Brasero/cdrecord/growisofs With Selinux Users Confined To Staff_u


Hello CentOS / RedHat / IBM folks!

I am wondering if I can get a communication channel opened with someone who can effect changes in upstream RHEL? I don’t have support accounts with RHEL, and use CentOS almost exclusively. I did have a direct email conversation with Mr. Daniel Walsh regarding these problems, but his answer was to create custom policy to allow what’s being denied, as there is no risk to doing so by his analysis. That said, I’m wondering if this isn’t more of a bug or a need to adjust the selinux policy packages to allow the functionality.

The user story is this: Gnome3 user wants to burn a CD/DVD. The system is selinux enforcing, selinux boolean cdrecord_read_content is set to on, and the user is confined to staff_u. When the user runs Brasero to burn a disk, the burn operation fails.

/var/log/audit/audit.log contains the following:
type=AVC msg=audit(1556724762.446:1133340): avc: denied { read } for pid

One thought on - Brasero/cdrecord/growisofs With Selinux Users Confined To Staff_u

  • File a bug in bugzilla.redhat.com.

    It is being denied because it doesn’t need getattr on those devices as that utility. So the utility is just sort of walking around looking for drives it could change... and while getattr sounds ok, it is not expected so should be dropped. Which is where Daniel Walsh’s analysis comes in... if you want it, then write a custom selinux policy. If you don’t then file a bug against brasero as it should not be walking around looking for devices it could access... it should have a subset of ones it knows it can and not walk around.
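As an added example (not code from the thread, and not a replacement for audit2allow), the following Python groups AVC denial records into the allow rules a local policy module would need, so each candidate rule can be weighed against the point made in the reply above: whether the access is something the application genuinely needs, or, like the getattr walk over block devices, something to report as a bug rather than allow. The audit records, security contexts, pids and inode numbers are constructed, since the original log is shown only truncated.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records for the thread's scenario (staff_u user running
# brasero); the poster's log is shown only truncated, so contexts, pids and inodes are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1556724762.446:1133340): avc:  denied  { read } for  pid=2371 comm="brasero" name="sr0" dev="devtmpfs" ino=9876 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1556724762.447:1133341): avc:  denied  { getattr } for  pid=2371 comm="brasero" path="/dev/sda" dev="devtmpfs" ino=1234 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1556724762.448:1133342): avc:  denied  { getattr } for  pid=2371 comm="brasero" path="/dev/sdb" dev="devtmpfs" ino=1235 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=SYSCALL msg=audit(1556724762.448:1133342): arch=c000003e syscall=4 success=no exit=-13
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." -- permissions sit inside the braces,
# the key=value fields (scontext, tcontext, tclass, ...) follow "for".
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def type_of(context):
    """Third field of user:role:type:level is the type that policy rules are written against."""
    return context.split(':')[2]

def summarize_denials(log_text):
    """Group denials as (source type, target type, object class) -> set of permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        grouped[key].update(rec['perms'])
    return dict(grouped)

def to_allow_rules(summary):
    """Render each group as the allow rule a local policy module would need for it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each emitted rule is a decision point, not a fix: the read on the removable device is the one the cdrecord_read_content boolean is meant to cover, while the getattr rules on fixed disks are the device walk the reply says brasero should not be doing.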