Understanding filesystem quotas

Chris Szilagyi chris at apex-internet.com
Fri Nov 14 16:57:27 UTC 2014 

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 14 Nov 2014, Chris Szilagyi wrote:
>
>>> 3) have read dovecot logs, if there are errors, and
>>
>> Quite a while after testing and posting this, these errors started showing
>> up in /var/log/maillog ... I'm currently investigating.  This may be part
>> of
>> the issue.
>>
>> dovecot: imap(username): Error: quotactl(Q_GETQUOTA, /dev/sdb1) failed:
>> Permission denied
>
> This is the reason, you do not get any "current" information about the
> quota
>
> Do you have SELinux in action?
> Run "sestatus" and "grep -i AVC /var/log/audit/audit.log" to identify
> SELinux caused denials,
>

Yes, I do use SELinux.  I have tried setting "setenforce 0" however just as
you mentioned these show up in the audit.log which I just found as well:

type=AVC msg=audit(1415935621.946:8005): avc:  denied  { quotaget } for 
pid=27701 comm="imap" scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

I ended up following instructions in a SELinux FAQ to allow dovecot to use
quotaget.  Seems that Dovecot is still not reporting any quota usage though:

Quota name Type    Value Limit                                    %
User quota STORAGE     0     -                                    0

I also did a check by running "quota username" and it shows the hard/soft
values set correctly.

These are the steps I went through to correct the SELinux issue:

audit2allow -m local -l -i /var/log/audit/audit.log > dovecotquotaget.te

Edit and take out other lines in this file not pertaining to the quotaget
issue.

checkmodule -M -m -o dovecotquotaget.mod dovecotquotaget.te
semodule_package -o dovecotquotaget.pp -m dovecotquotaget.mod
semodule -i dovecotquotaget.pp


I noticed this before but it doesn't seem that it queries quota usage every
time the user connects via IMAP.  I know this because I wasn't always
getting the "Permission denied" errors until a while after I enabled quotas.

If you have any further ideas please let me know. Thank you very much once
again.

--
Chris

More information about the dovecot mailing list