Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-29.fc33.noarch
selinux-policy-targeted-3.14.6-29.fc33.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. look for block or character devices in /dev which are labeled *:device_t:*

Actual results:
/dev/zram0 system_u:object_r:device_t:s0
/dev/udmabuf system_u:object_r:device_t:s0
/dev/dma_heap/system system_u:object_r:device_t:s0

Expected results:
* these devices are labeled with some more specific label

Additional info:
https://rhel7stig.readthedocs.io/en/latest/medium.html#v-72039-all-system-device-files-must-be-correctly-labeled-to-prevent-unauthorized-modification-rhel-07-020900
# ls -lZ /dev/zram0
brw-rw----. 1 root disk system_u:object_r:device_t:s0 251, 0 Nov 5 11:53 /dev/zram0
# ls -lZ /dev/udmabuf
crw-rw----. 1 root kvm system_u:object_r:device_t:s0 10, 62 Nov 5 11:53 /dev/udmabuf
# ls -lZ /dev/dma_heap/system
crw-------. 1 root root system_u:object_r:device_t:s0 251, 0 Nov 5 11:53 /dev/dma_heap/system
# matchpathcon /dev/zram0
Deprecated, use selabel_lookup
/dev/zram0 system_u:object_r:device_t:s0
# matchpathcon /dev/udmabuf
Deprecated, use selabel_lookup
/dev/udmabuf system_u:object_r:device_t:s0
# matchpathcon /dev/dma_heap/system
Deprecated, use selabel_lookup
/dev/dma_heap/system system_u:object_r:device_t:s0
#
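The check from step 2 of the report, as an added example (not part of the bug report or of selinux-policy): a shell filter that reads `ls -lZ` output and prints every block or character device node whose SELinux type is still the generic device_t. The function names and the sample lines for /dev/null and the /dev/dma_heap directory are constructed for illustration; device paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: flag device nodes that still carry the generic device_t type.

# Reads `ls -lZ`-style lines on stdin and prints the path of every block (b)
# or character (c) device whose SELinux type is exactly device_t.
flag_generic_devices() {
    awk '
        $1 !~ /^[bc]/ { next }              # skip dirs, links, prompts, noise
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, ctx, ":")     # user:role:type:level[:categories]
                if (n >= 4 && ctx[2] ~ /_r$/) {
                    if (ctx[3] == "device_t") print $NF
                    next                    # context found, done with line
                }
            }
        }
    '
}

# Live scan (assumes GNU find and ls on an SELinux-enabled host).
scan_dev() {
    find "${1:-/dev}" \( -type b -o -type c \) -exec ls -ldZ {} + 2>/dev/null |
        flag_generic_devices
}

# First three lines are taken from the report; the last two are constructed
# (a specifically labeled device and a directory, both of which must be ignored).
sample_listing() {
    cat <<'EOF'
brw-rw----. 1 root disk system_u:object_r:device_t:s0 251, 0 Nov 5 11:53 /dev/zram0
crw-rw----. 1 root kvm system_u:object_r:device_t:s0 10, 62 Nov 5 11:53 /dev/udmabuf
crw-------. 1 root root system_u:object_r:device_t:s0 251, 0 Nov 5 11:53 /dev/dma_heap/system
crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0 1, 3 Nov 5 11:53 /dev/null
drwxr-xr-x. 2 root root system_u:object_r:device_t:s0 60 Nov 5 11:53 /dev/dma_heap
EOF
}

sample_listing | flag_generic_devices
```

On a live system, run `scan_dev`; empty output means no device node under /dev is left with the generic type.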
*** Bug 1902655 has been marked as a duplicate of this bug. ***
Inquiring available resources, I haven't managed to find the appropriate type for device files that currently have no particular one assigned. Refpolicy only defines zram:

policy/modules/kernel/storage.fc:/dev/zram[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

On my laptop, there also is acpi_thermal_rel.

Ondrej, do you know what is the right type or where to find it out?

# ls -lZ /dev/zram0 /dev/udmabuf /dev/dma_heap/system /dev/acpi_thermal_rel
crw-------. 1 root root system_u:object_r:device_t:s0 10, 124 May 2 22:57 /dev/acpi_thermal_rel
crw-------. 1 root root system_u:object_r:device_t:s0 251, 0 May 2 22:57 /dev/dma_heap/system
crw-rw----. 1 root kvm system_u:object_r:device_t:s0 10, 126 May 2 22:57 /dev/udmabuf
brw-rw----. 1 root disk system_u:object_r:device_t:s0 252, 0 May 2 22:57 /dev/zram0
(In reply to Zdenek Pytela from comment #4)
> Inquiring available resources, I haven't managed to find the appropriate
> type for device files that currently have no particular one assigned.
> Refpolicy only defines zram:
>
> policy/modules/kernel/storage.fc:/dev/zram[0-9]+ -b
> gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>
> On my laptop, there also is acpi_thermal_rel.
>
> Ondrej, do you know what is the right type or where to find it out?

/dev/zram<n> is a virtual block device that is used for in-memory compressed swap (i.e. a swap device that just compresses pages and stores them in RAM). Given its almost exclusive use as a swap device, fixed_disk_device_t sounds OK.

>
> # ls -lZ /dev/zram0 /dev/udmabuf /dev/dma_heap/system /dev/acpi_thermal_rel
> crw-------. 1 root root system_u:object_r:device_t:s0 10, 124 May 2 22:57
> /dev/acpi_thermal_rel

This one is for a HW thermal probe. According to the relevant Kconfig, it isn't part of the CPU, so something like acpi_device_t (would be a new type) would fit it the best.

> crw-------. 1 root root system_u:object_r:device_t:s0 251, 0 May 2 22:57
> /dev/dma_heap/system

This one is for creating some DMA buffers shared between drivers... Also doesn't seem to fall under any existing type. Could be dma_device_t?

> crw-rw----. 1 root kvm system_u:object_r:device_t:s0 10, 126 May 2 22:57
> /dev/udmabuf

This one is a bit related to the above; could have the same type. The Kconfig text says "Qemu can use this to create host dmabufs for guest framebuffers.", so we should check that QEMU domains can access it (perhaps the virt team has some relevant test?).
FEDORA-2021-e2de9e9e55 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e2de9e9e55` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.