[CentOS] quota and selinux on centos 6.5

Mon Dec 23 14:57:58 UTC 2013
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/20/2013 03:23 PM, EljiUdia wrote:
> With semanage it works.
> 
> The new rule will be included in the next release?
> 
Miroslav, can you backport this rule to RHEL 6.6?
> 
> 
> 
> On Friday, December 20, 2013 7:29 PM, Daniel J Walsh <dwalsh at redhat.com>
> wrote:
> 
> On 12/19/2013 02:31 PM, EljiUdia wrote:
>> Hi,
> 
> 
>> I'm facing a challenge with SELinux and because I didn't get an
>> explanation elsewhere, I'm trying to explain it here. I have decided to
>> mount /var/spool/cron on a separate partition and apply quota for
>> regular users. But quotacheck replies with a "permission denied".
> 
>> quotacheck: Cannot create new quotafile /var/spool/cron/aquota.user.new: Permission denied
>> quotacheck: Cannot initialize IO on new quotafile: Permission denied
> 
> 
>> Indeed, files in that directory have a context which denies the quotacheck
>> process permission to write files. To become suitable for quota, those files
>> (aquota.user and aquota.group) must have the quota_db_t type (in context). If
>> I use restorecon /var/spool/cron/aquota.user, it reports that there is no
>> default context for that file.
> 
> 
>> [root@CentOS active]# touch /var/spool/cron/aquota.user
>> [root@CentOS active]# restorecon /var/spool/cron/
>> [root@CentOS active]# ls -lZ /var/spool/cron/
>> -rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 aquota.user
> 
> 
>> [root@CentOS active]# restorecon /var/spool/cron/aquota.user
>> restorecon: Warning no default label for /var/spool/cron/aquota.user
> 
>> Semanage reports this
> 
>> [root@CentOS active]# semanage fcontext -l|grep quota
>> /a?quota\.(user|group)                             regular file       system_u:object_r:quota_db_t:s0
>> /boot/a?quota\.(user|group)                        regular file       system_u:object_r:quota_db_t:s0
>> /etc/a?quota\.(user|group)                         regular file       system_u:object_r:quota_db_t:s0
>> /sbin/quota(check|on)                              regular file       system_u:object_r:quota_exec_t:s0
>> /usr/sbin/convertquota                             regular file       system_u:object_r:quota_exec_t:s0
>> /usr/sbin/quota_nld                                regular file       system_u:object_r:quota_nld_exec_t:s0
>> /usr/sbin/rpc\.rquotad                             regular file       system_u:object_r:rpcd_exec_t:s0
>> /var/a?quota\.(user|group)                         regular file       system_u:object_r:quota_db_t:s0
>> /var/lib/openshift/a?quota\.(user|group)           regular file       system_u:object_r:quota_db_t:s0
>> /var/lib/quota(/.*)?                               all files          system_u:object_r:quota_flag_t:s0
>> /var/lib/stickshift/a?quota\.(user|group)          regular file       system_u:object_r:quota_db_t:s0
>> /var/run/quota_nld\.pid                            regular file       system_u:object_r:quota_nld_var_run_t:s0
>> /var/spool/(.*/)?a?quota\.(user|group)             regular file       system_u:object_r:quota_db_t:s0
> 
> 
> 
>> Take a look at the last file. Isn't there a default context for
>> /var/spool/cron/aquota.user? It looks like
>> https://bugzilla.redhat.com/show_bug.cgi?id=703871
> 
> 
>> What's your opinion?
> 
>> Elji Udia
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> 
> The problem is the way the algorithm that figures out the best match
> works.
> 
> restorecon is using
> 
> /var/spool/cron/[^/]*    --    <<none>>
> 
> instead of
> 
> /var/spool/(.*/)?a?quota\.(user|group)             regular file       system_u:object_r:quota_db_t:s0
> 
> I just added
> 
> /var/spool/cron/a?quota\.(user|group)    --
> system_u:object_r:quota_db_t:s0
> 
> Which now gets
> 
> matchpathcon /var/spool/cron/aquota.user
> /var/spool/cron/aquota.user    system_u:object_r:quota_db_t:s0
> 
> 
> If you want to fix this on your machine just add
> 
> 
> semanage fcontext -a -t quota_db_t /var/spool/cron/aquota\.user
> 
> restorecon  /var/spool/cron/aquota.user 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlK4T3YACgkQrlYvE4MpobNohgCfbzlIbaNLigY8G0ZjtgWALYK5
vP8AnRypiRICJ29b1DqGO6NiZgMt+0Y2
=OGfN
-----END PGP SIGNATURE-----
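Added example, not part of the thread: a small Python model of the file_contexts "best match" selection Dan describes, run over the three entries quoted above. It assumes a simplified rule (the matching entry with the longest literal directory prefix, or "stem", wins, and among equal stems the entry listed last wins); that is a model for illustration, not libselinux's actual code. The `/var/spool/mail/aquota.user` path is a constructed extra case to show the generic `/var/spool/(.*/)?` rule still applying elsewhere.

```python
import re

# Regex metacharacters that terminate a file_contexts "stem", i.e. the
# literal leading path components libselinux can compare without a regex.
_META = set(".^$?*+|[({\\")

# Entries from the message: (regex, file type, context). "<<none>>" means
# "no default label", which is what restorecon warned about.
POLICY = [
    (r"/var/spool/(.*/)?a?quota\.(user|group)", "--", "system_u:object_r:quota_db_t:s0"),
    (r"/var/spool/cron/[^/]*", "--", "<<none>>"),
]

# The local rule Dan adds with `semanage fcontext -a -t quota_db_t ...`
# (written here with the a?quota\.(user|group) form from his policy change).
LOCAL_FIX = (r"/var/spool/cron/a?quota\.(user|group)", "--", "system_u:object_r:quota_db_t:s0")


def stem(regex_path):
    """Literal leading path components of a file_contexts regex, up to the
    first component that contains a regex metacharacter."""
    out = []
    for part in regex_path.split("/")[1:]:
        if any(c in _META for c in part):
            break
        out.append(part)
    return "/" + "/".join(out) if out else "/"


def best_match(entries, path):
    """Simplified model (assumption, see lead-in): among entries whose
    anchored regex matches the whole path, prefer the longest stem, then
    the entry that appears last. Returns (regex, context) or (None, None)."""
    best = None
    for idx, (regex, _ftype, ctx) in enumerate(entries):
        if re.fullmatch(regex, path) is None:
            continue
        key = (len(stem(regex)), idx)
        if best is None or key > best[0]:
            best = (key, regex, ctx)
    return (best[1], best[2]) if best else (None, None)


def label_for(path, local=()):
    """Context chosen for `path` given the policy entries plus any local
    additions (local entries are appended, so they sort last on ties)."""
    return best_match(POLICY + list(local), path)[1]


if __name__ == "__main__":
    target = "/var/spool/cron/aquota.user"
    print("before fix:", best_match(POLICY, target))
    print("after fix: ", best_match(POLICY + [LOCAL_FIX], target))
    print("cron tab:  ", best_match(POLICY + [LOCAL_FIX], "/var/spool/cron/root"))
    # Constructed path outside the cron spool: the generic rule applies.
    print("elsewhere: ", best_match(POLICY, "/var/spool/mail/aquota.user"))
```

Before the fix the `/var/spool/cron/[^/]*` entry wins on stem length (`/var/spool/cron` is longer than `/var/spool`) and returns `<<none>>`, matching the restorecon warning in the thread; the local rule shares that stem and is listed later, so it takes over for the quota files while other cron spool files are unaffected.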