Bug 703871
| Summary: | should allow quotacheck to create quota files | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Caspar Zhang <czhang> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.1 | CC: | azelinka, branto, dwalsh, mcermak, mgrepl, mmalik, qcai, qkpeng, syeghiay |
| Target Milestone: | rc | Keywords: | Regression, Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | (see below) | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-06-14 12:34:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 702988 | | |

Doc Text:

Cause: after upgrading the selinux-policy package from 3.7.19-85 to -87, `quotacheck -c' was executed when no quota file existed.

Consequence: an AVC denial like the following occurred.

```
type=SYSCALL msg=audit(1305143065.387:1030618): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030618): avc: denied { write } for pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
```
Description
Caspar Zhang
2011-05-11 13:46:04 UTC

What AVC's are you seeing?

(In reply to comment #3)
> What AVC's are you seeing?

```
----
time->Wed May 11 15:44:25 2011
type=SYSCALL msg=audit(1305143065.387:1030617): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030617): avc: denied { write } for pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
----
time->Wed May 11 15:44:25 2011
type=SYSCALL msg=audit(1305143065.387:1030618): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030618): avc: denied { write } for pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
```

file_t indicates you added a file system without labels. Run restorecon -R -v FILESYSTEMPATH and the quotacheck command will work fine.

I tried both running restorecon -R -v FILESYSTEMPATH and adding a label to the filesystem; the quotacheck command still fails with the same AVC message.

(In reply to comment #6)
> I tried both running restorecon -R -v FILESYSTEMPATH and adding a label to the
> filesystem; the quotacheck command still fails with the same AVC message.

Could you show me your steps?
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents: identical to the Doc Text field above.
That means you still do not have labels on the file system. You need to run restorecon on the directory mountpoint that you are doing quotacheck on.

My steps:

```
dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
mkdir /tmp/mnt
mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
restorecon -R -v /tmp/mnt/
quotacheck -cug /tmp/mnt        <-- fail
cd /tmp/mnt
restorecon -R -v /tmp/mnt/
quotacheck -cug /tmp/mnt        <-- still fail
# mount -l
/root/ltp-fs-image on /tmp/mnt type ext3 (rw,loop=/dev/loop0,usrquota,grpquota) [label0]   <-- have label
```

Try chcon --reference=/mnt /tmp/mnt rather than restorecon.

restorecon has no effect on /tmp files since it does not know what is in this directory.

```
dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
mkdir /tmp/mnt
mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
chcon --reference=/mnt /tmp/mnt/
quotacheck -cug /tmp/mnt
```

(In reply to comment #11)
> Try chcon --reference=/mnt /tmp/mnt rather than restorecon.
>
> restorecon has no effect on /tmp files since it does not know what is in this
> directory.
>
> dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
> mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
> mkdir /tmp/mnt
> mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
> chcon --reference=/mnt /tmp/mnt/
> quotacheck -cug /tmp/mnt

The above steps gave exactly the same error message:

```
# dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
8000+0 records in
8000+0 records out
32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s
# mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
# mkdir /tmp/mnt
# mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
kjournald starting.  Commit interval 5 seconds
EXT3-fs (loop0): using internal journal
EXT3-fs (loop0): mounted filesystem with ordered data mode
# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt
EXT3-fs (loop0): using internal journal
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
```

I also tried mounting my loop file under /mnt, but quotacheck -cug failed as well.

So you have the same AVC msg?

# ls -dZ /tmp/mnt

Sorry, I made a mistake: `quotacheck -cug /tmp/mnt' succeeded after applying `chcon --reference=/mnt /tmp/mnt/'; the error was due to another command:
```
quotaon -ug /tmp/mnt/
```

The AVC msg was:

```
----
time->Tue May 31 10:32:33 2011
type=SYSCALL msg=audit(1306852353.433:40171): arch=c000003e syscall=179 success=no exit=-13 a0=80000200 a1=7eff7d55c070 a2=2 a3=7eff7d55c050 items=0 ppid=25345 pid=32164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=67 comm="quotaon" exe="/sbin/quotaon" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306852353.433:40171): avc: denied { quotaon } for pid=32164 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
----
time->Tue May 31 10:32:33 2011
type=SYSCALL msg=audit(1306852353.433:40170): arch=c000003e syscall=179 success=no exit=-13 a0=80000201 a1=7eff7d55c070 a2=2 a3=7eff7d55c050 items=0 ppid=25345 pid=32164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=67 comm="quotaon" exe="/sbin/quotaon" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306852353.433:40170): avc: denied { quotaon } for pid=32164 comm="quotaon" name="aquota.group" dev=loop0 ino=13 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
```

```
# ls -dZ /tmp/mnt
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 /tmp/mnt
# ls -dZ /tmp/mnt/*
-rw-------. root root unconfined_u:object_r:mnt_t:s0 /tmp/mnt/aquota.group
-rw-------. root root unconfined_u:object_r:mnt_t:s0 /tmp/mnt/aquota.user
drwx------. root root system_u:object_r:file_t:s0 /tmp/mnt/lost+found
```

Is this a similar issue, or does some misconfiguration still exist? Thanks.
quotaon -ug /tmp/mnt/ showed the following error msg:

```
# quotaon -ugv /tmp/mnt/
quotaon: using /tmp/mnt/aquota.group on /dev/loop0 [/tmp/mnt]: Permission denied
quotaon: using /tmp/mnt/aquota.user on /dev/loop0 [/tmp/mnt]: Permission denied
```

The problem is aquota.group and aquota.user are mislabeled. How did these files get created?

Currently we have policy for the creation of this file.

```
allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
files_etc_filetrans(quota_t, quota_db_t, file)
files_tmp_filetrans(quota_t, quota_db_t, file)
files_home_filetrans(quota_t, quota_db_t, file)
files_usr_filetrans(quota_t, quota_db_t, file)
files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
```

Meaning we did not expect this file to be created on a mnt_t directory. I guess we could add policy for this, but if you just want the test to work, you could do:

```
chcon --reference=/var /tmp/mnt/
```

And then this would mimic the file system being mounted on /var.
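The two denials in this thread have different root causes that are easy to confuse (an unlabeled filesystem, file_t, versus a mount point whose type has no quota_t file transition, mnt_t). The script below is an added example, not code from the bug report or the selinux-policy package: it parses AVC records of the shape quoted above and maps the target type to the resolution the thread reached. The sample records are constructed copies of the two quoted in this bug; the function names and verdict strings are my own; mountpoint_type() assumes GNU stat on an SELinux host and is the only part that needs a live system.

```shell
#!/bin/sh
# Added example: triage quota_t AVC denials and say which fix from this
# thread applies. Pure POSIX sh + sed/cut/tr; runs without root or SELinux.

# Constructed input: the two denial records quoted in this bug report.
AVC_UNLABELED='type=AVC msg=audit(1305143065.387:1030618): avc: denied { write } for pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir'
AVC_MNT='type=AVC msg=audit(1306852353.433:40171): avc: denied { quotaon } for pid=32164 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file'

# avc_field RECORD KEY: value of the " KEY=value" token, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm RECORD: the first permission inside "denied { ... }", e.g. write or quotaon.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^} ]*\).*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# quota_avc_triage RECORD: print a one-line verdict; return 0 when the record
# is a quota_t denial this script can explain, 1 otherwise.
quota_avc_triage() {
    record=$1
    comm=$(avc_field "$record" comm)
    stype=$(ctx_type "$(avc_field "$record" scontext)")
    ttype=$(ctx_type "$(avc_field "$record" tcontext)")
    perm=$(avc_perm "$record")

    case "$comm" in
        quotacheck|quotaon|quotaoff) ;;
        *) echo "not-quota: comm=$comm"; return 1 ;;
    esac
    if [ "$stype" != quota_t ]; then
        # The tool never entered quota_t; the quota_run() addition discussed
        # in this bug is what makes unconfined_t transition into it.
        echo "no-transition: scontext type is $stype"
        return 1
    fi
    case "$ttype" in
        file_t)
            echo "unlabeled: $perm denied on file_t; run restorecon -R -v on the mount point" ;;
        mnt_t)
            echo "mnt_t: $perm denied; quota_t has no file transition on mnt_t, relabel the mount point (chcon --reference=/var MOUNTPOINT) and recreate the quota files" ;;
        quota_db_t)
            echo "labeled-ok: $perm denied on quota_db_t; labels are right, look at DAC or mount options" ;;
        *)
            echo "unknown: $perm denied on $ttype" ;;
    esac
}

# mountpoint_type DIR: SELinux type of DIR, for checking a mount point before
# running quotacheck. Assumes GNU stat (-c %C) on an SELinux-enabled host.
mountpoint_type() {
    ctx_type "$(stat -c %C "$1")"
}

# Triage the sample records when run directly.
for rec in "$AVC_UNLABELED" "$AVC_MNT"; do
    quota_avc_triage "$rec"
done
```

Feed it lines from `ausearch -m avc -c quotacheck` (or quotaon) to get the verdict for a live system; a mount point whose mountpoint_type() is none of the directory types listed in the policy above is where the mnt_t case will bite, which is why the thread settles on relabeling the mount point to match /var.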
(In reply to comment #16)
> The problem is aquota.group and aquota.user are mislabeled. How did these
> files get created?

They're created by the previous quotacheck command:

```
# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt
```

> Currently we have policy for the creation of this file.
>
> allow quota_t quota_db_t:file { manage_file_perms quotaon };
> files_root_filetrans(quota_t, quota_db_t, file)
> files_boot_filetrans(quota_t, quota_db_t, file)
> files_etc_filetrans(quota_t, quota_db_t, file)
> files_tmp_filetrans(quota_t, quota_db_t, file)
> files_home_filetrans(quota_t, quota_db_t, file)
> files_usr_filetrans(quota_t, quota_db_t, file)
> files_var_filetrans(quota_t, quota_db_t, file)
> files_spool_filetrans(quota_t, quota_db_t, file)

Did these policies change since the -87 version? I could run the quotacheck/quotaon/quotaoff commands successfully in -85, but they failed in -87.

> Meaning we did not expect this file to be created on a mnt_t directory. I
> guess we could add policy for this but if you just want the test to work, you
> could do.
>
> chcon --reference=/var /tmp/mnt/

This command works; I could add this line to my code as a workaround. However, I want to know if the policy change between -85 and -87 against the quotacheck/on/off commands was expected. If the answer is YES, I think the bug can be closed; if no, is there any reason to keep this change in the new version rather than restoring the old policy?

> And then this would mimic the file system being mounted on the /var.

I doubt there was any explicit change, but quotacheck could have been failing to transition and now it does. Since this is a test of the quotacheck code it should probably be coded to handle the SELinux test case properly.

(In reply to comment #18)
> I doubt there was any explicit change, but quotacheck could have been failing
> to transition and now it does.

I diffed -85 and -86 and found this change:

```
diff -Naur rpmbuild.85/SOURCES/policy-F13.patch rpmbuild.86/SOURCES/policy-F13.patch
--- rpmbuild.85/SOURCES/policy-F13.patch	2011-04-13 06:33:50.000000000 -0400
+++ rpmbuild.86/SOURCES/policy-F13.patch	2011-04-19 07:22:28.000000000 -0400
<snip>
@@ -15270,6 +15311,10 @@
 +')
 +
 +optional_policy(`
++	quota_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
 +	rpm_run(unconfined_t, unconfined_r)
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
```

I removed the above piece of the patch and rebuilt the package, and I was able to run the quotacheck/on/off commands again without changing policy. So I think the above code is the point. Now the question is simpler: is the above code change expected?

Yes, in order to make sure the labels are correct.

*** Bug 712874 has been marked as a duplicate of this bug. ***

The test here needs to be fixed to label the mount point it is creating as a valid mountpoint for quota to be run on. Since I believe this is a test issue, I am closing this as notabug.

I recently installed Fedora 15 that was downloaded last month. When I run the following command, I got exactly the same error as Caspar did in May 2011:

```
[root@localhost ~]# mkfs.ext4 /dev/sdb1
[root@localhost ~]# mkdir -p /opt/company_data
[root@localhost ~]# vi /etc/fstab
/dev/sdb1 /opt/company_data ext4 defaults,usrquota,grpquota 1 2
[root@localhost ~]# mount /opt/company_data
[root@localhost ~]# mount | grep company_data
/dev/sdb1 on /opt/company_data type ext4 (rw,relatime,seclabel,barrier=1,data=ordered,usrquota,grpquota)
[root@localhost ~]# quotacheck -ugm /opt/company_data
quotacheck: Cannot create new quotafile /opt/company_data/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
```

----------------------------------------------------

I duplicated the same steps as Caspar did on my machine, and I got exactly the same error on my machine (what's the solution for that? -- sorry, it wasn't clear to me from reading the solution Caspar described above):

```
# dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
8000+0 records in
8000+0 records out
32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s
# mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
# mkdir /tmp/mnt
# mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
```

(In reply to comment #24)
[snip]
> ----------------------------------------------------
> I duplicated the same steps as Caspar did on my machine, and I got exactly the
> same error on my machine (what's the solution for that? -- sorry, it wasn't
> clear to me from reading the solution Caspar described above):
>
> # dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
> 8000+0 records in
> 8000+0 records out
> 32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s
>
> # mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
> # mkdir /tmp/mnt
> # mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
> # chcon --reference=/mnt /tmp/mnt/

try --reference=/var instead of /mnt

> # quotacheck -cug /tmp/mnt
> quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission
> denied
> quotacheck: Cannot initialize IO on new quotafile: Permission denied
> quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission
> denied
> quotacheck: Cannot initialize IO on new quotafile: Permission denied

Thank you!

That solution worked for me in both situations:

```
# chcon --reference=/var /tmp/mnt/
[root@localhost tmp]# quotacheck -cug /tmp/mnt
[root@localhost tmp]# chcon --reference=/var /opt/company_data
[root@localhost tmp]# quotacheck -ugm /opt/company_data
[root@localhost tmp]#
```
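Review bot: in the policy-F13.patch hunk quoted above (the `++ quota_run(unconfined_t, unconfined_r)` lines under `@@ -15270,6 +15311,10 @@`), the added transition is not paired with any file transition for directories outside the root/boot/etc/tmp/home/usr/var/spool types listed earlier in this bug, so once quotacheck runs as quota_t on a mount point labeled mnt_t its aquota.user and aquota.group end up in mnt_t and quotaon is denied, which is the regression reported here. If the transition is intended, the hunk should either come with a matching filetrans for mount-point directories or with a note documenting that the mount point must carry one of the covered labels (the thread's `chcon --reference=/var MOUNTPOINT` workaround), since nothing in the hunk records that requirement.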