Discussion:
USB drive mounting via remote access
Robert Moskowitz
2018-09-18 12:10:13 UTC
I maintain some servers via VNC (over my internal network, firewall
rules prevent remote connections).

In the past, I would VNC in as root and I had all the control I needed. 
I am trying to get away from root over VNC.  I discovered that a user
account cannot mount a USB drive, no permissions.

This is true for a USB stick, USB connected HD, and a USB connected CD
burner (K3b does not even see the drive).

I am assuming this is an SELinux feature.  I want the user I have set up
for VNC access (that is also in the Wheel group) to be able to perform
this function.  I don't want to have to command line sudo mount, nor can
I figure out what k3b would need.

I have been googling this problem for a few days, but either my search
foo is weak (nothing new there), or there is really no information out
there on this.

So if this IS an SELinux feature, can someone help me with what I would
need as a policy rule?

Oh, right now I am doing this for Fedora 29-armhfp beta.  I will also be
doing it for Centos7-armhfp.

thanks
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject
Ed Greshko
2018-09-18 14:16:59 UTC
I doubt this is an selinux issue.  Of course you could test this by setting selinux
to permissive.

I say this is probably not an selinux issue since I have a F29Beta system (KDE)
running in a VM.  I have the system running a VNC server and connect to it.
While connected I insert a USB flash drive.  The systray of the VNC client recognizes
the USB flash drive.  When I indicate that I want to open it with a file viewer
(dolphin) I get a popup asking for a password.  The popup indicates it to be a
"policykit" request.

In order for me to make it work I think I'd have to make changes in the policykit
area.  Kinda late in my day but I may research in the AM. 
--
Cardinal Rule of Presentations: "Tell them what you are going to tell them, tell
them, then tell them what you told them."
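
Added example, not part of any poster's message: a polkit rule of the kind the reply above points toward, letting members of one group mount removable media without the admin password prompt. It assumes the desktop mounts through udisks2 and that the VNC account is in `wheel` as stated in the original post; `vncMountRule` and `fakeSubject` are names chosen for this example.

```javascript
// Added example: candidate /etc/polkit-1/rules.d/ rule (file name is the admin's choice).
// Assumptions: the desktop mounts through udisks2, and the VNC account is in "wheel".
var GROUP = "wheel";
var MOUNT_ACTIONS = [
    "org.freedesktop.udisks2.filesystem-mount",            // removable media on the caller's seat
    "org.freedesktop.udisks2.filesystem-mount-other-seat"  // media plugged into a different seat
];

// polkitd provides a global `polkit`; outside it (e.g. Node) fall back to the
// same result strings so the decision logic can be exercised offline.
var RESULT = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NOT_HANDLED: "not_handled" };

function vncMountRule(action, subject) {
    // Anything else (filesystem-mount-system, format, unlock...) keeps its default.
    if (MOUNT_ACTIONS.indexOf(action.id) === -1) {
        return RESULT.NOT_HANDLED;
    }
    // A VNC session is usually not an active local-seat session, so the rule
    // keys on group membership instead of subject.local / subject.active.
    if (!subject.isInGroup(GROUP)) {
        return RESULT.NOT_HANDLED;
    }
    return RESULT.YES;
}

// Constructed stand-in for polkit's Subject object, for offline checks only.
function fakeSubject(user, groups) {
    return {
        user: user, local: false, active: false,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}

if (typeof polkit !== "undefined") {
    polkit.addRule(vncMountRule);
}
```

`pkaction --verbose --action-id org.freedesktop.udisks2.filesystem-mount` shows the implicit defaults this rule overrides. Keeping the action list this short leaves system-device mounts and every other udisks2 operation behind the normal admin authentication.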
Robert Moskowitz
2018-09-18 17:15:53 UTC
Post by Ed Greshko
> I doubt this is an selinux issue.  Of course you could test this by setting selinux
> to permissive.
> I say this is probably not an selinux issue since I have a F29Beta system (KDE)
> running in a VM.  I have the system running a VNC server and connect to it.
> While connected I insert a USB flash drive.  The systray of the VNC client recognizes
> the USB flash drive.  When I indicate that I want to open it with a file viewer
> (dolphin) I get a popup asking for a password.  The popup indicates it to be a
> "policykit" request.
> In order for me to make it work I think I'd have to make changes in the policykit
> area.  Kinda late in my day but I may research in the AM.
Well I am off tomorrow for Yom Kippur, so you have time...

I am seeing the drive on my desktop.  Xfce is recognizing it.  But I
cannot mount it; get permissions error.

But the PolicyKit point is interesting.  See my addition to bug 484945

https://bugzilla.redhat.com/show_bug.cgi?id=484945

Robert Moskowitz
2018-09-18 17:49:44 UTC
Post by Ed Greshko
> I doubt this is an selinux issue.  Of course you could test this by setting selinux
> to permissive.
I should have remembered this.

setenforce 0

did not make a difference.  The problem is probably elsewhere...
Ed Greshko
2018-09-18 23:17:26 UTC
Post by Robert Moskowitz
> I should have remembered this.
> setenforce 0
> did not make a difference.  The problem is probably elsewhere...
And, IMO, you should post your query on the user's group.  I believe it is polkit
related and I am the last person that should be asked about polkit rules.  :-)
--
Cardinal Rule of Presentations: "Tell them what you are going to tell them, tell
them, then tell them what you told them."
Robert Moskowitz
2018-09-20 10:44:09 UTC
Post by Ed Greshko
> Post by Robert Moskowitz
> > I should have remembered this.
> > setenforce 0
> > did not make a difference.  The problem is probably elsewhere...
> And, IMO, you should post your query on the user's group.  I believe it is polkit
> related and I am the last person that should be asked about polkit rules.  :-)
I originally posted to the arm list, and after some backing and
forething, ended up here.  Seems I never posted this to the main list.
And maybe to the tiger-vncserver list as well...

:)

Roger and out.


mark
2018-09-18 14:51:34 UTC
Actually, there are two ways of dealing with it: on a desktop, at least on
the console (like my workstation), it automounts, and the user logged in
is notified. The other answer would be to sudo mount it.

mark
Robert Moskowitz
2018-09-18 17:12:21 UTC
Post by mark
> Actually, there are two ways of dealing with it: on a desktop, at least on
> the console (like my workstation), it automounts, and the user logged in
> is notified. The other answer would be to sudo mount it.
When I am on the local console, it does automount.  Not when I am
connected via VNC.

And I want to avoid a command line sudo mount.
