Re: [CentOS] Kernel downgrade on Centos 8
> > Kernel 3.10 in C7 is way to old to reliably support the 4.18 based C8 > runtime. > ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Kernel downgrade on Centos 8
Johnny Hughes wrote: > No, CentOS-8 uses different shared libraries and a different version > of the compiler than CentOS-7, so you can not run items compiled for > CentOS-7 on CentOS-8. The kernel does not rely on userspace libraries. -- Dimitri Zelenkin Devexperts, Inc ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Kernel downgrade on Centos 8
On 2/4/20 4:03 AM, Akshar Kanak wrote: > Dear team > Is it possible of downgrade the kernel in Centos 8 to any kernel from > Centos 7 (or even latest kernel from Censto 7 Series) ? > Has this been disabled intensionally or it will not work all together > No, CentOS-8 uses different shared libraries and a different version of the compiler than CentOS-7, so you can not run items compiled for CentOS-7 on CentOS-8. signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Relabel /usr directory
> Hi, > I've done the following: > - Copy usr content with rsync to another partition: > > rsync -av --partial --progress /usr/ /mnt I won't comment on you real question but just want to suggest to really add -H to the rsync here as there are hardlinks in /usr you really want to keep. Simon > > Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not > the directory itself). But I've found that is bad labeled: > > ls -Z /usr > unconfined_u:object_r:unlabeled_t:s0 bin > unconfined_u:object_r:unlabeled_t:s0 local > unconfined_u:object_r:unlabeled_t:s0 games > unconfined_u:object_r:unlabeled_t:s0 sbin > unconfined_u:object_r:unlabeled_t:s0 include > unconfined_u:object_r:unlabeled_t:s0 share > unconfined_u:object_r:unlabeled_t:s0 lib > unconfined_u:object_r:unlabeled_t:s0 src > unconfined_u:object_r:unlabeled_t:s0 lib64 > unconfined_u:object_r:unlabeled_t:s0 tmp > > How can I restore the default contexts? > > I've tried with restorecon and with fixfiles, but no luck, for example: > > matchpathcon -V /usr > /usr error: No data available > > How can I fix this? > > Thanks in advance. > -- > -- > Sergio Belkin > LPIC-2 Certified - http://www.lpi.org > ___ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Relabel /usr directory
On 2/4/20 9:59 AM, Sergio Belkin wrote: > Hi, > I've done the following: > - Copy usr content with rsync to another partition: > > rsync -av --partial --progress /usr/ /mnt > > Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not > the directory itself). But I've found that is bad labeled: > > ls -Z /usr > unconfined_u:object_r:unlabeled_t:s0 bin > unconfined_u:object_r:unlabeled_t:s0 local > unconfined_u:object_r:unlabeled_t:s0 games > unconfined_u:object_r:unlabeled_t:s0 sbin > unconfined_u:object_r:unlabeled_t:s0 include > unconfined_u:object_r:unlabeled_t:s0 share > unconfined_u:object_r:unlabeled_t:s0 lib > unconfined_u:object_r:unlabeled_t:s0 src > unconfined_u:object_r:unlabeled_t:s0 lib64 > unconfined_u:object_r:unlabeled_t:s0 tmp > > How can I restore the default contexts? > > I've tried with restorecon and with fixfiles, but no luck, for example: > > matchpathcon -V /usr > /usr error: No data available > > How can I fix this? > > Thanks in advance. The -X option to rsync will copy all extended attributes from the old to the new filesystem. Nataraj ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Hard disk activity will not die down
> Be patient... You are likely correct as the [ext4lazyinput] process is now gone. Probably finished up last night as the drives are quiet now. For completeness: > What did "cat /proc/mdstat" say? # cat /proc/mdstat Personalities : [raid1] md0 : active raid1 sdc1[1] sdb1[0] 3906885440 blocks super 1.2 [2/2] [UU] bitmap: 0/30 pages [0KB], 65536KB chunk unused devices: Unfortunely, I can not be 100% certain if the [ext4lazyinput] process was still active when I captured the mdstat output shown above. But that is what it says now that the process is gone. Thanks to everyone for their input. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Relabel /usr directory
