Description of problem:
On x86_64 (at least):

# modprobe nvme-fabrics
# ls -Z /dev/nvme-fabrics
system_u:object_r:device_t:s0 /dev/nvme-fabrics

Version-Release number of selected component (if applicable):
RHEL-9.0.0-20220108.3
selinux-policy-34.1.20-1.el9.noarch
Ondrej,

Is fixed_disk_device_t the proper type for /dev/nvme-fabrics device? Also supposing it will be a char device. I managed to locate it to drivers/nvme/host like here

fabrics:c
static struct miscdevice nvmf_misc = {
        .minor = MISC_DYNAMIC_MINOR,
        .name = "nvme-fabrics",
        .fops = &nvmf_dev_fops,
};

Refer also to our previous discussion in
https://bugzilla.redhat.com/show_bug.cgi?id=2027994
(Sorry for late reply - I thought I had already replied, but the needinfo nag from BZ proved me wrong :)

What I said in https://bugzilla.redhat.com/show_bug.cgi?id=2027994#c3 still applies - I'd prefer to see fixed_disk_device_t used only for block devices (that are used as storage of some kind) and have something like nvme_device_t for the control NVME char devices. That said, I understand that it would be non-trivial to refactor this in the policy, so I'm fine with re-using fixed_disk_device_t here (for now).

And yes, it looks like this will always be a char device.
Thank you, adding this note to the todo-refactor-list.

I've just submitted a Fedora draft PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1035
To backport:

commit a1703c8636c686a30736446a5047abce75e33d11 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jan 28 17:59:01 2022 +0100

    Label /dev/nvme-fabrics with fixed_disk_device_t
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918