[LU-14199] sanity-selinux test 21a fails with 'client mount without sending sepol should be refused'
Created: 08/Dec/20  Updated: 24/Mar/23  Resolved: 14/Dec/20

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.14.0
Fix Version/s: Lustre 2.14.0

Type: Bug
Priority: Minor
Reporter: James Nunez (Inactive)
Assignee: Sebastien Buisson
Resolution: Fixed
Votes: 0
Labels: rhel8.3, security
Environment: RHEL8.3 client/server

Severity: 3
Rank (Obsolete): 9223372036854775807

 Description   

sanity-selinux test_21a fails for RHEL 8.3 client/server testing in review-dne-selinux.

Looking at the logs for the failure at https://testing.whamcloud.com/test_sets/75526e78-6eda-4900-995c-b361935c3e9f , the suite_log shows the test output

CMD: trevis-200vm4 /usr/sbin/lctl set_param -P nodemap.c0.sepol=
On mds4, c0.sepol = 
On mds3, c0.sepol = 
On mds2, c0.sepol = 
On mds1, c0.sepol = 
Starting client: trevis-200vm1.trevis.whamcloud.com:  -o user_xattr,flock trevis-200vm4@tcp:/lustre /mnt/lustre
CMD: trevis-200vm1.trevis.whamcloud.com mkdir -p /mnt/lustre
CMD: trevis-200vm1.trevis.whamcloud.com mount -t lustre -o user_xattr,flock trevis-200vm4@tcp:/lustre /mnt/lustre
 sanity-selinux test_21a: @@@@@@ FAIL: client mount without sending sepol should be refused 
  Trace dump:
  = /usr/lib64/lustre/tests/test-framework.sh:6257:error()
  = /usr/lib64/lustre/tests/sanity-selinux.sh:604:test_21a()

Sebastien took a look at this and had the following comments:
It comes from the following command in the test script:

do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol"

and the sepol variable is obtained from:

sepol=$(l_getsepol | cut -d':' -f2- | xargs)

On my RHEL 8.2 test system it goes like this:

# l_getsepol | cut -d':' -f2- | xargs
1:targeted:31:309ea33f4ea67b3baf7354d797d41a5330eb7c7653e66bcc928ea62268b7aa08

so the test is expected to set a non-empty value for the sepol parameter on the nodemap, and the fact that it fails breaks the rest of the test. So it seems there is a problem with this command in RHEL 8.3.

In addition, we see sanity-selinux test 21b fail in the same way with

CMD: trevis-200vm4 /usr/sbin/lctl set_param -P nodemap.c0.sepol=
On mds4, c0.sepol = 
On mds3, c0.sepol = 
On mds2, c0.sepol = 
On mds1, c0.sepol = 
 sanity-selinux test_21b: @@@@@@ FAIL: touch (1) 
  Trace dump:
  = /usr/lib64/lustre/tests/test-framework.sh:6257:error()
  = /usr/lib64/lustre/tests/sanity-selinux.sh:688:test_21b()
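
The failure above starts with an empty value from the l_getsepol pipeline being written to nodemap.c0.sepol, and a guard in front of the set_param call would stop at that point instead. This is an added example, not part of the ticket, the Lustre test suite or the patch; the function names, the "info" prefix in the sample lines and the field layout (mode, policy name, policy version, hex hash, inferred from the sample value above) are assumptions.

```shell
#!/bin/bash
# Added example. Assumed field layout, inferred from the sample value above:
#   <mode 0|1>:<policy name>:<policy version>:<hex hash>

# Same extraction pipeline as the test script, fed one line of text
# instead of live l_getsepol output.
extract_sepol() {
	printf '%s\n' "$1" | cut -d':' -f2- | xargs
}

# Return 0 only for a complete, well-formed sepol string.
sepol_is_valid() {
	local mode name version hash extra
	[ -n "$1" ] || return 1
	IFS=: read -r mode name version hash extra <<EOF
$1
EOF
	[ -z "$extra" ] || return 1
	case $mode in 0|1) ;; *) return 1 ;; esac
	case $name in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
	case $version in ''|*[!0-9]*) return 1 ;; esac
	case $hash in ''|*[!0-9a-f]*) return 1 ;; esac
	return 0
}

# Print the value to store, or fail instead of storing an empty or
# truncated one (with an empty sepol, the mount in test_21a was not refused).
checked_sepol() {
	local sepol
	sepol=$(extract_sepol "$1")
	if ! sepol_is_valid "$sepol"; then
		echo "refusing to set nodemap sepol: got '$sepol'" >&2
		return 1
	fi
	printf '%s\n' "$sepol"
}

# Constructed sample lines; the "info" prefix is a placeholder.
GOOD_LINE='info: 1:targeted:31:309ea33f4ea67b3baf7354d797d41a5330eb7c7653e66bcc928ea62268b7aa08'
EMPTY_LINE=''   # pipeline input when l_getsepol yields nothing usable
# Constructed malformed case: policy version field missing.
NO_VERSION_LINE='info: 1:targeted::309ea33f4ea67b3baf7354d797d41a5330eb7c7653e66bcc928ea62268b7aa08'
```

In a test script the result of checked_sepol would be captured into the sepol variable, and a non-zero return would abort the test before the nodemap is touched.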


 Comments   
Comment by Sebastien Buisson [ 08/Dec/20 ]

I will look into this. Thanks for documenting this issue, James.

Comment by Gerrit Updater [ 09/Dec/20 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/40918
Subject: LU-14199 sec: find policy version in use for sepol
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: e6e8034c05503773274ababc0b2399b9dd80f5f5

Comment by Sebastien Buisson [ 10/Dec/20 ]

James,

I managed to have review-dne-selinux passing on RHEL 8.3 clients with patch #40918:
https://testing.whamcloud.com/test_sessions/31d8395b-3a26-49b2-92c9-52efdded3733

So it should be fixed now.

Comment by Gerrit Updater [ 14/Dec/20 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/40918/
Subject: LU-14199 sec: find policy version in use for sepol
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: e39d6451efb1d05ce7bb62eb0a91aebe7af302d9

Comment by Peter Jones [ 14/Dec/20 ]

Landed for 2.14

Comment by Gerrit Updater [ 24/Mar/23 ]

"Etienne AUJAMES <eaujames@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/50402
Subject: LU-14199 sec: find policy version in use for sepol
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: 543051b621826ee118fb678a33bfe9b14c59a002
