Some questions about /dev/twe* and selinux context

Daniel J Walsh dwalsh at redhat.com
Tue Aug 28 10:24:21 UTC 2007


Ali Nebi wrote:
> Hi all,
> 
> I have some problems with selinux context about /dev/twe*
> 
> I get these messages: 
> 
> Aug 28 08:41:19 w3host kernel: audit(1188283279.352:167): avc:  denied { getattr } for  pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.388:168): avc:  denied { read } for  pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.445:169): avc:  denied { ioctl } for  pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> 
> I know that /dev/twe* must have fixed_disk_device_t context.
> 
> When I fix it with chcon -t fixed_disk_device_t /dev/twe* the avc stops
> auditing this. Everything works ok. When I restarted the system, the
> context changed to device_t again. I wrote in rc.local the command to
> change context, but it returned me "no such file or directory". I know
> that twe* devices are created automatically on boot, so let's say that
> this is no problem. I decided to use semanage to add a rule for /dev/twe*
> like this:
> /usr/sbin/semanage fcontext -a -f -c -t fixed_disk_device_t "/dev/twe*"
> 
The syntax here is wrong; /dev/twe.* would be correct, although there is
already a context for this, so this is not necessary.
> After reboot, the result was the same, the context is device_t :( 
> When I used the restorecon command:
> /sbin/restorecon /dev/twe* 
> it changed the context to fixed_disk_device_t
> 
> So the questions are:
> 
> 1. Where did I make a mistake?
> 2. What can I do to fix this problem?
> 
> Regards, Ali Nebi!
> 

Who is creating the /dev/twe devices?  This is the problem.  This app
should be made SELinux aware, or use udev or execute restorecon after
creating the device.
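
Added example (not part of the original messages, and not code from either poster): it parses the three denials quoted above and checks which of the two path specs discussed in the thread covers the device. File-context path specs are regular expressions matched against the whole path, not shell globs. Assumptions: Python's re stands in for the regex engine libselinux uses, the device path is taken to be /dev/ plus the name= field, and all function names are hypothetical.

```python
import re

# Constructed sample: the denials quoted in the message, one per line.
_FIELDS = ('pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 '
           'scontext=system_u:system_r:fsdaemon_t:s0 '
           'tcontext=system_u:object_r:device_t:s0 tclass=chr_file')
AVC_LINES = [
    "Aug 28 08:41:19 w3host kernel: audit(1188283279.%s): avc:  denied { %s } for  %s"
    % (stamp, perm, _FIELDS)
    for stamp, perm in [("352:167", "getattr"), ("388:168", "read"), ("445:169", "ioctl")]
]

# The two specs from the thread: the one that was typed, and the corrected one.
SPECS = ["/dev/twe*", "/dev/twe.*"]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    return {
        "perms": m.group("perms").split(),
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "path": "/dev/" + kv["name"].strip('"'),  # assumption: device lives in /dev
    }

def spec_matches(spec, path):
    """A path spec is an anchored regex: it must match the entire path."""
    return re.fullmatch(spec, path) is not None

def covering_specs(path, specs=SPECS):
    return [s for s in specs if spec_matches(s, path)]

def summarize(lines):
    """Group denied permissions by (source type, target type, class, path)."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["path"])
        out.setdefault(key, []).extend(rec["perms"])
    return out

if __name__ == "__main__":
    for (src, tgt, cls, path), perms in summarize(AVC_LINES).items():
        print(f"{src} -> {tgt}:{cls} {path} denied {perms}")
        print("  specs that cover this path:", covering_specs(path))
```

As a regex, "/dev/twe*" means "/dev/tw" followed by zero or more "e", so it covers /dev/tw or /dev/twee but never /dev/twe0.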