SELinux enforcing disallows opening floppy drive in Nautilus

Ron Yorston rmy at tigress.co.uk
Wed Apr 12 18:33:26 UTC 2006


Stephen Smalley <sds at tycho.nsa.gov> wrote:
>On Wed, 2006-04-12 at 09:12 -0500, J. K. Cliburn wrote:
>> On 4/12/06, Ron Yorston <rmy at tigress.co.uk> wrote:
>> > "J. K. Cliburn" <jcliburn at gmail.com> wrote:
>> > >When I try to open a floppy drive in Nautilus, nothing happens except
>> > >the following message is logged in /var/log/messages.
>> > >
>> > >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc:  denied
>> > >{ write } for  pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
>> > >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
>> > >tclass=file
>> > >
>> > >What do I need to do to enable opening the floppy drive?
>> >
>> 
>> >    chcon -t etc_runtime_t /etc/mtab
>> 
>> Thanks for your reply, Ron.  If "ls -Z" already shows etc_runtime_t on
>> /etc/mtab, will the chcon you suggest change anything?  (Just trying
>> to learn.)
>
>No, it won't relabel if it already has the right type.  But from your
>avc message, at some earlier point, it had the wrong type (etc_t).  The
>implication is that some process re-created /etc/mtab at some point
>without having a proper type transition, so it was left in etc_t, and
>later it was again re-created but this time by a process with a type
>transition defined, so that it was put back into etc_runtime_t.

And "some process" can be as simple as umount:

   # ls -Z /etc/mtab
   -rw-r--r--  root     root     system_u:object_r:etc_runtime_t  /etc/mtab
   # ls -i /etc/mtab
   31987 /etc/mtab
   # umount /opt
   # ls -Z /etc/mtab
   -rw-r--r--  root     root     user_u:object_r:etc_t            /etc/mtab
   # ls -i /etc/mtab
   33358 /etc/mtab

Ron
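An added example, not part of this thread or of any of its posters' messages: a small POSIX shell script that detects the symptom described above, /etc/mtab re-created with type etc_t instead of etc_runtime_t, both from an AVC denial line and from an `ls -Z` line. The sample log and `ls -Z` lines are constructed (modelled on the ones quoted in the thread), the security context is located by its `object_r` role rather than by column so the older and newer `ls -Z` layouts both work, and the suggested fixes are the `chcon` from the thread and `restorecon`, the standard policy-driven relabel.

```shell
#!/bin/sh
# Added example, not from the thread: spot /etc/mtab left in etc_t (instead of
# etc_runtime_t) from an AVC denial line and from an `ls -Z` line.
# The sample lines below are constructed, modelled on the ones quoted above.

AVC_LINE='Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc:  denied  { write } for  pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file'
LSZ_GOOD='-rw-r--r--  root     root     system_u:object_r:etc_runtime_t  /etc/mtab'
LSZ_BAD='-rw-r--r--  root     root     user_u:object_r:etc_t            /etc/mtab'

# avc_field LINE KEY: print the value of KEY=value from an AVC line,
# with surrounding double quotes removed (empty output if KEY is absent).
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
            }
    }'
}

# ctx_type CONTEXT: the type component (third field) of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# lsz_context LINE: the security context field of an `ls -Z` line, found by
# its object_r role rather than by position, so column layout does not matter.
lsz_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { print $i; exit }
    }'
}

# avc_is_mtab_mislabel LINE: true when the denial is on a file named mtab
# whose target type is etc_t, i.e. the symptom described in the thread.
avc_is_mtab_mislabel() {
    [ "$(avc_field "$1" name)" = "mtab" ] &&
    [ "$(avc_field "$1" tclass)" = "file" ] &&
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = "etc_t" ]
}

# check_mtab_label LINE: 0 when the `ls -Z` line shows etc_runtime_t,
# 1 otherwise (printing the relabel commands root would run).
check_mtab_label() {
    t=$(ctx_type "$(lsz_context "$1")")
    if [ "$t" = "etc_runtime_t" ]; then
        echo "ok: /etc/mtab is etc_runtime_t"
        return 0
    fi
    echo "mislabelled: /etc/mtab is $t" \
         "(fix: restorecon -v /etc/mtab, or chcon -t etc_runtime_t /etc/mtab)"
    return 1
}

# Demo over the constructed lines; on a live system feed in
# `grep avc /var/log/messages` and `ls -Z /etc/mtab` output instead.
if avc_is_mtab_mislabel "$AVC_LINE"; then
    echo "denial from comm=$(avc_field "$AVC_LINE" comm): mtab carries type" \
         "$(ctx_type "$(avc_field "$AVC_LINE" tcontext)")"
fi
check_mtab_label "$LSZ_GOOD"
check_mtab_label "$LSZ_BAD" || true
```

Run on a live box, `check_mtab_label "$(ls -Z /etc/mtab)"` after each mount or umount makes the relabelling Ron shows above visible immediately, and piping `grep 'avc:.*name="mtab"' /var/log/messages` through `avc_is_mtab_mislabel` line by line turns the logged denial into an alert rather than a silent failure in Nautilus.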




More information about the fedora-selinux-list mailing list