Access to cd device denied for cdp

Daniel J Walsh dwalsh at redhat.com
Wed Apr 28 15:57:29 UTC 2004


Andrew Farris wrote:

>Playing a cd from the terminal using cdp, or cdplay (non-interactive),
>results in the following avc in permissive mode (but the cd is allowed
>to play):
>
>Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc:
>denied  { ioctl } for  pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8
>ino=66203 scontext=user_u:user_r:user_t
>tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
>  
>

Please put in a bugzilla.  The problem is that /dev/hdc is labeled 
wrong.  It should have a label of removable_disk_device_t.
The problem is that there is currently no good way of telling a cdrom
disk from a fixed disk, from a policy point of view.  We are
investigating ideas around using kudzu to relabel the devices.

If you do a chcon -t removable_disk_device_t /dev/hdc
does the problem go away?

Dan

>This is not audited in enforcing mode.. but does not work either
>(program exits with "please chmod 666 /dev/cdrom as root").
>/dev/cdrom is symlinked directly to /dev/hdc.
>
>4.0K lrwxrwxrwx  1 0 0 8 Mar 29 17:26 /dev/cdrom -> /dev/hdc
>4.0K brw-rw-rw-  1 0 6 22, 0 Feb 23 13:02 /dev/hdc
>
>Is this expected, or desired behavior?  Shouldn't a locally logged in
>user be allowed access to audio cds? (perhaps should be -or is- tunable)
>
>I'm working with policy-sources-1.11.2-13.
>  
>
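
Added example (not part of the original message and not code from the SELinux tools): a small Python parser for the avc line quoted above. It extracts the denied permission and the source and target types and, given the expected type for /dev/hdc stated in the reply, builds the chcon command the reply suggests. The function names and the EXPECTED table are assumptions made for this illustration.

```python
import re

# The denial quoted in the message, rejoined from its wrapped mail lines.
SAMPLE = (
    "Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc: "
    "denied  { ioctl } for  pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8 "
    "ino=66203 scontext=user_u:user_r:user_t "
    "tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file"
)

# Expected label per the reply: /dev/hdc should be removable_disk_device_t.
EXPECTED = {"/dev/hdc": "removable_disk_device_t"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")


def parse_avc(line):
    """Return a dict of the avc record's fields, or None if line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # The rest is whitespace-separated key=value pairs (paths containing
    # spaces are not handled in this sketch).
    for token in m.group(3).split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    # A context is user:role:type; the type is what policy rules match on.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
    return rec


def suggest_relabel(rec, expected_types):
    """Return the chcon command if the target's type differs from expected."""
    want = expected_types.get(rec.get("path"))
    if want and rec.get("tcontext_type") != want:
        return "chcon -t %s %s" % (want, rec["path"])
    return None


if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record["perms"], record["scontext_type"], record["tcontext_type"])
    print(suggest_relabel(record, EXPECTED))
```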


