Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 was used to get a first glimpse. From there we moved to RHEL5 beta (now 2), and will later to SL5 beta as soon as it becomes available.



Features with major known problems:

Features to do:

cfengine conmgr inetd kerberos kernel localdisks pam scout syslog trusted vamos

Features finished/checked:

aaru afs_client automount gdm group hosts klogin kvm ldap linux motd nagios netgroup nsswitch passwd passwd_prog products security ssh sue tcp_wrapper tidy_up xntp ypclient zzz

Differences w.r.t SL4 (EL5beta2; to be verified for RHEL5)

invalid opcode: 0000 [#1]

New Possibilities of Installer (verified in EL5 beta2)



This now works out of the box with minor configuration tweaks:

Complete working /etc/pam.d/system-auth:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass debug
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass debug
auth        required

account     required broken_shadow
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nis nullok try_first_pass use_a
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     required
session     optional

Complete working example of appdefaults section in /etc/krb5.conf:

[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


minor items




restorecond configuration

Problems to Solve

GNOME Trash in AFS

Longstanding issue, see "GNOME Trash in AFS problem".

X won't pick highest possible refresh rate


rsh access from trusted hosts does not work

No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

Update: adding the following line to /etc/xinetd.d/rsh and /etc/xinetd.d/rlogin (as written in the man page...) does the trick:

   server_args             = -h

However, only rsh works correctly; rlogin doesn't. This seems to be a SELinux problem:

[a] ~ # rsh em64t whoami
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:13:08 from a
login: no shell: Permission denied.
rlogin: connection closed.
[a] ~ # 

If SELinux is disabled ("setenforce 0") it will work:

[a] ~ # rsh em64t
Last login: Wed Sep  6 10:17:41 from a
[root@em64t ~]# 

Alas, according to the daemons' syslog output, this shouldn't work anymore, and the pam config would be the right place for this option.

Perl and SELinux ...

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not always playing along.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on (this is the default since RHEL5 beta 1 and hasn't changed with beta 2). Vamos_cmd now works, but there goes part of our improved security :-(

Some of these problems have been solved with new builds of the modules. Some are solved because RH allows executable stacks again since RHEL5beta1.

Remedy in some other cases: setsebool -P allow_execmod on X-( Relabelling the shared object should also help: chcon -t textrel_shlib_t .../ But that's impossible in AFS.

NB setsebool is buggy in FC6T2: -P doesn't work.

The AFS modules from SL4 (needed by tklife, for example) are having problems as well.
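Before flipping a boolean it is worth checking what the audit log actually says, since the two failures above have different causes: "cannot enable executable stack" is an execstack denial on the process, "cannot restore segment prot after reloc" is an execmod denial on the shared object. The following is an added example, not code from this page or from DESY: it parses constructed audit.log-style records (PIDs, inodes and the library path are invented) and maps each denial to the remedy discussed above, reporting anything else as unrelated, which is the situation seen later with arcx where permissive mode changed nothing.

```python
"""Pick execstack/execmod denials out of SELinux audit output.

Added example; not code from the SL5 wiki page. The audit records below are
constructed in the format of /var/log/audit/audit.log with invented values.
Each denial is mapped to the remedy discussed on the page: execstack on the
process -> allow_execstack (or rebuilding the module), execmod on a shared
object -> relabelling it textrel_shlib_t (allow_execmod is the blunt
alternative). Anything else is reported as unrelated.
"""
import re

# Constructed sample audit records; values are invented.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1157531588.123:45): avc:  denied  { execstack } for  pid=4321 comm="perl" scontext=root:system_r:unconfined_t:s0 tcontext=root:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1157531590.456:46): avc:  denied  { execmod } for  pid=4322 comm="perl" path="/opt/example/perl/auto/Foo/Foo.so" dev=sda2 ino=12345 scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1157531592.789:47): avc:  denied  { read } for  pid=4323 comm="rlogin" name="shells" dev=sda2 ino=99 scontext=system_u:system_r:remote_login_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1157531592.789:47): arch=40000003 syscall=5 success=no exit=-13
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
_AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = _AVC.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def classify(rec):
    """Name the remedy for one denial, following the page's discussion."""
    perms, tclass = rec["perms"], rec.get("tclass")
    if "execstack" in perms and tclass == "process":
        # The module wants an executable stack; the clean fix is a rebuild,
        # the page's quick fix is the allow_execstack boolean.
        return "allow_execstack"
    if "execmod" in perms and tclass == "file":
        # Text relocations in the shared object; relabel it textrel_shlib_t
        # where the filesystem allows it, allow_execmod otherwise.
        return "textrel_shlib_t"
    return "unrelated"


def summarize(audit_text):
    """Return one summary dict per AVC denial found in the text."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append({
            "comm": rec.get("comm"),
            "perms": rec["perms"],
            "path": rec.get("path"),
            "remedy": classify(rec),
        })
    return out


if __name__ == "__main__":
    for item in summarize(SAMPLE_AUDIT):
        print(item)
```

The `path` field of an execmod denial is the object to relabel; for objects living in AFS that is exactly the case where the page notes relabelling is not possible, so the remedy there is the rebuilt module.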

Problems Solved

gnome-screensaver fails to unlock screen

Perl and SELinux ...

Wolfgang sorted this out with new builds of modules:

[root@em64t ~]# /afs/ yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/' for module Crypt::OpenSSL::RSA: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/ line 230.
 at /project/VAMOS/prod//client/Auth/ line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/ line 9.

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/ cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/ line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/ line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/ line 34.

arcx doesn't work

Wolfgang has new modules alleviating this, but they're not yet in any repository.

Could not connect to 'arcdsrv:4242': Evaluation of command _RAUTHTYPE failed (). maybe caused by: SASL: Negotiation failed. User is not authenticated. SASL error: ( -4 ) no mechanism available SASL(-4): no mechanism available: No worthy mechs found client_start error. (Callbacks?)

This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.

Update: installing the needed sasl plugins (e.g. cyrus-sasl-gssapi) helps...

[ahaupt@em64t]~% /opt/products/perl/5.8.8/bin/arcx whoami       
ahaupt coming from [] Port 54328

With cyrus-sasl-gssapi added to default.ys and the current modules, arcx works.

(P)RPM and SELinux

Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:

  1. Relabel the rpm executable as rpm_exec_t. Pity: this is impossible in AFS.

  2. Execute prpm in the rpm_t domain: runcon -t rpm_t -- /opt/products/bin/prpm -ivh ... We'll probably have to teach ppm & co. how to do this. Relabelling the executables is probably still a good idea. How to do this correctly? In prpm's %post?

After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6T2.

In addition, this behaviour was obviously reverted in RHEL5beta2.

Notes from manual FC6T2 installation

SL5_Development (last edited 2007-01-08 15:18:27 by WaltrautNiepraschk)