无法在 RHEL6 和 CentOS6 中配置配额 - quotecheck 返回错误消息
我创建了新分区(/dev/sda6)并将其安装在(/hulk 上)。
编辑 /etc/fstab 文件以使用以下行在分区上提供配额
/dev/sda6 /hulk ext4 defaults,usrquota,grpquota 0 0
并给出了以下命令
[root@localhost ~]# mount -o remount,rw /hulk
[root@localhost ~]# mount|grep hulk
/dev/sda6 on /hulk type ext4 (rw,usrquota,grpquota)
[root@localhost ~]# cd /hulk
[root@localhost hulk]# ls
lost+found
当我使用quotacheck命令时,它给出了以下错误消息
[root@localhost hulk]# quotacheck -cug /hulk
quotacheck: Cannot create new quotafile /hulk/aquota.user.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
quotacheck: Cannot create new quotafile /hulk/aquota.group.new: Permission denied
quotacheck: Cannot initialize IO on new quotafile: Permission denied
答案1
在宽容模式下运行一次,然后扫描可能的违规行为,或者重复该过程,直到找到所有违规行为。
ausearch -c 'quotaon' --raw | audit2allow -M my-quotaon
semodule -i my-quotaon.pp
这将扫描所有违规行为并创建一个合适的 selinux 模块来允许它们。您可以重复此步骤,直到有效为止。
这是我在 Fedora 24 上想到的。我的/home安装上启用了配额。
module my-quotaon 1.0;
require {
type fs_t;
type quota_exec_t;
type home_root_t;
type init_t;
type quota_db_t;
class file { execute execute_no_trans open quotaon read };
class filesystem { quotaget quotamod };
}
#============= init_t ==============
#!!!! This avc is allowed in the current policy
allow init_t fs_t:filesystem { quotaget quotamod };
#!!!! This avc is allowed in the current policy
allow init_t home_root_t:file read;
allow init_t quota_db_t:file quotaon;
#!!!! This avc is allowed in the current policy
allow init_t quota_db_t:file { open read };
#!!!! This avc is allowed in the current policy
allow init_t quota_exec_t:file { execute execute_no_trans open read };
答案2
# chcon ---reference=/var /hulk
或者将 SElinux 模式更改为许可或禁用。