Description of problem: I enabled quota on an lvm device. "quota" on the fileserver shows the quota, but on an nfs client nothing is shown. When testing with SELinux in permissive mode then "quota" shows the quota also on nfs clients. Here the audit messages: node=server type=AVC msg=audit(1241368095.335:78828): avc: denied { getattr } for pid=12022 comm="rpc.rquotad" path="/dev/dm-12" dev=tmpfs ino=8206 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file node=server type=SYSCALL msg=audit(1241368095.335:78828): arch=c000003e syscall=4 success=yes exit=0 a0=154ecc0 a1=7fffbe46d290 a2=7fffbe46d290 a3=8ff1be items=0 ppid=1 pid=12022 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5641 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=unconfined_u:system_r:rpcd_t:s0 key=(null) ls -lZ /dev/dm-12 shows: brw-rw---- root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12 mount|grep dm-12 shows: /dev/dm-12 on /fs/users0 type ext3 (rw,usrjquota=aquota.user,jqfmt=vfsv0) Version-Release number of selected component (if applicable): quota-3.16-7.fc10.x86_64 selinux-policy-targeted-3.5.13-53.fc10.noarch selinux-policy-3.5.13-53.fc10.noarch libselinux-utils-2.0.78-1.fc10.x86_64 libselinux-2.0.78-1.fc10.x86_64 libselinux-2.0.78-1.fc10.i386 How reproducible: Always. Steps to Reproduce: 1. Create and activate quota on an filesystem and nfs-export it. 2. Set quota to a user and activate it (quotacheck!). 3. Start nfs and rpc.rquotad (will be started with service nfs). 4. Mount the filesystem on a nfs client. 5. Enter "quota -v username" on server and client where user exist (e.g. using nfs or ldap or create the same user locally). 6. Set permissive mode on the server and test "quota -v username" on the nfs client again. Actual results: "quota -v username" on nfs client shows nothing when SELinux is enforcing on nfs server. Expected results: "quota -v username" shows the quota.
Miroslav can you add storage_getattr_fixed_disk_dev(rpcd_t) to rpc.te
Fixed in selinux-policy-3.5.13-59.fc10
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Closing as closed in the current release.