Overall Status
|| automatic installation || final tweaks to postinstall needed, but works well ||
|| automatic maintenance || sue, aaru, kernel work ||
|| ssh || using native ssh with gssapi and pam_afs for tokens ||
|| integration / features || the hard ones are done, but many missing ||
|| user/group environment || profiles/hepix etc. need lots of work ||
|| application software || many open questions ||
|| batch/grid || no work done yet ||
|| Xsession environment || many open questions ||
|| desktop || no work done yet ||
general
- main targets: cleanup, progress
- user level compatibility with SL3 & Solaris is NOT
- for file distribution, prefer rpm over cfengine-copy-by-checksum
- clean up profiles! do NOT copy from SL3!
- no more hepixdm - replacement needed?
open questions
support only bash as the login shell?
- zsh has UTF-8 issues
- can we stop supporting tcsh as a login shell?
  - much effort, especially since we have to change the profiles
  - not recommended anyway
- mapping of users' shells in local /etc/passwd is implemented
- booting with init=/bin/sh does not work
  - probably due to udev?
  - will it help to add /dev/tty0 to /etc/udev?
replace NIS/LDAP with local files?
Why not finally rid ourselves of all NIS/LDAP/nsswitch(compat...) problems?
- create /etc/passwd & /etc/group from a distributed master file (taking into account who gets a shell on the system)
  - this is available now, but needs some more testing and refinement
  - this would also make it easy to change all users' shells to bash
  - implemented by Waltraut and Felix, being tested
- if yes: how to handle nscd?
  - turn it off completely?
  - or have different configurations (like: use for DNS only)?
  - need to adapt all features touching it
    - ldap
    - nagios
    - netgroup
    - nsswitch
  - have a variable CF_nscd?
    - values could be (off, on, dns_only, ...); the feature would copy the right config
    - which feature? nsswitch? or have a new one?
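The "local files from a distributed master file" idea above, as an added illustration that is not code from this page or from the sue/SL4 project: a master passwd file is turned into a per-host /etc/passwd, only users in a per-host allow file get a login shell, every interactive shell is mapped to bash, and the result is sanity-checked before it could replace the real file. The file names, the allow-file format and the uid < 100 threshold for system accounts are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not code from the wiki page or from the sue/SL4 project.
# Build a local passwd file from a distributed master file:
#   - accounts listed in ALLOW get /bin/bash (bash-only login shells)
#   - all other regular accounts are kept (uid/gid/home remain valid for
#     file ownership) but get /sbin/nologin
#   - system accounts (uid < 100, an assumption for this example) are
#     copied unchanged
# Inputs (hypothetical): MASTER in passwd(5) format, ALLOW with one user
# name per line.

build_local_passwd() {   # usage: build_local_passwd MASTER ALLOW
    awk -F: -v OFS=: '
        FILENAME == ARGV[1] { allowed[$1] = 1; next }   # first file: allow list
        /^#/ || NF != 7     { next }                    # skip comments / junk
        $3 < 100            { print; next }             # system accounts untouched
        {
            $7 = ($1 in allowed) ? "/bin/bash" : "/sbin/nologin"
            print
        }' "$2" "$1"
}

# Sanity check before a generated file is installed as /etc/passwd:
# every line has 7 fields, there is exactly one "root" entry, no other
# account has uid 0, and no user name appears twice.
check_local_passwd() {   # usage: check_local_passwd FILE ; exit 0 = ok
    awk -F: '
        NF != 7                  { bad = 1 }
        $1 == "root"             { roots++ }
        $3 == 0 && $1 != "root"  { bad = 1 }
        seen[$1]++               { bad = 1 }
        END { exit (bad || roots != 1) ? 1 : 0 }' "$1"
}

# Typical use (hypothetical paths); nscd must be restarted if it runs,
# because it caches the old passwd contents:
#   build_local_passwd /etc/sue/passwd.master /etc/sue/shell.allow > /etc/passwd.new \
#     && check_local_passwd /etc/passwd.new \
#     && mv /etc/passwd.new /etc/passwd \
#     && { service nscd status >/dev/null 2>&1 && service nscd restart; }
```

The check is deliberately strict: a master file that has been corrupted or tampered with (a second uid 0 entry, a duplicated name) is rejected instead of silently installed, and the allow list keeps shell access on each host to the users who actually need it.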
done
- CKS3.pl works (same script, input, location etc. as SL3)
- SL3U.pl works (same script as SL3, but need /opt/products/perl/5.8.2 - link to SL3 products is ok)
- AI client works
- aaru scripts work (same as on SL3)
- remapgroups works and is installed
- ppm, prpm, products feature
- staged errata, aaru feature
- KUSL3.pl, kernel feature
- automount feature
- postinstallation (now using runcon and restoring file contexts where needed - TEST!)
- ssh with GSSAPI authentication works out of the box
- Andreas found and implemented a neat solution for getting an AFS token using pam_afs2
roadmap
- other priority1 features (sue) (?profiles?)
  - Milestone: Regular test systems
- priority2 features
  - Milestone: Ready for special purposes
- priority3 features
  - Milestone: public preview
little todos
- check: remapgroups in default.ys ?
- microcode_ctl fails, as the device is missing. From Mandriva's /etc/udev/rules.d/50-mdk.rules:
{{{
# CPU devices:
KERNEL=="cpu[0-9]*", NAME="cpu/%n/cpuid", SYMLINK="cpu/%k"
KERNEL=="msr[0-9]*", NAME="cpu/%n/msr", SYMLINK="cpu/%k", SYMLINK="%k"
KERNEL=="microcode", NAME="cpu/microcode"
}}}
From /etc/udev/links.conf:
{{{
D cpu
D cpu/0
M cpu/0/cpuid c 203 0
M cpu/0/microcode c 10 184
M cpu/0/msr c 202 0
}}}
features
|| Feature || Priority || Remarks ||
|| aaru || done || init script should probably runcon -t unconfined_t yum ... ||
|| account || 3 || ||
|| afs_client || 3 || ||
|| arcd || won't || should not be needed anymore ||
|| arcx || 5 || ||
|| automount || done || ||
|| cfengine || 2 || ||
|| conmgr || done || gpm not turned off (also on SL3)?!; check_console operational (also on SL3?) ||
|| dhcp || 5 || basically ok, but restorecon missing, bug in init script (status) ||
|| doocsadm || 5 || PITZ HOSTS ONLY!!! Keep this off my sane systems. Please. ||
|| emacs || 2 || trivial ||
|| exports || 2 || done (& trivial) for V3, but V4? ||
|| hepixdm || 4 || replace with new simple xdm feature? ||
|| hosts || done || ||
|| inetd || 3 || ||
|| kerberos || 3 || ||
|| kernel || done || ||
|| klogin || ok || nothing to do ||
|| ldap (client) || 2 || ||
|| ldap (server) || 5 || ||
|| links || won't || links should be packaged ||
|| linux || 3 || ||
|| localdisks || 5 || probably trivial ||
|| || won't || DL_postfix_nullclient.rpm ||
|| motd || 3 || probably trivial ||
|| nagios || 5 || should be ok? nscd stuff is done ||
|| name_srv || 5 || ||
|| netgroup || 2 || ||
|| nfs || 2 || NFS3 ok, NFS4 to be done ||
|| nsswitch || 2 || nsswitch.files ok as is? ||
|| optpro || ? || ||
|| pam || 3 || ||
|| passwd || 2 || use local files for everything?; passwd implemented, but needs more testing and refinement; need nscd restart if it runs; group? ||
|| passwd_prog || 3 || ||
|| printing || 3 || switch to cups? keep lprng? ||
|| products || done || ||
|| profiles || won't || most of this should go into profiles and other packages ||
|| removable_media || 5 || probably not much to do, but check crash case etc. ||
|| scout || 4 || ||
|| security || 2 || ||
|| sge || 5 || ||
|| sound || 5 || ||
|| ssh || 3 || ||
|| sudo || 3 || ||
|| sue || done || sue_boot now runs sue.update in the unconfined_t domain on SELinux-enabled systems; this should alleviate most file context problems ||
|| sue_links || won't || should be packaged ||
|| syslog || 3 || trivial if kept as is, but try to improve (boot.log, ...) ||
|| tcp_wrapper || 2 || ||
|| testcfe || ? || ||
|| tidy_up || 3 || done ||
|| trusted || ok || trivial ||
|| vamos || 2 || ||
|| xf86 || 5 || ||
|| xntp || done || ||
|| ypclient || 3 || ||
|| zzz || 2 || needed for sue.run-sched ||
Traps & Pitfalls
Files in /etc/cron.d
These must have mode 644. Crond does not accept 755.
SELinux and cfengine
the problem
Any files read by daemons covered by the targeted policy must have the correct type. The file /etc/passwd, for example, is read by nscd:
{{{
[root@satyr2 ~]# ls -Z /etc/passwd
-rw-r--r--  root root system_u:object_r:etc_t          /etc/passwd
}}}
Unfortunately, cfengine is not aware of security contexts. Hence files it modifies may end up with the wrong context, and daemons may no longer be able to access them:
{{{
[root@satyr2 ~]# ls -Z /etc/passwd
-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/passwd
}}}
These actions are known to have this problem:
- editfiles
- copy
- link
Even more unfortunately, many files (but not all) will still have the right context if a feature is run interactively, or even by cron, since in this case they run in the unconfined_t domain. This may change in the future, but so far the problem only affects features run from /etc/init.d/sue_boot. The reason is that those processes run in the initrc_t domain, with the result that newly created files may get a different context.
Hence, to test the effect of a feature, run sue.update like this:
{{{
[root@satyr2 ~]# runcon -t initrc_t /products/sue/etc/sue.update ...
}}}
the solution(s)
modify the sue_boot init script
One step is obviously to run sue_boot in a different context, by adding this to /etc/init.d/sue_boot:
{{{
RUNCON=""
if [ -x /usr/sbin/selinuxenabled ]; then
    /usr/sbin/selinuxenabled && RUNCON="/usr/bin/runcon -t unconfined_t --"
fi
}}}
and then changing the sue.update command to this:
{{{
$RUNCON /products/sue/etc/sue.update -v 2>&1 | cat
}}}
This seems to work the way it does normally (which is less than perfect since all output ends up in the sue update logs even if nothing was done), and it indeed solves most problems. Hence this should probably be implemented.
However, if the default type created in a directory is not the desired one, action must be taken in the features. Example: /etc/dhcpd.conf should be dhcp_etc_t, not etc_t
- even if in this case dhcpd is still allowed to read the file, this may change eventually
- and the file is not protected from other daemons that are allowed to read files of type etc_t but have no business with dhcp
use restorecon in features where appropriate
The restorecon command looks up the right file context(s) in /etc/selinux/targeted/contexts/files/file_contexts and sets the context accordingly for all files passed as arguments. It only works if SELinux is available in the kernel and enabled. If it is available but disabled, the command will complete successfully but the contexts will not be changed, hence no point in running it.
These are the ingredients for a (cfengine2-only) feature to correct the file types:
{{{
control:
    actionsequence = ( shellcommands.PASS1 copy editfiles shellcommands.PASS2 )
    AddInstallable = ( RESTORECON )
}}}
It will often be necessary to introduce several shellcommands passes, since restorecon should obviously run after the files are modified, but before any daemons that need them are (re)started.
{{{
groups:
    HAS_SEL = ( FileExists(/usr/sbin/selinuxenabled) )
    HAS_SEL::
        SELINUX = ( ReturnsZero(/usr/sbin/selinuxenabled) )
}}}
This should work silently and with minimal overhead on any system. If the SELINUX class is set, restorecon should work.
{{{
editfiles:
    { /some/file.1
        ...
        DefineClasses "RESTORECON"
    }

copy:
    /repository/some/file.2 dest=/some/file.2 type=checksum define=RESTORECON

links:
    CLASS1::
        /some/file ->! ./some/file.1 type=relative define=RESTORECON
    CLASS2::
        /some/file ->! ./some/file.2 type=relative define=RESTORECON
}}}
Here we make sure the RESTORECON class gets set if there is something to do for restorecon.
At least in some cases, this only works if RESTORECON is declared AddInstallable, as shown above.
{{{
shellcommands:
    PASS1::
        "/some/other command ..."
    PASS2.SELINUX.RESTORECON::
        "/sbin/restorecon /some/file /some/file.1 /some/file.2"
}}}
One could do this more fine grained, but it's probably not worth it.
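The two SELinux cases this section keeps running into (the sue_boot wrapper that must only use runcon when SELinux is actually enabled, and restorecon being pointless when SELinux is available but disabled) can be handled by a pair of small helper functions. The following is an added example, not code from the page or from the sue scripts; the environment variables SELINUXENABLED, RUNCON and RESTORECON that let the tool paths be overridden are an assumption made so the logic can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of sue_boot.
# Helpers for init scripts and features that must behave sensibly whether
# SELinux is absent, present but disabled, or enabled.
#
# Assumption for this example: tool paths can be overridden through the
# environment so the functions can be tested with stand-in scripts.
SELINUXENABLED="${SELINUXENABLED:-/usr/sbin/selinuxenabled}"
RUNCON="${RUNCON:-/usr/bin/runcon}"
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# selinux_state: prints "absent", "disabled" or "enabled".
# selinuxenabled exits 0 only when SELinux is enabled in the running kernel.
selinux_state() {
    if [ ! -x "$SELINUXENABLED" ]; then
        echo absent
    elif "$SELINUXENABLED"; then
        echo enabled
    else
        echo disabled
    fi
}

# runcon_prefix: prints the prefix that makes a child command run in the
# unconfined_t domain when SELinux is enabled, and nothing otherwise.
# This mirrors the RUNCON logic of the sue_boot change above.
runcon_prefix() {
    case "$(selinux_state)" in
        enabled) echo "$RUNCON -t unconfined_t --" ;;
        *)       echo "" ;;
    esac
}

# maybe_restorecon FILE...: relabel the given files from file_contexts,
# but only when SELinux is enabled; with SELinux disabled restorecon would
# succeed without changing anything, so the call is skipped.
maybe_restorecon() {
    case "$(selinux_state)" in
        enabled) "$RESTORECON" "$@" ;;
        *)       return 0 ;;
    esac
}

# Usage in an init script (word splitting of the prefix is intended):
#   $(runcon_prefix) /products/sue/etc/sue.update -v 2>&1 | cat
# Usage after a feature has rewritten configuration files:
#   maybe_restorecon /etc/passwd /etc/group
```

Keeping the state test in one place avoids the two failure modes the page describes: a script that calls runcon unconditionally breaks on hosts without SELinux, and one that skips the wrapper leaves files created from initrc_t with the wrong type.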
SELinux and httpd
local files
Must be of type httpd_sys_content_t. The sync-a.pl script now does this with chcon. To work on a whole tree:
{{{
chcon -R -h -t httpd_sys_content_t /some/tree
}}}
The -h switch is important if symlinks should be usable through http. Notice that the root directory of a new filesystem is unlabelled, and chcon will refuse to apply a partial context to it. Hence, after mounting a new filesystem, run something like this:
{{{
chcon system_u:object_r:file_t /new/mounted/filesystem
}}}
AFS
By default, httpd is not allowed to read files in AFS. It takes two steps to make this work (and, of course, appropriate httpd configuration in /etc/httpd/conf.d/):
 1. Enable the SELinux booleans httpd_enable_homedirs and use_nfs_home_dirs. This allows httpd to read files of type nfs_t. The latest policy (requires selinux-policy-targeted-1.17.30-2.120 or later) applies a genfs context of nfs_t to anything below /afs. It is easiest to do this with system-config-securitylevel.
 2. Modify the policy.
After step 1 and with an unmodified policy, it almost works. But access is really slow, and the logs fill with messages like
{{{
avc: denied { write } for pid=3980 comm="httpd" lport=7001 scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=udp_socket
}}}
Using the audit2allow utility, the following rule was generated:
{{{
# allow AFS callbacks triggered by httpd:
# This is much too generous, but I haven't found out yet how to limit this to
# port 7001. Anyway, it's better than running httpd in unconfined_t.
allow httpd_t initrc_t:udp_socket write;
}}}
To get this into a binary policy and load it:
 1. install the selinux-policy-targeted-sources rpm
 2. save the rule above in the file /etc/selinux/targeted/src/policy/domains/local.te
 3. run {{{make -C /etc/selinux/targeted/src/policy load}}}
Afterwards, updating the policy rpm will no longer load the new policy. To get the new policy with our change, install the new selinux-policy-targeted-sources and rerun the make load step.

Do not play with the policy on production systems. Never install the policy sources on a production system unless you have to modify the binary policy on it and know what you're doing.
Bugs in the distribution we need to fix
SL 4.2: service dhcpd status buggy, always returns 0