Type: Bug
Resolution: Unresolved
Priority: Major
Severity: 3
Environment: RHEL/Rocky 10.1
On RHEL 10.1 and its derivatives (confirmed on Rocky Linux 10.1), the selinux-policy package no longer defines the kernel_generic_helper_t SELinux type. The Linux kernel assigns this type to every process spawned via call_usermodehelper(), but with no policy rules backing it, all such processes are denied every permission and fail immediately.
Lustre relies on call_usermodehelper() for several helpers on both clients and servers. All of them are broken on RHEL/Rocky 10.1 with SELinux in enforcing mode.
This bug only manifests when SELinux is in enforcing mode. Permissive mode or disabled SELinux are unaffected since policy rules are not enforced.
—
Root Cause
The kernel_generic_helper_t type was fully defined in RHEL 9.7's selinux-policy-38.1.65 with broad permissions that covered all Lustre helpers and other usermode helpers (ZFS, etc.). When the policy was rewritten for RHEL 10.1 (selinux-policy-42.1.7), the type was dropped entirely.
Confirmed via seinfo -t kernel_generic_helper_t:
| Distro | selinux-policy version | kernel_generic_helper_t defined? |
|---|---|---|
| RHEL 9.7 | 38.1.65-1.el9_7.1 | Yes — fully defined with allow rules |
| RHEL 10.1 | 42.1.7-1.el10_1.2 | No — Types: 0 |
| Rocky 10.1 | 42.1.7-1.el10_1.2 | No — Types: 0 |
—
Steps to Reproduce
l_getsepol (client):
1. Install Lustre 2.17 client on RHEL/Rocky 10.1 with SELinux enforcing
2. echo -1 > /sys/module/ptlrpc/parameters/send_sepol
3. Mount a Lustre filesystem
4. Mount fails after ~30s; kernel log: sptlrpc_sepol: acquire for key 0 after 30: rc = -110
5. Audit log: avc: denied { create } for comm="l_getsepol" ... tclass=unix_dgram_socket permissive=0
lctl (client):
1. Set root_squash on MGS: lctl set_param -P mdt.<fsname>-MDT0000.root_squash=0:0
2. Mount from a RHEL/Rocky 10.1 client
3. Mount succeeds but root_squash is not applied; AVC denials in audit log
—
Workaround
Install a custom SELinux policy module on each affected node restoring the missing kernel_generic_helper_t rules. The full module (lustre_helpers.te) is attached. Install with:
checkmodule -M -m -o lustre_helpers.mod lustre_helpers.te
semodule_package -o lustre_helpers.pp -m lustre_helpers.mod
semodule -i lustre_helpers.pp
Confirmed working on RHEL 10.1 and Rocky 10.1.
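As an added diagnostic for this ticket (not code from the Lustre project or from selinux-policy), the script below turns the reproduction steps and the workaround check into something that can be run on a node: it decides from the output of getenforce and seinfo whether the node is exposed to this policy gap, and it counts enforced AVC denials for the helpers named above in audit records. The helper list (l_getsepol and lctl), the audit records and the seinfo output embedded in it are constructed from what the ticket quotes and are assumptions; with --live it queries the real node instead, which is also how to confirm that the lustre_helpers.pp module took effect (seinfo should report the type once the module declaring it is loaded, and the denial count should drop to zero after the next mount).

```shell
#!/bin/sh
# Added diagnostic for this ticket; not code from the Lustre project or from
# selinux-policy. The helper list, audit records and seinfo output embedded
# below are constructed for offline use from what the ticket quotes.

# Helpers the ticket says Lustre spawns through call_usermodehelper().
# Assumption: only these two are of interest; add site-specific ones here.
LUSTRE_HELPERS="l_getsepol lctl"

# Usage: helper_type_defined "$(seinfo -t kernel_generic_helper_t)"
# Returns 0 when the type exists in the loaded policy, 1 when seinfo
# reports "Types: 0" (the RHEL/Rocky 10.1 case) or produced no output.
helper_type_defined() {
    case $1 in
        *"Types: 0"*) return 1 ;;
        *kernel_generic_helper_t*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one audit record. Prints:
#   helper-enforced    AVC denial with permissive=0 for a listed helper
#   helper-permissive  the same denial, but only logged (permissive=1)
#   other              anything else (non-AVC records, other programs)
classify_avc_line() {
    line=$1
    case $line in
        *"avc: "*denied*) ;;
        *) echo other; return 0 ;;
    esac
    comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    matched=no
    for h in $LUSTRE_HELPERS; do
        if [ "$comm" = "$h" ]; then matched=yes; fi
    done
    if [ "$matched" = no ]; then
        echo other
    elif printf '%s\n' "$line" | grep -q 'permissive=0'; then
        echo helper-enforced
    else
        echo helper-permissive
    fi
}

# Count enforced Lustre-helper denials in audit records read from stdin.
count_helper_denials() {
    n=0
    while IFS= read -r rec; do
        if [ "$(classify_avc_line "$rec")" = helper-enforced ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Combine both checks for one node.
# $1 = output of getenforce, $2 = output of seinfo -t kernel_generic_helper_t
# Prints affected, policy-gap-not-enforced, or not-affected.
assess_node() {
    if helper_type_defined "$2"; then
        echo not-affected
    elif [ "$1" = Enforcing ]; then
        echo affected
    else
        echo policy-gap-not-enforced
    fi
}

# Constructed audit records modelled on the denial quoted in the ticket
# (pids, timestamps, the sshd record and the permissive=1 record are made up).
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { create } for  pid=4242 comm="l_getsepol" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read } for  pid=4243 comm="lctl" name="params" dev="proc" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { write } for  pid=901 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000002.000:459): avc:  denied  { create } for  pid=4244 comm="l_getsepol" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=unix_dgram_socket permissive=1
type=SYSCALL msg=audit(1700000002.000:459): arch=c000003e syscall=41 success=no exit=-13 comm="l_getsepol"'

# With --live, query the running node instead of the constructed data.
# Run as root; seinfo comes from setools-console, ausearch from audit.
if [ "${1:-}" = "--live" ]; then
    echo "node: $(assess_node "$(getenforce)" "$(seinfo -t kernel_generic_helper_t 2>/dev/null)")"
    echo "enforced Lustre helper denials in the last 10 minutes:" \
         "$(ausearch -m AVC -ts recent 2>/dev/null | count_helper_denials)"
else
    echo "sample node: $(assess_node Enforcing 'Types: 0')"
    echo "sample enforced helper denials: $(printf '%s\n' "$SAMPLE_AUDIT" | count_helper_denials)"
fi
```

Without arguments the script runs against its constructed data and reports the node as affected with two enforced helper denials (the sshd denial and the permissive=1 record are deliberately ignored). Run it with --live on each client and server before and after installing lustre_helpers.pp; a node that still reports "affected" after semodule -i has not loaded a module that declares the type, and any remaining non-zero denial count names a helper the module does not cover.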
—
Proper Fix
The fix belongs in the selinux-policy package for RHEL/Rocky 10.1 — restoring kernel_generic_helper_t with the permissions required by Lustre helpers (and other call_usermodehelper()-based programs). This should be reported to Red Hat Bugzilla and the upstream SELinux reference policy. Optionally, Lustre packaging could ship lustre_helpers.te as a distro-agnostic workaround for distributions with this policy gap.
—
Related
- LU-20045: l_getsepol policy version mismatch on RHEL/Rocky 10.1 — security_policyvers() returns 33 but only policy.35 on disk. Co-occurring but independent; fixed in branch fix-l-getsepol-rhel10-policy-ver.
- fedora-selinux/selinux-policy#1878: Same class of problem for ZFS on Fedora 38; fixed Oct 2023 by restoring kernel_generic_helper_t rules.