Bug 525420
Summary: | rpc.rquotad stops working after RHEL 5.4 upgrade due to avc denied errors | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Janne Blomqvist <blomqvist.janne> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | BaseOS QE <qe-baseos-auto> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 5.4 | CC: | cfairchild, mgrepl, mmalik, ovasik |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-03-30 07:50:14 UTC | Type: | --- |
Description
Janne Blomqvist
2009-09-24 10:38:01 UTC
Thanks for the report. I'll reassign this to selinux-policy to solve this generally... Keeping myself in CC...

What AVCs are you seeing?

Grepping the audit.log for rquotad shows thousands of lines of the "denied {getattr}" stuff, then a few others once I started fixing it, like:

type=AVC msg=audit(1253728211.916:355): avc: denied { getattr } for pid=4360 comm="rpc.rquotad" name="/" dev=dm-10 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1253728211.916:355): arch=40000003 syscall=268 success=no exit=-13 a0=bfe051b4 a1=54 a2=bfe04160 a3=4dfb40 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1253728260.637:358): avc: denied { quotaget } for pid=4360 comm="rpc.rquotad" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1253728260.637:358): arch=40000003 syscall=131 success=no exit=-13 a0=80000400 a1=8516c40 a2=0 a3=bfe05d64 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1253728260.638:359): avc: denied { read } for pid=4360 comm="rpc.rquotad" name="aquota.user" dev=dm-11 ino=49155 scontext=system_u:system_r:rpcd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1253728260.638:359): arch=40000003 syscall=5 success=no exit=-13 a0=bfe05168 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1253728364.914:364): avc: denied { sys_admin } for pid=4360 comm="rpc.rquotad" capability=21 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability
type=SYSCALL msg=audit(1253728364.914:364): arch=40000003 syscall=131 success=no exit=-1 a0=80000700 a1=8516c40 a2=441f a3=bfe060e8 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)

Once I made the policy changes in the original report, quota started working, as I mentioned.

Fixed in selinux-policy-2.4.6-259.el5

I just got the upgraded package selinux-policy-2.4.6-255.el5_4.3 through yum this morning and the errors are there. Could you please tell me where to find selinux-policy-2.4.6-259.el5 or when it is coming?

(In reply to comment #8)
> I just got the upgraded package selinux-policy-2.4.6-255.el5_4.3 through yum
> this morning and the errors are there. Could you please tell me where to find
> selinux-policy-2.4.6-259.el5 or when it is coming?

Hi Cale,

the latest available policy appears from time to time in Dan's repository:
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

At the moment there is version 2.4.6-269, which should be even better for you to install/test.

Fixed in selinux-policy-2.4.6-274.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
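
Added example (not part of the original bug report, and not code from selinux-policy or audit2allow): a small Python parser that collapses the AVC denials quoted in this thread into one candidate rule per source type, target type and class, so thousands of repeated lines reduce to the few distinct accesses a policy fix has to cover. The function names `summarize` and `as_rules` are hypothetical; the four sample records are copied from the comment above.

```python
import re
from collections import defaultdict

# AVC records copied from the thread above; the paired SYSCALL records are omitted.
SAMPLE = '''\
type=AVC msg=audit(1253728211.916:355): avc: denied { getattr } for pid=4360 comm="rpc.rquotad" name="/" dev=dm-10 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1253728260.637:358): avc: denied { quotaget } for pid=4360 comm="rpc.rquotad" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1253728260.638:359): avc: denied { read } for pid=4360 comm="rpc.rquotad" name="aquota.user" dev=dm-11 ino=49155 scontext=system_u:system_r:rpcd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1253728364.914:364): avc: denied { sys_admin } for pid=4360 comm="rpc.rquotad" capability=21 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text, comm=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or (comm and f'comm="{comm}"' not in line):
            continue  # not an AVC denial, or a different process
        key = (selinux_type(m['s']), selinux_type(m['t']), m['cls'])
        denials[key].update(m['perms'].split())
    return dict(denials)

def as_rules(denials):
    """Render the summary as candidate allow rules for human review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if tgt == src else tgt
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE, comm="rpc.rquotad"))))
```

The output is a review list, not a policy to load as-is: `sys_admin` is a broad capability, and the `home_root_t` denial is on the `aquota.user` quota file, so each line deserves a look before it goes into a local module.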