Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
On Wed, 2006-04-12 at 09:12 -0500, J. K. Cliburn wrote:
> On 4/12/06, Ron Yorston <rmy(a)tigress.co.uk> wrote:
> > "J. K. Cliburn" <jcliburn(a)gmail.com> wrote:
> > >When I try to open a floppy drive in Nautilus, nothing happens except
> > >the following message is logged in /var/log/messages.
> > >
> > >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied
> > >{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
> > >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
> > >tclass=file
> > >
> > >What do I need to do to enable opening the floppy drive?
> >
>
> > chcon -t etc_runtime_t /etc/mtab
>
> Thanks for your reply, Ron. If "ls -Z" already shows etc_runtime_t on
> /etc/mtab, will the chcon you suggest change anything? (Just trying
> to learn.)
No, it won't relabel if it already has the right type. But from your
avc message, at some earlier point, it had the wrong type (etc_t). The
implication is that some process re-created /etc/mtab at some point
without having a proper type transition, so it was left in etc_t, and
later it was again re-created but this time by a process with a type
transition defined, so that it was put back into etc_runtime_t.
And "some process" can be as simple as umount:
# ls -Z /etc/mtab
-rw-r--r-- root root system_u:object_r:etc_runtime_t /etc/mtab
# ls -i /etc/mtab
31987 /etc/mtab
# umount /opt
# ls -Z /etc/mtab
-rw-r--r-- root root user_u:object_r:etc_t /etc/mtab
# ls -i /etc/mtab
33358 /etc/mtab

Ron
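An added example, not part of this thread or of any SELinux tool: a small Python triage over AVC denial lines like the one quoted above, which pulls out the source and target types and flags a target whose type differs from what policy expects for that file (the /etc/mtab relabel case discussed here) as a labeling problem rather than a policy gap. The EXPECTED_TYPE table and the second sample line are assumptions of the example.

```python
import re

# Constructed samples: the first is the denial quoted in the thread, re-joined
# on one line; the second is a made-up denial whose label is as policy expects.
SAMPLE_LOG = [
    'Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied '
    '{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966 '
    'scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file',
    'Apr 11 20:03:10 osprey kernel: audit(1144803790.100:27): avc: denied '
    '{ read } for pid=6801 comm="cat" name="shadow" dev=hda3 ino=12345 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

# Types policy expects on files that get re-created at runtime. Only the mtab
# entry comes from the thread; the table itself is an assumption of this example.
EXPECTED_TYPE = {"mtab": "etc_runtime_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the type is the third component.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def classify(rec):
    """'mislabeled' if the target's type differs from what policy expects, else 'policy'."""
    expected = EXPECTED_TYPE.get(rec.get("name"))
    if expected and rec.get("tcontext_type") != expected:
        return "mislabeled", expected
    return "policy", None

def triage(lines):
    """Parse each line and return (name, source type, target type, verdict, expected)."""
    results = []
    for rec in filter(None, map(parse_avc, lines)):
        verdict, expected = classify(rec)
        results.append((rec.get("name"), rec.get("scontext_type"), rec.get("tcontext_type"), verdict, expected))
    return results

if __name__ == "__main__":
    for name, stype, ttype, verdict, expected in triage(SAMPLE_LOG):
        print(name, stype, "->", ttype, verdict, expected or "")
```

A "mislabeled" verdict points at the file's label (the chcon in the thread) rather than at policy; a "policy" verdict means the label is right and the denial is what policy intends.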