5

Unable to Configure Quotas in RHEL6 & CentOS6 - quotacheck returns error message

I've created a new partition (/dev/sda6) and mounted it (on /hulk).

Edited the /etc/fstab file to give quotas on the partition with the following line

/dev/sda6   /hulk   ext4   defaults,usrquota,grpquota    0 0

and gave the following commands

[root@localhost ~]# mount -o remount,rw /hulk

[root@localhost ~]# mount|grep hulk
/dev/sda6 on /hulk type ext4 (rw,usrquota,grpquota)

[root@localhost ~]# cd /hulk

[root@localhost hulk]# ls
lost+found

and as I use the quotacheck command, it gives me the following error message

[root@localhost hulk]# quotacheck -cug /hulk
quotacheck: Cannot create new quotafile /hulk/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /hulk/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
zen pwning
  • What are the permissions on `/hulk`? – Jenny D Oct 20 '14 at 07:28
  • @Jenny D [root@localhost ~]# ls -ld /hulk drwxrwxrwx. 2 root root 4096 Oct 20 13:45 /hulk – zen pwning Oct 20 '14 at 08:28
  • @Jenny D [root@localhost ~]# ls -ldZ /hulk drwxr-xr-x. root root system_u:object_r:file_t:s0 /hulk – zen pwning Oct 20 '14 at 10:12
  • 1
    @Jenny D Finally I was able to resolve the issue with the help of the following link: http://www.unix.com/red-hat/176845-user-group-quota-not-working-rhel6-2-ext4-ext3.html – zen pwning Oct 21 '14 at 03:00
  • Great that you found the solution! It would be very much appreciated if you could take a few moments to write it into an answer that you can accept and I can upvote too... (There might be a time limit before you can do this since you're a new user, but it would be **really** helpful for others if you could hang around and do that!) – Jenny D Oct 21 '14 at 07:14
  • `# chcon --reference=/var /hulk` or else changing the SELinux mode to either permissive or disabled – zen pwning Nov 04 '14 at 05:54
  • Please type that into the Answer box, I promise to upvote it if you do and leave a comment. – Jenny D Nov 04 '14 at 07:16

2 Answers

0

Run it once in permissive mode and then scan for possible violations or just repeat the procedure until you find all violations.

ausearch -c 'quotaon' --raw | audit2allow -M my-quotaon
semodule -i my-quotaon.pp

This will scan for all violations and create a fitting SELinux module to allow them. You can repeat this step until it works.

This is what I came up with on Fedora 24. The quota is enabled on my /home mount.

module my-quotaon 1.0;

require {
    type fs_t;
    type quota_exec_t;
    type home_root_t;
    type init_t;
    type quota_db_t;
    class file { execute execute_no_trans open quotaon read };
    class filesystem { quotaget quotamod };
}

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t fs_t:filesystem { quotaget quotamod };

#!!!! This avc is allowed in the current policy
allow init_t home_root_t:file read;
allow init_t quota_db_t:file quotaon;

#!!!! This avc is allowed in the current policy
allow init_t quota_db_t:file { open read };

#!!!! This avc is allowed in the current policy
allow init_t quota_exec_t:file { execute execute_no_trans open read };
pgampe
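A way to review the generated module before loading it, as an added example that is not part of the original answers: it keeps only the allow rules that audit2allow did not mark as already allowed and rebuilds a matching require block. The function names `new_rules`, `minimal_module` and `sample_te` are hypothetical, the sample input is constructed from the module quoted above, and the script assumes each `#!!!!` annotation covers only the next allow line.

```shell
# Added example: reduce an audit2allow-generated .te file to the rules the
# loaded policy does not already grant, before anything is installed.

# new_rules [FILE]: print allow rules NOT preceded by audit2allow's
# "#!!!! This avc is allowed in the current policy" annotation.
# Assumption: the annotation covers only the next allow line.
new_rules() {
    awk '
        /^#!!!! This avc is allowed in the current policy/ { skip = 1; next }
        /^allow / { if (!skip) print; skip = 0 }
    ' "$@"
}

# minimal_module NAME [FILE]: emit a .te with only those rules and a require
# block rebuilt from the types, classes and permissions they actually use.
minimal_module() {
    name=$1; shift
    new_rules "$@" | awk -v name="$name" '
        {
            rules[++n] = $0
            gsub(/[{};]/, " ")              # now: allow SRC TGT:CLASS PERM...
            split($3, tc, ":")
            types[$2] = 1; types[tc[1]] = 1
            for (i = 4; i <= NF; i++)
                if (!seen[tc[2], $i]++) perms[tc[2]] = perms[tc[2]] " " $i
        }
        END {
            if (!n) exit 1                  # nothing new: no module needed
            printf "module %s 1.0;\n\nrequire {\n", name
            for (t in types) printf "    type %s;\n", t
            for (c in perms) printf "    class %s {%s };\n", c, perms[c]
            print "}\n"
            for (i = 1; i <= n; i++) print rules[i]
        }
    '
}

# Constructed sample: rule section of the module quoted in the answer above.
sample_te() {
    cat <<'EOF'
#!!!! This avc is allowed in the current policy
allow init_t fs_t:filesystem { quotaget quotamod };
#!!!! This avc is allowed in the current policy
allow init_t home_root_t:file read;
allow init_t quota_db_t:file quotaon;
EOF
}

sample_te | minimal_module my-quotaon-min
```

On the sample, the only rule left is `allow init_t quota_db_t:file quotaon;`, so the reduced module requires just `init_t`, `quota_db_t` and the `quotaon` permission on class `file`.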
-2
# chcon --reference=/var /hulk

or else changing the SELinux mode to either permissive or disabled.

slm
zen pwning