[OpenAFS-devel] openafs hangs on shutdown with selinux (caused by callback expiration via umount?)
Christopher Allen Wing
wingc@umich.edu
Wed, 2 Jan 2008 22:03:31 -0500 (EST)
Jim:
On Wed, 2 Jan 2008, Jim Rees wrote:
> It seems to me the problem here is with the security policy, not with
> OpenAFS.
Yes, that's likely the case.
> What does the policy say exactly? No network traffic during
> shutdown, or that the traffic is being generated in the wrong context?
The umount binary runs in a security context called 'mount_t'. My
understanding is that the mount_t context is being restricted from doing
network I/O, or from doing certain types of network I/O.
(Compounding the issue is the fact that umount doesn't really want to do
network I/O, it just calls umount(), but the network code paths in the
kernel are reached from within the same process context and so SELinux
applies the same restrictions as it would have if umount had made socket
calls explicitly.)
I'll try to ask the appropriate people (SELinux/Fedora/Red Hat) what
happens for the case of NFS or cifs. I don't know if NFS is going to be
analogous, though, because I think NFS I/O traffic happens within the
context of 'nfsiod' kernel daemons; therefore the actual mount/unmount
binary may not end up doing any I/O of its own.
Right now I don't know how to trigger this on demand, so I'm not able to
quickly characterize the problem in detail.
Thanks,
Chris
wingc@umich.edu