Bug 119322

Summary: SELinux and device access
Product: [Fedora] Fedora
Reporter: Deji <aking>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: netdragon, pgraner, walters
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2004-04-20 18:01:12 UTC
Attachments: avc messages (flags: none)

Description Deji 2004-03-29 14:35:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040312

Description of problem:
This is not really a bug report but an RFE. With the current Fedora
devel. installed, system devices like the floppy and CD-ROM don't
get mounted automatically when logged in as an ordinary user, as they
used to do before selinux. Also, an attempt to format a floppy as a user
was denied. In summary, I can't access either a floppy or CD at all
with current selinux enabled, as I used to be able to do before.

PS: I tried to change one user to have an admin role in the
policy.conf; with this, the user can perform some root roles like
start up up2date and the system-config*, but is still not able to access
those devices.

Version-Release number of selected component (if applicable):
policy-1.9-15

How reproducible:
Always

Steps to Reproduce:
1. Insert a diskette or a cd into the system (as ordinary user)
2. Open floppy-formatter to format the floppy

Actual Results: Access denied

Expected Results:
1. Device content should open up in nautilus
2. Format a floppy disk

Additional info:

Comment 1 Colin Walters 2004-03-29 20:01:04 UTC
Hm.  I haven't actually checked yet (need to find a floppy), but I'm
guessing that this is likely because sysadm_t doesn't have raw device
access.  So we either need to run applications like gfloppy in a
separate domain, or give sysadm_t the requisite access.

Comment 2 Colin Walters 2004-03-29 20:23:31 UTC
Actually I'm not sure what's going on here.  As uid 500 in
user_r/user_t, I inserted a floppy, opened gfloppy, and clicked
"Format", and it worked correctly.

Are you using a different floppy formatting program?


Comment 3 Deji 2004-03-29 23:26:17 UTC
No, I was using the same gfloppy. I've just installed FC2-test2 (fresh
installation), and now gfloppy starts up with this warning:
"You do not have the proper permissions to write to /dev/floppy/0 or
/dev/fd0, formatting will not be possible.
Contact your system administrator about getting write permissions."
I changed the permission and now it works, thanks.
But I still can't mount/unmount any device as a user as I used to be
able to do before. I'm not sure anymore if it's due to selinux being
enabled or not.

Comment 4 Colin Walters 2004-03-30 15:43:57 UTC
I assume the warning is because you weren't in the "floppy" group,
correct?  That doesn't have anything to do with SELinux.

I'll investigate the mount/unmount issue now.


Comment 5 Deji 2004-03-30 16:05:10 UTC
You're probably right about the floppy stuff; however, I can now
confirm the mount/unmount issue is due to SELinux, because the issue
disappears after disabling it (SELinux).

Comment 6 Daniel Walsh 2004-03-30 19:11:50 UTC
Check the /var/log/messages to see if there are any denial messages
when this happens.  Also you can do setenforce 0 to turn off SELinux
enforcing mode and see if it works.  If it does then it is an selinux
problem.  Send us the avc messages if you are seeing a problem.

Thanks, 

Dan
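
The log check described in Comment 6, as an added example that is not part of the original thread: a Python parser that pulls AVC denials out of syslog text and groups the denied permissions by source type, target type and object class. The log lines are constructed samples, not the contents of attachment 98984, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog AVC format; not from attachment 98984.
SAMPLE_LOG = """\
Mar 30 18:40:01 localhost kernel: audit(1080690001.101:0): avc:  denied  { read } for  pid=2114 exe=/bin/mount name=fd0 dev=hda2 ino=4711 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Mar 30 18:40:01 localhost kernel: audit(1080690001.102:0): avc:  denied  { write } for  pid=2114 exe=/bin/mount name=fd0 dev=hda2 ino=4711 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Mar 30 18:40:07 localhost su(pam_unix)[2120]: session opened for user root by (uid=500)
Mar 30 18:41:12 localhost kernel: audit(1080690072.300:0): avc:  denied  { getattr } for  pid=2130 exe=/usr/bin/nautilus path=/mnt/cdrom dev=hda2 ino=9001 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_denials(text):
    """Yield one dict per AVC denial: perms plus the key=value fields."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                    # other syslog traffic, not a denial
        rec = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
        rec["perms"] = m.group(1).split()
        yield rec

def ctx_type(ctx):
    """Return the type field of a user:role:type security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    for rec in parse_denials(text):
        if not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue                    # truncated record, skip it
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```

An empty summary for the time window of a failed mount points away from SELinux, which matches the case where the failure persists after setenforce 0.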

Comment 7 Deji 2004-03-30 23:51:30 UTC
Created attachment 98984 [details]
avc messages

Comment 8 Deji 2004-03-30 23:52:33 UTC
I did setenforce 0 and the problem persists. After that I followed an
instruction I saw on the mailing list, changing attribute owner to
user in /etc/fstab, which then allowed me to mount.
Attached is the tail end of /var/log/messages. I've included some other
avc messages that might interest you in the upper part :), the mount
avc messages are towards the end.

Comment 9 Brian "netdragon" Bober 2004-04-05 17:11:02 UTC
I had the same issue, but set my /etc/fstab lines like this and then
the problem went away:

/dev/cdrom              /mnt/cdrom              udf,iso9660 noauto,user,kudzu,ro 0 0
/dev/hdc4               /mnt/zip                auto        noauto,user,kudzu 0 0
/dev/fd0                /mnt/floppy             auto        noauto,user,kudzu 0 0

This appears to be not a bug with SELinux. Should this bug be closed?

Comment 10 Deji 2004-04-06 21:20:48 UTC
I didn't open this as a bug report but as an RFE. My concern is that people
should be able to mount their devices with the default setup. You
don't expect people just starting out with Linux to know about /etc/fstab or
understand what the 'noauto,owner,kudzu, etc' in there means (it took
me some time before I could look into /etc after being exposed to Linux).

Comment 11 Colin Walters 2004-04-20 18:01:12 UTC
The SELinux-related issues in this bug appear to have been fixed.  As
for mounting as a user, I investigated this a bit and it turns out
pam_console should set ownership of the device to you when you log in,
and the "owner" property should allow you to mount CDROMs.