Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-4291] Lustre 1.8.9 client on RHEL 6.4 does not play nice with SELINUX while mounting 2.4.1 filesystems https://jira.whamcloud.com/browse/LU-4291 Lustre <p>Lustre 1.8.9 client built locally from HPDD Git for kernel 2.6.32-358.23.2.el6.x86_64, using distribution OFED. Client successfully mounts all 1.8.9 filesystems, but when you ask it to mount a 2.4.1 filesystem it crashes with the following stack trace:</p> <p>-----------<del>[ cut here ]</del>-----------<br/> kernel BUG at security/selinux/ss/services.c:625!<br/> invalid opcode: 0000 <a href="#1" target="_blank" rel="noopener">1</a> SMP<br/> last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:02:00.4/usb7/7-1/speed<br/> CPU 11<br/> Modules linked in: mgc(U) lustre(U) lov(U) mdc(U) lquota(U) osc(U) ptlrpc(U) obdclass(U) lvfs(U) ko2iblnd(U) lnet(U) libcfs(U) nfs lockd fscache auth_rpcgss nfs_acl mptctl mptbase autofs4 sunrpc nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_REJECT xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack iptable_filter ip_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_addr ipv6 tcp_bic power_meter sg mlx4_ib ib_sa ib_mad ib_core mlx4_en mlx4_core hpilo hpwdt bnx2 myri10ge(U) dca microcode serio_raw k10temp amd64_edac_mod edac_core edac_mce_amd i2c_piix4 shpchp ext4 jbd2 mbcache sd_mod crc_t10dif hpsa pata_acpi ata_generic pata_atiixp ahci radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod <span class="error">&#91;last unloaded: scsi_wait_scan&#93;</span> </p> <p>Pid: 7454, comm: lsof Not tainted 2.6.32-358.23.2.el6.x86_64 #1 HP ProLiant DL385 G7<br/> RIP: 0010:<span class="error">&#91;&lt;ffffffff8123982b&gt;&#93;</span> <span class="error">&#91;&lt;ffffffff8123982b&gt;&#93;</span> context_struct_compute_av+0x40b/0x420<br/> RSP: 0018:ffff88083854db18 EFLAGS: 00010246<br/> RAX: 0000000000000000 RBX: ffff88083854dca8 RCX: 0000000000000100<br/> RDX: 0000000000000f3c RSI: 00000000ffffffff RDI: 0000000000000010<br/> RBP: ffff88083854db98 R08: 00000000000135f0 R09: ffff88083854dca8<br/> R10: 0000000000000010 R11: 0000000000000000 R12: 0000000000000007<br/> R13: ffff880c3a556248 R14: 0000000000000796 R15: 000000000000079e<br/> FS: 00007f9638d787a0(0000) GS:ffff88084e480000(0000) knlGS:0000000000000000<br/> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b<br/> CR2: 0000003a4dadaf50 CR3: 00000008391ac000 CR4: 00000000000007e0<br/> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br/> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400<br/> Process lsof (pid: 7454, threadinfo ffff88083854c000, task ffff8808395e0040)<br/> Stack:<br/> ffff880839c1bc80 0007880800000007 ffff88041cc613c8 ffff880c3a556248<br/> &lt;d&gt; ffff88083a6825f0 00000000b4bb9d11 0000000000000007 0000000000000000<br/> &lt;d&gt; 000700073854dbd8 ffffffff81223621 ffff88083854dbe8 ffff88083854dca8<br/> Call Trace:<br/> <span class="error">&#91;&lt;ffffffff81223621&gt;&#93;</span> ? avc_has_perm+0x71/0x90<br/> <span class="error">&#91;&lt;ffffffff81239d05&gt;&#93;</span> security_compute_av+0xf5/0x2c0<br/> <span class="error">&#91;&lt;ffffffff8122328e&gt;&#93;</span> avc_has_perm_noaudit+0x14e/0x470<br/> <span class="error">&#91;&lt;ffffffff812235fb&gt;&#93;</span> avc_has_perm+0x4b/0x90<br/> <span class="error">&#91;&lt;ffffffff812253c4&gt;&#93;</span> inode_has_perm+0x54/0xa0<br/> <span class="error">&#91;&lt;ffffffff811a2100&gt;&#93;</span> ? mntput_no_expire+0x30/0x110<br/> <span class="error">&#91;&lt;ffffffff8122599b&gt;&#93;</span> dentry_has_perm+0x5b/0x80<br/> <span class="error">&#91;&lt;ffffffff81225a4c&gt;&#93;</span> selinux_inode_getattr+0x2c/0x30<br/> <span