On 29-07-2006, Sat, at 09:40 -0400, Jesse Keating wrote:

> It's different by manufacturer which is why we can't just
> say 'these commands are safe for all devices', it has to be on a per-device
> level and the kernel currently can't handle that. Needs to be fixed in the
> upstream kernel.

This way the kernel has to be taught which device is a burner, has to have an API to switch modes (or transparently sniff SCSI commands to know which mode the burner is in), and for every burner model has to have big lists of commands allowed in each of its modes of operation.

We all know cdrecord already knows or pretends to know what to say to which device. Did it EVER make a burner explode or something? (The Mandrake thing with LG/Lite-On was about CD-ROMs and the kernel, not cdrecord.)

I have an ATA DVD-ROM and a SCSI CD-R in this FC5 machine. The kernel doesn't say anything in dmesg about my burner being a burner, but hal knows that (lshal says storage.cdrom.cdr = true).

It's possible to give cdrecord some specific SELinux attributes (type?). Maybe it would be possible to give this process full access to devices with some other specific attribute. The script which takes lshal's output and does some chcon on every burner device is trivial; probably a patch to udev would be better (I'm not into its workings) and can be done. This way we can be sure cdrecord is not allowed to send any commands to devices not being CD burners, but is allowed to do anything it wants with the burners.

What can happen? FLASH FIRMWARE? Come on, we're talking about cdrecord and its privileges, not any other process in the system. I trust cdrecord to the point of making it suid root (thanks for making it work in updates-testing for FC5, BTW); I'd trust it even more when it runs with user rights + the right to send whatever it wants to the only burner in my computer.

So the question is: can it be done with SELinux?

Lam
Attachment: signature.asc (This is a digitally signed part of the message)
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
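The message above sketches a script that reads lshal output, finds every drive with storage.cdrom.cdr = true, and relabels that device so only a burner-capable SELinux domain can reach it. The following shell script is an added example of that idea and is not code from the original post or from the Fedora project. It embeds a constructed sample of lshal output instead of calling lshal, and the SELinux type name burner_device_t is a hypothetical placeholder; the chcon calls are printed rather than executed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): derive the list of CD burner
# block devices from lshal output and emit the chcon calls that would label
# them with a burner-specific SELinux type. The type name is hypothetical.

BURNER_TYPE="burner_device_t"   # hypothetical SELinux type for burner nodes

# Constructed sample of `lshal` output: a DVD-ROM, a CD-R burner and a disk.
SAMPLE_LSHAL="udi = '/org/freedesktop/Hal/devices/storage_model_DVD_ROM'
  block.device = '/dev/hdc'  (string)
  storage.cdrom.cdr = false  (bool)
  storage.cdrom.dvd = true  (bool)

udi = '/org/freedesktop/Hal/devices/storage_model_CD_R'
  block.device = '/dev/scd0'  (string)
  storage.cdrom.cdr = true  (bool)
  storage.cdrom.dvd = false  (bool)

udi = '/org/freedesktop/Hal/devices/storage_model_HDD'
  block.device = '/dev/sda'  (string)
  storage.drive_type = 'disk'  (string)
"

# burner_devices: read lshal text on stdin and print the block.device of
# every entry whose storage.cdrom.cdr property is true, one per line.
# Entries start at a "udi = " line and are separated by a blank line.
burner_devices() {
    awk -v q="'" '
        /^udi = /                { dev = ""; cdr = "" }
        /block\.device = /       { gsub(q, "", $3); dev = $3 }
        /storage\.cdrom\.cdr = / { cdr = $3 }
        /^$/                     { if (cdr == "true" && dev != "") print dev; dev = ""; cdr = "" }
        END                      { if (cdr == "true" && dev != "") print dev }
    '
}

# label_burners: for each burner device, print (or with RUN=1 execute) the
# chcon that gives it BURNER_TYPE, so that policy can allow cdrecord's domain
# to reach burners while every other block device keeps its default label.
label_burners() {
    burner_devices | while read -r dev; do
        if [ "${RUN:-0}" = "1" ]; then
            chcon -t "$BURNER_TYPE" "$dev"
        else
            echo "chcon -t $BURNER_TYPE $dev"
        fi
    done
}

# On a real host this would be `lshal | label_burners`; here the sample is used.
printf '%s' "$SAMPLE_LSHAL" | label_burners
```

The relabel only addresses the device-node side of the message's proposal; the matching policy rule that permits cdrecord's domain to open and ioctl burner_device_t devices, and denies other device types, would still have to be written separately.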