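Environment: CentOS 6.2. /quotadisk is a separate partition dedicated to disk quotas.
Problem: running the quotacheck command reports "权限不够" (Permission denied), and the two files aquota.user and aquota.group cannot be created.
Solution: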
[root@centos quotadisk]# tail -4 /var/log/messages | grep setroubleshoot
Feb 29 15:36:12 centos62 setroubleshoot: SELinux is preventing /sbin/quotacheck from write access on the directory /quotadisk. For complete SELinux messages. run sealert -l 7e9da0aa-387f-49c8-afaa-315812ca3b23
[root@centos quotadisk]# sealert -l 7e9da0aa-387f-49c8-afaa-315812ca3b23
SELinux is preventing /sbin/quotacheck from write access on the directory /quotadisk.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow quotacheck to have write access on the quotadisk directory
Then you need to change the label on /quotadisk
Do
# semanage fcontext -a -t FILE_TYPE "/quotadisk" <= run this command, replacing FILE_TYPE with one of the types listed below
where FILE_TYPE is one of the following: boot_t, root_t, tmp_t, usr_t, var_t, mail_spool_t, etc_t, mqueue_spool_t, var_spool_t, home_root_t.
Then execute:
restorecon -v "/quotadisk"
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that quotacheck should be allowed write access on the quotadisk directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep quotacheck /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
---------------------------------------------------------------
[root@centos ~]# semanage fcontext -a -t usr_t "/quotadisk"
[root@centos ~]# restorecon -v "/quotadisk"
restorecon reset /quotadisk context system_u:object_r:default_t:s0->system_u:object_r:usr_t:s0
[root@centos ~]# quotacheck -acvug
quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown.
quotacheck: Scanning /dev/sda11 [/quotadisk] done
quotacheck: Cannot stat old user quota file: 没有那个文件或目录
quotacheck: Cannot stat old group quota file: 没有那个文件或目录
quotacheck: Cannot stat old user quota file: 没有那个文件或目录
quotacheck: Cannot stat old group quota file: 没有那个文件或目录
quotacheck: Checked 2 directories and 2 files
quotacheck: Old file not found.
quotacheck: Old file not found.
[root@centos ~]# ll -Z /quotadisk/
-rw-------. root root unconfined_u:object_r:quota_db_t:s0 aquota.group
-rw-------. root root unconfined_u:object_r:quota_db_t:s0 aquota.user
drwxr-x---. wolf2012 wolf2012 unconfined_u:object_r:usr_t:s0 wold2012
[root@centos ~]# quotaon -avug
[root@centos ~]# edquota -u wolf2012
Edit the quota, and that's it.
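The diagnosis above can be scripted as a pre-check before running quotacheck. The following is an added example, not part of the original post: the function names are made up here, the sample log line is constructed from the /var/log/messages entry shown above, and the allowed-type list is the one sealert printed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from any SELinux tool.

# Types sealert listed as acceptable labels for the quota directory.
ALLOWED_TYPES="boot_t root_t tmp_t usr_t var_t mail_spool_t etc_t mqueue_spool_t var_spool_t home_root_t"

# Print the type (3rd colon-separated field) of an SELinux context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context's type is in the list sealert printed, else 1.
label_allows_quotacheck() {
    t=$(context_type "$1")
    for a in $ALLOWED_TYPES; do
        [ "$t" = "$a" ] && return 0
    done
    return 1
}

# Read syslog text on stdin; for every setroubleshoot denial print
# "program access target alert-id" (the id is what sealert -l expects).
parse_setroubleshoot() {
    sed -n 's/.*setroubleshoot: SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the [a-z_]* \([^ ]*\)\. .*sealert -l \([0-9a-f-]*\).*/\1 \2 \3 \4/p'
}

# Check a real mount point; stat -c %C prints its SELinux context (GNU coreutils).
check_mountpoint() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || { echo "cannot read context of $1"; return 2; }
    if label_allows_quotacheck "$ctx"; then
        echo "$1: $ctx (ok for quotacheck)"
    else
        echo "$1: $ctx (relabel with semanage fcontext + restorecon first)"
        return 1
    fi
}

# Constructed sample line, modeled on the log entry shown above.
SAMPLE_LOG='Feb 29 15:36:12 centos62 setroubleshoot: SELinux is preventing /sbin/quotacheck from write access on the directory /quotadisk. For complete SELinux messages. run sealert -l 7e9da0aa-387f-49c8-afaa-315812ca3b23'

# Demo: extract the denial fields from the sample line.
printf '%s\n' "$SAMPLE_LOG" | parse_setroubleshoot
```

On the affected host, `check_mountpoint /quotadisk` reports whether the directory still carries default_t, the label restorecon replaced in the session above.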