4 # In order to be able to do the runcon commands in test_4,
5 # the SELinux policy must allow transitions from unconfined_t
6 # to user_t and guest_t:
7 # #============= unconfined_r ==============
8 # allow unconfined_r guest_r;
9 # allow unconfined_r user_r;
11 # Run select tests by setting ONLY, or as arguments to the script.
12 # Skip specific tests by setting EXCEPT.
14 # e.g. ONLY="22 23" or ONLY="`seq 32 39`" or EXCEPT="31"
19 LUSTRE=${LUSTRE:-$(dirname $0)/..}
20 . $LUSTRE/tests/test-framework.sh
24 ALWAYS_EXCEPT="$SANITY_SELINUX_EXCEPT"
26 [ "$SLOW" = "no" ] && EXCEPT_SLOW="xxx"
30 require_dsh_mds || exit 0
32 RUNAS_CMD=${RUNAS_CMD:-runas}
33 # $RUNAS_ID may get set incorrectly somewhere else
34 [ $UID -eq 0 -a $RUNAS_ID -eq 0 ] &&
35 error "RUNAS_ID set to 0, but UID is also 0!"
38 # global variables of this sanity
42 echo -n "Checking SELinux environment... "
43 local selinux_status=$(getenforce)
44 if [ "$selinux_status" != "Enforcing" ]; then
45 skip "SELinux is currently in $selinux_status mode," \
46 "but it must be enforced to run sanity-selinux" && exit 0
48 local selinux_policy=$(sestatus |
49 awk -F':' '$1 == "Loaded policy name" {print $2}' | xargs)
50 if [ -z "$selinux_policy" ]; then
51 selinux_policy=$(sestatus |
52 awk -F':' '$1 == "Policy from config file" {print $2}' | xargs)
54 [ "$selinux_policy" == "targeted" ] ||
55 error "Accepting only targeted policy"
56 echo "$selinux_status, $selinux_policy"
61 # we want double mount
62 MOUNT_2=${MOUNT_2:-"yes"}
63 check_and_setup_lustre
65 rm -rf $DIR/[df][0-9]*
67 check_runas_id $RUNAS_ID $RUNAS_ID $RUNAS
71 check_selinux_xattr() {
74 local mds_dev=$(facet_device $mds)
75 local mntpt="/tmp/mdt_"
78 do_facet $mds mkdir -p $mntpt || error "mkdir $mntpt failed"
79 mount_fstype $mds $mntpt || error "mount $mds failed"
81 local xattrval=$(do_facet $mds getfattr -n security.selinux \
82 ${mntpt}/ROOT/$mds_path |
83 awk -F"=" '$1=="security.selinux" {print $2}')
85 unmount_fstype $mds $mntpt || error "umount $mds failed"
86 do_facet $mds rmdir $mntpt || error "rmdir $mntpt failed"
94 [ -n "$file" ] || return;
95 [ -f $file ] || return;
96 stat $file | awk '$1 == "Context:" {print $2}'
100 local devname=$(mdsdevname 1)
101 local filename=${DIR}/${tdir}/df1
102 local mds_path=${filename#$MOUNT}
104 mds_path=${mds_path#/}
106 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir $tdir failed"
107 touch $filename || error "cannot touch $filename"
109 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
111 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
112 error "security.selinux xattr is not set"
114 run_test 1 "create file and check security.selinux xattr is set on MDT"
117 local devname=$(mdsdevname 1)
118 local dirname=${DIR}/${tdir}/dir2a
119 local mds_path=${dirname#$MOUNT}
121 mds_path=${mds_path#/}
123 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed"
124 mkdir $dirname || error "cannot mkdir $dirname"
126 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
128 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
129 error "security.selinux xattr is not set"
131 run_test 2a "create dir (mkdir) and check security.selinux xattr is set on MDT"
134 local devname=$(mdsdevname 1)
135 local dirname1=${DIR}/$tdir/dir2b1
136 local dirname2=${DIR}/$tdir/dir2b2
137 local mds_path=${dirname1#$MOUNT}
139 mds_path=${mds_path#/}
141 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed"
142 $LFS mkdir -c0 -i0 $dirname1 || error "cannot 'lfs mkdir' $dirname1"
