On Thu, Feb 20, 2020 at 07:57:31AM -0800, Darrick J. Wong wrote: > On Thu, Feb 20, 2020 at 03:32:33PM +0000, Richard Haines wrote: > > Added these quota command types for SELinux checks on XFS quotas. I picked > > those I thought useful. The selinux-testsuite will have tests for these > > permission checks on XFS. > > > > One point to note: XFS does not call dquot_quota_on() to trigger > > security_quota_on(), therefore the 'file quotaon' permission is not tested > > for SELinux > > Is that a feature or a bug? :) > > (It sounds like a bug to me, but let's see if anyone complains...) The dquot_* routines are not generic quota code, but a specific implementation used by most non-XFS file systems. So if there is a bug it is that the security call is not in the generic dispatch code.