Bug 212957 - MLS policy doesn't allow turning on quotas
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Platform: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-10-30 06:06 EST by Bastien Nocera
Modified: 2007-11-30 17:07 EST
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-22 20:52:14 EST

Attachments:
avc messages (4.57 KB, text/plain), 2006-11-30 15:27 EST, Archana K. Raghavan
Description Bastien Nocera 2006-10-30 06:06:21 EST
(Create a file called "vdisk", and format it)
# mount -o loop,usrquota,grpquota,context=root:object_r:root_t:s0 vdisk /mnt/loop
# quotacheck -cug /mnt/loop
quotacheck: Can't statfs() /mnt/loop: Permission denied
quotacheck: Mountpoint (or device) /mnt/loop not found.
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.

And in the audit logs:
type=SYSCALL msg=audit(1161225352.239:1569): arch=14 syscall=252 success=no exit=-13 a0=fe8ad6bc a1=58 a2=fe8ac660 a3=100c0bfc items=0 ppid=30858 pid=31062 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="quotacheck" exe="/sbin/quotacheck" subj=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(1161225352.239:1569): avc:  denied  { getattr } for pid=31062 comm="quotacheck" name="/" dev=loop0 ino=2 tcontext=root:object_r:root_t:s0 tclass=filesystem
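
Worked example (added here; it is not part of the bug report and not code from the selinux-policy package): a small Python script that parses the two audit records above, correlates the AVC with its SYSCALL record by audit event id to recover the subject context (the AVC line as pasted carries only tcontext=, but the subj= field of the SYSCALL record shares the same serial 1161225352.239:1569), emits the type-enforcement allow rule audit2allow would propose, and runs a simplified MLS dominance check of the target level against the subject's clearance range, the question comment 14 below turns on. The sample records are constructed from the ones in the report; the function and variable names are the example's own. The range check is a hint only and is not the policy's actual mlsconstrain: here s0 lies inside s0-s15:c0.c255 and yet comment 14 attributes the denial to MLS, so a "covered" result does not rule out an MLS constraint as the cause.

```python
"""Added example: correlate SELinux AVC denials with their SYSCALL records and
emit the allow rule plus a simplified MLS range check. Not code from the bug
report or from selinux-policy; sample records are constructed from the report."""
import re

# Constructed sample: the two records from the bug report, each on one line
# (auditd writes one record per line; the report shows them wrapped).
SAMPLE_AUDIT = (
    'type=SYSCALL msg=audit(1161225352.239:1569): arch=14 syscall=252 success=no exit=-13 '
    'a0=fe8ad6bc a1=58 a2=fe8ac660 a3=100c0bfc items=0 ppid=30858 pid=31062 auid=500 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="quotacheck" '
    'exe="/sbin/quotacheck" subj=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 key=(null)\n'
    'type=AVC msg=audit(1161225352.239:1569): avc:  denied  { getattr } for  pid=31062 '
    'comm="quotacheck" name="/" dev=loop0 ino=2 tcontext=root:object_r:root_t:s0 '
    'tclass=filesystem\n'
)

TYPE_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group raw audit records by event id: {event_id: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if not m:                      # skip ausearch separators and anything unparsed
            continue
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if rtype == "AVC":
            pm = PERMS_RE.search(line)
            fields["perms"] = pm.group(1).split() if pm else []
        events.setdefault(event_id, {})[rtype] = fields
    return events


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type, range or None)."""
    parts = ctx.split(":", 3)
    return tuple(parts) if len(parts) == 4 else tuple(parts) + (None,)


def parse_level(level):
    """'s15:c0.c255' -> (15, frozenset(0..255)); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    categories = set()
    for piece in (cats.split(",") if cats else []):
        if "." in piece:               # 'c0.c255' is an inclusive category range
            lo, hi = piece.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(piece[1:]))
    return int(sens[1:]), frozenset(categories)


def dominates(high, low):
    """MLS dominance: higher-or-equal sensitivity and a superset of categories."""
    return high[0] >= low[0] and high[1] >= low[1]


def range_covers(subject_range, target_level):
    """Simplified check: does the target level sit between the subject's low and
    high level?  A hint only, not the policy's actual mlsconstrain for the class."""
    low, _, high = subject_range.partition("-")
    high = high or low                 # a single level is a range of one
    target = parse_level(target_level)
    return dominates(parse_level(high), target) and dominates(target, parse_level(low))


def denials_to_rules(events):
    """For each event with an AVC denial, return (event_id, allow rule, mls_covered)."""
    out = []
    for event_id, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or not avc.get("perms"):
            continue
        # The AVC as pasted in the report carries no scontext=; fall back to the
        # subj= field of the SYSCALL record that shares the same event id.
        scontext = avc.get("scontext") or recs.get("SYSCALL", {}).get("subj")
        if not scontext:
            continue
        _, _, stype, srange = split_context(scontext)
        _, _, ttype, tlevel = split_context(avc["tcontext"])
        rule = "allow %s %s:%s { %s };" % (stype, ttype, avc["tclass"], " ".join(avc["perms"]))
        covered = range_covers(srange, tlevel) if srange and tlevel else None
        out.append((event_id, rule, covered))
    return out


if __name__ == "__main__":
    for event_id, rule, covered in denials_to_rules(parse_records(SAMPLE_AUDIT)):
        print("%s  %s  target level inside subject range: %s" % (event_id, rule, covered))
```

On a live system the same parser can be fed the raw output of `ausearch -m AVC,SYSCALL`; it ignores the `----` separators and `time->` lines. Gather the records in permissive mode (`setenforce 0`, as comment 4 below asks), because in enforcing mode the first denial aborts quotacheck and only that one AVC is ever logged.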

Comment 1 RHEL Product and Program Management 2006-10-30 06:20:32 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
Comment 2 Daniel Walsh 2006-11-17 13:37:40 EST
Fixed in selinux-policy-2.4.5-1
Comment 4 Daniel Walsh 2006-11-27 12:05:16 EST
Please setenforce 0, and run this command again, to gather all of the AVC messages.

I have added this priv to selinux-policy-2.4.5-4
Comment 7 Archana K. Raghavan 2006-11-30 15:27:09 EST
Created attachment 142517 [details]
avc messages
Comment 8 Daniel Walsh 2006-11-30 16:17:56 EST
Try  selinux-policy-2.4.6-4
Comment 11 Daniel Walsh 2006-12-01 16:48:44 EST
Ok, let's try selinux-policy-2.4.6-5
Comment 14 Daniel Walsh 2006-12-08 11:42:28 EST
I put these AVCs on selinux-policy-2.4.6-8 and they say they would be allowed by
active policy.  The problem here was MLS.  sysadm_t was not allowed to getattr
on the disk at a higher sensitivity level.  Since we have combined secadm and
sysadm, this should be allowed.
Comment 17 RHEL Product and Program Management 2006-12-22 20:52:15 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.