An example is mmcblk0rpmb, which is for the replay protected memory block
subsystem.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
NVMe has several dev nodes for each device:
/dev/nvme0 is a char device for communicating with the controller
/dev/nvme0n1 is the block device that stores the data.
/dev/nvme0n1p1 is the first partition
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
get by default marked as device_t. However, in case of software raid devices,
the mdadm application (running in mdadm_t) does not hold the proper privileges
to access this for its auto-assembly of the raids.
Other block device applications, like blkid (running in fsadm_t) use these
temporary block devices as well, but already hold the necessary privileges on
device_t to continue their work.
By marking the temporary block device as a fixed_disk_device_t, all these block
device handling applications (such as blkid, but also mdadm) now hold the proper
privileges. Since udev is selinux-aware, the created files are immediately
restorecon'ed before the rules are applied.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> From my understanding of the FUSE website, the data from the userland FS
> is transferred through this device. Since the data may go up to system
> high, I believe the device should still be system high.
>
Making it systemhigh will generate lots of AVC messages on every login
at X Since fusefs is mounted at ~/.gfs. It will also make it unusable I
believe on an MLS machine. Mostly I have seen fusefs used for remote
access to data. sshfs for example.
Chris PeBenito
Chris PeBenito
Jason Zaman
Chris PeBenito
Nicolas Iooss
Chris PeBenito
Matthew Thode
Sven Vermeulen
Mika Pflüger