Bug 703871 - should allow quotacheck to create quota files
Summary: should allow quotacheck to create quota files
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 702988
Reported: 2011-05-11 13:46 UTC by Caspar Zhang
Modified: 2012-01-13 20:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: After upgrading the selinux-policy package from 3.7.19-85 to -87, executing the `quotacheck -c' command when no quota file existed.
Consequence: An AVC denial like the following occurred.
type=SYSCALL msg=audit(1305143065.387:1030618): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030618): avc: denied { write } for pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
Clone Of:
Environment:
Last Closed: 2011-06-14 12:34:03 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 717951 0 medium CLOSED access to a loop device is denied to quota utilities 2021-02-22 00:41:40 UTC

Description Caspar Zhang 2011-05-11 13:46:04 UTC
Description of problem:

Due to an upgrade from selinux-policy-3.7.19-85 to -87, `quotacheck -c' command was not allowed to create a quota file if no quota file existed. Yet this command could complete in -85.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-87 (-93 still has this issue)

How reproducible:
run /kernel/distribution/ltp/debug/runtest.sh

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 3 Daniel Walsh 2011-05-11 22:12:31 UTC
What AVCs are you seeing?

Comment 4 Caspar Zhang 2011-05-12 01:16:00 UTC
(In reply to comment #3)
> What AVC's are you seeing?

----
time->Wed May 11 15:44:25 2011
type=SYSCALL msg=audit(1305143065.387:1030617): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030617): avc:  denied  { write } for  pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
----
time->Wed May 11 15:44:25 2011
type=SYSCALL msg=audit(1305143065.387:1030618): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030618): avc:  denied  { write } for  pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

Comment 5 Daniel Walsh 2011-05-12 05:41:25 UTC
file_t indicates you added a file system without labels.  Run restorecon -R -v FILESYSTEMPATH and the quotacheck command will work fine.

Comment 6 Caspar Zhang 2011-05-12 06:17:22 UTC
I tried both running restorecon -R -v FILESYSTEMPATH and adding a label to the filesystem; the quotacheck command still fails with the same AVC message.

Comment 7 Miroslav Grepl 2011-05-13 13:02:43 UTC
(In reply to comment #6)
> I tried both running restorecon -R -v FILESYSTEMPATH and add a label to the
> filesystem, the quotacheck command still fails for the same AVC message.

Could you show me your steps?

Comment 8 Qian Cai 2011-05-17 06:28:57 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    After upgrading the selinux-policy package from 3.7.19-85 to
    -87, executing the `quotacheck -c' command when no quota file
    existed.
Consequence
    An AVC denial occurred like the following.
 
type=SYSCALL msg=audit(1305143065.387:1030618): arch=40000003 syscall=5
success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231
pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck"
subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030618): avc:  denied  { write } for 
pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2
scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=dir

Comment 9 Daniel Walsh 2011-05-18 06:42:46 UTC
That means you still do not have labels on the file system.

You need to run restorecon on the directory mountpoint that you are doing quotacheck on.

Comment 10 Caspar Zhang 2011-05-18 07:42:32 UTC
my steps:
dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
mkdir /tmp/mnt
mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
restorecon -R -v /tmp/mnt/
quotacheck -cug /tmp/mnt <-- fail

cd /tmp/mnt
restorecon -R -v /tmp/mnt/
quotacheck -cug /tmp/mnt <-- still fail

# mount -l
/root/ltp-fs-image on /tmp/mnt type ext3 (rw,loop=/dev/loop0,usrquota,grpquota) [label0] <-- have label

Comment 11 Daniel Walsh 2011-05-24 18:26:46 UTC
Try chcon --reference=/mnt /tmp/mnt rather than restorecon.

restorecon has no effect on /tmp files since it does not know what is in this directory.


dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
mkdir /tmp/mnt
mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
chcon --reference=/mnt /tmp/mnt/
quotacheck -cug /tmp/mnt

Comment 12 Caspar Zhang 2011-05-30 02:46:53 UTC
(In reply to comment #11)
> Try chcon --reference=/mnt /tmp/mnt rather then restorecon.
> 
> restorecon has no effect on /tmp files since it does not know what is in this
> directory.
> 
> 
> dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
> mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
> mkdir /tmp/mnt
> mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
> chcon --reference=/mnt /tmp/mnt/
> quotacheck -cug /tmp/mnt

The above steps gave exactly the same error message:

# dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
8000+0 records in
8000+0 records out
32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s
# mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
# mkdir /tmp/mnt
# mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
kjournald starting.  Commit interval 5 seconds
EXT3-fs (loop0): using internal journal
EXT3-fs (loop0): mounted filesystem with ordered data mode
# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt
EXT3-fs (loop0): using internal journal
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

I also tried with mounting my loop file under /mnt but quotacheck -cug failed as well.

Comment 13 Miroslav Grepl 2011-05-30 11:01:47 UTC
So you have the same AVC msg?

# ls -dZ /tmp/mnt

Comment 14 Caspar Zhang 2011-05-31 14:36:07 UTC
Sorry, I made a mistake: `quotacheck -cug /tmp/mnt' succeeded after applying `chcon --reference=/mnt /tmp/mnt/'; the error was due to another command:

quotaon -ug /tmp/mnt/

the AVC msg was:

----
time->Tue May 31 10:32:33 2011
type=SYSCALL msg=audit(1306852353.433:40171): arch=c000003e syscall=179 success=no exit=-13 a0=80000200 a1=7eff7d55c070 a2=2 a3=7eff7d55c050 items=0 ppid=25345 pid=32164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=67 comm="quotaon" exe="/sbin/quotaon" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306852353.433:40171): avc:  denied  { quotaon } for  pid=32164 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
----
time->Tue May 31 10:32:33 2011
type=SYSCALL msg=audit(1306852353.433:40170): arch=c000003e syscall=179 success=no exit=-13 a0=80000201 a1=7eff7d55c070 a2=2 a3=7eff7d55c050 items=0 ppid=25345 pid=32164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=67 comm="quotaon" exe="/sbin/quotaon" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306852353.433:40170): avc:  denied  { quotaon } for  pid=32164 comm="quotaon" name="aquota.group" dev=loop0 ino=13 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file

# ls -dZ /tmp/mnt
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       /tmp/mnt
# ls -dZ /tmp/mnt/*
-rw-------. root root unconfined_u:object_r:mnt_t:s0   /tmp/mnt/aquota.group
-rw-------. root root unconfined_u:object_r:mnt_t:s0   /tmp/mnt/aquota.user
drwx------. root root system_u:object_r:file_t:s0      /tmp/mnt/lost+found

Is this a similar issue, or does some misconfiguration still exist? Thanks.

Comment 15 Caspar Zhang 2011-05-31 14:36:57 UTC
quotaon -ug /tmp/mnt/ showed the following error msg:

# quotaon -ugv /tmp/mnt/
quotaon: using /tmp/mnt/aquota.group on /dev/loop0 [/tmp/mnt]: Permission denied
quotaon: using /tmp/mnt/aquota.user on /dev/loop0 [/tmp/mnt]: Permission denied

Comment 16 Daniel Walsh 2011-05-31 15:02:35 UTC
The problem is aquota.group and aquota.user are mislabeled.  How did these files get created?

Currently we have policy for the creation of this file.

allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
files_etc_filetrans(quota_t, quota_db_t, file)
files_tmp_filetrans(quota_t, quota_db_t, file)
files_home_filetrans(quota_t, quota_db_t, file)
files_usr_filetrans(quota_t, quota_db_t, file)
files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)

Meaning we did not expect this file to be created on a mnt_t directory.  I guess we could add policy for this, but if you just want the test to work, you could do:

chcon --reference=/var /tmp/mnt/

And then this would mimic the file system being mounted on the /var.
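The two diagnoses in this thread (comment 5: a target context of file_t means the filesystem carries no labels at all; comment 16: quota files created under a directory type that has no files_*_filetrans() rule inherit that directory's type instead of quota_db_t, so quotaon is later refused) can be turned into a small triage over audit records. The following is an added example, not code from the bug report or from selinux-policy. The sample records are the AVC lines posted in comments 4 and 14 (the SYSCALL record is shortened), and the set of parent directory types that carry a transition rule is my reading of the refpolicy interface names listed above, so treat that table as an assumption.

```python
"""Triage SELinux AVC denials raised by the quota tools (quotacheck, quotaon).

Added example; not from the bug report or from the selinux-policy package.
"""
import re

# Directory types that the RHEL 6 quota policy quoted in comment 16 covers with
# a files_*_filetrans() rule, so a quota file created there becomes quota_db_t.
# The interface-name -> type mapping follows the reference policy (assumption).
FILETRANS_PARENTS = {
    "root_t", "boot_t", "etc_t", "tmp_t", "home_root_t",
    "usr_t", "var_t", "var_spool_t",
}

# Audit records copied from the bug report (comments 4 and 14); the SYSCALL
# record is shortened and is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1305143065.387:1030617): arch=40000003 syscall=5 '
    'success=no exit=-13 comm="quotacheck" exe="/sbin/quotacheck"',
    'type=AVC msg=audit(1305143065.387:1030617): avc:  denied  { write } for  '
    'pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 '
    'scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'type=AVC msg=audit(1306852353.433:40171): avc:  denied  { quotaon } for  '
    'pid=32164 comm="quotaon" name="aquota.user" dev=loop0 ino=12 '
    'scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

REMEDIATION = {
    "unlabeled_fs": "target is file_t: the filesystem has no labels; relabel the mount "
                    "point (restorecon -R -v, or chcon --reference=<labelled dir>)",
    "quota_file_inherited_parent_type": "quota file is not quota_db_t: it was created under "
                    "a directory type with no filetrans rule; relabel the mount point to a "
                    "type that has one (chcon --reference=/var) and rerun quotacheck -c",
    "dir_write_denied": "quota_t may not create files under this directory type; "
                        "check the mount point label with ls -dZ",
    "policy_gap": "directory type has a filetrans rule yet creation was denied; "
                  "report against selinux-policy",
    "not_quota": "not a quota_t denial",
    "other": "unclassified quota_t denial",
}


def parse_avc(line):
    """Return a dict for one AVC 'denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')   # drop the quotes around comm="..." and name="..."
    return rec


def context_type(ctx):
    """Extract the type (third field) from a user:role:type[:range] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def diagnose(rec):
    """Map a quota_t denial to one of the REMEDIATION keys."""
    subj = context_type(rec.get("scontext", ""))
    tgt = context_type(rec.get("tcontext", ""))
    if subj != "quota_t":
        return "not_quota"
    if tgt == "file_t":
        return "unlabeled_fs"                      # comment 5
    if rec.get("tclass") == "dir" and "write" in rec["perms"]:
        return "policy_gap" if tgt in FILETRANS_PARENTS else "dir_write_denied"
    if rec.get("tclass") == "file" and tgt != "quota_db_t":
        return "quota_file_inherited_parent_type"  # comment 16
    return "other"


def triage(lines):
    """Parse every line; return (diagnosis, comm, name) for each AVC denial found."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((diagnose(rec), rec.get("comm"), rec.get("name")))
    return out


if __name__ == "__main__":
    for code, comm, name in triage(SAMPLE_AUDIT):
        print(f"{comm} on {name}: {code}: {REMEDIATION[code]}")
```

Feed it `ausearch -m avc --raw` output (or the raw lines from /var/log/audit/audit.log) on the host where quotacheck fails; the first record in the thread classifies as an unlabeled filesystem, the second as a quota file that took the mount point's mnt_t type, which is exactly the distinction between the restorecon advice in comment 5 and the chcon --reference=/var advice in comment 16.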

Comment 17 Caspar Zhang 2011-05-31 15:20:07 UTC
(In reply to comment #16)
> The problem is aquota.group and aquota.user are mislabeled.  How did these
> files get created?

They're created by the previous quotacheck command:

# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt

> 
> Currently we have policy for the creation of this file.
> 
> allow quota_t quota_db_t:file { manage_file_perms quotaon };
> files_root_filetrans(quota_t, quota_db_t, file)
> files_boot_filetrans(quota_t, quota_db_t, file)
> files_etc_filetrans(quota_t, quota_db_t, file)
> files_tmp_filetrans(quota_t, quota_db_t, file)
> files_home_filetrans(quota_t, quota_db_t, file)
> files_usr_filetrans(quota_t, quota_db_t, file)
> files_var_filetrans(quota_t, quota_db_t, file)
> files_spool_filetrans(quota_t, quota_db_t, file)

Did these policies change since the -87 version? I could run the quotacheck/quotaon/quotaoff commands successfully in -85, but they failed in -87.

> 
> Meaning we did not expect this file to be created on a mnt_t directory.  I
> guess we could add policy for this but if you just want the test to work, you
> could do.
> 
> chcon --reference=/var /tmp/mnt/

This command works; I could add this line to my code as a workaround.

However, I want to know whether the policy change between -85 and -87 affecting the quotacheck/on/off commands was expected. If the answer is YES, I think the bug can be closed; if not, is there any reason to keep this change in the new version rather than restoring the old policy?

> 
> And then this would mimic the file system being mounted on the /var.

Comment 18 Daniel Walsh 2011-05-31 15:32:15 UTC
I doubt there was any explicit change, but quotacheck could have been failing to transition and now it does.  Since this is a test of the quotacheck code, it should probably be coded to handle the SELinux test case properly.

Comment 19 Caspar Zhang 2011-05-31 17:23:11 UTC
(In reply to comment #18)
> I doubt there was any explicit change, but quotacheck could have been failing
> to transition and not it does.  

I diffed -85 and -86 and found this change:
diff -Naur rpmbuild.85/SOURCES/policy-F13.patch rpmbuild.86/SOURCES/policy-F13.patch
--- rpmbuild.85/SOURCES/policy-F13.patch        2011-04-13 06:33:50.000000000 -0400
+++ rpmbuild.86/SOURCES/policy-F13.patch        2011-04-19 07:22:28.000000000 -0400
<snip>
@@ -15270,6 +15311,10 @@
 +')
 +
 +optional_policy(`
++    quota_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
 +      rpm_run(unconfined_t, unconfined_r)
 +      # Allow SELinux aware applications to request rpm_script execution
 +      rpm_transition_script(unconfined_t)
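Review bot: the added `quota_run(unconfined_t, unconfined_r)` block carries no comment explaining why it is there, while the neighbouring `rpm_run` block documents its purpose; add a comment stating that unconfined_t now transitions into quota_t for the quota tools, because, as comment 16 shows, quota_t can only create quota_db_t files under the directory types covered by a files_*_filetrans() rule, so a mount point labelled mnt_t will start failing after this change (comment 20 states the transition is intentional, to keep labels correct).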

I removed the above piece of the patch and rebuilt the package, and I was able to run the quotacheck/on/off commands again without changing policy. So I think the above code is the point.

Now the question is simpler: is the above code change expected?

Comment 20 Daniel Walsh 2011-05-31 18:05:59 UTC
Yes, in order to make sure the labels are correct.

Comment 21 Daniel Walsh 2011-06-13 15:54:52 UTC
*** Bug 712874 has been marked as a duplicate of this bug. ***

Comment 22 Daniel Walsh 2011-06-13 15:57:08 UTC
The test here needs to be fixed to label the mount point it is creating as a valid mountpoint for quota to be run on.

Comment 23 Daniel Walsh 2011-06-14 12:34:03 UTC
Since I believe this is a test issue, I am closing this as notabug.

Comment 24 qkpeng 2012-01-13 02:20:31 UTC
I recently installed Fedora 15, which was downloaded last month.  When I run the following commands, I get exactly the same error as Caspar did in May 2011:

[root@localhost ~]# mkfs.ext4 /dev/sdb1
[root@localhost ~]# mkdir -p /opt/company_data
[root@localhost ~]# vi /etc/fstab
/dev/sdb1  /opt/company_data  ext4  defaults,usrquota,grpquota  1  2
[root@localhost ~]# mount /opt/company_data
[root@localhost ~]# mount | grep company_data
/dev/sdb1 on /opt/company_data type ext4 (rw,relatime,seclabel,barrier=1,data=ordered,usrquota,grpquota)
[root@localhost ~]# quotacheck -ugm /opt/company_data
quotacheck: Cannot create new quotafile /opt/company_data/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
----------------------------------------------------
I duplicated the same steps as Caspar did on my machine, and I got exactly the same error (what's the solution for that? -- sorry, it wasn't clear to me from reading the solution Caspar had described above):

# dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
8000+0 records in
8000+0 records out
32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s

# mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
# mkdir /tmp/mnt
# mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

Comment 25 Caspar Zhang 2012-01-13 05:10:59 UTC
(In reply to comment #24)
[snip]
> ----------------------------------------------------
> I duplicate the same steps as Caspar did on my machine, and I got exactly the
> same error on my machine (what's the solution for that? -- sorry, it wasn't
> clear to me by reading the above solution Caspar had described): 
> 
> # dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
> 8000+0 records in
> 8000+0 records out
> 32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s
> 
> # mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
> # mkdir /tmp/mnt
> # mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
> # chcon --reference=/mnt /tmp/mnt/

try --reference=/var instead of /mnt

> # quotacheck -cug /tmp/mnt
> quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission
> denied
> quotacheck: Cannot initialize IO on new quotafile: Permission denied
> quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission
> denied
> quotacheck: Cannot initialize IO on new quotafile: Permission denied

Comment 26 qkpeng 2012-01-13 20:40:58 UTC
Thank you! That solution worked for me on both situations:
# chcon --reference=/var /tmp/mnt/
[root@localhost tmp]# quotacheck -cug /tmp/mnt
[root@localhost tmp]# chcon --reference=/var /opt/company_data
[root@localhost tmp]# quotacheck -ugm /opt/company_data
[root@localhost tmp]#

