Bug 717948 - quotacheck -c fails without reporting error
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: quota
Version: 6.1
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Petr Pisar
QA Contact: Branislav Blaškovič
URL: https://sourceforge.net/tracker/?func...
Keywords: Patch
Depends On:
Blocks: 685101 836160
 
Reported: 2011-06-30 09:48 EDT by Karel Volný
Modified: 2013-11-21 00:40 EST

See Also:
Fixed In Version: quota-3.17-19.el6
Doc Type: Bug Fix
Doc Text:
* When quotacheck access was denied by SELinux, the "quotacheck -c" command did not report any errors, even in verbose mode, and the "quotacheck -c" command failed with an exit code 0. With this update, quotacheck internals have been changed to propagate any error with an appropriate non-zero exit code, and to print accurate warnings if the old quota file could not be used. Thus, quotacheck will report an error correctly while initializing quotas on a file system.
Clones: 717982 1020313
Last Closed: 2013-11-21 00:40:01 EST

Attachments:
Proposed patch fixing exit code of quotacheck (6.42 KB, patch), 2011-07-01 04:48 EDT, Petr Pisar
Patch fixing warning messages to describe underlying issue correctly (1.48 KB, patch), 2011-07-01 04:49 EDT, Petr Pisar
Back-ported patch fixing exit code of quotacheck (6.44 KB, patch), 2011-07-15 05:31 EDT, Petr Pisar

Description Karel Volný 2011-06-30 09:48:52 EDT
Description of problem:
When quotacheck access is denied by selinux, the command doesn't bother to report any error, even in verbose mode, and it returns exit code 0.

Version-Release number of selected component (if applicable):
quota-3.17-16.el6.i686

How reproducible:
always

Steps to Reproduce:
from the test /CoreOS/quota/Regression/bz77871-grace-period-not-shown

rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory"
rlRun "chmod +x $TmpDir" 0 "Making tmp directory accessible"
rlRun "pushd $TmpDir"
HomeDir="$TmpDir/bz77871"
rlFileBackup "/etc/fstab"
rlRun "dd if=/dev/zero of=bz77871.img count=2k" 0 "Creating the testing image"
rlRun "mke2fs -F bz77871.img" 0 "Formatting the testing image"
rlRun "mkdir bz77871" 0 "Creating the mountpoint"
rlRun "echo '$TmpDir/bz77871.img $HomeDir ext2 loop,usrquota 0 0' >> /etc/fstab" 0 "Adding fstab record"
rlRun "mount $HomeDir" 0 "Mounting the testing image"
rlRun "useradd -d $HomeDir bz77871" 0 "Adding the testing user"
rlRun "chown bz77871:bz77871 $HomeDir" 0 "Fixing ownership of the testing user's homedir"
rlRun "chcon unconfined_u:object_r:user_home_dir_t:s0 $HomeDir" 0 "Fixing SELinux context of the testing user's homedir"
# DEBUG
    echo "ls -dlZ $HomeDir:"
    ls -dlZ $HomeDir
rlRun "quotacheck -vv -c $HomeDir" 0 "Initialising quota files"
    ls -l $HomeDir/aquota.user
rlRun "setquota bz77871 128 256 0 0 $HomeDir" 0 "Setting the testing user quotas"

  
Actual results:
<cut>
:: [   PASS   ] :: Fixing SELinux context of the testing user's homedir
ls -dlZ /tmp/tmp.6uU3U2s2HV/bz77871:
drwxr-xr-x. bz77871 bz77871 unconfined_u:object_r:user_home_dir_t:s0 /tmp/tmp.6uU3U2s2HV/bz77871
:: [   PASS   ] :: Initialising quota files
ls: cannot access /tmp/tmp.6uU3U2s2HV/bz77871/aquota.user: No such file or directory
setquota: Cannot open quotafile /tmp/tmp.6uU3U2s2HV/bz77871/aquota.user: No such file or directory
setquota: Not all specified mountpoints are using quota.
:: [   FAIL   ] :: Setting the testing user quotas (Expected 0, got 1)


- you see, between the ls after chcon and the ls after quotacheck there is no error message, and quotacheck ('Initialising quota files') says PASS which means the rlRun handler got the expected exit code which was 0 in this case

the corresponding SELinux denial is:

type=1400 audit(1309440738.774:30706): avc:  denied  { write } for  pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

Expected results:
quotacheck should return non-zero exit code and print some information

from the manpage:

-v    quotacheck  reports  its operation as it progresses.  Normally it operates silently.  If the option is specified twice, also the current directory is printed (note that printing can slow down the scan measurably).

Additional info:
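
Added example (not part of this bug report): a shell/awk filter that pulls the denials for one command out of audit records in the format quoted above, so a silent quotacheck failure can be correlated with SELinux. The function names are hypothetical; the first sample line is the denial from this report and the second is constructed.

```shell
#!/bin/sh
# avc_denials_for COMM  (reads audit records on stdin)
# Prints one line per AVC denial whose comm= equals COMM:
#   <permissions> <source type> <target type> <object class>
avc_denials_for() {
    awk -v want="$1" '
    # Return the value of key=value from the current record, quotes removed.
    function field(key,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # SELinux context is user:role:type:level; return the type.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /avc:/ && /denied/ {
        if (field("comm") != want) next
        perms = $0
        sub(/^[^{]*[{] */, "", perms)   # drop everything up to "{ "
        sub(/ *[}].*$/, "", perms)      # drop " }" and the rest
        gsub(/ /, ",", perms)           # "read open" -> "read,open"
        print perms, setype(field("scontext")), setype(field("tcontext")), field("tclass")
    }'
}

# Sample input: line 1 is the denial quoted in this report, line 2 is constructed.
sample_audit_log() {
    cat <<'EOF'
type=1400 audit(1309440738.774:30706): avc:  denied  { write } for  pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309440739.001:30707): avc:  denied  { read open } for  pid=12400 comm="otherd" name="x" dev=loop0 ino=9 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}
```

For the report's record, `sample_audit_log | avc_denials_for quotacheck` shows that the quota_t domain was refused write on a user_home_dir_t directory.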
Comment 2 Petr Pisar 2011-06-30 10:51:07 EDT
I can confirm wrong return code:

[root@rhel-6_1 tmp]# ls -laZ /mnt/quota/
drwxr-xr-x. root root unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       ..
drwx------. root root system_u:object_r:file_t:s0      lost+found

[root@rhel-6_1 tmp]# quotacheck -vv -c /mnt/quota/
quotacheck: Scanning /dev/loop0 [/mnt/quota] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Old group file not found. Usage will not be substracted.
quotacheck: Checked 3 directories and 1 files
quotacheck: Cannot create new quotafile /mnt/quota/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

[root@rhel-6_1 tmp]# echo $?
0

[root@rhel-6_1 tmp]# rpm -q quota
quota-3.17-16.el6.x86_64

However, in contrast to your output, there are a lot of messages on stderr, including the relevant error message. I guess the beaker script does not echo rlRun() command output by default.

The same bug is present in the upstream development version.
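
Added example (not part of this bug report or of the quota project): on builds older than quota-3.17-19.el6 a caller cannot rely on the exit status shown above, so this shell wrapper also checks the post-condition and the two fatal messages from the transcript. The function name `init_quota_checked`, its return codes and the `aquota.user` file name (user quotas, as in the report) are assumptions of the example.

```shell
#!/bin/sh
# init_quota_checked MOUNTPOINT [COMMAND...]
# Runs COMMAND (default: quotacheck -c MOUNTPOINT) and returns:
#   0  command succeeded and MOUNTPOINT/aquota.user is in place
#   1  command reported failure itself (non-zero exit status)
#   2  exit status 0 but no quota file was created (the silent failure)
#   3  exit status 0 and a file exists, but stderr shows the new file
#      could not be written, so the existing file is stale
init_quota_checked() {
    mnt=$1; shift
    [ "$#" -gt 0 ] || set -- quotacheck -c "$mnt"
    errlog=$(mktemp) || return 1

    rc=0
    "$@" 2>"$errlog" || rc=$?
    cat "$errlog" >&2            # keep the tool's own messages visible

    # Only the two messages that mean "nothing was written" are fatal;
    # "Cannot stat old user quota file" is expected on a first -c run.
    fatal=0
    grep -Eq 'Cannot (create new quotafile|initialize IO on new quotafile)' \
        "$errlog" && fatal=1
    rm -f "$errlog"

    if [ "$rc" -ne 0 ]; then
        echo "quota init failed: exit status $rc" >&2
        return 1
    fi
    if [ ! -s "$mnt/aquota.user" ]; then
        echo "quota init failed silently: $mnt/aquota.user missing" >&2
        return 2
    fi
    if [ "$fatal" -eq 1 ]; then
        echo "quota init failed silently: stale $mnt/aquota.user kept" >&2
        return 3
    fi
    return 0
}
```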
Comment 3 Petr Pisar 2011-07-01 04:48:22 EDT
Created attachment 510819
Proposed patch fixing exit code of quotacheck
Comment 4 Petr Pisar 2011-07-01 04:49:42 EDT
Created attachment 510820
Patch fixing warning messages to describe underlying issue correctly
Comment 5 Petr Pisar 2011-07-01 04:52:09 EDT
Patches posted to upstream for revision.
Comment 6 Karel Volný 2011-07-01 06:06:25 EDT
(In reply to comment #2)
> However, in contrast to your output, there are a lot of messages on stderr,
> including the relevant error message. I guess the beaker script does not echo rlRun()
> command output by default.

it does, after disabling selinux, I'm getting the informative messages without any problem ... maybe there's some other problem with selinux

however, thanks for the patches, let's wait for upstream then
Comment 7 RHEL Product and Program Management 2011-07-05 20:06:34 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 8 Petr Pisar 2011-07-15 02:14:32 EDT
Both patches accepted by upstream:

commit 1c3bc6d34439f353ea00239dc1ca31239823bb4f
Author: Petr Písař <ppisar@redhat.com>
Date:   Fri Jul 1 10:22:10 2011 +0200

    get_qf_name() does not check quota file presence
    
    Old error message stated a quota file does not exist despite the fact
    get_qf_name() does not check the file existence. It constructs the
    file name only.
    
    This led to a misleading message when running initial `quotacheck -c'
    on extended file system mounted with usrquota option only.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

commit 3c0f38a60e0879b4ba1ae9d3cdb3a971951a761f
Author: Petr Pisar <ppisar@redhat.com>
Date:   Fri Jul 1 10:13:54 2011 +0200

    Report quotacheck failures by return code
    
    Signed-off-by: Jan Kara <jack@suse.cz>
Comment 9 Petr Pisar 2011-07-15 05:31:54 EDT
Created attachment 513348
Back-ported patch fixing exit code of quotacheck
Comment 11 Suzanne Yeghiayan 2012-02-14 18:10:44 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 12 RHEL Product and Program Management 2012-09-07 01:08:27 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 14 RHEL Product and Program Management 2013-05-20 21:00:42 EDT
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 22 Branislav Blaškovič 2013-08-09 06:29:24 EDT
I can't reproduce this with:

# rpm -q quota selinux-policy
quota-3.17-18.el6.x86_64
selinux-policy-3.7.19-195.el6.noarch

I cannot force SELinux to block quotacheck according to comment 1 or comment 2.

So I've added 'chattr +i <folder>' to block quotacheck.

TestCase added.
Comment 25 errata-xmlrpc 2013-11-21 00:40:01 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1548.html
