Re: SELinux enforcing disallows opening floppy drive in Nautilus
- From: Stephen Smalley <sds tycho nsa gov>
- To: Ron Yorston <rmy tigress co uk>
- Cc: Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: SELinux enforcing disallows opening floppy drive in Nautilus
- Date: Wed, 12 Apr 2006 14:43:53 -0400
On Wed, 2006-04-12 at 19:33 +0100, Ron Yorston wrote:
> Stephen Smalley <sds tycho nsa gov> wrote:
> >On Wed, 2006-04-12 at 09:12 -0500, J. K. Cliburn wrote:
> >> On 4/12/06, Ron Yorston <rmy tigress co uk> wrote:
> >> > "J. K. Cliburn" <jcliburn gmail com> wrote:
> >> > >When I try to open a floppy drive in Nautilus, nothing happens except
> >> > >the following message is logged in /var/log/messages.
> >> > >
> >> > >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied
> >> > >{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
> >> > >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
> >> > >tclass=file
> >> > >
> >> > >What do I need to do to enable opening the floppy drive?
> >> >
> >>
> >> > chcon -t etc_runtime_t /etc/mtab
> >>
> >> Thanks for your reply, Ron. If "ls -Z" already shows etc_runtime_t on
> >> /etc/mtab, will the chcon you suggest change anything? (Just trying
> >> to learn.)
> >
> >No, it won't relabel if it already has the right type. But from your
> >avc message, at some earlier point, it had the wrong type (etc_t). The
> >implication is that some process re-created /etc/mtab at some point
> >without having a proper type transition, so it was left in etc_t, and
> >later it was again re-created but this time by a process with a type
> >transition defined, so that it was put back into etc_runtime_t.
>
> And "some process" can be as simple as umount:
>
> # ls -Z /etc/mtab
> -rw-r--r-- root root system_u:object_r:etc_runtime_t /etc/mtab
> # ls -i /etc/mtab
> 31987 /etc/mtab
> # umount /opt
> # ls -Z /etc/mtab
> -rw-r--r-- root root user_u:object_r:etc_t /etc/mtab
> # ls -i /etc/mtab
> 33358 /etc/mtab
Hmm...that's interesting. umount should run in the same domain as
mount, and they should thus have a type transition on etc_t:file to
etc_runtime_t.

ls -Z /bin/umount
--
Stephen Smalley
National Security Agency
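The diagnosis in this thread rests on reading the avc denial: the source domain is mount_t, the target file is /etc/mtab, and its type is etc_t rather than the etc_runtime_t that the mount domain is allowed to write. The following is an added example, not code from the thread or from the SELinux project: a small parser for audit "avc: denied" lines of the form quoted above, plus a check that flags a target whose type differs from what is expected for that file name. The single sample line is constructed (modelled on the one quoted in the thread, re-joined onto one line), and the EXPECTED table mapping mtab to /etc/mtab and etc_runtime_t is an assumption taken from Ron's chcon suggestion, not a general policy rule.

```python
import re

# Constructed sample, modelled on the denial quoted in the thread but
# joined back onto a single line the way the kernel originally logs it.
SAMPLE_AVC = (
    'Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied '
    '{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966 '
    'scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 '
    'tclass=file'
)

# "avc: denied { perm ... } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: which type a given file name is expected to
# carry, and where it lives. Taken from the thread's advice for /etc/mtab.
EXPECTED = {
    'mtab': ('/etc/mtab', 'etc_runtime_t'),
}


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')   # comm="mount" -> mount
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def diagnose(rec):
    """Compare the denied target's type with the expected type for that file name.

    Returns a dict describing the mislabel and the relabel command the thread
    suggests, or None when the name is unknown or the label already matches.
    """
    name = rec.get('name')
    if name not in EXPECTED or 'tcontext' not in rec:
        return None
    path, expected = EXPECTED[name]
    actual = context_type(rec['tcontext'])
    if actual == expected:
        return None
    return {
        'path': path,
        'source_type': context_type(rec['scontext']),
        'actual_type': actual,
        'expected_type': expected,
        'perms': rec['perms'],
        'fix': f'chcon -t {expected} {path}',
    }


def scan_log(lines):
    """Run parse + diagnose over log lines; return only the mislabel findings."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        finding = diagnose(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_log([SAMPLE_AVC, 'Apr 11 20:02:03 osprey kernel: unrelated']):
        print(f"{f['path']} is {f['actual_type']}, expected {f['expected_type']} "
              f"(denied {f['perms']} from {f['source_type']}); fix: {f['fix']}")
```

Note that a correct label on /etc/mtab at the time you look (as "ls -Z" showed for the original poster) does not contradict an older denial: the denial records the type the file had when mount was refused, which is exactly what the thread concludes about the file having been re-created without a type transition in between.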