144 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
146 mds_path=${dirname2#$MOUNT}
147 mds_path=${mds_path#/}
149 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
150 error "security.selinux xattr is not set"
152 $LFS setdirstripe -i0 $dirname2 ||
153 error "cannot 'lfs setdirstripe' $dirname2"
155 xattrval=$(check_selinux_xattr "mds1" $mds_path)
157 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
158 error "security.selinux xattr is not set"
160 run_test 2b "create dir with lfs and check security.selinux xattr is set on MDT"
163 local filename=$DIR/$tdir/df3
164 local level=$(id -Z | cut -d':' -f4-)
165 local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t \
172 echo "As unconfined_u: touch $filename"
173 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx touch $filename ||
174 error "can't touch $filename"
175 echo "As unconfined_u: rm -f $filename"
176 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx rm -f $filename ||
177 error "can't remove $filename"
181 run_test 3 "access with unconfined user"
184 local filename=$DIR/$tdir/df4
185 local guestctx="-u guest_u -r guest_r -t guest_t -l s0"
186 local usrctx="-u user_u -r user_r -t user_t -l s0"
188 sesearch --role_allow | grep -q "allow unconfined_r user_r"
189 if [ $? -ne 0 ]; then
190 skip "SELinux policy module must allow transition from \
191 unconfined_r to user_r for this test." && exit 0
193 sesearch --role_allow | grep -q "allow unconfined_r guest_r"
194 if [ $? -ne 0 ]; then
195 skip "SELinux policy module must allow transition from \
196 unconfined_r to guest_r for this test." && exit 0
203 echo "As guest_u: touch $filename"
204 $RUNAS_CMD -u $RUNAS_ID runcon $guestctx touch $filename &&
205 error "touch $filename should have failed"
208 echo "As user_u: touch $filename"
209 $RUNAS_CMD -u $RUNAS_ID runcon $usrctx touch $filename ||
210 error "can't touch $filename"
211 echo "As user_u: rm -f $filename"
212 $RUNAS_CMD -u $RUNAS_ID runcon $usrctx rm -f $filename ||
213 error "can't remove $filename"
217 run_test 4 "access with specific SELinux user"
220 local filename=$DIR/df5
221 local newsecctx="nfs_t"
224 touch $filename || error "cannot touch $filename"
227 chcon -t $newsecctx $filename
230 # purge client's cache
231 sync ; echo 3 > /proc/sys/vm/drop_caches
235 local secctxseen=$(get_sel_ctx $filename | cut -d: -f3)
237 [ "$newsecctx" == "$secctxseen" ] ||
238 error "sec context seen from 1st mount point is not correct"
242 run_test 5 "security context retrieval from MDT xattr"
245 local filename1=$DIR/df10
246 local filename2=$DIR2/df10
247 local newsecctx="nfs_t"
249 # create file from 1st mount point
250 touch $filename1 || error "cannot touch $filename1"
253 # change sec context from 2nd mount point
254 chcon -t $newsecctx $filename2
257 # get sec context from 1st mount point
259 local secctxseen=$(get_sel_ctx $filename1 | cut -d: -f3)
261 [ "$newsecctx" == "$secctxseen" ] ||
262 error_ignore LU-6784 \
263 "sec context seen from 1st mount point is not correct"
267 run_test 10 "[consistency] concurrent security context change"
270 local filename1=$DIR/$tdir/df20a
271 local filename2=$DIR2/$tdir/df20a
273 local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t -l s0"
278 # sleep some time in ll_create_nd()
279 #define OBD_FAIL_LLITE_CREATE_FILE_PAUSE 0x1409
280 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x1409"
282 # create file on first mount point
283 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx touch $filename1 &
