R: RE: R: OT: Linux df question
Date: Fri, 11 Jul 2014 16:53:29 +0200 (CEST)
Message-ID: <1119439782.9047201405090409645.JavaMail.actor_at_webmail42>
Can you show us the content of /etc/fstab?
Alessandro
----Original message----
From: JSweetser_at_icat.com
Date: 11/07/2014 16.42
To: "dedba_at_tpg.com.au"<dedba_at_tpg.com.au>
Cc: "oracle-l_at_freelists.org"<oracle-l_at_freelists.org>
Subject: RE: R: OT: Linux df question
Unfortunately (perhaps not :) ), we are not running selinux.
I worked a bit with Seth Miller backchannel on this with still no resolution, though certainly not for Seth’s lack of effort or knowledge. It’s a strange one. I did run lsattr at the / level and all the ‘system-related’ directories are throwing an inappropriate ioctl error.
Thanks so far to all for suggestions/ideas. If nothing else, this has been a good educational experience for me!
-joe
(as root)
# sestatus
SELinux status: disabled
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
# lsattr -d /
--------------- /
# lsattr /
-------------e- /usr
--------------- /u02
lsattr: Inappropriate ioctl for device While reading flags on /boot
----------I--e- /lib64
lsattr: Inappropriate ioctl for device While reading flags on /sys
lsattr: Inappropriate ioctl for device While reading flags on /proc
-------------e- /lib
-------------e- /cgroup
lsattr: Inappropriate ioctl for device While reading flags on /misc
-------------e- /home
-------------e- /var
-------------e- /selinux
--------------- /u04
lsattr: Inappropriate ioctl for device While reading flags on /net
-------------e- /mnt
-------------e- /tmp
--------------- /u01
----------I--e- /sbin
----------I--e- /etc
--------------- /u03
-------------e- /root
-------------e- /bin
--------------- /opt
-------------e- /srv
--------------- /lost+found
lsattr: Inappropriate ioctl for device While reading flags on /dev
-------------e- /media
#
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of De DBA
Sent: Friday, July 11, 2014 2:49 AM
To: alever_at_libero.it
Cc: oracle-l_at_freelists.org
Subject: Re: R: OT: Linux df question
I don't believe that permissions or ACLs are the problem here, as the output of ls -ld does not show ACLs to be enabled on the filesystem ("." or "+" after the rwx permissions), and the rwx permissions are the same for /boot and /boot/efi, but the error occurs only on /boot/efi, not on any other subdirectories in /boot (there should at least also be /boot/grub).
It being RedHat 6, selinux is enabled by default, so it could well be the selinux context. They should be the same for /boot and /boot/efi. In my Scientific Linux 6 VM:
[user_at_emperor ~]$ sudo ls -dZ /boot /boot/efi /boot/grub
drwx------. root root system_u:object_r:boot_t:s0 /boot
drwx------. root root system_u:object_r:boot_t:s0 /boot/efi
drwx------. root root system_u:object_r:boot_t:s0 /boot/grub
[user_at_emperor ~]$ sudo getfacl /boot/efi
getfacl: Removing leading '/' from absolute path names
# file: boot/efi
# owner: root
# group: root
user::rwx
group::---
other::---
[user_at_emperor ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_skerchi_sys-LVRoot1 7.9G 2.8G 4.8G 37% /
tmpfs 372M 228K 371M 1% /dev/shm
/dev/sda1 485M 35M 426M 8% /boot
/dev/mapper/vg_skerchi_sys-LVHome1 1008M 104M 853M 11% /home
Note that here ACLs are enabled on the filesystem, but none defined (there would be a "+"-sign instead of a "." after the rwx permissions). You can find out your own selinux context with id -Z. The context on /boot/efi can be corrected (if needed) with
# chcon -R --reference /boot /boot/efi
Hth,
Tony
On 11/07/14 17:56, Alessandro Vercelli wrote:
Hi Joe,
your error is due to oracle user permissions on filesystems.
Non-root users are permitted to run df against mounted filesystems, but they
must have execute permission on the parent directories of the mount.
In your case, oracle user is granted to run df against /boot filesystem but it needs execute on /boot/efi.
To correct the problem:
# chmod go+x /boot/efi
However, a better workaround is to add oracle user to the disk group
# usermod -aG disk oracle
in order that /boot/efi is not readable to all users.
Greetings,
Alessandro
----Original message----
From: JSweetser_at_icat.com
Date: 10/07/2014 19.17
To: "oracle-l (oracle-l_at_freelists.org)"<oracle-l_at_freelists.org>
Subject: OT: Linux df question
A bit of strangeness on a new server.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Systems team had the system up but could not get a 10gb ethernet card to
work. However, the output of df -h was normal when logged in as the oracle user.
They did something yesterday (new card at a minimum) and now the 10gb
interface works but the df command throws an error (though it does complete). This doesn't appear to be causing any issues but it does bug me a bit. I can't find much online about the error other than the grub file down that tree is needed for booting.
(oracle)
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda7 73G 5.5G 64G 8% /
tmpfs 95G 88K 95G 1% /dev/shm
/dev/sda2 200M 24M 176M 12% /boot
df: `/boot/efi': Permission denied
/dev/sda6 97G 22G 71G 24% /opt
/dev/sda3 842G 4.7G 794G 1% /u01
/dev/sda4 842G 58G 742G 8% /u02
/dev/sda8 837G 7.7G 787G 1% /u03
/dev/sdb1 2.8T 58G 2.6T 3% /u04
(root)
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda7 73G 5.5G 64G 8% /
tmpfs 95G 88K 95G 1% /dev/shm
/dev/sda2 200M 24M 176M 12% /boot
/dev/sda1 200M 256K 200M 1% /boot/efi
/dev/sda6 97G 22G 71G 24% /opt
/dev/sda3 842G 4.7G 794G 1% /u01
/dev/sda4 842G 58G 742G 8% /u02
/dev/sda8 837G 7.7G 787G 1% /u03
/dev/sdb1 2.8T 58G 2.6T 3% /u04
# ls -ld /boot
drwx------ 4 root root 16384 Dec 31 1969 /boot
# ls -ld /boot/efi
drwx------ 3 root root 16384 Dec 31 1969 /boot/efi
Any/all ideas/comments welcome.
Thanks,
-joe
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Jul 11 2014 - 16:53:29 CEST
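Added example, not part of any message in the thread: a POSIX shell helper that lists the ancestor directories of a mount point whose mode bits give no search (x) permission to "other" users, which is the parent-directory condition raised in the discussion above. It assumes GNU stat; the function names are hypothetical, and ACLs and SELinux contexts are not evaluated.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Mode bits only: ACLs and
# SELinux contexts are not evaluated. Assumes GNU stat (stat -c).

# Print every directory in the path prefix of $1, root first.
# The final component itself is excluded: resolving a path needs search
# permission on each directory leading to it, not on the target.
ancestors() {
    p=$1
    list=
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
        list="$p
$list"
    done
    printf '%s' "$list"
}

# Print each ancestor of $1 whose "other" class lacks the x (search) bit.
# A user who is neither the owner nor in the owning group cannot traverse
# such a directory, so stat/statfs on anything below it fails with EACCES.
blocking_ancestors() {
    ancestors "$1" | while IFS= read -r dir; do
        mode=$(stat -c '%a' "$dir" 2>/dev/null) || {
            printf '%s (cannot stat)\n' "$dir"
            continue
        }
        last=${mode#"${mode%?}"}        # last octal digit = "other" class
        case $last in
            0|2|4|6) printf '%s\n' "$dir" ;;   # x bit clear for "other"
        esac
    done
}

# Usage: sh this_script.sh /boot/efi
if [ "$#" -gt 0 ]; then
    blocking_ancestors "$1"
fi
```

Run `ls -ld` on any directory it prints to see the owner, group and full mode before deciding whether the restriction is intended.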