Bug 165250 - fdisk denied when working with ZIP drive
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-08-05 16:53 EDT by Vladimir Kotal
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.3-12
Doc Type: Bug Fix
Last Closed: 2005-08-26 02:34:04 EDT

Description Vladimir Kotal 2005-08-05 16:53:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
When trying to make a partition and filesystem on a ZIP drive (as root), the fdisk command was denied by the SELinux targeted policy.

The same is valid for mkfs.vfat (and possibly others).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6, libselinux-1.23.10-2

How reproducible:
Always

Steps to Reproduce:
1. Insert ZIP media into the ZIP drive (ATA)
2. Run fdisk on the ZIP drive device
3. See /var/log/messages for errors produced by the targeted policy
  

Actual Results:  fdisk failed with:

[root@erazim Desktop]# fdisk /dev/hdd

Unable to open /dev/hdd
[root@erazim Desktop]# 

and following logs appeared in /var/log/messages:

Aug  5 22:46:12 erazim kernel: audit(1123274772.039:27): avc:  denied  { dac_override } for  pid=4433 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug  5 22:46:12 erazim kernel: audit(1123274772.040:28): avc:  denied  { dac_override } for  pid=4433 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug  5 22:46:12 erazim kernel: audit(1123274772.040:29): avc:  denied  { dac_read_search } for  pid=4433 comm="fdisk" capability=2 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability


Expected Results:  fdisk should enter prompt mode and allow creating partition on the ZIP diskette.

Additional info:
Comment 1 Daniel Walsh 2005-08-07 06:16:27 EDT
Ok I can add those rules, but could you turn off selinux enforcing mode to see
if it requires any others?

setenforce 0
Then create the partition.

Dan
Comment 2 Vladimir Kotal 2005-08-07 08:16:28 EDT
Ok, here are some (hopefully) relevant messages when doing fdisk and mkfs:

Aug  7 14:12:01 erazim kernel: audit(1123416721.645:5): avc:  granted  { setenforce } for  pid=29425 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Aug  7 14:12:01 erazim dbus: avc:  received setenforce notice (enforcing=0)
Aug  7 14:12:01 erazim dbus: avc:  received setenforce notice (enforcing=0)
Aug  7 14:12:22 erazim kernel: audit(1123416742.781:6): avc:  denied  { dac_override } for  pid=29431 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug  7 14:12:22 erazim kernel: hdd: 98304kB, 196608 blocks, 512 sector size
Aug  7 14:12:39 erazim kernel:  hdd: hdd4
Aug  7 14:12:58 erazim kernel:  hdd:
Aug  7 14:13:06 erazim last message repeated 2 times
Aug  7 14:13:35 erazim kernel:  hdd: hdd1
Aug  7 14:13:37 erazim kernel:  hdd: hdd1
Aug  7 14:13:43 erazim kernel: audit(1123416823.933:7): avc:  denied  { dac_override } for  pid=29472 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug  7 14:13:44 erazim kernel:  hdd: hdd1
Aug  7 14:14:23 erazim kernel:  hdd: hdd1
Aug  7 14:14:31 erazim last message repeated 2 times
Aug  7 14:14:43 erazim kernel: audit(1123416883.350:8): avc:  denied  { search } for  pid=29535 comm="mkfs.ext2" name="techie" dev=dm-0 ino=2572291 scontext=root:system_r:fsadm_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
Aug  7 14:14:43 erazim kernel:  hdd: hdd1


The mkfs commands ended with:

[root@erazim techie]# mkfs.ext2 /dev/hdd1
mke2fs 1.37 (21-Mar-2005)
mkfs.ext2: No such file or directory while trying to determine hardware sector size
[root@erazim techie]# mkfs.ext
mkfs.ext2  mkfs.ext3
[root@erazim techie]# mke2fs /dev/hdd1
mke2fs 1.37 (21-Mar-2005)
mke2fs: No such file or directory while trying to determine hardware sector size
[root@erazim techie]#


(and yes, I did run setenforce 0 as root)
Comment 3 Daniel Walsh 2005-08-25 15:03:23 EDT
Fixed in selinux-policy-targeted-1.25.3-12
Comment 4 Walter Justen 2005-08-26 02:34:04 EDT
Thanks for the bug report. This particular bug was fixed and an update package
was published for download. Please feel free to report any further bugs you find.
