
Lustre client tolerates enforced SELinux.

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • Lustre 2.2.0, Lustre 2.1.3
    • Lustre 2.0.0, Lustre 2.1.0
    • None
    • 4843

    Description

      This issue impacts Lustre 2.x releases on RHEL 6. It is possible that the same issue exists with Lustre 1.x.

      The problem is that you cannot use a Lustre filesystem with SELinux enforced, even if your Lustre policies only apply to all other filesystems, but not Lustre!

      If you do so, accesses to Lustre directories will be denied in some cases. However, file accesses in the same directory are granted. There is no SELinux policy involved here. This kind of configuration is used in production on our Lustre 1.6/RHEL 5 systems without any issues.

      Here is a 2-line patch to have a common behavior on RHEL5/RHEL6.
      Note: It does not add real SELinux support for Lustre, but allows activating it for all other local filesystems without Lustre misbehaving.

      Steps to reproduce the issue:

      # setenforce Enforcing
      # cd /mnt/lustre
      # mkdir foo
      # cd foo
      # ls: Permission denied
      

          Activity

            [LU-857] Lustre client tolerates enforced SELinux.

            This patch adds a security_d_instantiate() call under dcache_lock, while the SELinux implementation of the LSM hook can sleep (calls mutex_lock, kmalloc, getxattr).

            BUG: spinlock wrong CPU on CPU#0, diff/5435 (Tainted: G        W  ----------------  )
             lock: ffffffff81a84780, .magic: dead4ead, .owner: diff/5435, .owner_cpu: 3
            Pid: 5435, comm: diff Tainted: G        W  ----------------   2.6.32-220.4.3.el6.x86_64 #10
            Call Trace:
             [<ffffffff8128a88a>] ? spin_bug+0xaa/0x100
             [<ffffffff8128a956>] ? _raw_spin_unlock+0x76/0xa0
             [<ffffffff8150739b>] ? _spin_unlock+0x2b/0x40
             [<ffffffffa0eab1d5>] ? ll_d_add+0x75/0x210 [lustre]
             [<ffffffff8150739b>] ? _spin_unlock+0x2b/0x40
             [<ffffffffa0eac602>] ? ll_lookup_it_finish+0x8f2/0xa60 [lustre]
             [<ffffffffa0eaa4ee>] ? ll_i2gids+0x2e/0xe0 [lustre]
             [<ffffffffa0eacb8e>] ? ll_lookup_it+0x41e/0xc00 [lustre]
             [<ffffffffa0eaa5a0>] ? ll_md_blocking_ast+0x0/0x620 [lustre]
             [<ffffffffa0ead5cf>] ? ll_lookup_nd+0x25f/0x3e0 [lustre]
             [<ffffffff8119993e>] ? d_alloc+0x17e/0x1f0
             [<ffffffff8118edac>] ? do_lookup+0x16c/0x1e0
             [<ffffffff8118f12d>] ? __link_path_walk+0x20d/0x1080
             [<ffffffff8119023a>] ? path_walk+0x6a/0xe0
             [<ffffffff8119040b>] ? do_path_lookup+0x5b/0xa0
             [<ffffffff81191077>] ? user_path_at+0x57/0xa0
             [<ffffffff811858c4>] ? cp_new_stat+0xe4/0x100
             [<ffffffff81185af6>] ? vfs_fstatat+0x46/0x80
             [<ffffffff81185c5b>] ? vfs_stat+0x1b/0x20
             [<ffffffff81185c84>] ? sys_newstat+0x24/0x50
             [<ffffffff810dcc22>] ? audit_syscall_entry+0x272/0x2a0
            
            panda Andrew Perepechko added a comment
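
The failure mode this comment describes, as an added user-space model (not Lustre or kernel code; every name in it is hypothetical): a task takes a spinlock on one CPU, blocks inside a hook, resumes on another CPU, and the owner check at unlock time fires, which is the `.owner_cpu: 3` versus `CPU#0` mismatch in the trace. The second function shows the ordering in which the blocking call finishes before the lock is taken.

```c
/* User-space model of the debug-spinlock owner check; all names hypothetical. */
#include <stdio.h>
struct model_lock { int owner_cpu; };
static int current_cpu = 3;   /* CPU the modelled task is running on */
static int atomic_depth;      /* > 0 while a spinlock is held */
static int sleeps_in_atomic;  /* blocking calls made with a lock held */

static void model_spin_lock(struct model_lock *l) {
    l->owner_cpu = current_cpu;
    atomic_depth++;
}

/* Returns -1 when the unlocking CPU is not the owner ("wrong CPU"). */
static int model_spin_unlock(struct model_lock *l) {
    int bad = (l->owner_cpu != current_cpu);
    l->owner_cpu = -1;
    atomic_depth--;
    return bad ? -1 : 0;
}

/* Hook that may block: after sleeping, the task may resume on wake_cpu. */
static void model_blocking_hook(int wake_cpu) {
    if (atomic_depth > 0)
        sleeps_in_atomic++;
    current_cpu = wake_cpu;
}

/* Ordering the comment describes: blocking hook called with the lock held. */
static int hook_under_lock(struct model_lock *l, int wake_cpu) {
    model_spin_lock(l);
    model_blocking_hook(wake_cpu);
    return model_spin_unlock(l);
}

/* Alternative ordering: finish the blocking work, then take the lock. */
static int hook_before_lock(struct model_lock *l, int wake_cpu) {
    model_blocking_hook(wake_cpu);
    model_spin_lock(l);
    return model_spin_unlock(l);
}

int main(void) {
    struct model_lock l = { -1 };
    int bad = hook_under_lock(&l, 0);  /* locks on CPU 3, wakes on CPU 0 */
    current_cpu = 3;                   /* reset for the second run */
    int ok = hook_before_lock(&l, 0);
    printf("under lock: %d, before lock: %d, sleeps in atomic: %d\n", bad, ok, sleeps_in_atomic);
    return 0;
}
```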

            patch landed for 2.2

            niu Niu Yawei (Inactive) added a comment

            Integrated in lustre-master » i686,client,el5,ofa #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            Integrated in lustre-master » i686,client,el5,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            Integrated in lustre-master » x86_64,server,el6,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            Integrated in lustre-master » i686,server,el5,ofa #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            Integrated in lustre-master » i686,server,el5,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            Integrated in lustre-master » x86_64,client,el6,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            Integrated in lustre-master » i686,server,el6,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            Integrated in lustre-master » x86_64,client,el5,ofa #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c
            hudson Build Master (Inactive) added a comment

            People

              niu Niu Yawei (Inactive)
              adegremont Aurelien Degremont (Inactive)