'unable to relabel' in /dev.... MAKEDEV-3.7-2, AVCs provided

Tom London selinux at comcast.net
Tue Jun 15 22:07:36 UTC 2004


Relabeling works in permissive mode.

I worked around a broken sysklogd to get AVCs for this.  These were 
produced by running 'restorecon -v /dev/ircomm0; setenforce 0; 
restorecon -v /dev/ircomm0':

audit(1087336052.916:0): avc:  denied  { relabelto } for  pid=4459 
exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 
scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t 
tclass=chr_file
audit(1087336122.785:0): avc:  granted  { setenforce } for  pid=4461 
exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t 
tcontext=system_u:object_r:security_t tclass=security
audit(1087336125.404:0): avc:  denied  { relabelto } for  pid=4462 
exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 
scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t 
tclass=chr_file

I'm confused.... restorecon.te has entries:
allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };

The AVCs imply 'relabelto' is needed on the second line too, or is this 
an issue with MAKEDEV creating the files improperly?

tom

Tom London wrote:

> Running off of the development tree, MAKEDEV-3.7-2 creates lots of new 
> files. Running 'fixfiles relabel' or 'setfiles -v $FC /dev' generates 
> lots of error messages like:
>
> /dev/ptyu7: Permission denied
> /usr/sbin/setfiles:  unable to relabel /dev/ptyu7 to 
> system_u:object_r:device_t
> /dev/ptyd7: Permission denied
> /usr/sbin/setfiles:  unable to relabel /dev/ptyd7 to 
> system_u:object_r:device_t
> /dev/ptyde: Permission denied
> /usr/sbin/setfiles:  unable to relabel /dev/ptyde to 
> system_u:object_r:device_t
> /dev/ptyac: Permission denied
> /usr/sbin/setfiles:  unable to relabel /dev/ptyac to 
> system_u:object_r:device_t
> /dev/ptys1: Permission denied
> /usr/sbin/setfiles:  unable to relabel /dev/ptys1 to 
> system_u:object_r:device_t
> /dev/ircomm9: Permission denied
> /usr/sbin/setfiles:  unable to relabel /dev/ircomm9 to 
> system_u:object_r:device_t
> /dev/ptyre: Permission denied
> /usr/sbin/setfiles:  unable to relabel /dev/ptyre to 
> system_u:object_r:device_t
>
> Here is an 'ls -l' of one of the files:
> [root@dell dev]# ls -l ptyu7
> crw-rw-rw-  1 root tty 2, 87 Jun 14 12:42 ptyu7
> [root@dell dev]# ls -lZ $_
> crw-rw-rw-  root     tty      root:object_r:device_t           ptyu7
> [root@dell dev]#
>
> I'm running selinux-policy-strict-1.13.4-6, with file_contexts 
> augmented with Russell Coker's fix for /udev/microcode.
>
> tom
>
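
Added example (not part of the original message, and not code from the SELinux project): a small Python check that parses the AVC lines quoted above and compares each denial with the two restorecon.te rules from the message. Whether device_t carries the device_type attribute is not stated in the thread, so attribute membership is an explicit input and both cases are assumptions.

```python
import re

# AVC records copied from the message above, re-joined onto single lines.
AVC_LOG = """\
audit(1087336052.916:0): avc:  denied  { relabelto } for  pid=4459 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1087336122.785:0): avc:  granted  { setenforce } for  pid=4461 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
audit(1087336125.404:0): avc:  denied  { relabelto } for  pid=4462 exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075 scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

# The two restorecon.te rules quoted in the message: (source, target, classes, perms).
RULES = [
    ("restorecon_t", "device_type", {"chr_file", "blk_file"},
     {"getattr", "relabelfrom", "relabelto"}),
    ("restorecon_t", "device_t", {"chr_file", "blk_file"},
     {"getattr", "relabelfrom"}),
]

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Split one AVC record into result, permissions and type fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {
        "result": m.group(1),
        "perms": set(m.group(2).split()),
        "source": fields["scontext"].split(":")[2],  # user:role:type
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name"),
    }

def missing_perms(avc, rules, attributes):
    """Permissions in the AVC that no rule grants.
    attributes maps an attribute name to its member types (assumed input)."""
    granted = set()
    for src, tgt, classes, perms in rules:
        tgt_types = attributes.get(tgt, {tgt})  # plain type if not an attribute
        if avc["source"] == src and avc["target"] in tgt_types and avc["tclass"] in classes:
            granted |= perms
    return avc["perms"] - granted

def explain(log, rules, attributes):
    """Return (file name, target type, ungranted perms) for each denial."""
    avcs = (parse_avc(line) for line in log.splitlines())
    return [(a["name"], a["target"], sorted(missing_perms(a, rules, attributes)))
            for a in avcs if a and a["result"] == "denied"]
```

Calling `explain(AVC_LOG, RULES, {})` treats device_t as outside device_type and reports relabelto as ungranted; passing `{"device_type": {"device_t"}}` makes the first rule cover it. The second denial is still logged after setenforce 0 because permissive mode records denials without enforcing them.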



