Label /dev/dma_heap with dma_device_dir_t
With commit a091bcd (Label /dev/dma_heap/* char devices with dma_device_t) a new dma_device_t type was assigned to the /dev/dma_heap directory and all files in it. The basic dev_node() interface called for dma_device_t just assigns the type to the device_node attribute, which prevents many domains from searching the directory with the same label.

This commit labels the /dev/dma_heap directory with the new dma_device_dir_t type and adds it to the file_type, non_auth_file_type, and non_security_file_type attributes, allowing the access for domains requiring this access, and adds an unnamed file transition to dma_device_t for block files created in this directory.

An example AVC denial after the directory was labeled dma_device_t:

type=PROCTITLE msg=audit(05/31/2021 09:03:08.452:397) : proctitle=/usr/bin/python3 -Es /usr/sbin/setroubleshootd -f
type=PATH msg=audit(05/31/2021 09:03:08.452:397) : item=0 name=/dev/dma_heap/* nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(05/31/2021 09:03:08.452:397) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fd607775ec0 a2=0x7fd60774bf60 a3=0x0 items=1 ppid=1 pid=2498 auid=unset uid=setroubleshoot gid=setroubleshoot euid=setroubleshoot suid=setroubleshoot fsuid=setroubleshoot egid=setroubleshoot sgid=setroubleshoot fsgid=setroubleshoot tty=(none) ses=unset comm=setroubleshootd exe=/usr/bin/python3.9 subj=system_u:system_r:setroubleshootd_t:s0
type=AVC msg=audit(05/31/2021 09:03:08.452:397) : avc: denied { search } for pid=2498 comm=setroubleshootd name=dma_heap dev="devtmpfs" ino=102 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:dma_device_t:s0 tclass=dir permissive=0

Resolves: rhbz#1965743
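What the change described in the message looks like in refpolicy-style policy source, as an added illustration written for this page; it is not the commit's own diff. The type names dma_device_t and dma_device_dir_t and the three attributes come from the message; dev_node(), files_type() and gen_context() are the standard refpolicy interfaces and macros. The choice of kernel_t as the domain for the unnamed transition (devtmpfs nodes are created by the kernel) is an assumption made for the example, as is the assumption that kernel_t already holds the dir write rights the transition needs.

```selinux
# devices.te (illustrative excerpt, not the commit's diff)

# Type for the character devices under /dev/dma_heap.
# dev_node() only adds the device_node attribute.  A directory that
# carries this type is therefore not covered by the attribute-based
# rules (file_type, non_security_file_type, non_auth_file_type) that
# give ordinary domains "search" on device directories, which is the
# cause of the { search } denial on tclass=dir shown above.
type dma_device_t;
dev_node(dma_device_t)

# Separate type for the /dev/dma_heap directory itself.
# files_type() is the interface that adds file_type,
# non_security_file_type and non_auth_file_type, so domains such as
# setroubleshootd_t that search /dev subdirectories by attribute can
# traverse it without a rule naming dma_device_dir_t explicitly.
type dma_device_dir_t;
dev_node(dma_device_dir_t)
files_type(dma_device_dir_t)

# Unnamed file transition: a character device node created inside a
# dma_device_dir_t directory is labeled dma_device_t regardless of its
# file name.  Using kernel_t as the creating domain is an assumption
# for this illustration (devtmpfs device nodes are created by the
# kernel); the creating domain must also hold the dir { write add_name }
# rights, which kernel_t is assumed to have already.
type_transition kernel_t dma_device_dir_t:chr_file dma_device_t;

# devices.fc (illustrative)
# The directory and the device nodes in it get distinct types, so a
# relabel (restorecon -R /dev/dma_heap) reproduces the same split.
/dev/dma_heap        -d  gen_context(system_u:object_r:dma_device_dir_t,s0)
/dev/dma_heap/.*     -c  gen_context(system_u:object_r:dma_device_t,s0)
```

The design point is the split between dev_node() and files_type(): a type that is only a device_node is reachable solely by rules written against that attribute, whereas the directory needs to be a file_type for the generic "search device directories" permissions to apply. Keeping the device nodes on dma_device_t preserves the tighter labeling the earlier commit introduced, while the transition ensures new nodes are labeled consistently without per-name rules.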