# In order to be able to do the runcon commands in test_4,
# the SELinux policy must allow the unconfined user to transition to the
# user_u/user_r/user_t and guest_u/guest_r/guest_t contexts. At minimum
# the following role allow rules must be present (test_4 checks for them
# with "sesearch --role_allow" and skips if they are missing); with a
# stock targeted policy they are typically supplied by a custom policy
# module:
# #============= unconfined_r ==============
# allow unconfined_r guest_r;
# allow unconfined_r user_r;
11 # Run select tests by setting ONLY, or as arguments to the script.
12 # Skip specific tests by setting EXCEPT.
14 # e.g. ONLY="22 23" or ONLY="`seq 32 39`" or EXCEPT="31"
18 # bug number for skipped test:
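ALWAYS_EXCEPT=${ALWAYS_EXCEPT:-"$SANITY_SELINUX_EXCEPT"}
# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!

# Locate the Lustre test framework relative to this script and pull in
# the shared helpers (error, skip, run_test, do_facet, ...) plus the
# per-configuration settings.
LUSTRE=${LUSTRE:-$(dirname $0)/..}
. $LUSTRE/tests/test-framework.sh
. ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}

require_dsh_mds || exit 0

[ "$SLOW" = "no" ] && EXCEPT_SLOW="xxx"

RUNAS_CMD=${RUNAS_CMD:-runas}
# $RUNAS_ID may get set incorrectly somewhere else.
# The "as $RUNAS_ID" access checks below only mean something when they run
# unprivileged, so fail closed: treat an unset/empty RUNAS_ID like 0.
# (The former "[ ... -a $RUNAS_ID -eq 0 ]" form produced a test syntax
# error, status 2, on an empty value, so the guard silently passed.)
[[ $UID -eq 0 && ${RUNAS_ID:-0} -eq 0 ]] &&
	error "RUNAS_ID set to 0, but UID is also 0!"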
41 # global variables of this sanity
45 echo -n "Checking SELinux environment... "
46 local selinux_status=$(getenforce)
47 if [ "$selinux_status" != "Enforcing" ]; then
48 skip "SELinux is currently in $selinux_status mode," \
49 "but it must be enforced to run sanity-selinux" && exit 0
51 local selinux_policy=$(sestatus |
52 awk -F':' '$1 == "Loaded policy name" {print $2}' | xargs)
53 if [ -z "$selinux_policy" ]; then
54 selinux_policy=$(sestatus |
55 awk -F':' '$1 == "Policy from config file" {print $2}' | xargs)
57 [ "$selinux_policy" == "targeted" ] ||
58 error "Accepting only targeted policy"
59 echo "$selinux_status, $selinux_policy"
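# we want double mount: the consistency/atomicity tests below compare what
# is seen through $DIR and $DIR2
MOUNT_2=${MOUNT_2:-"yes"}
check_and_setup_lustre

# Remove leftovers of earlier runs. "${DIR:?}" aborts the script instead of
# globbing against "/" should DIR ever be unset or empty.
rm -rf "${DIR:?}"/[df][0-9]*

check_runas_id $RUNAS_ID $RUNAS_ID $RUNAS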
76 check_selinux_xattr() {
79 local mds_dev=$(facet_device $mds)
80 local mntpt="/tmp/mdt_"
83 do_facet $mds mkdir -p $mntpt || error "mkdir $mntpt failed"
84 mount_fstype $mds $mntpt || error "mount $mds failed"
86 local xattrval=$(do_facet $mds getfattr -n security.selinux \
87 ${mntpt}/ROOT/$mds_path |
88 awk -F"=" '$1=="security.selinux" {print $2}')
90 unmount_fstype $mds $mntpt || error "umount $mds failed"
91 do_facet $mds rmdir $mntpt || error "rmdir $mntpt failed"
98 local devname=$(mdsdevname 1)
99 local filename=${DIR}/${tdir}/df1
100 local mds_path=${filename#$MOUNT}
102 mds_path=${mds_path#/}
104 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir $tdir failed"
105 touch $filename || error "cannot touch $filename"
107 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
109 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
110 error "security.selinux xattr is not set"
112 run_test 1 "create file and check security.selinux xattr is set on MDT"
115 local devname=$(mdsdevname 1)
116 local dirname=${DIR}/${tdir}/dir2a
117 local mds_path=${dirname#$MOUNT}
119 mds_path=${mds_path#/}
121 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed"
122 mkdir $dirname || error "cannot mkdir $dirname"
124 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
126 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
127 error "security.selinux xattr is not set"
129 run_test 2a "create dir (mkdir) and check security.selinux xattr is set on MDT"
132 local devname=$(mdsdevname 1)
133 local dirname1=${DIR}/$tdir/dir2b1
134 local dirname2=${DIR}/$tdir/dir2b2
135 local mds_path=${dirname1#$MOUNT}
137 mds_path=${mds_path#/}
139 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed"
140 $LFS mkdir -c0 -i0 $dirname1 || error "cannot 'lfs mkdir' $dirname1"
142 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
144 mds_path=${dirname2#$MOUNT}
145 mds_path=${mds_path#/}
147 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
148 error "security.selinux xattr is not set"
150 $LFS setdirstripe -i0 $dirname2 ||
151 error "cannot 'lfs setdirstripe' $dirname2"
153 xattrval=$(check_selinux_xattr "mds1" $mds_path)
155 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
156 error "security.selinux xattr is not set"
158 run_test 2b "create dir with lfs and check security.selinux xattr is set on MDT"
161 local filename=$DIR/$tdir/df3
162 local level=$(id -Z | cut -d':' -f4-)
163 local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t \
170 echo "As unconfined_u: touch $filename"
171 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx touch $filename ||
172 error "can't touch $filename"
173 echo "As unconfined_u: rm -f $filename"
174 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx rm -f $filename ||
175 error "can't remove $filename"
179 run_test 3 "access with unconfined user"
182 local filename=$DIR/$tdir/df4
183 local guestctx="-u guest_u -r guest_r -t guest_t -l s0"
184 local usrctx="-u user_u -r user_r -t user_t -l s0"
186 sesearch --role_allow | grep -q "allow unconfined_r user_r"
187 if [ $? -ne 0 ]; then
188 skip "SELinux policy module must allow transition from \
189 unconfined_r to user_r for this test." && exit 0
191 sesearch --role_allow | grep -q "allow unconfined_r guest_r"
192 if [ $? -ne 0 ]; then
193 skip "SELinux policy module must allow transition from \
194 unconfined_r to guest_r for this test." && exit 0
201 echo "As guest_u: touch $filename"
202 $RUNAS_CMD -u $RUNAS_ID runcon $guestctx touch $filename &&
203 error "touch $filename should have failed"
206 echo "As user_u: touch $filename"
207 $RUNAS_CMD -u $RUNAS_ID runcon $usrctx touch $filename ||
208 error "can't touch $filename"
209 echo "As user_u: rm -f $filename"
210 $RUNAS_CMD -u $RUNAS_ID runcon $usrctx rm -f $filename ||
211 error "can't remove $filename"
215 run_test 4 "access with specific SELinux user"
218 local filename=$DIR/df5
219 local newsecctx="nfs_t"
222 touch $filename || error "cannot touch $filename"
225 chcon -t $newsecctx $filename
# purge the client's cache (dentries/inodes/pagecache) so the following
# ls -lZ has to fetch the security context from the MDT xattr again
# instead of serving the value cached at chcon time
229 sync ; echo 3 > /proc/sys/vm/drop_caches
233 local secctxseen=$(ls -lZ $filename | awk '{print $4}' | cut -d: -f3)
235 [ "$newsecctx" == "$secctxseen" ] ||
236 error "sec context seen from 1st mount point is not correct"
240 run_test 5 "security context retrieval from MDT xattr"
243 local filename1=$DIR/df10
244 local filename2=$DIR2/df10
245 local newsecctx="nfs_t"
247 # create file from 1st mount point
248 touch $filename1 || error "cannot touch $filename1"
251 # change sec context from 2nd mount point
252 chcon -t $newsecctx $filename2
255 # get sec context from 1st mount point
257 local secctxseen=$(ls -lZ $filename1 | awk '{print $4}' | cut -d: -f3)
259 [ "$newsecctx" == "$secctxseen" ] ||
260 error_ignore LU-6784 \
261 "sec context seen from 1st mount point is not correct"
265 run_test 10 "[consistency] concurrent security context change"
268 local filename1=$DIR/$tdir/df20a
269 local filename2=$DIR2/$tdir/df20a
271 local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t -l s0"
276 # sleep some time in ll_create_nd()
277 #define OBD_FAIL_LLITE_CREATE_FILE_PAUSE 0x1409
278 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x1409"
# create file on first mount point, in the background: the injected pause
# above keeps the create in flight while the other mount point looks at it
281 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx touch $filename1 &
285 if [[ -z "$(ps h -o comm -p $touchpid)" ]]; then
286 error "touch failed to sleep, pid=$touchpid"
289 # get sec info on second mount point
290 if [ -e "$filename2" ]; then
291 secinfo2=$(ls -lZ $filename2 | awk '{print $4}')
294 # get sec info on first mount point
296 secinfo1=$(ls -lZ $filename1 | awk '{print $4}')
298 # compare sec contexts
299 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
300 error "sec context seen from 2nd mount point is not correct"
304 run_test 20a "[atomicity] concurrent access from another client (file)"
307 local dirname1=$DIR/$tdir/dd20b
308 local dirname2=$DIR2/$tdir/dd20b
310 local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t -l s0"
# inject a delay (fail_val=$req_delay) into the mkdir path on this client
# via the fail_loc below
316 #define OBD_FAIL_LLITE_NEWNODE_PAUSE 0x140a
317 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x140a"
# create directory on first mount point, in the background: the injected
# pause keeps the mkdir in flight while the other mount point looks at it
320 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx mkdir $dirname1 &
324 if [[ -z "$(ps h -o comm -p $mkdirpid)" ]]; then
325 error "mkdir failed to sleep, pid=$mkdirpid"
328 # get sec info on second mount point
329 if [ -e "$dirname2" ]; then
330 secinfo2=$(ls -ldZ $dirname2 | awk '{print $4}')
335 # get sec info on first mount point
337 secinfo1=$(ls -ldZ $dirname1 | awk '{print $4}')
339 # compare sec contexts
340 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
341 error "sec context seen from 2nd mount point is not correct"
345 run_test 20b "[atomicity] concurrent access from another client (dir)"
348 local dirname1=$DIR/dd20c
349 local dirname2=$DIR2/dd20c
# inject a delay (fail_val=$req_delay) into the lfs mkdir / setdirstripe
# path on this client via the fail_loc below
353 #define OBD_FAIL_LLITE_SETDIRSTRIPE_PAUSE 0x140b
354 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x140b"
# create striped directory with lfs on first mount point, in the
# background: the injected pause keeps it in flight while the other mount
# point looks at it
357 $LFS mkdir -c0 -i0 $dirname1 &
361 if [[ -z "$(ps h -o comm -p $mkdirpid)" ]]; then
362 error "lfs mkdir failed to sleep, pid=$mkdirpid"
365 # get sec info on second mount point
366 if [ -e "$dirname2" ]; then
367 secinfo2=$(ls -ldZ $dirname2 | awk '{print $4}')
372 # get sec info on first mount point
374 secinfo1=$(ls -ldZ $dirname1 | awk '{print $4}')
376 # compare sec contexts
377 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
378 error "sec context seen from 2nd mount point is not correct"
382 run_test 20c "[atomicity] concurrent access from another client (dir via lfs)"
390 if [ "$nm" == "active" ]; then
393 proc_param="$nm.$key"
396 for i in $(seq 1 20); do
397 out=$(do_facet mds1 $LCTL get_param -n \
398 nodemap.$proc_param 2>/dev/null)
399 echo "On mds1, ${proc_param} = $out"
400 [ "$val" == "$out" ] && is_sync=true && break
404 error "$proc_param not updated on mds1 after 20 secs"
411 local client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
412 local client_nid=$(h2nettype $client_ip)
414 do_facet mgs $LCTL nodemap_activate 1
416 do_facet mgs $LCTL nodemap_add $nm
417 do_facet mgs $LCTL nodemap_add_range \
418 --name $nm --range $client_nid
419 do_facet mgs $LCTL nodemap_modify --name $nm \
420 --property admin --value 1
421 do_facet mgs $LCTL nodemap_modify --name $nm \
422 --property trusted --value 1
424 check_nodemap $nm admin_nodemap 1
425 check_nodemap $nm trusted_nodemap 1
427 sepol=$(l_getsepol | cut -d':' -f2- | xargs)
428 do_facet mgs $LCTL set_param nodemap.$nm.sepol="$sepol"
429 do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol"
431 check_nodemap $nm sepol $sepol
437 do_facet mgs $LCTL nodemap_del $nm
439 do_facet mgs $LCTL nodemap_activate 0
441 check_nodemap active x 0
447 [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.56) ] &&
448 skip "Need MDS >= 2.11.56"
451 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
452 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
454 if $(grep -q $MOUNT' ' /proc/mounts); then
455 umount_client $MOUNT || error "umount $MOUNT failed"
458 # create nodemap entry with sepol
462 # update mount option with skpath
463 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
464 export SK_UNIQUE_NM=true
466 # load specific key on servers
467 do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \
468 -l $SK_PATH/nodemap/c0.key"
# grant the widest possible permissions on the lustre keys, else the
# per-nodemap key is unusable ("permission denied"). 0x3f3f3f3f is
# view/read/write/search/link/setattr for possessor, user, group AND other,
# far broader than needed; acceptable only on a disposable test node.
471 do_nodes $(comma_list $(all_server_nodes)) \
472 "keyctl show | grep lustre | cut -c1-11 |
474 xargs -IX keyctl setperm X 0x3f3f3f3f"
478 # mount client without sending sepol
479 mount_client $MOUNT $MOUNT_OPTS &&
480 error "client mount without sending sepol should be refused"
482 # mount client with sepol
483 echo -1 > /sys/module/ptlrpc/parameters/send_sepol
484 mount_client $MOUNT $MOUNT_OPTS ||
485 error "client mount with sepol failed"
488 umount_client $MOUNT || error "umount $MOUNT failed"
490 # store wrong sepol in nodemap
491 sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000"
492 do_facet mgs $LCTL set_param nodemap.c0.sepol="$sepol"
493 do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
494 check_nodemap c0 sepol $sepol
# mount client with sepol sent, but the nodemap now holds a sepol that
# cannot match: the server must refuse the mount
497 mount_client $MOUNT $MOUNT_OPTS &&
498 error "client mount without matching sepol should be refused"
504 export SK_UNIQUE_NM=false
507 # remount client normally
508 echo 0 > /sys/module/ptlrpc/parameters/send_sepol
509 mountcli || error "normal client mount failed"
511 run_test 21a "Send sepol at connect"
516 [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.56) ] &&
517 skip "Need MDS >= 2.11.56"
519 mkdir -p $DIR/$tdir || error "failed to create $DIR/$tdir"
520 echo test > $DIR/$tdir/toopen ||
521 error "failed to write to $DIR/$tdir/toopen"
522 touch $DIR/$tdir/ftoremove ||
523 error "failed to create $DIR/$tdir/ftoremove"
524 touch $DIR/$tdir/ftoremove2 ||
525 error "failed to create $DIR/$tdir/ftoremove2"
526 touch $DIR/$tdir/ftoremove3 ||
527 error "failed to create $DIR/$tdir/ftoremove3"
528 touch $DIR/$tdir/ftoremove4 ||
529 error "failed to create $DIR/$tdir/ftoremove4"
530 mkdir $DIR/$tdir/dtoremove ||
531 error "failed to create $DIR/$tdir/dtoremove"
532 mkdir $DIR/$tdir/dtoremove2 ||
533 error "failed to create $DIR/$tdir/dtoremove2"
534 mkdir $DIR/$tdir/dtoremove3 ||
535 error "failed to create $DIR/$tdir/dtoremove3"
536 mkdir $DIR/$tdir/dtoremove4 ||
537 error "failed to create $DIR/$tdir/dtoremove4"
538 touch $DIR/$tdir/ftorename ||
539 error "failed to create $DIR/$tdir/ftorename"
540 mkdir $DIR/$tdir/dtorename ||
541 error "failed to create $DIR/$tdir/dtorename"
542 setfattr -n user.myattr -v myval $DIR/$tdir/toopen ||
543 error "failed to set xattr on $DIR/$tdir/toopen"
544 echo 3 > /proc/sys/vm/drop_caches
546 # create nodemap entry with sepol
550 export SK_UNIQUE_NM=true
552 # load specific key on servers
553 do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \
554 -l $SK_PATH/nodemap/c0.key"
# grant the widest possible permissions on the lustre keys, else the
# per-nodemap key is unusable ("permission denied"). 0x3f3f3f3f is
# view/read/write/search/link/setattr for possessor, user, group AND other,
# far broader than needed; acceptable only on a disposable test node.
557 do_nodes $(comma_list $(all_server_nodes)) \
558 "keyctl show | grep lustre | cut -c1-11 |
560 xargs -IX keyctl setperm X 0x3f3f3f3f"
564 # metadata ops without sending sepol
565 touch $DIR/$tdir/f0 && error "touch (1)"
566 lfs setstripe -c1 $DIR/$tdir/f1 && error "lfs setstripe (1)"
567 mkdir $DIR/$tdir/d0 && error "mkdir (1)"
568 lfs setdirstripe -i0 -c1 $DIR/$tdir/d1 && error "lfs setdirstripe (1)"
569 cat $DIR/$tdir/toopen && error "cat (1)"
570 rm -f $DIR/$tdir/ftoremove && error "rm (1)"
571 rmdir $DIR/$tdir/dtoremove && error "rmdir (1)"
572 mv $DIR/$tdir/ftorename $DIR/$tdir/ftorename2 && error "mv (1)"
573 mv $DIR/$tdir/dtorename $DIR/$tdir/dtorename2 && error "mv (2)"
574 getfattr -n user.myattr $DIR/$tdir/toopen && error "getfattr (1)"
575 setfattr -n user.myattr -v myval2 $DIR/$tdir/toopen &&
577 chattr +i $DIR/$tdir/toopen && error "chattr (1)"
578 lsattr $DIR/$tdir/toopen && error "lsattr (1)"
579 chattr -i $DIR/$tdir/toopen && error "chattr (1)"
580 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl1 && error "symlink (1)"
581 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl1 && error "hardlink (1)"
583 # metadata ops with sepol
584 echo -1 > /sys/module/ptlrpc/parameters/send_sepol
585 touch $DIR/$tdir/f2 || error "touch (2)"
586 lfs setstripe -c1 $DIR/$tdir/f3 || error "lfs setstripe (2)"
587 mkdir $DIR/$tdir/d2 || error "mkdir (2)"
588 lfs setdirstripe -i0 -c1 $DIR/$tdir/d3 || error "lfs setdirstripe (2)"
589 cat $DIR/$tdir/toopen || error "cat (2)"
590 rm -f $DIR/$tdir/ftoremove || error "rm (2)"
591 rmdir $DIR/$tdir/dtoremove || error "rmdir (2)"
592 mv $DIR/$tdir/ftorename $DIR/$tdir/ftorename2 || error "mv (3)"
593 mv $DIR/$tdir/dtorename $DIR/$tdir/dtorename2 || error "mv (4)"
594 getfattr -n user.myattr $DIR/$tdir/toopen || error "getfattr (2)"
595 setfattr -n user.myattr -v myval2 $DIR/$tdir/toopen ||
597 chattr +i $DIR/$tdir/toopen || error "chattr (2)"
598 lsattr $DIR/$tdir/toopen || error "lsattr (2)"
599 chattr -i $DIR/$tdir/toopen || error "chattr (2)"
600 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl2 || error "symlink (2)"
601 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl2 || error "hardlink (2)"
602 echo 3 > /proc/sys/vm/drop_caches
604 # store wrong sepol in nodemap
605 sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000"
606 do_facet mgs $LCTL set_param nodemap.c0.sepol="$sepol"
607 do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
608 check_nodemap c0 sepol $sepol
# metadata ops with sepol still sent, but it no longer matches what the
# nodemap holds: every op must be refused
611 touch $DIR/$tdir/f4 && error "touch (3)"
612 lfs setstripe -c1 $DIR/$tdir/f5 && error "lfs setstripe (3)"
613 mkdir $DIR/$tdir/d4 && error "mkdir (3)"
614 lfs setdirstripe -i0 -c1 $DIR/$tdir/d5 && error "lfs setdirstripe (3)"
615 cat $DIR/$tdir/toopen && error "cat (3)"
616 rm -f $DIR/$tdir/ftoremove2 && error "rm (3)"
617 rmdir $DIR/$tdir/dtoremove2 && error "rmdir (3)"
618 mv $DIR/$tdir/ftorename2 $DIR/$tdir/ftorename && error "mv (5)"
619 mv $DIR/$tdir/dtorename2 $DIR/$tdir/dtorename && error "mv (6)"
620 getfattr -n user.myattr $DIR/$tdir/toopen && error "getfattr (3)"
621 setfattr -n user.myattr -v myval3 $DIR/$tdir/toopen &&
623 chattr +i $DIR/$tdir/toopen && error "chattr (3)"
624 lsattr $DIR/$tdir/toopen && error "lsattr (3)"
625 chattr -i $DIR/$tdir/toopen && error "chattr (3)"
626 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl3 && error "symlink (3)"
627 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl3 && error "hardlink (3)"
629 # reset correct sepol
630 sepol=$(l_getsepol | cut -d':' -f2- | xargs)
631 do_facet mgs $LCTL set_param nodemap.c0.sepol="$sepol"
632 do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
633 check_nodemap c0 sepol $sepol
635 # metadata ops with sepol every 10 seconds only
636 echo 10 > /sys/module/ptlrpc/parameters/send_sepol
637 touch $DIR/$tdir/f6 || error "touch (4)"
638 lfs setstripe -c1 $DIR/$tdir/f7 || error "lfs setstripe (4)"
639 mkdir $DIR/$tdir/d6 || error "mkdir (4)"
640 lfs setdirstripe -i0 -c1 $DIR/$tdir/d7 || error "lfs setdirstripe (4)"
641 cat $DIR/$tdir/toopen || error "cat (4)"
642 rm -f $DIR/$tdir/ftoremove2 || error "rm (4)"
643 rmdir $DIR/$tdir/dtoremove2 || error "rmdir (4)"
644 mv $DIR/$tdir/ftorename2 $DIR/$tdir/ftorename || error "mv (7)"
645 mv $DIR/$tdir/dtorename2 $DIR/$tdir/dtorename || error "mv (8)"
646 getfattr -n user.myattr $DIR/$tdir/toopen || error "getfattr (4)"
647 setfattr -n user.myattr -v myval3 $DIR/$tdir/toopen ||
649 chattr +i $DIR/$tdir/toopen || error "chattr (4)"
650 lsattr $DIR/$tdir/toopen || error "lsattr (4)"
651 chattr -i $DIR/$tdir/toopen || error "chattr (4)"
652 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl4 || error "symlink (4)"
653 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl4 || error "hardlink (4)"
654 echo 3 > /proc/sys/vm/drop_caches
# change one SELinux boolean value (persistently, -P). This alters the
# loaded policy, so the sepol the client computes from it no longer matches
# the one stored in the nodemap.
657 sebool=$(getsebool deny_ptrace | awk '{print $3}')
658 if [ "$sebool" == "off" ]; then
659 setsebool -P deny_ptrace on
661 setsebool -P deny_ptrace off
# sepol is only re-sent every 10 seconds (send_sepol=10 above), so it
# should not have been re-checked yet and metadata ops without a matching
# sepol still succeed. This is a real detection window: a policy change on
# the client goes unnoticed by the servers until the next send.
666 touch $DIR/$tdir/f8 || error "touch (5)"
667 lfs setstripe -c1 $DIR/$tdir/f9 || error "lfs setstripe (5)"
668 mkdir $DIR/$tdir/d8 || error "mkdir (5)"
669 lfs setdirstripe -i0 -c1 $DIR/$tdir/d9 || error "lfs setdirstripe (5)"
670 cat $DIR/$tdir/toopen || error "cat (5)"
671 rm -f $DIR/$tdir/ftoremove3 || error "rm (5)"
672 rmdir $DIR/$tdir/dtoremove3 || error "rmdir (5)"
673 mv $DIR/$tdir/ftorename $DIR/$tdir/ftorename2 || error "mv (9)"
674 mv $DIR/$tdir/dtorename $DIR/$tdir/dtorename2 || error "mv (10)"
675 getfattr -n user.myattr $DIR/$tdir/toopen || error "getfattr (5)"
676 setfattr -n user.myattr -v myval4 $DIR/$tdir/toopen ||
678 chattr +i $DIR/$tdir/toopen || error "chattr (5)"
679 lsattr $DIR/$tdir/toopen || error "lsattr (5)"
680 chattr -i $DIR/$tdir/toopen || error "chattr (5)"
681 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl5 || error "symlink (5)"
682 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl5 || error "hardlink (5)"
683 echo 3 > /proc/sys/vm/drop_caches
686 # metadata ops without matching sepol: should fail now
687 touch $DIR/$tdir/f10 && error "touch (6)"
688 lfs setstripe -c1 $DIR/$tdir/f11 && error "lfs setstripe (6)"
689 mkdir $DIR/$tdir/d10 && error "mkdir (6)"
690 lfs setdirstripe -i0 -c1 $DIR/$tdir/d11 && error "lfs setdirstripe (6)"
691 cat $DIR/$tdir/toopen && error "cat (6)"
692 rm -f $DIR/$tdir/ftoremove4 && error "rm (6)"
693 rmdir $DIR/$tdir/dtoremove4 && error "rmdir (6)"
694 mv $DIR/$tdir/ftorename2 $DIR/$tdir/ftorename && error "mv (11)"
695 mv $DIR/$tdir/dtorename2 $DIR/$tdir/dtorename && error "mv (12)"
696 getfattr -n user.myattr $DIR/$tdir/toopen && error "getfattr (6)"
697 setfattr -n user.myattr -v myval5 $DIR/$tdir/toopen &&
699 chattr +i $DIR/$tdir/toopen && error "chattr (6)"
700 lsattr $DIR/$tdir/toopen && error "lsattr (6)"
701 chattr -i $DIR/$tdir/toopen && error "chattr (6)"
702 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl6 && error "symlink (6)"
703 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl6 && error "hardlink (6)"
# restore the SELinux boolean value (setsebool -P made the change
# persistent). If an earlier error aborted this test, this restore did not
# run and the node is left with the flipped boolean.
706 if [ "$sebool" == "off" ]; then
707 setsebool -P deny_ptrace off
709 setsebool -P deny_ptrace on
714 echo 0 > /sys/module/ptlrpc/parameters/send_sepol
717 export SK_UNIQUE_NM=false
720 run_test 21b "Send sepol for metadata ops"
723 check_and_cleanup_lustre