SELinux enforcing disallows opening floppy drive in Nautilus

Stephen Smalley sds at tycho.nsa.gov
Wed Apr 12 14:32:39 UTC 2006


On Wed, 2006-04-12 at 09:12 -0500, J. K. Cliburn wrote:
> On 4/12/06, Ron Yorston <rmy at tigress.co.uk> wrote:
> > "J. K. Cliburn" <jcliburn at gmail.com> wrote:
> > >When I try to open a floppy drive in Nautilus, nothing happens except
> > >the following message is logged in /var/log/messages.
> > >
> > >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc:  denied
> > >{ write } for  pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
> > >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
> > >tclass=file
> > >
> > >What do I need to do to enable opening the floppy drive?
> >
> 
> >    chcon -t etc_runtime_t /etc/mtab
> 
> Thanks for your reply, Ron.  If "ls -Z" already shows etc_runtime_t on
> /etc/mtab, will the chcon you suggest change anything?  (Just trying
> to learn.)

No, it won't relabel if it already has the right type.  But from your
avc message, at some earlier point, it had the wrong type (etc_t).  The
implication is that some process re-created /etc/mtab at some point
without having a proper type transition, so it was left in etc_t, and
later it was again re-created but this time by a process with a type
transition defined, so that it was put back into etc_runtime_t.

Dan has introduced a daemon (restorecond) as an attempt to provide a way
to automatically detect and reset contexts on files like this, where it
is difficult to ensure that the file retains the right type under
targeted policy because not all programs run confined.

-- 
Stephen Smalley
National Security Agency
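As an added illustration of the diagnosis Stephen gives above (this is example code written for this page, not a script from the thread or from the SELinux project), the following POSIX shell script pulls the fields out of an AVC denial, compares the object's current type with the type the policy expects, and says whether a relabel is the fix. The sample AVC line is the one from the original report, copied here as a constructed string. The script assumes matchpathcon(1) and restorecon(8) from the SELinux userland are present when it is run on a real box; where matchpathcon is missing it falls back to etc_runtime_t, the type Ron named for /etc/mtab, which is an assumption about this particular Fedora policy.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Parse an AVC denial and decide whether the target object is merely
# mislabeled (fixable with restorecon / chcon, and what restorecond is
# meant to keep right) or whether the label is correct and the denial is
# a genuine gap in policy.

# Constructed sample: the denial from the original report, on one line.
SAMPLE_AVC='audit(1144803722.736:26): avc:  denied  { write } for  pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type the file_contexts database assigns to PATH.
# Uses matchpathcon when the SELinux userland is installed; returns
# non-zero otherwise so the caller can supply the type by hand.
expected_type() {
    command -v matchpathcon >/dev/null 2>&1 || return 1
    ctx=$(matchpathcon -n "$1") || return 1
    ctx_type "$ctx"
}

# avc_verdict LINE EXPECTED_TYPE: prints "mislabeled" when the object's
# current type differs from what policy wants (a relabel fixes it), or
# "policy" when the label is already right and the rule itself is missing.
avc_verdict() {
    actual=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then
        echo mislabeled
    else
        echo policy
    fi
}

# avc_summary LINE: one-line human-readable summary of the denial.
avc_summary() {
    printf '%s denied %s on %s (%s): %s -> %s\n' \
        "$(avc_field "$1" comm)" "$(avc_perms "$1")" \
        "$(avc_field "$1" name)" "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# Stand-alone run: ask the installed policy when possible, otherwise assume
# the etc_runtime_t type Ron named for /etc/mtab (an assumption).
want=$(expected_type /etc/mtab) || want=etc_runtime_t
avc_summary "$SAMPLE_AVC"
case $(avc_verdict "$SAMPLE_AVC" "$want") in
    mislabeled)
        echo "/etc/mtab carries the wrong type; fix with: restorecon -v /etc/mtab"
        echo "(chcon -t $want /etc/mtab does the same; restorecond keeps it fixed)" ;;
    policy)
        echo "label is correct; the policy itself lacks the rule" ;;
esac
```

The point of the verdict is the one Stephen makes: a denial whose tcontext shows etc_t on a file that matchpathcon says should be etc_runtime_t means some unconfined process re-created the file without a type transition, and the remedy is a relabel, not a policy change. Only when the label already matches what the policy expects is a new allow rule worth considering.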



