LISTSERV - SCIENTIFIC-LINUX-DEVEL Archives

SCIENTIFIC-LINUX-DEVEL Archives

January 2011

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-DEVEL Home
	SCIENTIFIC-LINUX-DEVEL January 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: openafs packages for SL6
From:	Stephan Wiesand <[log in to unmask]>
Reply To:	Stephan Wiesand <[log in to unmask]>
Date:	Wed, 12 Jan 2011 19:40:09 +0100
Content-Type:	multipart/signed
Parts/Attachments:	text/plain (2104 bytes) , smime.p7s (2302 bytes)

Hi Troy,

On Jan 12, 2011, at 17:57 , Troy Dawson wrote:

> On the subject of openafs, we're found one selinux bug.
> If you have selinux turned on, then the /afs directory, by default, has the wrong selinux settings.
> 
> To fix this you have to run
>  restorecon -v /afs
> (Actually you don't need the -v, but it's nice to see that something is done)
> And then you can start afs normally.
> 
> We'll have something in place by this friday's Alpha/Beta rollout.

it's certainly a bug, but I'm not sure where it's sitting. There are three ways I'm aware of to make sure the /afs mount point has the right context with rpm/yum:

1) guarantee that the policy rpm is installed after openafs client
 - not feasible, right?
2) make sure restorecond is running when /afs is created, and change its configuration to care for /afs
 - even worse, and creating an unnecessary dependency on policycoreutils
3) correct the context in openafs-client's %post
 - when using restorecon, creates an unnecessary dependency on policycoreutils
 - when using chcon, requires the package to know the "right" context to apply

And I think (2) and (3) violate the Fedora packaging guidelines.

Having an SL_ rpm to do the job is a solution, and easy to do, but users will get bitten if they miss to install it before they attempt to start the client for the first time. And it will have the same disadvantages as (2), (3) above. NB labels on the cache directory and items are just as important.

Another solution would be to have the init script check the security labels ("ls -Z", no extra dependencies) and refuse to start if SELinux is enabled and enforcing but the labels aren't right, with a useful message. ("You have SELinux enabled in enforcing mode. That's good, but some of the security labels of the openafs client files aren't right, and starting the client now would not work and cause serious problems. Please install SL_openafs_selinux to have the labels fixed, then try again.").

Thinking about it, the last one could be the way to go...

Cheers,
	Stephan

-- 
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV