[LU-7417] Permission Denied on enforcing SElinux on Client
Created: 11/Nov/15 Updated: 13/Nov/15 Resolved: 13/Nov/15 |
|
| Status: | Closed |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor |
| Reporter: | Saurabh Tandan (Inactive) | Assignee: | Saurabh Tandan (Inactive) |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None | ||
| Environment: |
1 Client node, 1 MDS node, 1 OSS node (with two OSTs) |
||
| Severity: | 3 |
| Description |
|
Enabled SELinux on Client node and tried running sanity.sh. Got the following output in terminal window:

[root@eagle-52vm5 tests]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
[root@eagle-52vm5 tests]# ./auster -v -r -l sanity --only 1
Started at Wed Nov 11 13:01:36 PST 2015
eagle-52vm5: Permission denied.
[root@eagle-52vm5 tests]#

Tests ran fine when SELinux was in disabled or permissive mode. |
| Comments |
| Comment by John Hammond [ 11/Nov/15 ] |
|
Have you checked that the SELinux contexts are correct on /root/.ssh and /root/.ssh/*? |
| Comment by Saurabh Tandan (Inactive) [ 11/Nov/15 ] |
|
John, I checked the SELinux contexts on /root/.ssh and /root/.ssh/*, it looks good to me.

[root@eagle-52vm5 tests]# ls -dZ /root/.ssh/
drwx------. root root system_u:object_r:ssh_home_t:s0 /root/.ssh/
[root@eagle-52vm5 tests]# ls -Z /root/.ssh/
-rw-r--r--. root root system_u:object_r:ssh_home_t:s0 authorized_keys
-rw-r--r--. root root system_u:object_r:ssh_home_t:s0 known_hosts |
| Comment by John Hammond [ 11/Nov/15 ] |
|
What are they? |
| Comment by John Hammond [ 11/Nov/15 ] |
|
Also please figure out what's printing 'Permission denied'? And from exactly which lines in auster/test-framework/sanity/...? |
| Comment by Saurabh Tandan (Inactive) [ 11/Nov/15 ] |
|
/var/log/messages shows the following:

Nov 11 13:11:40 eagle-52vm5 xinetd[1558]: START: shell pid=2526 from=::ffff:10.100.4.186
Nov 11 13:11:40 eagle-52vm5 rshd[2526]: rsh denied to root@eagle-52vm5.eagle.hpdd.intel.com as root: Permission denied.
Nov 11 13:11:40 eagle-52vm5 rshd[2526]: rsh command was '(PATH=$PATH:/usr/lib64/lustre/utils:/usr/lib64/lustre/tests:/sbin:/usr/sbin; cd /usr/lib64/lustre/tests; LUSTRE="/usr/lib64/lustre" VERBOSE=false FSTYPE=ldiskfs NETTYPE=tcp sh -c "PATH=/usr/lib64/lustre/tests:/usr/lib/lustre/tests:/usr/lib64/lustre/tests:/usr/lib64/lustre/tests/mpi:/usr/lib64/lustre/tests/racer:/usr/lib64/lustre/../lustre-iokit/sgpdd-survey:/usr/lib64/lustre/tests:/usr/lib64/lustre/utils/gss:/usr/lib64/lustre/utils:/usr/lib64/qt-3.3/bin:/usr/lib64/openmpi/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin::/sbin:/bin:/usr/sbin: NAME=local sh rpc.sh check_config_client /mnt/lustre ");echo XXRETCODE:$?'
Nov 11 13:11:40 eagle-52vm5 xinetd[1558]: EXIT: shell status=1 pid=2526 duration=0(sec)
[root@eagle-52vm5 tests]#

/var/log/secure shows:

Nov 11 13:11:40 eagle-52vm5 rshd[2526]: pam_rhosts(rsh:auth): allowed access to root@eagle-52vm5.eagle.hpdd.intel.com as root
Nov 11 13:11:40 eagle-52vm5 rshd[2526]: pam_limits(rsh:session): Could not set limit for 'memlock': Permission denied
Nov 11 13:11:40 eagle-52vm5 rshd[2526]: pam_unix(rsh:session): session opened for user root by (uid=0) |
| Comment by John Hammond [ 12/Nov/15 ] |
|
Does ssh work between the nodes? You could configure pdsh to use that. Otherwise, what do you see in /var/log/audit/audit.log on the remote host when you try to rsh? (It looks like you are rsh-ing from eagle-52vm5 to eagle-52vm5.) |
| Comment by Saurabh Tandan (Inactive) [ 12/Nov/15 ] |
|
Yes, I reckon you are correct. It appears it's trying to rsh from eagle-52vm5 to eagle-52vm5 according to /var/log/audit/audit.log

type=USER_AUTH msg=audit(1447354166.507:1137): user pid=8070 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=success'
type=USER_ACCT msg=audit(1447354166.518:1138): user pid=8070 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=success'
type=CRED_ACQ msg=audit(1447354166.521:1139): user pid=8070 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=success'
type=LOGIN msg=audit(1447354166.524:1140): pid=8070 uid=0 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=172
type=AVC msg=audit(1447354166.524:1141): avc: denied { setrlimit } for pid=8070 comm="in.rshd" scontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1447354166.524:1141): arch=c000003e syscall=160 success=no exit=-13 a0=8 a1=7fff309dc7a0 a2=0 a3=26 items=0 ppid=1558 pid=8070 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=172 comm="in.rshd" exe="/usr/sbin/in.rshd" subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1447354166.525:1142): user pid=8070 uid=0 auid=0 ses=172 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=failed'
type=USER_LOGIN msg=audit(1447354166.527:1143): user pid=8070 uid=0 auid=0 ses=172 subj=system_u:system_r:rshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/in.rshd" hostname=eagle-52vm5.eagle.hpdd.intel.com addr=10.100.4.186 terminal=rsh res=failed'
type=USER_ACCT msg=audit(1447354201.227:1144): user pid=8075 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1447354201.227:1145): user pid=8075 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1447354201.236:1146): pid=8075 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=173
type=USER_START msg=audit(1447354201.246:1147): user pid=8075 uid=0 auid=0 ses=173 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1447354201.349:1148): user pid=8075 uid=0 auid=0 ses=173 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1447354201.350:1149): user pid=8075 uid=0 auid=0 ses=173 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
|
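Added example (not part of the original ticket): the audit.log excerpt above can be read mechanically by joining each AVC denial to the SYSCALL record with the same event serial and to failed PAM records for the same pid. The sample lines are trimmed from that excerpt; the function names and the `RLIMITS` table are this example's own, and syscall 160 is decoded as setrlimit for x86_64 (arch=c000003e) only.

```python
import errno
import re

# Trimmed from the audit.log excerpt in the thread; the crond line is a control.
SAMPLE = """\
type=AVC msg=audit(1447354166.524:1141): avc: denied { setrlimit } for pid=8070 comm="in.rshd" scontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1447354166.524:1141): arch=c000003e syscall=160 success=no exit=-13 a0=8 a1=7fff309dc7a0 pid=8070 comm="in.rshd" exe="/usr/sbin/in.rshd"
type=USER_START msg=audit(1447354166.525:1142): user pid=8070 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/in.rshd" terminal=rsh res=failed'
type=USER_START msg=audit(1447354201.246:1147): user pid=8075 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
"""

RECORD = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)")
AVC = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}.*?\bpid=(\d+) comm=\"([^\"]+)\""
                 r".*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
# Linux resource numbers (asm-generic/resource.h); only a few common ones listed.
RLIMITS = {6: "RLIMIT_NPROC", 7: "RLIMIT_NOFILE", 8: "RLIMIT_MEMLOCK"}
SETRLIMIT_X86_64 = 160  # syscall number when arch=c000003e

def field(body, name):
    m = re.search(rf"\b{name}=(\S+)", body)
    return m.group(1).strip("'\"") if m else None

def explain_denials(log_text):
    """Join each AVC denial to its SYSCALL record (same serial) and to
    failed PAM operations logged for the same pid."""
    records = [m.groups() for m in map(RECORD.match, log_text.splitlines()) if m]
    findings = []
    for rtype, serial, body in records:
        avc = AVC.search(body) if rtype == "AVC" else None
        if not avc:
            continue
        perms, pid, comm, scontext, tcontext, tclass = avc.groups()
        hit = {"perms": perms.split(), "pid": pid, "comm": comm,
               "domain": scontext.split(":")[2], "tclass": tclass,
               "errno": None, "rlimit": None, "failed_pam_ops": []}
        for t, s, b in records:
            if t == "SYSCALL" and s == serial:
                hit["errno"] = errno.errorcode.get(-int(field(b, "exit")))
                if field(b, "syscall") == str(SETRLIMIT_X86_64):
                    hit["rlimit"] = RLIMITS.get(int(field(b, "a0"), 16))
            elif field(b, "pid") == pid and field(b, "res") == "failed":
                hit["failed_pam_ops"].append(field(b, "op"))
        findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in explain_denials(SAMPLE):
        print(f)
```

On the thread's records this reports a `setrlimit` denial in the `rshd_t` domain, EACCES on RLIMIT_MEMLOCK, and the failed `PAM:session_open`, which lines up with the pam_limits 'memlock' message in /var/log/secure.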
| Comment by Saurabh Tandan (Inactive) [ 13/Nov/15 ] |
|
TEI-4187 |