Red Hat Bugzilla – Bug 119322
SELinux and device access
Last modified: 2007-11-30 17:10:39 EST
Description of problem:
This is not really a bug report but an RFE. With the current Fedora
devel. installed, system devices like the floppy and CD-ROM don't
get mounted automatically when logged in as an ordinary user, as they
used to do before SELinux. Also, an attempt to format a floppy as a user
was denied. In summary, I can't at all access either a floppy or CD
with current SELinux enabled as I used to be able to do before.
PS: I tried to change one user to have an admin role in the
policy.conf; with this, the user can perform some root roles like
starting up up2date and the system-config*, but is still not able to access
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Insert a diskette or a cd into the system (as ordinary user)
2. Open floppy-formatter to format the floppy
Actual Results: Access denied
Expected Results: 1. Device content should open up in nautilus
2. Format a floppy disk
Hm. I haven't actually checked yet (need to find a floppy), but I'm
guessing that this is likely because sysadm_t doesn't have raw device
access. So we either need to run applications like gfloppy in a
separate domain, or give sysadm_t the requisite access.
Actually I'm not sure what's going on here. As uid 500 in
user_r/user_t, I inserted a floppy, opened gfloppy, and clicked
"Format", and it worked correctly.
Are you using a different floppy formatting program?
No, I was using the same gfloppy. I've just installed FC2-test2 (fresh
installation), and now gfloppy starts up with this warning:
"You do not have the proper permissions to write to /dev/floppy/0 or
/dev/fd0, formatting will not be possible.
Contact your system administrator about getting write permissions."
I changed the permission and now it works, Thanks.
But I still can't mount/unmount any device as a user as I used to be
able to do before; I'm not sure anymore if it's due to SELinux being enabled.
I assume the warning is because you weren't in the "floppy" group,
correct? That doesn't have anything to do with SELinux.
I'll investigate the mount/unmount issue now.
You're probably right about the floppy stuff; however, I can now
confirm the mount/unmount issue is due to SELinux, because the issue
disappears after disabling it (SELinux).
Check /var/log/messages to see if there are any denial messages
when this happens. Also you can do setenforce 0 to turn off SELinux
enforcing mode and see if it works. If it does, then it is an SELinux
problem. Send us the avc messages if you are seeing a problem.
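One way to pull the AVC denials out of a /var/log/messages tail and group them into the (source type, target type, object class, permissions) tuples that a policy fix or a bug report needs. This is an added example, not code from the bug or from Fedora; the log lines embedded below are constructed in the FC2-era kernel AVC format and are not the attachment from this bug.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (FC2-era AVC format);
# representative input only, NOT the attachment posted to the bug.
SAMPLE_LOG = """\
Mar 29 10:01:12 fc2 kernel: audit(1080572472.101:0): avc:  denied  { write } for  pid=2310 exe=/bin/mount dev=hda2 ino=1234 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Mar 29 10:01:12 fc2 kernel: audit(1080572472.102:0): avc:  denied  { read write } for  pid=2310 exe=/bin/mount dev=hda2 ino=5678 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Mar 29 10:01:13 fc2 kernel: audit(1080572473.005:0): avc:  denied  { write } for  pid=2311 exe=/bin/umount dev=hda2 ino=1234 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Mar 29 10:02:00 fc2 gnome-volume-manager[2400]: mounting /dev/fd0 failed
"""

# Matches the "avc: denied { perms } for <key=value ...> scontext= tcontext= tclass=" shape.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Return one dict per AVC denial in the log text; non-AVC lines are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        denials.append({
            "perms": tuple(m.group("perms").split()),
            "exe": fields.get("exe"),
            "pid": fields.get("pid"),
            "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
        })
    return denials

def summarize(denials):
    """Count denials by (source type, target type, class, perms): the tuple an allow rule is written from."""
    counts = Counter()
    for d in denials:
        stype = d["scontext"].split(":")[2]   # user:role:type -> type
        ttype = d["tcontext"].split(":")[2]
        counts[(stype, ttype, d["tclass"], d["perms"])] += 1
    return counts

def denials_for(denials, *exes):
    """Keep only denials raised by the given programs, e.g. /bin/mount and /bin/umount."""
    return [d for d in denials if d["exe"] in exes]

if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize(parse_avc(SAMPLE_LOG)).items():
        print(f"{n}x {stype} -> {ttype} ({tclass}): {' '.join(perms)}")
```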
Created attachment 98984
I did setenforce 0 and the problem persists; after that I followed an
instruction I saw on the mailing list, changing the attribute owner to
user in /etc/fstab, which then allowed me to mount.
Attached is the tail-end of /var/log/messages. I've included some other
avc messages that might interest you in the upper part :); the mount
avc messages are towards the end.
I had the same issue, but set my /etc/fstab lines like this and then
the problem went away:
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,user,kudzu,ro 0 0
/dev/hdc4 /mnt/zip auto noauto,user,kudzu 0 0
/dev/fd0 /mnt/floppy auto noauto,user,kudzu 0 0
This appears to be not a bug with SELinux. Should this bug be closed?
I didn't open this as a bug report but as an RFE; my concern is that people
should be able to mount their devices with the default setup. You
don't expect people just starting with Linux to know about /etc/fstab or
understand what the 'noauto,owner,kudzu, etc.' in there means (it took
me some time before I could look into /etc after being exposed to Linux).
The SELinux-related issues in this bug appear to have been fixed. As
for mounting as a user, I investigated this a bit and it turns out
pam_console should set ownership of the device to you when you log in,
and the "owner" property should allow you to mount CDROMs.