From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 4 Mar 2014 17:12:37 +0100
Subject: [refpolicy] restorecon/setfiles generating avc: denied { getattr } on pseudo filesystems
Message-ID: <20140304171237.41758378@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

Currently if you are running restorecon/fixfiles on a pseudo filesystem (sysfs_t, device_t, tmpfs_t) we are getting the following kind of AVC:

type=AVC msg=audit(1393898218.762:236): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

This is happening because these file systems are not of the type fs_t. However, these pseudo fs do support xattrs.

Talking a bit with Dominick, he proposed to create a new "xattrfs" attribute, attach it to all the filesystems and then use it instead of fs_t in the allow rules.

This should probably also simplify/fix situations where files are moved around between these pseudo-fs and real fs.

Does anybody have comments on this?

Cheers,

Laurent Bigonville

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
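To make the proposal concrete, here is an added worked example (not part of the original post, and not refpolicy's own code) that parses AVC lines like the one quoted above and evaluates them against a tiny model of two rule sets: one that grants `setfiles_t` `filesystem { getattr }` only on `fs_t`, and one that attaches a `xattrfs` attribute to every xattr-capable filesystem type and grants the permission on the attribute instead. The `Policy` class, the `xattrfs` membership list and the extra constructed audit lines (a `sysfs_t` denial and an unrelated `file { read }` denial) are illustrative assumptions; the model mirrors how `attribute`/`typeattribute`/`allow` compose in the SELinux policy language but does not compile real policy.

```python
import re

# Constructed sample audit log: the two lines quoted in the post plus two
# constructed extras (a sysfs_t denial and an unrelated file read denial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1393898218.762:236): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 pid=3902 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898219.001:237): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=sysfs ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1393898219.002:238): avc: denied { read } for pid=4000 comm="cat" name="shadow" dev=sda1 ino=42 scontext=unconfined_u:unconfined_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Pull the permission set, source/target contexts and object class out of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the relevant fields of an AVC denial, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


class Policy:
    """Minimal model of attribute, typeattribute and allow statements (assumption)."""

    def __init__(self):
        self.attributes = {}   # attribute name -> set of member types
        self.rules = []        # (source, target, class, perms)

    def attribute(self, name):
        self.attributes.setdefault(name, set())

    def typeattribute(self, type_name, attr):
        self.attributes[attr].add(type_name)

    def allow(self, source, target, tclass, perms):
        self.rules.append((source, target, tclass, frozenset(perms)))

    def _expand(self, name):
        # An attribute stands for all of its member types; a type stands for itself.
        return self.attributes.get(name, {name})

    def permits(self, stype, ttype, tclass, perms):
        granted = set()
        for src, tgt, cls, ps in self.rules:
            if cls == tclass and stype in self._expand(src) and ttype in self._expand(tgt):
                granted |= ps
        return perms <= granted


FS_GETATTR = {"getattr"}


def fs_t_only_policy():
    """The situation described in the post: only fs_t is covered."""
    p = Policy()
    p.allow("setfiles_t", "fs_t", "filesystem", FS_GETATTR)
    return p


def xattrfs_policy():
    """The proposal: an xattrfs attribute attached to every xattr-capable filesystem type."""
    p = Policy()
    p.attribute("xattrfs")
    for t in ("fs_t", "sysfs_t", "device_t", "tmpfs_t"):   # membership list is an assumption
        p.typeattribute(t, "xattrfs")
    p.allow("setfiles_t", "xattrfs", "filesystem", FS_GETATTR)
    return p


def evaluate(audit_text, policy):
    """Map each denied target type to whether the given policy would have allowed the access."""
    results = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:          # SYSCALL records and other noise are skipped
            continue
        results[d["ttype"]] = policy.permits(d["stype"], d["ttype"], d["tclass"], d["perms"])
    return results


if __name__ == "__main__":
    print("fs_t only :", evaluate(SAMPLE_AUDIT, fs_t_only_policy()))
    print("xattrfs   :", evaluate(SAMPLE_AUDIT, xattrfs_policy()))
```

Under the fs_t-only rule set both pseudo-filesystem denials remain denied; under the attribute-based rule set they are allowed, while the unrelated `shadow_t` file read stays denied in both, which is the property to check when widening a rule from a single type to an attribute.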