From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
When trying to make a partition and filesystem on a ZIP drive (as root), the fdisk command was denied by the selinux targeted policy. The same is valid for mkfs.vfat (and possibly others).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6, libselinux-1.23.10-2

How reproducible:
Always

Steps to Reproduce:
1. insert ZIP media into ZIP drive (ATA)
2. run fdisk on ZIP drive device
3. see /var/log/messages for errors produced by targeted policy

Actual Results:
fdisk failed with:

[root@erazim Desktop]# fdisk /dev/hdd
Unable to open /dev/hdd
[root@erazim Desktop]#

and the following logs appeared in /var/log/messages:

Aug 5 22:46:12 erazim kernel: audit(1123274772.039:27): avc: denied { dac_override } for pid=4433 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug 5 22:46:12 erazim kernel: audit(1123274772.040:28): avc: denied { dac_override } for pid=4433 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug 5 22:46:12 erazim kernel: audit(1123274772.040:29): avc: denied { dac_read_search } for pid=4433 comm="fdisk" capability=2 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability

Expected Results:
fdisk should enter prompt mode and allow creating a partition on the ZIP diskette.

Additional info:
Ok I can add those rules, but could you turn off selinux enforcing mode to see if it requires any others?

setenforce 0

Then create the partition.

Dan
Ok, here are some (hopefully) relevant messages when doing fdisk and mkfs:

Aug 7 14:12:01 erazim kernel: audit(1123416721.645:5): avc: granted { setenforce } for pid=29425 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Aug 7 14:12:01 erazim dbus: avc: received setenforce notice (enforcing=0)
Aug 7 14:12:01 erazim dbus: avc: received setenforce notice (enforcing=0)
Aug 7 14:12:22 erazim kernel: audit(1123416742.781:6): avc: denied { dac_override } for pid=29431 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug 7 14:12:22 erazim kernel: hdd: 98304kB, 196608 blocks, 512 sector size
Aug 7 14:12:39 erazim kernel: hdd: hdd4
Aug 7 14:12:58 erazim kernel: hdd:
Aug 7 14:13:06 erazim last message repeated 2 times
Aug 7 14:13:35 erazim kernel: hdd: hdd1
Aug 7 14:13:37 erazim kernel: hdd: hdd1
Aug 7 14:13:43 erazim kernel: audit(1123416823.933:7): avc: denied { dac_override } for pid=29472 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
Aug 7 14:13:44 erazim kernel: hdd: hdd1
Aug 7 14:14:23 erazim kernel: hdd: hdd1
Aug 7 14:14:31 erazim last message repeated 2 times
Aug 7 14:14:43 erazim kernel: audit(1123416883.350:8): avc: denied { search } for pid=29535 comm="mkfs.ext2" name="techie" dev=dm-0 ino=2572291 scontext=root:system_r:fsadm_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
Aug 7 14:14:43 erazim kernel: hdd: hdd1

The mkfs commands ended with:

[root@erazim techie]# mkfs.ext2 /dev/hdd1
mke2fs 1.37 (21-Mar-2005)
mkfs.ext2: No such file or directory while trying to determine hardware sector size
[root@erazim techie]# mkfs.ext
mkfs.ext2 mkfs.ext3
[root@erazim techie]# mke2fs /dev/hdd1
mke2fs 1.37 (21-Mar-2005)
mke2fs: No such file or directory while trying to determine hardware sector size
[root@erazim techie]#

(and yes, I did run setenforce 0 as root)
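Added example, not part of the original report or of the policy project's code: one way to turn the AVC denials collected above into candidate allow rules for review, similar in spirit to what audit2allow does. The function names are hypothetical; the sample lines are copied from the logs in this report with the syslog prefix trimmed.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpts in this report (syslog prefix trimmed).
SAMPLE = """\
audit(1123274772.040:29): avc: denied { dac_read_search } for pid=4433 comm="fdisk" capability=2 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
audit(1123416721.645:5): avc: granted { setenforce } for pid=29425 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
audit(1123416742.781:6): avc: denied { dac_override } for pid=29431 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
audit(1123416823.933:7): avc: denied { dac_override } for pid=29472 comm="fdisk" capability=1 scontext=root:system_r:fsadm_t tcontext=root:system_r:fsadm_t tclass=capability
audit(1123416883.350:8): avc: denied { search } for pid=29535 comm="mkfs.ext2" name="techie" dev=dm-0 ino=2572291 scontext=root:system_r:fsadm_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict for an 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None  # granted records, dbus notices, kernel disk messages
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    ctx = [fields.get("scontext", "").split(":"), fields.get("tcontext", "").split(":")]
    if "tclass" not in fields or any(len(c) < 3 for c in ctx):
        return None  # truncated record: not enough to build a rule
    # Contexts are user:role:type[:level]; the type is the third field.
    return {"source": ctx[0][2], "target": ctx[1][2], "tclass": fields["tclass"],
            "perms": m.group("perms").split(), "comm": fields.get("comm")}


def candidate_rules(log_text):
    """Group denials by (source, target, class) and render allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        tgt = "self" if tgt == src else tgt  # same-domain access is written as 'self'
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

The output is a list to review rather than policy to load unchanged: dac_override lets the domain bypass file permission checks, so it is worth confirming why fdisk needs it before granting it.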
Fixed in selinux-policy-targeted-1.25.3-12
Thanks for the bug report. This particular bug was fixed and an update package was published for download. Please feel free to report any further bugs you find.