[slurm-users] pam_slurm_adopt always claims now active jobs even when they do
William Brown
william at signalbox.org.uk
Fri Jan 15 14:23:00 UTC 2021
I encountered the same problem, and as with munge I created a .te file that
can be built to create a policy to add to the compute nodes to fix this:
my-pam_slurm_adopt.te:
-----------------------------------------------------------------------------------
module my-pam_slurm_adopt 1.0;

require {
        type sshd_t;
        type var_spool_t;
        class sock_file write;
}

#============= sshd_t ==============
#!!!! WARNING: 'var_spool_t' is a base type.
allow sshd_t var_spool_t:sock_file { write };
-----------------------------------------------------------------------------------
My notes adapted from a similar module for munge:
Preparing and compiling the policy requires that the selinux-policy-devel
package is installed; this only has to be done on one server, typically a
separate development node. This from the RHEL docs:
*For developing policy modules, the selinux-policy-devel package includes
all of the interface files used to build policy. It is recommended that
people who build policy use these files to build the policy modules.*
*This package installs the policy interface files under
/usr/share/selinux/devel/include and has make files installed in
/usr/share/selinux/devel/Makefile.*
*To help applications that need the various SELinux paths, libselinux
provides a number of functions that return the paths to the different
configuration files and directories. This negates the need for applications
to hard-code the paths, especially since the active policy location is
dependent on the SELINUXTYPE setting in /etc/selinux/config.*
Copy the my-pam_slurm_adopt.te file into an empty directory.
Copy the example Makefile from /usr/share/selinux/devel/Makefile into the
same directory.
Run make to create the .pp file.
Once the my-pam_slurm_adopt.pp file is created it can be copied to other
systems (your compute nodes) and installed using semodule as above. Once
it is built it is worth saving off-host. Note however that if an update is
made to the source it would need to be recompiled.
Install the new policy (this will survive reboots):
/usr/sbin/semodule -i my-pam_slurm_adopt.pp
semodule is provided by policycoreutils package, so install this if it is
not already installed:
# yum install policycoreutils
On Fri, 15 Jan 2021 at 13:47, Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk>
wrote:
> On 10/29/20 12:56 PM, Paul Raines wrote:
> > The debugging was useful. The problem turned out to be that I am running
> > with SELINUX enabled due to corporate policy. The issue was SELINUX is
> > blocking sshd access to /var/slurm/spool/d socket files:
>
> The documentation https://slurm.schedmd.com/pam_slurm_adopt.html describes
> some limitations:
>
> * SELinux may conflict with pam_slurm_adopt, so it might need to be
>   disabled.
>
> See also the author's page
> http://tech.ryancox.net/2015/11/pamslurmadopt.html
>
> /Ole
>
>
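An added example, not part of the original message or of any Slurm or SELinux tooling: a Python check of which AVC denials in an audit log the allow rule from my-pam_slurm_adopt.te covers, so that anything sshd is still being denied shows up after the module is installed. The log lines, pids, inode numbers and file names are constructed for illustration; the rule matches on type alone, so it applies to every sock_file labelled var_spool_t.

```python
import re

# The allow rule from my-pam_slurm_adopt.te as posted in the message above.
TE_RULE = "allow sshd_t var_spool_t:sock_file { write };"

# Constructed audit.log lines (not from the thread); all values are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1610720580.101:901): avc:  denied  { write } for  pid=4021 comm="sshd" name="node01_1234.0" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1610720580.102:902): avc:  denied  { read } for  pid=4021 comm="sshd" name="example.dat" dev="dm-0" ino=1312 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1610720580.101:901): arch=c000003e syscall=42 success=no exit=-13
"""

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                    r"scontext=([^ ]+).*?tcontext=([^ ]+).*?tclass=(\S+)")


def parse_allow(rule):
    """Return (source_type, target_type, class, set_of_perms) for one allow rule."""
    src, tgt, cls, perms = ALLOW_RE.search(rule).groups()
    return src, tgt, cls, set(perms.split())


def parse_denials(log):
    """Yield (source_type, target_type, class, perms) for each AVC denial line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms, scon, tcon, cls = m.groups()
            # An SELinux context is user:role:type:level; the type is field 3.
            yield scon.split(":")[2], tcon.split(":")[2], cls, set(perms.split())


def uncovered(log, rule=TE_RULE):
    """Return the denials that the given allow rule would NOT permit."""
    src, tgt, cls, allowed = parse_allow(rule)
    return [d for d in parse_denials(log)
            if not (d[0] == src and d[1] == tgt and d[2] == cls and d[3] <= allowed)]


if __name__ == "__main__":
    for src, tgt, cls, perms in uncovered(SAMPLE_LOG):
        print(f"still denied: {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```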