287 if [[ -z "$(ps h -o comm -p $touchpid)" ]]; then
288 error "touch failed to sleep, pid=$touchpid"
291 # get sec info on second mount point
292 if [ -e "$filename2" ]; then
293 secinfo2=$(get_sel_ctx $filename2)
296 # get sec info on first mount point
298 secinfo1=$(get_sel_ctx $filename1)
300 # compare sec contexts
301 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
302 error "sec context seen from 2nd mount point is not correct"
306 run_test 20a "[atomicity] concurrent access from another client (file)"
309 local dirname1=$DIR/$tdir/dd20b
310 local dirname2=$DIR2/$tdir/dd20b
312 local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t -l s0"
317 # sleep some time in ll_create_nd()
318 #define OBD_FAIL_LLITE_NEWNODE_PAUSE 0x140a
319 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x140a"
321 # create file on first mount point
322 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx mkdir $dirname1 &
326 if [[ -z "$(ps h -o comm -p $mkdirpid)" ]]; then
327 error "mkdir failed to sleep, pid=$mkdirpid"
330 # get sec info on second mount point
331 if [ -e "$dirname2" ]; then
332 secinfo2=$(ls -ldZ $dirname2 | awk '{print $4}')
337 # get sec info on first mount point
339 secinfo1=$(ls -ldZ $dirname1 | awk '{print $4}')
341 # compare sec contexts
342 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
343 error "sec context seen from 2nd mount point is not correct"
347 run_test 20b "[atomicity] concurrent access from another client (dir)"
350 local dirname1=$DIR/dd20c
351 local dirname2=$DIR2/dd20c
354 # sleep some time in ll_create_nd()
355 #define OBD_FAIL_LLITE_SETDIRSTRIPE_PAUSE 0x140b
356 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x140b"
358 # create file on first mount point
359 $LFS mkdir -c0 -i0 $dirname1 &
363 if [[ -z "$(ps h -o comm -p $mkdirpid)" ]]; then
364 error "lfs mkdir failed to sleep, pid=$mkdirpid"
367 # get sec info on second mount point
368 if [ -e "$dirname2" ]; then
369 secinfo2=$(ls -ldZ $dirname2 | awk '{print $4}')
374 # get sec info on first mount point
376 secinfo1=$(ls -ldZ $dirname1 | awk '{print $4}')
378 # compare sec contexts
379 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
380 error "sec context seen from 2nd mount point is not correct"
384 run_test 20c "[atomicity] concurrent access from another client (dir via lfs)"
387 umount_client $MOUNT || error "umount $MOUNT failed"
393 local xattr_prefix=$(grep -E \
394 "#define[[:space:]]+XATTR_SECURITY_PREFIX[[:space:]]+" \
395 /usr/include/linux/xattr.h 2>/dev/null |
396 awk '{print $3}' | sed s+\"++g)
397 local xattr_suffix=$(grep -E \
398 "#define[[:space:]]+XATTR_SELINUX_SUFFIX[[:space:]]+" \
399 /usr/include/linux/xattr.h 2>/dev/null |
400 awk '{print $3}' | sed s+\"++g)
401 local xattr_name=${xattr_prefix}${xattr_suffix}
403 [ -z "$xattr_name" ] && xattr_name="security.selinux"
406 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
407 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
409 if $(grep -q $MOUNT' ' /proc/mounts); then
410 umount_client $MOUNT || error "umount $MOUNT failed"
414 mount_client $MOUNT ${MOUNT_OPTS} || error "mount client failed"
416 $LCTL set_param debug=+info
422 $LCTL dk | grep "get xattr '${xattr_name}'"
423 [ $? -eq 0 ] && error "get xattr event was triggered" || true
427 if [ "$MDS1_VERSION" -lt $(version_code 2.12.50) ] ||
428 [ "$CLIENT_VERSION" -lt $(version_code 2.12.50) ]; then
429 skip "Need version >= 2.12.50"
431 [ $MDSCOUNT -lt 2 ] && skip "needs >= 2 MDTs"
433 stack_trap cleanup_20d EXIT
