Revision 42 as of 2007-04-05 09:56:53

Clear message

Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 was used to get a first glimpse. From there we moved to RHEL5 beta (now beta 2), and will later move to SL5 beta as soon as it becomes available.

TableOfContents

Status

Features with major known problems:

Features to do:

Features to keep an eye on:

Features we may not do:

Features finished/checked:

aaru afs_client automount cfengine gdm group hosts kerberos kernel klogin kvm ldap linux motd nagios netgroup nsswitch pam passwd passwd_prog products security ssh sue tcp_wrapper tidy_up xntp ypclient zzz

Differences w.r.t SL4

invalid opcode: 0000 [#1]

allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on

New Possibilities of Installer (verified in EL5 GA)


pam/krb5/AFS/ssh

This now works out of the box with minor configuration tweaks:

Complete working /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so

Complete working example of appdefaults section in /etc/krb5.conf:

[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
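To see why the auth section above behaves the way it does for local, Kerberos-only and unknown accounts, here is an added example (not from the original page or from DESY) that walks the same module order with Linux-PAM's control semantics. The account tables are constructed stand-ins for the passwd/LDAP and Kerberos backends, not real credentials; pam_unix and pam_krb5afs are modelled as table lookups.

```python
"""Walk the auth section of the system-auth stack shown above the way Linux-PAM
does, so the effect of required / requisite / sufficient on each kind of
account becomes visible.  Added example: the account tables are constructed
stand-ins for the passwd/LDAP and Kerberos backends, not real credentials."""

# Constructed stand-in data (not real accounts or passwords)
UIDS = {"root": 0, "alice": 501, "bob": 700}                           # what nsswitch would resolve
LOCAL_PASSWORDS = {"root": "local-root-pw", "alice": "alice-local-pw"}  # pam_unix's view of /etc/shadow
KERBEROS_PASSWORDS = {"bob": "bob-krb-pw"}                             # what the KDC would accept


def pam_env(user, password):
    return True                     # only sets environment variables, never fails the stack


def pam_unix(user, password):
    return LOCAL_PASSWORDS.get(user) == password


def pam_succeed_if_uid_ge_500(user, password):
    return UIDS.get(user, -1) >= 500        # unknown user counts as failure


def pam_krb5afs(user, password):
    # use_first_pass: the same password pam_unix saw is tried against the KDC
    return KERBEROS_PASSWORDS.get(user) == password


def pam_deny(user, password):
    return False


# Same order and control flags as the auth section of system-auth above
SYSTEM_AUTH = [
    ("required",   "pam_env.so",        pam_env),
    ("sufficient", "pam_unix.so",       pam_unix),
    ("requisite",  "pam_succeed_if.so", pam_succeed_if_uid_ge_500),
    ("sufficient", "pam_krb5afs.so",    pam_krb5afs),
    ("required",   "pam_deny.so",       pam_deny),
]


def run_stack(stack, user, password):
    """Return (authenticated, deciding_module) following Linux-PAM control semantics:
    requisite failure stops the walk immediately; required failure is remembered but
    the walk continues; sufficient success ends the walk unless a required module
    already failed; optional results never affect the outcome."""
    first_required_failure = None
    for control, name, module in stack:
        ok = module(user, password)
        if control == "requisite" and not ok:
            return False, name
        if control == "required" and not ok and first_required_failure is None:
            first_required_failure = name
        if control == "sufficient" and ok and first_required_failure is None:
            return True, name
    if first_required_failure is not None:
        return False, first_required_failure
    return True, stack[-1][1]


def authenticate(user, password):
    return run_stack(SYSTEM_AUTH, user, password)


if __name__ == "__main__":
    for user, pw in [("root", "local-root-pw"), ("root", "wrong"), ("bob", "bob-krb-pw"),
                     ("alice", "wrong"), ("mallory", "anything")]:
        ok, decided_by = authenticate(user, pw)
        print(f"{user:8} -> {'OK  ' if ok else 'FAIL'} (decided by {decided_by})")
```

The requisite pam_succeed_if line is what keeps system accounts below uid 500 from ever being tried against the KDC: a wrong root password is refused right there, while a uid 700 account with no local entry falls through pam_unix and is accepted by pam_krb5afs.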

TODO

minor items

Software

Finished

Software

restorecond configuration

Problems to Solve

GNOME Trash in AFS

Longstanding issue, see ["GNOME Trash in AFS problem"]

X won't pick highest possible refresh rate

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216409

rsh access from trusted hosts does not work

No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

Update: adding the following line to /etc/xinetd.d/rsh and /etc/xinetd.d/rlogin (as written in the man page...) does the trick:

   server_args             = -h

However only the rsh works correctly, rlogin doesn't. This seems to be a SELinux problem:

[a] ~ # rsh em64t whoami
root
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:13:08 from a
login: no shell: Permission denied.
rlogin: connection closed.
[a] ~ # 

If SELinux is disabled ("setenforce 0") it will work:

[a] ~ # rsh em64t
Last login: Wed Sep  6 10:17:41 from a
[root@em64t ~]# 

Alas, according to the daemons' syslog output, this shouldn't work anymore, and the pam config would be the right place for this option.

Anyway, we should get rid of this...

Perl and SELinux ...

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not always playing along.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. (This has been the default since RHEL5 beta 1 and is unchanged in beta 2.) Vamos_cmd now works, but there goes part of our improved security :-(

Some of these problems have been solved with new builds of the modules. Some are solved because RH allows executable stacks again since RHEL5beta1.

Remedy in some other cases: setsebool -P allow_execmod on X-( Relabelling the shared object should also help: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.

NB setsebool is buggy in FC6T2: -P doesn't work.

The AFS modules from SL4 (needed by tklife, for example) are having problems as well. Cure: chcon -t textrel_shlib_t /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/AFS/AFS.so

The solution for all this is to install perl-5.8.8 locally, which also means it must be kept to a minimum, and to have a trigger package that sets the contexts where required.
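The two loader errors behind this section ("cannot enable executable stack as shared object requires" and "cannot restore segment prot after reloc") come from two properties of the shared object itself, which can be read from its ELF headers before deciding whether allow_execstack, allow_execmod or a textrel_shlib_t relabel is the right fix. The following added example (not code from the page or from DESY) checks a shared object for an executable-stack request (PT_GNU_STACK with PF_X) and for text relocations (DT_TEXTREL or DF_TEXTREL in the dynamic section); the ELF image it inspects by default is constructed in memory and is not a real library.

```python
"""Report whether an ELF shared object carries the two properties behind the
loader errors quoted on this page: an executable-stack request (PT_GNU_STACK
with PF_X) and text relocations (DT_TEXTREL / DF_TEXTREL).  Added example;
the default image is built in memory below and is not a real library."""
import struct

PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def _program_headers(data, is64, end):
    """Yield (p_type, p_flags, p_offset, p_filesz) for each program header."""
    ehdr = struct.unpack_from(end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH"), data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(end + "IIIIIIII", data, off)
        yield p_type, p_flags, p_offset, p_filesz


def inspect_elf(data):
    """Return {'execstack': bool, 'textrel': bool} for an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                     # EI_CLASS
    end = "<" if data[5] == 1 else ">"      # EI_DATA
    dyn_fmt = end + ("qQ" if is64 else "iI")
    dyn_size = struct.calcsize(dyn_fmt)
    # Without a PT_GNU_STACK header the loader falls back to an executable stack.
    report = {"execstack": True, "textrel": False}
    for p_type, p_flags, p_offset, p_filesz in _program_headers(data, is64, end):
        if p_type == PT_GNU_STACK:
            report["execstack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, dyn_size):
                d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    report["textrel"] = True
    return report


def remedies(report):
    """Map findings to the options discussed on this page, least invasive first."""
    out = []
    if report["execstack"]:
        out.append("rebuild/relink without an executable stack, or setsebool -P allow_execstack on")
    if report["textrel"]:
        out.append("chcon -t textrel_shlib_t on the object (not possible in AFS), or setsebool -P allow_execmod on")
    return out


def build_sample_so(execstack, textrel):
    """Construct a minimal little-endian ELF64 ET_DYN image with just a PT_GNU_STACK
    and a PT_DYNAMIC header (constructed test data, not a loadable library)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr_size, phdr_size, phnum = 64, 56, 2
    dyn_off = ehdr_size + phnum * phdr_size
    dyn = struct.pack("<qQ", DT_FLAGS, DF_TEXTREL if textrel else 0) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, phnum, 0, 0, 0)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 0x6 | (PF_X if execstack else 0), 0, 0, 0, 0, 0, 16)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + stack + dynamic + dyn


if __name__ == "__main__":
    import sys
    images = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_so(True, True)]
    for img in images:
        r = inspect_elf(img)
        print(r, remedies(r))
```

Run with one or more .so paths as arguments to check real objects (for example the Krb5.so and RSA.so mentioned on this page); an object that reports neither property loads fine with allow_execstack and allow_execmod both off, so the booleans only need to be relaxed for the objects that actually carry them.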

Atrans

Just segfaults, and it's not an SELinux problem, rather looks like glibc/pthread/NPTL. Clueless...

Problems Solved

gnome-screensaver fails to unlock screen

apache and SELinux

Basically the procedure described for SL4 applies, with some modifications. First check the settings of the booleans httpd_enable_homedirs and use_nfs_home_dirs and set them to on if they are off:

getsebool -a |egrep 'httpd_enable_homedirs|use_nfs_home_dirs'
setsebool use_nfs_home_dirs=1
setsebool httpd_enable_homedirs=1

Then add a new policy module to allow key searches (needed for the new keyring feature in the kernel) by creating the policy source file mysearch.te

module mysearch 1.0;

require {
        class key search;
        type httpd_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t unconfined_t:key search;

and executing

checkmodule -M -m -o mysearch.mod mysearch.te
semodule_package -o mysearch.pp -m mysearch.mod
semodule -i mysearch.pp

and another module, myafs.te, to allow httpd to write to the UDP sockets used by AFS

module myafs 1.0;

require {
        class udp_socket write;
        type httpd_t;
        type initrc_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t initrc_t:udp_socket write;
# needed if afs is ever restarted:
allow httpd_t unconfined_t:udp_socket write;

and executing

checkmodule -M -m -o myafs.mod myafs.te
semodule_package -o myafs.pp -m myafs.mod
semodule -i myafs.pp
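The require/allow blocks in mysearch.te and myafs.te above are exactly what an audit2allow-style pass over the AVC denials in the audit log produces. As an added example (not from the page or from DESY), the following script parses "avc: denied" records, groups them by source type, target type and object class, and renders a .te module of the same shape, followed by the three build commands used above. The audit lines are constructed to match the two modules on this page; the pids, inodes and timestamps are made up.

```python
"""Turn AVC denial lines into a policy module source of the shape shown above,
the way audit2allow does, so the require/allow blocks need not be written by
hand.  Added example; the audit lines below are constructed to match the rules
on this page (pids, inodes and timestamps are made up)."""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log content
SAMPLE_AUDIT = """\
type=AVC msg=audit(1175761013.123:456): avc:  denied  { search } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=key
type=SYSCALL msg=audit(1175761013.123:456): arch=40000003 syscall=288 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1175761014.456:457): avc:  denied  { write } for  pid=2345 comm="httpd" path="socket:[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1175761015.789:458): avc:  denied  { write } for  pid=2346 comm="httpd" path="socket:[12346]" dev=sockfs ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)


def parse_denials(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                                  # SYSCALL and other record types
        stype = m.group("scontext").split(":")[2]     # user:role:type[:range]
        ttype = m.group("tcontext").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, version="1.0"):
    """Emit .te source: module header, require block, one allow rule per key."""
    classes = defaultdict(set)
    types = set()
    for (stype, ttype, tclass), perms in rules.items():
        classes[tclass].update(perms)
        types.update((stype, ttype))
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\tclass {cls} {_perm_set(classes[cls])};" for cls in sorted(classes)]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += ["};", ""]
    # The page's modules also list "role system_r;" in require; type-to-type
    # allow rules do not reference roles, so it is omitted here.
    lines += [f"allow {s} {t}:{c} {_perm_set(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines) + "\n"


def build_commands(name):
    """The three steps used on this page to compile, package and load the module."""
    return [f"checkmodule -M -m -o {name}.mod {name}.te",
            f"semodule_package -o {name}.pp -m {name}.mod",
            f"semodule -i {name}.pp"]


if __name__ == "__main__":
    rules = parse_denials(SAMPLE_AUDIT)
    print(render_module("myhttpd", rules))
    print("\n".join(build_commands("myhttpd")))
```

Generated rules should still be read before loading: each allow line is a permanent widening of the policy, and a denial caused by a mislabelled file is better fixed with a relabel than with a new rule.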

Perl and SELinux ...

Wolfgang sorted this out with new builds of modules:

[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.

arcx doesn't work

<!> Wolfgang has new modules alleviating this, but they're not yet in any repository.

Could not connect to 'arcdsrv:4242': Evaluation of command _RAUTHTYPE failed (). maybe caused by: SASL: Negotiation failed. User is not authenticated. SASL error: ( -4 ) no mechanism available SASL(-4): no mechanism available: No worthy mechs found client_start error. (Callbacks?)

This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.

Update: installing the needed sasl plugins (e.g. cyrus-sasl-gssapi) helps...

[ahaupt@em64t]~% /opt/products/perl/5.8.8/bin/arcx whoami       
ahaupt coming from em64t.ifh.de [141.34.2.11] Port 54328
[ahaupt@em64t]~% 

With cyrus-sasl-gssapi added to default.ys and the current modules, arcx works.

(P)RPM and SELinux

Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:

  1. Relabel the rpm executable rpm_exec_t. Pity: this is impossible in AFS.

  2. Execute prpm in the rpm_t domain: {{{runcon -t rpm_t -- /opt/products/bin/prpm -ivh ... }}} We'll probably have to teach ppm&co how to do this. Relabelling the executables is probably still a good idea. How to do this correctly? In prpm's %post?

After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6T2.

In addition, this behaviour was obviously reverted in RHEL5beta2.

Notes from manual FC6T2 installation