
Re: [HTCondor-users] condor_ssh_to_job and ephemeral LVM filesystems with SELinux



Hi Alexandr,

ah, SELinux fun...

one option (maybe a bit of blunt force) could be either to disable SELinux contexts for the whole /scratch file system (if it is on a separate mount?) or maybe to try mounting it with the `-context="..."` mount flag and find out by try/err which labels need to be applied for everything to work. However, I have not tried that with Condor, so your experience may vary...

Else, it might be worth trying to be less blunt and to label the scratch dir with a broad context like `tmp_t` or `public_content_rw_t`, which should(?) allow nearly anything IIRC
 > semanage fcontext -t public_content_rw_t -a "/scratch/condor(/.*)"
 > restorecon -Rv /scratch/condor/
I would hope that child directories for jobs inherit the labels


I would be quite interested to know if it works for you (as I have so far disabled SELinux for my EPs... :-/ )

Cheers,
  Thomas

On  2025-10-02 09:40, Alexandr Mikula wrote:
Hi fellow birdkeepers,
I am having a problem using condor_ssh_to_job (including
interactive jobs), due to the combination of per-job LVM and
enforcing SELinux on the EP.

On EP without LVM and with SELinux it works OK.

Condor is unable to create the ssh keypair, with this in the audit
log:

type=AVC msg=audit(1759390053.112:250528): avc:  denied  { write } for
pid=1383020 comm="ssh-keygen"
path="/scratch/condor/dir_1364028/.condor_ssh_to_job_2/keygen.log"
dev="dm-13" ino=27 scontext=system_u:system_r:ssh_keygen_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

condor_ssh_to_job output:
#condor_ssh_to_job 31194944
slot1_2@minis01: condor_ssh_to_job_sshd_setup failed: Failed to create
ssh key /scratch/condor/dir_1364028/.condor_ssh_to_job_2/sshkey with
command "/usr/bin/ssh-keygen" "-N" "" "-C" "" "-q" "-f"
"/scratch/condor/dir_1364028/.condor_ssh_to_job_2/sshkey" "-t" "rsa"


Any ideas how to fix it?
Cheers
AM

