Bug 500400 - rpc.rquotad cannot access local disks
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2009-05-12 11:04 EDT by Orion Poplawski
Modified: 2010-09-21 08:41 EDT
Doc Type: Bug Fix
Last Closed: 2010-09-21 08:41:27 EDT

Attachments
strace of rquotad in enforcing mode (8.19 KB, text/plain)
2009-08-31 10:57 EDT, Orion Poplawski
Description Orion Poplawski 2009-05-12 11:04:43 EDT
Description of problem:

Running quota on nfs clients returns nothing and the following denials are generated on the server:

type=AVC msg=audit(1242140458.635:598): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" path="/export" dev=dm-0 ino=65537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242140458.635:599): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" path="/var/spool" dev=dm-5 ino=258049 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

quotas are implemented on /export/home and /var/spool/mail which are separate file systems.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-229.el5
Comment 1 Daniel Walsh 2009-05-12 11:22:34 EDT
/export looks like it is labeled incorrectly?  Do you have users' home directories under here?

Are you sharing /var/spool via NFS?

I guess rpc.quota needs to be able to getattr on every dir file_type.
Comment 2 Orion Poplawski 2009-05-12 11:23:34 EDT
Here's a more complete list:


type=AVC msg=audit(1242141333.588:954): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" path="/export" dev=dm-0 ino=65537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242141333.588:955): avc:  denied  { search } for  pid=4480 comm="rpc.rquotad" name="export" dev=dm-0 ino=65537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242141333.588:956): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1242141333.588:957): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" path="/dev/mapper/rootvg-home" dev=tmpfs ino=1388 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1242141333.589:958): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" path="/var/spool" dev=dm-5 ino=258049 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1242141333.589:959): avc:  denied  { search } for  pid=4480 comm="rpc.rquotad" name="spool" dev=dm-5 ino=258049 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1242141333.589:959): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" path="/var/spool/mail" dev=dm-6 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=AVC msg=audit(1242141333.628:962): avc:  denied  { quotaget } for  pid=4480 comm="rpc.rquotad" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem



#============= rpcd_t ==============
allow rpcd_t fixed_disk_device_t:blk_file getattr;
allow rpcd_t fs_t:filesystem { getattr quotaget };
allow rpcd_t home_root_t:dir { getattr search };
allow rpcd_t mail_spool_t:dir getattr;
allow rpcd_t var_spool_t:dir { getattr search };



I seem to now have removed all denials from /var/log/audit/audit.log, but quota still doesn't work on the nfs clients.
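An added worked example (not part of this bug report, and not audit2allow's own code) that reproduces what comment 2 did by hand: parse the AVC records, group them by source type, target type and object class, and render the candidate allow rules in .te syntax. The sample log is constructed from the denials quoted in comment 2, with one SYSCALL record added to show that non-AVC lines are skipped.

```python
"""Aggregate SELinux AVC denials into candidate allow rules (the step audit2allow
automates). Added example for this thread; a simplified parser, not Red Hat's code."""
import re
from collections import defaultdict

# Constructed sample built from the denials in comment 2 (a SYSCALL record is
# included to show that non-AVC lines are ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242141333.588:954): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" path="/export" dev=dm-0 ino=65537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242141333.588:955): avc:  denied  { search } for  pid=4480 comm="rpc.rquotad" name="export" dev=dm-0 ino=65537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242141333.588:956): avc:  denied  { getattr } for  pid=4480 comm="rpc.rquotad" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1242141333.628:962): avc:  denied  { quotaget } for  pid=4480 comm="rpc.rquotad" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1242141333.628:962): arch=40000003 syscall=131 success=no exit=-1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:level] -> type, the field policy rules are written against."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PATH, ...)
        for perm in m.group("perms").split():
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), perm)


def aggregate(text):
    """Group denials by (source, target, class) -> sorted permission list."""
    rules = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(text):
        rules[(src, tgt, cls)].add(perm)
    return {key: sorted(perms) for key, perms in rules.items()}


def allow_rules(text):
    """Render the aggregated denials in the .te syntax shown in comment 2."""
    lines = []
    for (src, tgt, cls), perms in sorted(aggregate(text).items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return lines


if __name__ == "__main__":
    print("#============= rpcd_t ==============")
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Two points this thread makes about output like this: it only covers denials that were actually logged, so anything matched by a dontaudit rule never shows up (which is why comment 7 suggests `semodule -DB` before collecting AVCs, and why the decisive rule in comment 17 only appeared once dontaudits were disabled); and each generated rule still needs a policy decision rather than wholesale loading, which is exactly the question comment 18 raises.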
Comment 3 Orion Poplawski 2009-05-12 11:25:01 EDT
(In reply to comment #1)
> /export looks like it is labeled incorrectly?  Do you have users'
> home directories under here?
>

user directories are in /export/home/<username>, which get automounted as /home/<username> on the server (bind mounted) as well as the clients.

> Are you shareing /var/spool via NFS?

No.
Comment 4 Daniel Walsh 2009-08-21 17:12:59 EDT
I think this might be
Fixed in selinux-policy-2.4.6-256.el5
Comment 5 Orion Poplawski 2009-08-25 17:13:31 EDT
Will this be posted to your repo soon?
Comment 6 Orion Poplawski 2009-08-28 16:04:31 EDT
Well, it still doesn't work with selinux-policy-2.4.6-256.el5.  I can't see any denials though in /var/log/audit/audit.log, even with enableaudit loaded.  But disabling enforcing mode does enable remote quotas to work.   The directories are in logical volumes, hence device mapper is involved if that matters:

/dev/mapper/rootvg-home
                       86G   76G  5.6G  94% /export/home
Comment 7 Daniel Walsh 2009-08-28 16:37:47 EDT
Orion,  5.4 has a better way to turn off dontaudit rules.

execute

semodule -DB

Then try it out.  Should see more AVC messages.

semodule -B 

Turns back on dontaudit messages.
Comment 8 Orion Poplawski 2009-08-28 18:58:02 EDT
Well, I don't know if:

checkpolicy-1.33.1-4.el5
policycoreutils-1.33.12-14.6.el5
selinux-policy-2.4.6-256.el5
selinux-policy-targeted-2.4.6-256.el5

is close enough to being "5.4", but semodule -DB didn't seem to show anything in /var/log/audit/audit.log either.
Comment 9 Daniel Walsh 2009-08-31 08:59:35 EDT
Is it working in permissive mode?
Comment 10 Orion Poplawski 2009-08-31 10:31:12 EDT
(In reply to comment #9)
> Is it working in permissive mode?  

Yes.  Toggling /selinux/enforce toggles whether quota on a remote machine works.
Comment 11 Daniel Walsh 2009-08-31 10:48:28 EDT
Can you get an strace so we can see what syscall is getting the permission denied?
Comment 12 Orion Poplawski 2009-08-31 10:57:51 EDT
Created attachment 359274
strace of rquotad in enforcing mode

Basically the difference between enforcing/permissive is:

< 4556  quotactl(Q_GETQUOTA|USRQUOTA, "/dev/mapper/rootvg-home", 1744, {bhardlimit=5096000, bsoftlimit=5096000, curspace=3295522816, ihardlimit=0, isoftlimit=0, curinodes=27590, ...}) = 0
---                    
> 4556  quotactl(Q_GETQUOTA|USRQUOTA, "/dev/mapper/rootvg-home", 1744, 0xbfd93cf8) = -1 EPERM (Operation not permitted)

/dev/mapper/rootvg-home on /export/home type ext3 (rw,usrquota)

[root@earth ~]# ls -Z /export/home/aquota.user
-rw-------  root root root:object_r:home_root_t        /export/home/aquota.user

restorecon set context /export/home/aquota.user->system_u:object_r:default_t:s0 failed:'Operation not permitted'
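The diagnostic in comment 12 (strace the daemon in permissive and in enforcing mode, then diff the two) is worth automating when nothing appears in audit.log, because it finds the denied syscall even when a dontaudit rule hides the AVC. The following is an added example, not part of the attachment or of strace: it parses two captures and lists the syscalls that only fail with a permission error under enforcing mode. The samples are constructed around the two quotactl lines quoted above; the open and stat64 lines are invented filler that behaves the same in both modes.

```python
"""Diff two strace captures (permissive vs enforcing) and list the syscalls that
only fail with a permission error under enforcing mode. Added example for this
thread; not part of the attachment or of strace."""
import re

# Constructed samples modelled on the quotactl lines in comment 12; the open and
# stat64 lines are filler that succeeds in both modes.
PERMISSIVE = """\
4556  open("/etc/mtab", O_RDONLY) = 3
4556  stat64("/export/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
4556  quotactl(Q_GETQUOTA|USRQUOTA, "/dev/mapper/rootvg-home", 1744, {bhardlimit=5096000, bsoftlimit=5096000, curspace=3295522816, ihardlimit=0, isoftlimit=0, curinodes=27590, ...}) = 0
"""
ENFORCING = """\
4556  open("/etc/mtab", O_RDONLY) = 3
4556  stat64("/export/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
4556  quotactl(Q_GETQUOTA|USRQUOTA, "/dev/mapper/rootvg-home", 1744, 0xbfd93cf8) = -1 EPERM (Operation not permitted)
"""

# Matches "pid  call(args) = ret [ERRNO (text)]"; lines split by "<unfinished ...>"
# or "resumed>" do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)"
    r"(?:\s+(?P<errno>E[A-Z]+))?"
)
PERMISSION_ERRNOS = {"EPERM", "EACCES"}


def normalise_args(args):
    """Replace decoded structs and raw pointers with <buf>, so a call that succeeded
    (struct printed by strace) and one that failed (bare pointer) compare equal."""
    return re.sub(r"\{[^{}]*\}|0x[0-9a-fA-F]+", "<buf>", args)


def parse_strace(text):
    """Map (syscall, normalised args) -> 'ok' or the errno name."""
    calls = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group("call"), normalise_args(m.group("args")))
        calls[key] = m.group("errno") or "ok"
    return calls


def permission_regressions(permissive_text, enforcing_text):
    """Syscalls that succeeded in permissive mode but hit EPERM/EACCES when enforcing."""
    permissive = parse_strace(permissive_text)
    enforcing = parse_strace(enforcing_text)
    return sorted(
        key for key, result in enforcing.items()
        if result in PERMISSION_ERRNOS and permissive.get(key) == "ok"
    )


if __name__ == "__main__":
    for call, args in permission_regressions(PERMISSIVE, ENFORCING):
        print(f"{call}({args}) is denied only in enforcing mode")
```

A syscall that flips to EPERM when enforcing is toggled, with no matching AVC in audit.log, is the signature of a dontaudit rule; the next step in this thread was to disable dontaudits and look again, which is what eventually surfaced the missing rule in comment 17.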
Comment 13 Daniel Walsh 2009-08-31 11:14:22 EDT
Orion what is /export/home/aquota.user

ls -lZ /export/home/aquota.user


This feels like a kernel problem.
Comment 14 Orion Poplawski 2009-08-31 11:32:36 EDT
[root@earth ~]# ls -lZ /export/home/aquota.user
-rw-------  root root root:object_r:home_root_t        /export/home/aquota.user
restorecon -v /export/home/aquota.user
restorecon set context /export/home/aquota.user->system_u:object_r:default_t:s0 failed:'Operation not permitted'
Comment 15 Daniel Walsh 2009-10-15 13:53:15 EDT
Eric, did you get a chance to look at this?
Comment 16 Eric Paris 2010-02-11 14:42:30 EST
I apologize that it has been months since you filed this bug, I was able to reproduce the problem today and am actively working on getting to the bottom of it.
Comment 17 Eric Paris 2010-02-11 14:51:34 EST
I was able to make this work by doing a couple of things.  First I fixed up my labelling on the server so I didn't have default_t any more.  I actually made the labeling such that the root of the mount was user_home_t but I would guess that home_root_t would be a LOT more common.  After I fixed the labeling and disabled dontaudits I got one rule:

allow rpcd_t user_home_t:file { read lock open };

With that new rule the problem appears (at least to me) to be fixed.  I'm moving this back to policy as we need to decide what files we want, or do not want, rpcd_t to be able to read......
Comment 18 Daniel Walsh 2010-02-11 15:16:41 EST
Do I need to allow rpcd_t to read all files or just files in the top level directories?

Do I need a boolean to allow this

rpcd_use_quota
Comment 20 Daniel Walsh 2010-02-22 15:34:54 EST
Miroslav add

userdom_read_user_home_content_files(rpcd_t)
