SCIENTIFIC-LINUX-DEVEL Archives

January 2011

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Fri, 14 Jan 2011 15:32:12 -0600

Troy J Dawson wrote:
> Troy J Dawson wrote:
>> Stephan Wiesand wrote:
>>> Hi Troy,
>>>
>>> On Jan 12, 2011, at 17:57 , Troy Dawson wrote:
>>>
>>>> On the subject of openafs, we've found one selinux bug.
>>>> If you have selinux turned on, then the /afs directory, by default, has the wrong selinux settings.
>>>>
>>>> To fix this you have to run
>>>>  restorecon -v /afs
>>>> (Actually you don't need the -v, but it's nice to see that something is done)
>>>> And then you can start afs normally.
>>>>
>>>> We'll have something in place by this Friday's Alpha/Beta rollout.
>>> it's certainly a bug, but I'm not sure where it's sitting. There are three ways I'm aware of to make sure the /afs mount point has the right context with rpm/yum:
>>>
>>> 1) guarantee that the policy rpm is installed after openafs client
>>>  - not feasible, right?
>>> 2) make sure restorecond is running when /afs is created, and change its configuration to care for /afs
>>>  - even worse, and creating an unnecessary dependency on policycoreutils
>>> 3) correct the context in openafs-client's %post
>>>  - when using restorecon, creates an unnecessary dependency on policycoreutils
>>>  - when using chcon, requires the package to know the "right" context to apply
>>>
>> Found the solution
>>
>> 4) put a --triggers on openafs-client that triggers on policycoreutils 
>> (the package that has restorecond)
>>
>> %triggerin  -n openafs-client -- policycoreutils
>> /sbin/restorecon /afs
>>
>> Since it is a trigger, it doesn't automatically pull in policycoreutils 
>> as a dependency.  This way if someone does have selinux installed, this 
>> trigger will set /afs to the proper settings.  And if they don't have 
>> selinux installed, nothing happens.
>>
>> And, if you are wondering, I've tested to make sure this builds with the 
>> proper dependencies, but I haven't yet tested to make sure it properly 
>> fixes the problem.
>>
>> Troy
> 
> And now I've tested it completely.  Having trigger do the work, works.
> 
> Troy

OK, so it looks like I didn't test it well enough.
If you install your openafs packages by hand, the trigger script fixes 
the problem.
If you install openafs when you install your system, you still get the 
wrong selinux setting on /afs when everything is done.

For right now ... I'm just going to leave it as it is and let people 
know in the release notes for Alpha 5.

Troy
p.s. I'm still working on the openafs-firstboot script.  It has to 
totally be rewritten.  The general openafs community doesn't happen to 
have one, do they?
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/SCF/FEF/SLSMS Group
__________________________________________________
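
A check that could be run at boot, before the AFS client starts, for the install-time case described in the last message; this is an added example, not code from the thread or from the openafs packages. The function name `fix_mount_label` is made up for illustration, and the script assumes `restorecon -n -v` prints a line only when the label would change.

```shell
#!/bin/sh
# Added example (not from the thread): relabel a mount point such as /afs
# only when SELinux tooling is installed, SELinux is enabled, and the
# on-disk label differs from what the loaded policy expects.

# fix_mount_label DIR  (hypothetical helper name)
# Prints one of: no-selinux-tools, selinux-disabled, missing, ok,
# relabeled, failed. Returns non-zero only when relabeling failed.
fix_mount_label() {
    dir=$1

    # Same property the trigger relies on: without the SELinux userland
    # tools installed, do nothing and report success.
    if ! command -v restorecon >/dev/null 2>&1 ||
       ! command -v selinuxenabled >/dev/null 2>&1; then
        echo no-selinux-tools
        return 0
    fi

    # selinuxenabled exits 0 only when SELinux is enabled on this system.
    if ! selinuxenabled; then
        echo selinux-disabled
        return 0
    fi

    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi

    # -n is a dry run and -v reports what would change. Assumption:
    # empty output means the label already matches the policy.
    pending=$(restorecon -n -v "$dir" 2>/dev/null)
    if [ -z "$pending" ]; then
        echo ok
        return 0
    fi

    if restorecon "$dir"; then
        echo relabeled
        return 0
    fi
    echo failed
    return 1
}

# Run against a path when one is given, e.g.: sh fix-mount-label.sh /afs
if [ "$#" -gt 0 ]; then
    fix_mount_label "$1"
fi
```

Checking before relabeling keeps the boot log quiet on systems where the trigger already set the label.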
