Bug 717948 - quotacheck -c fails without reporting error
Summary: quotacheck -c fails without reporting error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: quota
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Petr Pisar
QA Contact: Branislav Blaškovič
URL: https://sourceforge.net/tracker/?func...
Whiteboard:
Depends On:
Blocks: 685101 836160
 
Reported: 2011-06-30 13:48 UTC by Karel Volný
Modified: 2013-11-21 05:40 UTC (History)

Fixed In Version: quota-3.17-19.el6
Doc Type: Bug Fix
Doc Text:
* When quotacheck access was denied by SELinux, the "quotacheck -c" command did not report any errors, even in verbose mode, and the "quotacheck -c" command failed with an exit code 0. With this update, quotacheck internals have been changed to propagate any error with an appropriate non-zero exit code, and to print accurate warnings if the old quota file could not be used. Thus, quotacheck will report an error correctly while initializing quotas on a file system.
Clone Of:
: 717982 1020313 (view as bug list)
Environment:
Last Closed: 2013-11-21 05:40:01 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Proposed patch fixing exit code of quotacheck (6.42 KB, patch)
2011-07-01 08:48 UTC, Petr Pisar
Patch fixing warning messages to describe underlying issue correctly (1.48 KB, patch)
2011-07-01 08:49 UTC, Petr Pisar
Back-ported patch fixing exit code of quotacheck (6.44 KB, patch)
2011-07-15 09:31 UTC, Petr Pisar


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1548 0 normal SHIPPED_LIVE quota bug fix and enhancement update 2013-11-20 21:40:37 UTC

Description Karel Volný 2011-06-30 13:48:52 UTC
Description of problem:
When quotacheck access is denied by selinux, the command doesn't bother to report any error, even in verbose mode, and it returns exit code 0.

Version-Release number of selected component (if applicable):
quota-3.17-16.el6.i686

How reproducible:
always

Steps to Reproduce:
from the test /CoreOS/quota/Regression/bz77871-grace-period-not-shown

rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory"
rlRun "chmod +x $TmpDir" 0 "Making tmp directory accessible"
rlRun "pushd $TmpDir"
HomeDir="$TmpDir/bz77871"
rlFileBackup "/etc/fstab"
rlRun "dd if=/dev/zero of=bz77871.img count=2k" 0 "Creating the testing image"
rlRun "mke2fs -F bz77871.img" 0 "Formatting the testing image"
rlRun "mkdir bz77871" 0 "Creating the mountpoint"
rlRun "echo '$TmpDir/bz77871.img $HomeDir ext2 loop,usrquota 0 0' >> /etc/fstab" 0 "Adding fstab record"
rlRun "mount $HomeDir" 0 "Mounting the testing image"
rlRun "useradd -d $HomeDir bz77871" 0 "Adding the testing user"
rlRun "chown bz77871:bz77871 $HomeDir" 0 "Fixing ownership of the testing user's homedir"
rlRun "chcon unconfined_u:object_r:user_home_dir_t:s0 $HomeDir" 0 "Fixing SELinux context of the testing user's homedir"
# DEBUG
    echo "ls -dlZ $HomeDir:"
    ls -dlZ $HomeDir
rlRun "quotacheck -vv -c $HomeDir" 0 "Initialising quota files"
    ls -l $HomeDir/aquota.user
rlRun "setquota bz77871 128 256 0 0 $HomeDir" 0 "Setting the testing user quotas"

  
Actual results:
<cut>
:: [   PASS   ] :: Fixing SELinux context of the testing user's homedir
ls -dlZ /tmp/tmp.6uU3U2s2HV/bz77871:
drwxr-xr-x. bz77871 bz77871 unconfined_u:object_r:user_home_dir_t:s0 /tmp/tmp.6uU3U2s2HV/bz77871
:: [   PASS   ] :: Initialising quota files
ls: cannot access /tmp/tmp.6uU3U2s2HV/bz77871/aquota.user: No such file or directory
setquota: Cannot open quotafile /tmp/tmp.6uU3U2s2HV/bz77871/aquota.user: No such file or directory
setquota: Not all specified mountpoints are using quota.
:: [   FAIL   ] :: Setting the testing user quotas (Expected 0, got 1)


- you see, between the ls after chcon and the ls after quotacheck there is no error message, and quotacheck ('Initialising quota files') says PASS, which means the rlRun handler got the expected exit code, which was 0 in this case

the corresponding SELinux denial is:

type=1400 audit(1309440738.774:30706): avc:  denied  { write } for  pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

Expected results:
quotacheck should return non-zero exit code and print some information

from the manpage:

-v    quotacheck  reports  its operation as it progresses.  Normally it operates silently.  If the option is specified twice, also the current directory is printed (note that printing can slow down the scan measurably).

Additional info:

Comment 2 Petr Pisar 2011-06-30 14:51:07 UTC
I can confirm wrong return code:

[root@rhel-6_1 tmp]# ls -laZ /mnt/quota/
drwxr-xr-x. root root unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       ..
drwx------. root root system_u:object_r:file_t:s0      lost+found

[root@rhel-6_1 tmp]# quotacheck -vv -c /mnt/quota/
quotacheck: Scanning /dev/loop0 [/mnt/quota] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Old group file not found. Usage will not be substracted.
quotacheck: Checked 3 directories and 1 files
quotacheck: Cannot create new quotafile /mnt/quota/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

[root@rhel-6_1 tmp]# echo $?
0

[root@rhel-6_1 tmp]# rpm -q quota
quota-3.17-16.el6.x86_64

However, in contrast to your output, there are a lot of messages on stderr, including the relevant error message. I guess the beaker script does not echo rlRun() command output by default.

The same bug is present in the upstream development version.
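
The failure mode reported above (exit status 0 although `aquota.user` was never created) and the SELinux denial behind it can be caught by a caller that checks the post-condition instead of trusting the exit code. This is an added example, not part of the bug thread or of the quota project's code; the function names `init_quota_checked` and `avc_denials` are hypothetical, and the sample audit record is the one quoted in the description.

```bash
#!/bin/bash
# Added example (not from the bug thread). Function names are hypothetical.

# AVC record quoted in the bug description, embedded so this runs offline.
SAMPLE_AVC='type=1400 audit(1309440738.774:30706): avc:  denied  { write } for  pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'

# Run a quota initialisation command and verify its post-condition.
# $1 = mount point; remaining args = command, e.g. quotacheck -c "$mnt"
# Returns 0 = file created, 1 = command reported failure,
#         2 = command exited 0 but aquota.user is missing (the bug here).
init_quota_checked() {
    local mnt=$1
    shift
    "$@" || return 1
    [ -f "$mnt/aquota.user" ] || return 2
    return 0
}

# Print "<permissions> <tclass> <tcontext>" for each AVC denial of a command.
# $1 = command name as logged in comm=, $2 = file containing audit records
avc_denials() {
    grep -F "comm=\"$1\"" "$2" |
        sed -n 's/.*avc: *denied *{ \([^}]*\) }.*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \3 \2/p'
}

demo() {
    local d rc=0
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_AVC" > "$d/audit.log"
    # "true" stands in for an affected quotacheck: exit 0, nothing created.
    init_quota_checked "$d" true || rc=$?
    echo "init status: $rc"
    [ "$rc" -eq 2 ] && avc_denials quotacheck "$d/audit.log"
    rm -rf "$d"
}
demo
```

On a real system the call would be `init_quota_checked "$HomeDir" quotacheck -c "$HomeDir"`, with the audit log path passed to `avc_denials` when status 2 comes back.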

Comment 3 Petr Pisar 2011-07-01 08:48:22 UTC
Created attachment 510819 [details]
Proposed patch fixing exit code of quotacheck

Comment 4 Petr Pisar 2011-07-01 08:49:42 UTC
Created attachment 510820 [details]
Patch fixing warning messages to describe underlying issue correctly

Comment 5 Petr Pisar 2011-07-01 08:52:09 UTC
Patches posted to upstream for revision.

Comment 6 Karel Volný 2011-07-01 10:06:25 UTC
(In reply to comment #2)
> However, in contrast to your output, there are a lot of messages on stderr,
> including the relevant error message. I guess the beaker script does not echo
> rlRun() command output by default.

it does, after disabling selinux, I'm getting the informative messages without any problem ... maybe there's some other problem with selinux

however, thanks for the patches, let's wait for upstream then

Comment 7 RHEL Program Management 2011-07-06 00:06:34 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 8 Petr Pisar 2011-07-15 06:14:32 UTC
Both patches accepted by upstream:

commit 1c3bc6d34439f353ea00239dc1ca31239823bb4f
Author: Petr Písař <ppisar>
Date:   Fri Jul 1 10:22:10 2011 +0200

    get_qf_name() does not check quota file presence
    
    Old error message stated a quota file does not exist despite the fact
    get_qf_name() does not check the file existence. It constructs the
    file name only.
    
    This led to a misleading message when running initial `quotacheck -c'
    on extended file system mounted with usrquota option only.
    
    Signed-off-by: Jan Kara <jack>

commit 3c0f38a60e0879b4ba1ae9d3cdb3a971951a761f
Author: Petr Pisar <ppisar>
Date:   Fri Jul 1 10:13:54 2011 +0200

    Report quotacheck failures by return code
    
    Signed-off-by: Jan Kara <jack>

Comment 9 Petr Pisar 2011-07-15 09:31:54 UTC
Created attachment 513348 [details]
Back-ported patch fixing exit code of quotacheck

Comment 11 Suzanne Logcher 2012-02-14 23:10:44 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 12 RHEL Program Management 2012-09-07 05:08:27 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 14 RHEL Program Management 2013-05-21 01:00:42 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 22 Branislav Blaškovič 2013-08-09 10:29:24 UTC
I can't reproduce this with:

# rpm -q quota selinux-policy
quota-3.17-18.el6.x86_64
selinux-policy-3.7.19-195.el6.noarch

I cannot force SElinux to block quotacheck according to comment 1 or comment 2.

So I've added 'chattr +i <folder>' to block quotacheck.

TestCase added.

Comment 25 errata-xmlrpc 2013-11-21 05:40:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1548.html

