(Create a file called "vdisk", and format it)

    # mount -o loop,usrquota,grpquota,context=root:object_r:root_t:s0 vdisk /mnt/loop
    # quotacheck -cug /mnt/loop
    quotacheck: Can't statfs() /mnt/loop: Permission denied
    quotacheck: Mountpoint (or device) /mnt/loop not found.
    quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.

And in the audit logs:

    type=SYSCALL msg=audit(1161225352.239:1569): arch=14 syscall=252 success=no exit=-13 a0=fe8ad6bc a1=58 a2=fe8ac660 a3=100c0bfc items=0 ppid=30858 pid=31062 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="quotacheck" exe="/sbin/quotacheck" subj=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 key=(null)
    type=AVC msg=audit(1161225352.239:1569): avc: denied { getattr } for pid=31062 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 tcontext=root:object_r:root_t:s0 tclass=filesystem

selinux-policy-mls-2.3.18-3
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
Fixed in selinux-policy-2.4.5-1
Please setenforce 0, and run this command again, to gather all of the AVC messages. I have added this priv to selinux-policy-2.4.5-4
Created attachment 142517 avc messages
Try selinux-policy-2.4.6-4
OK, let's try selinux-policy-2.4.6-5
I put these AVCs on selinux-policy-2.4.6-8 and they say they would be allowed by active policy. The problem here was MLS. sysadm_t was not allowed to getattr on the disk at a higher sensitivity level. Since we have combined secadm and sysadm, this should be allowed.
A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
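
For triaging a permissive-mode run like the one requested above, the following added example (not part of the bug thread or of any Red Hat tooling) groups AVC denials by source type, target type and class, and splits out the MLS levels on each side. The function names are hypothetical; the AVC record is the one from the report, and the SYSCALL line is shortened.

```python
import re

# Sample audit lines: SYSCALL record shortened, AVC record as shown in the report.
SAMPLE = [
    'type=SYSCALL msg=audit(1161225352.239:1569): arch=14 syscall=252 '
    'success=no exit=-13 comm="quotacheck"',
    'type=AVC msg=audit(1161225352.239:1569): avc: denied { getattr } for '
    'pid=31062 comm="quotacheck" name="/" dev=loop0 ino=2 '
    'scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 '
    'tcontext=root:object_r:root_t:s0 tclass=filesystem',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; a range is low[-high], high defaults to low."""
    user, role, typ, *rest = ctx.split(":", 3)
    low, _, high = (rest[0] if rest else "").partition("-")
    return {"user": user, "role": role, "type": typ,
            "low": low or None, "high": (high or low) or None}

def sensitivity(level):
    """Numeric sensitivity of a level, e.g. 's15:c0.c255' -> 15."""
    m = re.match(r"s(\d+)", level or "")
    return int(m.group(1)) if m else None

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {"perms": m.group(1).split(), "comm": fields.get("comm"),
            "tclass": fields.get("tclass"),
            "source": split_context(fields["scontext"]),
            "target": split_context(fields["tcontext"])}

def summarize(lines):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
        out.setdefault(key, set()).update(rec["perms"])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```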