Bug 119322
Summary: | SELinux and device access | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Deji <aking>
Component: | policy | Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED RAWHIDE | Last Closed: | 2004-04-20 18:01:12 UTC
Severity: | medium | Priority: | medium
Version: | rawhide | CC: | netdragon, pgraner, walters
Target Milestone: | --- | Keywords: | FutureFeature
Target Release: | --- | Doc Type: | Enhancement
Hardware: | All | OS: | Linux
Description
Deji
2004-03-29 14:35:17 UTC
Hm. I haven't actually checked yet (need to find a floppy), but I'm guessing that this is likely because sysadm_t doesn't have raw device access. So we either need to run applications like gfloppy in a separate domain, or give sysadm_t the requisite access.

Actually I'm not sure what's going on here. As uid 500 in user_r/user_t, I inserted a floppy, opened gfloppy, and clicked "Format", and it worked correctly. Are you using a different floppy formatting program?

No, I was using the same gfloppy. I've just installed FC2-test2 (fresh installation), and now gfloppy starts up with this warning: "You do not have the proper permissions to write to /dev/floppy/0 or /dev/fd0, formatting will not be possible. Contact your system administrator about getting write permissions." I changed the permission and now it works, thanks. But I still can't mount/unmount any device as a user as I used to be able to do before; I'm not sure anymore if it's due to selinux enabled or not.

I assume the warning is because you weren't in the "floppy" group, correct? That doesn't have anything to do with SELinux. I'll investigate the mount/unmount issue now.

You're probably right about the floppy stuff; however, I can now confirm the mount/unmount issue is due to SELinux, because the issue disappears after disabling it (SELinux).

Check the /var/log/messages to see if there are any denial messages when this happens. Also you can do setenforce 0 to turn off SELinux enforcing mode and see if it works. If it does then it is an selinux problem. Send us the avc messages if you are seeing a problem.

Thanks, Dan

Created attachment 98984: avc messages

I did setenforce 0 and the problem persists. After that I followed an instruction I saw on the mailing list, changing attribute owner to user in /etc/fstab, which then allowed me to mount. Attached is the tail-end of /var/log/messages. I've included some other avc messages that might interest you in the upper part :), the mount avc messages are towards the end.

I had the same issue, but set my /etc/fstab lines like this and then the problem went away:

    /dev/cdrom /mnt/cdrom udf,iso9660 noauto,user,kudzu,ro 0 0
    /dev/hdc4 /mnt/zip auto noauto,user,kudzu 0 0
    /dev/fd0 /mnt/floppy auto noauto,user,kudzu 0 0

This appears to be not a bug with SELinux. Should this bug be closed?

I didn't open this as a bug report but as an RFE. My concern is that people should be able to mount their devices with the default setup. You don't expect people just starting into linux to know about /etc/fstab or understand what the 'noauto,owner,kudzu, etc' in there means (it took me some time before I could look into /etc after being exposed to linux).

The SELinux-related issues in this bug appear to have been fixed. As for mounting as a user, I investigated this a bit and it turns out pam_console should set ownership of the device to you when you log in, and the "owner" property should allow you to mount CDROMs.
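The triage this thread walks through (fstab options, device ownership for "owner", then AVC denials) can be scripted; the following is an added example, not part of the bug report. The function names, the temporary files and the sample fstab and log lines are constructed for illustration, and the log line only approximates the AVC message format.

```shell
#!/bin/sh
# Added example, not from the bug report. All sample data is constructed.

# Print "<device> <option>" for the first user, users, owner or group option
# on the fstab entry for a mount point; exit status 1 if there is none.
user_mount_option() {  # $1 = fstab path, $2 = mount point
    awk -v mp="$2" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^(user|users|owner|group)$/) {
                    print $1, o[i]; found = 1; exit
                }
        }
        END { exit !found }' "$1"
}

# Count syslog lines that are AVC denials and mention the given string.
avc_denials() {  # $1 = log path, $2 = string to look for
    awk -v s="$2" '/avc: +denied/ && index($0, s) { n++ } END { print n + 0 }' "$1"
}

# Classify a failed non-root mount: fstab, ownership, selinux or ok.
diagnose() {  # $1 = fstab, $2 = log, $3 = mount point
    entry=$(user_mount_option "$1" "$3") || { echo fstab; return; }
    dev=${entry% *} opt=${entry#* }
    # "owner" only helps if the device node belongs to the caller
    # (per the thread, pam_console is what sets that at login).
    if [ "$opt" = owner ] && [ ! -O "$dev" ]; then echo ownership; return; fi
    if [ "$(avc_denials "$2" "$3")" -gt 0 ]; then echo selinux; return; fi
    echo ok
}

# Constructed sample files: an fstab, a log with one denial, an empty log.
d=$(mktemp -d)
: > "$d/fd0"                                   # stand-in device node we own
printf '%s\n' "# constructed fstab" \
    "$d/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0" \
    "/dev/cdrom /mnt/cdrom udf,iso9660 noauto,kudzu,ro 0 0" \
    "$d/missing /mnt/zip auto noauto,owner,kudzu 0 0" > "$d/fstab"
printf '%s\n' "kernel: audit(1080570917.000:0): avc:  denied  { mounton } for  pid=2301 exe=/bin/mount path=/mnt/floppy scontext=user_u:user_r:user_t tcontext=system_u:object_r:mnt_t tclass=dir" > "$d/messages"
: > "$d/clean"

diagnose "$d/fstab" "$d/messages" /mnt/cdrom    # no user/owner option
diagnose "$d/fstab" "$d/messages" /mnt/zip      # owner set, device not ours
diagnose "$d/fstab" "$d/messages" /mnt/floppy   # fstab fine, denial logged
diagnose "$d/fstab" "$d/clean" /mnt/floppy      # nothing wrong found
```

On a real system, pass /etc/fstab and /var/log/messages instead of the sample files.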