I maintain some servers via VNC (over my internal network, firewall rules prevent remote connections).
In the past, I would VNC in as root and I had all the control I needed. I am trying to get away from root over VNC. I discovered that a user account cannot mount a USB drive, no permissions.
This is true for a USB stick, USB connected HD, and a USB connected CD burner (K3b does not even see the drive).
I am assuming this is an SELinux feature. I want the user I have set up for VNC access (that is also in the Wheel group) to be able to perform this function. I don't want to have to command line sudo mount, nor can I figure out what k3b would need.
I have been googling this problem for a few days, but either my search foo is weak (nothing new there), or there is really no information out there on this.
So if this IS an SELinux feature, can someone help me with what I would need as a policy rule?
Oh, right now I am doing this for Fedora 29-armfhp beta. I will also be doing it for Centos7-armfhp.
thanks
On 9/18/18 8:10 PM, Robert Moskowitz wrote:
I maintain some servers via VNC (over my internal network, firewall rules prevent remote connections).
In the past, I would VNC in as root and I had all the control I needed. I am trying to get away from root over VNC. I discovered that a user account cannot mount a USB drive, no permissions.
This is true for a USB stick, USB connected HD, and a USB connected CD burner (K3b does not even see the drive).
I am assuming this is an SELinux feature. I want the user I have set up for VNC access (that is also in the Wheel group) to be able to perform this function. I don't want to have to command line sudo mount, nor can I figure out what k3b would need.
I have been googling this problem for a few days, but either my search foo is weak (nothing new there), or there is really no information out there on this.
So if this IS an SELinux feature, can someone help me with what I would need as a policy rule?
Oh, right now I am doing this for Fedora 29-armfhp beta. I will also be doing it for Centos7-armfhp.
I doubt this is an selinux issue. Of course you could test this by setting selinux to permissive.
I say this is probably not an selinux issue since I have a F29Beta system (KDE) running in a VM. I have the system running a VNC server and connect to it. While connected I insert a USB flash drive. The systray of the VNC client recognizes the USB flash drive. When I indicate that I want to open it with a file viewer (dolphin) I get a popup asking for a password. The popup indicates it to be a "policykit" request.
In order for me to make it work I think I'd have to make changes in the policykit area. Kinda late in my day but I may research in the AM.
On 9/18/18 10:16 AM, Ed Greshko wrote:
On 9/18/18 8:10 PM, Robert Moskowitz wrote:
I maintain some servers via VNC (over my internal network, firewall rules prevent remote connections).
In the past, I would VNC in as root and I had all the control I needed. I am trying to get away from root over VNC. I discovered that a user account cannot mount a USB drive, no permissions.
This is true for a USB stick, USB connected HD, and a USB connected CD burner (K3b does not even see the drive).
I am assuming this is an SELinux feature. I want the user I have set up for VNC access (that is also in the Wheel group) to be able to perform this function. I don't want to have to command line sudo mount, nor can I figure out what k3b would need.
I have been googling this problem for a few days, but either my search foo is weak (nothing new there), or there is really no information out there on this.
So if this IS an SELinux feature, can someone help me with what I would need as a policy rule?
Oh, right now I am doing this for Fedora 29-armfhp beta. I will also be doing it for Centos7-armfhp.
I doubt this is an selinux issue. Of course you could test this by setting selinux to permissive.
I say this is probably not an selinux issue since I have a F29Beta system (KDE) running in a VM. I have the system running a VNC server and connect to it. While connected I insert a USB flash drive. The systray of the VNC client recognizes the USB flash drive. When I indicate that I want to open it with a file viewer (dolphin) I get a popup asking for a password. The popup indicates it to be a "policykit" request.
In order for me to make it work I think I'd have to make changes in the policykit area. Kinda late in my day but I may research in the AM.
Well I am off tomorrow for Yom Kippur, so you have time...
I am seeing the drive on my desktop. Xfce is recognizing it. But I cannot mount it; get permissions error.
But the PolicyKit point is interesting. See my addition to bug 484945
On 9/18/18 10:16 AM, Ed Greshko wrote:
On 9/18/18 8:10 PM, Robert Moskowitz wrote:
I maintain some servers via VNC (over my internal network, firewall rules prevent remote connections).
In the past, I would VNC in as root and I had all the control I needed. I am trying to get away from root over VNC. I discovered that a user account cannot mount a USB drive, no permissions.
