Description of problem:
I upgraded an NFS server from RHEL 5.3 to 5.4, and after rebooting, accessing quotas over NFS stopped working. Running quota locally worked fine. After some digging, it turned out that this was due to SELinux. The following policy changes allowed rpc.rquotad to work again:

allow rpcd_t fs_t:filesystem { getattr quotaget };
allow rpcd_t home_root_t:file read;
allow rpcd_t self:capability sys_admin;

# ll -Z /usr/sbin/rpc.rquotad
-rwxr-xr-x root root system_u:object_r:rpcd_exec_t /usr/sbin/rpc.rquotad*

Version-Release number of selected component (if applicable):
quota-3.13-1.2.5.el5
kernel-PAE-2.6.18-164.el5
libselinux-devel-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-targeted-2.4.6-255.el5
selinux-policy-2.4.6-255.el5
nfs-utils-lib-1.0.8-7.6.el5
system-config-nfs-1.3.23-1.el5
nfs-utils-1.0.9-42.el5

How reproducible:
No idea

Steps to Reproduce:
1. Upgrade from RHEL 5.3 to 5.4
2. See if quotas over NFS work

Actual results:
Quotas over NFS do not work.

Expected results:
Quotas over NFS work.

Additional info:
Thanks for report. I'll reassign this to selinux-policy to solve this generally... Keeping myself in CC...
What AVC's are you seeing?
Grepping the audit.log for rquotad shows thousands of lines of the "denied {getattr}" stuff, then a few others once I started fixing it, like:

type=AVC msg=audit(1253728211.916:355): avc: denied { getattr } for pid=4360 comm="rpc.rquotad" name="/" dev=dm-10 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1253728211.916:355): arch=40000003 syscall=268 success=no exit=-13 a0=bfe051b4 a1=54 a2=bfe04160 a3=4dfb40 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)

type=AVC msg=audit(1253728260.637:358): avc: denied { quotaget } for pid=4360 comm="rpc.rquotad" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1253728260.637:358): arch=40000003 syscall=131 success=no exit=-13 a0=80000400 a1=8516c40 a2=0 a3=bfe05d64 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)

type=AVC msg=audit(1253728260.638:359): avc: denied { read } for pid=4360 comm="rpc.rquotad" name="aquota.user" dev=dm-11 ino=49155 scontext=system_u:system_r:rpcd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1253728260.638:359): arch=40000003 syscall=5 success=no exit=-13 a0=bfe05168 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)

type=AVC msg=audit(1253728364.914:364): avc: denied { sys_admin } for pid=4360 comm="rpc.rquotad" capability=21 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability
type=SYSCALL msg=audit(1253728364.914:364): arch=40000003 syscall=131 success=no exit=-1 a0=80000700 a1=8516c40 a2=441f a3=bfe060e8 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)

Once I made the policy changes in the original report, quota started working, as I mentioned.
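The denials quoted above are exactly the input that audit2allow normally turns into policy rules. As an added illustration (not part of this bug report or of the selinux-policy package), the following Python script does that aggregation in miniature: it parses the AVC records from the comment above, groups permissions per (source type, target type, class), and emits the three allow rules the original description arrived at by hand.

```python
import re
from collections import defaultdict

# Matches the kernel's AVC denial record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, tclass, permission set), or None for
    records that are not AVC denials (e.g. the paired SYSCALL records)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group('scontext').split(':')[2]   # a context is user:role:type[:level]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def allow_rules(lines):
    """Collapse denials into one 'allow' statement per (source, target, class);
    a target type equal to the source type is written as 'self', as in the report."""
    perms = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, p = parsed
        perms[(stype, 'self' if ttype == stype else ttype, tclass)] |= p
    rules = []
    for (stype, ttype, tclass), p in sorted(perms.items()):
        joined = ' '.join(sorted(p))
        rhs = joined if len(p) == 1 else '{ %s }' % joined
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, rhs))
    return rules

# Sample AVC records copied from the comment above (the SYSCALL records are left out).
SAMPLE = [
    'type=AVC msg=audit(1253728211.916:355): avc: denied { getattr } for pid=4360 comm="rpc.rquotad" '
    'name="/" dev=dm-10 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1253728260.637:358): avc: denied { quotaget } for pid=4360 comm="rpc.rquotad" '
    'scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1253728260.638:359): avc: denied { read } for pid=4360 comm="rpc.rquotad" name="aquota.user" '
    'dev=dm-11 ino=49155 scontext=system_u:system_r:rpcd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file',
    'type=AVC msg=audit(1253728364.914:364): avc: denied { sys_admin } for pid=4360 comm="rpc.rquotad" capability=21 '
    'scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability',
]

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE)))
```

Generated rules are only as good as the denials they came from, so a rule that grants a capability such as sys_admin (which is very broad) is worth reviewing before it is loaded rather than merged in blindly.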
Fixed in selinux-policy-2.4.6-259.el5
I just got the upgraded package selinux-policy-2.4.6-255.el5_4.3 through yum this morning and the errors are there. Could you please tell me where to find selinux-policy-2.4.6-259.el5 or when it is coming?
(In reply to comment #8)
> I just got the upgraded package selinux-policy-2.4.6-255.el5_4.3 through yum
> this morning and the errors are there. Could you please tell me where to find
> selinux-policy-2.4.6-259.el5 or when it is coming?

Hi Cale, the latest available policy appears from time to time in Dan's repository:
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
At the moment there is version 2.4.6-269, which should be even better for you to install/test.
Fixed in selinux-policy-2.4.6-274.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2010-0182.html