435 local dirname=$DIR/$tdir/subdir
440 trace_cmd stat $dirname
441 trace_cmd touch $dirname/f1
442 trace_cmd stat $dirname/f1
443 trace_cmd cat $dirname/f1
444 dd if=/dev/zero of=$dirname/f1 bs=1M count=10
445 trace_cmd /usr/bin/truncate -s 10240 $dirname/f1
446 trace_cmd lfs setstripe -E -1 -S 4M $dirname/f2
447 trace_cmd lfs migrate -E -1 -S 256K $dirname/f2
448 trace_cmd lfs setdirstripe -i 1 $dirname/d2
449 trace_cmd lfs migrate -m 0 $dirname/d2
451 lfs setdirstripe -i 1 -c 1 $dirname/d3
452 dirname=$dirname/d3/subdir
455 trace_cmd stat $dirname
456 trace_cmd touch $dirname/f1
457 trace_cmd stat $dirname/f1
458 trace_cmd cat $dirname/f1
459 dd if=/dev/zero of=$dirname/f1 bs=1M count=10
460 trace_cmd /usr/bin/truncate -s 10240 $dirname/f1
461 trace_cmd lfs setstripe -E -1 -S 4M $dirname/f2
462 trace_cmd lfs migrate -E -1 -S 256K $dirname/f2
464 run_test 20d "[atomicity] avoid getxattr for security context"
467 [ "$CLIENT_VERSION" -lt $(version_code 2.13.54) ] &&
468 skip "Need client version >= 2.13.54"
469 local filename1=$DIR/$tdir/df20e
472 local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t -l s0"
476 #define OBD_FAIL_LLITE_CREATE_FILE_PAUSE2 0x1416
477 do_facet client "$LCTL set_param fail_val=$delay fail_loc=0x80001416"
479 # create file on first mount point
480 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx touch $filename1 &
484 sysctl -w vm.drop_caches=2
485 $RUNAS_CMD -u $RUNAS_ID runcon $unconctx stat $DIR/$tdir &
489 evict=$($LCTL get_param mdc.$FSNAME-MDT*.state |
490 awk -F"[ [,]" '/EVICTED ]$/ { if (mx<$5) {mx=$5;} } END { print mx }')
492 [ -z "$evict" ] || [[ $evict -le $before ]] || error "eviction happened"
494 run_test 20e "client deadlock and eviction form MDS"
503 if [ "$nm" == "active" ]; then
506 proc_param="$nm.$key"
508 # check all MDS nodes, in reverse order to privilege remote ones first
509 for i in $(seq $MDSCOUNT); do
510 facets="mds$i $facets"
512 for facet in $facets; do
515 out=$(do_facet $facet $LCTL get_param -n \
516 nodemap.$proc_param 2>/dev/null)
517 echo "On $facet, ${proc_param} = $out"
518 [ "$val" == "$out" ] && is_sync=true && break
522 error "$proc_param not updated on $facet after 20 secs"
530 local client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
531 local client_nid=$(h2nettype $client_ip)
533 do_facet mgs $LCTL nodemap_activate 1
535 do_facet mgs $LCTL nodemap_add $nm
536 do_facet mgs $LCTL nodemap_add_range \
537 --name $nm --range $client_nid
538 do_facet mgs $LCTL nodemap_modify --name $nm \
539 --property admin --value 1
540 do_facet mgs $LCTL nodemap_modify --name $nm \
541 --property trusted --value 1
543 check_nodemap $nm admin_nodemap 1
544 check_nodemap $nm trusted_nodemap 1
547 l_getsepol || error "cannot get sepol"
548 sepol=$(l_getsepol | cut -d':' -f2- | xargs)
549 [ -n "$sepol" ] || error "sepol is empty"
550 do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol"
552 check_nodemap $nm sepol $sepol
558 do_facet mgs $LCTL nodemap_del $nm
560 wait_update_facet --verbose mds1 \
561 "$LCTL get_param nodemap.$nm.id 2>/dev/null | \
562 grep -c $nm || true" 0 30 ||
563 error "nodemap $nm could not be removed"
565 do_facet mgs $LCTL nodemap_activate 0
567 check_nodemap active x 0
571 [ "$MDS1_VERSION" -lt $(version_code 2.11.56) ] &&
572 skip "Need MDS >= 2.11.56"
577 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
578 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
580 if $(grep -q $MOUNT' ' /proc/mounts); then
581 umount_client $MOUNT || error "umount $MOUNT failed"
