Description of problem:
A normal user is not permitted to play a cd due to incorrect device context. The default policy labels the cd device (/dev/hdc in my case) as fixed_disk_device_t. When the device is relabeled as removable_device_t the cd can be played.

Version-Release number of selected component (if applicable):
policy-1.11.2-18
policy-sources-1.11.2-18

How reproducible:
always

Steps to Reproduce:
1. install default policy
2. fixfiles relabel
3. play cd as normal user (cdp or cdplay)

Actual results:
playing cd is denied with this audit:
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc: denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8 ino=66203 scontext=user_u:user_r:user_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

Expected results:
playing of the cd would be permitted

Additional info:
See the URL for mailing list discussion.

Latest policy and udev changes should create the cdrom device with the correct context.

selinux-policy-strict-1.17.12-1
udev-030-25
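
For triaging denials like the one in this report, the following added example (not part of the original bug report or of the SELinux tooling) parses the AVC record quoted above and flags a device whose target type differs from the expected one. The function names and the EXPECTED table are hypothetical; the table encodes only the reporter's statement that the CD plays once /dev/hdc is labeled removable_device_t, and the parser assumes field values contain no spaces.

```python
import re

# Audit record copied from the report above (syslog prefix included).
SAMPLE = ("Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc: denied "
          "{ ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8 ino=66203 "
          "scontext=user_u:user_r:user_t "
          "tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file")

# Hypothetical expectation table, built from the report: the CD plays once
# /dev/hdc carries removable_device_t.
EXPECTED = {"/dev/hdc": "removable_device_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the AVC fields of one audit line as a dict, or None if not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:                       # skip anything that is not key=value
            rec[key] = value
    # A context is user:role:type; the third field is the type enforcement type.
    for side, name in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(side, "").split(":")
        if len(parts) >= 3:
            rec[name] = parts[2]
    return rec

def label_mismatch(rec, expected):
    """Return (path, actual_type, expected_type) when the target label is wrong, else None."""
    path, actual = rec.get("path"), rec.get("ttype")
    wanted = expected.get(path)
    if wanted is not None and actual != wanted:
        return (path, actual, wanted)
    return None

if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print("%s %s: %s -> %s (%s)" % (rec["result"], " ".join(rec["perms"]),
                                    rec["stype"], rec["ttype"], rec["tclass"]))
    hit = label_mismatch(rec, EXPECTED)
    if hit:
        print("label mismatch on %s: has %s, expected %s" % hit)
```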