Bug 469753 - Enable remote quota support (--enable-rpcsetquota=yes) in RHEL quota utilities
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: quota
Version: 5.2
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
Assignee: Petr Pisar
QA Contact: Martin Cermak
Reported: 2008-11-03 21:15 UTC by Franco M. Bladilo
Modified: 2018-10-04 11:20 UTC

Fixed In Version: quota-3.13-2.el5
Doc Type: Enhancement
Doc Text:
The superuser is now able to use the '-r' (remote) option to edit quota limits on a remote system via remote procedure call (RPC) using the standard quota limit utilities. This enables quota limits on file systems which are mounted over the network.
Last Closed: 2011-01-13 22:10:17 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0023 0 normal SHIPPED_LIVE quota bug fix and enhancement update 2011-01-12 15:59:31 UTC

Description Franco M. Bladilo 2008-11-03 21:15:25 UTC
Description of problem:

We implement filesystem quotas for many servers and clusters in campus and this feature is crucial to support the scalability of our centralized NFS services. We can't count on the file service nodes to be able to lookup account credentials for each of the clients.

Version-Release number of selected component (if applicable):

quota-3.13-1.2.5

How reproducible:

Install RHEL5 and try to use the remote "-r" quota feature in all utilities.

Steps to Reproduce:
1.
2.
3.
  
Actual results:

Not able to set quotas remotely.

Expected results:

Being able to set quotas remotely over RPC.

Additional info:

Comment 1 Ondrej Vasik 2008-11-04 07:34:51 UTC
Thanks for the suggestion. I have the same request for Fedora as well, but I'm not sure about 100% safety of that feature. That's IMHO one of the reasons why it is not enabled by default in the upstream release. Anyway, I would suggest contacting Red Hat product support (Bugzilla is not product support) to give priority to such a change. It has to be tested quite a lot to make it safe for everyone.

Comment 2 Ondrej Vasik 2008-11-04 14:29:53 UTC
Additionally, --enable-rpcsetquota=YES only enables the setquota -r and edquota -r possibility... this could easily be done by an ssh connection to the distant machine and running those commands locally; in a script it would have the same result for you and no possible security impact for others. Rquotad works over RPC even without that option enabled.

Comment 10 Petr Pisar 2010-07-29 13:56:02 UTC
We spotted a problem: the /usr/sbin/rpc.rquotad binary is denied the quotactl(SETQUOTA) syscall by SELinux:

type=AVC msg=audit(1280410596.965:31522): avc:  denied  { quotamod } for  pid=6857 comm="rpc.rquotad" scontext=root:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1280410596.965:31522): arch=c000003e syscall=179 success=no exit=-13 a0=80000800 a1=2b0680737108 a2=8ae a3=7fff9bfe3490 items=0 ppid=1 pid=6857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5122 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=root:system_r:rpcd_t:s0 key=(null)

In contrast, /usr/sbin/setquota is allowed to do it, as it has a different role:

-rwxr-xr-x. root root system_u:object_r:rpcd_exec_t:s0 /usr/sbin/rpc.rquotad
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/setquota

We need to change /usr/sbin/setquota role or change SELinux policy.
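
Added example, not part of the bug report or of the quota or SELinux projects' code: a Python triage helper that pairs the AVC and SYSCALL records quoted in comment 10 by audit serial number and renders the denied access as a candidate policy rule for review. The function names are hypothetical, and the rule text follows the `allow source target:class permission;` form that audit2allow prints.

```python
import errno
import re

# The two audit records quoted in comment 10 (one event, serial 31522).
AUDIT_LOG = """\
type=AVC msg=audit(1280410596.965:31522): avc:  denied  { quotamod } for  pid=6857 comm="rpc.rquotad" scontext=root:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1280410596.965:31522): arch=c000003e syscall=179 success=no exit=-13 a0=80000800 a1=2b0680737108 a2=8ae a3=7fff9bfe3490 items=0 ppid=1 pid=6857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5122 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=root:system_r:rpcd_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log):
    """Group audit records by serial: {serial: {record_type: fields}}."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        avc = AVC.search(body)
        if avc:
            fields["perms"] = avc.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def summarize_denials(log):
    """One summary per denied AVC, joined with its SYSCALL record if present."""
    out = []
    for serial, recs in parse_events(log).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue
        src = avc["scontext"].split(":")[2]   # type field of user:role:type:level
        tgt = avc["tcontext"].split(":")[2]
        p = avc["perms"]
        perm = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        code = -int(sc["exit"]) if sc.get("success") == "no" else 0
        out.append({
            "serial": serial,
            "exe": sc.get("exe"),
            "errno": errno.errorcode.get(code),   # exit=-13 is EACCES
            "rule": f"allow {src} {tgt}:{avc['tclass']} {perm};",
        })
    return out

if __name__ == "__main__":
    for denial in summarize_denials(AUDIT_LOG):
        print(denial)
```

The printed rule is input for a policy review, such as the one comment 11 moves to the SELinux policy component, and not a change to load as-is.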

Comment 11 Petr Pisar 2010-08-02 12:03:52 UTC
The SELinux issue has been discussed with mgrepl off-line. A new bug against the SELinux policy component will be opened.

Comment 12 Martin Cermak 2010-08-04 06:50:29 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
For remote quotas to work with SELinux you have to adjust the rpc.quotad SELinux context until BZ#621057 is resolved.

Comment 16 Martin Prpič 2010-12-10 15:14:36 UTC
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1 @@
-For remote quotas to work with SELinux you have to adjust the rpc.quotad SELinux context until BZ#621057 is resolved.+The superuser is now able to use the '-r' (remote) option to edit quota limits on a remote system via remote procedure call (RPC) using the standard quota limit utilities. This enables quota limits on file systems which are mounted oven the network.
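
Review bot: the added line carries a typo, "mounted oven the network" should read "mounted over the network". The replacement also drops the removed line's SELinux caveat pointing to BZ#621057 without saying whether that bug is resolved; if the rpc.rquotad denial shown in comment 10 can still occur with the shipped build, keep a one-sentence pointer to BZ#621057 in the note.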

Comment 18 errata-xmlrpc 2011-01-13 22:10:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0023.html
