-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/19/2013 02:31 PM, EljiUdia wrote: > Hi, > > > I'm facing a challenge with selinux and because I don't got an explanation > elsewhere, I'm trying to explain here. I have decided to mount > /var/spool/cron on a separate partition and apply quota for regular users. > But quotacheck replyes with a "permission denied" . > > quotacheck: Cannot create new quotafile /var/spool/cron/aquota.user.new: > Permission denied quotacheck: Cannot initialize IO on new quotafile: > Permission denied > > > Indeed, files in that directory has a context witch denies quotacheck > process to write files. To became suitable fo quota, those files > (aquota.user and aquota.group) must have quota_db_t type(in context). If I > use restorecon /var/spool/cron/aquota.user , it reports that is no default > context for that file. > > > [root at CentOS active]# touch /var/spool/cron/aquota.user [root at CentOS > active]# restorecon /var/spool/cron/ [root at CentOS active]# ls -lZ > /var/spool/cron/ -rw-r--r--. root root > unconfined_u:object_r:user_cron_spool_t:s0 aquota.user > > > [root at CentOS active]# restorecon /var/spool/cron/aquota.user restorecon: > Warning no default label for /var/spool/cron/aquota.user > > Semanage reports this > > [root at CentOS active]# semanage fcontext -l|grep quota > /a?quota\.(user|group) regular file > system_u:object_r:quota_db_t:s0 /boot/a?quota\.(user|group) > regular file system_u:object_r:quota_db_t:s0 > /etc/a?quota\.(user|group) regular file > system_u:object_r:quota_db_t:s0 /sbin/quota(check|on) > regular file system_u:object_r:quota_exec_t:s0 /usr/sbin/convertquota > regular file system_u:object_r:quota_exec_t:s0 /usr/sbin/quota_nld > regular file system_u:object_r:quota_nld_exec_t:s0 > /usr/sbin/rpc\.rquotad regular file > system_u:object_r:rpcd_exec_t:s0 /var/a?quota\.(user|group) > regular file system_u:object_r:quota_db_t:s0 > /var/lib/openshift/a?quota\.(user|group) regular file > system_u:object_r:quota_db_t:s0 /var/lib/quota(/.*)? > all files system_u:object_r:quota_flag_t:s0 > /var/lib/stickshift/a?quota\.(user|group) regular file > system_u:object_r:quota_db_t:s0 /var/run/quota_nld\.pid > regular file system_u:object_r:quota_nld_var_run_t:s0 > /var/spool/(.*/)?a?quota\.(user|group) regular file > system_u:object_r:quota_db_t:s0 > > > > Take a look on the last file . Isn't a default context for > /var/spool/cron/aquota.user ?It looks like > https://bugzilla.redhat.com/show_bug.cgi?id=703871 > > > What's your opinion? > > Elji Udia _______________________________________________ CentOS mailing > list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos > The problem is the way the algorithm that figures out the best match works. restorecon is using /var/spool/cron/[^/]* -- <<none>> inseard of /var/spool/(.*/)?a?quota\.(user|group) regular file system_u:object_r:quota_db_t:s0 I just added /var/spool/cron/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 Which now gets matchpathcon /var/spool/cron/aquota.user /var/spool/cron/aquota.user system_u:object_r:quota_db_t:s0 If you want to fix this on your machine just add semanage fcontext -a -t quota_db_t /var/spool/cron/aquota\.user restorecon /var/spool/cron/aquota.user -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlK0fo8ACgkQrlYvE4MpobPDSACgmUcb+jsWTegHPL99/c0w1i5N /tAAoJgPyPuc67UMpDVmjVq3bwePJtFG =A4ww -----END PGP SIGNATURE-----