Bug 1413025

Summary: avc: denied { write } for pid=11089 comm="quotacheck" name="/" dev=loop0
Product: Red Hat Enterprise Linux 6
Reporter: Jan Stancek <jstancek>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.9
CC: dwalsh, jburke, jstancek, liwan, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-02 13:15:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Stancek 2017-01-13 12:37:18 UTC
Description of problem:
The following sequence is denied by SELinux:

# ./repro.sh 
+ cd /tmp/
+ fallocate -l1G file
+ mkfs.ext4 -F file
mke2fs 1.41.12 (17-May-2010)
+ mkdir -p mntpoint
+ mount -o loop,usrquota,grpquota file mntpoint
+ quotacheck -ug mntpoint
quotacheck: Cannot create new quotafile /tmp/mntpoint/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mntpoint/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
+ umount mntpoint

# cat /var/log/audit/audit.log 
type=AVC msg=audit(1484310376.174:36): avc:  denied  { write } for  pid=11089 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1484310376.174:36): arch=c000003e syscall=2 success=no exit=-13 a0=7ffde7eb7230 a1=c2 a2=180 a3=7ffde7eb6f80 items=0 ppid=11081 pid=11089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1484310376.174:37): avc:  denied  { write } for  pid=11089 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1484310376.174:37): arch=c000003e syscall=2 success=no exit=-13 a0=7ffde7eb7230 a1=c2 a2=180 a3=fffffffffffffff0 items=0 ppid=11081 pid=11089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)

With SELinux off:
# setenforce 0
# ./repro.sh 
+ cd /tmp/
+ fallocate -l1G file
+ mkfs.ext4 -F file
mke2fs 1.41.12 (17-May-2010)
+ mkdir -p mntpoint
+ mount -o loop,usrquota,grpquota file mntpoint
+ quotacheck -ug mntpoint
+ umount mntpoint


# audit2allow  < /var/log/audit/audit.log 

#============= quota_t ==============
#!!!! The source type 'quota_t' can write to a 'dir' of the following types:
# mail_spool_t, etc_t, boot_t, mnt_t, root_t, tmp_t, usr_t, var_t, mqueue_spool_t, var_spool_t, home_root_t, openshift_var_lib_t, user_home_dir_t, noxattrfs

allow quota_t file_t:dir write;


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-307.el6.noarch
2.6.32-682.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
see description

Actual results:
avc:  denied  { write } for  pid=11089 comm="quotacheck" name="/" dev=loop0

Expected results:
no AVC

Additional info:

Comment 1 Milos Malik 2017-01-13 12:58:49 UTC
[0 root@qeos-121 tmp]# ls -Z file 
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file
[0 root@qeos-121 tmp]# ls -dZ mntpoint
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 mntpoint
[0 root@qeos-121 tmp]# mount -o loop,usrquota,grpquota file mntpoint
[0 root@qeos-121 tmp]# ls -dZ mntpoint
drwxr-xr-x. root root system_u:object_r:file_t:s0      mntpoint
[0 root@qeos-121 tmp]#
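As an added example (not code from the report or from selinux-policy), the parser below turns raw `type=AVC` audit records like the ones quoted in the description into structured fields and groups them the way the audit2allow summary does, so that the tcontext type can be checked before anyone copies the suggested allow rule. The sample input is constructed from the two AVC lines and one SYSCALL line in the description; the function names `parse_avc_line`, `summarize_denials`, `proposed_allow_rules` and `unlabeled_target_denials` are this example's own. `file_t` is the type the kernel reports for files that carry no SELinux label, which matches Comment 1, where the mount point changes from `user_tmp_t` to `file_t` once the freshly created ext4 image is mounted.

```python
"""Parse SELinux AVC denial records and summarize them per (source, target, class)."""
import re
from collections import defaultdict

# Constructed sample input: two AVC records and one SYSCALL record as quoted
# in the bug description (audit.log excerpt).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484310376.174:36): avc:  denied  { write } for  pid=11089 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1484310376.174:36): arch=c000003e syscall=2 success=no exit=-13 a0=7ffde7eb7230 a1=c2 a2=180 a3=7ffde7eb6f80 items=0 ppid=11081 pid=11089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1484310376.174:37): avc:  denied  { write } for  pid=11089 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

# Header of an AVC record: timestamp, serial, result and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the policy type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class) -> union of permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc_line(line)
        if rec and rec["result"] == "denied":
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def proposed_allow_rules(log_text):
    """Render the summary as the allow rules audit2allow would propose (one per key)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize_denials(log_text).items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules


def unlabeled_target_denials(log_text):
    """Denials whose target type is file_t, i.e. the object carries no SELinux label.

    Such a denial points at a labeling problem (here: the root inode, ino=2,
    of a freshly made ext4 image has no security xattr) rather than at a
    missing policy rule, so an allow rule on file_t is not the right fix.
    """
    return [
        rec for rec in map(parse_avc_line, log_text.splitlines())
        if rec and rec["result"] == "denied" and rec["ttype"] == "file_t"
    ]


if __name__ == "__main__":
    for rule in proposed_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for rec in unlabeled_target_denials(SAMPLE_AUDIT_LOG):
        print("unlabeled target: serial=%d comm=%s name=%s dev=%s ino=%s"
              % (rec["serial"], rec["comm"], rec["name"], rec["dev"], rec["ino"]))
```

Run against the sample it prints the same `allow quota_t file_t:dir write;` rule the description shows from audit2allow, and then flags both records as hits on an unlabeled target, which is the signal a reviewer wants before deciding between a policy change and relabeling the filesystem.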

Comment 7 Lukas Vrabec 2017-10-02 13:15:12 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com