Description of problem:
Trying to run the test /CoreOS/quota/Regression/bz77871-grace-period-not-shown I'm getting SELinux denials ... The test mounts a filesystem on /dev/loopN to a user home directory, then it tries to set up quota on it, but quotacheck fails due to an SELinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-54.el6_0.5.noarch

How reproducible:
always

Steps to Reproduce:
1. mount a loop device into /your/mount with quota enabled (-o loop,usrquota)
2. quotacheck -c /your/mount

Actual results:
type=1400 audit(1309440738.774:30706): avc: denied { write } for pid=12335 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

Expected results:
quotacheck is allowed access to the device

Additional info:
I guess quota should be allowed to access any device it can run upon ... note that with setenforce 0, letting the test continue, I get a bunch of other errors, including "quotaon" being denied access to aquota.user:

SELinux: initialized (dev loop0, type ext2), uses xattr
type=1400 audit(1309442058.717:30708): avc: denied { write } for pid=13344 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442058.843:30709): avc: denied { add_name } for pid=13344 comm="quotacheck" name="aquota.user.new" scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442058.969:30710): avc: denied { create } for pid=13344 comm="quotacheck" name="aquota.user.new" scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.095:30711): avc: denied { write } for pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.230:30712): avc: denied { remove_name } for pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442059.366:30713): avc: denied { rename } for pid=13344 comm="quotacheck" name="aquota.user.new" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442059.500:30714): avc: denied { setattr } for pid=13344 comm="quotacheck" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=1400 audit(1309442060.021:30715): avc: denied { quotaon } for pid=13369 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
This is not a regression. We need to have a valid label on the mount device in order for SELinux to allow the access. Just setting up random devices in a test and not putting a label on them will not work, and did not work in 6.0.

mount a loop device into /your/mount with quota enabled (-o loop,usrquota)
chcon --reference /home /your/mount
quotacheck -c /your/mount

Should work. Which seems to be similar to what you are working on.
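The diagnosis in the reply (every denial is quota_t against user_home_dir_t, so the label on the mount point is the problem, not the policy) and the suggested chcon fix, as an added POSIX shell example that is not part of this bug thread. The sample AVC lines are constructed copies of the ones quoted in the report; the mount path argument, the helper names and the use of stat -c %C to print the context are assumptions, and the relabel function only runs when explicitly asked for on a real SELinux host:

```shell
#!/bin/sh
# Added example, not from the bug report: summarise AVC denials from the quota
# tools and apply the relabel the reply suggests (chcon --reference /home).

# Constructed sample lines, modelled on the denials quoted in the report.
SAMPLE_AVC='type=1400 audit(1309442058.717:30708): avc: denied { write } for pid=13344 comm="quotacheck" name="/" dev=loop0 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442058.843:30709): avc: denied { add_name } for pid=13344 comm="quotacheck" name="aquota.user.new" scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1309442060.021:30715): avc: denied { quotaon } for pid=13369 comm="quotaon" name="aquota.user" dev=loop0 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file'

# avc_summary: read AVC lines on stdin and print, per denial,
#   "source_type target_type tclass comm perms"
# so the domain / target-type pair that SELinux refused is visible at a glance.
# The permission list comes last because a denial may carry several of them.
avc_summary() {
  sed -n 's/.*avc: denied { \([^}]*\) } for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\3 \4 \5 \2 \1/p'
}

# avc_target_types: the distinct target types in the denials on stdin. When
# every denial hits one type that quota_t is not meant to write (here
# user_home_dir_t), the fix is the label on the mount point, not a policy change.
avc_target_types() {
  avc_summary | awk '{ print $2 }' | sort -u
}

# relabel_quota_mount MOUNTPOINT: the fix from the reply, with the context
# printed before and after so the change can be verified. Needs root and an
# SELinux-enabled host; stat -c %C (assumption) prints the security context.
relabel_quota_mount() {
  mnt=$1
  [ -d "$mnt" ] || { echo "no such directory: $mnt" >&2; return 1; }
  echo "before: $(stat -c %C "$mnt")"
  chcon --reference /home "$mnt" || return 1
  echo "after:  $(stat -c %C "$mnt")"
  quotacheck -c "$mnt"
}

# Default run: triage the constructed sample. "--fix /your/mount" applies the relabel.
case "${1:-}" in
  --fix) relabel_quota_mount "$2" ;;
  *) printf '%s\n' "$SAMPLE_AVC" | avc_summary ;;
esac
```

In practice the triage half is fed from ausearch or /var/log/audit/audit.log instead of the embedded sample; if avc_target_types prints anything other than a type the quota tools are meant to touch, relabel the mount point and rerun quotacheck rather than loosening the policy.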