[OpenAFS-devel] openafs hangs on shutdown with selinux (caused by callback expiration via umount?)

Christopher Allen Wing wingc@umich.edu
Wed, 2 Jan 2008 22:03:31 -0500 (EST)


Jim:


On Wed, 2 Jan 2008, Jim Rees wrote:

> It seems to me the problem here is with the security policy, not with
> OpenAFS.

Yes, that's likely the case.

> What does the policy say exactly?  No network traffic during
> shutdown, or that the traffic is being generated in the wrong context?

The umount binary runs in a security context called 'mount_t'.  My 
understanding is that the mount_t context is being restricted from doing 
network I/O, or from doing certain types of network I/O.

(Compounding the issue is the fact that umount doesn't really want to do 
network I/O, it just calls umount(), but the network code paths in the 
kernel are reached from within the same process context and so SELinux 
applies the same restrictions as it would have if umount had made socket 
calls explicitly.)

I'll try to ask the appropriate people (SELinux/Fedora/Red Hat) what 
happens for the case of NFS or cifs.  I don't know if NFS is going to be 
analogous, though, because I think NFS I/O traffic happens within the 
context of 'nfsiod' kernel daemons; therefore the actual mount/unmount 
binary may not end up doing any I/O of its own.


Right now I don't know how to trigger this on demand, so I'm not able to 
quickly characterize the problem in detail.


Thanks,

Chris
wingc@umich.edu