Stephen Smalley wrote:
On Fri, 2006-10-20 at 16:34 -0300, Thiago Jung Bauermann wrote:
On Fri, 2006-10-20 at 15:23 -0400, [EMAIL PROTECTED] wrote:
On Fri, 20 Oct 2006 16:14:23 -0300, Thiago Jung Bauermann said:
So, does anyone have a tip about this?
Admittedly mostly shooting in the dark here...
No problem!

scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255
tcontext=root:object_r:root_t:s0 tclass=filesystem
What happens if you're running as sysadm_t or similar instead of root_t?
This looks like SELinux "working as designed" - it stopped a root process
that was in the wrong context from doing something it wasn't allowed to do.
Actually, root_t is the type of the filesystem. I used it imagining the
policy would allow quota to be turned on on /. I also tried mounting the
filesystem as tmp_t, to no avail.

The process's type is quota_t, which sounds like a reasonable type for
the quotacheck utility.

Does 'newrole -r sysadm_r' improve things?
Yup, that's what I'm using.

Seems like it is just a policy bug to me.

The problem is neither root_t nor tmp_t are filesystem_type(s) as far as policy is concerned.

Currently policy only allows for fs_t:filesystem getattr;

Not sure how well the policy is written for quota. Perhaps we should turn off protection and make sysadm_t do it?
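Added example, not from the thread or from the SELinux reference policy: it parses an AVC denial shaped like the one quoted above and checks it against a hypothetical rule table that contains only the rule the reply says exists (quota_t getattr on fs_t:filesystem), showing why a target labelled root_t is denied and why the fix is a labelling question rather than a new allow rule. The "avc: denied { getattr }" prefix, the rule table and the FILESYSTEM_TYPES set are constructed assumptions.

```python
import re

# Constructed denial line modelled on the fields quoted in the thread; the
# "denied { getattr }" prefix is assumed (the reply only mentions getattr).
AVC_LINE = ('avc:  denied  { getattr } for  pid=1234 comm="quotacheck" '
            'scontext=staff_u:sysadm_r:quota_t:s0-s15:c0.c255 '
            'tcontext=root:object_r:root_t:s0 tclass=filesystem')

# Hypothetical minimal policy: (source type, target type, class) -> permissions.
# Only the rule the thread says exists is modelled here.
ALLOW_RULES = {("quota_t", "fs_t", "filesystem"): {"getattr"}}

# Hypothetical set of types declared with the filesystem_type attribute.
FILESYSTEM_TYPES = {"fs_t"}

_AVC_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}.*?"
                     r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def parse_avc(line: str) -> dict:
    """Extract permissions, source/target *types* (3rd context field) and class."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    perms, scontext, tcontext, tclass = m.groups()
    return {"perms": set(perms.split()),
            "stype": scontext.split(":")[2],   # user:role:type[:range]
            "ttype": tcontext.split(":")[2],
            "tclass": tclass}


def is_allowed(denial: dict, rules=ALLOW_RULES) -> bool:
    """Type-enforcement lookup: every requested permission must be granted."""
    granted = rules.get((denial["stype"], denial["ttype"], denial["tclass"]), set())
    return denial["perms"] <= granted


def diagnose(denial: dict, rules=ALLOW_RULES, fs_types=FILESYSTEM_TYPES) -> str:
    """Distinguish a missing rule from a mislabelled target, as the thread does."""
    if is_allowed(denial, rules):
        return "allowed"
    stype, ttype, tclass = denial["stype"], denial["ttype"], denial["tclass"]
    perms = " ".join(sorted(denial["perms"]))
    if tclass == "filesystem" and ttype not in fs_types:
        return (f"{ttype} is not a filesystem type; fix the filesystem label "
                f"(expected one of {sorted(fs_types)}) instead of adding "
                f"'allow {stype} {ttype}:{tclass} {{ {perms} }};'")
    return f"missing rule: allow {stype} {ttype}:{tclass} {{ {perms} }};"


if __name__ == "__main__":
    print(diagnose(parse_avc(AVC_LINE)))
```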


--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
