[lustre-discuss] Lustre client cannot access file system with SELinux enabled

Michael Watters wattersm at watters.ws
Thu Dec 8 06:14:10 PST 2016


Thanks.  The issue turned out to be missing user and group IDs on the
metadata server.  I created the apache user with the proper UID and
group IDs and apache is now able to access the directory.  I also had to
mount the file system using the nfs_t context to allow access.


On 12/05/2016 03:59 AM, Sebastien Buisson wrote:
> Hi Michael,
>
> I guess your problem shows SELinux works just fine on Lustre :)
>
> The SELinux policy enforced on your CentOS client does not allow Apache server to access files that have the ‘system_u:object_r:unlabeled_t:s0’ security context.
> To see the SELinux denial messages please make sure you issue this command:
> # semanage dontaudit off
> Messages should be written to /var/log/audit/audit.log.
>
> Regards,
> Sebastien.
>
>> On 1 Dec 2016 at 22:10, Michael Watters <wattersm at watters.ws> wrote:
>>
>> Hello,
>>
>> I have a lustre client running CentOS 7.2 with lustre 2.8 which is having issues accessing files on the lustre mount from Apache. There are no AVC denials shown in the logs however Apache does show an error in the logs as follows.
>>
>>> AH00035: access to /repos/centos2/index.html denied (filesystem path '/var/www/html/repos/centos2/index.html') because search permissions are missing on a component of the path
>> I checked file permissions and they are fine.  SELinux context is set to unlabeled_t as shown by ls -lZ.
>>
>> [root at srv1 pub]# ls -lZ
>> drwxrwxr-x. mirrmaid mirrmaid system_u:object_r:unlabeled_t:s0 centos
>>
>> I attempted to chcon the files to allow apache access however that also errors out.
>>
>> [root at srv1 pub]# chcon -v r:httpd_sys_content_t:s0  centos/
>> changing security context of ‘centos/’
>> chcon: failed to change context of ‘centos/’ to ‘r:httpd_sys_content_t:s0’: Invalid argument
>>
>> Does Lustre 2.8 support SELinux or should I simply turn SELinux off?  Is there a way to make SELinux labels work properly?
>>
>>
>>
>> _______________________________________________
>> lustre-discuss mailing list
>> lustre-discuss at lists.lustre.org
>> http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
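
Added example, not part of the original thread: once `semanage dontaudit off` has been run as suggested above, denials land in /var/log/audit/audit.log, and a short Python script can summarise which domains are being denied access to objects labelled unlabeled_t. The sample log lines are constructed for illustration, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the audit.log AVC format; not taken from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1480629000.101:412): avc:  denied  { search } for  pid=2211 comm="httpd" name="centos2" dev="lustre" ino=1441 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1480629000.101:412): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1480629003.530:415): avc:  denied  { getattr } for  pid=2211 comm="httpd" path="/var/www/html/repos/centos2/index.html" dev="lustre" ino=1502 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1480629010.007:420): avc:  denied  { read } for  pid=3090 comm="sshd" name="authorized_keys" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Permissions, command name, source/target contexts and object class of a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_denials(text):
    """Parse type=AVC records, skipping SYSCALL and other record types."""
    denials = []
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["source_type"] = selinux_type(d["scontext"])
            d["target_type"] = selinux_type(d["tcontext"])
            denials.append(d)
    return denials

def summarize(denials, target_type="unlabeled_t"):
    """Count (source domain, object class, permission) for one target type."""
    counts = Counter()
    for d in denials:
        if d["target_type"] == target_type:
            for perm in d["perms"]:
                counts[(d["source_type"], d["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (src, cls, perm), n in sorted(summarize(parse_denials(SAMPLE_LOG)).items()):
        print(f"{src} -> unlabeled_t {cls}:{perm} x{n}")
```

Feeding it the real audit.log instead of SAMPLE_LOG shows whether httpd_t is the only domain hitting unlabeled_t objects on the mount before a mount-time context is chosen.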


