Bug 717951

Summary: access to a loop device is denied to quota utilities
Product: Red Hat Enterprise Linux 6
Reporter: Karel Volný <kvolny>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.1
CC: azelinka, dwalsh
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-07-25 13:21:41 UTC
Bug Blocks: 685101

Description Karel Volný 2011-06-30 14:05:18 UTC
Description of problem:
Trying to run the test /CoreOS/quota/Regression/bz77871-grace-period-not-shown I'm getting SELinux denials ...

The test mounts a filesystem on /dev/loopN to a user home directory, then it tries to set up quota on it, but quotacheck fails due to an SELinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-54.el6_0.5.noarch

How reproducible:
always

Steps to Reproduce:
1. mount a loop device into /your/mount with quota enabled (-o loop,usrquota)
2. quotacheck -c /your/mount
Actual results:
type=1400 audit(1309440738.774:30706): avc:  denied  { write } for  pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

Expected results:
quotacheck is allowed access to the device

Additional info:
I guess quota should be allowed to access any device it can run upon ...

note that with setenforce 0, letting the test continue, I get a bunch of other errors, including "quotaon" being denied access to aquota.user

SELinux: initialized (dev loop0, type ext2), uses xattr
type=1400 audit(1309442058.717:30708): avc:  denied  { write } for  pid=13344 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442058.843:30709): avc:  denied  { add_name } for  pid=13344 comm="quotacheck" name="aquota.user.new" scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442058.969:30710): avc:  denied  { create } for  pid=13344 comm="quotacheck" name="aquota.user.new" scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.095:30711): avc:  denied  { write } for  pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.230:30712): avc:  denied  { remove_name } for  pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442059.366:30713): avc:  denied  { rename } for  pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.500:30714): avc:  denied  { setattr } for  pid=13344 comm="quotacheck" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442060.021:30715): avc:  denied  { quotaon } for  pid=13369 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
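When a report like this arrives, the first thing a policy maintainer wants is the set of (source type, target type, object class, permissions) tuples behind the noise, because that is what tells you whether the policy is missing a rule or the object simply carries the wrong label. The following is an added example, not part of the bug report or of selinux-policy: a small Python parser for kernel AVC records of the form shown above, run over a constructed copy of the denials from the description. It groups the denied permissions by process name, source type, target type and class, which here shows every denial pointing at the same target type, user_home_dir_t, on dev=loop0.

```python
import re
from collections import defaultdict

# Constructed sample input: a copy of the audit records quoted in the bug
# report above, plus the non-AVC kernel line that precedes them.
SAMPLE_AUDIT = """\
SELinux: initialized (dev loop0, type ext2), uses xattr
type=1400 audit(1309442058.717:30708): avc:  denied  { write } for  pid=13344 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442058.843:30709): avc:  denied  { add_name } for  pid=13344 comm="quotacheck" name="aquota.user.new" scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442058.969:30710): avc:  denied  { create } for  pid=13344 comm="quotacheck" name="aquota.user.new" scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.095:30711): avc:  denied  { write } for  pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.230:30712): avc:  denied  { remove_name } for  pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442059.366:30713): avc:  denied  { rename } for  pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.500:30714): avc:  denied  { setattr } for  pid=13344 comm="quotacheck" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442060.021:30715): avc:  denied  { quotaon } for  pid=13369 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
"""

# type=1400 is AUDIT_AVC; the permissions sit in braces, the rest is key=value.
AVC_RE = re.compile(
    r"^type=1400 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# Values are either double-quoted (comm, name) or bare tokens (dev, scontext...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type[:range] -> the type, i.e. the third colon-separated field."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),       # absent on some records (see add_name above)
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(text):
    """Group denied permissions by (comm, source type, target type, object class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def report(text):
    """One human-readable line per group, in the style of an allow rule's RHS."""
    lines = []
    for (comm, src, tgt, cls), perms in sorted(summarize_denials(text).items()):
        lines.append(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT):
        print(line)
```

Reading the grouped output, the question to ask is not "which allow rule is missing" but "why is the root of a freshly mounted filesystem labelled user_home_dir_t": quota_t is only expected to touch filesystem roots and aquota.* files with labels the policy knows as quota-bearing, so a target type belonging to the parent home directory points at the mount point's label rather than at the policy. The same grouping can be fed to audit2allow if a real policy gap is suspected, but only after the label question has been settled.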

Comment 2 Daniel Walsh 2011-07-01 11:56:21 UTC
This is not a regression; we need to have a valid label on the mount device in order for SELinux to allow the access.

Just setting up random devices in a test and not putting a label on it will not work and did not work in 6.0.

mount a loop device into /your/mount with quota enabled (-o loop,usrquota)
chcon --reference /home /your/mount
quotacheck -c /your/mount

Should work.  Which seems to be similar to what you are working on.