Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 was used to get a first glimpse. From there we moved to RHEL5 beta (now 2), and will later to SL5 beta as soon as it becomes available.

Status

Features with major known problems:

Features to do:

scout vamos

Features not rpefect yet:

Features to keep an eye on:

Features we may not use:

Features finished/checked:

aaru afs_client automount conmgr cfengine gdm group hosts inetd kerberos kernel klogin kvm ldap linux localdisks motd nagios netgroup nsswitch pam passwd passwd_prog products security ssh sue syslog tcp_wrapper tidy_up trusted xntp ypclient zzz

Differences w.r.t SL4

New Possibilities of Installer (verified in EL5 GA)

pam/krb5/AFS/ssh

This now works out of the box with minor configuration tweaks:

Complete working /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_a
uthtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so

Complete working example of appdefaults section in /etc/krb5.conf:

[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

TODO

minor items

Software

Finished

Software

restorecond configuration

Problems to Solve

utmp

There's no /var/log/utmp. The who and w commands are completely broken.

GNOME Trash in AFS

Longstanding issue, see GNOME_Trash_in_AFS_problem

X won't pick highest possible refresh rate

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216409

Perl and SELinux ...

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not always playing along.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. (this is the default since RHEL5 beta 1, hasn't changed with beta 2). Vamos_cmd now works, but here goes part of our improved security :-(

Some of these problems have been solved with new build of modules. Some are solved because RH allows executable stacks again since RHEL5beta1.

Remedy in some other cases: setsebool -P allow_execmod on X-( It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.

NB setsebool is buggy in FC6T2: -P doesn't work.

Perl modules that need to be linked against prebuilt static libraries will not work out of the box. Cure: chcon -t textrel_shlib_t /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/AFS/AFS.so

Currently the only modules where this needs to be done are the AFS related modules AFS.so and Quota.so and most probably Oracle.so (untested)

The solution for all this to install perl-5.8.8 locally, which also means it must be kept to a minmum, and have a trigger package to set the contexts where required.

Remote X with local fonts

Remote X connections get the local font server appended to the font path. For this to work, the host must have the remote-x-host modifier set. Unfortunately the xset fp command fails if called from /etc/X11/xinit/xinitrc.d/desy-zn.sh with this error: xset: bad font path element (#59)

Problems Solved

gnome-screensaver fails to unlock screen

apache and SELinux

basically the procedure described for SL4 applies with some modifications. First do check the settings of the booleans httpd_enable_homedirs and use_nfs_home_dirs and set them to on if they are off.

getsebool -a |egrep 'httpd_enable_homedirs|use_nfs_home_dirs'
setsebool use_nfs_home_dirs=1
setsebool httpd_enable_homedirs=1

Then add new policy modules to allow key searches (new feature for keyrings in the kernel) by creating a script mysearch.te

module mysearch 1.0;

require {
        class key search;
        type httpd_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t unconfined_t:key search;

and executing

checkmodule -M -m -o mysearch.mod mysearch.te
semodule_package -o mysearch.pp -m mysearch.mod
semodule -i mysearch.pp

and another script to allow for udp packets in AFS

module myafs 1.0;

require {
        class udp_socket write;
        type httpd_t;
        type initrc_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t initrc_t:udp_socket write;
# needed if afs is ever restarted:
allow httpd_t unconfined_t:udp_socket write;

and executing

checkmodule -M -m -o myafs.mod myafs.te
semodule_package -o myafs.pp -m myafs.mod
semodule -i myafs.pp

rsh access from trusted hosts does not work

No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

Update: adding the following line to /etc/xinet.d/rsh and /etc/xinet.d/rlogin (as written in the man page...) does the trick:

   server_args             = -h

However only the rsh works correctly, rlogin doesn't. This seems to be a SELinux problem:

[a] ~ # rsh em64t whoami
root
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:13:08 from a
login: no shell: Permission denied.
rlogin: connection closed.
[a] ~ # 

If SELinux is disabled ("setenforce 0") it will work:

[a] ~ # rsh em64t
Last login: Wed Sep  6 10:17:41 from a
[root@em64t ~]# 

Alas, according to the daemons' syslog output, this shouldn't work anymore and the pam config would be the right place for tis option.

Anyway, we should get rid of this...

{i} This one solved itself: It works like on SL3/4 since SL5beta1.

Perl and SELinux ...

Wolfgang sorted this out with new builds of modules:

[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.

arcx doesn't work

<!> Wolfgang has new modules alleviating this. They are rolled out meanwhile.

This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.

Update: installing the needed sasl plugins (e.g. cyrus-sasl-gssapi) helps...

[ahaupt@em64t]~% /opt/products/perl/5.8.8/bin/arcx whoami       
ahaupt coming from em64t.ifh.de [141.34.2.11] Port 54328
[ahaupt@em64t]~% 

With cyrus-sasl-gssapi added to defaut.ys and the current modules, arcx works.

vamos_cmd w/ krb5 works - but on amd64 only

afslive doesn't work because their perl module doesn't

Atrans dumping core fixed

(P)RPM and SELinux

Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:

  1. Relabel the rpm executable rpm_exec_t. Pity: this is impossible in AFS.

  2. Execute prpm in the rpm_t domain:

    runcon -t rpm_t -- /opt/products/bin/prpm -ivh ...

    We'll probably have to teach ppm&co how to do this. Relabelling the exectables is probably still a good idea. How to do this correctly? In prpm's %post?

After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6T2.

In addition, this behaviour was obviously reverted in RHEL5beta2.

Cups server and SELinux

    yum install audit, start audit
    semodule -b /usr/share/selinux/targeted/enableaudit.pp
    mkdir /usr/share/policy-module-cups; cd /usr/share/policy-module-cups
    /etc/init.d/cups restart 
    tail -50 /var/log/audit/audit.log | audit2allow -m cups >|cups.te
    checkmodule -M -m -o cups.mod cups.te
    semodule_package -o cups.pp -m cups.mod
    semodule -i cups.pp
    semodule -l
    /etc/init.d/cups restart
    netstat -ltn | grep 443  # I'm soo happy! 
    semodule -b /usr/share/selinux/targeted/base.pp
    stop audit

init scripts and SELinux

Notes from manual FC6T2 installation

SL5_Development (last edited 2008-11-03 12:19:29 by SimoneWassberg)