Am 04.02.20 um 18:59 schrieb Sergio Belkin: Hi, I've done the following: - Copy usr content with rsync to another partition: rsync -av --partial --progress /usr/ /mnt Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not the directory itself). But I've found that is bad labeled: ls -Z /usr unconfined_u:object_r:unlabeled_t:s0 bin unconfined_u:object_r:unlabeled_t:s0 local unconfined_u:object_r:unlabeled_t:s0 games unconfined_u:object_r:unlabeled_t:s0 sbin unconfined_u:object_r:unlabeled_t:s0 include unconfined_u:object_r:unlabeled_t:s0 share unconfined_u:object_r:unlabeled_t:s0 lib unconfined_u:object_r:unlabeled_t:s0 src unconfined_u:object_r:unlabeled_t:s0 lib64 unconfined_u:object_r:unlabeled_t:s0 tmp How can I restore the default contexts? I've tried with restorecon and with fixfiles, but no luck, for example: matchpathcon -V /usr /usr error: No data available How can I fix this? restorecon -R /usr -- Leon ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Switching from lokkit (iptables) to firewalld
Once upon a time, Stephen John Smoogen said: > It will because it is a linear list that every packet has to be 'judged' > against. Even if you break it down to 2 or 3 trees it will still take a > while. Putting them in ipset would be much better performance (uses hash, so not a linear search). It also makes for a much more readable and manageable firewall config. I use ipsets for most everything these days, even where there are just a few IPs/networks involved. However... > Any list of ip addresses is going to be outdated by a year because of how > ranges are so dynamic these days. Most 'bad-guys' can jump around a couple > hundred thousand or million ip addresses without much cost on their part > and can get new ranges to screw around weekly. Yeah, it's going to be a useless list. If you want to protect services, then short-term blocking like fail2ban is okay - better is to just allow your "known good" sources and not try to block things bit by bit. -- Chris Adams ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Switching from lokkit (iptables) to firewalld
On Tuesday, February 4, 2020 4:13:50 PM CET Stephen John Smoogen wrote: > On Tue, 4 Feb 2020 at 05:37, Pete Biggs wrote: > > On Mon, 2020-02-03 at 19:04 -0500, Jerry Geis wrote: > > > Hi All, > > > > > > Over the last 20 some years I have a file with about 200K worth of > > > > address > > > > > that have "wrongly" tried to connect to my boxes running centos. So the > > > file has one line per address or group of addresses like: > > > 2.244.112.0/24 > > > > > > So using the OLD iptables I would run through my file build the > > > iptables.txt file and start that with DROP for the IP address. iptables > > > > ran > > > > > through the big list in no time. > > > > > > I was trying to run a script to go through each line and run: > > > firewall-cmd --zone=drop --add-source="$ipblock" --permanent > > > > > > but this takes a long time. > > > > > > What is a "better" way or more efficient way to keep my long list of bad > > > addresses and apply them? Thanks, > > > > To some extent you need to ask yourself if a 20 year old blacklist is > > really effective these days. Lots will have changed in that time and > > many of the addresses will have been reassigned. > > > > Also, a 200k lump of addresses will surely slow down the processing of > > incoming packets? > > It will because it is a linear list that every packet has to be 'judged' > against. Even if you break it down to 2 or 3 trees it will still take a > while. > > Any list of ip addresses is going to be outdated by a year because of how > ranges are so dynamic these days. Most 'bad-guys' can jump around a couple > hundred thousand or million ip