Bug 616670
| Summary: | quotacheck -cug failed only in beaker | ||
|---|---|---|---|
| Product: | [Retired] Beaker | Reporter: | Caspar Zhang <czhang> |
| Component: | beah | Assignee: | Bill Peck <bpeck> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 0.5 | CC: | bpeck, dcallagh, dtian, kbaker, kvolny, mcsontos, qcai, rmancy, yugzhang |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-09-28 15:15:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Caspar Zhang
2010-07-21 06:36:31 UTC
I had suspected selinux. When running with fixed avc subtest, it produces following output: https://beaker.engineering.redhat.com/logs/2010/79/9179/16749/207833/564382 ///test_log--kernel-distribution-ltp-debug-avc.log Looks like there are more selinux related issues. Running in compatible mode and setting the context to unconfined did the trick: https://beaker.engineering.redhat.com/jobs/47073 This will be delivered as beah-0.6.3 within next upgrade window. Hi, this bug seems happen again on beaker 0.6.10: https://beaker.engineering.redhat.com/jobs/83399 http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/05/833/83399/171348/1868251///TESTOUT.log bottom lines: + dd if=/dev/zero of=/tmp/ltp-fs-image bs=4096 count=8000 + mkfs.ext3 -q -F -b 4096 /tmp/ltp-fs-image + mkdir /tmp/mnt + mount -t ext3 -o loop,usrquota,grpquota /tmp/ltp-fs-image /tmp/mnt + quotacheck -cug /tmp/mnt quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission denied quotacheck: Cannot initialize IO on new quotafile: Permission denied quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied quotacheck: Cannot initialize IO on new quotafile: Permission denied How did you run the script when it worked? Whatever I tried it just does not work for me: IMG=quotacheck.img.SwaY2G MNTPOINT=quotacheck.mnt.THLW7j + dd if=/dev/zero of=quotacheck.img.SwaY2G bs=4096 count=8000 + mkfs.ext3 -q -F -b 4096 quotacheck.img.SwaY2G + mkdir quotacheck.mnt.THLW7j mkdir: cannot create directory `quotacheck.mnt.THLW7j': File exists + mount -t ext3 -o loop,usrquota,grpquota quotacheck.img.SwaY2G quotacheck.mnt.THLW7j + quotacheck -cug quotacheck.mnt.THLW7j quotacheck: Cannot create new quotafile /root/quotacheck.mnt.THLW7j/aquota.user.new: Permission denied quotacheck: Cannot initialize IO on new quotafile: Permission denied quotacheck: Cannot create new quotafile /root/quotacheck.mnt.THLW7j/aquota.group.new: Permission denied quotacheck: Cannot initialize IO on new quotafile: Permission denied When running the task manually after running following command I see SELinux denials:
LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Wed May 11 03:33:44 2011
type=SYSCALL msg=audit(1305099224.281:107471): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc681a100 a1=c2 a2=180 a3=7fffc6819e70 items=0 ppid=2809 pid=2865 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305099224.281:107471): avc: denied { write } for pid=2865 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
----
time->Wed May 11 03:33:44 2011
type=SYSCALL msg=audit(1305099224.282:107472): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc681a100 a1=c2 a2=180 a3=fe items=0 ppid=2809 pid=2865 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305099224.282:107472): avc: denied { write } for pid=2865 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
----
Surprisingly, there is absolutely nothing in the audit.log during the tests.
Did you run the task with SELinxu enabled?
Yes I run it with SELinux enabled; also I ran just the same steps as comment 0 When I reported this bug for first time, I could run the script successfully manually with SELinux enabled, only failed in Beaker. Now it seems manual/Beaker automation runs both fail. If nothing changed in Beaker, I suspect it's system's issue. Still there is a problem the AVC denial is not reported. (In reply to comment #9) > Still there is a problem the AVC denial is not reported. I don't experience this in beaker, for example see https://beaker.engineering.redhat.com/tasks/executed?task=/CoreOS/quota/Regression/bz77871-grace-period-not-shown&job_id=170480 there is the report: Info: Searching AVC errors produced since 1323811392.77 (Tue Dec 13 16:23:12 2011) Searching logs... Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/13/2011 16:23:12 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.mOyDfz 2>&1' ---- time->Tue Dec 13 16:23:15 2011 type=SYSCALL msg=audit(1323811395.282:1089019): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2d5d2030 a1=c2 a2=180 a3=7fff2d5d1da0 items=0 ppid=30595 pid=30889 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1323811395.282:1089019): avc: denied { write } for pid=30889 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir Fail: AVC messages found. Checking for errors... Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems. Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.mOyDfz | /sbin/ausearch -m AVC -m SELINUX_ERR' Fail: AVC messages found. Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.TaLXyw 2>&1' Info: No AVC messages found. /bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log No AVC messages found in dmesg Running '/usr/sbin/sestatus' SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted Running 'rpm -q selinux-policy || true' selinux-policy-3.7.19-126.el6.noarch however, as for the original problem with quota, this is genuine selinux bug which I've reported as bug #767579 and see also bug #717956#c2 where ppisar says "(with SELinux in permissive mode as the policy has not been updated in RHEL-6 yet)" |