584 # create nodemap entry with sepol
588 # update mount option with skpath
589 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
590 export SK_UNIQUE_NM=true
592 # load specific key on servers
593 do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \
594 -l $SK_PATH/nodemap/c0.key"
596 # set perms for per-nodemap keys else permission denied
597 do_nodes $(comma_list $(all_server_nodes)) \
598 "keyctl show | grep lustre | cut -c1-11 |
600 xargs -IX keyctl setperm X 0x3f3f3f3f"
604 # mount client without sending sepol
605 mount_client $MOUNT $MOUNT_OPTS &&
606 error "client mount without sending sepol should be refused"
608 # mount client with sepol
609 echo -1 > /sys/module/ptlrpc/parameters/send_sepol
610 mount_client $MOUNT $MOUNT_OPTS ||
611 error "client mount with sepol failed"
614 umount_client $MOUNT || error "umount $MOUNT failed"
616 # store wrong sepol in nodemap
617 sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000"
618 do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
619 check_nodemap c0 sepol $sepol
621 # mount client with sepol
622 mount_client $MOUNT $MOUNT_OPTS &&
623 error "client mount without matching sepol should be refused"
629 export SK_UNIQUE_NM=false
632 # remount client normally
633 echo 0 > /sys/module/ptlrpc/parameters/send_sepol
634 mountcli || error "normal client mount failed"
636 run_test 21a "Send sepol at connect"
639 [ "$MDS1_VERSION" -lt $(version_code 2.11.56) ] &&
640 skip "Need MDS >= 2.11.56"
644 mkdir -p $DIR/$tdir || error "failed to create $DIR/$tdir"
645 echo test > $DIR/$tdir/toopen ||
646 error "failed to write to $DIR/$tdir/toopen"
647 touch $DIR/$tdir/ftoremove ||
648 error "failed to create $DIR/$tdir/ftoremove"
649 touch $DIR/$tdir/ftoremove2 ||
650 error "failed to create $DIR/$tdir/ftoremove2"
651 touch $DIR/$tdir/ftoremove3 ||
652 error "failed to create $DIR/$tdir/ftoremove3"
653 touch $DIR/$tdir/ftoremove4 ||
654 error "failed to create $DIR/$tdir/ftoremove4"
655 mkdir $DIR/$tdir/dtoremove ||
656 error "failed to create $DIR/$tdir/dtoremove"
657 mkdir $DIR/$tdir/dtoremove2 ||
658 error "failed to create $DIR/$tdir/dtoremove2"
659 mkdir $DIR/$tdir/dtoremove3 ||
660 error "failed to create $DIR/$tdir/dtoremove3"
661 mkdir $DIR/$tdir/dtoremove4 ||
662 error "failed to create $DIR/$tdir/dtoremove4"
663 touch $DIR/$tdir/ftorename ||
664 error "failed to create $DIR/$tdir/ftorename"
665 mkdir $DIR/$tdir/dtorename ||
666 error "failed to create $DIR/$tdir/dtorename"
667 setfattr -n user.myattr -v myval $DIR/$tdir/toopen ||
668 error "failed to set xattr on $DIR/$tdir/toopen"
669 echo 3 > /proc/sys/vm/drop_caches
671 # create nodemap entry with sepol
675 export SK_UNIQUE_NM=true
677 # load specific key on servers
678 do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \
679 -l $SK_PATH/nodemap/c0.key"
681 # set perms for per-nodemap keys else permission denied
682 do_nodes $(comma_list $(all_server_nodes)) \
683 "keyctl show | grep lustre | cut -c1-11 |
685 xargs -IX keyctl setperm X 0x3f3f3f3f"
689 # metadata ops without sending sepol
690 touch $DIR/$tdir/f0 && error "touch (1)"
691 lfs setstripe -c1 $DIR/$tdir/f1 && error "lfs setstripe (1)"
692 mkdir $DIR/$tdir/d0 && error "mkdir (1)"
693 lfs setdirstripe -i0 -c1 $DIR/$tdir/d1 && error "lfs setdirstripe (1)"
694 cat $DIR/$tdir/toopen && error "cat (1)"
695 rm -f $DIR/$tdir/ftoremove && error "rm (1)"
696 rmdir $DIR/$tdir/dtoremove && error "rmdir (1)"
697 mv $DIR/$tdir/ftorename $DIR/$tdir/ftorename2 && error "mv (1)"
