Failed CD mount as normal user (enforcing), works in permissive

Andrew Farris fedora at andrewfarris.com
Sun Apr 18 23:35:59 UTC 2004


Mounting FC1 cd1 as normal user fails when in enforcing mode, but is
allowed (with audit) when in permissive mode.

Note: I relinked files in a modified way; it is straightforward, but I
apologize if it confuses (/mnt/cdrom1 is not used, but links
to /mnt/cdrw).

/mnt/cdrw: directory
/dev/hdd: block special (22/64)

426829 8 drwxr-xr-x   2 system_u:object_r:mnt_t 0 0 4 Mar 29 17:33 cdrw/
 66236 4 brw-------   1 system_u:object_r:fixed_disk_device_t 502   6 22,  64 Feb 23 13:02 hdd

 $-> getenforce
enforcing
 $-> mount /mnt/cdrw
mount: only root can mount /dev/hdd on /mnt/cdrw

(root runs setenforce 0)
(normal user)
 $-> mount /mnt/cdrw
(success mounting)

-- audit generated
Apr 18 18:17:07 CirithUngol kernel: audit(1082326627.383:0): avc:
denied  { getattr } for  pid=20162 exe=/bin/mount path=/dev/hdd dev=hdb8
ino=66236 scontext=user_u:user_r:user_mount_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

/etc/fstab entry:
/dev/hdd        /mnt/cdrw         iso9660        noauto,owner,ro 0 0

policy version:
policy-1.11.2-9

(a full relabel was not performed since this policy was updated)
-- 
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora at andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmund Burke)
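
Added example (not part of the original post): a small Python parser for the AVC record quoted in the message. It extracts the source type, target type, class and permissions, and prints the type-enforcement rule the loaded policy lacks, similar in spirit to what audit2allow reports. The function names are hypothetical, the sample is the post's log entry joined onto one line, and the printed rule is a triage aid, not a recommended policy change.

```python
import re

# Constructed sample: the denial from the post, unwrapped onto a single line.
SAMPLE = ("Apr 18 18:17:07 CirithUngol kernel: audit(1082326627.383:0): avc: "
          "denied  { getattr } for  pid=20162 exe=/bin/mount path=/dev/hdd "
          "dev=hdb8 ino=66236 scontext=user_u:user_r:user_mount_t "
          "tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file")

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not a usable AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group(3)):
        rec[key] = value
    if "tclass" not in rec:
        return None
    # A context is user:role:type; the type is what type enforcement checks.
    for side in ("scontext", "tcontext"):
        if rec.get(side, "").count(":") < 2:
            return None
        rec[side[0] + "type"] = rec[side].split(":")[2]   # stype / ttype
    return rec

def _fmt(stype, ttype, tclass, perms):
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, body)

def missing_rules(lines):
    """Merge denials by (source type, target type, class) and de-duplicate permissions."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            merged.setdefault(key, set()).update(rec["perms"])
    return [_fmt(*key, sorted(perms)) for key, perms in sorted(merged.items())]

if __name__ == "__main__":
    for rule in missing_rules([SAMPLE]):
        print(rule)
```

Log lines wrapped by a mail client, as in the post, have to be joined back into one line per record before parsing.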



