Bug 442074

Summary: can't mount regular filesystems in GNOME under the livecd
Product: [Fedora] Fedora Reporter: Bill Nottingham <notting>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: davidz, jkubin, petrosyan, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-14 13:26:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Bill Nottingham 2008-04-11 16:00:35 UTC
Description of problem:

When booting the livecd, my box's /boot shows up both in 'Computer' and in the
'Places' menu. However, clicking on it doesn't do anything, and setroubleshoot says:

Raw Audit Messages :host=localhost.localdomain type=AVC
msg=audit(1207943537.35:16): avc: denied { getattr } for pid=3661
comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=process host=localhost.localdomain
type=SYSCALL msg=audit(1207943537.35:16): arch=c000003e syscall=0 success=no
exit=-13 a0=4 a1=1e432f0 a2=fff a3=0 items=0 ppid=2791 pid=3661 auid=4294967295
uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none)
ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:hald_t:s0

Version-Release number of selected component (if applicable):


Comment 1 Josef Kubin 2008-04-11 19:09:14 UTC
My proposed fix:

--- serefpolicy-3.3.1/policy/modules/services/hal.te    2008-04-11
21:03:36.000000000 +0200
+++ serefpolicy-3.3.1.myFix/policy/modules/services/hal.te      2008-04-11
21:07:05.000000000 +0200
@@ -152,6 +152,8 @@

Comment 2 petrosyan 2008-04-12 03:12:26 UTC
*** Bug 442130 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2008-04-14 13:26:37 UTC
It is probably better to add

allow hald_t self:process getattr;

Rather then use the interface.

Fixed in selinux-policy-3.3.1-35.fc9