Bug 212957

Summary: MLS policy doesn't allow turning on quotas
Product: Red Hat Enterprise Linux 5
Reporter: Bastien Nocera <bnocera>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 5.0
CC: eparis
Hardware: All
OS: Linux
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-23 01:52:14 UTC
Attachments: avc messages

Description Bastien Nocera 2006-10-30 11:06:21 UTC
(Create a file called "vdisk", and format it)
# mount -o loop,usrquota,grpquota,context=root:object_r:root_t:s0 vdisk /mnt/loop
# quotacheck -cug /mnt/loop
quotacheck: Can't statfs() /mnt/loop: Permission denied
quotacheck: Mountpoint (or device) /mnt/loop not found.
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.

And in the audit logs:
type=SYSCALL msg=audit(1161225352.239:1569): arch=14 syscall=252 success=no exit=-13 a0=fe8ad6bc a1=58 a2=fe8ac660 a3=100c0bfc items=0 ppid=30858 pid=31062 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="quotacheck" exe="/sbin/quotacheck" subj=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(1161225352.239:1569): avc:  denied  { getattr } for pid=31062 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 tcontext=root:object_r:root_t:s0 tclass=filesystem

selinux-policy-mls-2.3.18-3
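
As an added triage helper, not part of this bug report or of selinux-policy: a small Python parser for AVC records like the one quoted in the description. It pulls out the result, permission, object class, and the subject and object contexts, then checks whether the subject's MLS clearance (the high end of its range, s15:c0.c255 here) dominates the object's level (s0). The sample record is a constructed copy of the AVC line above joined onto one line as auditd writes it; the function and field names are this example's own. For this record the clearance does dominate, so the denial is not a plain sensitivity mismatch between the two labels and has to come from the policy's type-enforcement rules or mlsconstrain statements for the filesystem class, which is where the fix discussed later in the thread lives.

```python
import re

# Constructed copy of the AVC record quoted in this bug, joined into the single
# line auditd writes; it is sample input for the parser below.
SAMPLE_AVC = (
    'type=AVC msg=audit(1161225352.239:1569): avc:  denied  { getattr } for '
    'pid=31062 comm="quotacheck" name="/" dev=loop0 ino=2 '
    'scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 '
    'tcontext=root:object_r:root_t:s0 tclass=filesystem'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:mls] into a dict; mls is None on a non-MLS context."""
    parts = ctx.split(':', 3)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'mls': parts[3] if len(parts) > 3 else None,
    }


def parse_level(level):
    """'s15:c0.c255' -> (15, {0..255}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in cats.split(',') if cats else []:
        lo, _, hi = part.partition('.')       # 'c0.c255' is the range c0..c255
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), categories


def parse_range(mls):
    """'s0-s15:c0.c255' -> (low_level, high_level); a single level is its own high."""
    low, _, high = mls.partition('-')
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'target': fields.get('name') or fields.get('path'),
        'scontext': split_context(fields['scontext']),
        'tcontext': split_context(fields['tcontext']),
    }


def assess(line):
    """Parse the record and add one MLS observation for triage: whether the
    subject's clearance (high end of its range) dominates the object's level.
    True means the labels alone do not explain the denial; look at the allow
    rules and mlsconstrain statements for that object class instead."""
    rec = parse_avc(line)
    if rec is None:
        return None
    s_mls, t_mls = rec['scontext']['mls'], rec['tcontext']['mls']
    if s_mls is None or t_mls is None:
        rec['clearance_dominates_object'] = None   # targeted policy, no MLS field
        return rec
    _, clearance = parse_range(s_mls)
    object_level, _ = parse_range(t_mls)
    rec['clearance_dominates_object'] = dominates(clearance, object_level)
    return rec


if __name__ == '__main__':
    r = assess(SAMPLE_AVC)
    print(f"{r['result']} {r['perms']} on {r['tclass']} {r['target']!r} by {r['comm']}: "
          f"{r['scontext']['type']} -> {r['tcontext']['type']}, "
          f"clearance dominates object: {r['clearance_dominates_object']}")
```

Run it against a whole audit.log by feeding each line to assess() and keeping the non-None results; records whose flag is False are the genuine level mismatches, the rest need the policy source (or audit2allow output) to explain.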

Comment 1 RHEL Program Management 2006-10-30 11:20:32 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 2 Daniel Walsh 2006-11-17 18:37:40 UTC
Fixed in selinux-policy-2.4.5-1

Comment 4 Daniel Walsh 2006-11-27 17:05:16 UTC
Please setenforce 0, and run this command again, to gather all of the AVC messages.

I have added this priv to selinux-policy-2.4.5-4

Comment 7 Archana K. Raghavan 2006-11-30 20:27:09 UTC
Created attachment 142517 [details]
avc messages

Comment 8 Daniel Walsh 2006-11-30 21:17:56 UTC
Try  selinux-policy-2.4.6-4

Comment 11 Daniel Walsh 2006-12-01 21:48:44 UTC
Ok, let's try selinux-policy-2.4.6-5

Comment 14 Daniel Walsh 2006-12-08 16:42:28 UTC
I put these AVCs on selinux-policy-2.4.6-8 and they say they would be allowed by
active policy.  The problem here was MLS.  sysadm_t was not allowed to getattr
on the disk at a higher sensitivity level.  Since we have combined secadm and
sysadm, this should be allowed.

Comment 17 RHEL Program Management 2006-12-23 01:52:15 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.