On Wed, Apr 28, 2004 at 05:53:16PM -0700, Andrew Farris wrote:
> From: Andrew Farris <fedora@xxxxxxxxxxxxxxxx>
>
> Andrew Farris wrote:
> >
> > >Playing a cd from the terminal using cdp, or cdplay (non-interactive),
> > >results in the following avc in permissive mode (but the cd is allowed
> > >to play):
> > >
> > >Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc:
> > >denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8
> > >ino=66203 scontext=user_u:user_r:user_t
> > >tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> > >
> > Please put in a bugzilla. The problem is that /dev/hdc is labeled
> > wrong.
> this is the solution.
> brw-rw-rw-+ root disk system_u:object_r:removable_device_t /dev/hdc
>
> I will add this to bugzilla if not there already today.

Should there be some distinctions for removable media eventually, i.e. "removable-rw-storage" or something reflecting a function.... USBflashstick, Floppy, iPod, tape, CDRW. Match this with "removable-ro-storage" for things like music CDs, iPod or other content in a "roach motel environment" where stuff might check in but never check out ;-). In the iPod case policy could enforce read only. With hotplug hardware I can see disk controllers and other removable devices.

I know I am splitting a hair...

--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.