Hi,
I'm facing a challenge with SELinux and, because I didn't get an explanation elsewhere, I'm trying to explain it here. I have decided to mount /var/spool/cron on a separate partition and apply quota for regular users. But quotacheck replies with "permission denied".
quotacheck: Cannot create new quotafile /var/spool/cron/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
Indeed, files in that directory have a context which denies the quotacheck process writing files. To become suitable for quota, those files (aquota.user and aquota.group) must have the quota_db_t type (in their context). If I use restorecon /var/spool/cron/aquota.user, it reports that there is no default context for that file.
[root@CentOS active]# touch /var/spool/cron/aquota.user
[root@CentOS active]# restorecon /var/spool/cron/
[root@CentOS active]# ls -lZ /var/spool/cron/
-rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 aquota.user
[root@CentOS active]# restorecon /var/spool/cron/aquota.user
restorecon: Warning no default label for /var/spool/cron/aquota.user
Semanage reports this:
[root@CentOS active]# semanage fcontext -l | grep quota
/a?quota.(user|group)                        regular file    system_u:object_r:quota_db_t:s0
/boot/a?quota.(user|group)                   regular file    system_u:object_r:quota_db_t:s0
/etc/a?quota.(user|group)                    regular file    system_u:object_r:quota_db_t:s0
/sbin/quota(check|on)                        regular file    system_u:object_r:quota_exec_t:s0
/usr/sbin/convertquota                       regular file    system_u:object_r:quota_exec_t:s0
/usr/sbin/quota_nld                          regular file    system_u:object_r:quota_nld_exec_t:s0
/usr/sbin/rpc.rquotad                        regular file    system_u:object_r:rpcd_exec_t:s0
/var/a?quota.(user|group)                    regular file    system_u:object_r:quota_db_t:s0
/var/lib/openshift/a?quota.(user|group)      regular file    system_u:object_r:quota_db_t:s0
/var/lib/quota(/.*)?                         all files       system_u:object_r:quota_flag_t:s0
/var/lib/stickshift/a?quota.(user|group)     regular file    system_u:object_r:quota_db_t:s0
/var/run/quota_nld.pid                       regular file    system_u:object_r:quota_nld_var_run_t:s0
/var/spool/(.*/)?a?quota.(user|group)        regular file    system_u:object_r:quota_db_t:s0
Take a look at the last line. Isn't that a default context for /var/spool/cron/aquota.user? It looks like https://bugzilla.redhat.com/show_bug.cgi?id=703871
What's your opinion?
Elji Udia
On 12/19/2013 02:31 PM, EljiUdia wrote:
The problem is the way the algorithm that figures out the best match works.
restorecon is using
/var/spool/cron/[^/]* -- <<none>>
instead of
/var/spool/(.*/)?a?quota.(user|group) regular file system_u:object_r:quota_db_t:s0
I just added
/var/spool/cron/a?quota.(user|group) -- system_u:object_r:quota_db_t:s0
Which now gets:
matchpathcon /var/spool/cron/aquota.user
/var/spool/cron/aquota.user    system_u:object_r:quota_db_t:s0
If you want to fix this on your machine, just add:
semanage fcontext -a -t quota_db_t /var/spool/cron/aquota.user
restorecon /var/spool/cron/aquota.user
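The "best match" behaviour Dan describes above, as an added example that is not part of this thread and not code from libselinux or fc_sort: a small Python model of the order fc_sort gives file_contexts entries and of the last-match-wins lookup, fed with the entries quoted in the thread. The sort rules (regexes with metacharacters before literal paths, then shorter stems before longer, then entries without a file type before entries with one, then shorter literal prefix before longer), the catch-all `/.*` entry, and treating file_contexts.local as loaded after the base file are assumptions of the model and are marked as such in the comments.

```python
"""Why restorecon picks <<none>> for /var/spool/cron/aquota.user.

Simplified model written for this thread (assumption: it mirrors how fc_sort
orders file_contexts and how libselinux scans that list from the end so the
LAST matching entry wins; file_contexts.local, which `semanage fcontext -a`
writes, is loaded after the base file and therefore tried first).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

META = set(r".^$?*+|[](){}")      # regex metacharacters fc_sort looks for


@dataclass(frozen=True)
class Spec:
    regex: str                    # the file_contexts regular expression
    ftype: Optional[str]          # "--" regular file, "-d" directory, None = any
    context: Optional[str]        # None models <<none>> (leave the label alone)


def _literal_prefix(regex: str) -> Tuple[str, bool]:
    """Literal text before the first metacharacter, and whether one exists."""
    out, i = [], 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):   # escaped char is literal
            out.append(regex[i + 1])
            i += 2
            continue
        if ch in META:
            return "".join(out), True
        out.append(ch)
        i += 1
    return "".join(out), False


def sort_key(spec: Spec) -> Tuple[int, int, int, int]:
    """Ascending specificity, assumed to follow fc_sort's rules (see docstring)."""
    prefix, has_meta = _literal_prefix(spec.regex)
    stem_len = max(prefix.rfind("/"), 0)   # "/var/spool/cron/[^/]*" -> 15
    return (0 if has_meta else 1, stem_len, 1 if spec.ftype else 0, len(prefix))


def fc_sort(specs: List[Spec]) -> List[Spec]:
    return sorted(specs, key=sort_key)      # stable: ties keep file order


def lookup(base: List[Spec], local: List[Spec], path: str,
           ftype: Optional[str] = None) -> Spec:
    """Return the entry that decides the label, scanning most specific first."""
    ordered = fc_sort(base) + fc_sort(local)
    for spec in reversed(ordered):          # last matching entry wins
        if ftype and spec.ftype and spec.ftype != ftype:
            continue
        if re.fullmatch(spec.regex, path):  # libselinux anchors with ^...$
            return spec
    raise LookupError(path)


QUOTA = "system_u:object_r:quota_db_t:s0"
PATH = "/var/spool/cron/aquota.user"

# Entries quoted in the thread plus the catch-all every policy starts with
# (constructed sample); listed in shuffled order to show that fc_sort, not
# file order, decides precedence.
BASE = [
    Spec("/var/spool/cron/[^/]*", "--", None),                        # <<none>>
    Spec("/.*", None, "system_u:object_r:default_t:s0"),
    Spec("/var/spool/(.*/)?a?quota.(user|group)", "--", QUOTA),
]
# The policy fix from the thread: same stem as the cron catch-all but a
# longer literal prefix, so it sorts after it and wins the reverse scan.
POLICY_FIX = Spec("/var/spool/cron/a?quota.(user|group)", "--", QUOTA)
# The workaround: semanage fcontext -a -t quota_db_t /var/spool/cron/aquota.user
LOCAL_FIX = Spec("/var/spool/cron/aquota.user", None, QUOTA)


def before_fix() -> Spec:
    return lookup(BASE, [], PATH, "--")


def with_policy_fix() -> Spec:
    return lookup(BASE + [POLICY_FIX], [], PATH, "--")


def with_local_fix() -> Spec:
    return lookup(BASE, [LOCAL_FIX], PATH, "--")


if __name__ == "__main__":
    for name, fn in (("base policy", before_fix),
                     ("policy fix", with_policy_fix),
                     ("semanage -a", with_local_fix)):
        m = fn()
        print(f"{name:12} {m.regex:40} {m.context or '<<none>>'}")
```

Run as a script, the first line shows the cron catch-all winning with `<<none>>`, which is the "no default label" that restorecon warns about; the other two lines show why both the policy change and the semanage workaround resolve it. On a real system the equivalent checks are `matchpathcon /var/spool/cron/aquota.user` before and after the fix, and `semanage fcontext -l -C` to list the local customizations that override the base policy.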
With semanage it works.
Will the new rule be included in the next release?
On Friday, December 20, 2013 7:29 PM, Daniel J Walsh dwalsh@redhat.com wrote:
On 12/20/2013 03:23 PM, EljiUdia wrote:
Miroslav, can you backport this rule to RHEL 6.6?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos