. 1 root root system_u:object_r:device_t:s0 251, 0 Nov  5 11:53 /dev/dma_heap/system
# matchpathcon /dev/zram0 
Deprecated, use selabel_lookup
/dev/zram0	system_u:object_r:device_t:s0
# matchpathcon /dev/udmabuf 
Deprecated, use selabel_lookup
/dev/udmabuf	system_u:object_r:device_t:s0
# matchpathcon /dev/dma_heap/system 
Deprecated, use selabel_lookup
/dev/dma_heap/system	system_u:object_r:device_t:s0
#

Comment 3 Zdenek Pytela 2020-11-30 20:09:02 UTC
*** Bug 1902655 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2021-05-13 19:16:52 UTC
Inquiring available resources, I haven't managed to find the appropriate type for device files that currently have no particular one assigned. Refpolicy only defines zram:

policy/modules/kernel/storage.fc:/dev/zram[0-9]+                -b      gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

On my laptop, there also is acpi_thermal_rel.

Ondrej, do you know what is the right type or where to find it out?

  # ls -lZ /dev/zram0 /dev/udmabuf /dev/dma_heap/system /dev/acpi_thermal_rel
crw-------. 1 root root system_u:object_r:device_t:s0  10, 124 May  2 22:57 /dev/acpi_thermal_rel
crw-------. 1 root root system_u:object_r:device_t:s0 251,   0 May  2 22:57 /dev/dma_heap/system
crw-rw----. 1 root kvm  system_u:object_r:device_t:s0  10, 126 May  2 22:57 /dev/udmabuf
brw-rw----. 1 root disk system_u:object_r:device_t:s0 252,   0 May  2 22:57 /dev/zram0

Comment 5 Ondrej Mosnacek 2021-05-14 08:18:44 UTC
(In reply to Zdenek Pytela from comment #4)
> Inquiring available resources, I haven't managed to find the appropriate
> type for device files that currently have no particular one assigned.
> Refpolicy only defines zram:
> 
> policy/modules/kernel/storage.fc:/dev/zram[0-9]+                -b     
> gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> 
> On my laptop, there also is acpi_thermal_rel.
> 
> Ondrej, do you know what is the right type or where to find it out?

/dev/zram<n> is a virtual block device that is used for in-memory compressed swap (i.e. a swap device that just compresses pages and stores them in RAM). Given its almost exclusive use as a swap device, fixed_disk_device_t sounds OK.

> 
>   # ls -lZ /dev/zram0 /dev/udmabuf /dev/dma_heap/system /dev/acpi_thermal_rel
> crw-------. 1 root root system_u:object_r:device_t:s0  10, 124 May  2 22:57
> /dev/acpi_thermal_rel

This one is for a HW thermal probe. According to the relevant Kconfig, it isn't part of the CPU, so something like acpi_device_t (would be a new type) would fit it the best.

> crw-------. 1 root root system_u:object_r:device_t:s0 251,   0 May  2 22:57
> /dev/dma_heap/system

This one is for creating some DMA buffers shared between drivers... Also doesn't seem to fall under any existing type. Could be dma_device_t?

> crw-rw----. 1 root kvm  system_u:object_r:device_t:s0  10, 126 May  2 22:57
> /dev/udmabuf

This one is a bit related to the above; could have the same type. The Kconfig text says "Qemu can use this to create host dmabufs for guest framebuffers.", so we should check that QEMU domains can access it (perhaps the virt team has some relevant test?).

Comment 6 Fedora Update System 2021-05-31 18:33:06 UTC
FEDORA-2021-e2de9e9e55 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55

Comment 7 Fedora Update System 2021-06-01 00:59:31 UTC
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e2de9e9e55`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-06-16 01:07:10 UTC
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

