I have installed the Torque batch system (from EPEL) in a tiny demo cluster (frontend+3 nodes). On the front-end I have
[root@n0 ~]# rpm -qa |grep torque
torque-4.2.10-10.el7.x86_64
torque-server-4.2.10-10.el7.x86_64
torque-libs-4.2.10-10.el7.x86_64
torque-docs-4.2.10-10.el7.noarch
torque-gui-4.2.10-10.el7.x86_64
torque-scheduler-4.2.10-10.el7.x86_64
torque-client-4.2.10-10.el7.x86_64
[root@n0 ~]#
[root@n1 log]# rpm -qa |grep torque
torque-4.2.10-10.el7.x86_64
torque-pam-4.2.10-10.el7.x86_64
torque-libs-4.2.10-10.el7.x86_64
torque-mom-4.2.10-10.el7.x86_64
[root@n1 log]#
[root@n1 log]# rpm -ql torque-pam
/lib64/security/pam_pbssimpleauth.so
/usr/share/doc/torque-pam-4.2.10
/usr/share/doc/torque-pam-4.2.10/README.pam
[root@n1 log]#
[root@n1 log]# cat /usr/share/doc/torque-pam-4.2.10/README.pam
This is a simple PAM module to be used on PBS compute nodes (hosts running
pbs_mom) to authorize users that have a running job. Uid 0 is always allowed.
The optional argument "debug" sends verbose information to syslog.
You'll want something like this in your PAM
conf files:
account sufficient pam_pbssimpleauth.so
The pam_pbssimpleauth module combines nicely with the pam_access module to
allow access to cluster administrators:
account sufficient pam_pbssimpleauth.so
account required pam_access.so
/etc/security/access.conf can then have something like:
-:ALL EXCEPT root admgroup:ALL
[root@n1 log]#
http://docs.adaptivecomputing.com/torqu ... s%7C_____4
(instead of "sufficient") for pam_pbssimpleauth.so. I'm not sure I understand that. I think I understand sufficient.
Even writing "sufficient", I cannot get it working. On the compute nodes I have added this last line to the otherwise fully commented-out access.conf
[root@n1 log]# tail -3 /etc/security/access.conf
# All other users should be denied to get access from all sources.
#- : ALL : ALL
- : ALL EXCEPT root : ALL
[root@n1 log]#
[root@n1 log]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
######################################################
account sufficient pam_pbssimpleauth.so debug
account required pam_access.so
######################################################
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
...
The "debug" argument (not mentioned in the Torque manual) is great, since it allowed me to discover that it is not working just because of... SELinux
[root@n1 log]# less messages
...
Jun 15 18:50:11 n1 pbs_mom: LOG_INFO::create_job_cpuset, creating cpuset for job 15.n0: 0 cpus (), 0 mems ()
Jun 15 18:50:13 n1 pam_pbssimpleauth[1603]: opening /var/lib/torque/mom_priv/jobs
Jun 15 18:50:13 n1 pam_pbssimpleauth[1603]: username javier, known
Jun 15 18:50:13 n1 pam_pbssimpleauth[1603]: opening /var/lib/torque/mom_priv/jobs/15.n0.JB
Jun 15 18:50:13 n1 pam_pbssimpleauth[1603]: error opening job file
Jun 15 18:50:13 n1 pam_pbssimpleauth[1603]: returning failed
Jun 15 18:50:13 n1 dbus-daemon: dbus[692]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
...
Jun 15 18:50:16 n1 setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file 15.n0.JB. For complete SELinux messages. run sealert -l 8016e71e-8fe1-4368-a3d9-2576a1f630ec
...
Jun 15 18:51:14 n1 pam_pbssimpleauth[1708]: opening /var/lib/torque/mom_priv/jobs/16.n0.JB
...
Jun 15 18:51:16 n1 setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file 16.n0.JB. For complete SELinux messages. run sealert -l 8016e71e-8fe1-4368-a3d9-2576a1f630ec
...
Jun 15 18:52:07 n1 pam_pbssimpleauth[1763]: opening /var/lib/torque/mom_priv/jobs/17.n0.JB
...
Jun 15 18:52:08 n1 setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file 17.n0.JB. For complete SELinux messages. run sealert -l 8016e71e-8fe1-4368-a3d9-2576a1f630ec
...
[root@n1 log]# sealert -l 8016e71e-8fe1-4368-a3d9-2576a1f630ec
SELinux is preventing /usr/sbin/sshd from read access on the file 17.n0.JB.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow sshd to have read access on the 17.n0.JB file
Then you need to change the label on 17.n0.JB
Do
# semanage fcontext -a -t FILE_TYPE '17.n0.JB'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, ... , zebra_tmp_t.
Then execute:
restorecon -v '17.n0.JB'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that sshd should be allowed read access on the 17.n0.JB file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_lib_t:s0
Target Objects 17.n0.JB [ file ]
Source sshd
Source Path /usr/sbin/sshd
...
Alert Count 17
First Seen 2017-06-15 13:43:50 CEST
Last Seen 2017-06-15 18:52:07 CEST
Local ID 8016e71e-8fe1-4368-a3d9-2576a1f630ec
Raw Audit Messages
type=AVC msg=audit(1497545527.21:290): avc: denied { read } for pid=1763 comm="sshd" name="17.n0.JB" dev="sda3" ino=1859787 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1497545527.21:290): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffd0b9b7cf0 a1=0 a2=0 a3=4000 items=0 ppid=1115 pid=1763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Hash: sshd,sshd_t,var_lib_t,file,read
[root@n1 log]#
[root@n1 jobs]# pwd
/var/lib/torque/mom_priv/jobs
[root@n1 jobs]# ls -Z ..
lrwxrwxrwx. root root system_u:object_r:var_lib_t:s0 config -> /etc/torque/mom/config
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 jobs
lrwxrwxrwx. root root system_u:object_r:var_lib_t:s0 mom.layout -> /etc/torque/mom/mom.layout
-rw-r--r--. root root system_u:object_r:var_lib_t:s0 mom.lock
[root@n1 jobs]# ls -la
total 16
drwxr-xr-x. 2 root root 54 Jun 15 20:10 .
drwxr-xr-x. 3 root root 66 Jun 15 18:49 ..
-rw-------. 1 root root 5264 Jun 15 20:10 18.n0.JB
-rwx------. 1 javier javier 10 Jun 15 20:10 18.n0.SC
-rw-------. 1 root root 2272 Jun 15 20:10 18.n0.TK
[root@n1 jobs]# ls -Z
-rw-------. root root system_u:object_r:var_lib_t:s0 18.n0.JB
-rwx------. javier javier system_u:object_r:var_lib_t:s0 18.n0.SC
-rw-------. root root system_u:object_r:var_lib_t:s0 18.n0.TK
[root@n1 jobs]# cat 18.n0.JB
* ! ��BY 18.n0
...
[root@n1 jobs]# cat 18.n0.SC
sleep 100
[root@n1 jobs]# cat 18.n0.TK
18.n0 ����
[root@n1 jobs]#
Can SELinux allow sshd to read any file in /var/lib/torque/mom_priv/jobs? Thanks in advance for any advice!
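The closing question (whether SELinux can be made to let sshd read the job files) is usually answered with the `ausearch | audit2allow -M` module that sealert's catchall plugin proposes. The caveat a practitioner will want: the rule that module contains is `allow sshd_t var_lib_t:file read`, and var_lib_t is the default label for much of /var/lib, so sshd gains read access to far more than /var/lib/torque/mom_priv/jobs. As an added example that is not part of the original post, the POSIX shell script below parses AVC records of the kind shown above into the rule audit2allow would emit and flags the ones whose target type is such a broad subtree label. The first sample record is the Torque denial from the post; the second record, the `is_generic_type` list and all function names are my own constructions, not anything from Torque or the SELinux tooling.

```shell
# Added example (not from the forum post): derive the minimal allow rule from
# an SELinux AVC denial record and flag targets with broad, generic file types.

# Two sample AVC records. The first is the denial from the post; the second is
# constructed for contrast, with a target type specific to sshd's own host keys.
AVC_TORQUE='type=AVC msg=audit(1497545527.21:290): avc: denied { read } for pid=1763 comm="sshd" name="17.n0.JB" dev="sda3" ino=1859787 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
AVC_CONSTRUCTED='type=AVC msg=audit(1497545600.00:291): avc: denied { read open } for pid=1800 comm="sshd" name="ssh_host_ed25519_key" dev="sda3" ino=123456 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file'

# Value of a key=value field in an audit record; keys are preceded by whitespace,
# so "tcontext" never matches inside "scontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type is the third colon-separated component of a context (user:role:type[:level]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The permission list between the braces of "denied { ... }", trailing blanks removed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# Minimal type-enforcement rule for one record, the same shape audit2allow emits.
avc_to_rule() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Reference-policy types that label whole subtrees rather than one application's
# files (my own short list): an allow rule on them reaches well past the denied file.
is_generic_type() {
    case "$1" in
        var_lib_t|var_t|var_run_t|etc_t|usr_t|tmp_t|default_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one record. NARROW rules can go into a local module as they are;
# BROAD ones are better handled by relabelling the directory to a more specific
# type (semanage fcontext + restorecon, as the catchall_labels plugin suggests)
# and writing the rule against that type instead.
triage_avc() {
    rule=$(avc_to_rule "$1")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    if is_generic_type "$tgt"; then
        printf 'BROAD  %s\n' "$rule"
    else
        printf 'NARROW %s\n' "$rule"
    fi
}

triage_avc "$AVC_TORQUE"
triage_avc "$AVC_CONSTRUCTED"
```

Run it with `sh` and it prints `BROAD  allow sshd_t var_lib_t:file { read };` for the Torque denial and a NARROW line for the constructed one. On a real node the records come from `ausearch -m AVC --raw`, and the BROAD verdict is the signal to relabel /var/lib/torque/mom_priv/jobs (declaring a dedicated type in the same local module if no existing one fits) rather than to install the catch-all module as generated.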