addresses without much cost on their part > and can get new ranges to screw around weekly. > > > Perhaps it's time to rethink what you do. Can you define what addresses > > would "rightly" try and connect to your machine and whitelist those on > > a normally closed system (rather than blacklisting those on a normally > > open system). > > > > If you need the system to be open, then I find Fail2Ban useful in > > blacklisting addresses that are being naughty. Is it useful to block IP addresses at all? Either all addresses are blocked anyway, or a particular port is open and addresses are not blocked. If you need a port open and not all addresses blocked, then block all addresses except for the ones you want to allow. You can't prevent undesirable traffic from occupying your bandwidth anyway. Give it another 20 years and you might want to block 200 billion ipv6 addresses on top on your 200k ipv4 ones and you won't be able to tell anymore whether you live on Mars, Venus, Earth or further out. (But then, I kinda question that already all the time here.) ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Relabel /usr directory
nevermind, I think is fixed: ls -Z /usr unconfined_u:object_r:bin_t:s0 bin unconfined_u:object_r:usr_t:s0 local unconfined_u:object_r:usr_t:s0 gamesunconfined_u:object_r:bin_t:s0 sbin unconfined_u:object_r:usr_t:s0 include unconfined_u:object_r:usr_t:s0 share unconfined_u:object_r:lib_t:s0 lib unconfined_u:object_r:usr_t:s0 src unconfined_u:object_r:lib_t:s0 lib64unconfined_u:object_r:usr_t:s0 tmp unconfined_u:object_r:bin_t:s0 libexec isn't it? I simply re-enabled selinux in /etc/selinux/config and rebooted... HTH El mar., 4 feb. 2020 a las 14:59, Sergio Belkin () escribió: > Hi, > I've done the following: > - Copy usr content with rsync to another partition: > > rsync -av --partial --progress /usr/ /mnt > > Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not > the directory itself). But I've found that is bad labeled: > > ls -Z /usr > unconfined_u:object_r:unlabeled_t:s0 bin > unconfined_u:object_r:unlabeled_t:s0 local > unconfined_u:object_r:unlabeled_t:s0 games > unconfined_u:object_r:unlabeled_t:s0 sbin > unconfined_u:object_r:unlabeled_t:s0 include > unconfined_u:object_r:unlabeled_t:s0 share > unconfined_u:object_r:unlabeled_t:s0 lib > unconfined_u:object_r:unlabeled_t:s0 src > unconfined_u:object_r:unlabeled_t:s0 lib64 > unconfined_u:object_r:unlabeled_t:s0 tmp > > How can I restore the default contexts? > > I've tried with restorecon and with fixfiles, but no luck, for example: > > matchpathcon -V /usr > /usr error: No data available > > How can I fix this? > > Thanks in advance. > -- > -- > Sergio Belkin > LPIC-2 Certified - http://www.lpi.org > -- -- Sergio Belkin LPIC-2 Certified - http://www.lpi.org ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] Relabel /usr directory
Hi, I've done the following: - Copy usr content with rsync to another partition: rsync -av --partial --progress /usr/ /mnt Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not the directory itself). But I've found that is bad labeled: ls -Z /usr unconfined_u:object_r:unlabeled_t:s0 bin unconfined_u:object_r:unlabeled_t:s0 local unconfined_u:object_r:unlabeled_t:s0 games unconfined_u:object_r:unlabeled_t:s0 sbin unconfined_u:object_r:unlabeled_t:s0 include unconfined_u:object_r:unlabeled_t:s0 share unconfined_u:object_r:unlabeled_t:s0 lib unconfined_u:object_r:unlabeled_t:s0 src unconfined_u:object_r:unlabeled_t:s0 lib64 unconfined_u:object_r:unlabeled_t:s0 tmp How can I restore the default contexts? I've tried with restorecon and with fixfiles, but no luck, for example: matchpathcon -V /usr /usr error: No data available How can I fix this? Thanks in advance. -- -- Sergio Belkin LPIC-2 Certified - http://www.lpi.org ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Switching from lokkit (iptables) to firewalld
