Differences between revisions 1 and 2
Revision 1 as of 2006-08-12 18:55:45
Size: 2430
Comment: first notes
Revision 2 as of 2006-08-13 17:34:47
Size: 5026
Comment:
Deletions are marked like this. Additions are marked like this.
Line 21: Line 21:
    * initial yum configuration ok (development->errata not yet mirrored)
 * aaru.yum.daily works
Line 26: Line 27:
 * no more /usr/X11R6 [deleted]
 * /usr/X11R6 still exists, but most usual content is somewhere else [added]
  * app-defaults is in /usr/share/X11/
  * so is fonts
 * there now is a ''restorecond'' watching over some files and directories
  * restores security context if file changes
  * may come in handy, and maybe is a good candidate for a backport to SL4
  * configuration is in /etc/selinux/restorecond.conf; needs adjustment!
Line 34: Line 41:
== TODO ==

=== YUM ===
 * yum.conf and yum.repos.d are part of the yum package => overwritten by updates
  => trigger? run aaru.yum.create from it?

=== restorecond configuration ===
 * adjust /etc/selinux/restorecond.conf so that ~ isn't touched...

=== X ===
 * if not configured during install, cannot start xfs (avc:denied message for the socket)
  * reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !
 * NEC FE750 + will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better

=== /tmp ===
 * looking at the xfs issue, it's probably a bad idea to have /tmp being a symlink
 * => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead
Line 37: Line 62:
 * no token upon ssh login
Line 38: Line 64:
== Things to Understand == [deleted]
== Perl and SELinux ... == [added]
Line 40: Line 66:
Ain't this nice? FC6 comes with a new SELinux policy. Some things, like execution of code from the stack,
are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge
improvement for security. Unfortunately, our perl is not playing along:
Line 51: Line 80:
This can be remedied by allowing executable stacks: `setsebool -P allow_execstack on`.
Vamos_cmd now works, but here goes part of our improved security :-(

NB setsebool is buggy in FC6T2: -P doesn't work.


Next problem:
{{{
[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.
}}}

Remedy: `setsebool -P allow_execmod on` X-( It should also help to relabel the shared object:
`chcon -t textrel_shlib_t .../Krb5.so`. But that's impossible in AFS.

Temporary fix: DL_sebool package installed in %post.

Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 is used to get a first glimpse. From there we'll move to the RHEL5 beta and later to the SL5 beta as soon as they become available.


Status

  • working with FC6T2 (50 is a link to that, script to create SL-like layout)

  • profiles generation works
  • adding to tftpboot works
  • kickstart installation with DHCP works
  • post, selection, firstboot are preliminary but working
  • openafs-1.4.2beta3 works (with some ugly ugly hacks in the SPEC)
    • without PAGs (syscall table is r/o)
      • need to rebuild kernel or use openafs-1.5 with keyring pag support
        • 1.5.6 still too hard to build
    • installation in %post (yum does not work in %post, and NFS still needs portmap start)
  • initial yum configuration ok (development->errata not yet mirrored)

  • aaru.yum.daily works

Differences w.r.t. SL4 (FC6T2; to be verified for RHEL5)

  • no more /proc/pci (-> use lspci)

  • /usr/X11R6 still exists, but most usual content is somewhere else

    • app-defaults is in /usr/share/X11/
    • so is fonts
  • there now is a restorecond watching over some files and directories

    • restores security context if file changes
    • may come in handy, and maybe is a good candidate for a backport to SL4
    • configuration is in /etc/selinux/restorecond.conf; needs adjustment!

New Possibilities of Installer (FC6T2; to be verified for RHEL5)

  • using additional repositories (how to configure kickstart for this?)
    • updates and additional packages
    • could alleviate need for SL's sites

TODO

YUM

  • yum.conf and yum.repos.d are part of the yum package => overwritten by updates

    • => trigger? run aaru.yum.create from it?

restorecond configuration

  • adjust /etc/selinux/restorecond.conf so that ~ isn't touched...

X

  • if not configured during install, cannot start xfs (avc:denied message for the socket)
    • reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !

  • NEC FE750 + will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better

/tmp

  • looking at the xfs issue, it's probably a bad idea to have /tmp being a symlink
  • => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead

Problems to Solve

  • rsh access from trusted hosts does not work
  • no token upon ssh login

Perl and SELinux ...

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not playing along:

[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. Vamos_cmd now works, but here goes part of our improved security :-(

NB setsebool is buggy in FC6T2: -P doesn't work.

Next problem:

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.

Remedy: setsebool -P allow_execmod on X-( It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.

Temporary fix: DL_sebool package installed in %post.
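The two denials above (also shown in the revision diff at the top of the page) come from two different ELF properties: libcrypto.so.0.9.8 asks for an executable stack via its PT_GNU_STACK header, which is what allow_execstack waives, and Krb5.so carries text relocations (DT_TEXTREL or DF_TEXTREL in its dynamic section), which is what allow_execmod waives and what the textrel_shlib_t label is meant for. Before flipping either boolean for the whole host, it helps to know which .so files actually have which property, because each can then get the narrower fix the notes already mention: `chcon -t textrel_shlib_t` for a text-relocated object (where the filesystem allows it), or clearing the stack flag with `execstack -c` from the prelink package (or relinking with -z noexecstack) for an object that does not genuinely need an executable stack. The script below is an added example, not part of these notes or of the DESY scripts; it assumes ELF64 little-endian objects, and build_sample constructs an in-memory image so it can be exercised without touching the AFS-hosted perl tree.

```python
"""Audit ELF shared objects for the two properties behind the denials above:
an executable-stack request (what allow_execstack waives) and text
relocations (what allow_execmod, or a textrel_shlib_t label, waives).
Added example, not from the original notes; handles ELF64 little-endian
objects only."""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551      # p_type of the GNU stack-permission header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4               # DT_FLAGS bit meaning "has text relocations"
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def audit_elf(data: bytes) -> dict:
    """Return {'execstack': bool, 'textrel': bool} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian objects are handled")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    # No PT_GNU_STACK at all: the glibc loader treats the object as needing
    # an executable stack, so start from the conservative answer.
    execstack, textrel = True, False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            execstack = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            textrel = _dynamic_has_textrel(data, p_offset, p_filesz)
    return {"execstack": execstack, "textrel": textrel}


def _dynamic_has_textrel(data: bytes, offset: int, size: int) -> bool:
    """Walk the Elf64_Dyn array until DT_NULL, looking for either TEXTREL marker."""
    for off in range(offset, offset + size, DYN_SIZE):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
            return True
    return False


def suggest(report: dict, path: str) -> list:
    """Narrowest per-object fix for each finding, so the machine-wide
    allow_execstack / allow_execmod booleans can stay off."""
    actions = []
    if report["execstack"]:
        actions.append(f"execstack -c {path}  # clear the flag if the code does not "
                       "truly need it; otherwise relink with -Wl,-z,noexecstack")
    if report["textrel"]:
        actions.append(f"chcon -t textrel_shlib_t {path}  # or rebuild with -fPIC "
                       "so the object has no text relocations")
    return actions


def build_sample(execstack: bool, textrel: bool, gnu_stack: bool = True) -> bytes:
    """Constructed, non-loadable ELF64 image with just the headers audit_elf reads:
    an ELF header, a PT_DYNAMIC header, optionally a PT_GNU_STACK header, and a
    dynamic array. Sample data only, not a real object from the page."""
    nph = 2 if gnu_stack else 1
    dyn_off = EHDR_SIZE + nph * PHDR_SIZE
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_TEXTREL) if textrel else b"")
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)       # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, nph, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off,
                        dyn_off, len(dyn), len(dyn), 8)
    if gnu_stack:
        flags = PF_R | PF_W | (PF_X if execstack else 0)
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python audit_so.py /path/to/Krb5.so /path/to/libcrypto.so ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = audit_elf(fh.read())
        print(path, report)
        for action in suggest(report, path):
            print("   ", action)
```

Run it over the perl site_perl/auto tree and the libraries it links against; an object that reports neither property is not the cause of a denial, and one that reports only textrel needs the label rather than allow_execstack. The conservative default for objects without any PT_GNU_STACK header mirrors what the loader does, so old hand-built libraries show up rather than slipping through.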

Notes from manual FC6T2 installation

  • network install using DHCP - no media
  • first attempt with a rather large set of packages including Xen failed
    • system got stuck when starting firstboot
  • second attempt with smaller package set and without Xen worked
  • X came up with some 1900x1400 resolution, just about usable
    • minimal xorg.conf prefers highest mode possible
    • could not be changed with system-config-display (monitor could not be chosen)

SL5_Development (last edited 2008-11-03 12:19:29 by SimoneWassberg)