[GE users] Using SGE with SSH on RHEL 5.5 - SElinux troubles

prentice prentice at ias.edu
Fri Nov 5 15:31:04 GMT 2010


reuti wrote:
> Hi,
> 
> Am 04.11.2010 um 17:25 schrieb cmoyroud:
> 
>> Hello,
>>
>> I'm trying to use SSH for qrsh in SGE on a cluster with RHEL 5.5 machines (using http://gridengine.sunsource.net/howto/qrsh_qlogin_ssh.html ), and SElinux is giving me troubles. Putting SElinux into 'permissive' mode instead of 'enforce' mode is working fine, which means there's something in the SElinux configuration that needs to be changed.
> 
> yes, switching it off was often a way to bypass SELinux problems.
> 
> 
>> What I've tried so far:
>> - Authorizing ports 1024 to 65535 to be used for SSH with 'semanage port -a -t ssh_port_t -p tcp 1024-65535'
>> - Authorizing SSH to run through inetd with 'setsebool -P run_ssh_inetd on'
>>
>> Still no luck :(
>>
>> As soon as the SSH connection is established successfully (authentication and all), the connection is closed ("Read from remote host crx5380: Connection reset by peer").
>>
>> Has anyone managed to get SGE to work with SSH on an SElinux-enabled system?
> 
> We don't use it, but one idea: even when started by inetd, you have only one sshd running at a time I think. With SGE you will have one per job, and it's not bound to (x)inetd. In addition it won't be a kid of (x)inetd too, but of the sge_shepherd.
> 


Is your SGE_ROOT shared over NFS? Can you tell us what troubles SELinux
is giving you (log messages would be helpful)?

I set up SSH integration a few weeks ago, and started getting SELinux
warnings (we run in permissive mode, so SELinux errors are logged, but
nothing is prevented) in my log files.

After trying to fix the problem myself, I consulted with a local SELinux
expert. After looking into the problem together, we came to the
conclusion that as long as SGE_ROOT is shared over NFS, there is nothing
we could do to fix the problem.

In my case, the problem was that SGE was trying to start SSH, and the
SELinux contexts weren't correct for that. With NFS, you could specify
the SELinux context for a mountpoint, but then every file under that
mount point would have the same context, which wouldn't be desirable (it
could create SELinux security holes).

If your problem is the same as mine, and you want to fix it, the link
below has information on how to reduce or eliminate NFS usage in SGE. If
you have the files on local disk, you can use semanage/restorecon to set
the correct contexts. I decided it wasn't worth the effort in my
environment.

http://gridengine.sunsource.net/howto/nfsreduce.html


-- 
Prentice

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=292989
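
One way to collect the log messages asked for above and see whether the denials involve NFS-labelled files (an added example, not part of the original message). The audit lines are constructed samples; the process names, file names and source types in them are assumptions, while nfs_t is the type SELinux gives files on an NFS mount by default.

```python
import re
from collections import Counter

# Constructed sample audit.log lines; process names and source types are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1288970000.101:501): avc:  denied  { execute } for  pid=4211 comm="sge_shepherd" name="sshd" dev=0:15 ino=1234 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1288970000.101:501): arch=c000003e syscall=59 success=yes exit=0 comm="sge_shepherd"
type=AVC msg=audit(1288970031.442:517): avc:  denied  { execute } for  pid=4305 comm="sge_shepherd" name="sshd" dev=0:15 ino=1234 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1288970031.510:518): avc:  denied  { read } for  pid=4306 comm="sshd" name="example.conf" dev=0:15 ino=1301 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1288970031.620:519): avc:  denied  { name_bind } for  pid=4306 comm="sshd" src=40213 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return (fields.get('comm'), setype(fields.get('scontext', '')),
            setype(fields.get('tcontext', '')), fields.get('tclass'),
            tuple(m.group('perms').split()))

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, perms)."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return Counter(rec for rec in parsed if rec)

def nfs_targets(counts):
    """Processes denied access to objects labelled nfs_t."""
    return sorted({key[0] for key in counts if key[2] == 'nfs_t'})

if __name__ == '__main__':
    counts = summarize(SAMPLE_AUDIT_LOG)
    for key, n in counts.most_common():
        print(n, *key)
    print('denied on nfs_t targets:', nfs_targets(counts))
```

On a real host the same functions can be fed the contents of /var/log/audit/audit.log; denials whose target type is nfs_t are the ones that relabelling files on local disk would address, while a port_t target points at port labelling instead.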