On Tue, 4 Feb 2020 at 05:37, Pete Biggs wrote: > On Mon, 2020-02-03 at 19:04 -0500, Jerry Geis wrote: > > Hi All, > > > > Over the last 20 some years I have a file with about 200K worth of > address > > that have "wrongly" tried to connect to my boxes running centos. So the > > file has one line per address or group of addresses like: > > 2.244.112.0/24 > > > > So using the OLD iptables I would run through my file build the > > iptables.txt file and start that with DROP for the IP address. iptables > ran > > through the big list in no time. > > > > I was trying to run a script to go through each line and run: > > firewall-cmd --zone=drop --add-source="$ipblock" --permanent > > but this takes a long time. > > > > What is a "better" way or more efficient way to keep my long list of bad > > addresses and apply them? Thanks, > > > > To some extent you need to ask yourself if a 20 year old blacklist is > really effective these days. Lots will have changed in that time and > many of the addresses will have been reassigned. > > Also, a 200k lump of addresses will surely slow down the processing of > incoming packets? > > It will because it is a linear list that every packet has to be 'judged' against. Even if you break it down to 2 or 3 trees it will still take a while. Any list of ip addresses is going to be outdated by a year because of how ranges are so dynamic these days. Most 'bad-guys' can jump around a couple hundred thousand or million ip addresses without much cost on their part and can get new ranges to screw around weekly. > Perhaps it's time to rethink what you do. Can you define what addresses > would "rightly" try and connect to your machine and whitelist those on > a normally closed system (rather than blacklisting those on a normally > open system). > > If you need the system to be open, then I find Fail2Ban useful in > blacklisting addresses that are being naughty. > > P. > > > ___ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos > -- Stephen J Smoogen. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] CentOS-announce Digest, Vol 180, Issue 1
Send CentOS-announce mailing list submissions to centos-annou...@centos.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-requ...@centos.org You can reach the person managing the list at centos-announce-ow...@centos.org When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..." Today's Topics: 1. CESA-2020:0316 Important CentOS 6 git SecurityUpdate (Johnny Hughes) -- Message: 1 Date: Mon, 3 Feb 2020 17:18:41 + From: Johnny Hughes To: centos-annou...@centos.org Subject: [CentOS-announce] CESA-2020:0316 Important CentOS 6 git SecurityUpdate Message-ID: <20200203171841.ga7...@bstore1.rdu2.centos.org> Content-Type: text/plain; charset=us-ascii CentOS Errata and Security Advisory 2020:0316 Important Upstream details at : https://access.redhat.com/errata/RHSA-2020:0316 The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: 09c33fa3d854ec572d47e1777eb492bad4da601c75f062705eb28e3c0d398d8c emacs-git-1.7.1-10.el6_10.noarch.rpm 4c6f1d6ba510e21725bd62b8dfb6c6d9e47d37466967b99fcbe721e4d51ca185 emacs-git-el-1.7.1-10.el6_10.noarch.rpm ed0db4ea5dac059c68b717c65588d09381c7e039364bdc40799874deb86bd186 git-1.7.1-10.el6_10.i686.rpm d4d3cf83bcf420dec15a40ece1e46eae11d25c10e8f3520395f23de0b3cd7942 git-all-1.7.1-10.el6_10.noarch.rpm 5e1f9333c06d91919bbf91b952f1a05e6019e434dddc658c909b1ef437bd633d git-cvs-1.7.1-10.el6_10.noarch.rpm 94521254452a54a6f286b40d56b5d16f928a4b0c49e31d65190b5def872a62cf git-daemon-1.7.1-10.el6_10.i686.rpm 6a7f7d56168682c1fee9d7444199dc25ceda8769e335f32fdfcb1306f56c7278 git-email-1.7.1-10.el6_10.noarch.rpm a5e11eb05ff35c1010924cfb5e49dbe607cd7ae33ccd2e3056ae1756c1940862 git-gui-1.7.1-10.el6_10.noarch.rpm 29a29cc9354d4c274ad1bdc1d745812f5e279361a6703d10e485a1979cf1a1c6 gitk-1.7.1-10.el6_10.noarch.rpm 0aeea040a18f1f12bafdeebc8602a50cae513718c3f468c029ee3141deca1ded git-svn-1.7.1-10.el6_10.noarch.rpm d1be7f6d39e863a3c77312ad75fc28f2f65c2ce6ae0dccf592f76a1a94f49e96 