Bug 703871 - should allow quotacheck to create quota files
Summary: should allow quotacheck to create quota files
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Keywords: Regression, Reopened
Depends On:
Blocks: 702988
Reported: 2011-05-11 13:46 UTC by Caspar Zhang
Modified: 2012-01-13 20:40 UTC (History)

Clone Of:
Last Closed: 2011-06-14 12:34:03 UTC


External Trackers: Red Hat Bugzilla 717951

Description Caspar Zhang 2011-05-11 13:46:04 UTC
Description of problem:

Due to an upgrade from selinux-policy-3.7.19-85 to -87, the `quotacheck -c' command was not allowed to create a quota file if no quota file existed. Yet this command could complete in -85.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-87 (-93 still has this issue)

How reproducible:
run /kernel/distribution/ltp/debug/runtest.sh


Comment 3 Daniel Walsh 2011-05-11 22:12:31 UTC
What AVC's are you seeing?

Comment 4 Caspar Zhang 2011-05-12 01:16:00 UTC
(In reply to comment #3)
> What AVC's are you seeing?

----
time->Wed May 11 15:44:25 2011
type=SYSCALL msg=audit(1305143065.387:1030617): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030617): avc:  denied  { write } for  pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
----
time->Wed May 11 15:44:25 2011
type=SYSCALL msg=audit(1305143065.387:1030618): arch=40000003 syscall=5 success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231 pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030618): avc:  denied  { write } for  pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

Comment 5 Daniel Walsh 2011-05-12 05:41:25 UTC
file_t indicates you added a file system without labels.  Run restorecon -R -v FILESYSTEMPATH and the quotacheck command will work fine.

Comment 6 Caspar Zhang 2011-05-12 06:17:22 UTC
I tried both running restorecon -R -v FILESYSTEMPATH and adding a label to the filesystem; the quotacheck command still fails with the same AVC message.

Comment 7 Miroslav Grepl 2011-05-13 13:02:43 UTC
(In reply to comment #6)
> I tried both running restorecon -R -v FILESYSTEMPATH and add a label to the
> filesystem, the quotacheck command still fails for the same AVC message.

Could you show me your steps?

Comment 8 Qian Cai 2011-05-17 06:28:57 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    After upgraded selinux-policy package from 3.7.19-85 to
    -87, execute `quotacheck -c' command if no quota file   
    existed.
Consequence
    AVC denial happened like the following below.
 
type=SYSCALL msg=audit(1305143065.387:1030618): arch=40000003 syscall=5
success=no exit=-13 a0=bf9e05dc a1=80c2 a2=180 a3=bf9e05dc items=0 ppid=26231
pid=26295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="quotacheck" exe="/sbin/quotacheck"
subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305143065.387:1030618): avc:  denied  { write } for 
pid=26295 comm="quotacheck" name="/" dev=loop0 ino=2
scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=dir

Comment 9 Daniel Walsh 2011-05-18 06:42:46 UTC
That means you still do not have labels on the file system.

You need to run restorecon on the directory mountpoint that you are doing quotacheck on.

Comment 10 Caspar Zhang 2011-05-18 07:42:32 UTC
My steps:
dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
mkdir /tmp/mnt
mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
restorecon -R -v /tmp/mnt/
quotacheck -cug /tmp/mnt <-- fail

cd /tmp/mnt
restorecon -R -v /tmp/mnt/
quotacheck -cug /tmp/mnt <-- still fail

# mount -l
/root/ltp-fs-image on /tmp/mnt type ext3 (rw,loop=/dev/loop0,usrquota,grpquota) [label0] <-- have label

Comment 11 Daniel Walsh 2011-05-24 18:26:46 UTC
Try chcon --reference=/mnt /tmp/mnt rather than restorecon.

restorecon has no effect on /tmp files since it does not know what is in this directory.


dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
mkdir /tmp/mnt
mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
chcon --reference=/mnt /tmp/mnt/
quotacheck -cug /tmp/mnt

Comment 12 Caspar Zhang 2011-05-30 02:46:53 UTC
(In reply to comment #11)
> Try chcon --reference=/mnt /tmp/mnt rather then restorecon.
> 
> restorecon has no effect on /tmp files since it does not know what is in this
> directory.
> 
> 
> dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
> mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
> mkdir /tmp/mnt
> mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
> chcon --reference=/mnt /tmp/mnt/
> quotacheck -cug /tmp/mnt

The above steps gave exactly the same error message:

# dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
8000+0 records in
8000+0 records out
32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s
# mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
# mkdir /tmp/mnt
# mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
kjournald starting.  Commit interval 5 seconds
EXT3-fs (loop0): using internal journal
EXT3-fs (loop0): mounted filesystem with ordered data mode
# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt
EXT3-fs (loop0): using internal journal
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

I also tried with mounting my loop file under /mnt but quotacheck -cug failed as well.

Comment 13 Miroslav Grepl 2011-05-30 11:01:47 UTC
So you have the same AVC msg?

# ls -dZ /tmp/mnt

Comment 14 Caspar Zhang 2011-05-31 14:36:07 UTC
Sorry, I made a mistake: `quotacheck -cug /tmp/mnt' succeeded after applying `chcon --reference=/mnt /tmp/mnt/'; the error was due to another command:

quotaon -ug /tmp/mnt/

The AVC msg was:

----
time->Tue May 31 10:32:33 2011
type=SYSCALL msg=audit(1306852353.433:40171): arch=c000003e syscall=179 success=no exit=-13 a0=80000200 a1=7eff7d55c070 a2=2 a3=7eff7d55c050 items=0 ppid=25345 pid=32164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=67 comm="quotaon" exe="/sbin/quotaon" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306852353.433:40171): avc:  denied  { quotaon } for  pid=32164 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
----
time->Tue May 31 10:32:33 2011
type=SYSCALL msg=audit(1306852353.433:40170): arch=c000003e syscall=179 success=no exit=-13 a0=80000201 a1=7eff7d55c070 a2=2 a3=7eff7d55c050 items=0 ppid=25345 pid=32164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=67 comm="quotaon" exe="/sbin/quotaon" subj=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306852353.433:40170): avc:  denied  { quotaon } for  pid=32164 comm="quotaon" name="aquota.group" dev=loop0 ino=13 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file

# ls -dZ /tmp/mnt
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       /tmp/mnt
# ls -dZ /tmp/mnt/*
-rw-------. root root unconfined_u:object_r:mnt_t:s0   /tmp/mnt/aquota.group
-rw-------. root root unconfined_u:object_r:mnt_t:s0   /tmp/mnt/aquota.user
drwx------. root root system_u:object_r:file_t:s0      /tmp/mnt/lost+found

Is this a similar issue, or does any misconfiguration still exist? Thanks.

Comment 15 Caspar Zhang 2011-05-31 14:36:57 UTC
quotaon -ug /tmp/mnt/ showed the following error msg:

# quotaon -ugv /tmp/mnt/
quotaon: using /tmp/mnt/aquota.group on /dev/loop0 [/tmp/mnt]: Permission denied
quotaon: using /tmp/mnt/aquota.user on /dev/loop0 [/tmp/mnt]: Permission denied

Comment 16 Daniel Walsh 2011-05-31 15:02:35 UTC
The problem is aquota.group and aquota.user are mislabeled.  How did these files get created?

Currently we have policy for the creation of this file.

allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
files_etc_filetrans(quota_t, quota_db_t, file)
files_tmp_filetrans(quota_t, quota_db_t, file)
files_home_filetrans(quota_t, quota_db_t, file)
files_usr_filetrans(quota_t, quota_db_t, file)
files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)

Meaning we did not expect this file to be created in a mnt_t directory.  I guess we could add policy for this, but if you just want the test to work, you could do:

chcon --reference=/var /tmp/mnt/

And then this would mimic the file system being mounted on /var.
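
A small check that follows from the policy excerpt above, as an added example (not code from the bug or from the selinux-policy package): given a directory's SELinux context, it reports whether the quota module has a file-transition rule for that parent type, so that aquota.* files created there by quota_t end up as quota_db_t rather than inheriting the directory's type; it also pulls the target type out of an AVC record. The mapping of the files_*_filetrans interfaces to directory types (root_t, boot_t, etc_t, tmp_t, home_root_t, usr_t, var_t, var_spool_t) and the stat -c %C call are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug or the selinux-policy package.
# Maps the files_*_filetrans interfaces listed in comment 16 to the
# directory types I assume they cover (refpolicy names) and reports
# whether quotacheck, running as quota_t, would get aquota.* files
# labeled quota_db_t when it creates them in a directory of that type.
QUOTA_FILETRANS_TYPES="root_t boot_t etc_t tmp_t home_root_t usr_t var_t var_spool_t"

# Print the type field of a context such as system_u:object_r:mnt_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Verdict for a directory context:
#   ok            a filetrans rule applies; created files become quota_db_t
#   unlabeled     file_t: the filesystem was never labeled (restorecon/chcon first)
#   no-filetrans  labeled, but no quota filetrans rule for this parent type (mnt_t case)
# Exit status is 0 only for "ok".
quota_dir_verdict() {
    t=$(ctx_type "$1")
    case " $QUOTA_FILETRANS_TYPES " in
        *" $t "*) echo ok; return 0 ;;
    esac
    if [ "$t" = file_t ]; then echo unlabeled; else echo no-filetrans; fi
    return 1
}

# Print the target type (tcontext=...) of one AVC record line, empty if none.
avc_tcontext_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Live check of a mount point; needs an SELinux system with GNU stat (assumed).
check_mountpoint() {
    ctx=$(stat -c %C "$1") || return 2
    if v=$(quota_dir_verdict "$ctx"); then rc=0; else rc=$?; fi
    echo "$1 ($ctx): $v"
    return $rc
}

# Sample contexts and AVC line taken from the ls -dZ and audit output in comment 14.
quota_dir_verdict system_u:object_r:mnt_t:s0 || true   # prints no-filetrans
quota_dir_verdict system_u:object_r:var_t:s0           # prints ok
SAMPLE_AVC='type=AVC msg=audit(1306852353.433:40171): avc:  denied  { quotaon } for  pid=32164 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file'
avc_tcontext_type "$SAMPLE_AVC"                         # prints mnt_t
```

On a real system, `check_mountpoint /tmp/mnt` gives the same verdict for the live label that the sample lines give for the constructed ones.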

Comment 17 Caspar Zhang 2011-05-31 15:20:07 UTC
(In reply to comment #16)
> The problem is aquota.group and aquota.user are mislabeled.  How did these
> files get created?

They're created by the previous quotacheck command:

# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt

> 
> Currently we have policy for the creation of this file.
> 
> allow quota_t quota_db_t:file { manage_file_perms quotaon };
> files_root_filetrans(quota_t, quota_db_t, file)
> files_boot_filetrans(quota_t, quota_db_t, file)
> files_etc_filetrans(quota_t, quota_db_t, file)
> files_tmp_filetrans(quota_t, quota_db_t, file)
> files_home_filetrans(quota_t, quota_db_t, file)
> files_usr_filetrans(quota_t, quota_db_t, file)
> files_var_filetrans(quota_t, quota_db_t, file)
> files_spool_filetrans(quota_t, quota_db_t, file)

Did these policies change since the -87 version? I could run the quotacheck/quotaon/quotaoff commands successfully in -85 but they failed in -87.

> 
> Meaning we did not expect this file to be created on a mnt_t directory.  I
> guess we could add policy for this but if you just want the test to work, you
> could do.
> 
> chcon --reference=/var /tmp/mnt/

This command works; I could add this line to my code as a workaround.

However, I want to know if the policy change between -85 and -87 affecting the quotacheck/on/off commands was expected. If the answer is YES, I think the bug can be closed; if no, is there any reason to keep this change in the new version rather than restoring the old policy?

> 
> And then this would mimic the file system being mounted on the /var.

Comment 18 Daniel Walsh 2011-05-31 15:32:15 UTC
I doubt there was any explicit change, but quotacheck could have been failing to transition and now it does.  Since this is a test of the quotacheck code, it should probably be coded to handle the SELinux test case properly.

Comment 19 Caspar Zhang 2011-05-31 17:23:11 UTC
(In reply to comment #18)
> I doubt there was any explicit change, but quotacheck could have been failing
> to transition and now it does.  

I diffed -85 and -86 and found this change:
diff -Naur rpmbuild.85/SOURCES/policy-F13.patch rpmbuild.86/SOURCES/policy-F13.patch
--- rpmbuild.85/SOURCES/policy-F13.patch        2011-04-13 06:33:50.000000000 -0400
+++ rpmbuild.86/SOURCES/policy-F13.patch        2011-04-19 07:22:28.000000000 -0400
<snip>
@@ -15270,6 +15311,10 @@
 +')
 +
 +optional_policy(`
++    quota_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
 +      rpm_run(unconfined_t, unconfined_r)
 +      # Allow SELinux aware applications to request rpm_script execution
 +      rpm_transition_script(unconfined_t)
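
Review bot: the new optional_policy block at `++    quota_run(unconfined_t, unconfined_r)` carries no comment explaining its effect, while the neighbouring rpm block does (`# Allow SELinux aware applications to request rpm_script execution`). quota_run makes unconfined_t transition to quota_t when it executes the quota tools (the "failing to transition and now it does" change discussed in this bug), so from this line on quotacheck is confined and can only create quota files in directories whose type has a files_*_filetrans rule in the quota module; a one-line comment stating that, and the reason given in comment 20 (making sure the labels are correct), would spare the next reader the bisection done here.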

I removed the above piece of the patch and rebuilt the package, and I was able to run the quotacheck/on/off commands again without changing policy. So I think the above code is the point.

Now the question is simpler: is the above code change expected?

Comment 20 Daniel Walsh 2011-05-31 18:05:59 UTC
Yes, in order to make sure the labels are correct.

Comment 21 Daniel Walsh 2011-06-13 15:54:52 UTC
*** Bug 712874 has been marked as a duplicate of this bug. ***

Comment 22 Daniel Walsh 2011-06-13 15:57:08 UTC
The test here needs to be fixed to label the mount point it is creating as a valid mountpoint for quota to be run on.

Comment 23 Daniel Walsh 2011-06-14 12:34:03 UTC
Since I believe this is a test issue, I am closing this as notabug.

Comment 24 qkpeng 2012-01-13 02:20:31 UTC
I recently installed Fedora 15, which was downloaded last month.  When I run the following command, I get exactly the same error as Caspar did in May 2011: 

[root@localhost ~]# mkfs.ext4 /dev/sdb1
[root@localhost ~]# mkdir -p /opt/company_data
[root@localhost ~]# vi /etc/fstab
/dev/sdb1  /opt/company_data  ext4  defaults,usrquota,grpquota  1  2
[root@localhost ~]# mount /opt/company_data
[root@localhost ~]# mount | grep company_data
/dev/sdb1 on /opt/company_data type ext4 (rw,relatime,seclabel,barrier=1,data=ordered,usrquota,grpquota)
[root@localhost ~]# quotacheck -ugm /opt/company_data
quotacheck: Cannot create new quotafile /opt/company_data/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
----------------------------------------------------
I duplicated the same steps as Caspar did on my machine, and I got exactly the same error on my machine (what's the solution for that? -- sorry, it wasn't clear to me from reading the solution Caspar had described above): 

# dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
8000+0 records in
8000+0 records out
32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s

# mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
# mkdir /tmp/mnt
# mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
# chcon --reference=/mnt /tmp/mnt/
# quotacheck -cug /tmp/mnt
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

Comment 25 Caspar Zhang 2012-01-13 05:10:59 UTC
(In reply to comment #24)
[snip]
> ----------------------------------------------------
> I duplicate the same steps as Caspar did on my machine, and I got exactly the
> same error on my machine (what's the solution for that? -- sorry, it wasn't
> clear to me by reading the above solution Caspar had described): 
> 
> # dd if=/dev/zero of=ltp-fs-image bs=4096 count=8000
> 8000+0 records in
> 8000+0 records out
> 32768000 bytes (33 MB) copied, 0.0366585 s, 894 MB/s
> 
> # mkfs.ext3 -q -F -b 4096 ltp-fs-image -L label0
> # mkdir /tmp/mnt
> # mount -t ext3 -o loop,usrquota,grpquota ltp-fs-image /tmp/mnt
> # chcon --reference=/mnt /tmp/mnt/

try --reference=/var instead of /mnt

> # quotacheck -cug /tmp/mnt
> quotacheck: Cannot create new quotafile /tmp/mnt/aquota.user.new: Permission
> denied
> quotacheck: Cannot initialize IO on new quotafile: Permission denied
> quotacheck: Cannot create new quotafile /tmp/mnt/aquota.group.new: Permission
> denied
> quotacheck: Cannot initialize IO on new quotafile: Permission denied

Comment 26 qkpeng 2012-01-13 20:40:58 UTC
Thank you! That solution worked for me in both situations:
# chcon --reference=/var /tmp/mnt/
[root@localhost tmp]# quotacheck -cug /tmp/mnt
[root@localhost tmp]# chcon --reference=/var /opt/company_data
[root@localhost tmp]# quotacheck -ugm /opt/company_data
[root@localhost tmp]#

