Relabel /dev/nvme* explicitly

In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit, the type of nvme device files has changed from nvme_device_t to fixed_disk_device_t. This cannot currently be resolved in specfile selinux macros as fixfiles excludes /dev entries. For files in /dev with changed context, restorecon needs to be run explicitly to restore the context. This is a temporary workaround till April 2021 when the updated policy can be considered spread enough.
2021-03-01 09:38:19 +01:00 · 2021-03-01 09:38:19 +01:00 · c7794d90ee
commit c7794d90ee
parent 2faa5c2293
1 changed files with 4 additions and 0 deletions
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -279,6 +279,10 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
     %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
 fi; \
+# the /dev/nvme* device files type changed, therefore explicit relabeling \
+# of /dev/nvme* is needed as fixfiles excludes /dev \
+# this is a temporary workaround till April 2021 \
+[ -f /dev/nvme0 ] && %{_sbindir}/restorecon /dev/nvme* \
 if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
    continue; \
 fi;