diff options
Diffstat (limited to 'contrib/README.redhat_fhs.patch')
-rw-r--r-- | contrib/README.redhat_fhs.patch | 305 |
1 files changed, 305 insertions, 0 deletions
diff --git a/contrib/README.redhat_fhs.patch b/contrib/README.redhat_fhs.patch new file mode 100644 index 00000000..a36d33ef --- /dev/null +++ b/contrib/README.redhat_fhs.patch @@ -0,0 +1,305 @@ +The following is the contents of the post at +<http://mail.python.org/pipermail/mailman-developers/2004-October/017343.html>. + +The actual patch is at redhat_fhs.patch in this (contrib/) directory. + +Note that this patch only patches configure.in, so if you apply this patch, +you need to then run GNU autoconf to build the patched ./configure. + + +[Mailman-Developers] FHS installation changes +John Dennis jdennis at redhat.com +Mon Oct 18 22:26:21 CEST 2004 + +Overview: +--------- + +Earlier I wrote about our (Red Hat's) desire to make mailman be FHS +compliant, in part to allow mailman to fall under the protection of +SELinux security policy which is file and directory based and as a +consequence much easier to author when packages install into canonical +locations (e.g. FHS). + +Previously we had installed all of mailman under /var/mailman +(prefix=var_prefix=/var/mailman) and I had proposed a much simpler +change of just setting prefix=/usr/lib/mailman. This took care of the +majority of SELinux issues and limited the scope of changes. There was +a concern that sites and administrators who were familiar either with +our RPM, the upstream package, or were working with an existing +installation would run afoul of the location changes and keeping them +to absolute minimum was advantageous. However a few folks in private +email pointed out that if changes were going to occur its best to do +it all at once and not piecemeal, in other words endure the pain once. + +Thus I embarked on an exercise to make everything FHS compliant. There +are two reasons I'm addressing the developer community here: + +1) I want to apprise you of the exact changes, their rational, provide + a patch against 2.1.5 and solicit review. + +2) Test the results. + +Description: +------------ + +Currently the configuration allows for partitioning the mailman +installation between two installation roots, prefix for non-modifiable +files and var_prefix for variable data. This is a great start and +covers 90% of the installation, but there remains a small set of items +which even in this scheme are not FHS compliant, in summary: + +1) config files located under /etc + +2) pid file located under /var/run + +3) queue files located under /var/spool + +4) lock files located /var/lock + +5) log files located under /var/log + +I think one could characterize the competing installation philosophies +as follows: + +Mailman not knowing what type of system its going to be installed on +elects to group all of its files together (makes perfect sense). FHS +on the other hand says most packages share common traits and we group +by functional component thus spreading out package installations +across a diverse set of directories. + +Implementation: +--------------- + +I discovered I had to add some new directories to configure and alter +some of the *_DIR variables in Defaults.py.in so they pick up their +values from configure. My strategy was to allow configure when run +without providing any other parameters to produce the exact same set +of installation defaults as previously existed so unless you specify a +different installation mapping a user won't see any change. + +Configure added: + +--with_lock_dir +--with_log_dir +--with_config_dir +--with_data_dir +--with_pid_dir +--with_queue_dir + +I also modified bin/check_perms so it was aware of the new directory +specifications. The patch also made a few non FHS fixes to the install +target of the Makefiles, some generic issues were discovered when +testing check_perms. Those changes included: setting SETGID on the root +prefix and var_prefix directories, check_perms demands all +directories, including the roots are SETGID. The messages Makefile was +creating a two level directory hierarchy but only setting SETGID on +the child. Some of the "make install" logic seemed to depend on the +property that new child directories created under a parent that was +SETGID inherits the SETGID property. To the best of my understanding +this is true only on Linux and Solaris and not generally portable. I +replaced the use of the local mkinstalldirs (and subsequent chmod g+s) +with what I believe is much more standard "install -d" and with the +SETGID as part of the mode. All directories are created this way, +nothing depends on inheritance. I also removed some ancient Makefile +cruft that is no longer in use, variables no longer initialized by +configure, etc. (just confusing, accidents waiting to happen if +someone thought it was