Hi,

I'm facing a challenge with SELinux, and because I didn't get an explanation elsewhere, I'm trying to explain here.

I have decided to mount /var/spool/cron on a separate partition and apply quota for regular users. But quotacheck replies with a "permission denied":

quotacheck: Cannot create new quotafile /var/spool/cron/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied

Indeed, files in that directory have a context which denies the quotacheck process to write files. To become suitable for quota, those files (aquota.user and aquota.group) must have the quota_db_t type (in context). If I use restorecon /var/spool/cron/aquota.user, it reports that there is no default context for that file.

[root@CentOS active]# touch /var/spool/cron/aquota.user
[root@CentOS active]# restorecon /var/spool/cron/
[root@CentOS active]# ls -lZ /var/spool/cron/
-rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 aquota.user
[root@CentOS active]# restorecon /var/spool/cron/aquota.user
restorecon: Warning no default label for /var/spool/cron/aquota.user

Semanage reports this:

[root@CentOS active]# semanage fcontext -l|grep quota
/a?quota\.(user|group)                      regular file   system_u:object_r:quota_db_t:s0
/boot/a?quota\.(user|group)                 regular file   system_u:object_r:quota_db_t:s0
/etc/a?quota\.(user|group)                  regular file   system_u:object_r:quota_db_t:s0
/sbin/quota(check|on)                       regular file   system_u:object_r:quota_exec_t:s0
/usr/sbin/convertquota                      regular file   system_u:object_r:quota_exec_t:s0
/usr/sbin/quota_nld                         regular file   system_u:object_r:quota_nld_exec_t:s0
/usr/sbin/rpc\.rquotad                      regular file   system_u:object_r:rpcd_exec_t:s0
/var/a?quota\.(user|group)                  regular file   system_u:object_r:quota_db_t:s0
/var/lib/openshift/a?quota\.(user|group)    regular file   system_u:object_r:quota_db_t:s0
/var/lib/quota(/.*)?                        all files      system_u:object_r:quota_flag_t:s0
/var/lib/stickshift/a?quota\.(user|group)   regular file   system_u:object_r:quota_db_t:s0
/var/run/quota_nld\.pid                     regular file   system_u:object_r:quota_nld_var_run_t:s0
/var/spool/(.*/)?a?quota\.(user|group)      regular file   system_u:object_r:quota_db_t:s0

Take a look at the last file. Isn't it a default context for /var/spool/cron/aquota.user? It looks like https://bugzilla.redhat.com/show_bug.cgi?id=703871

What's your opinion?

Elji Udia