On 12/20/2013 03:23 PM, EljiUdia wrote:
> With semanage it works.
>
> The new rule will be included in next release?
> Miroslav can you back port this role to RHEL 6.6.
>
>
> On Friday, December 20, 2013 7:29 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 12/19/2013 02:31 PM, EljiUdia wrote:
>> Hi,
>
>> I'm facing a challenge with selinux and because I didn't get an
>> explanation elsewhere, I'm trying to explain here. I have decided to
>> mount /var/spool/cron on a separate partition and apply quota for
>> regular users. But quotacheck replies with a "permission denied".
>
>> quotacheck: Cannot create new quotafile /var/spool/cron/aquota.user.new: Permission denied
>> quotacheck: Cannot initialize IO on new quotafile: Permission denied
>
>> Indeed, files in that directory have a context which denies the quotacheck
>> process to write files. To become suitable for quota, those files
>> (aquota.user and aquota.group) must have quota_db_t type (in context). If
>> I use restorecon /var/spool/cron/aquota.user, it reports that there is no
>> default context for that file.
>
>> [root at CentOS active]# touch /var/spool/cron/aquota.user
>> [root at CentOS active]# restorecon /var/spool/cron/
>> [root at CentOS active]# ls -lZ /var/spool/cron/
>> -rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 aquota.user
>
>> [root at CentOS active]# restorecon /var/spool/cron/aquota.user
>> restorecon: Warning no default label for /var/spool/cron/aquota.user
>
>> Semanage reports this
>
>> [root at CentOS active]# semanage fcontext -l|grep quota
>> /a?quota\.(user|group)                      regular file   system_u:object_r:quota_db_t:s0
>> /boot/a?quota\.(user|group)                 regular file   system_u:object_r:quota_db_t:s0
>> /etc/a?quota\.(user|group)                  regular file   system_u:object_r:quota_db_t:s0
>> /sbin/quota(check|on)                       regular file   system_u:object_r:quota_exec_t:s0
>> /usr/sbin/convertquota                      regular file   system_u:object_r:quota_exec_t:s0
>> /usr/sbin/quota_nld                         regular file   system_u:object_r:quota_nld_exec_t:s0
>> /usr/sbin/rpc\.rquotad                      regular file   system_u:object_r:rpcd_exec_t:s0
>> /var/a?quota\.(user|group)                  regular file   system_u:object_r:quota_db_t:s0
>> /var/lib/openshift/a?quota\.(user|group)    regular file   system_u:object_r:quota_db_t:s0
>> /var/lib/quota(/.*)?                        all files      system_u:object_r:quota_flag_t:s0
>> /var/lib/stickshift/a?quota\.(user|group)   regular file   system_u:object_r:quota_db_t:s0
>> /var/run/quota_nld\.pid                     regular file   system_u:object_r:quota_nld_var_run_t:s0
>> /var/spool/(.*/)?a?quota\.(user|group)      regular file   system_u:object_r:quota_db_t:s0
>
>> Take a look at the last file. Isn't there a default context for
>> /var/spool/cron/aquota.user? It looks like
>> https://bugzilla.redhat.com/show_bug.cgi?id=703871
>
>> What's your opinion?
>
>> Elji Udia
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
> The problem is the way the algorithm that figures out the best match
> works.
>
> restorecon is using
>
> /var/spool/cron/[^/]*    --    <<none>>
>
> instead of
>
> /var/spool/(.*/)?a?quota\.(user|group)    regular file    system_u:object_r:quota_db_t:s0
>
> I just added
>
> /var/spool/cron/a?quota\.(user|group)    --    system_u:object_r:quota_db_t:s0
>
> Which now gets
>
> matchpathcon /var/spool/cron/aquota.user
> /var/spool/cron/aquota.user    system_u:object_r:quota_db_t:s0
>
> If you want to fix this on your machine just add
>
> semanage fcontext -a -t quota_db_t /var/spool/cron/aquota\.user
> restorecon /var/spool/cron/aquota.user
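The matching rule Dan describes, as an added model (not libselinux's code and not part of the thread): file context specs are scanned last-to-first, so the last matching entry wins; the more specific `/var/spool/cron/[^/]*` entry is sorted after the generic `/var/spool/(.*/)?a?quota\.(user|group)` entry and claims the file with `<<none>>`, and a rule appended to file_contexts.local by `semanage fcontext -a` lands after both and takes precedence. The entry order and the all-files type of the local rule are assumptions that reproduce the outcome reported above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Spec(NamedTuple):
    regex: str               # anchored path regex, as written in file_contexts
    ftype: str               # "--" regular file, "-d" directory, "" any file type
    context: Optional[str]   # None models <<none>> (no default label)


# Constructed subset of the thread's entries, in the order the sorted base
# file is assumed to hold them: the longer fixed stem /var/spool/cron/ last.
BASE_SPECS = [
    Spec(r"/var/spool/(.*/)?a?quota\.(user|group)", "--", "system_u:object_r:quota_db_t:s0"),
    Spec(r"/var/spool/cron/[^/]*", "--", None),  # <<none>>
]

# Assumed file_contexts.local line produced by
# `semanage fcontext -a -t quota_db_t '/var/spool/cron/aquota\.user'`
LOCAL_SPEC = Spec(r"/var/spool/cron/aquota\.user", "", "system_u:object_r:quota_db_t:s0")


def effective_specs(with_local: bool) -> List[Spec]:
    """file_contexts.local is loaded after the base file, so it sits at the end."""
    return BASE_SPECS + ([LOCAL_SPEC] if with_local else [])


def lookup(specs: List[Spec], path: str, ftype: str = "--") -> Tuple[Optional[str], Optional[str]]:
    """Scan from the last spec backwards and return (winning regex, context).

    A context of None with a winning regex means <<none>>: restorecon will
    print 'Warning no default label'. (None, None) means nothing matched.
    """
    for spec in reversed(specs):
        if spec.ftype and spec.ftype != ftype:
            continue  # file-type field does not apply to this object
        if re.fullmatch(spec.regex, path):
            return spec.regex, spec.context
    return None, None


if __name__ == "__main__":
    path = "/var/spool/cron/aquota.user"
    for with_local in (False, True):
        rx, ctx = lookup(effective_specs(with_local), path)
        state = "present" if with_local else "absent"
        print(f"local rule {state}: {rx!r} wins -> {ctx or '<<none>>'}")
```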