class="error">&#91;&lt;ffffffff8121d033&gt;&#93;</span> security_inode_getattr+0x23/0x30<br/> <span class="error">&#91;&lt;ffffffff81186d2f&gt;&#93;</span> vfs_getattr+0x2f/0x80<br/> <span class="error">&#91;&lt;ffffffff81186de0&gt;&#93;</span> vfs_fstatat+0x60/0x80<br/> <span class="error">&#91;&lt;ffffffff81186f2b&gt;&#93;</span> vfs_stat+0x1b/0x20<br/> <span class="error">&#91;&lt;ffffffff81186f54&gt;&#93;</span> sys_newstat+0x24/0x50<br/> <span class="error">&#91;&lt;ffffffff810dc937&gt;&#93;</span> ? audit_syscall_entry+0x1d7/0x200<br/> <span class="error">&#91;&lt;ffffffff810dc685&gt;&#93;</span> ? __audit_syscall_exit+0x265/0x290<br/> <span class="error">&#91;&lt;ffffffff8100b072&gt;&#93;</span> system_call_fastpath+0x16/0x1b<br/> Code: ff ff ff e8 08 53 e3 ff 85 c0 0f 84 34 ff ff ff 0f b7 75 8e 48 c7 c7 28 22 7c 81 31 c0 e8 52 43 2d 00 e9 1d ff ff ff 0f 0b eb fe &lt;0f&gt; 0b 0f 1f 00 eb fb 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00<br/> RIP <span class="error">&#91;&lt;ffffffff8123982b&gt;&#93;</span> context_struct_compute_av+0x40b/0x420<br/> RSP &lt;ffff88083854db18&gt;</p> <p>To get this trace, set SELINUX=permissive in /etc/selinux/config.</p> <p>We do have a kdump from this node in the permissive mode.</p> <p>Setting SELINUX=disabled and the behavior goes away. </p> <p>This is for an internet facing server (data transfer node), and our cyber policy strongly suggests running SELINUX on the web facing systems for the center. </p> <p>This isn't critical as there's a workaround, but it's serious and we do need to get the reason that Lustre is tickling SELINUX figured out and patched so we can move forward with putting the new Lustre filesystems on the data transfer nodes.</p> LU-4291 Lustre 1.8.9 client on RHEL 6.4 does not play nice with SELINUX while mounting 2.4.1 filesystems Bug Major Resolved Fixed Oleg Drokin Jason Hill Fri, 22 Nov 2013 05:05:42 +0000 Mon, 10 Feb 2014 17:19:05 +0000 Mon, 10 Feb 2014 17:19:05 +0000 Lustre 1.8.9 0 5 <p>Historically 1.8.9 with selinux in any state but off was not supported, so can you please turn it off completely?<br/> Even if it worked before for you, the code path was not verified, so now at the slight change broken things revealed itself.</p> <p>Oleg &#8211; thanks for the update. What is the stance for 2.4.X for our reference?</p> <p>There were some patches from Xyratex to allow operating a client and a server with SELinux enabled (no enforcement available, just to make it not crash), but to my knowledge we do not actively test this configuration.</p> <p>Lustre 2.4 is missing the patch from <a href="https://jira.whamcloud.com/browse/LU-2655" title="Make ability to mount lustre server target on selinux enabled servers." class="issue-link" data-issue-key="LU-2655"><del>LU-2655</del></a>. Lustre 1.8 would need to back port that and a bunch of patches from <a href="https://jira.whamcloud.com/browse/LU-589" title="test-packages launched by auster.sh read the wrong configuration file when auster.sh is invoked with the &#39;-c&#39; option" class="issue-link" data-issue-key="LU-589"><del>LU-589</del></a>. Is SELinux a hard requirement?</p> <p>Jason, </p> <p>As Oleg pointed out, there are patches in b2_5 and beyond that allow clients and servers to operate with SELinux enabled. </p> <p>Is there something else we need to do for this ticket or should we close it?</p> <p>Thanks, <br/> James</p> <p>James,</p> <p>Go ahead and close this. My apologies for not responding sooner. 1 Month latencies are unacceptable.</p> <p>Thanks!</p> <p>&#8211;<br/> -Jason</p> <p>Thank you for the update, Jason.</p> Development Rank 1|hzw9wf: Rank (Obsolete) 11774 Severity