[redhat-lspp] turning on quota under the MLS strict policy

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 20 19:43:09 UTC 2006


On Fri, 2006-10-20 at 16:34 -0300, Thiago Jung Bauermann wrote:
> On Fri, 2006-10-20 at 15:23 -0400, Valdis.Kletnieks at vt.edu wrote:
> > On Fri, 20 Oct 2006 16:14:23 -0300, Thiago Jung Bauermann said:
> > > So, does anyone have a tip about this?
> > Admittedly mostly shooting in the dark here..
> 
> No problem!
> 
> > > > scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255
> > > > tcontext=root:object_r:root_t:s0 tclass=filesystem
> > What happens if you're running as sysadm_t or similar instead of root_t?
> > This looks like SELinux "working as designed" - it stopped a root process
> > that was in the wrong context from doing something it wasn't allowed to do.
> 
> Actually, root_t is the type of the filesystem. I used it imagining the
> policy would allow quota to be turned on on /. I also tried mounting the
> filesystem as tmp_t, to no avail.
> 
> The process's type is quota_t, which sounds like a reasonable type for
> the quotacheck utility.
> 
> > Does 'newrole -r sysadm_r' improve things?
> 
> Yup, that's what I'm using.

Seems like it is just a policy bug to me.

-- 
Stephen Smalley
National Security Agency
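The denial quoted in this thread is easier to reason about once the two contexts are pulled apart into user, role, type and MLS range. The following is an added example, not code from the redhat-lspp list or from the quota package: it parses an AVC denial line of the shape quoted above, splits each context into its fields, expands the category range `c0.c255` into a set, checks whether the object's level falls inside the subject's clearance range, and prints the type-enforcement allow rule an administrator would compare against the loaded policy. The sample line is constructed from the contexts in the message; the permission name `quotamod` inside the braces is an assumption, because the quoted message does not show which `filesystem` permission was denied.

```python
"""Parse SELinux AVC denials such as the one quoted in the thread and
inspect the MLS fields of the subject and object contexts.

Added example; not code from the redhat-lspp list or the quota package.
"""
import re
from dataclasses import dataclass

# Constructed sample line, modelled on the contexts quoted in the thread.
# The permission in { } is an assumption: the message does not say which
# filesystem permission was denied (quotamod is one that exists in the class).
SAMPLE_AVC = (
    "type=AVC msg=audit(1161373000.123:456): avc:  denied  { quotamod } "
    "for  pid=4242 comm=\"quotacheck\" dev=sda1 "
    "scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 "
    "tcontext=root:object_r:root_t:s0 tclass=filesystem"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (s15 -> 15) and a set of category numbers."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # Dominance: higher-or-equal sensitivity and a superset of categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """'s15:c0.c255,c300' -> Level(15, {0..255, 300}); 's0' -> Level(0, {})."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity: %r" % sens)
    categories = set()
    for item in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError("bad category item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("category range out of order: %r" % item)
        categories.update(range(lo, hi + 1))   # c0.c255 expands to 256 categories
    return Level(int(sens[1:]), frozenset(categories))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level    # current level (files have low == high)
    high: Level   # clearance


def parse_context(text):
    """'staff_u:sysadm_r:quota_t:s0-s15:c0.c255' -> Context(...)."""
    parts = text.split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected user:role:type:range on an MLS policy: %r" % text)
    user, role, typ, mls = parts
    low_s, _, high_s = mls.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    if not high.dominates(low):
        raise ValueError("high level must dominate low level: %r" % mls)
    return Context(user, role, typ, low, high)


def parse_avc(line):
    """Return the denied permissions, both contexts and the object class."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    return {
        "perms": m.group("perms").split(),
        "scontext": parse_context(m.group("scontext")),
        "tcontext": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def object_within_subject_range(avc):
    """True when the object's level lies inside the subject's low..high range."""
    subj, obj = avc["scontext"], avc["tcontext"]
    return obj.low.dominates(subj.low) and subj.high.dominates(obj.low)


def te_rule(avc):
    """The type-enforcement allow rule to look for in (or add to) the policy."""
    perms = " ".join(avc["perms"])
    return "allow %s %s:%s { %s };" % (
        avc["scontext"].type, avc["tcontext"].type, avc["tclass"], perms)


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("subject type:", avc["scontext"].type, "object type:", avc["tcontext"].type)
    print("object level inside subject range:", object_within_subject_range(avc))
    print("TE rule to check:", te_rule(avc))
```

For the contexts quoted in the thread the object level `s0` sits inside the process range `s0-s15:c0.c255`, so the MLS fields of the denial are not what stands out; the allow rule the script prints is the thing to compare against the loaded policy, which matches the reading that a type-enforcement rule is simply missing.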
