Red Hat Bugzilla – Bug 717948
quotacheck -c fails without reporting error
Last modified: 2013-11-21 00:40:01 EST
Description of problem:
When quotacheck access is denied by selinux, the command doesn't bother to report any error, even in verbose mode, and it returns exit code 0.

Version-Release number of selected component (if applicable):
quota-3.17-16.el6.i686

How reproducible:
always

Steps to Reproduce:
from the test /CoreOS/quota/Regression/bz77871-grace-period-not-shown

rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory"
rlRun "chmod +x $TmpDir" 0 "Making tmp directory accessible"
rlRun "pushd $TmpDir"
HomeDir="$TmpDir/bz77871"
rlFileBackup "/etc/fstab"
rlRun "dd if=/dev/zero of=bz77871.img count=2k" 0 "Creating the testing image"
rlRun "mke2fs -F bz77871.img" 0 "Formatting the testing image"
rlRun "mkdir bz77871" 0 "Creating the mountpoint"
rlRun "echo '$TmpDir/bz77871.img $HomeDir ext2 loop,usrquota 0 0' >> /etc/fstab" 0 "Adding fstab record"
rlRun "mount $HomeDir" 0 "Mounting the testing image"
rlRun "useradd -d $HomeDir bz77871" 0 "Adding the testing user"
rlRun "chown bz77871:bz77871 $HomeDir" 0 "Fixing ownership of the testing user's homedir"
rlRun "chcon unconfined_u:object_r:user_home_dir_t:s0 $HomeDir" 0 "Fixing SELinux context of the testing user's homedir"
# DEBUG
echo "ls -dlZ $HomeDir:"
ls -dlZ $HomeDir
rlRun "quotacheck -vv -c $HomeDir" 0 "Initialising quota files"
ls -l $HomeDir/aquota.user
rlRun "setquota bz77871 128 256 0 0 $HomeDir" 0 "Setting the testing user quotas"

Actual results:
<cut>
:: [ PASS ] :: Fixing SELinux context of the testing user's homedir
ls -dlZ /tmp/tmp.6uU3U2s2HV/bz77871:
drwxr-xr-x. bz77871 bz77871 unconfined_u:object_r:user_home_dir_t:s0 /tmp/tmp.6uU3U2s2HV/bz77871
:: [ PASS ] :: Initialising quota files
ls: cannot access /tmp/tmp.6uU3U2s2HV/bz77871/aquota.user: No such file or directory
setquota: Cannot open quotafile /tmp/tmp.6uU3U2s2HV/bz77871/aquota.user: No such file or directory
setquota: Not all specified mountpoints are using quota.
:: [ FAIL ] :: Setting the testing user quotas (Expected 0, got 1)

- you see, between the ls after chcon and the ls after quotacheck there is no error message, and quotacheck ('Initialising quota files') says PASS which means the rlRun handler got the expected exit code which was 0 in this case

the corresponding SELinux denial is:
type=1400 audit(1309440738.774:30706): avc: denied { write } for pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

Expected results:
quotacheck should return non-zero exit code and print some information

from the manpage:
-v quotacheck reports its operation as it progresses. Normally it operates silently. If the option is specified twice, also the current directory is printed (note that printing can slow down the scan measurably).

Additional info:
I can confirm wrong return code:

[root@rhel-6_1 tmp]# ls -laZ /mnt/quota/
drwxr-xr-x. root root unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 ..
drwx------. root root system_u:object_r:file_t:s0 lost+found
[root@rhel-6_1 tmp]# quotacheck -vv -c /mnt/quota/
quotacheck: Scanning /dev/loop0 [/mnt/quota] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Old group file not found. Usage will not be substracted.
quotacheck: Checked 3 directories and 1 files
quotacheck: Cannot create new quotafile /mnt/quota/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
[root@rhel-6_1 tmp]# echo $?
0
[root@rhel-6_1 tmp]# rpm -q quota
quota-3.17-16.el6.x86_64

However, in contrast to your output, there are a lot of messages on stderr, including the relevant error message. I guess the beaker script does not echo rlRun() command output by default.

The same bug is present in the upstream development version.
Created attachment 510819: Proposed patch fixing exit code of quotacheck
Created attachment 510820: Patch fixing warning messages to describe underlying issue correctly
Patches posted to upstream for revision.
(In reply to comment #2)
> However, in contrast to your output, there are a lot of messages on stderr,
> including the relevant error message. I guess the beaker script does not echo
> rlRun() command output by default.

it does, after disabling selinux, I'm getting the informative messages without any problem ... maybe there's some other problem with selinux

however, thanks for the patches, let's wait for upstream then
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
Both patches accepted by upstream:

commit 1c3bc6d34439f353ea00239dc1ca31239823bb4f
Author: Petr Písař <ppisar@redhat.com>
Date: Fri Jul 1 10:22:10 2011 +0200

    get_qf_name() does not check quota file presence

    Old error message stated a quota file does not exist despite fact
    get_qf_name() does not check the file existence. It constructs the file
    name only. This led to misleading message when running initial
    `quotacheck -c' on extended file system mounted with usrquota option only.

    Signed-off-by: Jan Kara <jack@suse.cz>

commit 3c0f38a60e0879b4ba1ae9d3cdb3a971951a761f
Author: Petr Pisar <ppisar@redhat.com>
Date: Fri Jul 1 10:13:54 2011 +0200

    Report quotacheck failures by return code

    Signed-off-by: Jan Kara <jack@suse.cz>
Created attachment 513348: Back-ported patch fixing exit code of quotacheck
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
I can't reproduce this with:

# rpm -q quota selinux-policy
quota-3.17-18.el6.x86_64
selinux-policy-3.7.19-195.el6.noarch

I cannot force SELinux to block quotacheck according to comment 1 or comment 2. So I've added 'chattr +i <folder>' to block quotacheck.

TestCase added.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1548.html
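
Added example (not part of the bug report or of the quota package): a shell wrapper for hosts that may still run an unpatched quotacheck. It does not trust the exit status of `quotacheck -c`, and it pulls the matching AVC denial out of audit records. The names quotacheck_strict, avc_denials_for and the QUOTACHECK override are hypothetical; the check for aquota.user assumes a usrquota mount as in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the quota project.
# QUOTACHECK is a hypothetical override so a stub can stand in for the tool.
QUOTACHECK=${QUOTACHECK:-quotacheck}

# quotacheck_strict MOUNTPOINT
# 0 = quota file created; 1 = tool exited non-zero (or no temp file);
# 2 = exit 0 but an error about the new quota file was printed;
# 3 = exit 0, no error text, yet aquota.user is missing.
quotacheck_strict() {
    mnt=$1
    errlog=$(mktemp) || return 1
    rc=0
    "$QUOTACHECK" -vv -c "$mnt" 2>"$errlog" || rc=$?
    cat "$errlog" >&2                  # keep the tool's own messages visible
    status=0
    if [ "$rc" -ne 0 ]; then
        status=1
    elif grep -Eq 'Cannot (create|initialize IO on) new quotafile' "$errlog"; then
        status=2
    elif [ ! -f "$mnt/aquota.user" ]; then   # assumes usrquota, as in the report
        status=3
    fi
    rm -f "$errlog"
    return "$status"
}

# avc_denials_for COMM   (audit records on stdin)
# Prints "permission tcontext tclass" for every AVC denial logged for COMM.
avc_denials_for() {
    grep 'avc: *denied' | grep "comm=\"$1\"" |
        sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \2 \3/p'
}

# The denial quoted in the report, used here as sample input.
SAMPLE_AVC='type=1400 audit(1309440738.774:30706): avc: denied { write } for pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'
printf '%s\n' "$SAMPLE_AVC" | avc_denials_for quotacheck
```

Status 2 corresponds to the session in comment 2 (error text on stderr, exit code 0); status 3 corresponds to the original description, where nothing was printed at all.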