698 mv $DIR/$tdir/dtorename $DIR/$tdir/dtorename2 && error "mv (2)"
699 getfattr -n user.myattr $DIR/$tdir/toopen && error "getfattr (1)"
700 setfattr -n user.myattr -v myval2 $DIR/$tdir/toopen &&
702 chattr +i $DIR/$tdir/toopen && error "chattr (1)"
703 lsattr $DIR/$tdir/toopen && error "lsattr (1)"
704 chattr -i $DIR/$tdir/toopen && error "chattr (1)"
705 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl1 && error "symlink (1)"
706 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl1 && error "hardlink (1)"
708 # metadata ops with sepol
709 echo -1 > /sys/module/ptlrpc/parameters/send_sepol
710 touch $DIR/$tdir/f2 || error "touch (2)"
711 lfs setstripe -c1 $DIR/$tdir/f3 || error "lfs setstripe (2)"
712 mkdir $DIR/$tdir/d2 || error "mkdir (2)"
713 lfs setdirstripe -i0 -c1 $DIR/$tdir/d3 || error "lfs setdirstripe (2)"
714 cat $DIR/$tdir/toopen || error "cat (2)"
715 rm -f $DIR/$tdir/ftoremove || error "rm (2)"
716 rmdir $DIR/$tdir/dtoremove || error "rmdir (2)"
717 mv $DIR/$tdir/ftorename $DIR/$tdir/ftorename2 || error "mv (3)"
718 mv $DIR/$tdir/dtorename $DIR/$tdir/dtorename2 || error "mv (4)"
719 getfattr -n user.myattr $DIR/$tdir/toopen || error "getfattr (2)"
720 setfattr -n user.myattr -v myval2 $DIR/$tdir/toopen ||
722 chattr +i $DIR/$tdir/toopen || error "chattr (2)"
723 lsattr $DIR/$tdir/toopen || error "lsattr (2)"
724 chattr -i $DIR/$tdir/toopen || error "chattr (2)"
725 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl2 || error "symlink (2)"
726 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl2 || error "hardlink (2)"
727 echo 3 > /proc/sys/vm/drop_caches
729 # store wrong sepol in nodemap
730 sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000"
731 do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
732 check_nodemap c0 sepol $sepol
734 # metadata ops with sepol
735 touch $DIR/$tdir/f4 && error "touch (3)"
736 lfs setstripe -c1 $DIR/$tdir/f5 && error "lfs setstripe (3)"
737 mkdir $DIR/$tdir/d4 && error "mkdir (3)"
738 lfs setdirstripe -i0 -c1 $DIR/$tdir/d5 && error "lfs setdirstripe (3)"
739 cat $DIR/$tdir/toopen && error "cat (3)"
740 rm -f $DIR/$tdir/ftoremove2 && error "rm (3)"
741 rmdir $DIR/$tdir/dtoremove2 && error "rmdir (3)"
742 mv $DIR/$tdir/ftorename2 $DIR/$tdir/ftorename && error "mv (5)"
743 mv $DIR/$tdir/dtorename2 $DIR/$tdir/dtorename && error "mv (6)"
744 getfattr -n user.myattr $DIR/$tdir/toopen && error "getfattr (3)"
745 setfattr -n user.myattr -v myval3 $DIR/$tdir/toopen &&
747 chattr +i $DIR/$tdir/toopen && error "chattr (3)"
748 lsattr $DIR/$tdir/toopen && error "lsattr (3)"
749 chattr -i $DIR/$tdir/toopen && error "chattr (3)"
750 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl3 && error "symlink (3)"
751 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl3 && error "hardlink (3)"
753 # reset correct sepol
754 l_getsepol || error "cannot get sepol"
755 sepol=$(l_getsepol | cut -d':' -f2- | xargs)
756 [ -n "$sepol" ] || error "sepol is empty"
757 do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
758 check_nodemap c0 sepol $sepol
760 # metadata ops with sepol every 1000 seconds only
761 echo 1000 > /sys/module/ptlrpc/parameters/send_sepol
762 local before=$(date +%s)
763 touch $DIR/$tdir/f6 || error "touch (4)"
764 lfs setstripe -c1 $DIR/$tdir/f7 || error "lfs setstripe (4)"
765 mkdir $DIR/$tdir/d6 || error "mkdir (4)"
766 lfs setdirstripe -i0 -c1 $DIR/$tdir/d7 || error "lfs setdirstripe (4)"
767 cat $DIR/$tdir/toopen || error "cat (4)"
