[LU-8659] sanity-selinux test_20a: test_20 passing even when localhost returning Permission Denied Created: 30/Sep/16  Updated: 20/May/17  Resolved: 20/May/17

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.9.0
Fix Version/s: Lustre 2.10.0

Type: Bug Priority: Major
Reporter: Maloo Assignee: Sebastien Buisson (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Environment:

master


Severity: 3
Rank (Obsolete): 9223372036854775807

Description

This issue was created by maloo for Saurabh Tandan <saurabh.tandan@intel.com>

This issue relates to the following test suite run: https://testing.hpdd.intel.com/test_sets/b0261008-85e9-11e6-a8b7-5254006e85c2.

The sub-test test_20a failed with the following error:

localhost: ssh exited with exit code 255

Test_logs:

== sanity-selinux test 20a: [atomicity] concurrent access from another client (file) ================= 02:04:40 (1475114680)
CMD: trevis-66vm1.trevis.hpdd.intel.com /usr/sbin/lctl set_param fail_val=20 fail_loc=0x1409
fail_val=20
fail_loc=0x1409
localhost: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
localhost: Permission denied, please try again.
localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
ls: cannot access /mnt/lustre/df20a: No such file or directory
Resetting fail_loc on all nodes...CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 lctl set_param -n fail_loc=0 	    fail_val=0 2>/dev/null
done.
CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 rc=0;
val=\$(/usr/sbin/lctl get_param -n catastrophe 2>&1);
if [[ \$? -eq 0 && \$val -ne 0 ]]; then
	echo \$(hostname -s): \$val;
	rc=\$val;
fi;
exit \$rc
CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 dmesg

test_20 is passing even when localhost is returning Permission denied.



Comments
Comment by James Nunez (Inactive) [ 03/Oct/16 ]

Similar failures for tests 3 and 4 at https://testing.hpdd.intel.com/test_sets/420ef8f0-897c-11e6-a9b0-5254006e85c2

== sanity-selinux test 3: access with unconfined user ================================================ 15:11:56 (1475507516)
sanityusr mapped as unconfined_u: touch /mnt/lustre/df3
localhost: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
localhost: Permission denied, please try again.
localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
 sanity-selinux test_3: @@@@@@ FAIL: can't touch /mnt/lustre/df3 
== sanity-selinux test 4: access with specific SELinux user ========================================== 15:12:08 (1475507528)
sanityusr mapped as guest_u: touch /mnt/lustre/df4
localhost: Permission denied, please try again.
localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
sanityusr mapped as user_u: touch /mnt/lustre/df4
localhost: Permission denied, please try again.
localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
 sanity-selinux test_4: @@@@@@ FAIL: can't touch /mnt/lustre/df4 
Comment by Andreas Dilger [ 04/Oct/16 ]

Sebastien, I see that the failing test is using $PDSH ${uname}@localhost "touch $filename" & to run the command on the local file. Is $PDSH (ssh) used to initialize the security context for $uname, instead of just using $RUNAS directly? Would "su - $uname touch $filename" or similar work without the need to allow passwordless ssh for $uname?

On a related note, it would be useful to set $RUNAS_USER in lustre/tests/cfg/local.sh and as a fallback in test-framework.sh::init_test_env() if it is not set, instead of fetching it repeatedly in the test:

init_test_env() {
        RUNAS_USER=${RUNAS_USER:-$(getent passwd $RUNAS_ID | cut -d: -f1)}
}
Comment by John Hammond [ 07/Oct/16 ]

Using su - USER keeps the original security context.

Comment by John Hammond [ 07/Oct/16 ]

There are utilities runcon and newrole which we should try to use here (see https://linux.die.net/man/1/newrole and https://linux.die.net/man/1/runcon).

Comment by Sebastien Buisson (Inactive) [ 25/Nov/16 ]

Hi,

I think I figured out how to replace 'ssh user@localhost' with 'runas runcon'.
The thing is it requires that the SELinux policy allows transitions from unconfined_t to user_t and guest_t:
#============= unconfined_r ==============
allow unconfined_r guest_r;
allow unconfined_r user_r;

I will push a patch that modifies sanity-selinux.

Thanks,
Sebastien.

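The two points raised above, the backgrounded "$PDSH ${uname}@localhost" hop whose failure never fails the test, and its replacement by runcon, as an added example that is not code from sanity-selinux or test-framework.sh. fake_ssh_denied is a constructed stand-in for the ssh hop seen in the log; the guest_u/guest_r/guest_t context and the role allows are those quoted in the comments.

```shell
#!/bin/bash
# Added example, not code from sanity-selinux or test-framework.sh.
# Shows why test_20a's shape (backgrounded pdsh/ssh, then an ls) can pass
# when the hop fails, and a variant that surfaces the failure instead.
# fake_ssh_denied is a constructed stand-in for the ssh hop in the log.

fake_ssh_denied() {
    echo "localhost: Permission denied, please try again." >&2
    return 255
}

# run_checked CMD... : background CMD like the test does, but wait on its
# PID so the caller sees CMD's real exit status, not the 0 that '&' yields.
run_checked() {
    "$@" &
    wait "$!"
}

# Same shape as the failing test: '&' then a bare 'wait' (always 0), and
# the only check is an ls whose status is never propagated.
unchecked_test() {
    f=$1
    fake_ssh_denied touch "$f" &
    wait
    ls "$f" >/dev/null 2>&1 || echo "ls: cannot access $f" >&2
    return 0    # test reports PASS although the file was never created
}

# Hardened shape: the remote command's status fails the test, and the
# file's existence is asserted rather than merely listed.
checked_test() {
    f=$1
    run_checked fake_ssh_denied touch "$f" || return 1
    [ -e "$f" ]
}

# build_runcon_cmd SEUSER SEROLE SETYPE CMD... : the runcon invocation that
# replaces 'ssh user@localhost'; -u/-r/-t are coreutils runcon's flags.
# Echoed rather than executed so it can be inspected on a host that lacks
# the unconfined_r -> guest_r/user_r role allows quoted above.
build_runcon_cmd() {
    seuser=$1 serole=$2 setype=$3; shift 3
    echo "runcon -u $seuser -r $serole -t $setype -- $*"
}
```

Running unchecked_test against a path the hop never creates returns 0, which is exactly the false PASS the ticket reports; checked_test returns 1 for the same input.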
Comment by Gerrit Updater [ 25/Nov/16 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: http://review.whamcloud.com/23962
Subject: LU-8659 tests: use runcon in sanity-selinux
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 0cd696c19a837efe2a44a6530b01323960c839fc

Comment by Gerrit Updater [ 20/May/17 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/23962/
Subject: LU-8659 tests: use runcon in sanity-selinux
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 9d9a5ac444bcd796fe8757b092069570c24bc26a

Comment by Peter Jones [ 20/May/17 ]

Landed for 2.10
