Bug 525420 - rpc.rquotad stops working after RHEL 5.4 upgrade due to avc denied errors
rpc.rquotad stops working after RHEL 5.4 upgrade due to avc denied errors
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.4
All Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-09-24 06:38 EDT by Janne Blomqvist
Modified: 2012-10-15 10:24 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-30 03:50:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Janne Blomqvist 2009-09-24 06:38:01 EDT
Description of problem:

I upgraded a NFS server from RHEL 5.3 to 5.4, and after rebooting accessing quotas over NFS stopped working. Running quota locally worked fine. After some digging, it turned out that this was due to selinux. The following policy changes allowed rpc.rquotad to work again:

allow rpcd_t fs_t:filesystem { getattr quotaget };
allow rpcd_t home_root_t:file read;
allow rpcd_t self:capability sys_admin;

# ll -Z /usr/sbin/rpc.rquotad
-rwxr-xr-x  root root system_u:object_r:rpcd_exec_t    /usr/sbin/rpc.rquotad*


Version-Release number of selected component (if applicable):

quota-3.13-1.2.5.el5
kernel-PAE-2.6.18-164.el5
libselinux-devel-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-targeted-2.4.6-255.el5
selinux-policy-2.4.6-255.el5
nfs-utils-lib-1.0.8-7.6.el5
system-config-nfs-1.3.23-1.el5
nfs-utils-1.0.9-42.el5

How reproducible:

No idea

Steps to Reproduce:
1. Upgrade from RHEL 5.3 to 5.4
2. See if quotas over NFS work
  
Actual results:

Quotas over NFS do not work.

Expected results:

Quotas over NFS work.

Additional info:
Comment 1 Ondrej Vasik 2009-09-24 06:53:10 EDT
Thanks for report. I'll reassign this to selinux-policy to solve this generally... Keeping myself in CC...
Comment 2 Daniel Walsh 2009-09-24 14:28:45 EDT
What AVC's are you seeing?
Comment 3 Janne Blomqvist 2009-09-25 04:40:25 EDT
Grepping the audit.log for rquotad shows thousands of lines of the "denied {getattr}" stuff, then a few others once I started fixing it, like:

type=AVC msg=audit(1253728211.916:355): avc:  denied  { getattr } for  pid=4360 comm="rpc.rquotad" name="/" dev=dm-10 ino=2 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1253728211.916:355): arch=40000003 syscall=268 success=no exit=-13 a0=bfe051b4 a1=54 a2=bfe04160 a3=4dfb40 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1253728260.637:358): avc:  denied  { quotaget } for  pid=4360 comm="rpc.rquotad" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1253728260.637:358): arch=40000003 syscall=131 success=no exit=-13 a0=80000400 a1=8516c40 a2=0 a3=bfe05d64 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1253728260.638:359): avc:  denied  { read } for  pid=4360 comm="rpc.rquotad" name="aquota.user" dev=dm-11 ino=49155 scontext=system_u:system_r:rpcd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1253728260.638:359): arch=40000003 syscall=5 success=no exit=-13 a0=bfe05168 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1253728364.914:364): avc:  denied  { sys_admin } for  pid=4360 comm="rpc.rquotad" capability=21 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability
type=SYSCALL msg=audit(1253728364.914:364): arch=40000003 syscall=131 success=no exit=-1 a0=80000700 a1=8516c40 a2=441f a3=bfe060e8 items=0 ppid=1 pid=4360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)

Once I made the policy changes in the original report, quota started working, as I mentioned.
Comment 4 Daniel Walsh 2009-09-25 10:50:40 EDT
Fixed in selinux-policy-2.4.6-259.el5
Comment 8 Cale Fairchild 2010-01-15 09:41:36 EST
I just got the upgraded package selinux-policy-2.4.6-255.el5_4.3 through yum this morning and the errors are there. Could you please tell me where to find selinux-policy-2.4.6-259.el5 or when it is coming?
Comment 9 Eduard Benes 2010-01-15 09:55:57 EST
(In reply to comment #8)
> I just got the upgraded package selinux-policy-2.4.6-255.el5_4.3 through yum
> this morning and the errors are there. Could you please tell me where to find
> selinux-policy-2.4.6-259.el5 or when it is coming?    

Hi Cale, the latest available policy appears time to time in Dan's repository:

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

At the moment there is version 2.4.6-269, which should be even better for you to install/test.
Comment 12 Miroslav Grepl 2010-02-15 11:36:20 EST
Fixed in selinux-policy-2.4.6-274.el5
Comment 15 errata-xmlrpc 2010-03-30 03:50:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

Note You need to log in before you can comment on or make changes to this bug.