[CentOS] quota and selinux on centos 6.5

Fri Dec 20 17:29:51 UTC 2013
Daniel J Walsh <dwalsh at redhat.com>


On 12/19/2013 02:31 PM, EljiUdia wrote:
> Hi,
> 
> 
> I'm facing a challenge with selinux and because I didn't get an explanation
> elsewhere, I'm trying to explain here. I have decided to mount
> /var/spool/cron on a separate partition and apply quota for regular users.
> But quotacheck replies with a "permission denied".
> 
> quotacheck: Cannot create new quotafile /var/spool/cron/aquota.user.new: Permission denied
> quotacheck: Cannot initialize IO on new quotafile: Permission denied
> 
> 
> Indeed, files in that directory have a context which denies the quotacheck
> process writing files. To become suitable for quota, those files
> (aquota.user and aquota.group) must have the quota_db_t type (in context). If I
> use restorecon /var/spool/cron/aquota.user, it reports that there is no default
> context for that file.
> 
> 
> [root at CentOS active]# touch /var/spool/cron/aquota.user
> [root at CentOS active]# restorecon /var/spool/cron/
> [root at CentOS active]# ls -lZ /var/spool/cron/
> -rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 aquota.user
> 
> 
> [root at CentOS active]# restorecon /var/spool/cron/aquota.user
> restorecon: Warning no default label for /var/spool/cron/aquota.user
> 
> Semanage reports this
> 
> [root at CentOS active]# semanage fcontext -l | grep quota
> /a?quota\.(user|group)                             regular file       system_u:object_r:quota_db_t:s0
> /boot/a?quota\.(user|group)                        regular file       system_u:object_r:quota_db_t:s0
> /etc/a?quota\.(user|group)                         regular file       system_u:object_r:quota_db_t:s0
> /sbin/quota(check|on)                              regular file       system_u:object_r:quota_exec_t:s0
> /usr/sbin/convertquota                             regular file       system_u:object_r:quota_exec_t:s0
> /usr/sbin/quota_nld                                regular file       system_u:object_r:quota_nld_exec_t:s0
> /usr/sbin/rpc\.rquotad                             regular file       system_u:object_r:rpcd_exec_t:s0
> /var/a?quota\.(user|group)                         regular file       system_u:object_r:quota_db_t:s0
> /var/lib/openshift/a?quota\.(user|group)           regular file       system_u:object_r:quota_db_t:s0
> /var/lib/quota(/.*)?                               all files          system_u:object_r:quota_flag_t:s0
> /var/lib/stickshift/a?quota\.(user|group)          regular file       system_u:object_r:quota_db_t:s0
> /var/run/quota_nld\.pid                            regular file       system_u:object_r:quota_nld_var_run_t:s0
> /var/spool/(.*/)?a?quota\.(user|group)             regular file       system_u:object_r:quota_db_t:s0
> 
> 
> 
> Take a look at the last file. Isn't that a default context for
> /var/spool/cron/aquota.user? It looks like
> https://bugzilla.redhat.com/show_bug.cgi?id=703871
> 
> 
> What's your opinion?
> 
> Elji Udia
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
The problem is the way the algorithm that figures out the best match works.

restorecon is using

/var/spool/cron/[^/]*	--	<<none>>

instead of

/var/spool/(.*/)?a?quota\.(user|group)             regular file
system_u:object_r:quota_db_t:s0

I just added

/var/spool/cron/a?quota\.(user|group)	--	system_u:object_r:quota_db_t:s0

Which now gets

matchpathcon  /var/spool/cron/aquota.user
/var/spool/cron/aquota.user	system_u:object_r:quota_db_t:s0


If you want to fix this on your machine, just add


semanage fcontext -a -t quota_db_t /var/spool/cron/aquota\.user
restorecon  /var/spool/cron/aquota.user
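To make the "best match" behaviour Dan describes concrete, here is a small Python model of how file_contexts entries are ranked and looked up. It is an added example, not code from the thread or from libselinux. It assumes the precedence model used by the fc_sort tool (longer literal stem first, then entries without regex metacharacters, then longer regex strings; the most specific entry sorts last) and the matchpathcon/restorecon behaviour of walking the list from the end so the last match wins, with entries from file_contexts.local loaded after the base file. The spec table is a constructed subset of the entries quoted above plus the cron entry Dan mentions; the function names are this example's own.

```python
import re

# Characters libselinux treats as regex metacharacters when it computes the
# literal "stem" of a file_contexts entry.
_META = set(".^$?*+|[](){}\\")

# Constructed subset of the file_contexts entries quoted in the thread:
# (regex, file type as shown by semanage, context). "--" is "regular file",
# None stands for "all files", "<<none>>" tells restorecon not to relabel.
BASE_SPECS = [
    ("/a?quota\\.(user|group)",                 "--", "system_u:object_r:quota_db_t:s0"),
    ("/var/a?quota\\.(user|group)",             "--", "system_u:object_r:quota_db_t:s0"),
    ("/var/spool/(.*/)?a?quota\\.(user|group)", "--", "system_u:object_r:quota_db_t:s0"),
    ("/var/spool/cron/[^/]*",                   "--", "<<none>>"),
]

# The entry Dan added to the policy (equivalent to the semanage fcontext -a rule).
CRON_QUOTA_SPEC = ("/var/spool/cron/a?quota\\.(user|group)", "--",
                   "system_u:object_r:quota_db_t:s0")


def stem(regex):
    """Literal path prefix of a spec: everything up to the last '/' that
    precedes the first regex metacharacter ('' if the first component is a regex)."""
    last_slash = 0
    for i, ch in enumerate(regex):
        if ch in _META:
            break
        if ch == "/" and i > 0:
            last_slash = i
    return regex[:last_slash]


def specificity(spec):
    """Sort key modelled on fc_sort (assumed here): longer stem, then no
    metacharacters, then longer regex count as more specific. An ascending
    sort therefore puts the most specific entry last."""
    regex = spec[0]
    has_meta = any(ch in _META for ch in regex)
    return (len(stem(regex)), 0 if has_meta else 1, len(regex))


def sort_specs(specs):
    return sorted(specs, key=specificity)


def lookup(specs, path, ftype="--"):
    """Model of matchpathcon/restorecon: walk the list from the end so the
    most specific (and most recently loaded) entry wins. file_contexts
    regexes are anchored at both ends, hence fullmatch."""
    for regex, spec_type, ctx in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if re.fullmatch(regex, path):
            return ctx
    return None


def base_policy():
    return sort_specs(BASE_SPECS)


def with_local_rule():
    # file_contexts.local is consulted after the base file, so its entries
    # sit at the end of the list and take precedence in the backwards walk.
    return base_policy() + [CRON_QUOTA_SPEC]


if __name__ == "__main__":
    path = "/var/spool/cron/aquota.user"
    for name, specs in (("base policy", base_policy()),
                        ("with local rule", with_local_rule())):
        print(f"{name:16s} {path} -> {lookup(specs, path)}")
    print("stem lengths:",
          {s[0]: len(stem(s[0])) for s in BASE_SPECS + [CRON_QUOTA_SPEC]})
```

Running it shows why Elji's expectation failed: `/var/spool/cron/[^/]*` has the stem `/var/spool/cron` (15 characters) and so outranks `/var/spool/(.*/)?a?quota\.(user|group)`, whose stem is only `/var/spool`, even though both match the path. The `<<none>>` result means restorecon leaves the file alone, which is why it kept the `user_cron_spool_t` label inherited from the directory. The new entry shares the longer stem and is the longer regex, so it sorts last and wins. When you type Dan's semanage command, quote the regex (`'/var/spool/cron/aquota\.user'`), otherwise the shell strips the backslash before semanage sees it.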