
Re: [HTCondor-users] condor_ssh_to_job and ephemeral LVM filesystems with SELinux



On Thu, 2025-10-02 at 10:58 +0200, Thomas Hartmann wrote:
> Hi Alexandr,
> 
> ah, SELinux fun...
> 
> one option (maybe a bit blunt force applied) could be either to disable
> SELinux context for the whole /scratch file system (if it is on a
> separate mount?) or maybe try and tweak mounting it with the
> `-context="..."` mount flag and try/err which labels need to be
> applied for everything to work. However, I have not tried that wrt
> Condor so your experiences may vary...
> 
> Else, worth a try might be to be less blunt and to label the scratch
> dir with a broad context like `tmp_t` or `public_content_rw_t`, which
> should(?) allow nearly anything IIRC
>     semanage fcontext -a -t public_content_rw_t "/scratch/condor(/.*)?"
>     restorecon -Rv /scratch/condor/
> I would hope that child directories for jobs inherit the labels :-)
> 
> 
> I would be quite interested, if it works for you (as I have so far 
> disabled SELinux for my EPs... :-/ )
> 
> Cheers,
>   Thomas
> 
> 
> 
The problem is that condor creates the LVM volume dynamically PER JOB
execution, and this volume does not have the right context.
The original /scratch approach is OK (we are just testing the LVM-per-job
approach and we found this bug).
When we use standard /scratch with subdirs per job, it works OK for us
with SEL enabled; you can probably give it a try.

-- 
Alexandr Mikula
OddÄlenà sÃÅovÃnà a vÃpoÄetnà techniky & VÃpoÄetnà stÅedisko 
FyzikÃlnà Ãstav Akademie vÄd Äeskà republiky, v. v. i.
Institute of Physics of the Czech Academy of Sciences 
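Since the thread's diagnosis is that per-job LVM volumes come up with a label the job owner's domain cannot use, the practical check on an EP is to compare the SELinux type of every job sandbox (directory or mounted volume) under the scratch root against the type that was actually assigned with semanage. The script below is an added example, not part of the thread or of HTCondor itself; the scratch path `/scratch/condor`, the expected type `public_content_rw_t` (the one suggested above) and the sample `stat` output are assumptions and constructed data.

```sh
#!/bin/sh
# Added example (not from the thread / not HTCondor code).
# Audit SELinux labels of per-job scratch sandboxes or per-job LVM mounts.
#
# Input on stdin: one line per entry, "<path> <selinux-context>", exactly as
#   find /scratch/condor -mindepth 1 -maxdepth 1 -exec stat -c '%n %C' {} +
# prints it on a SELinux-enabled host (paths are assumed to contain no spaces).
# Output: one line "<path> <type>" for every entry whose type field differs
# from the expected type; exit status 0 if all labels match, 1 otherwise.

check_labels() {
    want="$1"
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ctx="${line##* }"    # last field: user:role:type:level
        path="${line% *}"    # everything before it: the path
        # The level (s0-s0:c0.c1023) may itself contain ':', so take field 3
        # rather than splitting from the right.
        type="$(printf '%s\n' "$ctx" | cut -d: -f3)"
        if [ "$type" != "$want" ]; then
            printf '%s %s\n' "$path" "$type"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample (not real EP output): one sandbox labelled as intended,
# one freshly created per-job volume that still carries the default label.
SAMPLE='/scratch/condor/dir_1001 system_u:object_r:public_content_rw_t:s0
/scratch/condor/dir_1002 system_u:object_r:unlabeled_t:s0'

# Run the audit over the constructed sample; prints the mislabelled entry.
demo() {
    printf '%s\n' "$SAMPLE" | check_labels public_content_rw_t
}

demo
```

On a real execute point, feed the `find ... -exec stat -c '%n %C'` output into `check_labels` from a cron job or a STARTD_CRON script; a non-zero exit flags the sandbox or volume that `condor_ssh_to_job` will not be able to enter, before a user reports it. If you instead follow the `-o context=` mount route from the thread, the same audit verifies that the mount option produced the type you expect.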
