[redhat-lspp] turning on quota under the MLS strict policy
Daniel J Walsh
dwalsh at redhat.com
Mon Oct 23 17:21:41 UTC 2006
Stephen Smalley wrote:
> On Fri, 2006-10-20 at 16:34 -0300, Thiago Jung Bauermann wrote:
>
>> On Fri, 2006-10-20 at 15:23 -0400, Valdis.Kletnieks at vt.edu wrote:
>>
>>> On Fri, 20 Oct 2006 16:14:23 -0300, Thiago Jung Bauermann said:
>>>
>>>> So, does anyone have a tip about this?
>>>>
>>> Admittedly mostly shooting in the dark here..
>>>
>> No problem!
>>
>>
>>>>> scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255
>>>>> tcontext=root:object_r:root_t:s0 tclass=filesystem
>>>>>
>>> What happens if you're running as sysadm_t or similar instead of root_t?
>>> This looks like SELinux "working as designed" - it stopped a root process
>>> that was in the wrong context from doing something it wasn't allowed to do.
>>>
>> Actually, root_t is the type of the filesystem. I used it imagining the
>> policy would allow quota to be turned on on /. I also tried mounting the
>> filesystem as tmp_t, to no avail.
>>
>> The process's type is quota_t, which sounds like a reasonable type for
>> the quotacheck utility.
>>
>>
>>> Does 'newrole -r sysadm_r' improve things?
>>>
>> Yup, that's what I'm using.
>>
>
> Seems like it is just a policy bug to me.
>
>
The problem is neither root_t nor tmp_t are filesystem_type(s) as far as
policy is concerned.
Currently policy only allows for fs_t:filesystem getattr;
Not sure how well the policy is written for quota. Perhaps we should
turn off protection and make sysadm_t do it?
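An added example, not from this thread, that parses the AVC denial quoted above and applies Dan's check: is the target type one the policy treats as a filesystem_type, and if so, what does quota_t hold on it? The set of filesystem types and the granted permissions are constructed stand-ins, not read from a real policy.

```python
import re

# Constructed stand-in for the filesystem_type attribute. Dan's point is that
# root_t and tmp_t are NOT in it, so a rule written against fs_t never matches.
FILESYSTEM_TYPES = {"fs_t"}

# Constructed from the message: policy grants quota_t only getattr on fs_t.
ALLOWED = {("quota_t", "fs_t", "filesystem"): {"getattr"}}


def parse_context(ctx: str) -> dict:
    """Split user:role:type[:level]; the MLS level itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line: str) -> dict:
    """Pull scontext/tcontext/tclass out of an AVC denial line."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError(f"AVC line lacks {key}")
    return {
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def diagnose(avc: dict) -> str:
    """Explain a filesystem-class denial the way the thread does."""
    stype = avc["scontext"]["type"]
    ttype = avc["tcontext"]["type"]
    if avc["tclass"] != "filesystem":
        return "not a filesystem-class denial"
    if ttype not in FILESYSTEM_TYPES:
        return (f"{ttype} is not a filesystem_type; filesystem rules for "
                f"{stype} written against fs_t do not apply")
    granted = ALLOWED.get((stype, ttype, "filesystem"), set())
    return f"{ttype} is a filesystem_type; {stype} holds only {sorted(granted)}"


# Constructed sample assembled from the fields quoted in the thread.
SAMPLE = ("avc: denied for pid=1234 scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 "
          "tcontext=root:object_r:root_t:s0 tclass=filesystem")
```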