[slurm-users] pam_slurm_adopt always claims now active jobs even when they do

William Brown william at signalbox.org.uk
Fri Jan 15 14:23:00 UTC 2021


I encountered the same problem, and as with munge I created a .te file that
can be built to create a policy to add to the compute nodes to fix this:

my-pam_slurm_adopt.te:
-----------------------------------------------------------------------------------
module my-pam_slurm_adopt 1.0;

require {
        type sshd_t;
        type var_spool_t;
        class sock_file write;
}

#============= sshd_t ==============

#!!!! WARNING: 'var_spool_t' is a base type.
allow sshd_t var_spool_t:sock_file { write };
-----------------------------------------------------------------------------------
My notes adapted from a similar module for munge:

Preparing and compiling the policy requires that the selinux-policy-devel
package is installed; this only has to be done on one server, typically a
separate development node.  This is from the RHEL docs:

*For developing policy modules, the selinux-policy-devel package includes
all of the interface files used to build policy. It is recommended that
people who build policy use these files to build the policy modules.*

*This package installs the policy interface files under
/usr/share/selinux/devel/include and has make files installed in
/usr/share/selinux/devel/Makefile.*

*To help applications that need the various SELinux paths, libselinux
provides a number of functions that return the paths to the different
configuration files and directories. This negates the need for applications
to hard-code the paths, especially since the active policy location is
dependent on the SELINUXTYPE setting in /etc/selinux/config.*

Copy the my-pam_slurm_adopt.te file into an empty directory.

Copy the example Makefile from /usr/share/selinux/devel/Makefile into the
same directory.

Run make to create the .pp file.

Once the my-pam_slurm_adopt.pp file is created it can be copied to other
systems (your compute nodes) and installed using semodule as above.  Once
it is built it is worth saving off-host.  Note however that if an update is
made to the source it would need to be recompiled.

Install the new policy (this will survive reboots):

/usr/sbin/semodule -i my-pam_slurm_adopt.pp

semodule is provided by policycoreutils package, so install this if it is
not already installed:

# yum install policycoreutils

On Fri, 15 Jan 2021 at 13:47, Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk>
wrote:

> On 10/29/20 12:56 PM, Paul Raines wrote:
> > The debugging was useful.  The problem turned out to be that I am running
> > with SELINUX enabled due to corporate policy.  The issue was SELINUX is
> > blocking sshd access to /var/slurm/spool/d socket files:
>
> The documentation https://slurm.schedmd.com/pam_slurm_adopt.html
> describes
> some limitations:
>
> * SELinux may conflict with pam_slurm_adopt, so it might need to be
> disabled.
>
> See also the author's page
> http://tech.ryancox.net/2015/11/pamslurmadopt.html
>
> /Ole
>
>
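Added example, not part of the original message or of Slurm: a small Python check that compares AVC denials from audit.log against the allow rule in my-pam_slurm_adopt.te, so you can see whether the module covers everything sshd is being denied. The audit records below are constructed for illustration (including the unix_stream_socket denial, which is there only to show an uncovered case), and the function names are hypothetical.

```python
import re

# The policy module text from the message above.
TE_SOURCE = """
module my-pam_slurm_adopt 1.0;
require {
        type sshd_t;
        type var_spool_t;
        class sock_file write;
}
allow sshd_t var_spool_t:sock_file { write };
"""

# Constructed audit.log records (sample data, not from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1610720580.101:901): avc:  denied  { write } for  pid=4211 comm="sshd" name="node01_1234.4294967294" dev="dm-0" ino=9001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1610720580.102:902): avc:  denied  { connectto } for  pid=4211 comm="sshd" path="/var/slurm/spool/d/node01_1234.4294967294" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1610720580.102:902): arch=c000003e syscall=42 success=no exit=-13 comm="sshd"
"""

ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+"
    r"(?:\{([^}]*)\}|(\w+))\s*;", re.M)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=[^:]+:[^:]+:(\w+)\S*"
    r"\s+tcontext=[^:]+:[^:]+:(\w+)\S*\s+tclass=(\w+)")

def parse_allow_rules(te_text):
    # Map (source type, target type, class) -> set of allowed permissions.
    rules = {}
    for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text):
        perms = set((braced or single).split())
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def uncovered_denials(audit_text, rules):
    # Return denials whose permissions are not granted by the given rules.
    missing = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms, src, tgt, cls = m.groups()
        gap = set(perms.split()) - rules.get((src, tgt, cls), set())
        if gap:
            missing.append((src, tgt, cls, sorted(gap)))
    return missing
```

On a compute node, feed it the real denials instead of SAMPLE_AUDIT, for example the output of ausearch -m avc -c sshd; an empty result means the module accounts for every denial seen.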