
Permission Denied on enforcing SElinux on Client

Details

    • Bug
    • Resolution: Duplicate
    • Minor
    • 1 Client node, 1 MDS node, 1 OSS node (with two OSTs)

    Description

      Enabled SELinux on Client node and tried running sanity.sh. Got the following output in terminal window:

      [root@eagle-52vm5 tests]# sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /selinux
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy version:                 24
      Policy from config file:        targeted
      [root@eagle-52vm5 tests]# ./auster -v -r -l sanity --only 1
      Started at Wed Nov 11 13:01:36 PST 2015
      eagle-52vm5: Permission denied.
      [root@eagle-52vm5 tests]# 
      

      Tests ran fine when SElinux was in disabled or permissive mode.

          Activity

            [LU-7417] Permission Denied on enforcing SElinux on Client

            standan Saurabh Tandan (Inactive) added a comment -

            Yes, I reckon you are correct. It appears it's trying to rsh from eagle-52vm5 to eagle-52vm5 according to /var/log/audit/audit.log

            type=USER_AUTH msg=audit(1447354166.507:1137): user pid=8070 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=success'
            type=USER_ACCT msg=audit(1447354166.518:1138): user pid=8070 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=success'
            type=CRED_ACQ msg=audit(1447354166.521:1139): user pid=8070 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=success'
            type=LOGIN msg=audit(1447354166.524:1140): pid=8070 uid=0 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=172
            type=AVC msg=audit(1447354166.524:1141): avc:  denied  { setrlimit } for  pid=8070 comm="in.rshd" scontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=process
            type=SYSCALL msg=audit(1447354166.524:1141): arch=c000003e syscall=160 success=no exit=-13 a0=8 a1=7fff309dc7a0 a2=0 a3=26 items=0 ppid=1558 pid=8070 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=172 comm="in.rshd" exe="/usr/sbin/in.rshd" subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 key=(null)
            type=USER_START msg=audit(1447354166.525:1142): user pid=8070 uid=0 auid=0 ses=172 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=failed'
            type=USER_LOGIN msg=audit(1447354166.527:1143): user pid=8070 uid=0 auid=0 ses=172 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=failed'
            type=USER_ACCT msg=audit(1447354201.227:1144): user pid=8075 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
            type=CRED_ACQ msg=audit(1447354201.227:1145): user pid=8075 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
            type=LOGIN msg=audit(1447354201.236:1146): pid=8075 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=173
            type=USER_START msg=audit(1447354201.246:1147): user pid=8075 uid=0 auid=0 ses=173 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
            type=CRED_DISP msg=audit(1447354201.349:1148): user pid=8075 uid=0 auid=0 ses=173 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
            type=USER_END msg=audit(1447354201.350:1149): user pid=8075 uid=0 auid=0 ses=173 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

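An added example, not part of the original comment: a small parser that joins each AVC denial in an audit log with the SYSCALL record sharing its event ID and decodes the failed call. The function name `explain_denials` and the lookup tables are assumptions of this example; the tables hold x86_64 Linux values and cover only what this log needs, and the sample records are constructed by trimming the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: three records shaped like those quoted above, fields trimmed.
SAMPLE = """\
type=LOGIN msg=audit(1447354166.524:1140): pid=8070 uid=0 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0
type=AVC msg=audit(1447354166.524:1141): avc:  denied  { setrlimit } for  pid=8070 comm="in.rshd" scontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1447354166.524:1141): arch=c000003e syscall=160 success=no exit=-13 a0=8 a1=7fff309dc7a0 a2=0 a3=26 items=0 ppid=1558 pid=8070 comm="in.rshd" exe="/usr/sbin/in.rshd"
"""

# x86_64 Linux values (arch=c000003e), limited to what this log needs.
SYSCALLS = {160: "setrlimit"}
ERRNOS = {13: "EACCES"}
RLIMITS = {7: "RLIMIT_NOFILE", 8: "RLIMIT_MEMLOCK"}

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \} for\s+(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Parse key=value pairs, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(text)}

def explain_denials(log_text):
    """Join each AVC denial with the SYSCALL record of the same audit event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # records of one event share the timestamp:serial pair
            events[f"{m.group(2)}:{m.group(3)}"][m.group(1)] = m.group(4)
    findings = []
    for event_id, recs in events.items():
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue  # event carries no denial
        a, s = fields(avc.group(2)), fields(recs.get("SYSCALL", ""))
        name = SYSCALLS.get(int(s.get("syscall", -1)), "unknown")
        finding = {"event": event_id, "domain": a["scontext"].split(":")[2],
                   "perms": avc.group(1).split(), "tclass": a["tclass"],
                   "syscall": name,
                   "errno": ERRNOS.get(-int(s.get("exit", 0)), "unknown")}
        if name == "setrlimit" and "a0" in s:  # a0 = resource argument, logged in hex
            finding["resource"] = RLIMITS.get(int(s["a0"], 16), s["a0"])
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in explain_denials(SAMPLE):
        print(finding)
```

For the records above this reports a `setrlimit` call on `RLIMIT_MEMLOCK` refused with `EACCES` in the `rshd_t` domain, which lines up with the pam_limits 'memlock' message in the /var/log/secure excerpt elsewhere in this thread.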
            jhammond John Hammond added a comment -

            Does ssh work between the nodes? You could configure pdsh to use that.

            Otherwise, what do you see in /var/log/audit/audit.log on the remote host when you try to rsh? (It looks like you are rsh-ing from eagle-52vm5 to eagle-52vm5.)

            standan Saurabh Tandan (Inactive) added a comment - - edited

            /var/log/messages shows the following:

            Nov 11 13:11:40 eagle-52vm5 xinetd[1558]: START: shell pid=2526 from=::ffff:10.100.4.186
            Nov 11 13:11:40 eagle-52vm5 rshd[2526]: rsh denied to root@eagle-52vm5.eagle.hpdd.intel.com as root: Permission denied.
            Nov 11 13:11:40 eagle-52vm5 rshd[2526]: rsh command was '(PATH=$PATH:/usr/lib64/lustre/utils:/usr/lib64/lustre/tests:/sbin:/usr/sbin; cd /usr/lib64/lustre/tests; LUSTRE="/usr/lib64/lustre"  VERBOSE=false FSTYPE=ldiskfs NETTYPE=tcp sh -c "PATH=/usr/lib64/lustre/tests:/usr/lib/lustre/tests:/usr/lib64/lustre/tests:/usr/lib64/lustre/tests/mpi:/usr/lib64/lustre/tests/racer:/usr/lib64/lustre/../lustre-iokit/sgpdd-survey:/usr/lib64/lustre/tests:/usr/lib64/lustre/utils/gss:/usr/lib64/lustre/utils:/usr/lib64/qt-3.3/bin:/usr/lib64/openmpi/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin::/sbin:/bin:/usr/sbin: NAME=local sh rpc.sh check_config_client /mnt/lustre ");echo XXRETCODE:$?'
            Nov 11 13:11:40 eagle-52vm5 xinetd[1558]: EXIT: shell status=1 pid=2526 duration=0(sec)
            [root@eagle-52vm5 tests]# 
            
            

            /var/log/secure shows:

            Nov 11 13:11:40 eagle-52vm5 rshd[2526]: pam_rhosts(rsh:auth): allowed access to root@eagle-52vm5.eagle.hpdd.intel.com as root
            Nov 11 13:11:40 eagle-52vm5 rshd[2526]: pam_limits(rsh:session): Could not set limit for 'memlock': Permission denied
            Nov 11 13:11:40 eagle-52vm5 rshd[2526]: pam_unix(rsh:session): session opened for user root by (uid=0)
            
            
            jhammond John Hammond added a comment -

            Also please figure out what's printing 'Permission denied'? And from exactly which lines in auster/test-framework/sanity/...?

            jhammond John Hammond added a comment -

            What are they?

            standan Saurabh Tandan (Inactive) added a comment - - edited

            John, I checked the SELinux contexts on /root/.ssh and /root/.ssh/*, it looks good to me.
            They are as follows:

            [root@eagle-52vm5 tests]# ls -dZ /root/.ssh/
            drwx------. root root system_u:object_r:ssh_home_t:s0  /root/.ssh/
            [root@eagle-52vm5 tests]# ls -Z /root/.ssh/
            -rw-r--r--. root root system_u:object_r:ssh_home_t:s0  authorized_keys
            -rw-r--r--. root root system_u:object_r:ssh_home_t:s0  known_hosts
            
            jhammond John Hammond added a comment -

            Have you checked that the SELinux contexts are correct on /root/.ssh and /root/.ssh/*?


            People

              standan Saurabh Tandan (Inactive)
              standan Saurabh Tandan (Inactive)