Bug 430138 - /dev/dmmidi has default label; rpc.mountd causes SELinux error audits
/dev/dmmidi has default label; rpc.mountd causes SELinux error audits
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-01-24 13:43 EST by Mats Andtbacka
Modified: 2008-03-05 17:17 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-03-05 17:17:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mats Andtbacka 2008-01-24 13:43:21 EST
Description of problem:

SELinux has denied the /usr/sbin/rpc.mountd (nfsd_t) "getattr" access to device
/dev/dmmidi. /dev/dmmidi is mislabeled, this device has the default label of the
/dev directory, which should not happen. All Character and/or Block Devices
should have a label. You can attempt to change the label of the file using
restorecon -v /dev/dmmidi. If this device remains labeled device_t, then this is
a bug in SELinux policy. Please file a bug report against the selinux-policy
package. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR,
and find a type that would work for /dev/dmmidi, you can use chcon -t
SIMILAR_TYPE /dev/dmmidi, If this fixes the problem, you can make this permanent
by executing semanage fcontext -a -t SIMILAR_TYPE /dev/dmmidi If the restorecon
changes the context, this indicates that the application that created the
device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this application.

Version-Release number of selected component (if applicable):


How reproducible:

export a directory over NFS (i exported a sub-tree of /media) while SELinux is
in enforcing mode. mount it remotely and access files on it. rpc.mountd will
begin generating denial audit messages at a rate of (in my case) several per hour.

Additional info:

no apparent ill effects other than the audit messages --- the NFS-exported
directory works well and is accessible. hence, low priority.

however, this also seems like a low-hanging fruit; adding a file label to the
default policy should fix it. i do not know what label would best work,
Comment 1 Daniel Walsh 2008-01-24 14:10:37 EST
Fixed in selinux-policy-2.6.4-71.fc7
Comment 2 Daniel Walsh 2008-03-05 17:17:32 EST
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.

Note You need to log in before you can comment on or make changes to this bug.