
Lustre client tolerates enforced SELinux.

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • Lustre 2.2.0, Lustre 2.1.3
    • Lustre 2.0.0, Lustre 2.1.0
    • None
    • 4843

    Description

      This issue impacts Lustre 2.x releases on RHEL 6. It is possible that the same issue exists with Lustre 1.x.

      The problem is that you cannot use a Lustre filesystem with SELinux enforced, even if your Lustre policies only apply to all other filesystems, but not Lustre!

      If you do so, accesses to Lustre directories will be denied in some cases. However, file accesses in the same directory are granted. There is no SELinux policy involved here. This kind of configuration is used in production on our Lustre 1.6/RHEL 5 systems without any issues.

      Here is a 2-line patch to have a common behavior on RHEL5/RHEL6.
      Note: It does not add real SELinux support for Lustre, but it allows SELinux to be activated for all other local filesystems without Lustre misbehaving.

      Steps to reproduce the issue:

      # setenforce Enforcing
      # cd /mnt/lustre
      # mkdir foo
      # cd foo
      # ls: Permission denied
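
The reproduction steps above, turned into a repeatable check that compares directory access with file access in the same parent directory. This is an added example, not part of the original ticket or the Lustre tree; the function names `selinux_mode` and `check_dir_access` and the scratch names `lu857-check.*` and `lu857-probe.*` are hypothetical.

```shell
#!/bin/sh
# Added example: regression check for the symptom described in this ticket.
# Usage: sh lu857-check.sh /mnt/lustre

# Print the current SELinux mode, or "unknown" where getenforce is absent.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Create a scratch directory and a probe file under $1, then test both.
# Prints one of: ok | dir-denied | file-denied | setup-failed
check_dir_access() {
    base=$1
    scratch="$base/lu857-check.$$"   # hypothetical scratch directory name
    probe="$base/lu857-probe.$$"     # hypothetical probe file name
    result=ok

    mkdir "$scratch" 2>/dev/null || { echo setup-failed; return 2; }

    # File access in the same directory: the ticket says this is still granted.
    if ! ( echo probe > "$probe" && cat "$probe" >/dev/null ) 2>/dev/null; then
        result=file-denied
    fi
    # Directory access: the step that fails in the ticket (cd foo; ls).
    if ! ( cd "$scratch" && ls >/dev/null ) 2>/dev/null; then
        result=dir-denied
    fi

    rm -f "$probe"
    rmdir "$scratch" 2>/dev/null || true
    echo "$result"
    [ "$result" = ok ]
}

# Run only when a mount point is given on the command line.
if [ -n "${1:-}" ]; then
    echo "SELinux mode: $(selinux_mode)"
    check_dir_access "$1"
fi
```

A `dir-denied` result while SELinux is enforcing matches the behavior reported here; `ok` in both permissive and enforcing modes is what a fixed client should give.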
      

          Activity

            [LU-857] Lustre client tolerates enforced SELinux.

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » i686,server,el6,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » x86_64,client,el5,ofa #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » x86_64,client,ubuntu1004,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » x86_64,server,el5,ofa #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » x86_64,client,sles11,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » i686,client,el6,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » x86_64,server,el5,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            hudson Build Master (Inactive) added a comment:

            Integrated in lustre-master » x86_64,client,el5,inkernel #360
            LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)

            Result = SUCCESS
            Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
            Files :

            • lustre/llite/namei.c

            niu Niu Yawei (Inactive) added a comment:

            Thank you, Aurelien. I've added reviewers in the gerrit.

            adegremont Aurelien Degremont (Inactive) added a comment:

            Hi

            To test it, I set up a simple test environment with 2 nodes: 1 for servers, 1 for client.
            With Lustre, SELinux is OK on the client, but absolutely not on servers.

            Something like

            NAME=ncli REFORMAT=: RCLIENTS="foo2" sh ./llmount.sh

            should do the trick.

            Set SELinux in permissive mode on your RHEL6 client (/etc/sysconfig/selinux). You change to permissive/enforced using setenforce.
            Leave SELinux disabled on your server node.

            niu Niu Yawei (Inactive) added a comment:

            Hi Aurelien

            I'm wondering how to test this patch. In my local environment, I can't even mount lustre on loop devices with selinux enabled (in permissive mode). Could you show me how to mount lustre in permissive mode? Thank you.

            People

              niu Niu Yawei (Inactive)
              adegremont Aurelien Degremont (Inactive)