Bug 498823 - rpc.rquotad cannot access disk devices (fixed_disk_device_t)
rpc.rquotad cannot access disk devices (fixed_disk_device_t)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-03 12:57 EDT by Edgar Hoch
Modified: 2009-11-18 08:04 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 08:04:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Edgar Hoch 2009-05-03 12:57:25 EDT
Description of problem:
I enabled quota on an lvm device.

"quota" on the fileserver shows the quota, but on an nfs client nothing is shown.
When testing with SELinux in permissive mode then "quota" shows the quota also on nfs clients.

Here the audit messages:

node=server type=AVC msg=audit(1241368095.335:78828): avc:  denied  { getattr } for  pid=12022 comm="rpc.rquotad" path="/dev/dm-12" dev=tmpfs ino=8206 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

node=server type=SYSCALL msg=audit(1241368095.335:78828): arch=c000003e syscall=4 success=yes exit=0 a0=154ecc0 a1=7fffbe46d290 a2=7fffbe46d290 a3=8ff1be items=0 ppid=1 pid=12022 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5641 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)

ls -lZ /dev/dm-12 shows:
brw-rw----  root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12

mount|grep dm-12 shows:
/dev/dm-12 on /fs/users0 type ext3 (rw,usrjquota=aquota.user,jqfmt=vfsv0)


Version-Release number of selected component (if applicable):
quota-3.16-7.fc10.x86_64
selinux-policy-targeted-3.5.13-53.fc10.noarch
selinux-policy-3.5.13-53.fc10.noarch
libselinux-utils-2.0.78-1.fc10.x86_64
libselinux-2.0.78-1.fc10.x86_64
libselinux-2.0.78-1.fc10.i386

How reproducible:
Always.

Steps to Reproduce:
1. Create and activate quota on an filesystem and nfs-export it.
2. Set quota to a user and activate it (quotacheck!).
3. Start nfs and rpc.rquotad (will be started with service nfs).
4. Mount the filesystem on a nfs client.
5. Enter "quota -v username" on server and client where user exist (e.g. using nfs or ldap or create the same user locally).
6. Set permissive mode on the server and test "quota -v username" on the nfs client again.
  
Actual results:
"quota -v username" on nfs client shows nothing when SELinux is enforcing on nfs server.

Expected results:
"quota -v username" shows the quota.
Comment 1 Daniel Walsh 2009-05-04 12:28:33 EDT
Miroslav can you add

storage_getattr_fixed_disk_dev(rpcd_t)

to rpc.te
Comment 2 Miroslav Grepl 2009-05-07 08:53:23 EDT
Fixed in selinux-policy-3.5.13-59.fc10
Comment 3 Bug Zapper 2009-11-18 06:54:00 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Daniel Walsh 2009-11-18 08:04:51 EST
Closing as closed in the current release.

Note You need to log in before you can comment on or make changes to this bug.