valid). + +Issues: +------- + +Most of the changes were isolated to whole directories and were well +defined. Only the contents of DATA_DIR required splitting its contents +across more than one directory. DATA_DIR contained both pickle files +created during processing and what would be characterized as +configuration files (e.g. password files, MTA alias +files. sitelist.cfg). A new directory CONFIG_DIR was created (in FHS +its /etc/mailman) to hold what has traditionally been in /etc +(e.g. configuration, passwords, aliases, etc). The other things that +were in DATA_DIR was left there. + +The mailman configuration file presented the biggest challenge and the +one exception to FHS. The culprit is mm_cfg.py. This is really +mailman's configuration file and it should be located in CONFIG_DIR +(/etc/mailman). But there were several major problems with moving that +file there. + +1) It's executable python code, not a text file containing + configuration parameters. Executable code should be in a "lib" or + "bin" location. Why is this an issue? Because SELinux pays very + close attention to who can execute and with precise control over a + host of run time operations, its often based on directory + location. But most importantly config files have to be editable, + security properties transit when modified and new files pick up + security properties of the directory that contains the file. We do + not want any file created (or modified) in a configuration + directory to pick up security permissions granting execution + rights or for that matter any other run time security permissions. + +2) The import of mm_cfg and its directory (Mailman) is all through the + code, it would be very invasive to change. If mm_cfg continues to be + executable python code as opposed to a text file then paths.py + would have to be altered to prepend /etc/mailman to the import + path, another significant security violation. + +3) Any experienced mailman admin will know that mm_cfg.py is located + with the rest of the mailman executable code under $prefix/Mailman + and will expect to find this critical file there. + +I concluded for the above reasons that mm_cfg.py in the 2.1.x +time frame was best handled as an FHS exception. Our rpm does however +create a symbolic link from /etc/mailman/mm_cfg.py to +$prefix/Mailman/mm_cfg.py so that it "appears" in configuration +directory. This will prepare admins to start looking for mm_cfg along +with the other configuration files. Note that security policies do not +transit across links therefore there are no security policy issues +with the sym link in /etc/mailman. Hopefully in MM 3.0 the +configuration file will be textural which will eliminate the security +policy issue. Also note that sitelist.cfg was completely moved to +/etc/mailman as that is not executed, but rather "evaluated" (I think +evaluation in /etc is fine, but I'm not 100% positive :-). + +Request for testing: +-------------------- + +I have created RPM's with the changes outlined above and documented +below, you may obtain them here: + +ftp://people.redhat.com/jdennis/mailman-2.1.5-26.i386.rpm +ftp://people.redhat.com/jdennis/mailman-2.1.5-26.src.rpm + +I have tested the new rpm and have not found any problems. The +modified check_perms does not report any problems. But I'm well aware +my testing is limited and my comprehension of mailman is limited, it +is inevitable something has been missed that only wider testing will +reveal and I would appreciate that testing by experts. These changes +are slated to appear in our Fedora Core 3 release which is closing in +a couple of days in preparation for release. Testing prior to that +close would be appreciated. Note that with Fedora Core 3 SELinux will +be enabled by default in "targeted mode". This means that SELinux +policy will be applied to key system services only, mail and hence +mailman is one of those key system services. Ideally any testing +should be done from "rawhide" with the 2.1.5-26 version of mailman and +the new matching SELinux security policy, but I would be perfectly +happy for any testing of the basic rpm even if its not running under +targeted security policy. + +Patch File: +----------- + +Attached is the patch made against a virgin 2.1.5 tarball with the +changes outlined above. + + +User / Admin Documentation: +--------------------------- + +The following is what I prepared for our installation documentation +which can be found in /usr/share/doc/mailman-* + + + +IMPORTANT NOTE FOR USERS UPGRADING FROM A PREVIOUS RED HAT MAILMAN +INSTALLATION OR THOSE FAMILIAR WITH "STANDARD MAILMAN INSTALLATIONS" + + Earlier Red Hat mailman rpms installed all of the mailman files under + /var/mailman. This did not conform to the Filesystem Hierarchy + Standard (FHS) and created security violations when SELinux is + enabled. As of mailman-2.1.5-21 