Description of problem: quotaon.service fails to start on boot. $ systemctl status quotaon ● quotaon.service - Enable File System Quotas Loaded: loaded (/usr/lib/systemd/system/quotaon.service; static; vendor preset: disabled) Active: failed (Result: exit-code) since 五 2016-06-24 15:11:55 CST; 1min 29s ago Docs: man:quotaon(8) Process: 6930 ExecStart=/usr/sbin/quotaon -aug (code=exited, status=203/EXEC) Main PID: 6930 (code=exited, status=203/EXEC) 6月 24 15:11:55 <hostname> systemd[1]: Starting Enable File System Quotas... 6月 24 15:11:55 <hostname> systemd[1]: quotaon.service: Main process exited, code=exited, status=203/EXEC 6月 24 15:11:55 <hostname> systemd[1]: Failed to start Enable File System Quotas. 6月 24 15:11:55 <hostname> systemd[1]: quotaon.service: Unit entered failed state. 6月 24 15:11:55 <hostname> systemd[1]: quotaon.service: Failed with result 'exit-code'. SELinux is preventing (quotaon) from 'execute' accesses on the file /usr/sbin/quotaon. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (quotaon) should be allowed execute access on the quotaon file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(quotaon)' --raw | audit2allow -M my-quotaon # semodule -X 300 -i my-quotaon.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:quota_exec_t:s0 Target Objects /usr/sbin/quotaon [ file ] Source (quotaon) Source Path (quotaon) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.5.7-300.fc24.x86_64 #1 SMP Wed Jun 8 18:12:45 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-06-24 15:11:55 CST Last Seen 2016-06-24 15:11:55 CST Local ID d31279f5-afe7-4130-8079-30432989b7b3 Raw Audit Messages type=AVC msg=audit(1466752315.985:648): avc: denied { execute } for pid=6930 comm="(quotaon)" name="quotaon" dev="dm-7" ino=1061425 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:quota_exec_t:s0 tclass=file permissive=0 Hash: (quotaon),init_t,quota_exec_t,file,execute Additional info: reporter: libreport-2.7.1 hashmarkername: setroubleshoot kernel: 4.5.7-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport
It is quite easily reproducable. It just happens always. Quotaon always fails when run by systemd. Running from console is OK.
Looks like this is more fallout from the systemd confinement. I've wasted hours tracking down new failures related to that. This particular quota issue has broken a number of bits of my network. Is there any chance of having someone look at these? Or is the solution to just audit2allow everything and hope it's better by F25? Here's the patch I'm using to fix this one (applied against the contrib policy). Gary is really helping me out with these: From f6b7a2d1375418900d166b0a64339be14f34019e Mon Sep 17 00:00:00 2001 From: Gary Tierney <gary.tierney> Date: Fri, 19 Aug 2016 16:31:21 +0100 Subject: [PATCH] quota: allow init to run quota tools --- quota.te | 1 + 1 file changed, 1 insertion(+) diff --git a/quota.te b/quota.te index 3710974..d4e9042 100644 --- a/quota.te +++ b/quota.te @@ -76,6 +76,7 @@ files_getattr_all_file_type_fs(quota_t) # Read /etc/mtab. files_read_etc_runtime_files(quota_t) +init_domain(quota_t, quota_exec_t) init_use_fds(quota_t) init_use_script_ptys(quota_t) -- 2.4.11
selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 still doesn't fix the issue: systemd[1]: Starting Enable File System Quotas... systemd[30868]: quotaon.service: Failed at step EXEC spawning /usr/sbin/quotaon: Permission denied
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
The patch is NOT working for me: dnf upgrade reboot dnf list installed | grep selinux-policy selinux-policy.noarch 3.13.1-191.16.fc24 @updates selinux-policy-targeted.noarch 3.13.1-191.16.fc24 @updates systemctl | grep quotaon quotaon.service loaded failed failed Enable File System Quotas
Unfortunately it does not work for me in selinux-policy-targeted-3.13.1-191.16.fc24.noarch
(In reply to Ting-Wei Lan from comment #5) > selinux-policy-3.13.1-191.16.fc24 still doesn't fix the issue: > > systemd[1]: Starting Enable File System Quotas... > systemd[30868]: quotaon.service: Failed at step EXEC spawning > /usr/sbin/quotaon: Permission denied Could you please reopen the bug? Thanks.
Created attachment 1208576 [details] Extract from log Might this log extact help.
The bug seems to be not present in Fedora 25.
I did upgrade from F24 to F25 and the bug remains. The quotaon.service fails at boot of my system.
Did you try to run fixfiles -v -F relabel while quota off??? In F24 it did not help, but in F25 it fixed my problem.
Thanks for hint! The problem (at me) was with bad SELinux context of my "aquota.user" file. Somewhere it is enough to correct it with "fixfiles relabel" or with "restorecon -v /path/to/aquota.user". Somewhere it is necessary to create a local SELinux rule: semanage fcontext -a -t quota_db_t "/path/to/a?quota\.(user|group)" restorecon -v /path/to/aquota.user It would be useful to add a notice to documentation.
I guess the bad SELinux context is a result of quotacheck command...
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.