Bug 634179 - quota on LVM is not started correctly during booting process
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 635623
Reported: 2010-09-15 08:49 EDT by Frederic Hornain
Modified: 2011-05-31 09:34 EDT (History)
CC: 10 users

Doc Type: Bug Fix
Last Closed: 2011-05-31 09:34:09 EDT
Attachments:
screenshot of the VM in single mode where I have the problem (35.90 KB, image/png) - 2010-09-15 16:43 EDT, Frederic Hornain
Correct screenshot (36.41 KB, image/png) - 2010-09-16 05:08 EDT, Frederic Hornain
Output of what has been requested (8.80 KB, text/plain) - 2010-09-16 05:34 EDT, Frederic Hornain
SELinux related (58.55 KB, image/png) - 2010-09-16 05:36 EDT, Frederic Hornain
Same exercise in runlevel 5 (903.08 KB, image/png) - 2010-09-16 05:43 EDT, Frederic Hornain
dmesg output (28.54 KB, text/plain) - 2010-09-16 13:08 EDT, Frederic Hornain
AVC output (27.19 KB, text/plain) - 2010-09-16 13:08 EDT, Frederic Hornain
SOSReport (1.08 MB, application/x-xz) - 2010-09-16 13:09 EDT, Frederic Hornain

Description Frederic Hornain 2010-09-15 08:49:00 EDT
Description of problem:
When you set quota over LVM, quotaon is not started properly due to the fact that logical volume management is started after quota in /etc/rc.sysinit

Version-Release number of selected component (if applicable):
quota-3.17-11.fc13.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Frederic Hornain 2010-09-15 08:53:43 EDT
How reproducible:


Steps to Reproduce:
1. Create an lvm partition
pvcreate /dev/sda5
vgcreate TEST /dev/sda5
lvcreate -n test -L50M TEST

2. Partition filesystem.
mkfs.ext3 /dev/mapper/TEST-test
mount -o usrquota /dev/mapper/TEST-test /mnt

3. Add a user.
useradd test

4. Enable quotas 
quotacheck -cugvm /mnt
quotaon /mnt
mkdir /mnt/test
chmod 777 /mnt/test

5. Add some quotas
edquota -u test

6. Become user, do some work

7. Restart the station

8. edquota -u test
Check the status of inodes or used size

9. Redo some work as user on the defined partition.

10. edquota -u test
Check the status of inodes or used size
Nothing has changed since point 8.

11. then you have to do quotaon /mnt

Actual results:

Quota doesn't work at all.

Expected results:

User should be limited by the specifications made at point 10.

Additional info:
Comment 2 Petr Pisar 2010-09-15 09:24:09 EDT
The quotaon is executed by /etc/rc.d/rc.sysinit belonging to initscripts package.
Comment 3 Bill Nottingham 2010-09-15 11:34:35 EDT
(In reply to comment #0)
> Description of problem:
> When you set quota over LVM, quotaon is not started properly due to the fact
> that logical volume management is started after quota in /etc/rc.sysinit

quotaon is done after mount & fsck, which is well after LVM.

What does '/sbin/quotaon -avug' say when run from single user mode?
Comment 4 Frederic Hornain 2010-09-15 15:02:18 EDT
Dear Bill,

Thanks for your reply.

1] This is the output of what you have requested : 
[root@rhce1 ~]# init 1
[root@rhce1 ~]# runlevel
5 1
[root@rhce1 ~]# /sbin/quotaon -avug
/dev/mapper/vgraid-lvraid [/raid]: group quotas turned on
/dev/mapper/vgraid-lvraid [/raid]: user quotas turned on

2] The above result is in agreement with what I wrote in my previous posts.
I mean that quota is not activated during boot sequence even if it is included in /etc/rc.sysinit.

3] You are right this is not due to the fact that LVM is started after quota.
   So I was wrong in my assumption. My apologies for that.

4] This is the content of /var/log/boot.log :

Setting up Logical Volume Management:   1 logical volume(s) in volume group "vgraid" now active
  2 logical volume(s) in volume group "VolGroup" now active
                                                           [  OK  ]
Checking filesystems
/dev/mapper/VolGroup-lv_root: clean, 137181/430784 files, 1068266/1720320 blocks
/dev/vda1: clean, 45/128016 files, 85869/512000 blocks
/dev/mapper/vgraid-lvraid: clean, 14/128 files, 53/1024 blocks (check in 4 mounts)
                                                           [  OK  ]
Remounting root filesystem in read-write mode:             [  OK  ]
Mounting local filesystems:                                [  OK  ]
Enabling local filesystem quotas:                          [FAILED]
Enabling /etc/fstab swaps:                                 [  OK  ]
Entering non-interactive startup
Starting monitoring for VG VolGroup:   2 logical volume(s) in volume group "VolGroup" monitored
                                                           [  OK  ]
Starting monitoring for VG vgraid:   1 logical volume(s) in volume group "vgraid" monitored
                                                           [  OK  ]

5] BTW, my test config is indeed quota on LVM on raid 1.
Comment 5 Bill Nottingham 2010-09-15 15:10:55 EDT
w.r.t. testing from single-user mode, can you try it from a reboot with 'linux single' on the command line?
Comment 6 Frederic Hornain 2010-09-15 16:43:06 EDT
Created attachment 447568 [details]
screenshot of the VM in single mode where I have the problem
Comment 7 Frederic Hornain 2010-09-15 16:45:48 EDT
Dear Bill,

Is there a log file for quota ?

BR
Frederic
Comment 8 Bill Nottingham 2010-09-15 16:52:30 EDT
That's weird. No, there's not a log

Can you do: 'strace -f -s 999 -o /tmp/quota.log quotaon -avug' and attach that file?
Comment 9 Frederic Hornain 2010-09-16 05:08:10 EDT
Created attachment 447687 [details]
Correct screenshot
Comment 10 Frederic Hornain 2010-09-16 05:32:22 EDT
Dear Bill,

I indeed used the following command : /usr/bin/strace -f -s 999 -o /tmp/quota.log /sbin/quotaon -avug
And the output of that command will be enclosed to that ticket asap.

BR
Frederic
Comment 11 Frederic Hornain 2010-09-16 05:34:34 EDT
Created attachment 447694 [details]
Output of what has been requested
Comment 12 Frederic Hornain 2010-09-16 05:35:36 EDT
Dear Bill,

I have made some progress and think that it is maybe related to SELinux.
Please have a look at the new enclosed file - see below -
Comment 13 Frederic Hornain 2010-09-16 05:36:04 EDT
Created attachment 447696 [details]
SELinux related
Comment 14 Frederic Hornain 2010-09-16 05:42:05 EDT
Dear Bill,

It seems that when quotaon is launched in single mode it fails due to SELinux rules... - see attachment 447696 [details] here above -
But when we are in runlevel 5 it works with SELinux enabled.
Maybe my conclusion is wrong or misinterpreted but it is what I can see - see new attachment below -.

Please could you check it on your own VM ?
Do I have to set a particular SELinux boolean on ?

BR
Frederic
Comment 15 Frederic Hornain 2010-09-16 05:43:08 EDT
Created attachment 447700 [details]
Same exercise in runlevel 5
Comment 16 Bill Nottingham 2010-09-16 11:28:59 EDT
Can you attach the output of 'ausearch -m avc' (or dmesg, if the AVCs are listed there.)
Comment 17 Frederic Hornain 2010-09-16 13:07:32 EDT
Dear Bill,

Well, nothing relevant with 'ausearch -m avc' unfortunately :(
I have attached the files associated to each command

Have you tried to reproduce it on a Virtual Machine ?

I also have done an sosreport file. - attached with this ticket -

BR
Frederic ;)
Comment 18 Frederic Hornain 2010-09-16 13:08:21 EDT
Created attachment 447801 [details]
dmesg output
Comment 19 Frederic Hornain 2010-09-16 13:08:50 EDT
Created attachment 447802 [details]
AVC output
Comment 20 Frederic Hornain 2010-09-16 13:09:42 EDT
Created attachment 447803 [details]
SOSReport
Comment 21 Daniel Walsh 2010-09-16 17:06:10 EDT
Frederic,

Execute 

semodule -DB
Then try quota

See if this generates avcs.
Comment 22 Daniel Walsh 2010-09-16 17:06:34 EDT
semodule -B 

Will turn the dontaudit messages back on.
Comment 23 Frederic Hornain 2010-09-20 03:31:31 EDT
Dear Daniel,

This is the result of what you requested :

[root@rhce1 /]# semodule -DB
[root@rhce1 /]# echo $?
0
[root@rhce1 /]# quotaon -avug
[root@rhce1 /]# echo $?
2
[root@rhce1 /]# semodule -R

BR
Frederic
Comment 24 Petr Pisar 2010-09-21 07:03:01 EDT
*** Bug 635623 has been marked as a duplicate of this bug. ***
Comment 25 Daniel Walsh 2010-09-22 17:01:59 EDT
Frederic, I need the AVC report.
Comment 26 Fedora Admin XMLRPC Client 2010-11-08 16:48:56 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 27 Fedora Admin XMLRPC Client 2010-11-08 16:50:29 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 28 Fedora Admin XMLRPC Client 2010-11-08 16:51:41 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 29 Mark Lamourine 2011-04-05 17:15:02 EDT
I'm observing this on RHEL6.0 from media and after updates.

With SELinux permissive, quotas are enabled on boot.
With SELinux enforcing, quotas fail to start on boot, yielding this message in /var/log/messages.

quotas start without error when run as root login immediately after boot.

On an EC2 AMI

Apr  5 17:02:49 ip-10-242-85-153 kernel: VFS: Disk quotas dquot_6.5.2
Apr  5 17:02:49 ip-10-242-85-153 kernel: dracut: Remounting /dev/disk/by-label/_\x2f with -o usrjquota=aquota.user,jqfmt=vfsv0,ro
Apr  5 17:02:49 ip-10-242-85-153 kernel: type=1400 audit(1302037326.962:4): avc:  denied  { quotaon } for  pid=561 comm="quotaon" name="aquota.user" dev=xvda1 ino=702 scontext=system_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:root_t:s0 tclass=file


On an HP blade:

Apr  5 21:00:19 blade14 dbus: avc:  netlink poll: error 4
Apr  5 21:07:26 blade14 kernel: type=1400 audit(1302037638.639:4): avc:  denied  { quotaon } for  pid=1247 comm="quotaon" name="aquota.user" dev=sda4 ino=13 scontext=system_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Apr  5 21:07:28 blade14 dbus: avc:  netlink poll: error 4

In neither case was any filesystem on the host using LVM directly.  I can't say what's behind the EC2 virt host.
Comment 30 Daniel Walsh 2011-04-05 17:18:43 EDT
The AVCs that I have been sent recently indicate that /aquota.user and
/var/lib/aquota.user were labeled incorrectly. How do those files get created?
Comment 31 Daniel Walsh 2011-04-05 17:22:47 EDT
Looks like these files should get created by quota on start, if they did not exist already.  I believe this is a labeling problem.  If you remove the files does quota create them with the right label?   Did you run the quotaon service by hand and then later run it in a service?
Comment 32 Petr Pisar 2011-04-06 03:45:41 EDT
(In reply to comment #30)
> The AVC that I have been sent recently indicate that /aquota.user and
> /var/lib/aquota.user were labeled incorrectly,  How do those files get created?

The quota files are created by the quotacheck tool. If they exist, they will be replaced by new quota files by rename(2) to assure atomicity. The name of the quota files depends on the quota format version and on the name space (users, groups) they measure: {,a}quota.{user,group}. Also, if journaled quota files are used, the name can be any arbitrary file name specified by the mount options usrjquota and grpjquota.

Who should specify label for those files? quotacheck binary or SELinux policy based on context of quotacheck binary?
Comment 33 Mark Lamourine 2011-04-06 07:21:54 EDT
In one of the two cases a user defined selinux policy overrides the default so that restorecon no longer sets the correct type on the aquota.user file.  This case is being addressed by correcting the user policy.

Petr's question remains:  Who is responsible for setting the label for those files and when?
Comment 34 Daniel Walsh 2011-04-06 09:26:02 EDT
I would say we need to have the proper policy in place for quotacheck to create the files with the right labels.

Miroslav looks like we need

optional_policy(`
	quota_run(unconfined_t, unconfined_r)
')

In F13, F14, F15, RHEL5 and RHEL6.


Mark, could you build and install the following policy to make sure it works correctly.

==========================  cut into myquota.te ==================================
policy_module(myquota, 1.0)
gen_require(`
      type unconfined_t;
      role unconfined_r;
')

quota_run(unconfined_t, unconfined_r)
========================================================================

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myquota.pp

Then remove /aquota.user
run quotacheck

And make sure /aquota.user gets created with the correct label, and no avc's are generated.
Comment 35 Mark Lamourine 2011-04-13 09:27:59 EDT
Before policy change:

[root@ip-10-110-250-122 ~]# mount -o remount,defaults,usrjquota=aquota.user,jqfmt=vfsv0 /
[root@ip-10-110-250-122 ~]# quotacheck -cmuf /
[root@ip-10-110-250-122 ~]# ls -Z /aquota.user 
-rw-------. root root unconfined_u:object_r:etc_runtime_t:s0 /aquota.user
[root@ip-10-110-250-122 ~]# rm /aquota.user 
rm: remove regular file `/aquota.user'? y


[root@ip-10-110-250-122 ~]# vi myquota.te
[root@ip-10-110-250-122 ~]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted myquota module
/usr/bin/checkmodule:  loading policy configuration from tmp/myquota.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/myquota.mod
Creating targeted myquota.pp policy package
rm tmp/myquota.mod tmp/myquota.mod.fc
[root@ip-10-110-250-122 ~]# semodule -i myquota.pp
[root@ip-10-110-250-122 ~]# ls /
bin   cgroup  etc   lib    lost+found  misc  net  proc  sbin     srv  tmp  var
boot  dev     home  lib64  media       mnt   opt  root  selinux  sys  usr

After policy change:

[root@ip-10-110-250-122 ~]# quotacheck -cmuf /
[root@ip-10-110-250-122 ~]# ls -Z /aquota.user 
-rw-------. root root unconfined_u:object_r:quota_db_t:s0 /aquota.user
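The denials pasted in comment 29 and the before/after `ls -Z` lines in comment 35 come down to one check: is the quota database file labeled quota_db_t, the type the fixed policy gives it? The following script is an added example, not code from this report, from the quota package or from selinux-policy. It parses kernel "avc: denied" lines and `ls -Z` output of the shape shown in this thread and reports quota files that carry some other type. Assumptions taken from the thread: quotacheck names its files {,a}quota.{user,group} (comment 32), the correct type is quota_db_t (comment 35), and `ls -Z` prints mode, owner, group, context and path in that order (comment 35). The sample lines are copied from comments 29 and 35.

```python
"""Triage SELinux AVC denials and ls -Z output for quota database files.

Added example for bug 634179; not code from the report, the quota package or
selinux-policy.  Assumptions (from the thread): quotacheck names its files
{,a}quota.{user,group}; with the fixed policy they are labeled quota_db_t;
`ls -Z` prints "mode owner group context path".  Journaled quota files with
arbitrary names (usrjquota=/grpjquota=) are not matched unless QUOTA_FILE_RE
is extended.
"""
import re
from dataclasses import dataclass

EXPECTED_TYPE = "quota_db_t"
QUOTA_FILE_RE = re.compile(r"^a?quota\.(user|group)$")

# Matches e.g. 'avc:  denied  { quotaon } for  pid=561 comm="quotaon" name="aquota.user" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: tuple
    fields: dict

    def type_of(self, key):
        # An SELinux context is user:role:type:level; return the type field.
        return self.fields[key].split(":")[2]


def parse_avc(line):
    """Return a Denial for a kernel/audit 'avc: denied' line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Denial(tuple(m.group("perms").split()), fields)


def parse_ls_z(line):
    """Return (path, type) from one `ls -Z` line, else None."""
    parts = line.split()
    if len(parts) < 5 or parts[3].count(":") < 3:
        return None
    return parts[4], parts[3].split(":")[2]


def triage(lines):
    """Return (kind, message) findings: 'label' for a mislabeled quota file,
    'policy' for a denial on a correctly labeled one, 'ok' for a good label."""
    findings = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            name = d.fields.get("name", "")
            if (d.fields.get("tclass") != "file" or d.type_of("scontext") != "quota_t"
                    or not QUOTA_FILE_RE.match(name)):
                continue  # not the quota tools touching a quota file
            ttype = d.type_of("tcontext")
            if ttype == EXPECTED_TYPE:
                findings.append(("policy", "quota_t denied %s on %s that is already %s: "
                                 "policy gap, not a labeling problem"
                                 % ("/".join(d.perms), name, EXPECTED_TYPE)))
            else:
                findings.append(("label", "%s on dev=%s is labeled %s, expected %s: "
                                 "recreate it with quotacheck under the fixed policy or run restorecon on it"
                                 % (name, d.fields.get("dev", "?"), ttype, EXPECTED_TYPE)))
            continue
        z = parse_ls_z(line)
        if z is None or not QUOTA_FILE_RE.match(z[0].rsplit("/", 1)[-1]):
            continue
        path, ttype = z
        if ttype == EXPECTED_TYPE:
            findings.append(("ok", "%s is labeled %s" % (path, EXPECTED_TYPE)))
        else:
            findings.append(("label", "%s is labeled %s, expected %s" % (path, ttype, EXPECTED_TYPE)))
    return findings


# Sample input copied from comments 29 and 35 of this report.
SAMPLE = [
    'Apr  5 17:02:49 ip-10-242-85-153 kernel: type=1400 audit(1302037326.962:4): avc:  denied  { quotaon } for  pid=561 comm="quotaon" name="aquota.user" dev=xvda1 ino=702 scontext=system_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:root_t:s0 tclass=file',
    "Apr  5 21:00:19 blade14 dbus: avc:  netlink poll: error 4",
    'Apr  5 21:07:26 blade14 kernel: type=1400 audit(1302037638.639:4): avc:  denied  { quotaon } for  pid=1247 comm="quotaon" name="aquota.user" dev=sda4 ino=13 scontext=system_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file',
    "-rw-------. root root unconfined_u:object_r:etc_runtime_t:s0 /aquota.user",
    "-rw-------. root root unconfined_u:object_r:quota_db_t:s0 /aquota.user",
]

if __name__ == "__main__":
    for kind, msg in triage(SAMPLE):
        print("%-6s %s" % (kind, msg))
```

Feed it `ausearch -m avc` or /var/log/messages output together with `ls -Z` of the quota files; the 'policy' finding is the one that would remain after relabeling, and is what the quota_run() addition in comment 34 is meant to remove. Remember that dontaudit rules hide denials from the log unless they are disabled with `semodule -DB` as in comment 21.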
Comment 36 Daniel Walsh 2011-04-13 10:29:26 EDT
Miroslav, let's add this, I think it is low risk.  We need it in RHEL6 also.
Comment 37 Miroslav Grepl 2011-04-18 02:45:55 EDT
Fixed in selinux-policy-3.7.19-107.fc13
Comment 38 Bug Zapper 2011-05-31 09:26:30 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