This is true for a USB stick, USB connected HD, and a USB connected CD burner (K3b does not even see the drive).
I am assuming this is an SELinux feature. I want the user I have set up for VNC access (that is also in the Wheel group) to be able to perform this function. I don't want to have to command line sudo mount, nor can I figure out what k3b would need.
I have been googling this problem for a few days, but either my search foo is weak (nothing new there), or there is really no information out there on this.
So if this IS an SELinux feature, can someone help me with what I would need as a policy rule?
Oh, right now I am doing this for Fedora 29-armfhp beta. I will also be doing it for Centos7-armfhp.
I doubt this is an selinux issue. Of course you could test this by setting selinux to permissive.
I should have remembered this.
setenforce 0
did not make a difference. The problem is probably elsewhere...
I say this is probably not an selinux issue since I have a F29Beta system (KDE) running in a VM. I have the system running a VNC server and connect to it. While connected I insert a USB flash drive. The systray of the VNC client recognizes the USB flash drive. When I indicate that I want to open it with a file viewer (dolphin) I get a popup asking for a password. The popup indicates it to be a "policykit" request.
In order for me to make it work I think I'd have to make changes in the policykit area. Kinda late in my day but I may research in the AM.
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
On 9/19/18 1:49 AM, Robert Moskowitz wrote:
I should have remembered this.
setenforce 0
did not make a difference. The problem is probably elsewhere...
And, IMO, you should post your query on the user's group. I believe it is polkit related and I am the last person that should be asked about polkit rules. :-)
On 9/18/18 7:17 PM, Ed Greshko wrote:
On 9/19/18 1:49 AM, Robert Moskowitz wrote:
I should have remembered this.
setenforce 0
did not make a difference. The problem is probably elsewhere...
And, IMO, you should post your query on the user's group. I believe it is polkit related and I am the last person that should be asked about polkit rules. :-)
I originally posted to the arm list, and after some backing and forething, Ended up here. Seems I never posted this to the main list. And maybe to the tiger-vncserver list as well...
:)
Roger and out.
Robert Moskowitz wrote:
I maintain some servers via VNC (over my internal network, firewall rules prevent remote connections).
In the past, I would VNC in as root and I had all the control I needed. I am trying to get away from root over VNC. I discovered that a user account cannot mount a USB drive, no permissions.
This is true for a USB stick, USB connected HD, and a USB connected CD burner (K3b does not even see the drive).
I am assuming this is an SELinux feature. I want the user I have set up for VNC access (that is also in the Wheel group) to be able to perform this function. I don't want to have to command line sudo mount, nor can I figure out what k3b would need.
I have been googling this problem for a few days, but either my search foo is weak (nothing new there), or there is really no information out there on this.
So if this IS an SELinux feature, can someone help me with what I would need as a policy rule?
Oh, right now I am doing this for Fedora 29-armfhp beta. I will also be doing it for Centos7-armfhp.
Actually, there are two ways of dealing with it: on a desktop, at least on the console (like my workstation), it automounts, and the user logged in is notified. The other answer would be to sudo mount it.
mark
On 9/18/18 10:51 AM, mark wrote:
Robert Moskowitz wrote:
I maintain some servers via VNC (over my internal network, firewall rules prevent remote connections).
In the past, I would VNC in as root and I had all the control I needed. I am trying to get away from root over VNC. I discovered that a user account cannot mount a USB drive, no permissions.
This is true for a USB stick, USB connected HD, and a USB connected CD burner (K3b does not even see the drive).
I am assuming this is an SELinux feature. I want the user I have set up for VNC access (that is also in the Wheel group) to be able to perform this function. I don't want to have to command line sudo mount, nor can I figure out what k3b would need.
I have been googling this problem for a few days, but either my search foo is weak (nothing new there), or there is really no information out there on this.
So if this IS an SELinux feature, can someone help me with what I would need as a policy rule?
Oh, right now I am doing this for Fedora 29-armfhp beta. I will also be doing it for Centos7-armfhp.
Actually, there are two ways of dealing with it: on a desktop, at least on the console (like my workstation), it automounts, and the user logged in is notified. The other answer would be to sudo mount it.
When I am on the local console, it does automount. Not when I am connected via VNC.
And I want to avoid a command line sudo mount.
selinux@lists.fedoraproject.org