768 rm -f $DIR/$tdir/ftoremove2 || error "rm (4)"
769 rmdir $DIR/$tdir/dtoremove2 || error "rmdir (4)"
770 mv $DIR/$tdir/ftorename2 $DIR/$tdir/ftorename || error "mv (7)"
771 mv $DIR/$tdir/dtorename2 $DIR/$tdir/dtorename || error "mv (8)"
772 getfattr -n user.myattr $DIR/$tdir/toopen || error "getfattr (4)"
773 setfattr -n user.myattr -v myval3 $DIR/$tdir/toopen ||
775 chattr +i $DIR/$tdir/toopen || error "chattr (4)"
776 lsattr $DIR/$tdir/toopen || error "lsattr (4)"
777 chattr -i $DIR/$tdir/toopen || error "chattr (4)"
778 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl4 || error "symlink (4)"
779 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl4 || error "hardlink (4)"
780 echo 3 > /proc/sys/vm/drop_caches
782 # change one SELinux boolean value
783 sebool=$(getsebool deny_ptrace | awk '{print $3}')
784 if [ "$sebool" == "off" ]; then
785 setsebool -P deny_ptrace on
787 setsebool -P deny_ptrace off
790 # sepol should not be checked yet, so metadata ops without matching
791 # sepol should succeed
792 touch $DIR/$tdir/f8 || error "touch (5)"
793 lfs setstripe -c1 $DIR/$tdir/f9 || error "lfs setstripe (5)"
794 mkdir $DIR/$tdir/d8 || error "mkdir (5)"
795 lfs setdirstripe -i0 -c1 $DIR/$tdir/d9 || error "lfs setdirstripe (5)"
796 cat $DIR/$tdir/toopen || error "cat (5)"
797 rm -f $DIR/$tdir/ftoremove3 || error "rm (5)"
798 rmdir $DIR/$tdir/dtoremove3 || error "rmdir (5)"
799 mv $DIR/$tdir/ftorename $DIR/$tdir/ftorename2 || error "mv (9)"
800 mv $DIR/$tdir/dtorename $DIR/$tdir/dtorename2 || error "mv (10)"
801 getfattr -n user.myattr $DIR/$tdir/toopen || error "getfattr (5)"
802 setfattr -n user.myattr -v myval4 $DIR/$tdir/toopen ||
804 chattr +i $DIR/$tdir/toopen || error "chattr (5)"
805 lsattr $DIR/$tdir/toopen || error "lsattr (5)"
806 chattr -i $DIR/$tdir/toopen || error "chattr (5)"
807 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl5 || error "symlink (5)"
808 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl5 || error "hardlink (5)"
809 echo 3 > /proc/sys/vm/drop_caches
811 local after=$(date +%s)
812 # change send_sepol to a smaller, already expired, value
813 echo $((after-before-1)) > /sys/module/ptlrpc/parameters/send_sepol
814 # metadata ops without matching sepol: should fail now
815 touch $DIR/$tdir/f10 && error "touch (6)"
816 lfs setstripe -c1 $DIR/$tdir/f11 && error "lfs setstripe (6)"
817 mkdir $DIR/$tdir/d10 && error "mkdir (6)"
818 lfs setdirstripe -i0 -c1 $DIR/$tdir/d11 && error "lfs setdirstripe (6)"
819 cat $DIR/$tdir/toopen && error "cat (6)"
820 rm -f $DIR/$tdir/ftoremove4 && error "rm (6)"
821 rmdir $DIR/$tdir/dtoremove4 && error "rmdir (6)"
822 mv $DIR/$tdir/ftorename2 $DIR/$tdir/ftorename && error "mv (11)"
823 mv $DIR/$tdir/dtorename2 $DIR/$tdir/dtorename && error "mv (12)"
824 getfattr -n user.myattr $DIR/$tdir/toopen && error "getfattr (6)"
825 setfattr -n user.myattr -v myval5 $DIR/$tdir/toopen &&
827 chattr +i $DIR/$tdir/toopen && error "chattr (6)"
828 lsattr $DIR/$tdir/toopen && error "lsattr (6)"
829 chattr -i $DIR/$tdir/toopen && error "chattr (6)"
830 ln -s $DIR/$tdir/toopen $DIR/$tdir/toopen_sl6 && error "symlink (6)"
831 ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl6 && error "hardlink (6)"
833 # restore SELinux boolean value
834 if [ "$sebool" == "off" ]; then
835 setsebool -P deny_ptrace off
837 setsebool -P deny_ptrace on
842 echo 0 > /sys/module/ptlrpc/parameters/send_sepol
845 export SK_UNIQUE_NM=false
848 run_test 21b "Send sepol for metadata ops"
851 check_and_cleanup_lustre