Fixing SELinux blocking quota setup


Environment: CentOS 6.2; /quotadisk is a separate partition used only for disk quotas.
Problem: running quotacheck fails with "Permission denied" and the aquota.user and aquota.group files cannot be created. The mount point is a freshly created directory that SELinux labels default_t, and quotacheck's confined domain is not allowed to write into a default_t directory (see the restorecon output further down), so this is a file-labeling problem, not a quota configuration problem.
Solution:
[root@centos quotadisk]# tail -4 /var/log/messages | grep setroubleshoot
Feb 29 15:36:12 centos62 setroubleshoot: SELinux is preventing /sbin/quotacheck from write access on the directory /quotadisk. For complete SELinux messages. run sealert -l 7e9da0aa-387f-49c8-afaa-315812ca3b23

[root@centos quotadisk]# sealert -l 7e9da0aa-387f-49c8-afaa-315812ca3b23
SELinux is preventing /sbin/quotacheck from write access on the directory /quotadisk.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow quotacheck to have write access on the quotadisk directory
Then you need to change the label on /quotadisk
Do
# semanage fcontext -a -t FILE_TYPE '/quotadisk' <= run this command, replacing FILE_TYPE with one of the types listed below
where FILE_TYPE is one of the following:boot_t, root_t, tmp_t, usr_t, var_t, mail_spool_t, etc_t, mqueue_spool_t, var_spool_t, home_root_t.
Then execute:
restorecon -v '/quotadisk'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that quotacheck should be allowed write access on the quotadisk directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep quotacheck /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
---------------------------------------------------------------

[root@centos ~]# semanage fcontext -a -t usr_t '/quotadisk'

[root@centos ~]# restorecon -v '/quotadisk'
restorecon reset /quotadisk context system_u:object_r:default_t:s0->system_u:object_r:usr_t:s0

[root@centos ~]# quotacheck -acvug
quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown.
quotacheck: Scanning /dev/sda11 [/quotadisk] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Checked 2 directories and 2 files
quotacheck: Old file not found.
quotacheck: Old file not found.

[root@centos ~]# ll -Z /quotadisk/
-rw-------. root root unconfined_u:object_r:quota_db_t:s0 aquota.group
-rw-------. root root unconfined_u:object_r:quota_db_t:s0 aquota.user
drwxr-x---. wolf2012 wolf2012 unconfined_u:object_r:usr_t:s0   wold2012

[root@centos ~]# quotaon -avug
[root@centos ~]# edquota -u wolf2012
Edit the user's quota, and it is done.
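The steps above are the right order of operations: read the AVC denial, fix the label on the target directory, and only then re-run quotacheck. The catchall plugin's audit2allow suggestion would instead bake a permanent rule allowing quotacheck's domain to write into every default_t directory, which is far broader than relabeling one mount point. The script below, added here as an example and not part of the original post, automates the triage: it parses AVC lines in the format written to /var/log/audit/audit.log, decides whether the target is an unlabeled default_t directory (relabel) or a directory that already carries a deliberate type (review before touching policy), and prints the semanage/restorecon pair. Both AVC lines are constructed for this example; the quota_t source domain and the samba_share_t type in the second line are assumptions, since the post only shows the sealert summary.

```bash
#!/bin/sh
# Added example, not from the original post: triage a quotacheck AVC denial
# and emit the relabel commands for the quota partition.
# Both AVC lines are constructed; quota_t (the domain quotacheck runs in) and
# samba_share_t (the second target type) are assumptions for this example.

SAMPLE_AVC='type=AVC msg=audit(1330500972.123:456): avc:  denied  { write } for  pid=1234 comm="quotacheck" name="quotadisk" dev=sda11 ino=2 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# Same domain, same permission, but the directory already has a purpose-specific
# type; here relabeling to usr_t would silently change what that directory is.
SAMPLE_AVC_OTHER='type=AVC msg=audit(1330500972.200:457): avc:  denied  { write } for  pid=1235 comm="quotacheck" name="data" dev=sda11 ino=12 scontext=unconfined_u:unconfined_r:quota_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir'

# parse_avc LINE -> "comm perm tclass source_type target_type"
parse_avc() {
    printf '%s\n' "$1" | awk '
    {
        comm = perm = tclass = stype = ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
            if ($i == "{")         { perm = $(i + 1) }
        }
        print comm, perm, tclass, stype, ttype
    }'
}

# recommend LINE -> "relabel" when quotacheck was denied on a directory that
# still carries default_t (the type a brand-new mount point gets), "policy"
# when the directory already has a deliberate type and the access itself
# needs review before anyone reaches for audit2allow.
recommend() {
    parse_avc "$1" | {
        read -r comm perm tclass stype ttype
        if [ "$comm" = quotacheck ] && [ "$tclass" = dir ] && [ "$ttype" = default_t ]; then
            echo relabel
        else
            echo policy
        fi
    }
}

# fcontext_cmds MOUNTPOINT TYPE -> the semanage/restorecon pair. The pattern
# covers the mount point and everything below it; the post's plain
# '/quotadisk' pattern only matched the top directory.
fcontext_cmds() {
    mp=${1%/}
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$mp"
    printf "restorecon -Rv '%s'\n" "$mp"
}

MOUNTPOINT=/quotadisk
for avc in "$SAMPLE_AVC" "$SAMPLE_AVC_OTHER"; do
    echo "# AVC: $(parse_avc "$avc")"
    case "$(recommend "$avc")" in
        relabel) echo "# unlabeled mount point, relabel it:"; fcontext_cmds "$MOUNTPOINT" usr_t ;;
        policy)  echo "# directory already has a deliberate type; review before any audit2allow" ;;
    esac
done
```

The script only prints the commands; run them as root once you have confirmed the target type. Two further caveats from the session above: the subdirectory wold2012 shows usr_t only because it was created after the relabel and inherited its parent's type, so an fcontext rule that covers the whole tree is what keeps restorecon consistent later; and the journaled-quota warning from quotacheck is unrelated to SELinux, it goes away when the filesystem is mounted with usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 instead of plain usrquota,grpquota.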
