[LU-14581] el8.3/lu2.14 cannot mount mgs with selinux enabled

Related — Sun, 4 Apr 2021 14:21:26 +0000

I just tried setting up a test server on el8 and took a bit of time to realize selinux was the problem, even if set to permissive.

Setting selinux to disabled allowed me to mount the server normally.

The problem seems to be that selinux thinks there is no xattr support and throws the baby with the water?

Might be relevant: I've only tested with a loop mount, it might work with real devices.

Here are the traces I have; happy to provide more if required:

# rm -f mgt && truncate -s 50M mgt && mkfs.lustre --mgs mgt
# mount -t lustre -o loop ./mgt /mnt/lustre/mgt/
mount.lustre: mount /dev/loop0 at /mnt/lustre/mgt failed: Operation not supported
# dmesg | tail
[  100.138808] LDISKFS-fs (loop0): mounted filesystem with ordered data mode. Opts: user_xattr,errors=remount-ro,no_mbcache,nodelalloc
[  101.210730] SELinux: (dev lustre, type lustre) has no xattr support
[  101.236892] Lustre: server umount MGS complete
# (nothing obvious in lctl dk as the umount was not initiated from lustre code)
# bpftrace -e 'kprobe:server_put_super { printf("umount: %s\n", kstack); }'
Attaching 1 probe...
umount: 
        server_put_super+1
        generic_shutdown_super+108
        kill_anon_super+20
        deactivate_locked_super+52
        mount_fs+308
        vfs_kern_mount.part.35+84
        do_mount+508
        ksys_mount+182
        __x64_sys_mount+33
        do_syscall_64+91
        entry_SYSCALL_64_after_hwframe+101
# cd /usr/src/debug/kernel-4.18.0-240.15.1.el8_3/linux-4.18.0-240.15.1.el8_3.x86_64/
# vim -t mount_fs
...
struct dentry *
mount_fs(struct file_system_type *type, int flags, const char *name, void *data)
{
...
        error = security_sb_kern_mount(sb, flags, secdata);
        if (error)
                goto out_sb;
...
out_sb:
        dput(root);
        deactivate_locked_super(sb);
...

So the selinux message in dmesg was a real hard error and not a safe-to-ignore warning as I'm used to...

I didn't look further into why selinux thinks there is no xattr support, but quick tracing shows selinux_sb_kern_mount() is called twice - once for osd_mount for the actual ldiskfs device which works, and once more for the actual lustre layer mount call which I guess is probably expected not to have xattrs, so I guess selinux got a bit more strict lately, or a policy change? I'm not sure policies can make the difference between the "lustre" server mount and the "lustre" client mount unfortunately.

Whamcloud Community JIRA

[LU-14581] el8.3/lu2.14 cannot mount mgs with selinux enabled