the following directory and file + changes occurred: + + variable data (e.g. lists) is in /var/lib/mailman, library code, + executables, and scripts are located in /usr/lib/mailman, lock files are in + /var/lock/mailman, the pid file is in /var/run/mailman, qfiles are in /var/spool/mailman, + and configuration files have been moved to the new /etc/mailman + + If you previously had mailman installed and have edited files in + /var/mailman (e.g. configuration) you will need to move those changes + to their new locations. + + The mapping of old locations to new locations is as follows: + + Directory Mapping: + /var/mailman --> /var/lib/mailman + /var/mailman/Mailman --> /usr/lib/mailman/Mailman + /var/mailman/archives --> /var/lib/mailman/archives + /var/mailman/bin --> /usr/lib/mailman/bin + /var/mailman/cgi-bin --> /usr/lib/mailman/cgi-bin + /var/mailman/cron --> /usr/lib/mailman/cron + /var/mailman/data --> /var/lib/mailman/data + /var/mailman/lists --> /var/lib/mailman/lists + /var/mailman/locks --> /var/lock/mailman + /var/mailman/logs --> /var/log/mailman + /var/mailman/mail --> /usr/lib/mailman/mail + /var/mailman/messages --> /usr/lib/mailman/messages + /var/mailman/pythonlib --> /usr/lib/mailman/pythonlib + /var/mailman/qfiles --> /var/spool/mailman + /var/spool/mailman/qfiles --> /var/spool/mailman + /var/mailman/scripts --> /usr/lib/mailman/scripts + /var/mailman/spam --> /var/lib/mailman/spam + /var/mailman/templates --> /usr/lib/mailman/templates + /var/mailman/tests --> /usr/lib/mailman/tests + + File Mapping: + /var/mailman/data/adm.pw --> /etc/mailman/adm.pw + /var/mailman/data/creator.pw --> /etc/mailman/creator.pw + /var/mailman/data/aliases --> /etc/mailman/aliases + /var/mailman/data/virtual-mailman --> /etc/mailman/virtual-mailman + /var/mailman/data/sitelist.cfg --> /etc/mailman/sitelist.cfg + /var/mailman/data/master-qrunner.pid --> /var/run/mailman/master-qrunner.pid + + Discussion of directory and file relocation: + + Two new directories were created and three existing directories which + were hardcoded are now configurable. + + PID_DIR is used to hold the process id and is new because FHS wants + pid files to be located in /var/run. The FHS says when there is only a + single pid file it should be located in /var/run/<name>.pid, and when + there are multiple pid's files they should be located together in a + subdirectory, /var/run/<name>/. Currently mailman only has a single + pid file, but it does have multiple processes (qrunners). Also SELinux + security policy is easier to write if processes are segregated into + individual subdirectories. Therefore we elected to place the mailman + pid file in its own subdirectory, there is some debate if this is 100% + FHS compliant because there is only currently a single pid file, but + this gives us greater future flexibility and is in the spirit of FHS. + + CONFIG_DIR is used to hold the site configuration files. FHS wants + configuration files stored in /etc/mailman. Previously configuration + files were mixed in with data files in DATA_DIR and with the run-time + code (e.g. Mailman/mm_cfg.py). CONFIG_DIR continues to exist but is + now restricted to data files (e.g. python pickle files). The password + files, alias files, and .cfg (e.g. sitelist.cfg) files have been moved + to CONFIG_DIR. mm_cfg.py which is the primary mailman configuration + file was presented a bit of a dilemma. In theory it should be located + in /etc/mailman, however it is executable code which argues it should + be located with the other executable files, it has traditionally lived + in $PREFIX/Mailman and experienced mailman admins will expect to find + it there. Modifying all the mm_cfg import statements and paths.py was + believed to be too invasive a change, and technically its part of the + "Mailman" package and moving it would take it out of the package + (although currently I don't think that presents any known + issues). Instead a compromise approach was adopted, mm_cfg.py is + symbolically linked into the /etc/mailman directory pointing to + $PREFIX/Mailman/mm_cfg.py. Thus mm_cfg.py "appears" in the + configuration directory but retains its traditional location, this was + deemed a reasonable compromise for the mailman 2.1.x timeframe. + + sitelist.cfg has a symbolic link in its old location in the DATA_DIR + pointing to its new location in the CONFIG_DIR. + + New Directories (can be specified as parameter to configure): + + CONFIG_DIR: default=$VAR_PREFIX/data FHS=/etc/mailman + PID_DIR default=$VAR_PREFIX/data FHS=/var/run/mailman + + Existing directories that can now be specified as parameter to configure: + + LOCK_DIR: default=$VAR_PREFIX/locks FHS=/var/lock/mailman + LOG_DIR: default=$VAR_PREFIX/logs FHS=/var/log/mailman + QUEUE_DIR default=$VAR_PREFIX/qfiles FHS=/var/spool/mailman + + +-- +John Dennis <jdennis at redhat.com> |