X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=blobdiff_plain;f=lustre%2Ftests%2Fsanity-selinux.sh;h=c08f446877e81fd484aad643afedb4e04e5e81b5;hp=8ddc402cd4944271a9a1bb33a1f8c213b306f323;hb=refs%2Fchanges%2F15%2F35815%2F2;hpb=1796539799e2798caa80799e957faa03ef6af1a5 diff --git a/lustre/tests/sanity-selinux.sh b/lustre/tests/sanity-selinux.sh index 8ddc402..c08f446 100755 --- a/lustre/tests/sanity-selinux.sh +++ b/lustre/tests/sanity-selinux.sh @@ -536,7 +536,24 @@ test_21a() { fi # create nodemap entry with sepol - create_nodemap nm1 + create_nodemap c0 + + if $GSS_SK; then + # update mount option with skpath + MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS) + export SK_UNIQUE_NM=true + + # load specific key on servers + do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \ + -l $SK_PATH/nodemap/c0.key" + + # set perms for per-nodemap keys else permission denied + do_nodes $(comma_list $(all_server_nodes)) \ + "keyctl show | grep lustre | cut -c1-11 | + sed -e 's/ //g;' | + xargs -IX keyctl setperm X 0x3f3f3f3f" + + fi # mount client without sending sepol mount_client $MOUNT $MOUNT_OPTS && @@ -552,16 +569,20 @@ test_21a() { # store wrong sepol in nodemap sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000" - do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol" - do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol" - check_nodemap nm1 sepol $sepol + do_facet mgs $LCTL set_param nodemap.c0.sepol="$sepol" + do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol" + check_nodemap c0 sepol $sepol # mount client with sepol mount_client $MOUNT $MOUNT_OPTS && error "client mount without matching sepol should be refused" # remove nodemap - remove_nodemap nm1 + remove_nodemap c0 + + if $GSS_SK; then + export SK_UNIQUE_NM=false + fi # remount client normally echo 0 > /sys/module/ptlrpc/parameters/send_sepol 
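Review bot: The `keyctl setperm X 0x3f3f3f3f` step in the new `if $GSS_SK` block grants all six rights (view, read, write, search, link, setattr) to possessor, user, group and other, so every key it touches becomes readable and modifiable by any local account on the server nodes. The selection is broad as well: `grep lustre` matches every key whose `keyctl show` line contains that string, not only the c0 key loaded one command earlier, and `cut -c1-11` depends on the column layout of that output. I would resolve the id of the key that was just loaded and apply the narrowest mask that clears the "permission denied", recording the reason in a comment such as `# per-nodemap key is used by <accessor>; needs <right> for <class>`. The same block is repeated in the test_21b hunk at -603, so a shared helper would keep the two copies from drifting. test_21a starts and ends outside this hunk.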
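Review bot: The cleanup added after `remove_nodemap c0` resets only `SK_UNIQUE_NM`, and nothing visible in this hunk undoes the other two changes made when `$GSS_SK` is true. `MOUNT_OPTS` was rewritten through `add_sk_mntflag` in the previous hunk, so unless it is declared local outside the hunks, later tests inherit the modified value; the c0 key loaded with `lgss_sk -l` also appears to stay in the server keyrings with the widened permissions. I would save the value before the first block with `local saved_mount_opts=$MOUNT_OPTS`, restore it with `MOUNT_OPTS=$saved_mount_opts` once the test no longer needs the skpath flag, and drop the per-nodemap key from the servers in the same `if`. The point about the leftover key applies to the closing hunk of test_21b at -754 as well. The function continues outside the hunk.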
@@ -603,7 +624,22 @@ test_21b() { echo 3 > /proc/sys/vm/drop_caches # create nodemap entry with sepol - create_nodemap nm1 + create_nodemap c0 + + if $GSS_SK; then + export SK_UNIQUE_NM=true + + # load specific key on servers + do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \ + -l $SK_PATH/nodemap/c0.key" + + # set perms for per-nodemap keys else permission denied + do_nodes $(comma_list $(all_server_nodes)) \ + "keyctl show | grep lustre | cut -c1-11 | + sed -e 's/ //g;' | + xargs -IX keyctl setperm X 0x3f3f3f3f" + + fi # metadata ops without sending sepol touch $DIR/$tdir/f0 && error "touch (1)" @@ -647,9 +683,9 @@ test_21b() { # store wrong sepol in nodemap sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000" - do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol" - do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol" - check_nodemap nm1 sepol $sepol + do_facet mgs $LCTL set_param nodemap.c0.sepol="$sepol" + do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol" + check_nodemap c0 sepol $sepol # metadata ops with sepol touch $DIR/$tdir/f4 && error "touch (3)" @@ -672,9 +708,9 @@ test_21b() { # reset correct sepol sepol=$(l_getsepol | cut -d':' -f2- | xargs) - do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol" - do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol" - check_nodemap nm1 sepol $sepol + do_facet mgs $LCTL set_param nodemap.c0.sepol="$sepol" + do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol" + check_nodemap c0 sepol $sepol # metadata ops with sepol every 10 seconds only echo 10 > /sys/module/ptlrpc/parameters/send_sepol @@ -754,8 +790,12 @@ test_21b() { fi # remove nodemap - remove_nodemap nm1 + remove_nodemap c0 echo 0 > /sys/module/ptlrpc/parameters/send_sepol + + if $GSS_SK; then + export SK_UNIQUE_NM=false + fi } run_test 21b "Send sepol for metadata ops"
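Review bot: The status of `do_nodes ... "lgss_sk -t server -l $SK_PATH/nodemap/c0.key"` is ignored, and the checks that follow it are negative ones (`touch $DIR/$tdir/f0 && error "touch (1)"`). If the key fails to load, the operation would presumably be refused for an authentication reason, and the sepol check would pass without having been exercised. Assuming `do_nodes` propagates the remote exit status, appending `|| error "loading c0.key on servers failed"` to that line, and an equivalent guard to the `keyctl setperm` pipeline, keeps a refusal attributable to the nodemap policy. The identical block in test_21a (hunk at -536) precedes `mount_client $MOUNT $MOUNT_OPTS &&`, which has the same exposure. test_21b's body extends beyond this hunk.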