From 1668ffb2442bc16aeff7b79c2ceae708cfde35e2 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Tue, 15 Nov 2011 10:45:45 +0100
Subject: [PATCH] Mark temporary block device as fixed_disk_device_t

When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they get by default marked as device_t. However, in the case of software raid devices, the mdadm application (running in mdadm_t) does not hold the proper privileges to access this for its auto-assembly of the raids.

Other block device applications, like blkid (running in fsadm_t), use these temporary block devices as well, but already hold the necessary privileges on device_t to continue their work.

By marking the temporary block device as fixed_disk_device_t, all these block device handling applications (such as blkid, but also mdadm) now hold the proper privileges.

Since udev is selinux-aware, the created files are immediately restorecon'ed before the rules are applied.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/storage.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 57c4a6acd..54f182702 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -1,4 +1,4 @@
-
+/dev/\.tmp-block-.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
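Review bot: the added storage.fc entry uses the file type flag `-c` (character special file), but the /dev/.tmp-block-* nodes the commit message describes are block devices, so this spec will not match them and udev's restorecon would leave them at the device_t default instead of the intended fixed_disk_device_t. The flag should be `-b`: `/dev/\.tmp-block-.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The three tape entries in the same hunk are correctly `-c`, since tape drives are character devices, which may be where the flag was copied from. Two smaller points for the commit message: the pattern covers the temporary node of every block device that udev creates, not only raid members, so any domain with fixed_disk_device_t access can reach the temporary node of any block device during that window; and the new entry uses mls_systemhigh while the visible neighbouring entries use s0, so it is worth stating that this matches the level used for the other fixed_disk_device_t specs.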