On Wed, 2004-04-28 at 11:57 -0400, Daniel J Walsh wrote:
> Andrew Farris wrote:
>
> >Playing a cd from the terminal using cdp, or cdplay (non-interactive),
> >results in the following avc in permissive mode (but the cd is allowed
> >to play):
> >
> >Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc:
> >denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8
> >ino=66203 scontext=user_u:user_r:user_t
> >tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> >
>
> Please put in a bugzilla. The problem is that /dev/hdc is labeled
> wrong. It should have a label of removable_disk_device_t.
> The problem is there is currently no good way of determining what cdrom
> disk is from a fixed disk, from a policy point of
> view. We are investigating ideas around using kudzu to relabel the devices.
>
> If you do a chcon -t removable_disk_device_t /dev/hdc
> does the problem go away?
>
> Dan
>
> >I'm working with policy-sources-1.11.2-13.

Now working with policy-sources-1.11.2-18 and removable_disk_device_t is not a valid argument to chcon, however removable_device_t is, and when I relabel /dev/hdc such it does allow me to play the cd in enforcing mode, this is the solution.

brw-rw-rw-+ root disk system_u:object_r:removable_device_t /dev/hdc

I will add this to bugzilla if not there already today.

--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora@xxxxxxxxxxxxxxxx :: lmorgul on irc.freenode.net

"The only thing necessary for the triumph of evil is for good men to do nothing." (Edmond Burke)