Patch for review:
http://review.whamcloud.com/#change,1703
Niu
Could you please review the supplied patch?
Thanks
Peter
Hi Aurelien
I'm wondering how to test this patch. In my local environment, I can't even mount lustre on loop devices with selinux enabled (in permissive mode), could you show me how to mount lustre in permissive mode? Thank you.
Hi
To test it, I setup a simple test environment with 2 nodes. 1 for servers, 1 for client.
With Lustre, SELinux is ok on Client, but absolutely not on Servers.
Something like
NAME=ncli REFORMAT=: RCLIENTS="foo2" sh ./llmount.sh
Should do the trick
Set SELinux in permissive mode on your RHEL6 client (/etc/sysconfig/selinux). You change to permissive/enforced using setenforce
Let SELinux disabled on your server node.
Thank you, Aurelien. I've added reviewers in the gerrit.
Integrated in 
lustre-master » x86_64,client,el5,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » x86_64,server,el5,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » i686,client,el6,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » x86_64,client,sles11,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » x86_64,server,el5,ofa #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » x86_64,client,ubuntu1004,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » x86_64,client,el5,ofa #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » i686,server,el6,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » x86_64,client,el6,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » i686,server,el5,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » i686,server,el5,ofa #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » x86_64,server,el6,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » i686,client,el5,inkernel #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
Integrated in lustre-master » i686,client,el5,ofa #360
LU-857 security: Lustre client tolerates enforced SELinux. (Revision bf977ae5a02765f86b1920ae207cc1fe328011cb)
Result = SUCCESS
Oleg Drokin : bf977ae5a02765f86b1920ae207cc1fe328011cb
Files :
- lustre/llite/namei.c
patch landed for 2.2
This patch adds a security_d_instantiate() call under dcache_lock, while Selinux implementation of the LSM hook can sleep (calls mutex_lock, kmalloc, getxattr).
BUG: spinlock wrong CPU on CPU#0, diff/5435 (Tainted: G W ---------------- ) lock: ffffffff81a84780, .magic: dead4ead, .owner: diff/5435, .owner_cpu: 3 Pid: 5435, comm: diff Tainted: G W ---------------- 2.6.32-220.4.3.el6.x86_64 #10 Call Trace: [<ffffffff8128a88a>] ? spin_bug+0xaa/0x100 [<ffffffff8128a956>] ? _raw_spin_unlock+0x76/0xa0 [<ffffffff8150739b>] ? _spin_unlock+0x2b/0x40 [<ffffffffa0eab1d5>] ? ll_d_add+0x75/0x210 [lustre] [<ffffffff8150739b>] ? _spin_unlock+0x2b/0x40 [<ffffffffa0eac602>] ? ll_lookup_it_finish+0x8f2/0xa60 [lustre] [<ffffffffa0eaa4ee>] ? ll_i2gids+0x2e/0xe0 [lustre] [<ffffffffa0eacb8e>] ? ll_lookup_it+0x41e/0xc00 [lustre] [<ffffffffa0eaa5a0>] ? ll_md_blocking_ast+0x0/0x620 [lustre] [<ffffffffa0ead5cf>] ? ll_lookup_nd+0x25f/0x3e0 [lustre] [<ffffffff8119993e>] ? d_alloc+0x17e/0x1f0 [<ffffffff8118edac>] ? do_lookup+0x16c/0x1e0 [<ffffffff8118f12d>] ? __link_path_walk+0x20d/0x1080 [<ffffffff8119023a>] ? path_walk+0x6a/0xe0 [<ffffffff8119040b>] ? do_path_lookup+0x5b/0xa0 [<ffffffff81191077>] ? user_path_at+0x57/0xa0 [<ffffffff811858c4>] ? cp_new_stat+0xe4/0x100 [<ffffffff81185af6>] ? vfs_fstatat+0x46/0x80 [<ffffffff81185c5b>] ? vfs_stat+0x1b/0x20 [<ffffffff81185c84>] ? sys_newstat+0x24/0x50 [<ffffffff810dcc22>] ? audit_syscall_entry+0x272/0x2a0