gitweb-1.7.1-10.el6_10.noarch.rpm a781d5c9c019eac9c075f9f920102f2e23af56ecdf331266e6a34e12021ac9c8 perl-Git-1.7.1-10.el6_10.noarch.rpm x86_64: 09c33fa3d854ec572d47e1777eb492bad4da601c75f062705eb28e3c0d398d8c emacs-git-1.7.1-10.el6_10.noarch.rpm 4c6f1d6ba510e21725bd62b8dfb6c6d9e47d37466967b99fcbe721e4d51ca185 emacs-git-el-1.7.1-10.el6_10.noarch.rpm 602e2888e6c62425064d00ffc0d5b32d88744dbd649514c62ea883f3fbba843b git-1.7.1-10.el6_10.x86_64.rpm d4d3cf83bcf420dec15a40ece1e46eae11d25c10e8f3520395f23de0b3cd7942 git-all-1.7.1-10.el6_10.noarch.rpm 5e1f9333c06d91919bbf91b952f1a05e6019e434dddc658c909b1ef437bd633d git-cvs-1.7.1-10.el6_10.noarch.rpm 13966625db9708d112fcfacfdbe0daf35fcebca0cb0aba8195eb890b3939717c git-daemon-1.7.1-10.el6_10.x86_64.rpm 6a7f7d56168682c1fee9d7444199dc25ceda8769e335f32fdfcb1306f56c7278 git-email-1.7.1-10.el6_10.noarch.rpm a5e11eb05ff35c1010924cfb5e49dbe607cd7ae33ccd2e3056ae1756c1940862 git-gui-1.7.1-10.el6_10.noarch.rpm 29a29cc9354d4c274ad1bdc1d745812f5e279361a6703d10e485a1979cf1a1c6 gitk-1.7.1-10.el6_10.noarch.rpm 0aeea040a18f1f12bafdeebc8602a50cae513718c3f468c029ee3141deca1ded git-svn-1.7.1-10.el6_10.noarch.rpm d1be7f6d39e863a3c77312ad75fc28f2f65c2ce6ae0dccf592f76a1a94f49e96 gitweb-1.7.1-10.el6_10.noarch.rpm a781d5c9c019eac9c075f9f920102f2e23af56ecdf331266e6a34e12021ac9c8 perl-Git-1.7.1-10.el6_10.noarch.rpm Source: 54ae1f568bb597329f85bb642aac8521d1143f5f09acd7627eff890ec9fd508a git-1.7.1-10.el6_10.src.rpm -- Johnny Hughes CentOS Project { http://www.centos.org/ } irc: hughesjr, #cen...@irc.freenode.net Twitter: @JohnnyCentOS -- Subject: Digest Footer ___ CentOS-announce mailing list centos-annou...@centos.org https://lists.centos.org/mailman/listinfo/centos-announce -- End of CentOS-announce Digest, Vol 180, Issue 1 *** ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Switching from lokkit (iptables) to firewalld
On Mon, 2020-02-03 at 19:04 -0500, Jerry Geis wrote: > Hi All, > > Over the last 20 some years I have a file with about 200K worth of address > that have "wrongly" tried to connect to my boxes running centos. So the > file has one line per address or group of addresses like: > 2.244.112.0/24 > > So using the OLD iptables I would run through my file build the > iptables.txt file and start that with DROP for the IP address. iptables ran > through the big list in no time. > > I was trying to run a script to go through each line and run: > firewall-cmd --zone=drop --add-source="$ipblock" --permanent > but this takes a long time. > > What is a "better" way or more efficient way to keep my long list of bad > addresses and apply them? Thanks, > To some extent you need to ask yourself if a 20 year old blacklist is really effective these days. Lots will have changed in that time and many of the addresses will have been reassigned. Also, a 200k lump of addresses will surely slow down the processing of incoming packets? Perhaps it's time to rethink what you do. Can you define what addresses would "rightly" try and connect to your machine and whitelist those on a normally closed system (rather than blacklisting those on a normally open system). If you need the system to be open, then I find Fail2Ban useful in blacklisting addresses that are being naughty. P. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] Kernel downgrade on Centos 8
Dear team Is it possible of downgrade the kernel in Centos 8 to any kernel from Centos 7 (or even latest kernel from Censto 7 Series) ? Has this been disabled intensionally or it will not work all together Thanks and regards Akshar ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] CentOS bookmarks
Hi, A minor thing: in CentOS bookmarks (those are provided by the Firefox package I think) there is a link to CentOS documentation: http://www.centos.org/docs/7/ ; it gives 404. Best regards -- Dimitri Zelenkin Devexperts Inc ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos