Re: [CentOS] No kernel-modules for 5.14.0-210 - Centos Stream 9 Vagrant Box

2022-12-14 Thread Daniel Hiller
Nevermind, it just seemed to have healed itself :-/

On Wed, 14 Dec 2022 at 12:40, Daniel Hiller <
daniel.hiller.1...@gmail.com> wrote:

> Hi everyone,
>
> we are using
>
>
> https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.vagrant-libvirt.box
>
> together with
>
>
> http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/initrd.img
>
> http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/vmlinuz
>
> to create a vm inside a container. (Why we are doing this would be a
> longer story BTW)
>
> During the process of configuring the VM we are installing kernel-modules
>
> dnf install -y "kernel-modules-$(uname -r)"
>
> This has worked until around yesterday afternoon.
>
> Now it's failing with
>
> No match for argument: kernel-modules-5.14.0-210.el9.x86_64
> Error: Unable to find a match: kernel-modules-5.14.0-210.el9.x86_64
>
> What we noticed was that this occurred after the kernel had changed from
> 5.14.0-205. I suspect that this might be related to vmlinuz and/or
> initrd.img updates, since I've seen those having changed on 9th / 12th of
> Dec 2022.
>
> Does someone have an idea on how we can fix this in the short run? Or do
> we need to wait for "someone" to fix it, and who would that be?
>
> Thanks in advance,
> Daniel Hiller
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] No kernel-modules for 5.14.0-210 - Centos Stream 9 Vagrant Box

2022-12-14 Thread Daniel Hiller
Hi everyone,

we are using

https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.vagrant-libvirt.box

together with

http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/initrd.img
http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/vmlinuz

to create a vm inside a container. (Why we are doing this would be a longer
story BTW)

During the process of configuring the VM we are installing kernel-modules

dnf install -y "kernel-modules-$(uname -r)"

This has worked until around yesterday afternoon.

Now it's failing with

No match for argument: kernel-modules-5.14.0-210.el9.x86_64
Error: Unable to find a match: kernel-modules-5.14.0-210.el9.x86_64

What we noticed was that this occurred after the kernel had changed from
5.14.0-205. I suspect that this might be related to vmlinuz and/or
initrd.img updates, since I've seen those having changed on 9th / 12th of
Dec 2022.

Does someone have an idea on how we can fix this in the short run? Or do we
need to wait for "someone" to fix it, and who would that be?

Thanks in advance,
Daniel Hiller
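An added preflight check for the `dnf install` step above; it is example code written for this page, not something from the original post or from CentOS tooling. It compares the kernel the VM actually booted with the kernel-modules builds the enabled repositories offer and reports the mismatch before the install is attempted, instead of failing with "No match for argument". The repoquery output embedded below is a constructed sample so the function can be run offline; the comment at the end shows the live call.

```shell
#!/bin/sh
# Added example, not from the original thread. Check that the enabled repos
# carry kernel-modules for the kernel the VM booted before trying to install
# it: the pxeboot vmlinuz/initrd on the mirror and the kernel-modules packages
# in BaseOS are updated separately and can be out of step for a while.

# resolve_kernel_modules RUNNING AVAILABLE
#   RUNNING   output of `uname -r`, e.g. 5.14.0-210.el9.x86_64
#   AVAILABLE newline-separated list as printed by
#             dnf -q repoquery --available \
#                 --qf '%{name}-%{version}-%{release}.%{arch}' kernel-modules
# Prints the exact package name and returns 0 when a match exists; otherwise
# prints a diagnostic naming the newest build to stderr and returns 1.
resolve_kernel_modules() {
    running="$1"
    available="$2"
    wanted="kernel-modules-${running}"
    if printf '%s\n' "$available" | grep -qxF "$wanted"; then
        printf '%s\n' "$wanted"
        return 0
    fi
    # No build for this kernel: name the newest one the repo does have, so the
    # operator can decide to boot that kernel instead of the pxeboot one.
    newest=$(printf '%s\n' "$available" | grep '^kernel-modules-' | sort -V | tail -n 1)
    printf 'no kernel-modules for running kernel %s (newest available: %s)\n' \
        "$running" "${newest:-none}" >&2
    return 1
}

# Constructed sample of repoquery output; not real repository state.
SAMPLE_AVAILABLE='kernel-modules-5.14.0-200.el9.x86_64
kernel-modules-5.14.0-205.el9.x86_64
kernel-modules-5.14.0-212.el9.x86_64'

# On a CentOS Stream 9 guest the live call is:
#   if pkg=$(resolve_kernel_modules "$(uname -r)" \
#            "$(dnf -q repoquery --available \
#                --qf '%{name}-%{version}-%{release}.%{arch}' kernel-modules)"); then
#       dnf install -y "$pkg"
#   fi
```

In the thread the problem went away on its own once the repository content caught up. The durable fix is to take the kernel and its modules from the same source: install the `kernel` package the repository has and boot that, rather than booting a pxeboot vmlinuz/initrd that moves independently of the packages.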


[CentOS] unsubscribe

2020-12-08 Thread Daniel Worden
Could you please unsubscribe this email address. I was not aware of the volume
of messages this would create and I would like to resubscribe using a different
email address.

Thank you,
Daniel Worden


[CentOS-docs] Spanish translator here!

2020-09-28 Thread Daniel Aguilar
Hello.

My name is Daniel Aguilar, I'm a linux administrator from Venezuela.
I've been using Centos distribution for the last 2 years and now I would
like to contribute to this community translating texts to spanish, my
native language.
I don't know exactly what I have to do to start translating things. So if somebody
can give me a hint I'll appreciate it a lot.

Regards.
___
CentOS-docs mailing list
CentOS-docs@centos.org
https://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS-virt] CentOS-virt Digest, Vol 156, Issue 3

2020-09-14 Thread Daniel Sichel
Make sure that the interface that you are bridging to is not a wireless 
interface otherwise it won't work. Very deep in the documentation about setting 
up KVM there is a warning about that it's something about how they initiate 
connections on a wireless interface is different than on a wired one and it 
breaks things in KVM bridging.

Daniel Sichel


From: CentOS-virt on behalf of centos-virt-requ...@centos.org
Sent: Monday, September 14, 2020 5:00:03 AM
To: centos-virt@centos.org 
Subject: CentOS-virt Digest, Vol 156, Issue 3

Send CentOS-virt mailing list submissions to
centos-virt@centos.org

To subscribe or unsubscribe via the World Wide Web, visit

https://lists.centos.org/mailman/listinfo/centos-virt
or, via email, send a message with subject or body 'help' to
centos-virt-requ...@centos.org

You can reach the person managing the list at
centos-virt-ow...@centos.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS-virt digest..."


Today's Topics:

   1. Re: Centos + VM + public ip (Subscriber)
   2. Re: Centos + VM + public ip (Soumya Bhowmik)


--

Message: 1
Date: Sun, 13 Sep 2020 15:47:00 +0300 (EEST)
From: Subscriber 
To: Discussion about the virtualization on CentOS

Subject: Re: [CentOS-virt] Centos + VM + public ip
Message-ID:
<1516494674.1906.161220556.javamail.zim...@agoris.net.ua>
Content-Type: text/plain; charset=utf-8

> Hi,
>
> I've got a dedicated server with OVH and I'd like to host a public VM. I'd 
> like
> Centos OS 7 or 8, I installed KVM already, I got the VM and bought the IP and
> created a virtual mac id. I know I have to bridge it somehow but I can't seem
> to find a proper tutorial. Do you know where to start?

You can do next:
1) Create bridge interface (for example br0) on dedicated server. Associate 
this interface with your Ethernet interface and assign IP address to br0.
2a) When you would create VM add parameter --network=bridge:br0 to the 
virt-install in command line. Or smth similar if you create VM in another way.
2b) Or edit xml file for your VM and add or change config:

  
  
  
  

3) Inside the VM assign real/public IP to you Ethernet (probably eth0) 
interface.

That's all.

If you have additional questions or you need more detail explanation you can 
write me directly.


--

Message: 2
Date: Sun, 13 Sep 2020 13:15:02 + (UTC)
From: Soumya Bhowmik 
To: Discussion about the virtualization on CentOS

Subject: Re: [CentOS-virt] Centos + VM + public ip
Message-ID: <868650482.1233750.162902...@mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"

You can create bridge in CentOS 7 withbr command line tool. In case if CentOS 
8, bridge can be created with nmcli, cockpit or nm-connection-editor.


Sent from Yahoo Mail on Android

On Mon, 7 Sep 2020 at 9:54 PM, Yoram Halberstam wrote:
Hi,
I've got a dedicated server with OVH and I'd like to host a public VM. I'd like 
Centos OS 7 or 8, I installed KVM already, I got the VM and bought the IP and 
created a virtual mac id. I know I have to bridge it somehow but I can't seem 
to find a proper tutorial. Do you know where to start?


Thanks
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt

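The three steps in the reply above, as an added example that is not part of the digest, of the hosting provider's documentation or of libvirt: a host bridge built with nmcli, the libvirt interface element that attaches the guest to it with the provider's virtual MAC, and a check that the MAC is a well-formed unicast address before it goes into the guest definition. The interface name `eno1`, the bridge name `br0` and the MAC `52:54:00:ab:cd:ef` are assumptions.

```shell
#!/bin/sh
# Added example for the three steps in the reply; not code from the list,
# from the provider or from libvirt. Assumed names: eno1 is the host's wired
# uplink, br0 the bridge, 52:54:00:ab:cd:ef the virtual MAC bought from the
# provider (the provider routes the public IP only to frames from that MAC).

# Step 1 (host, as root): bridge br0 enslaving the wired uplink; the host's
# own address moves onto br0. The uplink must be wired: in station mode an
# access point only accepts frames carrying the station's own MAC, so a
# Wi-Fi uplink cannot carry the guest's MAC (the warning mentioned in the
# digest reply). Run from the console, not over SSH on that same NIC.
make_host_bridge() {
    uplink="$1"; bridge="$2"
    nmcli connection add type bridge ifname "$bridge" con-name "$bridge" bridge.stp no
    nmcli connection add type ethernet slave-type bridge ifname "$uplink" \
        con-name "$bridge-port0" master "$bridge"
    nmcli connection modify "$bridge" ipv4.method auto ipv6.method auto
    nmcli connection up "$bridge"
}

# Six hex octets, unicast (lowest bit of the first octet clear). Upper case
# is accepted and folded to the lower case libvirt uses.
valid_unicast_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(printf '%s' "$mac" | cut -d: -f1)
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Step 2: the <interface> element to paste into `virsh edit` (the same thing
# `virt-install --network bridge=br0,mac=...` generates). A malformed or
# multicast MAC is refused rather than producing a guest whose frames the
# provider's anti-spoofing filter would silently drop.
libvirt_bridge_interface() {
    bridge="$1"; mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    valid_unicast_mac "$mac" || { echo "bad MAC: $2" >&2; return 1; }
    printf '<interface type="bridge">\n'
    printf '  <source bridge="%s"/>\n' "$bridge"
    printf '  <mac address="%s"/>\n' "$mac"
    printf '  <model type="virtio"/>\n'
    printf '</interface>\n'
}

# Step 3 is done inside the guest: configure eth0 with the public IP and the
# gateway the provider lists for it, and enable the guest's own firewall. The
# guest now sits directly on the provider's network; the host's netfilter
# rules do not see bridged traffic unless br_netfilter is loaded.

# Network changes only on explicit request, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    make_host_bridge eno1 br0
    libvirt_bridge_interface br0 52:54:00:ab:cd:ef
fi
```

Run with `--apply` on the host to create the bridge and print the element for the guest definition; without the flag the file only defines the functions.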



Re: [CentOS] Docker container isolation not working in CentOS 7

2020-08-11 Thread Daniel Walsh
On 8/10/20 11:33, Nicolas Kovacs wrote:
> On 10/08/2020 at 17:03, Roberto Ragusa wrote:
>> Where is your docker coming from?
> From the CentOS repository on Docker.com:
>
> $ head -n 7 /etc/yum.repos.d/docker-ce.repo
> [docker-ce-stable]
> name=Docker CE Stable - $basearch
> baseurl=https://download.docker.com/linux/centos/7/$basearch/stable
> enabled=1
> gpgcheck=1
> gpgkey=https://download.docker.com/linux/centos/gpg
>
> Nearly all the online tutorials and Docker documentation strongly suggest to
> install Docker CE from this source.
>
>
You might want to take a look at Podman while you are at it.



Re: [CentOS] Running CentOS 6 in a Docker container on a non-CentOS host

2020-03-10 Thread Daniel Walsh
On 3/10/20 04:31, Peter Kjellström wrote:
> On Mon, 9 Mar 2020 16:16:01 -0400
> Alfred von Campe  wrote:
>
>>> On Mar 5, 2020, at 6:05, Peter Kjellström wrote:
>>>
>>> You can use singularity. The following example makes an image by
>>> pulling from centos on dockerhub:  
>> Interesting!  However, I would prefer to use more “native” Docker
>> commands, as I would rather not have all developers install and
>> configure Singularity when they already have Docker installed on
>> their systems.
> Docker could pull from the same dockerhub url as singularity. I just
> used singularity in my example because thats what I use and know. Its
> main advantage is the no-root-required part..
>
> /Peter

You could always  use podman and get the best of both worlds.



Re: [CentOS] Good wifi NIC?

2020-01-22 Thread Daniel Abad Abanades
Hi Jeff,

May I ask whether you have used this very same NIC successfully with CentOS 7?

Cheers,
Daniel


From: CentOS [centos-boun...@centos.org] on behalf of Jeffrey Layton
[layto...@gmail.com]
Sent: Wednesday, 22 January 2020 15:13
To: centos@centos.org
Subject: [CentOS] Good wifi NIC?

Good morning,

I'm looking for a good USB Wifi NIC that will work with the kernel modules
for a stock CentOS 8.1. I have an ALFA AWUS036ACH NIC but it looks like the
drivers need to be compiled for the kernel and I'm having trouble with that.
So I'd like something that works, but not necessarily high performing, so I
can build the drivers for the ALFA NIC.

Thanks!

Jeff


Re: [CentOS] using RedHat binary packages?

2019-07-03 Thread Daniel Pacek
some light reading 
https://www.redhat.com/licenses/Appendix_1_Global_English_20190625.pdf


Dan Pacek




> On Jul 3, 2019, at 11:11 AM, Mark Rousell  wrote:
> 
> On 03/07/2019 15:58, Valeri Galtsev wrote:
>> RHEL binary packages are only available to paid customers who are explicitly 
>> prohibited to redistribute them.
> 
> For the sake of completeness, not everyone with legitimate access to
> RHEL binaries is necessarily a *paid* customer. Red Hat provides a free
> dev licence so anyone can legitimately access RHEL binaries (and source
> RPMs of course) for free, although the use to which one may put the
> binaries is limited by the licence.
> 
> 
> -- 
> Mark Rousell
> 
> 
> 
> 



[CentOS] Own CentOS MirrorList

2019-06-10 Thread Daniel Watson
Hi Guys

Apologies in advance for the noise.

I am interested in setting up my OWN mirrorlist like
http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock where
it pulls a few local mirrors, but mine would be statically set with 3 or 4
different location URLs

Basically my plan here is,  if the closest mirror I operate cannot be reached, 
it will try another mirror from a different geographic location

I was wondering if anybody on-list might be able to provide some insight on how
I can accomplish this? And use ?release= and &arch= and &repo= ?

Any assistance would be greatly appreciated.

Cheers

D 

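An added example of the static mirrorlist the post describes, written for this page and not taken from the CentOS mirrorlist service. A mirrorlist URL only has to return one baseurl per line; yum and dnf try the entries in order and move to the next when one fails, which is the geographic failover the post asks for with no extra logic. The mirror hostnames and the path layout are assumptions; the CGI entry point is inert unless a web server sets QUERY_STRING, so the functions can also be exercised directly.

```shell
#!/bin/sh
# Added example, not from the original post or from the CentOS mirrorlist
# service. A mirrorlist endpoint answers with one baseurl per line; yum/dnf
# try them in that order and fall through on failure. Install as a CGI (e.g.
# an Apache ScriptAlias) so that a client .repo file with
#   mirrorlist=https://mirrors.example.internal/cgi-bin/mirrorlist?release=$releasever&arch=$basearch&repo=os
# resolves to your own mirrors. Hostnames below are assumptions.

# query_param KEY QUERY_STRING -> value of KEY, empty if absent.
query_param() {
    key="$1"; qs="$2"
    printf '%s\n' "$qs" | tr '&' '\n' | sed -n "s/^${key}=//p" | head -n 1
}

# render_mirrorlist RELEASE ARCH REPO -> the list, closest site first.
# Only [A-Za-z0-9._-] is accepted in each value so that a request cannot
# inject path components (../) or arbitrary text into the response.
render_mirrorlist() {
    release="$1"; arch="$2"; repo="$3"
    for v in "$release" "$arch" "$repo"; do
        printf '%s\n' "$v" | grep -Eq '^[A-Za-z0-9._-]+$' || return 1
    done
    for host in mirror-eu.example.internal mirror-us.example.internal mirror-ap.example.internal; do
        # same layout as mirror.centos.org: /centos/<release>/<repo>/<arch>/
        printf 'https://%s/centos/%s/%s/%s/\n' "$host" "$release" "$repo" "$arch"
    done
}

# CGI entry point; does nothing unless a web server hands us a query string.
if [ -n "${QUERY_STRING:-}" ]; then
    if body=$(render_mirrorlist "$(query_param release "$QUERY_STRING")" \
                                "$(query_param arch "$QUERY_STRING")" \
                                "$(query_param repo "$QUERY_STRING")"); then
        printf 'Content-Type: text/plain\r\n\r\n%s\n' "$body"
    else
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad parameters\n'
    fi
fi
```

Two points worth keeping: serve the redirector and the mirrors over HTTPS, and leave `gpgcheck=1` with the CentOS signing key in the client repo file, because neither a mirror nor anyone who can answer for the mirrorlist URL should be able to hand out unsigned packages. On CentOS 7 the same failover is also available with no service at all: `baseurl=` in a .repo file accepts several URLs, and `failovermethod=priority` makes yum try them in the listed order.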


Re: [CentOS] Docker on Centos 7

2019-01-05 Thread Daniel Walsh
On 1/4/19 9:50 PM, H wrote:
> On 01/04/2019 09:16 PM, H wrote:
>> On 01/04/2019 08:27 AM, Daniel Walsh wrote:
>>> On 1/4/19 8:22 AM, Daniel Walsh wrote:
>>>> On 1/3/19 10:19 PM, H wrote:
>>>>> I recently updated docker to version 18.09 and I seem to have lost the 
>>>>> container id in the command prompt when I exec into a running container, 
>>>>> a very useful feature in the previous version I was running. I have not 
>>>>> found any information in the Docker General Forum.
>>>>>
>>>>> Has anyone else seen this?
>>>>>
>>>> Most likely you had hostname set in the bash prompt.  By default
>>>> containers run with the hostname=containerid.
>>>>
>>>>
>>>> # podman run -v /usr/bin/hostname:/usr/bin/hostname -ti fedora hostname
>>>> 3ac978bc84be
>>>>
>>>>
>>>> PS1="\h$ " Should give you what you want
>>>>
>>>> # podman run -ti fedora sh
>>>> sh-4.4# PS1="\h# "
>>>> 9007d2f699fb# exit
>>>> #
>>>>
>>>> But I think this would need to be added to the .bashrc or .bash_profile
>>>> inside of the container image you are running.
>>> Also if you execute sh -l instead of sh, it will do what you want.
>>>
>>>
>>> podman run -ti fedora sh -l
>>> [root@81674750cd2a /]#
>>> [root@81674750cd2a /]# exit
>>>
>>>
>> But when/why did this change? Is there a change in docker that resulted in 
>> this? Or was it the latest update to CentOS 7?
>>
>> I have not made any changes otherwise.
>>
> I should have added that I do not use podman to run my docker containers.
>

I don't think this is a change in either podman or docker.  There might
have been a change in the container image that you were running and
seeing this behavior.  Perhaps the centos image was set up to do this
automatically.

BTW Podman and Docker run the same containers, i.e. any container image
stored at any container registry (Docker.io, Quay.io,
registry.centos.org ...)






Re: [CentOS] Docker on Centos 7

2019-01-04 Thread Daniel Walsh
On 1/4/19 8:22 AM, Daniel Walsh wrote:
> On 1/3/19 10:19 PM, H wrote:
>> I recently updated docker to version 18.09 and I seem to have lost the 
>> container id in the command prompt when I exec into a running container, a 
>> very useful feature in the previous version I was running. I have not found 
>> any information in the Docker General Forum.
>>
>> Has anyone else seen this?
>>
>
> Most likely you had hostname set in the bash prompt.  By default
> containers run with the hostname=containerid.
>
>
> # podman run -v /usr/bin/hostname:/usr/bin/hostname -ti fedora hostname
> 3ac978bc84be
>
>
> PS1="\h$ " Should give you what you want
>
> # podman run -ti fedora sh
> sh-4.4# PS1="\h# "
> 9007d2f699fb# exit
> #
>
> But I think this would need to be added to the .bashrc or .bash_profile
> inside of the container image you are running.

Also if you execute sh -l instead of sh, it will do what you want.


podman run -ti fedora sh -l
[root@81674750cd2a /]#
[root@81674750cd2a /]# exit




Re: [CentOS] Docker on Centos 7

2019-01-04 Thread Daniel Walsh
On 1/3/19 10:19 PM, H wrote:
> I recently updated docker to version 18.09 and I seem to have lost the 
> container id in the command prompt when I exec into a running container, a 
> very useful feature in the previous version I was running. I have not found 
> any information in the Docker General Forum.
>
> Has anyone else seen this?
>

Most likely you had hostname set in the bash prompt.  By default
containers run with the hostname=containerid.


# podman run -v /usr/bin/hostname:/usr/bin/hostname -ti fedora hostname
3ac978bc84be


PS1="\h$ " Should give you what you want

# podman run -ti fedora sh
sh-4.4# PS1="\h# "
9007d2f699fb# exit
#

But I think this would need to be added to the .bashrc or .bash_profile
inside of the container image you are running.



Re: [CentOS] centos docker which repo (centos or docker)

2018-12-28 Thread Daniel Walsh
On 12/27/18 6:48 AM, Yamaban wrote:
> On Thu, 27 Dec 2018 11:56 CET, ralf.prengel@... wrote:
> 
>> My question:
>>
>> Should I use docker from the standard repo or the version from the
>> docker-repo?
>
> Main diff between std-repo and docker-repo:
>
> std-repo:
>    works. stable. not the newest, shiniest version, but one that works.
>
> docker-repo:
>    works most of the time mostly, has sometimes a erratic or
> memory-eating
>    behavior, the newest, most feature-rich, shiniest version, with all
> the
>    bugs of new-new-new.
>
> It's a matter of choosing your poison. If you are happy with the features
> of the std-repo version, imho stay with it.
>
> That's my exp. Yours may differ. Others should speak up, too, please.
>
>  - Yamaban.

You could also take a look at `podman`, a daemonless alternative to
Docker.



Re: [CentOS] Centos7 & Selinux & Tor

2018-10-23 Thread Daniel Walsh
On 10/23/18 2:49 PM, Robin Lee wrote:
> On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote:
>> I've just encountered a problem starting tor. When I do 'systemctl
>> start tor' it fails and I get selinux errors in the log. There was
>> suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'.
>> Which I did and it gave the following
>>
>> type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D7665726966792D636F6E666967
>>
>> type=PATH msg=audit(1539540150.692:60570): item=0 name="/var/lib/tor/hidden_service/" inode=201616393 dev=fd:02 mode=040700 ouid=494 ogid=490 rdev=00:00 obj=system_u:object_r:tor_var_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
>>
>> type=CWD msg=audit(1539540150.692:60570):  cwd="/"
>>
>> type=SYSCALL msg=audit(1539540150.692:60570): arch=c000003e syscall=2 success=no exit=-13 a0=562d3767da80 a1=2 a2=0 a3=1 items=1 ppid=1 pid=18283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key=(null)
>>
>> type=AVC msg=audit(1539540150.692:60570): avc:  denied  { dac_read_search } for  pid=18283 comm="tor" capability=2  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
>>
>> type=AVC msg=audit(1539540150.692:60570): avc:  denied  { dac_override } for  pid=18283 comm="tor" capability=1  scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability
>>
>> So I had a look at the permissions for /var/lib/tor/hidden_service/ and
>> they were
>>
>> drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 hidden_service
> Still trying to figure out this selinux issue :( 
>
> Perhaps somebody could point me to the best mailing list/forum/tracker
> for this kind of issue?
Most likely this is tor running as root and trying to access this file.
> Cheers
> Robin
>




Re: [CentOS] Type enforcement / mechanism not clear

2018-09-10 Thread Daniel Walsh

On 09/10/2018 09:41 AM, Leon Fauster via CentOS wrote:

Am 09.09.2018 um 16:19 schrieb Daniel Walsh :

On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote:

Am 09.09.2018 um 14:49 schrieb Daniel Walsh :

On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:

Any SElinux expert here - briefly:

# getenforce
Enforcing

# sesearch -ACR -s httpd_t  -c file -p read |grep system_conf_t


# sesearch -ACR -s httpd_t  -c file -p read |grep syslog_conf_t


# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf

# ausearch -m avc --start recent
type=SYSCALL msg=audit(1536457230.922:85): arch=c000003e syscall=6 success=no exit=-13 a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1536457230.922:85): avc:  denied  { getattr } for  pid=1364 comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file


My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both
no rule are found (sesearch above). So, why the script can read sysctl.conf?


Because almost no apache servers would normally be walking through /etc reading
configuration files.  Do your scripts actually need to read these config files?


Normally, sure - but a malicious developer (or attacker) will do. So, I'm
evaluating different approaches to secure our platform. It's possible to limit
fs access in PHP but this comes with a massive performance penalty.

Well, I do not want to discuss that all "etc_t" files can be read but why
sysctl.conf with "system_conf_t" type can be read where it shouldn't??

Any pointer would be greatly appreciated.


We allow apache and all domains to read all of what we define as 
base_ro_file_type types.

sesearch -A -s httpd_t -t system_conf_t -p read
allow domain base_ro_file_type:dir { getattr ioctl lock open read search };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read };


The base_ro_file_types are files executables that we consider part of the OS.  
So reading them should not reveal secrets.



Thanks for the pointer. Puuh, this gets very layered but the big picture on the 
other side gets more clear

So, to get a list of files that are allowed to be read, the masking attributes 
must be resolved:

# sesearch -ACR -s httpd_t  -p read | grep -v "_t " | head -7

You could add a -c file to the above to only look at `class files`

Found 694 semantic av rules:
allow domain tmpfile : file { ioctl read getattr lock append } ;
allow domain configfile : file { ioctl read getattr lock open } ;
allow domain configfile : dir { ioctl read getattr lock search open } ;
allow domain configfile : lnk_file { read getattr } ;
allow domain rpm_transition_domain : fifo_file { ioctl read write getattr lock append } ;
allow domain base_ro_file_type : file { ioctl read getattr lock open } ;


Looking for sysctl.conf's type :

# for m in tmpfile configfile rpm_transition_domain base_ro_file_type ; do echo ${m}:$(seinfo -a${m} -x |grep system_conf_t) ; done
tmpfile:
configfile: system_conf_t
rpm_transition_domain:
base_ro_file_type: system_conf_t


If the output of sesearch shows the preferred order then the "configfile" 
attribute allows actually the access ??




If you feel that these files should not be part of the base_ro_files then we 
should open that for discussion.

Despite this concrete case, a good practice is the one that follows the "need to
know" principle. I will "disable" some read access here locally and accumulate
some experiences with this approach.

--
LF



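As an added illustration of the attribute expansion Dan describes above (example code written for this page, not part of the thread or of setools): `sesearch -A` already expands attributes, so the rules it prints may name an attribute where the query named a type. The helper below reads that output and says, for each rule granting `read` on class `file`, whether it matched the literal types or an attribute pair, which is exactly the "why can php-fpm read sysctl.conf but not rsyslog.conf" question. The two rule sets are the ones quoted in the thread, embedded so the parser runs without a loaded policy; the live wrapper assumes GNU `stat` and setools on the path.

```shell
#!/bin/sh
# Added example, not from the thread or from setools. Explains which allow
# rules let a source domain read files of a target type, naming the attribute
# pair when a rule applies only through attributes (the "domain ->
# base_ro_file_type" case that makes /etc/sysctl.conf readable by httpd_t).

# Live query for a file: rules letting DOMAIN read the file's type, e.g.
#   sesearch_read_rules httpd_t /etc/sysctl.conf
sesearch_read_rules() {
    t=$(stat -c %C "$2" | cut -d: -f3)
    sesearch -A -s "$1" -t "$t" -c file -p read
}

# explain_read_rules SRC TGT RULES
# RULES is sesearch -A output (setools 3 or 4 spacing). Prints one line per
# rule that grants read on class file, e.g.
#   attribute domain -> attribute base_ro_file_type
# and returns 1 when no rule grants it.
explain_read_rules() {
    src="$1"; tgt="$2"; rules="$3"
    printf '%s\n' "$rules" | sed 's/ : /:/; s/ ;$/;/' | awk -v src="$src" -v tgt="$tgt" '
    $1 == "allow" {
        split($3, ct, ":"); rsrc = $2; rtgt = ct[1]; cls = ct[2]
        if (cls != "file") next
        perms = " "; inperm = 0; cond = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "};") { inperm = 0; continue }
            if (inperm) { perms = perms $i " "; continue }
            if ($i == "[") cond = $(i + 1)     # setools 4: "[ boolean ]:True"
        }
        if (index(perms, " read ") == 0) next
        how = (rsrc == src ? "type " src : "attribute " rsrc)
        how = how " -> " (rtgt == tgt ? "type " tgt : "attribute " rtgt)
        if (cond != "") how = how " (only while boolean " cond " is on)"
        print how
        found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed from the output quoted in the thread: what sesearch printed for
# system_conf_t (/etc/sysctl.conf) ...
RULES_SYSTEM_CONF='allow domain base_ro_file_type:dir { getattr ioctl lock open read search };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read };'
# ... and for syslog_conf_t (/etc/rsyslog.conf) it printed nothing.
RULES_SYSLOG_CONF=''
```

Run against the embedded samples the helper reports two attribute-based rules for `system_conf_t` and none for `syslog_conf_t`, which is the difference between the two AVC results in the thread: `system_conf_t` carries the `base_ro_file_type` attribute and `syslog_conf_t` does not. Rules that only apply while a boolean is on are flagged, since `sesearch -A` lists them regardless of the boolean's current value.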


Re: [CentOS] Type enforcement / mechanism not clear

2018-09-09 Thread Daniel Walsh

On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote:

Am 09.09.2018 um 14:49 schrieb Daniel Walsh :

On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:

Any SElinux expert here - briefly:

# getenforce
Enforcing

# sesearch -ACR -s httpd_t  -c file -p read |grep system_conf_t


# sesearch -ACR -s httpd_t  -c file -p read |grep syslog_conf_t


# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf

# ausearch -m avc --start recent
type=SYSCALL msg=audit(1536457230.922:85): arch=c000003e syscall=6 success=no exit=-13 a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1536457230.922:85): avc:  denied  { getattr } for  pid=1364 comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file


My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both
no rule are found (sesearch above). So, why the script can read sysctl.conf?


Because almost no apache servers would normally be walking through /etc reading
configuration files.  Do your scripts actually need to read these config files?



Normally, sure - but a malicious developer (or attacker) will do. So, I'm
evaluating different approaches to secure our platform. It's possible to limit
fs access in PHP but this comes with a massive performance penalty.

Well, I do not want to discuss that all "etc_t" files can be read but why
sysctl.conf with "system_conf_t" type can be read where it shouldn't??

Any pointer would be greatly appreciated.

--
LF




We allow apache and all domains to read all of what we define as 
base_ro_file_type types.


sesearch -A -s httpd_t -t system_conf_t -p read
allow domain base_ro_file_type:dir { getattr ioctl lock open read search };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read };



The base_ro_file_types are files executables that we consider part of 
the OS.  So reading them should not reveal secrets.  If you feel that 
these files should not be part of the base_ro_files then we should open 
that for discussion.




Re: [CentOS] Type enforcement / mechanism not clear

2018-09-09 Thread Daniel Walsh

On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:

Any SElinux expert here - briefly:


# getenforce
Enforcing

# sesearch -ACR -s httpd_t  -c file -p read |grep system_conf_t


# sesearch -ACR -s httpd_t  -c file -p read |grep syslog_conf_t


# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf

# ausearch -m avc --start recent
type=SYSCALL msg=audit(1536457230.922:85): arch=c000003e syscall=6 success=no exit=-13 a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1536457230.922:85): avc:  denied  { getattr } for  pid=1364 comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file


My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both
no rule are found (sesearch above). So, why the script can read sysctl.conf?

--
Thanks,
LF


Because almost no apache servers would normally be walking through /etc
reading configuration files.  Do your scripts actually need to read these
config files?




Re: [CentOS] selinux question

2018-08-21 Thread Daniel Walsh

On 08/21/2018 12:27 PM, Nataraj wrote:

I have a web application which uses sudo to invoke python scripts as the
user under which the application runs (NO root access).  Is there any
reason why sudo would would require sys_ptrace access for this?  I only
get this violation intermittenly, and not with every call to sudo.
Here's the violation:
Most likely you can just dontaudit this access.  sys_ptrace is often 
caused by processes trying to read content in /proc.

Summary:

SELinux is preventing sudo (httpd_t) "sys_ptrace" to  (httpd_t).

Detailed Description:

SELinux denied access requested by sudo. It is not expected that this access is
required by sudo and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                system_u:system_r:httpd_t
Target Objects                None [ capability ]
Source                        sudo
Source Path                   /usr/bin/sudo
Port
Host                          myhost.mydomain.com
Source RPM Packages           sudo-1.7.2p1-29.el5_10
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-351.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     myhost.mydomain.com
Platform                      Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP
                              Fri Feb 24 22:06:09 UTC 2017 i686 i686
Alert Count                   359
First Seen                    Tue Oct  8 09:24:50 2013
Last Seen                     Tue Aug 21 10:26:26 2018
Local ID                      717eb9a4-cc7f-4ed1-b638-5db1a841abe4
Line Numbers

Raw Audit Messages

host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc:  denied  { sys_ptrace } for  pid=8458 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=40000003 syscall=3 success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)


Thank You,

Nataraj



___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos





[CentOS-docs] CentOS PaaS SIG wiki

2018-05-22 Thread Daniel Comnea
Hi,

Being part of the CentOS PaaS SIG committee I'd like to request access to
the PaaS wiki page and all its child pages so I can start editing the
content and keep it up to date.


My Wiki user name is DanielComnea.

Please let me know if you need any other information.


Thank you,
Daniel
___
CentOS-docs mailing list
CentOS-docs@centos.org
https://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS] Unable to access network from docker container

2018-04-07 Thread Daniel Walsh

On 04/06/2018 03:50 PM, H wrote:

On April 5, 2018 4:49:57 PM EDT, H  wrote:

I have recently installed docker and am playing around with it. On a
CentOS 7 machine, however, I am unable to get access to the outside
internet, thus yum ... fails. The host machine runs fine.

I am wondering if there are some networking settings on the host I need
to modify to allow the docker container to connect to the outside?


Resolved the issue by rebooting the computer but had to do that again later 
today. Does anyone have experience with docker under Centos 7?


Lots of people have experience, and it works well.  I believe the issue 
you are seeing is that the firewall rules are being modified and 
something is removing the rule that Docker adds to allow containers to 
use the host machine's network interface.  When you reboot and restart 
the Docker daemon and the container, the network is correct again, but 
some tool (firewalld) or something else is mucking around with the iptables.




Re: [CentOS-es] Centos 6.9 a VirtualHost question

2017-10-15 Thread Daniel Calvo Jiménez
NameVirtualHost *:80

Try it!

Sent from my iPhone

> On 15 Oct 2017, at 0:23, Carlos Martinez wrote:
> 
> Greetings.
> 
> I assume you want to handle name-based virtual hosts
> (https://httpd.apache.org/docs/2.4/vhosts/name-based.html). The
> definition should be as follows:
> 
> 
>   ServerName www.oficina.salman.psl
>   ServerAlias oficina.salman.psl
>   DocumentRoot "/home/ftp_salman_psl/www"
>   CustomLog logs/oficina.salman.psl-access_log common
> 
> 
> 
>ServerName www.oficina.psl
>ServerAlias oficina.psl
>DocumentRoot "/home/ftp_oficina/www"
>CustomLog logs/oficina.psl-access_log common
> 
> 
> 
>   ServerName www.celta.devigo.psl
>   ServerAlias celta.devigo.psl
>   DocumentRoot "/home/ftp_celta_devigo/www"
>   CustomLog logs/celta.devigo.psl-access_log common
> 
> 
> In both the internal and the external DNS, the names of each virtualhost
> must be registered in each of the domains used. In the external DNS, the
> public IP, and in the internal DNS the private IP of the server. By default,
> Apache on CentOS has the necessary modules loaded. This should fix the
> problem.
> 
> Until next time
> 
> Carlos Martínez
> 
> 
> 2017-10-14 4:50 GMT-05:00 L.C. - Salman PSL :
>> 
>> 
>> 
>> *::   Either I have not explained myself well, or you have not read it completely.
>> 
>> It is not a matter of whether they are .es, .pepito, or .psl
>> 
>> On the router I forward port 80, not the .es domains
>> 
>> The public IP is the server's IP (for SSH, for example)
>> 
>> I already tried *
>> 
>> NameVirtualHost 213.60.147.68
>> 
>> And it doesn't work, because it is not a "Virtual" one but a "real" one
>> 
>> And what you suggest:
>> 
>> 
>>   DocumentRoot "/home/ftp_salman_psl/www"
>>   ServerName www.oficina.salman.es
>>   CustomLog logs/oficina.salman.es-access_log common
>> 
>> 
>> On the one hand it is not a Virtual, and on the other, I do not want it to take
>> that DocumentRoot, but the DocumentRoot defined in httpd.conf ( /var/www/html
>> )
>> 
>> 
>> ::
>> 
 *** End of message *** <<
>> 
>> 
>> Regards
>> Salvador Guzman
>> Salman PSL
>> Vigo, Galicia, España
>> +34 986.21.30.27
>> +34 60 400 30 20
>> www.Salman.EU
>> 
>>> So the .es domains point to a public IP and the .psl ones to a LAN
>>> IP?
>>> 
>>> And everything is hosted on the same server, which you access directly over
>>> the LAN
>>> for the .psl ones, and via the public IP, NATed on the router, for the .es ones?
>>> 
>>> Maybe then what is missing is defining the public IP in the apache
>>> config,
>>> e.g.:
>>> 
>>> NameVirtualHost 213.60.147.68
>>> 
>>> 
>>> But if you have neither a VirtualHost nor a ServerAlias, how does apache
>>> know
>>> which DocumentRoot to show you? It doesn't know, and sends you to the default one :)
>>> 
>>> You should, then, have a VirtualHost for the .es, something like this (adjusting
>>> the
>>> DocumentRoot path if necessary):
>>> 
>>> 
>>>DocumentRoot "/home/ftp_salman_psl/www"
>>>ServerName www.oficina.salman.es
>>>CustomLog logs/oficina.salman.es-access_log common
>>> 
>>> 
>>> 
>>> Regards,
>>> 
 On Friday 13/10/2017 at 12:51, L.C. - Salman PSL wrote:
 
 The thing is that oficina.salman.es is the default server on a public IP, and
 the virtualhosts are defined for another IP, the private one
 
 ** I have 3 servers in production in a data center, and the
 configuration is the same.
 
>> *** End of message *** <<
 
 Regards
 Salvador Guzman
 Salman PSL
 Vigo, Galicia, España
 +34 986.21.30.27
 +34 60 400 30 20
 www.Salman.EU
 
> I don't see a VirtualHost or ServerAlias for oficina.salman.es, only for
> oficina.salman.psl.
> 
> Could you try something like this?
> 
> 
>DocumentRoot "/home/ftp_salman_psl/www"
>ServerName www.oficina.salman.psl
>ServerAlias oficina.salman.es www.oficina.salman.es
>CustomLog logs/oficina.salman.psl-access_log common
>  
> Or else another VirtualHost exclusively for oficina.salman.es pointing to the
> same directory as oficina.salman.psl
> 
> 
> Regards,
> 
>> On Friday 13/10/2017 at 07:08, L.C. - Salman PSL wrote:
>> 
>> Well, I have apache working, but it still does something strange.
>> 
>> Let me explain.
>> 
>> The three test VirtualHosts I have show what they should
>> show, and in the logs the IP 192.168.0.100 appears, which is the one that
>> corresponds to my Windows computer, which is the one I work with.
>> 
>> Now, the problem arises when I call oficina.salman.es, which
>> instead of showing me what is in /var/www/html/ shows me the
>> content of the first VirtualHost defined, whichever it is, and in the log
>> my public IP appears.
>> 
>> The "access.log" log always stays empty
>> 
>> 
>> Configured domains:
>> 
>> Default oficina.salman.es on 
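The behaviour Salvador describes (a request for a name that has no VirtualHost of its own lands on the first VirtualHost defined, not on the httpd.conf DocumentRoot) is Apache's name-based selection rule, and the replies all amount to "give that name its own VirtualHost". The Python model below is an added example, not code from this thread or from Apache: it reproduces that rule and the proposed fix, an explicit VirtualHost for oficina.salman.es placed first so that it is also the deliberate default for any unknown Host header. The host names and paths are the ones quoted in the thread; the two vhost lists and the Host headers tried are constructed.

```python
"""Name-based VirtualHost selection as Apache does it, modelled in Python.

Added example (not code from the thread or from Apache).  With
NameVirtualHost on an address:port, Apache compares the request's Host
header with each <VirtualHost>'s ServerName and ServerAlias in
configuration order; a Host that matches none is served by the FIRST
VirtualHost defined for that address:port, never by the global
DocumentRoot in httpd.conf.  Names and paths below are the ones quoted in
the thread; the vhost lists themselves are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

GLOBAL_DOCUMENT_ROOT = "/var/www/html"   # the httpd.conf DocumentRoot from the thread


@dataclass
class VirtualHost:
    server_name: str
    document_root: str
    aliases: list = field(default_factory=list)   # ServerAlias entries; wildcards allowed

    def matches(self, host):
        # Hostnames are case-insensitive; ServerAlias may use * and ? wildcards.
        names = [self.server_name] + self.aliases
        return any(fnmatch(host.lower(), n.lower()) for n in names)


def select_vhost(vhosts, host_header):
    """The VirtualHost Apache would pick for a Host header (None if no vhosts at all)."""
    host = host_header.split(":")[0]       # strip an optional :port (hostname form)
    for vh in vhosts:                      # configuration order matters
        if vh.matches(host):
            return vh
    return vhosts[0] if vhosts else None   # unmatched Host: the first-defined vhost wins


def document_root_for(vhosts, host_header):
    """Directory the request is served from: global root only when no vhost exists."""
    vh = select_vhost(vhosts, host_header)
    return GLOBAL_DOCUMENT_ROOT if vh is None else vh.document_root


def thread_vhosts():
    """The three test vhosts from the thread; nothing defined for oficina.salman.es."""
    return [
        VirtualHost("www.oficina.salman.psl", "/home/ftp_salman_psl/www", ["oficina.salman.psl"]),
        VirtualHost("www.oficina.psl", "/home/ftp_oficina/www", ["oficina.psl"]),
        VirtualHost("www.celta.devigo.psl", "/home/ftp_celta_devigo/www", ["celta.devigo.psl"]),
    ]


def fixed_vhosts():
    """Constructed fix: a vhost for the .es name, placed FIRST so it is also the
    deliberate default for unknown Host headers instead of another site's files."""
    default = VirtualHost("oficina.salman.es", GLOBAL_DOCUMENT_ROOT, ["www.oficina.salman.es"])
    return [default] + thread_vhosts()


if __name__ == "__main__":
    for host in ("www.oficina.psl", "oficina.salman.es", "unknown.example"):
        print(f"{host:20} before: {document_root_for(thread_vhosts(), host):28} "
              f"after: {document_root_for(fixed_vhosts(), host)}")
```

The same model shows why a catch-all first VirtualHost is worth having even once the .es site works: any Host header that matches nothing (scanners, stale DNS, typos) is served by whichever vhost happens to be first, so make that a site you chose.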

Re: [CentOS] more selinux problems ...

2017-09-24 Thread Daniel Walsh

On 09/23/2017 08:37 AM, hw wrote:


Hi,

how do I allow lighttpd access to a directory like this:

dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 
files_articles


I tried to create and install a selinux module, and it didn't work.
The non-working module can not be removed, either:

semodule -r lighttpd-files_articles.pp
libsemanage.semanage_direct_remove_key: Unable to remove module 
lighttpd-files_articles.pp at priority 400. (No such file or directory).

semodule:  Failed!


Currently, only read access is required.  Write access may be
required later.


type=AVC msg=audit(1506168999.456:2350): avc:  denied  { getattr } 
for  pid=28956 comm="lighttpd" 
path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" 
dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168999.456:2350): arch=c03e syscall=4 
success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300 
a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 
gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 
tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506168999.456:2351): avc:  denied  { open } for  
pid=28956 comm="lighttpd" 
path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" 
dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168999.456:2351): arch=c03e syscall=2 
success=yes exit=9 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef270 items=0 
ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 
fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 
comm="lighttpd" exe="/usr/sbin/lighttpd" 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506168723.591:2342): avc:  denied  { read } for  
pid=28956 comm="lighttpd" name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" 
dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168723.591:2342): arch=c03e syscall=2 
success=no exit=-13 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef2a0 items=0 
ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 
fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 
comm="lighttpd" exe="/usr/sbin/lighttpd" 
subj=system_u:system_r:httpd_t:s0 key=(null)



Why isn't there a simple way to allow access to files as needed?
Being like this, selinux is entirely unmanageable.  Does it even do
any more good than it keeps getting in the way?


SELinux is a labelling system, every process has a label, every object 
on the system has a label.  There are rules in the kernel that allow 
access between process labels and system object labels, the kernel 
enforces the rules.


Somehow this content on your system, /srv/data/files_articles, got 
labeled as samba content (samba_share_t). Now you want to share it via 
lighttpd (httpd_t).  If this content is only to be shared via 
lighttpd, you would need to set the label to something that httpd_t 
can read.


man httpd_selinux (selinux-policy-docs rpm)

Will show you the labels.

httpd_sys_content_t is the usual type for httpd read-only content.  
httpd_sys_content_rw_t is the type for read/write content.  There are 
commands in the man page that explain how to change the default labels.


If you need to share this content via httpd and samba, there are a couple 
of label types, such as public_content_t, which allow you to share content with 
multiple services.  Also explained in the man page.



audit2allow is usually a secondary thing to use when there is no way to 
allow access.



http://danwalsh.livejournal.com/30837.html





Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread Daniel Walsh

On 09/22/2017 08:24 AM, hw wrote:

Daniel Walsh wrote:

On 09/22/2017 06:58 AM, hw wrote:


PS: Now I found this:


type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
syscall=setgroups success=no exit=EPERM(Operation not permitted) 
a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 
pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root 
fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) 
ses=unset comm=sendmail exe=/usr/sbin/exim 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied  { 
setgid } for  pid=19418 comm=sendmail capability=setgid 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability


type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 
a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd 
gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd 
egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset 
comm=lpr exe=/usr/bin/lpr.cups 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { 
open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" 
ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { 
read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file



So I can see that sending email and printing was denied -- which I 
already found out -- and I don't have any idea how to allow it.


hw wrote:

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer does not print, and I'm getting the log message
'/bin/lpr: Permission denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b 



Thanks!  I'm guessing I'm supposed to use ausearch to search for 
something, and I don't know what to search for.

So far, lighttpd can not print and can not send emails (using 
MIME::Lite) unless selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

I only get

type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 
syscall=open success=no exit=EACCES(Permission denied) 
a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 
a3=0x7 items=0 ppid=1 pid=14081 auid=unset uid=root gid=root 
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=(none) ses=unset comm=lighttpd exe=/usr/sbin/lighttpd 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { 
write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir



Any idea what I would need to search for, or how to figure out what 
I would need to allow?




First, to enable httpd to send mail, you can turn on the sendmail 
boolean.


# setsebool -P httpd_can_sendmail 1


Oh, I looked at these variables and somehow didn't see it.


For the ability to print, you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these 
commands a couple of times.


Thank you very much!  Both problems are now fixed :)

However:

grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
could not open interface info [/var/lib/sepolgen/interface_i

Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread Daniel Walsh

On 09/22/2017 06:58 AM, hw wrote:


PS: Now I found this:


type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
syscall=setgroups success=no exit=EPERM(Operation not permitted) 
a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 
pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root 
fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) 
ses=unset comm=sendmail exe=/usr/sbin/exim 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { 
setgid } for  pid=19418 comm=sendmail capability=setgid 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability


type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 
a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd 
gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd 
sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=lpr 
exe=/usr/bin/lpr.cups subj=system_u:system_r:httpd_sys_script_t:s0 
key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" 
ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file



So I can see that sending email and printing was denied -- which I 
already found out -- and I don't have any idea how to allow it.


hw wrote:

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer does not print, and I'm getting the log message
'/bin/lpr: Permission denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b 



Thanks!  I'm guessing I'm supposed to use ausearch to search for 
something, and I don't know what to search for.

So far, lighttpd can not print and can not send emails (using 
MIME::Lite) unless selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

I only get


type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 
syscall=open success=no exit=EACCES(Permission denied) 
a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 
items=0 ppid=1 pid=14081 auid=unset uid=root gid=root euid=root 
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) 
ses=unset comm=lighttpd exe=/usr/sbin/lighttpd 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied { 
write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir



Any idea what I would need to search for, or how to figure out what I 
would need to allow?




First, to enable httpd to send mail, you can turn on the sendmail 
boolean.


# setsebool -P httpd_can_sendmail 1

For the ability to print, you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these commands 
a couple of times.



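The SELinux replies in these threads give one consistent order of preference for an AVC denial: dontaudit it when it is harmless noise (the sys_ptrace reply), relabel the files when the target is another service's content label (the samba_share_t reply), turn on a boolean when one covers the access (httpd_can_sendmail), and only then build a custom module with audit2allow (the lpr case). The script below is an added example, not code from these threads, from audit2allow or from the selinux-policy packages: it parses raw audit.log AVC records, merges them per source type, target type and object class the way audit2allow does, and applies that order to each group. The sample records are constructed, modelled on the ones quoted above; the list of content-label suffixes and the one-entry boolean table are this example's own assumptions and are marked as such in the code.

```python
"""Triage SELinux AVC denials in the order the replies above recommend.

Added example: not code from the threads, from audit2allow or from any
SELinux package.  Records are merged as audit2allow merges them (one group
per source type, target type and object class, permissions unioned), then
each group gets the least invasive fix first.  Sample records are
constructed, modelled on those quoted in the threads; CONTENT_SUFFIXES and
BOOLEAN_HINTS are this example's assumptions, not policy data.
"""
import re
import sys
from collections import OrderedDict

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "add_name", "remove_name"}
HTTPD_DOMAINS = {"httpd_t", "httpd_sys_script_t"}
# Assumption: labels that mark content a service *serves*, as opposed to another
# service's own configuration (cupsd_rw_etc_t is not one), are relabel candidates.
CONTENT_SUFFIXES = ("_share_t", "_content_t", "_content_rw_t")
# Assumption-sized table: the one (domain, comm) -> boolean pair the thread names.
BOOLEAN_HINTS = {("httpd_sys_script_t", "sendmail"): "httpd_can_sendmail"}


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    if "type=AVC" not in line:
        return None
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {"perms": set(m.group(1).split()), "comm": fields.get("comm", "?"),
            "stype": type_of(fields["scontext"]), "ttype": type_of(fields["tcontext"]),
            "tclass": fields["tclass"]}


def group_denials(lines):
    """Merge records audit2allow-style; keep the record count and comm names per group."""
    groups = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups.setdefault((d["stype"], d["ttype"], d["tclass"]),
                              {"perms": set(), "comms": set(), "count": 0})
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
        g["count"] += 1
    return groups


def classify(key, g):
    """(action, detail) for one group, least invasive fix first."""
    stype, ttype, tclass = key
    perms = g["perms"]
    if tclass == "capability" and perms == {"sys_ptrace"} and stype == ttype:
        return "dontaudit", f"dontaudit {stype} self:capability sys_ptrace;  # /proc reads, no real need"
    for comm in sorted(g["comms"]):
        if (stype, comm) in BOOLEAN_HINTS:
            return "boolean", f"setsebool -P {BOOLEAN_HINTS[(stype, comm)]} 1"
    if stype in HTTPD_DOMAINS and tclass in {"file", "dir", "lnk_file"} and ttype.endswith(CONTENT_SUFFIXES):
        rw = bool(perms & WRITE_PERMS)
        own = "httpd_sys_content_rw_t" if rw else "httpd_sys_content_t"
        shared = "public_content_rw_t" if rw else "public_content_t"
        return "relabel", (f"target is labelled {ttype}: use {own} if only httpd serves it, {shared} if "
                           f"another service shares it (semanage fcontext -a -t TYPE 'PATH(/.*)?'; restorecon -Rv PATH)")
    rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
    return "custom_module", rule + "  # what audit2allow -M would emit; last resort"


def triage(audit_text):
    """Map (stype, ttype, tclass) -> (action, detail, record count)."""
    result = {}
    for key, g in group_denials(audit_text.splitlines()).items():
        action, detail = classify(key, g)
        result[key] = (action, detail, g["count"])
    return result


# Constructed sample, modelled on the records quoted in the threads above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1534872386.726:9642): avc:  denied  { sys_ptrace } for  pid=8458 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1534872386.726:9642): arch=40000003 syscall=3 success=yes exit=166 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1506168999.456:2350): avc:  denied  { getattr } for  pid=28956 comm="lighttpd" path="/srv/data/files_articles/X" dev="sde" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1506168999.456:2351): avc:  denied  { open } for  pid=28956 comm="lighttpd" path="/srv/data/files_articles/X" dev="sde" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1506168723.591:2342): avc:  denied  { read } for  pid=28956 comm="lighttpd" name="X" dev="sde" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1506082109.911:1023): avc:  denied  { setgid } for  pid=19418 comm="sendmail" capability=6 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=AVC msg=audit(1505477534.551:31746): avc:  denied  { open } for  pid=27633 comm="lpr" path="/etc/cups/lpoptions" dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(1505477534.551:31746): avc:  denied  { read } for  pid=27633 comm="lpr" name="lpoptions" dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for  pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

if __name__ == "__main__":
    # Reads a real log when one is piped in, otherwise triages the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for (stype, ttype, tclass), (action, detail, count) in triage(text).items():
        print(f"{count}x {stype} -> {ttype}:{tclass}\n    {action}: {detail}")
```

Run it as `python3 avc_triage.py < /var/log/audit/audit.log` to see every denial group with the least invasive fix first; the allow rule printed for the custom-module case is exactly what `audit2allow -M` would build, shown so that it can be read before a module is installed rather than after.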


[CentOS-virt] OVS+DPDK Problem

2017-07-20 Thread Daniel Petrescu
Hi All,

First time mailing here.
I have installed on a CentOS 7.0 KVM (with DPDK and OVS) one Deep Packet
Inspection VM.
I have one channel and some virtual traffic generator.
The traffic is lost between dpdk vhostuser and the DPI VM.
The setup is attached. Any suggestions or ideas?
Regarding the OVS+DPDK configuration, the following configuration is
already made:
- SELINUX is disabled
- QEMU 2.9.0 was downloaded from sources
- All Linux packages were updated for QEMU 2.9.0
- DPDK source was downloaded
- Paths were set
- epel repo was installed
- DPDK 16.11 was installed
- OVS 2.7.0 was installed with DPDK option
- Hugepages VM is set
- NICs are configured for DPDK
- Permissions are set for DPDK

Regarding the OVS+DPDK startup steps, the following configuration is in
place:
B. OVS+DPDK startup and configuration
1. Set and verify the memory hugepages
mount -t hugetlbfs nodev /mnt/huge
echo 64 > /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages
2. Setting the driver permissions
modprobe vfio-pci
/usr/bin/chmod a+x /dev/vfio
/usr/bin/chmod 0666 /dev/vfio/*
3. Configure the PATHS to DPDK and OVS database
cd dpdk-stable-16.11.1/
export DPDK_DIR=$PWD
export PATH=$PATH:/usr/local/share/openvswitch/scripts
export DB_SOCK=/usr/local/var/run/openvswitch/db.sock
4. Re-initializing OVS
rm /usr/local/etc/openvswitch/conf.db
mkdir -p /usr/local/etc/openvswitch
mkdir -p /usr/local/var/run/openvswitch
ovsdb-tool create /usr/local/etc/openvswitch/conf.db /usr/local/share/openvswitch/vswitch.ovsschema
5. Starting OVS + DPDK
ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock
--remote=db:Open_vSwitch,Open_vSwitch,manager_options --pidfile --detach
ovs-vsctl --no-wait set Open_vSwitch . other_config:dpdk-init=true
ovs-vsctl --no-wait set Open_vSwitch . other_config:dpdk-socket-mem="1024,1024"
ovs-ctl --no-ovsdb-server --db-sock="$DB_SOCK" start
6. Checking driver mapping for NICs
driverctl -v list-devices | grep -i net
$DPDK_DIR/tools/dpdk-devbind.py --status
7. Adding OVS+DPDK bridge and ports
ovs-vsctl add-br ch1int_dpdk -- set bridge ch1int_dpdk datapath_type=netdev
ovs-vsctl add-br ch1ext_dpdk -- set bridge ch1ext_dpdk datapath_type=netdev
ovs-vsctl add-port ch1int_dpdk nic810 -- set Interface nic810 type=dpdk options:dpdk-devargs=:81:00.0
ovs-vsctl add-port ch1ext_dpdk nic811 -- set Interface nic811 type=dpdk options:dpdk-devargs=:81:00.1
8. Adding OVS (no DPDK) bridge and ports
ovs-vsctl add-br br0
ovs-vsctl add-port br0 myportnameone
9. Adding VM ports to OVS (or OVS+DPDK) bridge
#
# 
# 
# 
# ...
#
10. Adding dpdkvhostuser to the ovs switch - these are used for the socket
created between the VM and the OVS bridge
ovs-vsctl add-port ch1int_dpdk ch1int_dvhu -- set Interface ch1int_dvhu type=dpdkvhostuser
ovs-vsctl add-port ch1ext_dpdk ch1ext_dvhu -- set Interface ch1ext_dvhu type=dpdkvhostuser
11. DPI deployment
virt-install --connect qemu:///system --name=DPI --memory=16384 --vcpus=16 \
  --os-type=linux --os-variant=virtio26 \
  --disk path=/path/image.qcow2,format=qcow2,bus=virtio,cache=none \
  --network bridge=admin,model=e1000 --nographics --noautoconsole --import
12. Adding vhostuser ports to guest VM - for this the XML file for the
virtual machine found at etc/libvirt/qemu/.xml was edited

 
 
 
 


 
 

 



Thanks,
Daniel
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt


Re: [CentOS] weird SELinux denial

2017-06-06 Thread Daniel Walsh

On 06/06/2017 01:19 PM, Vanhorn, Mike wrote:

On 6/6/17, 12:38 PM, "Daniel Walsh" <dwa...@redhat.com> wrote:


I am asking if you run it again, does it change.  If the boolean is set
the audit2why should say that the AVC is allowed.

Well, if I just run audit2why again, it always tells me the same thing. 
However, I have now discovered that if I unset allow_ypbind, and then reset it 
to 1, audit2why then says

type=AVC msg=audit(1496768649.872:1338): avc:  denied  { name_connect } for  pid=2413 
comm="dbus-daemon" dest=111 
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which 
the audit message was generated.

Possible mismatch between current in-memory boolean settings 
vs. permanent ones.


---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanh...@wright.edu


Ok, that works then.  The way I read your email indicated that setting 
the boolean did not allow the access.  I take it you are not running 
with NIS/Yellow pages and yet you see dbus connecting to port 111?






Re: [CentOS] weird SELinux denial

2017-06-06 Thread Daniel Walsh

On 06/06/2017 09:41 AM, Vanhorn, Mike wrote:

It says what is in my original post; that's the output from audit2allow -w 
(which is audit2why):

Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS

Allow access by executing:
# setsebool -P allow_ypbind 1

---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanh...@wright.edu

On 6/6/17, 9:29 AM, "Daniel Walsh" <dwa...@redhat.com> wrote:

If you run this avc through audit2why what does it say?



I am asking if you run it again, does it change.  If the boolean is set 
the audit2why should say that the AVC is allowed.




Re: [CentOS] weird SELinux denial

2017-06-06 Thread Daniel Walsh

On 06/06/2017 09:17 AM, Vanhorn, Mike wrote:

I keep seeing this in my audit.logs:

type=AVC msg=audit(1496336600.230:6): avc:  denied  { name_connect } for  pid=2411 
comm="dbus-daemon" dest=111 
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS

Allow access by executing:
# setsebool -P allow_ypbind 1


The weirdness is that when I check allow_ypbind, it’s already on:

  # getsebool allow_ypbind
allow_ypbind --> on
#


Does anyone with more experience with SELinux than me have any idea why this is 
happening?

---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanh...@wright.edu



If you run this avc through audit2why what does it say?




[CentOS] Disabling user list in Gnome

2017-06-06 Thread Daniel Ruiz Molina

Hello,

how can I disable the list of users who have logged in, at least one time, 
into the X environment in Gnome running CentOS 7?


Thanks.


[CentOS] Lock Screen in Gnome and using keyboard

2017-04-06 Thread Daniel Ruiz Molina

Hello,

I need to reconfigure Gnome in CentOS to prevent a normal user from 
locking the screen using the task bar option and/or the "Super L" key (Windows 
Key + L). How could I configure Gnome? I need to do that on several 
computers, so I can't log in to the X environment of each computer; 
I need to reconfigure it from the command line (multiple SSH 
connections).


Thanks.


Re: [CentOS] CentOS-5 End of Life

2017-03-01 Thread Daniel J Pacek
On 03/01/2017 09:52 AM, Johnny Hughes wrote:
> On 03/01/2017 05:28 AM, Johnny Hughes wrote:
>> Just a message to remind everyone that CentOS-5 has an End of Life date
>> of March 31, 2017.
>>
>> This means that there will be no new security updates released by Red
>> Hat for RHEL-5 after that date.
> This is for their main RHEL-5 Tree.
>
>> Sometime in early April, the current 5.11 tree will be moved onto
>> vault.centos.org (like CentOS-3 and CentOS-4 have been since their EOL).
>>
> For CentOS-5 users that can not shift from EL5 workloads, Red Hat does
> offer EUS (Extended Update Support) past the 10 year point for RHEL-5.
> You can see this link for more info on EL5 EUS support:
>
>
> https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux


Actually it's called ELS - Extended Lifecycle support
https://access.redhat.com/support/policy/updates/errata

EUS - Extended Update Support is an add-on for RHEL customers that need
patches and updates for minor releases of RHEL for up to 24 months from GA.


>
> Thanks,
> Johnny Hughes
>
>
>


-- 
Daniel J. Pacek
Strategic Market Analyst
Red Hat, Inc.
314 Littleton Rd.
Westford, MA 01886

dpa...@redhat.com
Tel: 978-392-3138



Re: [CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Daniel J Walsh


On 02/21/2017 11:52 AM, Robert Moskowitz wrote:
>
>
> On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:
>> On 2017-02-21 17:30, Robert Moskowitz wrote:
>>> postfixadmin setup.php is claiming:
>>>
>>> *Error: Smarty template compile directory templates_c is not writable.*
>>> *Please make it writable.*
>>> *If you are using SELinux or AppArmor, you might need to adjust their
>>> setup to allow write access.*
>>>
>>>
>>> This goes away with 'setenforce 0', so it is an SELinux issue.  I have
>>> tried both:
>>>
>>> restorecon -Rv /usr/share/postfixadmin
>>>
>>> and
>>>
>>> chcon -R -t httpd_sys_content_t /usr/share/postfixadmin
>>>
>>> and they are not the problem.  Googling this message does not produce
>>> any SELinux advice.
>>>
>>> Any ideas?
>>>
>>> thanks
>>>
>> Hi,
>>
>> after 'setenforce 0' check the /var/log/audit/audit.log:
>>
>> # grep /var/log/audit/audit.log | audit2why
>
> Don't I need a search string in that grep command?
>
>> to see where  the problem could be.
>
> Anyway the last three entries are:
>
> type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for
> pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> permissive=1
>
If you want to allow apache processes to write to the templates_c
directory you need to label it httpd_sys_content_rw_t.
> type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33
> per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0
> ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> type=PROCTITLE msg=audit(1487695678.704:128):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos

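The denial Robert quoted and the label Dan recommends map to each other mechanically, and that mapping is worth doing with a script before reaching for audit2allow. The following POSIX shell script is an added example, not code from the thread: it summarises "avc: denied" records read on stdin, extracts the source and target types (the third field of each context), and for the one case the thread covers (httpd_t writing to httpd_sys_content_t) suggests httpd_sys_content_rw_t; every other denial is marked "review", because turning whatever the log shows into an allow rule is what audit2allow does and is not a fix. The sample records are constructed: the first follows the AVC above, the second (httpd reading a shadow_t file) is a denial that must stay denied.

```shell
#!/bin/sh
# Added example, not code from the thread: triage "avc: denied" records.
# Reads audit.log lines on stdin; the field layout follows the AVC record
# quoted in the thread (scontext=, tcontext=, tclass=, { perms }).

# avc_summary: for each AVC denial on stdin print
#   <source type> <target type> <tclass> <perm[,perm...]> <name>
# The type is the third colon-separated field of a context
# (user:role:type:level), which is the part a labelling fix changes.
avc_summary() {
    awk '
    /^type=AVC / && /avc: *denied/ {
        src = ""; tgt = ""; cls = ""; perms = ""; name = "-"; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms = perms (perms == "" ? "" : ",") $i; continue }
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "scontext")      { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
            else if (key == "tclass")   cls = val
            else if (key == "name")     { gsub(/"/, "", val); name = val }
        }
        print src, tgt, cls, perms, name
    }'
}

# suggest_label SRC TGT CLASS PERMS: the one mapping the thread documents.
# A web server writing to read-only web content (httpd_sys_content_t) means
# that directory should carry httpd_sys_content_rw_t. Anything else is
# "review": a denial is not automatically something to allow.
suggest_label() {
    case "$1:$2:$3:$4" in
        httpd_t:httpd_sys_content_t:dir:*write*|httpd_t:httpd_sys_content_t:file:*write*)
            echo httpd_sys_content_rw_t ;;
        *)  echo review ;;
    esac
}

# triage: annotate every denial on stdin with the suggested target type.
triage() {
    avc_summary | while read -r src tgt cls perms name; do
        printf '%s %s %s %s %s => %s\n' "$src" "$tgt" "$cls" "$perms" "$name" \
            "$(suggest_label "$src" "$tgt" "$cls" "$perms")"
    done
}

# sample_audit_log: constructed records. The first follows the thread's AVC;
# the second, httpd reading shadow_t, is a denial that must stay denied.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for  pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1487695678.704:128): arch=40000003 syscall=33 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1487695700.000:129): avc:  denied  { read open } for  pid=2055 comm="httpd" name="shadow" dev="sda3" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
EOF
}

# Try it on the constructed records:   sample_audit_log | triage
# On a real host:   grep httpd /var/log/audit/audit.log | triage
```

Once the type is confirmed, make the label persistent with `semanage fcontext -a -t httpd_sys_content_rw_t "/usr/share/postfixadmin/templates_c(/.*)?"` followed by `restorecon -Rv /usr/share/postfixadmin`; a `chcon` change like the one tried earlier in the thread is lost the next time the tree is relabelled.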


Re: [CentOS] Script not running correctly as cronjob

2017-02-01 Thread Daniel Reich
Thank you for the hints

I modified like you described.
I also moved the permission part out of the loop (once at the end of the script 
is enough).

Now with the "set -x" the script is working also in cron.

Best regards
Daniel



-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Tony Mountifield
Sent: Wednesday, February 1, 2017 11:04 AM
To: centos@centos.org
Subject: Re: [CentOS] Script not running correctly as cronjob

In article <86827d81f1944333ae213f2d3f198...@2sic.com>,
Daniel Reich <daniel.re...@2sic.com> wrote:
> Hi
> 
> I have a script to resign all DNS zones every two weeks. When I run 
> the script from bash, it works like it should. But when it is executed from 
> cron it does not. It starts normally as a cron job:
> Feb  1 03:00:01 xxx CROND[20116]: (root) CMD (sh 
> /opt/dnssec/resign_dnssec_zones.sh)
> 
> But afterwards I get a mail that everything is finished, but it isn't.
> 03:04:28 DNSSEC-Signierung abgeschlossen
> 
> The script deletes the old signed zones, but doesn't resign them. The mail is 
> also sent.
> Below is the script.
> 
> Does anybody have an idea why it doesn't work in cron? I cannot find any error 
> in any log.

After the first line, add a line saying: set -x

Then set cron to run it and examine the output that gets mailed to you.

The -x tells it to echo each command it is about to execute. That will help you 
to see how far it is getting.

Further comments below.

Cheers
Tony

> Best regards
> Daniel
> 
> 
> #!/bin/bash
> KSKDIR="/etc/named/KSK"
> ZSKDIR="/etc/named/ZSK"
> ZONEDIR="/var/named/chroot/var/named"
> LOG="/var/named/chroot/var/log/dnssec_resign.log"
> MAILREC="monitor@xx"
> 
> #delete old signed files
> rm -rf $ZONEDIR/*.signed
> 
> #delete the old log
> rm -rf $LOG
> 
> #read the zonefiles
> ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')
> 
> for FILES in $ZONEFILES; do
> #remove the .zone at the end
> ZONE=$(echo "${FILES%.*}")

Why not just: ZONE=${FILES%.*}

> #remove the old signed zone
> rm -rf $ZONEDIR/$ZONE.signed

You deleted them all further up.

> #Sign the zone
> cd $ZONEDIR

Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere.

> dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 \
>     -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG
> 
> #Set the correct permissions
> chown named.named $ZONEDIR/*.signed
> chmod 755 $ZONEDIR/*.signed
> sleep 5
> done
> rm -rf $ZONEDIR/named.zone
> 
> echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> $LOG
> echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung abgeschlossen auf xxx" $MAILREC
> 
> 
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 


--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org 


[CentOS] Script not running correctly as cronjob

2017-02-01 Thread Daniel Reich
Hi

I have a script to resign all DNS zones every two weeks. When I run the script 
from bash, it works like it should. But when it is executed from cron it does 
not. It starts normally as a cron job:
Feb  1 03:00:01 xxx CROND[20116]: (root) CMD (sh 
/opt/dnssec/resign_dnssec_zones.sh)

But afterwards I get a mail that everything is finished, but it isn't.
03:04:28 DNSSEC-Signierung abgeschlossen

The script deletes the old signed zones, but doesn't resign them. The mail is also 
sent.
Below is the script.

Does anybody have an idea why it doesn't work in cron?
I cannot find any error in any log.

Best regards
Daniel


#!/bin/bash
KSKDIR="/etc/named/KSK"
ZSKDIR="/etc/named/ZSK"
ZONEDIR="/var/named/chroot/var/named"
LOG="/var/named/chroot/var/log/dnssec_resign.log"
MAILREC="monitor@xx"

#delete old signed files
rm -rf $ZONEDIR/*.signed

#delete the old log
rm -rf $LOG

#read the zonefiles
ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')

for FILES in $ZONEFILES; do
#remove the .zone at the end
ZONE=$(echo "${FILES%.*}")

#remove the old signed zone
rm -rf $ZONEDIR/$ZONE.signed

#Sign the zone
cd $ZONEDIR
dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 \
    -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG

#Set the correct permissions
chown named.named $ZONEDIR/*.signed
chmod 755 $ZONEDIR/*.signed
sleep 5
done
rm -rf $ZONEDIR/named.zone

echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> $LOG
echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung abgeschlossen auf xxx" $MAILREC


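Tony's review above addresses the script's structure; the usual reason for "works from bash, fails from cron" is the environment cron provides (a short PATH and no shell profile, so a tool in /usr/sbin such as dnssec-signzone is not found), and the script's more serious defect is that it mails "finished" no matter what dnssec-signzone did, so a zone can silently go unsigned until resolvers start failing validation. The following POSIX shell script is an added example, not the script from the thread: it keeps the post's directory layout, key naming and +3024000 s expiry, sets PATH explicitly, signs into a temporary file so a failed run keeps the previous signed zone, counts failures and puts the count into the mail subject. The 644 mode, the ".tmp" rename, the "run" argument and the placeholder mail address are this example's own choices.

```shell
#!/bin/sh
# Added example, not the script from the thread: a cron-safe re-signing loop.
# Layout, key naming and the +3024000 s expiry follow the post; PATH, the
# temporary-file rename, the 644 mode and the "run" argument are choices
# made here. MAILREC is a placeholder.
set -eu

# cron starts jobs with a minimal environment and no shell profile, so a
# tool living in /usr/sbin (dnssec-signzone does) is only found if PATH
# says so. Interactive shells get that for free, which is why the script
# "works from bash".
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

KSKDIR="${KSKDIR:-/etc/named/KSK}"
ZSKDIR="${ZSKDIR:-/etc/named/ZSK}"
ZONEDIR="${ZONEDIR:-/var/named/chroot/var/named}"
LOG="${LOG:-/var/named/chroot/var/log/dnssec_resign.log}"
MAILREC="${MAILREC:-monitor@example.invalid}"   # placeholder address
EXPIRE="+3024000"                                # 35 days, as in the post

log() { printf '%s %s\n' "$(date +%T)" "$*" >>"$LOG"; }

# list_zones DIR: one zone name per *.zone file in DIR. A glob replaces the
# "ls | grep" pipeline, so dsset-* and *.signed files can never slip in.
list_zones() {
    for f in "$1"/*.zone; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.zone}"
    done
}

# require_tool NAME: fail early with a clear reason rather than letting a
# later "command not found" be swallowed by the loop.
require_tool() {
    if ! command -v "$1" >/dev/null 2>&1; then
        printf 'ERROR: %s not found in PATH=%s\n' "$1" "$PATH" >&2
        return 1
    fi
}

# sign_zone ZONE (cwd = ZONEDIR): sign into a temporary file and install it
# only when every step succeeded, so a failed run keeps the previous
# ZONE.signed instead of leaving the zone unsigned.
sign_zone() {
    zone=$1
    if dnssec-signzone -o "$zone" -k "$KSKDIR"/K"$zone".*.key -e "$EXPIRE" \
           -f "$zone.signed.tmp" "$zone.zone" "$ZSKDIR"/K"$zone".*.key >>"$LOG" 2>&1 \
       && mv -f "$zone.signed.tmp" "$zone.signed" \
       && chown named:named "$zone.signed" \
       && chmod 644 "$zone.signed"      # named only needs to read it
    then
        log "signed $zone"
    else
        rm -f "$zone.signed.tmp"
        log "ERROR: signing $zone failed, previous $zone.signed kept"
        return 1
    fi
}

main() {
    require_tool dnssec-signzone
    cd "$ZONEDIR"
    : >"$LOG"
    failed=0
    for zone in $(list_zones "$ZONEDIR"); do
        sign_zone "$zone" || failed=$((failed + 1))
    done
    log "DNSSEC re-signing finished, $failed failure(s)"
    # The failure count goes into the subject, so a "finished" mail can no
    # longer be mistaken for success.
    mail -s "DNSSEC re-signing finished on $(hostname), $failed failure(s)" \
        "$MAILREC" <"$LOG"
    [ "$failed" -eq 0 ]
}

# Only the crontab entry passes "run"; sourcing the file just defines the
# functions, which is how they can be checked without BIND installed.
if [ "${1:-}" = run ]; then
    main
fi
```

Install it as `/opt/dnssec/resign_dnssec_zones.sh run` in the crontab; without the `run` argument the file only defines its functions, which is what lets `list_zones` and `require_tool` be exercised on a machine that has no dnssec-signzone at all.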


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Daniel J Walsh


On 01/19/2017 08:57 AM, Marcin Trendota wrote:
> W dniu 19.01.2017 o 14:54, Johnny Hughes pisze:
>
>>> So, it looks like something with docker-selinux and container-selinux...
>> Right, I wanted to mention that docker-selinux was replaced with
>> container-selinux in the latest version.
> Shouldn't be docker-selinux automatically removed then?
>
container-selinux should disable docker policy and then install its own.

container-selinux-1.12.5-14


Re: [CentOS] username.pem

2016-04-26 Thread Daniel J Walsh
Best label available I can see is sshd_var_run_t.  Not exactly named 
well but it would work.



chcon -R -t sshd_var_run_t /var/lib/ssh-x509-auth



On 04/26/2016 11:31 AM, m.r...@5-cent.us wrote:

Hi, folks,

Our system gets/creates /var/lib/ssh-x509-auth/,pem, then
deletes it when they log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#= sshd_t ==
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };

So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?

Thanks in advance.

  mark



Re: [CentOS] CentOS 7, selinux issue

2016-04-06 Thread Daniel J Walsh
Can you attach one of the AVC's. Most likely ssh-x509-auth needs to be 
labeled sshd_key_t

or ssh_home_t

On 04/06/2016 02:54 PM, m.r...@5-cent.us wrote:

I'm seeing a lot of noise in the logs, to the effect of:
setroubleshoot: SELinux is preventing /bin/ksh93 from write access on the
directory /var/lib/ssh-x509-auth

as well as others related to find, cat, etc on .pem's in that directory.
Is this a policy bug, or just no policy covering this?

mark



Re: [CentOS-es] VM dentro de VM con KVM

2016-02-01 Thread daniel
Thanks Ernesto,

Solved, by following these steps =>
https://fedoraproject.org/wiki/How_to_enable_nested_virtualization_in_KVM

Regards

Daniel Ortiz Gutiérrez


On Mon, Feb 1, 2016 at 10:56, Ernesto Pérez Estévez <
ernesto.pe...@cedia.org.ec> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
>
>
> On 02/01/2016 11:44 AM, daniel wrote:
> > Good morning list,
> >
> > The news is that I need to virtualize a hypervisor that contains a
> > virtual machine; can someone tell me whether this is possible? I am
> > using KVM, and when creating the virtual machine I select "Copy host
> > CPU configuration" in the processor option. But it does not seem to
> > take the changes, since the
>
> that is called nested virtualization, I have indeed used it... it works.
>
> regards
> epe
>
> > processor type shows up as a Broadwell although I have a Haswell;
> > if I select the Haswell option the hypervisor does see a Haswell
> > processor but does not see the VMX flag, so when I try to start a
> > VM it tells me that virtualization is not enabled in the CPU
> > configuration.
> >
> > Regards
> >
> > Daniel Ortiz Gutiérrez
> > ___ CentOS-es mailing
> > list CentOS-es@centos.org
> > https://lists.centos.org/mailman/listinfo/centos-es
> >
>
>
> - --
> CEDIA
> The main research tool in Ecuador.
>
> Calle La Condamine 12-109 "Casa Rivera".
> Cuenca -  Ecuador
> Tel: (593) 7405 1000 Ext. 4220/4223
> i...@cedia.org.ec
> www.cedia.org.ec
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJWr44eAAoJEI8SQ0eoZD/X8NAQAI2xevJynqkzhFG4skvbP2ln
> BXjf7knB9zjlm6nUSp+l8UzLjH5QVYpfuD1NeHTLDnNYc7l8/+RaMcYbVr/idovo
> LcEAN9Pcp0k0ZJndIPPiBeLCopK0CHjLr2Na4V6xLlXKwguRfs1yWSODFi/Hepq+
> kUgmG7c6EA6oM+1CrO/gMyMK69Fk3s/7pKGk2Cgs4JyxvHkgknTYfITBiwbdAoDR
> zhta+fz+C65hP0kxdtpD+kLe/ROtfHyJREBFWyOpq2o62dqZAmZ7z1TJKezriZ8B
> F2sBafAsWKwL+L/VzxCC8PXGfhTbOfUBu8O2CzTJ83unpkrsjkshZQlEji9XxcIR
> DyNN+GYRh8ItP3p2jiv7NRWOfXACb1tfjixjBanrOsdnB1mlXlA2pK220OXbufb+
> uM1Kk5PqfIpfmIzqnJY6wCNGMdwQLoubrYBLLfcSt0B4TdrvB9fJ/1j1njfq6kwA
> az+SW7TpAtvfMHB8icznCw3Vmta2ndLg9zWmlTrnAzPaBBfpNakJuhWfUq8S5P9a
> 0m2uiPyf2Ecbp0cObUMtQKIXe2BJZjwOUy0txR8KOUitRlsq34b9XH/k7vQCRrL+
> OS67xYuVIWzHdaWlOwP50dROyGBy6R4URmAtbVV1Iun/L39bqz5UyXdh9MRHiYDj
> dp0bXix37Sge2mJk2ulK
> =+ra6
> -END PGP SIGNATURE-
>
> Email secured by Check Point
> ___
> CentOS-es mailing list
> CentOS-es@centos.org
> https://lists.centos.org/mailman/listinfo/centos-es
>
___
CentOS-es mailing list
CentOS-es@centos.org
https://lists.centos.org/mailman/listinfo/centos-es


[CentOS] NICs order

2016-02-01 Thread Daniel Ruiz Molina

Hi,

After installing CentOS 7 in a server with 2 NICs, the system detects eth0 
and eth1 in reverse order. I would like to have eth1 as eth0 and eth0 as 
eth1. I have forced the HWADDR attribute in 
/etc/sysconfig/network-scripts/ifcfg-eth{0,1}, but after rebooting, the 
order is the same...


How can I solve it?

Thanks.


[CentOS-es] VM dentro de VM con KVM

2016-02-01 Thread daniel
Good morning list,

The news is that I need to virtualize a hypervisor that contains a virtual
machine; can someone tell me whether this is possible? I am using KVM, and
when creating the virtual machine I select "Copy host CPU configuration" in
the processor option. But it does not seem to take the changes, since the
processor type shows up as a Broadwell although I have a Haswell; if I
select the Haswell option the hypervisor does see a Haswell processor but
does not see the VMX flag, so when I try to start a VM it tells me that
virtualization is not enabled in the CPU configuration.

Regards

Daniel Ortiz Gutiérrez


[CentOS] CentOS 6.6 - reshape of RAID 6 is stucked

2015-08-25 Thread Daniel Reich
Hello

I have a CentOS 6.6 Server with 13 disks in a RAID 6. Some weeks ago, I 
upgraded it to 17 disks, two of them configured as spare. The reshape worked 
like normal in the beginning. But at 69% it stopped.

md2 : active raid6 sdj1[0] sdg1[18](S) sdh1[2] sdi1[5] sdm1[15] sds1[12] 
sdr1[14] sdk1[9] sdo1[6] sdn1[13] sdl1[8] sdd1[20] sdf1[19] sdq1[16] sdb1[10] 
sde1[17](S) sdc1[21]
  19533803520 blocks super 1.2 level 6, 1024k chunk, algorithm 2 [15/15] 
[UUU]
  [=...]  reshape = 69.0% (1347861324/1953380352) 
finish=46103134.8min speed=0K/sec

I already tried to stop the raid and start it again, the reshape will start but 
stop again after some minutes. If I reboot the server, the reshape won't start:

md2 : active raid6 sdj1[0] sdg1[18](S) sdh1[2] sdi1[5] sdm1[15] sds1[12] 
sdr1[14] sdk1[9] sdo1[6] sdn1[13] sdl1[8] sdd1[20] sdf1[19] sdq1[16] sdb1[10] 
sde1[17](S) sdc1[21]
  19533803520 blocks super 1.2 level 6, 1024k chunk, algorithm 2 [15/15] 
[UUU]
   resync=PENDING

Just if I restart the raid again, it will start the reshape process and stop it 
like above.

In dmesg and messages logs I just found:

dmesg
md/raid:md2: reshape: not enough stripes.  Needed 1024

messages
23:14:56 data kernel: md/raid:md2: not clean -- starting background 
reconstruction
23:14:56 data kernel: md/raid:md2: reshape will continue
23:14:56 data kernel: md/raid:md2: device sdj1 operational as raid disk 0
23:14:56 data kernel: md/raid:md2: device sdh1 operational as raid disk 2
23:14:56 data kernel: md/raid:md2: device sdi1 operational as raid disk 5
23:14:56 data kernel: md/raid:md2: device sdn1 operational as raid disk 11
23:14:56 data kernel: md/raid:md2: device sds1 operational as raid disk 3
23:14:56 data kernel: md/raid:md2: device sdm1 operational as raid disk 1
23:14:56 data kernel: md/raid:md2: device sdf1 operational as raid disk 14
23:14:56 data kernel: md/raid:md2: device sdd1 operational as raid disk 13
23:14:56 data kernel: md/raid:md2: device sdb1 operational as raid disk 10
23:14:56 data kernel: md/raid:md2: device sdq1 operational as raid disk 7
23:14:56 data kernel: md/raid:md2: device sdr1 operational as raid disk 4
23:14:56 data kernel: md/raid:md2: device sdl1 operational as raid disk 8
23:14:56 data kernel: md/raid:md2: device sdk1 operational as raid disk 9
23:14:56 data kernel: md/raid:md2: device sdc1 operational as raid disk 12
23:14:56 data kernel: md/raid:md2: device sdo1 operational as raid disk 6
23:14:56 data kernel: md/raid:md2: allocated 0kB
23:14:56 data kernel: md/raid:md2: raid level 6 active with 15 out of 15 
devices, algorithm 2
23:14:56 data kernel: md2: Warning: Device sdi1 is misaligned
23:14:56 data kernel: md2: detected capacity change from 0 to 20002614804480
23:14:56 data kernel: md2: unknown partition table
23:14:56 data kernel: XFS (md2): Mounting Filesystem
23:14:56 data kernel: md/raid:md2: reshape: not enough stripes.  Needed 1024
23:14:56 data kernel: XFS (md2): Ending clean mount

So I fixed the stripes:
cat /sys/block/md2/md/stripe_cache_size
16384

But the reshape is still not working and the same error still appears in the 
logs.

Does anyone have an idea?

Regards
Daniel




Re: [CentOS-docs] Contributing to the CentOS wiki

2015-07-10 Thread Daniel Farrell
- Original Message -
 On Thu, Jul 9, 2015 at 4:23 PM, Daniel Farrell dfarr...@redhat.com wrote:
 
  Per the suggestion in [0], I'd also like to request for a member of
  the admin group to create my homepage[2].
 
  [2]: http://wiki.centos.org/DanielFarrell
 
 Done.

Thank you. :)

 Akemi
 ___
 CentOS-docs mailing list
 CentOS-docs@centos.org
 http://lists.centos.org/mailman/listinfo/centos-docs
 
___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS-docs] Contributing to the CentOS wiki

2015-07-10 Thread Daniel Farrell
- Original Message -
 On 10/07/15 00:23, Daniel Farrell wrote:
  Hello all,
  
  I'd like to contribute to the CentOS wiki. Per these docs[0], I
  should email this list with the following information.
  
  Username: DanielFarrell
  Contribution subject: Update CBS Koji Poodle patch docs
  Contribution location: http://goo.gl/7Oe9QO (CBS HOWTO#Quickstart)
 
 for the sake of clarity, this is
 http://wiki.centos.org/HowTos/CommunityBuildSystem

+1

  
  I'd like to make the docs related to patching Koji for the Poodle
  exploit[1] generally more clear. For example, it's worth noting the
  commit (5b5b7d95) that will need to be included in a release for
  the patch step to become unnecessary. I'd also note that that 1.9.0
  (the latest release, March 2014) doesn't include the fix. Finally, I'd
  document how to build a patched version of Koji.
  
  Per the suggestion in [0], I'd also like to request for a member of
  the admin group to create my homepage[2].
  
  [0]: http://goo.gl/dzq0yU (CentOS wiki contribution docs)
  [1]: http://goo.gl/7Oe9QO (Contribution location, CBS HOWTO#Quickstart)
  [2]: http://wiki.centos.org/DanielFarrell
  
 
 can we please not use these short urls, since now there is no way to map
 really what you are doing :)

Yeah, I went back on forth over shortening/obfuscating them or using
way-too-long links. Lesson learned. :)

 but I've setup acl for you to edit the cbs page, let me know if you run
 into any issues.

Thanks!

 once you have a few edits in, we can set you up with wider access to the
 rest of the wiki!

Sounds great, thanks.

 thanks,
 
 --
 Karanbir Singh
 +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
 GnuPG Key : http://www.karan.org/publickey.asc
 ___
 CentOS-docs mailing list
 CentOS-docs@centos.org
 http://lists.centos.org/mailman/listinfo/centos-docs
 


[CentOS-docs] Contributing to the CentOS wiki

2015-07-09 Thread Daniel Farrell
Hello all,

I'd like to contribute to the CentOS wiki. Per these docs[0], I
should email this list with the following information.

Username: DanielFarrell
Contribution subject: Update CBS Koji Poodle patch docs
Contribution location: http://goo.gl/7Oe9QO (CBS HOWTO#Quickstart)

I'd like to make the docs related to patching Koji for the Poodle
exploit[1] generally more clear. For example, it's worth noting the
commit (5b5b7d95) that will need to be included in a release for
the patch step to become unnecessary. I'd also note that that 1.9.0
(the latest release, March 2014) doesn't include the fix. Finally, I'd
document how to build a patched version of Koji.

Per the suggestion in [0], I'd also like to request for a member of
the admin group to create my homepage[2].

[0]: http://goo.gl/dzq0yU (CentOS wiki contribution docs)
[1]: http://goo.gl/7Oe9QO (Contribution location, CBS HOWTO#Quickstart)
[2]: http://wiki.centos.org/DanielFarrell

Thank you for your time and contributions,

Daniel Farrell
Software Engineer, Red Hat SDN Team
https://twitter.com/dfarrell07


Re: [CentOS] puppet files denied by SELinux

2015-06-29 Thread Daniel J Walsh
I have no idea of the current dependency problem.  I think your original
problem was caused by mv'ing files from an nfs share to /etc which
maintained the context.  And SELinux prevented puppet from accessing
nfs_t type.  If you had just run restorecon on the object it would have
set it back to the correct/default context.

You might want to set up an alias: alias mv="mv -Z"

This changes the way mv works to set the context after mv rather than
maintaining the source context.

On 06/21/2015 02:05 PM, Tim Dunphy wrote:
 Hey guys,

  Quick update. I grepped through the output of getsebool -a to see that
 related to puppet. And I found this setting: puppetagent_manage_all_files.

  So I tried running this command: setsebool -P puppetagent_manage_all_files
 0

  And did a restorecon on my modules directory: restorecon -R -v
 environments/production/moudles

  So there's good news and bad news to report! It seems that now puppet on
 the client isn't complaining about not having access to the cert and key
 files anymore! That's the good news. The bad news is, when I do puppet runs
 on all the hosts now, I get the following errors:

 Notice: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Dependency
 File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Skipping
 because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Dependency
 File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Skipping because of
 failed dependencies
 Notice:
 /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning:
 /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/validate_re.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/validate_re.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/reports/datadog_reports.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/reports/datadog_reports.rb]:
 Skipping because of failed dependencies
 Notice:
 /File[/var/lib/puppet/lib/puppet/parser/functions/is_function_available.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning:
 /File[/var/lib/puppet/lib/puppet/parser/functions/is_function_available.rb]:
 Skipping because of failed dependencies
 Notice:
 /File[/var/lib/puppet/lib/puppet/parser/functions/str2saltedsha512.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning:
 /File[/var/lib/puppet/lib/puppet/parser/functions/str2saltedsha512.rb]:
 Skipping because of failed dependencies
 Notice:
 /File[/var/lib/puppet/lib/puppet/parser/functions/delete_undef_values.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning:
 /File[/var/lib/puppet/lib/puppet/parser/functions/delete_undef_values.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/fqdn_rotate.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/fqdn_rotate.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/facter/gemhome.rb]: Dependency
 File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/facter/gemhome.rb]: Skipping because of
 failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/values_at.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/values_at.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/getvar.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/getvar.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/provider/vcsrepo/cvs.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/provider/vcsrepo/cvs.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/strftime.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/strftime.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/chop.rb]:
 Dependency File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/chop.rb]:
 Skipping because of failed dependencies
 Notice: /File[/var/lib/puppet/lib/puppet/util/firewall.rb]: Dependency
 File[/var/lib/puppet/lib] has failures: true
 Warning: /File[/var/lib/puppet/lib/puppet/util/firewall.rb]: Skipping
 because of failed 

Re: [CentOS] more newbie questions -- init 5 works, init 3 doesn't for normal users

2015-06-17 Thread Daniel J Walsh


On 06/11/2015 05:27 PM, m.r...@5-cent.us wrote:
 Kay Schenk wrote:
 On 06/11/2015 08:28 AM, m.r...@5-cent.us wrote:
 Kay Schenk wrote:
 On 06/10/2015 10:06 PM, Gordon Messmer wrote:
 On 06/10/2015 05:25 PM, Kay Schenk wrote:
 I get /home/username not found when it's there and
 setup with correct permissions -- well here I am using it
 in run level 5 just fine!
 SNIP
 The file startx.trace will have a list of all of the
 commands run, and all of their output (including errors).

 /var/log/X* might be interesting as well.
 OK, this last bit sounds promising although this works as expected for
 root -- starts up gnome flawlessly. My previous setup imported settings
 to use a display manager, etc. So, I need to check on this.

 Right now, one of my main concerns is that my old /home
 partition/direction is supposedly associated WITH current users I setup
 and yet...NOT! The system does not recognize this association even
 though it asked me about setting it up when I created my first real
 user
 on installation. I had to go in and reset uids but that's no biggie and
 this process has worked fine before.  I can't help but think this is
 related to the startx issue.
 I missed parts of this thread: are any of them mounted NFS? From root,
 su
 - user, and then do ls -laF, and check the ownership and group,
 *including* of ./ (the current directory).

 I mention NFS because of issues we've been having here, but we're
 connected to AD, and I need to fix /etc/idmapd.conf to have our domain.
 Thanks for everyone's help. It seems the not locating /home for users
 was related to startx problem.

 The /home partition in question had been an old one, ext3, and requested
 not to format. All that was well. Partition mounted, etc. Unfortunately,
 I had inadvertently installed selinux (OK, I saw that but didn't'
 understand the consequences) and this was what was causing my odd
 non-root user login behavior (couldn't locate /home) AND the startx
 problems from init 3 level. After talking to an RH admin colleague, all
 fine now. On to more fun items as I get up to speed on CentOS! :)

 Check to see if the setroubleshoot package is installed. If not, do it.
 It'll generate log entries with sealerts, which will help you figure out
 how to shut up selinux Run it in permissive mode, in the meantime.

  mark one of my permanent goals: shutting up selinux

 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos
You probably want to execute

# semanage fcontext -a -e /home /PATHTOYOURHOME
# restorecon -R -v /PATHTOYOURHOME

This tells SELinux to label content under /PATHTOYOURHOME as if it was
under /home, and should fix most of your problems.


Re: [CentOS] selinux allow apache log access

2015-06-17 Thread Daniel J Walsh


On 06/17/2015 04:03 PM, Jonathan Billings wrote:
 On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
 No prob! Thanks for all the help! But in searching my system I don't find
 anything of the sort.

 [root@monitor2:~] #updatedb
 [root@monitor2:~] #locate myzabbix.te
 [root@monitor2:~] #find / -name myzabbix.*

 I also did search using 'yum provides' to find something similar. But
 wasn't' able to find anything.
 What we're asking for is the contents of the .te file that is created
 when you run audit2allow.

Go back to the original email and do what you were told

# grep zabbix /var/log/audit/audit.log  | audit2allow -M myzabbix
# semodule -i myzabbix.pp

You did audit2allow -M zabbix

Which created zabbix.te and zabbix.pp, which is bad.  It will attempt to
replace the system module.

If you use myzabbix, it will add the allow rules.



Re: [CentOS] Try II: selinux, xfs, and CentOS 6 and 5 issue

2015-06-02 Thread Daniel J Walsh


On 06/02/2015 11:30 AM, m.r...@5-cent.us wrote:
 Tried just the selinux list yesterday, no answers, so I'm trying again.

 I partitioned GPT, and formatted, as xfs,  a large (3TB) drive on a CentOS
 6 system, which has selinux in permissive mode. I then moved the drive to
 a CentOS 5 system. When we run a copy (it mirror-copies from another
 system), we get a ton of errors. I discovered that the CentOS 5 system was
 enforcing. I changed it to permissive, I labelled the directories and
 files w/ semanage, did a restorecon, and even did a fixfiles, and *then* I
 tried /.autorelabel and rebooted, and we still get a ton of errors:
 Jun  1 17:01:32 server kernel: inode_doinit_with_dentry: 
 context_to_sid(unconfined_u:object_r:file_t:s0) returned 22 for dev=sdd1
 ino=2151541032

 I had to reboot to disabled to get it to shut up.

 So: is there something that selinux does in CentOS 6 that is in the
 labelling on the xfs filesystem that I can do something about on the
 CentOS 5 system, or do I just have to leave selinux disabled (until, maybe
 in the next year, we can rebuild to 7)?

mark

 --
 selinux mailing list
 seli...@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/selinux
SELinux on RHEL5 did not have an MLS field in the label, so the directory
cannot be used by both RHEL5 and RHEL6 easily.

If all of the content on the device is going to be labeled the same,
then just use a context mount option

context=system_u:object_r:usr_t:s0  for example.


Re: [CentOS] CentOS 7 selinux policy bug

2015-05-30 Thread Daniel J Walsh


On 05/29/2015 09:20 AM, m.r...@5-cent.us wrote:
 Hi, folks,

CentOS 7.1. Selinux policy, and targetted, updated two days ago.

 May 28 17:02:41 servername python: SELinux is preventing /usr/bin/bash
 from execute access on the file /usr/bin/bash.#012#012* ...
 May 28 17:02:45 servername python: SELinux is preventing /usr/bin/bash
 from execute access on the file /usr/bin/uname.#012#012*  ...
 May 28 17:02:45 servername python: SELinux is preventing /usr/bin/uname
 from execute_no_trans access on the file /usr/bin/uname.#012#012*
 ...
 May 28 17:02:47 servername python: SELinux is preventing /usr/bin/bash
 from execute access on the file /usr/bin/mailx.#012#012*  ...

 I did do an ll -Z /usr/bin, and everything looks correct
 (system_u:object_r:bin_t:s0). Given that, it looks to me like a policy bug.
 No? Yes? File a bug report?

 mark

 --
 selinux mailing list
 seli...@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/selinux
What is the avc that you are seeing?

ausearch -m avc -ts recent



Re: [CentOS] SEmodule dependency hell.

2015-04-07 Thread Daniel J Walsh
You should be able to modify the definition of a port, or create a new
port type and modify the existing port to use it.

http_port_t is just a name (type) that we can use to group a number of
ports together.  Sadly we do not separate the port types of incoming and
outgoing connections.  So if you confined httpd and firefox on the same
machine it gets difficult to say firefox is allowed to connect to port
80, 8080, 8000 while your httpd service is only able to bind to port 8000,
without defining new types and installing custom policy modules.

On 04/02/2015 11:03 AM, Andrew Holway wrote:
 File a bug!!!

 On 2 April 2015 at 16:20, James B. Byrne byrn...@harte-lyne.ca wrote:

 On Wed, April 1, 2015 16:09, Andrew Holway wrote:
 I used the command: semanage port -m -t http_port_t -p tcp 8000
 to relabel a port. perhaps you could try:
 semanage port -m -t unconfined_t -p tcp 8000
 Failing that; would it work to run your application in the httpd_t
 domain?

 I ended up having to create a custom policy to allow the other
 application to have access to the http_port_t context.  Which is not
 an issue given that no httpd service is, or will ever be, installed on
 that host.

 However, it seems a rather dangerous hole in the logical design of
 SELinux that one cannot explicitly remove and reassign contexts to
 ports.  In order to accomplish this on a system running httpd but
 attached to non-standard ports one perforce is required to cross link
 permissions between all of the affected processes.  Which I cannot
 conceive as a security enhancement.


 --
 ***  E-Mail is NOT a SECURE channel  ***
 James B. Byrne  mailto:byrn...@harte-lyne.ca
 Harte & Lyne Limited  http://www.harte-lyne.ca
 9 Brockley Drive  vox: +1 905 561 1241
 Hamilton, Ontario fax: +1 905 561 0757
 Canada  L8E 3C3


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS-es] Reducir particion ext4

2015-01-27 Thread Daniel
If the UUID of your partition changed you would have problems, but since
shrinking does not change the UUID there is no problem at all.

On 27/01/2015 09:19, Ernesto Pérez Estévez
ernesto.pe...@cedia.org.ec wrote:

 Nothing else. Just shrink it and you're done.

 On January 27, 2015 10:13:20 AM GMT-05:00, Peter Q. btove...@gmail.com
 wrote:
 Thanks to both of you, but my doubt is whether, after shrinking, when
 booting I would get an error with the fstab file or when mounting the
 shrunken partitions
 On Jan 27, 2015 8:20 AM, David González Romero dgrved...@gmail.com
 wrote:
  
  You can also use an Ubuntu on your flash drive, with the gparted it ships with...
  
  Regards,
  David
  
  2015-01-26 19:33 GMT-03:00 Ernesto Pérez Estévez
  ernesto.pe...@cedia.org.ec:
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA256
   
   On 26/01/15 17:00, Peter Q. wrote:
   Would this be done with a LiveCD, or from boot in single-user mode?
   
   I'm sending you some images of how the system is partitioned on /
   and swap, which is on another extended partition.
   it's very convenient if you use gparted (http://gparted.sourceforge.net)
   
   put it on a flash drive or a CDROM and shrink it
   regards
   epe
   
   -BEGIN PGP SIGNATURE- 
   Version: GnuPG v1 
   
   iQIcBAEBCAAGBQJUxsDNAAoJEI8SQ0eoZD/X51QP/jdslFWIaIQBy0d0DgfzAw1v 
   O3UVOHDxP2/DlZCUPZwsl78OpEu1BfGAGE5h4RvyveQGCVj0p3MhzAukQq+8i8Kq 
   mzeQ1d9ad5AhRlcskbNjW8cZtoGk7WsSYmuS53EcxjhLkKJ3EA7R2JHnh6AkpTib 
   dnlxjpbCAvt2eIXv8Wk1NKFsnlb7qo3Ts9zcw5CnYBW0YFdtU5CNLkSxpmTI0ih2 
   xaiRJmLL4D0MoTIT1ePG6slKVemkpWAFqpUBa2Osp2UIWo9JuJfVB+Ls1wP21VsY 
   BWKTW7OmxFZredwGbaOEUtwvZhImvgMRI4PFNY5n/f9AAPC6yyHewGpuPFeSB8Vv 
   QTy3Mw46cC9x5tn0xQ6A68xj7knEb46qObyyh0XPqLrrOg/qzgdQxq+G2zjNEU4Z 
   oGyuAEE1J3ORFO/ICdupPKsGicQsur9rckJrGxXhly+C2Th8tlUI5UFi//Nu66up 
   wICp0guRViFTNf4goRaVT4Z+03pe5AGJEk/Xzz0XU4pX0SqqS0j5QhXbOk6ZaWoN 
   zLP8XEqote2DunpGgK8Fqf7ZV9dsZ7Pc3zQHrniUJdWySYCM6Qa3Gi4p7jYQ4bfm 
   0xUo1H8F7hYggv1RQAGw/tLi6gRJZcjoqfz8uw1eUM+oVdFabgSLG9Jk1xtej4s+ 
   5KmU7ypqZ7UPKhMSX81A 
   =jU5p 
   -END PGP SIGNATURE- 
   
   Email secured by Check Point 

 -- 
 Sent from my Android device with K-9 Mail. Please excuse my brevity. 
___
CentOS-es mailing list
CentOS-es@centos.org
http://lists.centos.org/mailman/listinfo/centos-es


Re: [CentOS] How to prevent root from managing/disabling SELinux

2015-01-26 Thread Daniel J Walsh

On 01/23/2015 06:01 PM, Stephen Harris wrote:
 At work I'm used to tools like eTrust Access Control (aka SEOS).  eTrust
 takes away the ability to manage the eTrust config from root and puts it
 in the hands of security admin.  So there's a good separation of duties;
 security admin control the security ruleset, but are limited by the OS
 permissions (so even if they granted themselves permission to modify
 /etc/shadow, the standard OS permissions would block them) and system admins
 control the OS (so they can be root, but can't override eTrust).

 Ideally this type of separation would be useful in the SELinux world
 as well.  OK, maybe this is a bit of an overkill for my own machines,
 but then I do have bastion hosts and internal segmented networking at
 home; I do overkill at times :-)

 The problem is that I can't see how to prevent this.  There are too many
 access points (not just the CLI tools but the pp files and the /sys tree
 and I don't know what else).

 I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
 has security_t so maybe a policy that deny's everyone except a new
 security_admin_t permission to modify those files might work?

 Has anyone actually attempted this?

You would need to disable the unconfined.pp module and the
unconfineduser.pp module and run all of your users as confined users,
including the admin user as sysadm_t.

You could also set the secure_ booleans

 getsebool -a | grep secure_*
secure_mode -- off
secure_mode_insmod -- off
secure_mode_policyload -- off


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] building RPMs with SELinux

2015-01-26 Thread Daniel J Walsh

On 01/22/2015 05:40 AM, Andrew Holway wrote:
 Hello,

 Im trying to find some good info on building RPMs that set the correct
 SELinux contexts for the installed packages.

 Any ideas?

 Thanks,

 Andrew
rpm should do this by itself, if the policy file is installed before the
rpm is laid down.

You could consider two packages:

foobar-policy.rpm
foobar.rpm, then make foobar rely on foobar-policy.rpm

But we usually install rpm in post install of the package and then run
restorecon on the content.

This presentation has some rpm examples.

https://fedorapeople.org/~dwalsh/SELinux/Presentations/SummitSELinuxEnterprise.odp

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS 6, CUPS and Canon printers problem

2015-01-21 Thread Daniel J Walsh

On 01/21/2015 04:11 AM, Emmanuel Noobadmin wrote:
 Just to follow up to myself and leave a record, the problem is SELinux
 blocking the driver from creating/reading/writing temporary files
 under CUPS.
Do you have the AVC's?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS-6.6 Fail2Ban and Postfix Selinux AVCs

2015-01-21 Thread Daniel J Walsh

On 01/19/2015 01:59 PM, James B. Byrne wrote:
 On Mon, January 19, 2015 11:50, James B. Byrne wrote:
 I am seeing these in the log of one of our off-site NX hosts running
 CentOS-6.6.

 type=AVC msg=audit(1421683972.786:4372): avc:  denied  { create } for
 pid=22788 comm=iptables scontext=system_u:system_r:fail2ban_t:s0
 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket
 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module
 to allow this access.

 SELinux is preventing /sbin/iptables-multi-1.4.7 from search access on
 the directory .

 *  Plugin catchall (100. confidence) suggests
 ***

 If you believe that iptables-multi-1.4.7 should be allowed search
 access on the  directory by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do
 allow this access for now by executing:
 # grep iptables /var/log/audit/audit.log | audit2allow -M mypol
 # semodule -i mypol.pp


 It appears that the starting date of these errors corresponds to the
 day on which we first began to jail SSH attempts on that host.

 We eventually ended up with a custom policy that looks like this:

 #= fail2ban_t ==
 allow fail2ban_t ldconfig_exec_t:file { read execute open getattr
 execute_no_trans };

 allow fail2ban_t insmod_exec_t:file { read execute open };
 allow fail2ban_t self:capability { net_admin net_raw };
 allow fail2ban_t self:rawip_socket { getopt create setopt };
 allow fail2ban_t sysctl_kernel_t:dir search;
 allow fail2ban_t sysctl_modprobe_t:file read;

 allow system_mail_t inotifyfs_t:dir read;
These AVCs are related to fail2ban inserting kernel modules, which
seems like a dangerous thing to do.

 I am not sure whether this issue is the result of something that we
 have done or left undone.  We have another host configured in much the
 same fashion as this one and it does not display these errors.  On the
 other hand the second host was installed several years ago and has a
 number of custom polices already applied. It is possible that this
 problem was dealt with piecemeal or is submerged due to other
 customisations.


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux-alert: aide wants to write to /var/run/winbindd/pipe

2015-01-14 Thread Daniel J Walsh

On 01/13/2015 05:09 AM, Patrick Bervoets wrote:
 Hi,

 does anyone know if aide should have access to this socket?

 SELinux is preventing /usr/sbin/aide from write access on the
 sock_file /var/run/winbindd/pipe.

 Thanks
 Patrick

Looks like it is doing some call to getpw* which is using winbindd for
authentication.  I would assume.

 (on CentOS6 if that matters)

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] LVM - pvmove and multiple servers

2015-01-10 Thread Daniel Hoffman
Hi All.

Looking for some guidance/experience with LVM and pvmove.

I have a LUN/PV being presented from a iscsi SAN. The LUN/PV is presented
to 5 servers as a shared VG they all have LV's they use for data, they are
all connected via iSCSI.

As the SAN I am using is being replaced I need to move onto a new unit.

My migration strategy at this time is to

1. Present a new LUN from the new SAN to all machines.
2. Make a PV with the new LUN.
3. Add it to the existing VG.
4. Use pvmove to move all the data from one PV to another.
5. Once the old LUN is empty, complete a pvresize to remove the old LUN.

This all seems sound but looking for advice, specifically around the fact
that the VG/PV data is being used by a number of machines/servers and the
LV's are active on a number of different nodes.

All the documentation/examples I can find assume a disk in a server, not a
LUN on a SAN being shared by a number of servers.

Any advice is appreciated.

Thanks

Daniel
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] How to configure xguest Firefox home page

2014-12-19 Thread Daniel J Walsh
This is actually an old problem with pulseaudio processes not dying
properly on exit.

I think if you remove the exclusive flag from

 /etc/security/sepermit.conf

This will work in all situations.  The exclusive flag is there to make
sure two different users can not login at the same time.

On 12/09/2014 03:53 AM, Nux! wrote:
 Somewhat offtopic, watch out for xguest; it can create problems. I.e. if you 
 logout from xguest you can't log back in, you need to reboot.

 HTH
 Lucian

 --
 Sent from the Delta quadrant using Borg technology!

 Nux!
 www.nux.ro

 - Original Message -
 From: David McGuffey davidmcguf...@verizion.net
 To: CentOS mailing list centos@centos.org
 Sent: Tuesday, 9 December, 2014 02:12:23
 Subject: [CentOS] How to configure xguest Firefox home page
 I've installed CentOS 6.6 on a workstation at a local non-profit as a
 kiosk machine. I used xguest.  Works great, except now the customer
 wants the Firefox homepage to be one pointing to a particular site.
 Doesn't seem to be much documentation on how to make minor changes to
 the account. Lots of SELinux guidance, but nothing about default home
 page, etc.

 Dave



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] How to configure xguest Firefox home page

2014-12-19 Thread Daniel J Walsh

On 12/09/2014 02:39 PM, James B. Byrne wrote:
 On Mon, December 8, 2014 21:12, David McGuffey wrote:
 I've installed CentOS 6.6 on a workstation at a local non-profit as a
 kiosk machine. I used xguest.  Works great, except now the customer
 wants the Firefox homepage to be one pointing to a particular site.
 Doesn't seem to be much documentation on how to make minor changes to
 the account. Lots of SELinux guidance, but nothing about default home
 page, etc.

 Dave




 See: /usr/lib/firefox/firefox.cfg

 Add: lockPref("browser.startup.homepage", "http://www.example.com/path/");

 Google: FireFox Kiosk

You can setup default configuration for the tmpfs account in /etc/skel.


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?

2014-12-17 Thread Daniel J Walsh

On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
 Hi,

 On an internal webserver (latest C6) I want smb-access to /var/www/html/
 In april I did
 chcon -R -t public_content_rw_t /var/www/html/
 setsebool -P allow_smbd_anon_write 1
 setsebool -P allow_httpd_anon_write 1
 echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts

This is incorrect. 

# semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
# restorecon -R -v /var/www/html

Should change the label and it should survive relabel.

After the latest round of updates (including selinux-policy.noarch
0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch
0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied.
 Applying the commands above re-enabled samba-access.

 Anyone knows how I can configure selinux to remeber this after an
 update to the policies?

 Thanks
 Patrick

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Postfix avc (SELinux)

2014-12-08 Thread Daniel J Walsh

On 12/05/2014 01:24 PM, James B. Byrne wrote:
 On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
 On 12/04/2014 03:22 PM, James B. Byrne wrote:
 On Thu, December 4, 2014 12:29, James B. Byrne wrote:
 Re: SELinux. Do I just build a local policy or is there some boolean
 setting
 needed to handle this?  I could not find one if there is but. . .

 Anyone see any problem with generating a custom policy consisting of the
 following?

 grep avc /var/log/audit/audit.log | audit2allow


 #= amavis_t ==
 allow amavis_t shell_exec_t:file execute;
 allow amavis_t sysfs_t:dir search;

 #= clamscan_t ==
 allow clamscan_t amavis_spool_t:dir read;
 In the latest rhel6 policies amavis_t and clamscan_t have been merged
 into antivirus_t?  Is your selinux-policy up to date?
 Yes, everything is up-to-date as of the time of report and I have checked
 again this morning.  That system has no unapplied fixes for software provided
 through the official CentOS-6 repositories.  Does this change apply only to 7
 or has it been backported?  Both amavisd-new and clamav are provided via the
 epel repository.

rpm -q selinux-policy

selinux-policy-3.7.19-260.el6 is the current policy in development.

 #= logwatch_mail_t ==
 allow logwatch_mail_t usr_t:lnk_file read;

 #= postfix_master_t ==
 allow postfix_master_t tmp_t:dir read;

 #= postfix_postdrop_t ==
 allow postfix_postdrop_t tmp_t:dir read;

 #= postfix_showq_t ==
 allow postfix_showq_t tmp_t:dir read;
 Any reason postfix would be listing the contents of /tmp or /var/tmp?
 Did you put some content into these directories that have something to
 do with mail?
 That question I need put to the Postfix mailing list. I see nothing in the
 spec file that bears on the matter and the tarball was pulled from:

  ftp://ftp.porcupine.org/mirrors/postfix-release/official/

 #= postfix_smtp_t ==
 allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };





___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Postfix avc (SELinux)

2014-12-05 Thread Daniel J Walsh

On 12/04/2014 03:22 PM, James B. Byrne wrote:
 On Thu, December 4, 2014 12:29, James B. Byrne wrote:
 Re: SELinux. Do I just build a local policy or is there some boolean setting
 needed to handle this?  I could not find one if there is but. . .

 Anyone see any problem with generating a custom policy consisting of the
 following?

 grep avc /var/log/audit/audit.log | audit2allow


 #= amavis_t ==
 allow amavis_t shell_exec_t:file execute;
 allow amavis_t sysfs_t:dir search;

 #= clamscan_t ==
 allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged
into antivirus_t?  Is your selinux-policy up to date?
 #= logwatch_mail_t ==
 allow logwatch_mail_t usr_t:lnk_file read;

 #= postfix_master_t ==
 allow postfix_master_t tmp_t:dir read;

 #= postfix_postdrop_t ==
 allow postfix_postdrop_t tmp_t:dir read;

 #= postfix_showq_t ==
 allow postfix_showq_t tmp_t:dir read;
Any reason postfix would be listing the contents of /tmp or /var/tmp? 
Did you put some content into these directories that have something to
do with mail?
 #= postfix_smtp_t ==
 allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SEtroubleshootd Crashing

2014-12-04 Thread Daniel J Walsh
Are you seeing other AVCs?

On 12/03/2014 05:36 AM, John Beranek wrote:
 Indeed, thanks Dan - it doesn't get us to a completely clean running that
 would allow us to run our Node app as we are under Passenger with SELinux
 enforcing, but it at least has stopped the excessive amount of AVCs we were
 getting.

 John

 On 3 December 2014 at 10:01, Daniel J Walsh dwa...@redhat.com wrote:

 Looks like turning on three booleans will solve most of the problem.

 httpd_execmem, httpd_run_stickshift, allow_httpd_anon_write


 On 12/03/2014 03:55 AM, John Beranek wrote:
 Mark: Labels look OK, restorecon has nothing to do, and:

 -rwxr-xr-x. root root system_u:object_r:bin_t:s0   /bin/ps

 dr-xr-xr-x. root root system_u:object_r:proc_t:s0  /proc

 I'll send the audit log on to Dan.

 Cheers,

 John

 On 2 December 2014 at 16:10, Daniel J Walsh dwa...@redhat.com wrote:

 Could you send me a copy of your audit.log.

 You should not be getting hundreds of AVC's a day.

 ausearch -m avc,user_avc -ts today

 On 12/02/2014 05:08 AM, John Beranek wrote:
 I'll jump in here to say we'll try your suggestion, but I guess what's
 not
 been mentioned is that we get the setroubleshoot abrt's only a few
 times
 a
 day, but we're getting 1s of setroubleshoot messages in
 /var/log/messages a day.

 e.g.

 Dec  2 10:03:55 server audispd: queue is full - dropping event
 Dec  2 10:04:00 server audispd: last message repeated 199 times
 Dec  2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages
 from
 pid 5967 due to rate-limiting
 Dec  2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid
 5967 due to rate-limiting
 Dec  2 10:04:01 server audispd: queue is full - dropping event
 Dec  2 10:04:02 server audispd: last message repeated 134 times
 Dec  2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps
 from
 read access on the file /proc/pid/stat. For complete SELinux
 messages.
 run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4
 Dec  2 10:04:02 server audispd: queue is full - dropping event
 Dec  2 10:04:03 server audispd: last message repeated 48 times
 Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps
 from
 getattr access on the directory /proc/pid. For complete SELinux
 messages.
 run sealert -l 2d09d555-8834-4c27-976b-6647f8673286
 Dec  2 10:04:03 server audispd: queue is full - dropping event
 Dec  2 10:04:03 server audispd: last message repeated 15 times
 Dec  2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages
 from
 pid 5967 due to rate-limiting
 Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps
 from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
 Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps
 from
 getattr access on the directory /proc/pid. For complete SELinux
 messages.
 run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
 Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps
 from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f
 Dec  2 10:04:05 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps
 from
 getattr access on the directory /proc/pid. For complete SELinux
 messages.
 run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be
 Dec  2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps
 from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l d8dbf973-7bc2-4fd5-9540-18c4040be03c
 Dec  2 10:04:06 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:06 server sedispatch: AVC Message for setroubleshoot,
 dropping
 message
 Dec  2 10:04:06 server sedispatch: last message repeated 3 times

 Cheers,

 John

 On 1 December 2014 at 17:19, Daniel J Walsh dwa...@redhat.com wrote:

 On 12/01/2014 10:39 AM, Gary Smithson wrote:
 We are currently running libxml2-2.7.6-14.el6_5.2.x86_64

 How far back would you suggest we go? would
 libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient
 Ok might not be related.  One other suggestion would be to clear the
 database out.  And see if there
 was something in the database that was causing it problems.

 Make sure there is no setroubleshootd running and

 /var/lib/setroubleshoot/setroubleshoot_database.xml
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org]
 On
 Behalf Of Daniel J Walsh
 Sent: 01 December 2014 15:10
 To: CentOS mailing list
 Subject: Re: [CentOS] SEtroubleshootd Crashing

 I am not sure.  I was just seeing email on this today.  Could you try
 to
 downgrade the latest version of libxml to see if the problem goes
 away.
 On 12/01/2014 10:01 AM, Gary Smithson wrote:
 Thanks

 Could you please clarify, which version libxml is broken

Re: [CentOS] SEtroubleshootd Crashing

2014-12-03 Thread Daniel J Walsh
Looks like turning on three booleans will solve most of the problem.

httpd_execmem, httpd_run_stickshift, allow_httpd_anon_write


On 12/03/2014 03:55 AM, John Beranek wrote:
 Mark: Labels look OK, restorecon has nothing to do, and:

 -rwxr-xr-x. root root system_u:object_r:bin_t:s0   /bin/ps

 dr-xr-xr-x. root root system_u:object_r:proc_t:s0  /proc

 I'll send the audit log on to Dan.

 Cheers,

 John

 On 2 December 2014 at 16:10, Daniel J Walsh dwa...@redhat.com wrote:

 Could you send me a copy of your audit.log.

 You should not be getting hundreds of AVC's a day.

 ausearch -m avc,user_avc -ts today

 On 12/02/2014 05:08 AM, John Beranek wrote:
 I'll jump in here to say we'll try your suggestion, but I guess what's
 not
 been mentioned is that we get the setroubleshoot abrt's only a few times
 a
 day, but we're getting 1s of setroubleshoot messages in
 /var/log/messages a day.

 e.g.

 Dec  2 10:03:55 server audispd: queue is full - dropping event
 Dec  2 10:04:00 server audispd: last message repeated 199 times
 Dec  2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages
 from
 pid 5967 due to rate-limiting
 Dec  2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid
 5967 due to rate-limiting
 Dec  2 10:04:01 server audispd: queue is full - dropping event
 Dec  2 10:04:02 server audispd: last message repeated 134 times
 Dec  2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps from
 read access on the file /proc/pid/stat. For complete SELinux messages.
 run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4
 Dec  2 10:04:02 server audispd: queue is full - dropping event
 Dec  2 10:04:03 server audispd: last message repeated 48 times
 Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
 getattr access on the directory /proc/pid. For complete SELinux
 messages.
 run sealert -l 2d09d555-8834-4c27-976b-6647f8673286
 Dec  2 10:04:03 server audispd: queue is full - dropping event
 Dec  2 10:04:03 server audispd: last message repeated 15 times
 Dec  2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages
 from
 pid 5967 due to rate-limiting
 Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
 Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
 getattr access on the directory /proc/pid. For complete SELinux
 messages.
 run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
 Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f
 Dec  2 10:04:05 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps from
 getattr access on the directory /proc/pid. For complete SELinux
 messages.
 run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be
 Dec  2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l d8dbf973-7bc2-4fd5-9540-18c4040be03c
 Dec  2 10:04:06 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:06 server sedispatch: AVC Message for setroubleshoot,
 dropping
 message
 Dec  2 10:04:06 server sedispatch: last message repeated 3 times

 Cheers,

 John

 On 1 December 2014 at 17:19, Daniel J Walsh dwa...@redhat.com wrote:

 On 12/01/2014 10:39 AM, Gary Smithson wrote:
 We are currently running libxml2-2.7.6-14.el6_5.2.x86_64

 How far back would you suggest we go? would
 libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient
 Ok might not be related.  One other suggestion would be to clear the
 database out.  And see if there
 was something in the database that was causing it problems.

 Make sure there is no setroubleshootd running and

 /var/lib/setroubleshoot/setroubleshoot_database.xml
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Daniel J Walsh
 Sent: 01 December 2014 15:10
 To: CentOS mailing list
 Subject: Re: [CentOS] SEtroubleshootd Crashing

 I am not sure.  I was just seeing email on this today.  Could you try
 to
 downgrade the latest version of libxml to see if the problem goes away.
 On 12/01/2014 10:01 AM, Gary Smithson wrote:
 Thanks

 Could you please clarify, which version libxml is broken and has there
 been a newer version released that will fix it.
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Daniel J Walsh
 Sent: 01 December 2014 14:58
 To: CentOS mailing list
 Subject: Re: [CentOS] SEtroubleshootd Crashing

 This seems to be a problem with an updated version of libxml.
 On 11/28/2014 09:04 AM, Gary Smithson wrote:
 When

Re: [CentOS] SEtroubleshootd Crashing

2014-12-02 Thread Daniel J Walsh
Could you send me a copy of your audit.log.

You should not be getting hundreds of AVC's a day. 

ausearch -m avc,user_avc -ts today

On 12/02/2014 05:08 AM, John Beranek wrote:
 I'll jump in here to say we'll try your suggestion, but I guess what's not
 been mentioned is that we get the setroubleshoot abrt's only a few times a
 day, but we're getting 1s of setroubleshoot messages in
 /var/log/messages a day.

 e.g.

 Dec  2 10:03:55 server audispd: queue is full - dropping event
 Dec  2 10:04:00 server audispd: last message repeated 199 times
 Dec  2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages from
 pid 5967 due to rate-limiting
 Dec  2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid
 5967 due to rate-limiting
 Dec  2 10:04:01 server audispd: queue is full - dropping event
 Dec  2 10:04:02 server audispd: last message repeated 134 times
 Dec  2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps from
 read access on the file /proc/pid/stat. For complete SELinux messages.
 run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4
 Dec  2 10:04:02 server audispd: queue is full - dropping event
 Dec  2 10:04:03 server audispd: last message repeated 48 times
 Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
 getattr access on the directory /proc/pid. For complete SELinux messages.
 run sealert -l 2d09d555-8834-4c27-976b-6647f8673286
 Dec  2 10:04:03 server audispd: queue is full - dropping event
 Dec  2 10:04:03 server audispd: last message repeated 15 times
 Dec  2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages from
 pid 5967 due to rate-limiting
 Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
 Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
 getattr access on the directory /proc/pid. For complete SELinux messages.
 run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
 Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f
 Dec  2 10:04:05 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps from
 getattr access on the directory /proc/pid. For complete SELinux messages.
 run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be
 Dec  2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps from
 search access on the directory /proc/pid/stat. For complete SELinux
 messages. run sealert -l d8dbf973-7bc2-4fd5-9540-18c4040be03c
 Dec  2 10:04:06 server setroubleshoot: last message repeated 2 times
 Dec  2 10:04:06 server sedispatch: AVC Message for setroubleshoot, dropping
 message
 Dec  2 10:04:06 server sedispatch: last message repeated 3 times

 Cheers,

 John

 On 1 December 2014 at 17:19, Daniel J Walsh dwa...@redhat.com wrote:

 On 12/01/2014 10:39 AM, Gary Smithson wrote:
 We are currently running libxml2-2.7.6-14.el6_5.2.x86_64

 How far back would you suggest we go? would
 libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient
 Ok might not be related.  One other suggestion would be to clear the
 database out.  And see if there
 was something in the database that was causing it problems.

 Make sure there is no setroubleshootd running and

 /var/lib/setroubleshoot/setroubleshoot_database.xml
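
As an added example (not code from the thread, from setroubleshoot or from rsyslog), the script below parses syslog lines of the shape John posted. It folds syslogd's "last message repeated N times" lines back into the message they repeat, groups the alerts by executable, access, object class and target, keeps the sealert ids so each group can still be inspected with sealert -l, and counts the sedispatch "dropping message" lines, which appear when the audit dispatcher plugin cannot hand an AVC to setroubleshootd and are the visible sign of the crash discussed in this thread. SAMPLE_LOG is constructed from the excerpt above.

```python
"""Summarise setroubleshoot syslog output with repeat compression undone.

Added example, not code from the list thread. SAMPLE_LOG is constructed
in the shape of the /var/log/messages excerpt above; the 'last message
repeated N times' lines are syslogd's repeat compression and stand for N
more copies of the previous message logged under the same program tag.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc/pid/stat. For complete SELinux messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/pid. For complete SELinux messages. run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
Dec  2 10:04:06 server sedispatch: AVC Message for setroubleshoot, dropping message
Dec  2 10:04:06 server sedispatch: last message repeated 3 times
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\s]+): (?P<msg>.*)$"
)
ALERT_RE = re.compile(
    r"SELinux is preventing (?P<exe>\S+) from (?P<access>\S+) access on the "
    r"(?P<tclass>\S+) (?P<target>\S+?)\. For complete SELinux messages\. "
    r"run sealert -l (?P<alert_id>[0-9a-f-]{36})"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
DROP_RE = re.compile(r"^AVC Message for setroubleshoot, dropping message$")


def expand_repeats(text):
    """Return [(prog, msg, count)] with each repeat line folded into the
    preceding message from the same program instead of listed on its own."""
    events = []          # [prog, msg, count]
    last_index = {}      # prog -> index of its most recent real message
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            continue
        prog, msg = m["prog"], m["msg"]
        rep = REPEAT_RE.match(msg)
        if rep:
            if prog in last_index:
                events[last_index[prog]][2] += int(rep["n"])
            continue
        last_index[prog] = len(events)
        events.append([prog, msg, 1])
    return [tuple(e) for e in events]


def summarize(text):
    """Group alerts by (exe, access, class, target) with their sealert ids,
    and count AVCs that sedispatch dropped because setroubleshootd was
    not there to receive them (the visible symptom of the crash)."""
    alerts = defaultdict(lambda: {"count": 0, "alert_ids": []})
    dropped = 0
    for prog, msg, count in expand_repeats(text):
        a = ALERT_RE.match(msg)
        if prog == "setroubleshoot" and a:
            key = (a["exe"], a["access"], a["tclass"], a["target"])
            alerts[key]["count"] += count
            alerts[key]["alert_ids"].append(a["alert_id"])
        elif prog == "sedispatch" and DROP_RE.match(msg):
            dropped += count
    return {"alerts": dict(alerts), "dropped": dropped}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, info in report["alerts"].items():
        print(f"{info['count']:4d}  {key[0]} {key[1]} on {key[2]} {key[3]}"
              f"  ids={info['alert_ids']}")
    print(f"dropped AVCs: {report['dropped']}")
```

On the sample this reports three search denials on /proc/pid/stat, one getattr denial on /proc/pid, and four dropped AVCs. A non-zero dropped count with no matching alert is the pattern to alert on: the denials are still in /var/log/audit/audit.log, but nobody is analysing them.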

Re: [CentOS] SEtroubleshootd Crashing

2014-12-01 Thread Daniel J Walsh
This seems to be a problem with an updated version of libxml.
On 11/28/2014 09:04 AM, Gary Smithson wrote:
 When running Node.js through Phusion Passenger on CentOS 6.5 (Linux
 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64
 x86_64 GNU/Linux), with SELinux enabled in permissive mode, we receive a large
 number of entries in the audit.log and setroubleshootd randomly crashes with
 the following error. We have resolved the SELinux alerts by following the
 troubleshooting steps recommended by running sealert. However, we are concerned
 by setroubleshootd crashing and are concerned that we may have masked the
 issue by fixing the entries in the audit.log.



 abrt_version:   2.0.8
 cmdline:    /usr/bin/python -Es /usr/sbin/setroubleshootd -f ''
 executable: /usr/sbin/setroubleshootd
 kernel:     2.6.32-431.23.3.el6.x86_64
 last_occurrence: 1417101625
 time:       Thu 27 Nov 2014 03:20:25 PM UTC
 uid:        0
 username:   root

 sosreport.tar.xz: Binary file, 3642240 bytes

 backtrace:
 :analyze.py:426:lookup_signature:ProgramError: [Errno 1001] signature not found
 :
 :Traceback (most recent call last):
 :  File /usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py, line 401, in auto_save_callback
 :    self.save()
 :  File /usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py, line 377, in save
 :    self.prune()
 :  File /usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py, line 340, in prune
 :    self.delete_signature(sig, prune=True)
 :  File /usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py, line 471, in delete_signature
 :    siginfo = self.lookup_signature(sig)
 :  File /usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py, line 426, in lookup_signature
 :    raise ProgramError(ERR_NO_SIGNATURE_MATCH)
 :ProgramError: [Errno 1001] signature not found
 :
 :Local variables in innermost frame:
 :matches: []
 :siginfo: None
 :self: setroubleshoot.analyze.SETroubleshootDatabase object at 0x151d590
 :sig: setroubleshoot.signature.SEFaultSignature object at 0x645a050

 We are running the following versions of Passenger/httpd/node:

 passenger --version
 Phusion Passenger version 4.0.53

 httpd -v
 Server version: Apache/2.2.15 (Unix)
 Server built:   Jul 23 2014 14:17:29

 node -v
 v0.10.32

 This email is from the Press Association. For more information, see 
 www.pressassociation.com. This email may contain confidential information. 
 Only the addressee is permitted to read, copy, distribute or otherwise use 
 this email or any attachments. If you have received it in error, please 
 contact the sender immediately. Any opinion expressed in this email is 
 personal to the sender and may not reflect the opinion of the Press 
 Association. Any email reply to this address may be subject to interception 
 or monitoring for operational reasons or for lawful business practices.
 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos



Re: [CentOS] SEtroubleshootd Crashing

2014-12-01 Thread Daniel J Walsh
I am not sure.  I was just seeing email on this today.  Could you try to
downgrade the latest version of libxml to see if the
problem goes away.

On 12/01/2014 10:01 AM, Gary Smithson wrote:
 Thanks

 Could you please clarify, which version libxml is broken and has there been a 
 newer version released that will fix it.

 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf 
 Of Daniel J Walsh
 Sent: 01 December 2014 14:58
 To: CentOS mailing list
 Subject: Re: [CentOS] SEtroubleshootd Crashing

 This seems to be a problem with an updated version of libxml.



Re: [CentOS] SEtroubleshootd Crashing

2014-12-01 Thread Daniel J Walsh

On 12/01/2014 10:39 AM, Gary Smithson wrote:
 We are currently running libxml2-2.7.6-14.el6_5.2.x86_64

 How far back would you suggest we go? Would libxml2-2.7.6-14.el6_5.1.x86_64
 be sufficient?
OK, it might not be related.  One other suggestion would be to clear the
database out and see if there was something in the database that was
causing it problems.

Make sure there is no setroubleshootd running and

/var/lib/setroubleshoot/setroubleshoot_database.xml
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf 
 Of Daniel J Walsh
 Sent: 01 December 2014 15:10
 To: CentOS mailing list
 Subject: Re: [CentOS] SEtroubleshootd Crashing

 I am not sure.  I was just seeing email on this today.  Could you try to 
 downgrade the latest version of libxml to see if the problem goes away.

 On 12/01/2014 10:01 AM, Gary Smithson wrote:
 Thanks

 Could you please clarify, which version libxml is broken and has there been 
 a newer version released that will fix it.

 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Daniel J Walsh
 Sent: 01 December 2014 14:58
 To: CentOS mailing list
 Subject: Re: [CentOS] SEtroubleshootd Crashing

 This seems to be a problem with an updated version of libxml.

Re: [CentOS] Anyone have a Brother multifunction working on Centos 7?

2014-11-17 Thread Daniel J Walsh

On 11/12/2014 10:54 PM, Peter wrote:
 On 11/13/2014 12:10 PM, Negative wrote:
 I have a Brother MFC 7360N, and it is refusing to print.
 I have a DCP-540CN which is a similar but I think older network printer.
  I haven't tried it on CentOS 7 yet, but got it to work with Fedora 18
 and 19 which are very similar.  I do recall having to create an selinux
 policy to get it to work, so that may very well be your issue.


 Peter
Usually it should just work. But you might need to run restorecon -R -v
/usr after the install to set the SELinux labels correctly.


Re: [CentOS] Xorg installation broken under docker

2014-11-11 Thread Daniel J Walsh

On 11/11/2014 12:11 PM, Jim Perrin wrote:

 On 11/11/2014 04:51 AM, Wander Costa wrote:
 Hi,

 I have been trying to build a docker image to run unit tests for the B2G 
 project [1]. However when I try to install Xorg I get this error [2].
 I have been searching on web but is still not clear for me if this is an 
 issue or if I should proceed like this link [3] says.
 Any idea?


 Yes, one of the packages you're attempting to install requires systemd
 as a dependency and so you would need to follow the instructions in that
 blog. You might still run into some issues even then, if you're trying
 to display X from the container on the host.

 If you'd like, I have a centos-systemd container already built
 (following that blog post) that you could try.


 a 'docker pull centos/c7-systemd'  should get you what you need:

 reference url: https://registry.hub.docker.com/u/centos/c7-systemd/



We need to get systemd-container into the default centos image.
We are working on this for RHEL7 also.  That way these problems
can be prevented and we can make it easier for people to run systemd
within a container.


Re: [CentOS] Xorg installation broken under docker

2014-11-11 Thread Daniel J Walsh


On 11/11/2014 02:17 PM, Jim Perrin wrote:

 On 11/11/2014 12:45 PM, Daniel J Walsh wrote:

 We need to get systemd-container into the default centos image.
 We are working on this for RHEL7 also.  That way these problems
 can be prevented and we can make it easier for people to run systemd
 within a container.
 If the source for it is public, I would happily do this, as the current
 systemd/fakesystemd issue causes a fair amount of breakage. Where can I
 pull systemd-container source/spec?


Jim, work with Vaclav on this.



Re: [CentOS] ProFTPD SFTP with SELinux

2014-11-06 Thread Daniel J Walsh

On 11/05/2014 09:41 PM, Philip Gardner, Jr. wrote:
 Has anyone attempted to make SFTP on ProFTPD with SELinux work? I'd
 like to keep SELinux enabled on this particular system, but I prefer
 ProFTPD's SFTP solution over OpenSSH. The aureport tool reports the
 following:

 28. 11/05/2014 12:58:58 proftpd
 unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 4 file getattr
 system_u:object_r:sshd_key_t:s0 denied 86877

 I have the SFTP config setup to just use the OpenSSH host keys, and it
 appears to be getting denied read access to it. Thoughts?

If the access makes sense, then build a custom policy module and open a
bugzilla for it.
Probably should be a boolean to allow it.


Re: [CentOS] CentOS 6.6 Bacula-SELinux issue

2014-11-04 Thread Daniel J Walsh
I see nothing about tape_device_t in the bacula policy in Fedora, so
please create a local policy and then send it to us, so it can get
merged upstream and back-ported for RHEL/CentOS.
On 10/30/2014 03:01 PM, Paul Heinlein wrote:
 I updated my backup server to CentOS 6.6 this morning. As usual, I
 unmounted the current (nightly) tape from the changer before the
 reboot. Now Bacula complains it cannot access the changer:

 3301 Issuing autochanger loaded? drive 0 command.
 3991 Bad autochanger loaded? drive 0 command: ERR=Child exited with
 code 1.
 Results=cannot open SCSI device '/dev/changer' - Permission denied

 SELinux is denying source context bacula_t from accessing target
 context tape_device_t. I took a look at the various SELinux boolean
 values but see none that applies.

 Has anyone else observed this symptom since upgrading?

 Is there a fix other than building a local policy by going through the
 ausearch | audit2allow iteration(s)?





Re: [CentOS] CentOS 6.6: KVM not found

2014-11-04 Thread Daniel J Walsh

On 10/31/2014 06:06 AM, Chris wrote:
 On 10/31/2014 10:47 AM, Karanbir Singh wrote:
 can you post the relevant selinux audit.log entries that were preventing
 kvm's ko to be loaded ?
 Sure.

 type=VIRT_CONTROL msg=audit(1414739214.851:62): user pid=2911 uid=0
 auid=4294967295 ses=4294967295
 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start
 reason=booted vm=
 tor2 uuid=xxx vm-pid=-1 exe=/usr/sbin/libvirtd hostname=? addr=?
 terminal=? res=failed'


Those are not avc's they are standard audit logs and have nothing to do
with SELinux.


Re: [CentOS] CentOS 6.6: KVM not found

2014-11-04 Thread Daniel J Walsh

On 11/01/2014 12:12 AM, Chris wrote:
 On 10/31/2014 08:12 PM, Jonathan Billings wrote:
 Is there an AVC entry in
 the audit logs for when you try to load the module?
 I cannot say for sure if those entries were created when starting the vm
 or when rebooting the physical host.

These AVCs have nothing to do with virtualization; they are about
prelink, and would have no effect on whether or not you can run VMs.


Re: [CentOS] DHCP chown

2014-11-04 Thread Daniel J Walsh

On 11/02/2014 02:45 PM, John R Pierce wrote:
 On 11/2/2014 11:37 AM, Barry Brimer wrote:
 I just installed 6.5 and am trying to bring up DHCP.

 service dhcpd start fails with Can't chown new lease file:
 Operation  not
 permitted in /var/log/messages

 Check the permissions in /var/lib/dhcp directory. 

 also check the selinux logs...  or temporarily set selinux to
 'permissive' and see if it works, if it does, then something is fubar
 in the selinux rules.



Or simply run

restorecon -R -v /var

to make sure everything is labeled correctly.


Re: [CentOS] Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule

2014-10-26 Thread Daniel J Walsh

On 10/26/2014 12:10 AM, admin wrote:
 I've just recreated the module and enabled it, yet I can't seem to
 allow fping to be used by the httpd process. It seems that the last
 error was just a byproduct of a bad module I had not properly removed.
 Are there any additional troubleshooting steps I could try?

 What I've done so far :

 1) grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
 2) semodule -i observium_fping.pp

 3) semodule -l | grep fping
 **
 fping   1.0
 observium_fping 1.0
 **

 4) cat /var/log/audit/audit.log | grep fping

 type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for 
 pid=5283 comm=fping scontext=unconfined_u:system_r:httpd_t:s0
 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
 type=SYSCALL msg=audit(1414295291.964:357): arch=c03e syscall=41
 success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282
 pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
 fsgid=48 tty=(none) ses=1 comm=fping exe=/usr/sbin/fping
 subj=unconfined_u:system_r:httpd_t:s0 key=(null)



 On 10/25/2014 8:30 PM, Greg Lindahl wrote:
 On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:

 # This avc is allowed in the current policy
 allow httpd_t self:capability net_raw;
 allow httpd_t self:rawip_socket create;
 This confusing output means that the first allow line is in the
 current policy, and the second is not.

 -- greg


You want to add this rule.

#cat observium_fping.te
policy_module(observium_fping, 1.0)
gen_require(`
type httpd_t;
')
allow httpd_t self:rawip_socket create_socket_perms;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i observium_fping.pp




Re: [CentOS] SAMBA as AD DC

2014-09-23 Thread Daniel J Walsh

On 09/16/2014 10:50 AM, Markus Steinborn wrote:
 Hi Daniel,

 Daniel J Walsh wrote:
 What AVC's is SELinux giving you?
 Policy has been enforcing - and I see the folloqwing AVCs at the end
 of my audit log - but those repeated several times:

 type=AVC msg=audit(1410628837.928:422): avc:  denied  { connectto }
 for  pid=2330 comm=smbd path=/run/samba/winbindd/pipe
 scontext=system_u:system_r:smbd_t:s0
 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
 type=AVC msg=audit(1410628852.301:430): avc:  denied  { connectto }
 for  pid=2392 comm=smbd path=/run/samba/ncalrpc/np/netlogon
 scontext=system_u:system_r:smbd_t:s0
 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

This looks like you have something running as init_t that is listening
on /run/samba/winbindd/pipe

ps -eZ | grep init_t


 Greetings

 Markus


Re: [CentOS] SAMBA as AD DC

2014-09-16 Thread Daniel J Walsh
What AVC's is SELinux giving you?

On 09/15/2014 02:48 AM, Markus Steinborn wrote:
 Hi Miguel,

 Miguel Medalha wrote:
 Anyway, Sernet also provides a source rpm. Why not build up from
 that base?

 CentOS 7 is using systemd - that would cause problems.


 And anyway, I've used the package samba from CentOS 7 as base. This
 way, incompatibilities with base samba4 are minimized (same paths etc.).

 I've already written in this thread: it has turned out that SELinux is
 the problem; turning off SELinux helps. But that is not really what
 you want. And since the problem is SELinux, I am not sure if
 Sernet's source would have anything changed.

 Anyway, I do not think that my package is broken anymore since selinux
 configuration is a different thing.


 Greetings

 Markus


Re: [CentOS] SELinux alert on Centos 7 yum update

2014-09-11 Thread Daniel J Walsh
What AVC messages are you seeing?  What does the setroubleshoot alert
message show?

On 09/10/2014 07:04 PM, Sven Kieske wrote:
 On 10.09.2014 10:40, dE wrote:

  I bet this has to do with troubleshootd (is it there in CentOS? I'm
  not sure but in Fedora 19 it was there).

 I bet this has to do with the flash-plugin and virtual box
 as they most likely don't get installed in an selinux compatible
 fashion.

 With standard EL7 components and selinux enabled I didn't have
 any warnings during yum update so far.

  Contents of /var/log/audit/audit.log will be more interesting.

 True

 kind regards

 Sven


Re: [CentOS] SELinux vs. virsh

2014-08-24 Thread Daniel J Walsh

On 08/23/2014 10:45 AM, Bill Gee wrote:
 On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
 On 08/21/2014 10:03 AM, Bill Gee wrote:
 On Thursday, August 21, 2014 12:00:03 centos-requ...@centos.org wrote:
 Re: [CentOS] SELinux vs. logwatch and virsh
 From: Daniel J Walsh dwa...@redhat.com
 To: CentOS mailing list centos@centos.org

 On 08/18/2014 02:13 PM, Bill Gee wrote:
 Hi Dan -

 ausearch -m avc -ts recent produces no output.  If I run it as
 ausearch
 -f  virsh then it produces output similar to this.  Each day's run of
 logwatch produces three of these audit log entries.  The a1 and a2
 values
 are different for each entry, but everything else is the same.

 ===
 time-Mon Aug 18 03:21:03 2014
 type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21
 success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
 items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
 egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm=bash exe=/usr/bin/bash
 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
 for  pid=2816  comm=bash name=virsh dev=dm-0 ino=135911290
 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
 ===

 I thought about using audit2allow as you suggest.  The problem is then I
 don't  really know what change is required.  What exactly will it
 do?  And is there a guarantee that it will work?
 logwatch is executing virsh probably to communicate with libvirt to
 rotate logs or something.  You can look in /etc/logrotate.d for a script
 with virsh to tell you what the command is trying to do.
 Hi Dan -

 I know EXACTLY what virsh is being called for.  I wrote the script!  It
 has
 nothing to do with logrotate.  I want virsh to tell logwatch what the
 status is of all virtual machines running on the host.  Logwatch will
 then include that in its daily summary report.  SELinux is getting in the
 way.

 Regards - Bill Gee
 Well logrotate is calling the script, and you just need to add the allow
 rules to allow logrotate to execute the script and communicate with
 libvirt.   Or you need to run the script in a separate cron job to
 collect the data before the logrotate script runs.


 Hi Dan -

 Oops, I screwed up the subject line on the last posting.  Hopefully corrected 
 with this message.

 Comment - I changed my configuration so that virsh is run by a script in 
 cron.daily rather than being called from logwatch.  It saves output to a file 
 in /tmp.  Logwatch was changed to simply cat the file.  However, this STILL 
 produces an SELinux violation.  I am not any closer to the goal.

 Question - How do I add an allow rule to SELinux?  What exactly is to be 
 allowed and how is SELinux told to do it?

 Here is what ausearch finds:

 =
 time-Sat Aug 23 03:06:04 2014
 type=SYSCALL msg=audit(1408781164.014:1373): arch=c03e syscall=2
 success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fff a3=7fffb24e31d0 items=0
 ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
 fsgid=0 tty=(none) ses=127 comm=cat exe=/usr/bin/cat
 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742
 comm=cat path=/tmp/libvirt-status dev=dm-0 ino=768471
 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

 =

 Observation - My original idea on this is to have logwatch execute virsh
 directly.  I know it is possible to make that work.  The same computer has
 two other logwatch items that I created.  One of them runs uptime and the
 other runs sensors.  Both work perfectly.  I see that the uptime and sensors
 programs are set for SELinux type=bin_t, which is not the same as what virsh
 is set for.  I think what I need to do is figure out how to ADD (not replace)
 a new type on the virsh program.

 Thanks - Bill Gee


Change your script to write to /var/log/virsh.log; then everything
should work.  I recommend that no privileged process ever writes to /tmp;
/tmp is for users.

logwatch can read log files, so SELinux requires the file to have a log
label.  The default label for anything created in /var/log is var_log_t,
which is a log label.
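
A worked version of the audit2allow step that comes up in the fping, Samba, ProFTPD and logwatch threads above, added here as an example; it is not code from the threads, from audit2allow or from setroubleshoot. It reads the type=AVC records quoted in the fping, Samba and logwatch threads and the aureport -a row from the ProFTPD thread (all reproduced below as constructed sample input; the last line is invented so that two denials merge into one rule), merges permissions per (source type, target type, object class), writes `self` when source and target coincide, and renders the result as a policy_module()/gen_require() .te file in the shape of observium_fping.te.

```python
"""Turn SELinux denials into candidate allow rules, the way audit2allow does.

Added example; not code from the thread or from policycoreutils. It parses
raw 'type=AVC' audit records and 'aureport -a' rows, merges permissions per
(source type, target type, class) and renders a refpolicy-style .te file.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the denials quoted in the threads.
# The final line is invented so that two denials merge into one rule.
SAMPLE_DENIALS = """\
type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for  pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1410628837.928:422): avc:  denied  { connectto } for  pid=2330 comm="smbd" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 comm="bash" name="virsh" dev=dm-0 ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
28. 11/05/2014 12:58:58 proftpd unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 4 file getattr system_u:object_r:sshd_key_t:s0 denied 86877
type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 comm="cat" path="/tmp/libvirt-status" dev=dm-0 ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1408781164.014:1374): avc:  denied  { read } for  pid=25742 comm="cat" path="/tmp/libvirt-status" dev=dm-0 ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

# Raw audit record: '... avc:  denied  { perm perm } for ... scontext=... tcontext=... tclass=...'
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# 'aureport -a' row: num. date time comm subj syscall class perm obj result event
AUREPORT_RE = re.compile(
    r"^\d+\.\s+\S+\s+\S+\s+\S+\s+(?P<scontext>\S+)\s+\S+\s+(?P<tclass>\S+)\s+"
    r"(?P<perms>\S+)\s+(?P<tcontext>\S+)\s+(?P<result>denied|granted)\s+\d+$"
)


def type_of(context):
    """Extract the type from user:role:type[:mls], the field policy rules use."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every denied access."""
    for line in text.splitlines():
        m = AVC_RE.search(line) or AUREPORT_RE.match(line)
        if m is None or m["result"] != "denied":
            continue
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def allow_rules(text):
    """Merge denials into one allow rule per (source, target, class).

    'self' replaces the target when both types coincide, as in the
    httpd_t rawip_socket rule from the fping thread."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        if len(perms) == 1:
            perm_text = next(iter(perms))
        else:
            perm_text = "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_text};")
    return rules


def policy_module(name, text, version="1.0"):
    """Render a .te file in refpolicy style (policy_module + gen_require)."""
    required = set()
    for src, tgt, _cls, _perms in parse_denials(text):
        required.update((src, tgt))
    lines = [f"policy_module({name}, {version})", "", "gen_require(`"]
    lines += [f"\ttype {t};" for t in sorted(required)]
    lines += ["')", ""] + allow_rules(text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("local_denials", SAMPLE_DENIALS), end="")
```

The output is compiled and loaded exactly as in the fping thread (make -f /usr/share/selinux/devel/Makefile, then semodule -i name.pp). The rules are candidates, not decisions; Walsh's test is whether the access makes sense. Of the five rules the sample produces, the ftpd_t and httpd_t ones are the accesses the threads treat as legitimate, and even there the thread widened the bare `create` permission to the create_socket_perms macro. The logwatch_t rule for user_tmp_t is the wrong fix (write the file under /var/log so it gets var_log_t, as Walsh says), and smbd_t connecting to init_t points at a process running in the wrong domain (ps -eZ | grep init_t), which an allow rule would only hide.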


Re: [CentOS] CentOS Digest, Vol 115, Issue 21

2014-08-22 Thread Daniel J Walsh

On 08/21/2014 10:03 AM, Bill Gee wrote:
 On Thursday, August 21, 2014 12:00:03 centos-requ...@centos.org wrote:
 Re: [CentOS] SELinux vs. logwatch and virsh
 From: Daniel J Walsh dwa...@redhat.com
 To: CentOS mailing list centos@centos.org

 On 08/18/2014 02:13 PM, Bill Gee wrote:
 Hi Dan -

 ausearch -m avc -ts recent produces no output.  If I run it as ausearch
 -f  virsh then it produces output similar to this.  Each day's run of
 logwatch produces three of these audit log entries.  The a1 and a2 values
 are different for each entry, but everything else is the same.

 ===
 time-Mon Aug 18 03:21:03 2014
 type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21 
 success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
 items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
 egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm=bash exe=/usr/bin/bash
 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
 for  pid=2816  comm=bash name=virsh dev=dm-0 ino=135911290
 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
 ===

 I thought about using audit2allow as you suggest.  The problem is then I
 don't  really know what change is required.  What exactly will it
 do?  And is there a guarantee that it will work?
 logwatch is executing virsh probably to communicate with libvirt to
 rotate logs or something.  You can look in /etc/logrotate.d for a script
 with virsh to tell you what the command is trying to do.
 Hi Dan -

 I know EXACTLY what virsh is being called for.  I wrote the script!  It has 
 nothing to do with logrotate.  I want virsh to tell logwatch what the status 
 is of all virtual machines running on the host.  Logwatch will then include 
 that in its daily summary report.  SELinux is getting in the way.

 Regards - Bill Gee
Well logrotate is calling the script, and you just need to add the allow
rules to allow logrotate to execute the script and communicate with
libvirt.   Or you need to run the script in a separate cron job to
collect the data before the logrotate script runs.



Re: [CentOS] Centos 7 lockup

2014-08-21 Thread Daniel J Walsh

On 08/21/2014 02:09 PM, Les Mikesell wrote:
 On Thu, Aug 21, 2014 at 12:23 PM,  m.r...@5-cent.us wrote:
 Les Mikesell wrote:
 A machine I set up to run OpenNMS stopped working last night - no
 hardware alarm lights, but keyboard/monitor/network unresponsive.
 After a reboot I see a large stack of messages like this in
 /var/log/messages:

 
 Aug 20 14:02:34 opennms-h-03 python: SELinux is preventing
 /usr/sbin/monitor-get-edid-using-vbe from mmap
 _zero access on the memprotect .
 --
 and then this final message

 Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute
 'split'


 Do either of those look fatal?   And where else should I look for the
 underlying problem?

 Looks like all selinux to me, esp. the wording. Is it in enforcing mode? I
 wonder if it's possible that there's a bug in an selinux policy that
 results in IT'S NOT SAFE!!! SHUT IT DOWN!!!.
 /var/log/audit/audit.log says:
 type=AVC msg=audit(1408478520.792:7016): avc:  denied  { mmap_zero }
 for  pid=17977 comm=monitor-get-edi
 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
 tclass=memprotect

 which isn't particularly readable but I would guess means that it
 blocked the ocsinventory-agent from getting the monitor type.  Not
 sure why that is supposed to be helpful, but it also doesn't sound
 fatal.  And somewhat irrelevant on a normally headless server.

 Does that dbus error looks serious?
 Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute 
 'split'

  --
Les Mikesell
  lesmikes...@gmail.com
mmap_zero is a fairly dangerous access. It means the object is
attempting to memory map low memory in the kernel.  Bugs in the kernel
have been known to allow priv escalation, which can be prevented by this
check.

http://eparis.livejournal.com/

Talks about the access check.

I usually tell people to avoid these apps, but if you need to run it,
you can turn the protection off as the alert told you.

setsebool -P mmap_low_allowed 1





Re: [CentOS] SELinux vs. logwatch and virsh

2014-08-20 Thread Daniel J Walsh

On 08/18/2014 02:13 PM, Bill Gee wrote:
 Hi Dan -

 ausearch -m avc -ts recent produces no output.  If I run it as ausearch -f 
 virsh then it produces output similar to this.  Each day's run of logwatch 
 produces three of these audit log entries.  The a1 and a2 values are 
 different for each entry, but everything else is the same.

 ===
 time-Mon Aug 18 03:21:03 2014
 type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21 
 success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 
 ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
 fsgid=0 tty=(none) ses=981 comm=bash exe=/usr/bin/bash 
 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
 type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 
 comm=bash name=virsh dev=dm-0 ino=135911290 
 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
 ===

 I thought about using audit2allow as you suggest.  The problem is then I 
 don't really know what change is required.  What exactly will it do?  And is 
 there a guarantee that it will work?
logwatch is executing virsh probably to communicate with libvirt to
rotate logs or something.  You can look in /etc/logrotate.d for a script
with virsh to tell you what the command is trying to do.
 Regarding your general question ...  It seems to me that logwatch can be used 
 to provide feedback on operational status of almost anything on the system.  
 If you go beyond the typical reading of log files, then that often requires 
 running some script or utility program or something.  Anytime that is done, I 
 think this kind of problem will appear.
Right, but I am looking for packages that drop logrotate scripts rather
than just throwing in the towel and saying logrotate is an unconfined
domain.  If a package ships a script that SELinux will break, I want to
know what is the risk of a hacked logrotate executable causing havoc on a
system.  Potentially I can add a boolean to policy to allow the access
but deny it by default.
 Much of what logwatch does is running files through cat.  That process runs 
 as bin_t which must be a general type.  I wonder what would happen if I 
 changed virsh to the same type.
You could try that, I think you will end up with other AVCs concerning
logrotate talking to libvirt.
 For what it is worth, I have another computer running CentOS 6.5 and 
 VirtualBox.  The VBoxManage program must run as the same user which is 
 running the virtual machines, which frustrates me to no end.  I finally 
 figured out a way to work around it by setting up a user cron job under that 
 user.  It saves the output to a text file.  The logwatch script then comes 
 along and reads that file into its output.  It works, but it is not ideal.  
 There are obvious problems with synchronization, plus if a computer is 
 running VMs under multiple user accounts, then multiple user cron jobs are 
 needed.

 Thanks - Bill Gee


 What AVC messages are you seeing?

 ausearch -m avc -ts recent.
 I would put the machine in permissive mode, run your tests and then add
 the allow rules using

 audit2allow -M mylogwatch





 Message: 8
 Date: Fri, 15 Aug 2014 11:22:40 -0400
 From: Daniel J Walsh dwa...@redhat.com
 Subject: Re: [CentOS] SELinux vs. logwatch and virsh
 To: CentOS mailing list centos@centos.org
 Message-ID: 53ee25c0.3040...@redhat.com
 Content-Type: text/plain; charset=windows-1252


 On 08/14/2014 11:02 AM, Bill Gee wrote:
 Hello everyone -

 I am stumped ...  Does anyone have suggestions on how to proceed?  Is there 
 a way to get what I want?

 The environment:  CentOS 7.0 with latest patches. 

 The goal:  I want logwatch to include a report on the status of kvm virtual 
 computers.
 The problem:  When run from anacron, SELinux denies permission for the virsh 
 utility.  
 Here is a portion of the logwatch output:

 - KVM libvirt status report Begin 
  
  Date Range: yesterday
  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission 
 denied
  
 -- KVM libvirt status report End 
 - 
 If I run-parts  /etc/cron.daily from a root console, it all works.  Same 
 if I run logwatch from a root console.

 I set SELinux to permissive and that allows virsh to run.  Therefore I know 
 it is something to do with SELinux.

 The logwatch script is:

   #Lots of comments
   /usr/bin/virsh list --all

 I see the selinux security context of virsh is

   system_u:object_r:virsh_exec_t:s0

 while logwatch.pl runs as 

   system_u:object_r:logwatch_exec_t:s0

 As I understand it, selinux does not permit having multiple type settings 
 for a file.  Any 
 file

Re: [CentOS] SELinux vs. logwatch and virsh

2014-08-15 Thread Daniel J Walsh

On 08/14/2014 11:02 AM, Bill Gee wrote:
 Hello everyone -

 I am stumped ...  Does anyone have suggestions on how to proceed?  Is there a 
 way to get what I want?

 The environment:  CentOS 7.0 with latest patches. 

 The goal:  I want logwatch to include a report on the status of kvm virtual 
 computers.

 The problem:  When run from anacron, SELinux denies permission for the virsh 
 utility.  
 Here is a portion of the logwatch output:

 - KVM libvirt status report Begin 
  

  Date Range: yesterday
  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission 
 denied
  
 -- KVM libvirt status report End 
 - 

 If I run-parts  /etc/cron.daily from a root console, it all works.  Same if 
 I run logwatch from a root console.

 I set SELinux to permissive and that allows virsh to run.  Therefore I know 
 it is something to do with SELinux.

 The logwatch script is:

   #Lots of comments
   /usr/bin/virsh list --all

 I see the selinux security context of virsh is

   system_u:object_r:virsh_exec_t:s0

 while logwatch.pl runs as 

   system_u:object_r:logwatch_exec_t:s0

 As I understand it, selinux does not permit having multiple type settings for 
 a file.  Any file can have exactly one type setting.  

 I ran this command hoping it would add another type to the virsh program.

   semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh

   semanage fcontext --list /usr/bin/virsh | grep virsh
 /usr/bin/virsh all files 
 system_u:object_r:logwatch_exec_t:s0 
 /usr/bin/virsh regular file  
 system_u:object_r:virsh_exec_t:s0 
 /usr/sbin/xl   regular file  
 system_u:object_r:virsh_exec_t:s0 
 /usr/sbin/xm   regular file  
 system_u:object_r:virsh_exec_t:s0 

 Semanage did add the new type, but that did not fix the problem.  Virsh still 
 gets permission denied when logwatch tries to run it.

 Thanks - Bill Gee
What AVC messages are you seeing?

ausearch -m avc -ts recent.
I would put the machine in permissive mode, run your tests and then add
the allow rules using

audit2allow -M mylogwatch
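Both the virsh denial quoted in this thread and the mmap_zero denial in the "Centos 7 lockup" thread come down to reading raw AVC records and deciding whether an allow rule is the right answer. The Python below is an example added by the editor, not code from Dan Walsh, from the list, or from the audit2allow tool: it parses ausearch-style output, joins each AVC record to the SYSCALL record that carries the same audit serial (the number after the colon in msg=audit(...)), so the exe and syscall number are known, builds the allow rule that would satisfy that one denial (the kind of rule audit2allow -M builds its .te file from), and flags permissions such as mmap_zero that deserve a look at the program rather than an allow rule. The sample records are constructed from the two records quoted in these threads, with the field values as they appear there and the quotes audit puts around comm/exe/name restored.

```python
import re

# Constructed sample input: the records quoted in the two threads above, one
# record per line as ausearch prints them (quotes around comm/exe/name restored).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21 success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 comm="bash" name="virsh" dev=dm-0 ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(1408478520.792:7016): avc:  denied  { mmap_zero } for  pid=17977 comm="monitor-get-edi" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=memprotect
"""

# Permissions that widen the blast radius of kernel or memory bugs; a denial of
# these is a prompt to review the program, not to write an allow rule.
HIGH_RISK = {
    ("memprotect", "mmap_zero"),  # mapping page zero lets NULL-deref kernel bugs be abused
    ("process", "execmem"),       # writable and executable anonymous memory
    ("process", "execheap"),
    ("process", "execstack"),
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'key=value key="quoted value"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(context):
    """An SELinux context is user:role:type[:range]; the type is the third field."""
    return context.split(":")[2]


def parse_audit(text):
    """Parse ausearch output into AVC events, each joined to the SYSCALL record
    that shares its audit serial."""
    syscalls = {}
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("type=SYSCALL"):
            serial = SERIAL_RE.search(line).group(1)
            syscalls[serial] = parse_kv(line)
        elif line.startswith("type=AVC"):
            m = AVC_RE.match(line)
            if not m:
                continue  # truncated or unexpected record: skip rather than guess
            fields = parse_kv(m.group("rest"))
            events.append({
                "serial": m.group("serial"),
                "timestamp": float(m.group("ts")),
                "verdict": m.group("verdict"),
                "perms": m.group("perms").split(),
                "tclass": fields.get("tclass"),
                "scontext": fields.get("scontext"),
                "tcontext": fields.get("tcontext"),
                "pid": fields.get("pid"),
                "comm": fields.get("comm"),
                "name": fields.get("name"),
            })
    for ev in events:
        sc = syscalls.get(ev["serial"], {})
        ev["exe"] = sc.get("exe")  # None when no SYSCALL record was captured
        ev["syscall"] = sc.get("syscall")
        ev["exit"] = sc.get("exit")
    return events


def allow_rule(ev):
    """The allow rule that would satisfy exactly this one denial."""
    return "allow %s %s:%s { %s };" % (
        context_type(ev["scontext"]), context_type(ev["tcontext"]),
        ev["tclass"], " ".join(ev["perms"]))


def assess(ev):
    """'review' if any denied permission is in HIGH_RISK, else 'routine'."""
    if any((ev["tclass"], p) in HIGH_RISK for p in ev["perms"]):
        return "review"
    return "routine"


if __name__ == "__main__":
    for ev in parse_audit(SAMPLE_AUDIT_LOG):
        print("%s pid=%s comm=%s exe=%s syscall=%s exit=%s" % (
            ev["serial"], ev["pid"], ev["comm"], ev["exe"], ev["syscall"], ev["exit"]))
        print("  %s  [%s]" % (allow_rule(ev), assess(ev)))
```

Run as a script it prints the two events with their candidate rules; the virsh denial comes out as routine (the read of virsh_exec_t by logwatch_t that this thread is about), while the mmap_zero denial comes out as "review", which matches the advice in the lockup thread to look at the program before flipping mmap_low_allowed.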




Re: [CentOS] SELinux vs. logwatch and virsh

2014-08-15 Thread Daniel J Walsh

On 08/14/2014 11:02 AM, Bill Gee wrote:
 Hello everyone -

 I am stumped ...  Does anyone have suggestions on how to proceed?  Is there a 
 way to get what I want?

 The environment:  CentOS 7.0 with latest patches. 

 The goal:  I want logwatch to include a report on the status of kvm virtual 
 computers.

 The problem:  When run from anacron, SELinux denies permission for the virsh 
 utility.  
 Here is a portion of the logwatch output:

 - KVM libvirt status report Begin 
  

  Date Range: yesterday
  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission 
 denied
  
 -- KVM libvirt status report End 
 - 

 If I run-parts  /etc/cron.daily from a root console, it all works.  Same if 
 I run logwatch from a root console.

 I set SELinux to permissive and that allows virsh to run.  Therefore I know 
 it is something to do with SELinux.

 The logwatch script is:

   #Lots of comments
   /usr/bin/virsh list --all

 I see the selinux security context of virsh is

   system_u:object_r:virsh_exec_t:s0

 while logwatch.pl runs as 

   system_u:object_r:logwatch_exec_t:s0

 As I understand it, selinux does not permit having multiple type settings for 
 a file.  Any file can have exactly one type setting.  

 I ran this command hoping it would add another type to the virsh program.

   semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh

   semanage fcontext --list /usr/bin/virsh | grep virsh
 /usr/bin/virsh all files 
 system_u:object_r:logwatch_exec_t:s0 
 /usr/bin/virsh regular file  
 system_u:object_r:virsh_exec_t:s0 
 /usr/sbin/xl   regular file  
 system_u:object_r:virsh_exec_t:s0 
 /usr/sbin/xm   regular file  
 system_u:object_r:virsh_exec_t:s0 

 Semanage did add the new type, but that did not fix the problem.  Virsh still 
 gets permission denied when logwatch tries to run it.

 Thanks - Bill Gee
BTW if you think this is something we should do in general in such a way
as logwatch can only look at the content in Read Only mode, then we
might want it to become default.




Re: [CentOS] when will docker 1.1.2 for rhel7 be released?

2014-08-12 Thread Daniel J Walsh
We are working on an update to docker within RHEL7.  First we are
releasing it to our High Touch Beta process.  If you are on HTB you
should see a release in the next week.


On 08/12/2014 08:54 AM, Jim Perrin wrote:

 On 08/11/2014 07:02 PM, Dennis Jacobfeuerborn wrote:

 Looks like docker-io-1.0.0 is available in EPEL:
 http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/repoview/docker-io.html
 This package is due to be removed from EPEL soon, because of EPEL's
 policy of not competing/conflicting with base offerings. I wouldn't rely
 on this particular package


 If you really want to use the latest version of docker you cannot rely
 on RHEL packages though as they only get updated with important fixes
 and usually only with point releases (unless it's a security bug).

 Keep in mind that docker is part of upstream's 'Extras' repository,
 which doesn't have the same lifecycle that the rest of EL7 has. It's a
 shorter 18 month cycle I believe, so you might very well see re-basing
 going on there.




Re: [CentOS] rsyslog does not log on a separate partition/FS mounted on /var/log/

2014-08-07 Thread Daniel J Walsh


On 08/07/2014 05:48 AM, Arun Khan wrote:
 SOLVED

 On Wed, Aug 6, 2014 at 10:28 PM, James A. Peltier jpelt...@sfu.ca wrote:
 - Original Message -
 | On Wed, Aug 06, 2014 at 04:50:41PM +, Tony Mountifield wrote:
 | 
 |  Probably rsyslog is being started before /var/log is mounted, and
 |  so it
 |  is opening files within /var/log on the root device.
 |
 | rsyslog should start after local mounts are finished.
 |
 | I suspect it's selinux; /var/log should have a var_log_t context
 | and I
 | suspect it doesn't.

 running a restorecon -vv on /var/log should correct that automatically I 
 would think.

 I had suspected SElinux and have it disabled still rsyslogd was not
 logging on the new device mounted on /var/log/

 ***  restorecon -vv /var/log does the trick! ***

 @ James A. Peltier Thank you!

 FWIW - here are the steps

 1. service rsyslog stop
 2. mount new var log device /mnt/
 3. rsync -aP /var/log/ /mnt/
 4. rm -fr /var/log/*
 5. umount /mnt
 6. mount new var log device /var/log/  (also make change to /etc/fstab)
 7. restorecon -vv /var/log   <-- the solution
 8. service rsyslog start.
 9. logger this is a test
 10. tail /var/log/messages to verify that indeed the logger string was logged.

 -- Arun Khan
If restorecon fixes the problem, then you never disabled SELinux.

If you untar files into a location, you should always run restorecon on
the directory to fix the SELinux labels.



[CentOS-virt] Frequent Kernel Oops' on CentOS 6 / Xen

2014-07-29 Thread Daniel Bradler

Hi,

we have a couple of nodes based on CentOS 6 and Xen4CentOS. Unfortunately
some of these nodes keep crashing frequently.

We use the latest versions:

# uname -r
3.10.43-11.el6.centos.alt.x86_64

# xm info
host   : vserver20
release: 3.10.43-11.el6.centos.alt.x86_64
version: #1 SMP Mon Jun 16 14:22:02 UTC 2014
machine: x86_64
nr_cpus: 24
nr_nodes   : 2
cores_per_socket   : 6
threads_per_core   : 2
cpu_mhz: 2400
hw_caps: 
bfebfbff:2c100800::3f40:009ee3fd::0001:
virt_caps  : hvm hvm_directio
total_memory   : 65527
free_memory: 22692
free_cpus  : 0
xen_major  : 4
xen_minor  : 2
xen_extra  : .4-33.el6
xen_caps   : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64 
xen_scheduler  : credit

xen_pagesize   : 4096
platform_params: virt_start=0x8000
xen_changeset  : unavailable
xen_commandline: dom0_mem=2560M,max:3072M loglvl=all
guest_loglvl=all
cc_compiler: gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-4)
cc_compile_by  : mockbuild
cc_compile_domain  : centos.org
cc_compile_date: Mon Jun 16 17:22:14 UTC 2014
xend_config_format : 4

Our configuration looks as follows:

Grub:

title CentOS (3.10.43-11.el6.centos.alt.x86_64)
root (hd0,1)
kernel /xen.gz dom0_mem=2560M,max:3072M loglvl=all guest_loglvl=all
module /vmlinuz-3.10.43-11.el6.centos.alt.x86_64 ro root=/dev/sda1 
KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys crashkernel=auto
module /initramfs-3.10.43-11.el6.centos.alt.x86_64.img

/etc/xen/xend-config.sxp

(xend-unix-server yes)
(xend-relocation-server no)
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 1024)
(enable-dom0-ballooning no)
(total_available_memory 0)
(dom0-cpus 0)
(vncpasswd '')

I've attached the logfile information regarding the latest crash as
crash.log?

Does anybody have an idea how to solve these issues?

Kind Regards
Daniel Bradler

Jul 29 18:50:04 vserver20 kernel: BUG: unable to handle kernel paging request at 0066008c
Jul 29 18:50:04 vserver20 kernel: IP: [81151999] isolate_migratepages_range+0x459/0x980
Jul 29 18:50:04 vserver20 kernel: PGD 2c3d4067 PUD 0 
Jul 29 18:50:04 vserver20 kernel: Oops:  [#1] SMP 
Jul 29 18:50:04 vserver20 kernel: Modules linked in: bridge stp llc xen_pciback xen_gntalloc xt_REDIRECT xt_owner nf_nat_ftp nf_conntrack_ftp xt_state xt_length xt_hl xt_tcpmss xt_TCPMSS xt_multiport xt_limit xt_LOG xt_DSCP xt_dscp ipt_REJECT iptable_filter iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack ip_tables ip6table_filter ip6_tables ipv6 xen_acpi_processor blktap xen_netback xen_blkback xen_gntdev xen_evtchn xenfs xen_privcmd gpio_ich iTCO_wdt iTCO_vendor_support coretemp hwmon freq_table mperf intel_powerclamp crc32c_intel microcode serio_raw pcspkr i2c_i801 joydev lpc_ich e1000e ptp pps_core ioatdma dca i7core_edac edac_core sg ext3 jbd mbcache sd_mod crc_t10dif pata_acpi ata_generic ata_piix aacraid mgag200 ttm drm_kms_helper dm_mirror dm_region_hash dm_log dm_mod
Jul 29 18:50:04 vserver20 kernel: CPU: 21 PID: 17034 Comm: solusvmc-node Not tainted 3.10.43-11.el6.centos.alt.x86_64 #1
Jul 29 18:50:04 vserver20 kernel: Hardware name: Supermicro X8DTL/X8DTL, BIOS 2.1b   11/16/2012
Jul 29 18:50:04 vserver20 kernel: task: 880003e31540 ti: 8811e000 task.ti: 8811e000
Jul 29 18:50:04 vserver20 kernel: RIP: e030:[81151999]  [81151999] isolate_migratepages_range+0x459/0x980
Jul 29 18:50:04 vserver20 kernel: RSP: e02b:8811f990  EFLAGS: 00010206
Jul 29 18:50:04 vserver20 kernel: RAX: 00660014 RBX: 1db0 RCX: 000e
Jul 29 18:50:04 vserver20 kernel: RDX: 0002 RSI: 0003 RDI: 003b
Jul 29 18:50:04 vserver20 kernel: RBP: 8811fa40 R08: ea00 R09: 1e00
Jul 29 18:50:04 vserver20 kernel: R10: 8800a003eb40 R11: ea062000 R12: ea067e80
Jul 29 18:50:04 vserver20 kernel: R13: 01b1 R14:  R15: 8800a003e6c0
Jul 29 18:50:04 vserver20 kernel: FS:  7f38bffdf700() GS:88009f2a() knlGS:
Jul 29 18:50:04 vserver20 kernel: CS:  e033 DS:  ES:  CR0: 8005003b
Jul 29 18:50:04 vserver20 kernel: CR2: 0066008c CR3: 20e7b000 CR4: 2660
Jul 29 18:50:04 vserver20 kernel: DR0:  DR1:  DR2: 
Jul 29 18:50:04 vserver20 kernel: DR3:  DR6: 0ff0 DR7: 0400
Jul 29 18:50:04 vserver20 kernel: Stack:
Jul 29 18:50:04 vserver20 kernel

[CentOS] CentOS 7 Anaconda GUI resolution

2014-07-10 Thread Daniel Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Greetings!  I tried installing CentOS v7 (1406) to an old spare
machine, and the video card apparently doesn't play well with X.  It is
incorrectly saying that either monitor I connect is only able to
support 640x480, when one is 1024x768 and the other supports a higher
(but now forgotten) resolution.  In no way do I expect a fix to be
added just to support my antique.  :)

What I'd like to find, or have added to future CentOS installation
discs, is a way to force the GUI resolution.  Alternately, if nothing
below 800x600 will show the GUI properly perhaps the installer should
just forcibly set that as the minimum, no matter what the hardware
claims to allow?

Details of the hardware and such follow, let me know if you need more.
=-=-=-=-=-=

Under the normal boot from the normal DVD, graphics-mode output is
discolored and squashed to the left of the display.  In the Basic
Graphics troubleshooting mode the output is clear and proper, but
still just 640x480.

Server: Gateway E-9422R
Video card: Matrox Graphics MGA G200e, PCI 102b:0522

I captured the output of lspci, dmidecode, /tmp, and /var/log in both
Normal and Basic Graphics boot modes.  The file is 1,692,776 bytes and
has the following SHA1 checksum:

f9cd800ced963e29d0bb3e4381596dc3b61a4c4c
*CentOS7_InstallerResolutionProblem.tar.xz

It can be downloaded from this link:
  http://s000.tinyupload.com/index.php?file_id=55151826488339350948


Daniel Johnson
djohn...@progman.us
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlO/N1gACgkQ6vGcUBY+ge+5CwCgnRG1En1ZORoj5Q8tKFyApX13
xukAoJ309KaZJjZAc69REBz9p0J9Yxum
=iTJm
-END PGP SIGNATURE-


Re: [CentOS] CentOS 7 Anaconda GUI resolution

2014-07-10 Thread Daniel Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/10/2014 08:28 PM, Johnny Hughes wrote:
 On 07/10/2014 08:01 PM, Daniel Johnson wrote:
snip
 Under the normal boot from the normal DVD, graphics-mode output
 is discolored and squashed to the left of the display.  In the
 Basic Graphics troubleshooting mode the output is clear and
 proper, but still just 640x480.
snip
 There is a basic video install in the 3rd selection when you boot
 the iso .. in the Troubleshooting section.  You might give that a
 try and see if it works better after boot of the OS.  The anaconda
 drivers are a subset of the drivers for the distro, so it might
 work better after initial.
 
 Might also try one of the LiveGnome or LiveKDE isos.

Thanks!  I did try Basic Graphics before, and while it made the image
clear and distortion-free it was still 640x480.

While browsing bugs.centos.org I saw a reference to using vga=773 to
fix the resolution in VMware Fusion/Workstation, but it had no effect
on the physical server's GUI when I tried it.

The same bug post mentioned putting text on the kernel line.  I
didn't think that was supported on CentOS 7, should that be in the
Troubleshooting menu too?  I'm using that to get the server at least
basically loaded for now, I'll go back later and tweak the
auto-generated KS file to re-install the way I want it.

[https://bugs.centos.org/view.php?id=7313]

Daniel Johnson
djohn...@progman.us

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlO/SNwACgkQ6vGcUBY+ge+TQwCgnOrbVYhnkBnvBKTrO5S7gVxm
w6YAoP6uqucDWxYS13KRVIMveNcXqpUU
=Ujb9
-END PGP SIGNATURE-


Re: [CentOS] SELinux context for web application directories

2014-06-29 Thread Daniel J Walsh

On 06/27/2014 11:47 AM, James B. Byrne wrote:
 CentOS-6.5

 We deploy web applications written with the Ruby on Rails framework using
 Capistrano (2.x).  Each 'family' of web applications are 'owned' by a
 dedicated user id.  The present httpd service is Apache 2.2.15 and we use
 Passenger 3.0.11.  We are moving shortly to a new deployment host and at that
 time we will be updating to Apache 2.4.9 and Passenger 4..0.25.

 Our deployment practice is to place the 'family' directory under /var/data/. 
 This is the home directory of the application user id. We place each
 individual web application or component into its own directory underneath the
 family root.  So that things look like this:

 /var/data/hll_th
 ├── backups
 │   └── pgsql
 ├── etc
 │   └── database.yml
 ├── hll_th_cc_edi_get
 │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615
 │   ├── releases
 │   └── shared
 ├── hll_th_forex_rss
 │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652
 │   ├── releases
 │   └── shared
 ├── hll_th_hp3000_billing
 │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431
 │   ├── releases
 │   └── shared
 ├── log
 ├── lost+found
 └── pgpass -> .pgpass

 The questions I have are: What is an appropriate SELinux context for such a
 directory structure given it is used by a httpd service?  Is the default user
 home setting of system_u:object_r:home_root_t acceptable?  Is
 system_u:object_r:httpd_sys_content_t preferable instead?  is some other
 SELinux context preferred for RoR web applications using Apache with
 mod-passenger?


I would think that httpd_sys_content_t and httpd_sys_rw_content_t would
be appropriate.
These are not real user accounts, meaning normal users do not login to
these systems.




Re: [CentOS] mail delivery question

2014-06-23 Thread Daniel J Walsh

On 06/20/2014 03:15 PM, Chuck Campbell wrote:
 I've built a new mail system with Centos 6.5, and I'm running fetchmail -
 sendmail - procmail to maildir. I have all of this working at the moment.(I
 know, postfix was the default, but for lots of other reasons, I switched, and
 that isn't an issue, I don't think).

 I am using dovecot as an imap server. Procmail won't update indexes during 
 email delivery, so I'm having some performance delays and lags when accessing the
 emails via imap. I would like to use dovecot-lda for delivery, but I get
 permission denied errors, and I don't know why or where they are coming from.

 Here is the .procmailrc and procmail log file response when I try to use
 dovecot-lda from procmail:

 .procmailrc

 SHELL=/bin/sh
 PATH=$HOME/bin:/bin:/usr/bin:/usr/local/bin:/usr/contrib/bin:.
 # one page suggested MAILDIR has no trailing slash, but DEFAULT should have one
 MAILDIR=$HOME/Maildir/  # You'd better make sure it exists '
 DEFAULT=$MAILDIR
 LOGFILE=$HOME/procmail_log
 LOCKFILE=$HOME/.lockmail
 LOCKEXT=.lock
 :0
 * .
 {
  LOG=$NL default recipe using copy to .ham_to_learn/ (maildir version) $NL
 }
  :0 c
  .ham_to_learn/
  :0
   | /usr/libexec/dovecot/deliver -m $DEFAULT


 I get this in my log file:

 procmail: [27709] Fri Jun 20 14:00:17 2014
  default recipe using copy to .ham_to_learn/ (maildir version)
 procmail: Assigning LASTFOLDER=.ham_to_learn/new/1403290809.27709_3.helium
 procmail: Assigning LASTFOLDER=/usr/libexec/dovecot/deliver -m
 /home/campbell/Maildir/
 procmail: Notified comsat: campbell@:/usr/libexec/dovecot/deliver -m
 /home/campbell/Maildir/
 From campb...@accelinc.com  Fri Jun 20 14:00:06 2014
  Subject: Re: Uruguay gravity model description
   Folder: /usr/libexec/dovecot/deliver -m /home/campbell/Maildir/ 
 10470
 procmail: Unlocking /home/campbell/.lockmail
 procmail: Executing /usr/libexec/dovecot/deliver,-m,/home/campbell/Maildir/
 /bin/sh: /usr/libexec/dovecot/deliver: Permission denied

 ls -laFZ /usr/libexec/
 snip
 drwxr-xr-x. root root system_u:object_r:bin_t:s0   dovecot/
 snip

 ls -laFZ /usr/libexec/dovecot
 snip
 lrwxrwxrwx. root root system_u:object_r:bin_t:s0   deliver -> dovecot-lda*
 -rwxr-xr-x. root root system_u:object_r:dovecot_deliver_exec_t:s0 dovecot-lda*
 snip

 It doesn't matter whether I reference the link file, or dovecot-lda directly, 
 I get the same result.

 I'm not getting any AVC (SELinux) entries in my /var/log/audit/audit.log, so 
 it doesn't appear to be unix permissions, or SELinux issues.
 How can I find out what permissions I need to change?

 -chuck


 --
 current working (but not indexing) examples below here.

 Two versions using procmail for delivery that succeed:


 If my .procmailrc file that looks like this:

 SHELL=/bin/sh
 PATH=$HOME/bin:/bin:/usr/bin:/usr/local/bin:/usr/contrib/bin:.
 # one page suggested MAILDIR has no trailing slash, but DEFAULT should have one
 MAILDIR=$HOME/Maildir/  # You'd better make sure it exists '
 DEFAULT=$MAILDIR
 LOGFILE=$HOME/procmail_log
 LOCKFILE=$HOME/.lockmail
 LOCKEXT=.lock
 :0
 * .
 {
  LOG=$NL default recipe using copy to .ham_to_learn/ (maildir version) $NL
 }
  :0 c
  .ham_to_learn/


 I get this in my log file:

 procmail: [27580] Fri Jun 20 13:37:55 2014
  default recipe using copy to .ham_to_learn/ (maildir version)
 procmail: Assigning LASTFOLDER=.ham_to_learn/new/1403289475.27580_2.helium
 procmail: Assigning
 LASTFOLDER=/home/campbell/Maildir/new/1403289475.27580_3.helium
 procmail: Notified comsat:
 campbell@0:/home/campbell/Maildir/new/1403289475.27580_3.helium
 From campb...@accelinc.com  Fri Jun 20 13:37:55 2014
  Subject: t41
   Folder: /home/campbell/Maildir/new/1403289475.27580_3.helium 
 4299
 procmail: Unlocking /home/campbell/.lockmail

 I get a copy in my inbox and a copy in my ham to learn folder. All appears OK

 If I use this recipe:

 SHELL=/bin/sh
 PATH=$HOME/bin:/bin:/usr/bin:/usr/local/bin:/usr/contrib/bin:.
 # one page suggested MAILDIR has no trailing slash, but DEFAULT should have one
 MAILDIR=$HOME/Maildir/  # You'd better make sure it exists '
 DEFAULT=$MAILDIR
 LOGFILE=$HOME/procmail_log
 LOCKFILE=$HOME/.lockmail
 LOCKEXT=.lock
 :0
 * .
 {
  LOG=$NL default recipe using copy to .ham_to_learn/ (maildir version) $NL
 }
  :0 c
  .ham_to_learn/
  :0
   $DEFAULT

 I get this in my log file (same as above, all is well):

 procmail: [27646] Fri Jun 20 13:46:25 2014
  default recipe using copy to .ham_to_learn/ (maildir version)
 procmail: Assigning LASTFOLDER=.ham_to_learn/new/1403289985.27646_2.helium
 procmail: Assigning
 LASTFOLDER=/home/campbell/Maildir/new/1403289985.27646_3.helium
 procmail: Notified comsat:
 campbell@0:/home/campbell/Maildir/new/1403289985.27646_3.helium
 From campb...@accelinc.com  Fri Jun 20 13:45:53 2014
  Subject: t43
   Folder: /home/campbell/Maildir/new/1403289985.27646_3.helium 
 4603
 procmail: 

Re: [CentOS] SELinux issue?

2014-06-16 Thread Daniel J Walsh

On 06/16/2014 11:13 AM, m.r...@5-cent.us wrote:
 Chuck Campbell wrote:
 I've recently built a new mail server with centos6.5, and decided to bite
 the bullet and leave SELinux running. I've stumbled through making
 things work
 and am mostly there.

 I've got my own spam and ham corpus as mbox files in
 /home/user/Mail/learned.
 These files came from my backup of the centos 5 server this machine is
 replacing.

 The folder is owned by the user (the following is run as root):
 ls -laF learned
 drw---. 6 user group   4096 Jun 10 03:35 ./
 drw---. 6 user group  35864 Jun 10 03:35 ../
 drw---. 6 user group   4096 Jun 10 03:35 2004/
 -rw---. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
 -rw---. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham

 also as root:
 ls -laZ learned
 drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 .
 drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 ..
 drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 2004
 -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_spam
 -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_ham

 When I do the same as the user, I get this:
 ls -laF learned
 ls: cannot access learned/2004: Permission denied
 ls: cannot access 2014_10_Jun_learned_spam: Permission denied
 ls: cannot access 2014_10_Jun_learned_ham: Permission denied
 <snip>
 Yup, you will. The *directories* have to be executable for you to look in
 them.

   mark

 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos
I think this is more of a DAC issue as Mark has said. 

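An added example, not from the thread, that reproduces the "cannot access ...: Permission denied" the user saw and shows it is the DAC behaviour Mark describes: reading a directory's entry names needs the r bit, but stat()ing anything inside it (which ls -laF must do) needs the x (search) bit. Everything is created under a fresh mktemp directory; the file name mirrors the post, the contents are constructed. Run as root all three checks pass, because root holds the DAC capabilities, which is why the root-run ls in the post looked fine.

```shell
#!/bin/sh
# Added example (not from the thread): show which directory mode bits
# each kind of access needs.  Paths live in a throwaway mktemp directory;
# the file name copies the post, the content is constructed.

# dir_access MODE
#   Creates learned/ with the given mode and one file inside it, then
#   reports three checks as "readdir=.. stat=.. ls_laF=..":
#     readdir  enumerate the entry names   (needs r on the directory)
#     stat     stat() one known entry      (needs x, search, on the directory)
#     ls_laF   the exact command from the post, which needs both
#   Runs as the calling user; root passes everything because it holds
#   CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE, so run it as a normal user
#   to see the denials.
dir_access() {
    mode=$1
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/learned"
    : > "$tmp/learned/2014_10_Jun_learned_ham"
    chmod "$mode" "$tmp/learned"

    # pathname expansion only does opendir/readdir; when the directory
    # cannot be read the pattern is left unexpanded
    set -- "$tmp/learned"/*
    if [ "$1" != "$tmp/learned/*" ]; then readdir=ok; else readdir=denied; fi

    # test -e calls stat(), which has to search the directory
    if [ -e "$tmp/learned/2014_10_Jun_learned_ham" ]; then stat=ok; else stat=denied; fi

    # what the user ran: readdir plus a stat() per entry
    if ls -laF "$tmp/learned" >/dev/null 2>&1; then ls_laF=ok; else ls_laF=denied; fi

    chmod 0700 "$tmp/learned"    # make the directory removable again
    rm -rf "$tmp"
    printf 'readdir=%s stat=%s ls_laF=%s\n' "$readdir" "$stat" "$ls_laF"
}

# The post's situation (drw-------) and the fix Mark describes (u+x).
dir_access 0600
dir_access 0700
```

The 0600 case is what the post shows: the names come back from readdir, then every stat() fails, which is exactly the "cannot access learned/2004" output. chmod u+x on the directories (not the mbox files) is all that is needed; no SELinux change is involved, and ls -Z would show the same labels before and after.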


Re: [CentOS] /etc/bash_completion.d/git generates permissions errors

2014-05-28 Thread Daniel J Walsh

On 05/28/2014 12:55 PM, James B. Byrne wrote:
 I did a yum update to my desktop machine as root this morning and now my
 regular logon account sees this whenever I press the enter key:

 etc/audisp/audispd.conf: Permission denied
 etc/audisp/plugins.d/af_unix.conf: Permission denied
 etc/audisp/plugins.d/syslog.conf: Permission denied
 etc/audit/audit.rules: Permission denied
 etc/audit/auditd.conf: Permission denied
 etc/dhcp/dhclient.d/ntp.sh: Permission denied
 etc/libvirt/libvirt.conf: Permission denied
 etc/libvirt/libvirtd.conf: Permission denied
 etc/libvirt/lxc.conf: Permission denied
 etc/libvirt/nwfilter/allow-arp.xml: Permission denied
 etc/libvirt/nwfilter/allow-dhcp-server.xml: Permission denied
 etc/libvirt/nwfilter/allow-dhcp.xml: Permission denied
 etc/libvirt/nwfilter/allow-incoming-ipv4.xml: Permission denied
 etc/libvirt/nwfilter/allow-ipv4.xml: Permission denied
 etc/libvirt/nwfilter/clean-traffic.xml: Permission denied

 . . .

 etc/lvm/backup/vg_vhost04: Permission denied
 etc/lvm/backup/vg_xnet241: Permission denied
 etc/lvm/backup/vg_xnet242: Permission denied
 etc/lvm/backup/vg_xnet243: Permission denied
 etc/ntp/crypto/pw: Permission denied
 etc/selinux/targeted/modules/active/base.pp: Permission denied
 etc/selinux/targeted/modules/active/commit_num: Permission denied
 etc/selinux/targeted/modules/active/file_contexts: Permission denied
 etc/selinux/targeted/modules/active/file_contexts.homedirs: Permission denied
 etc/selinux/targeted/modules/active/file_contexts.local: Permission denied
 etc/selinux/targeted/modules/active/file_contexts.template: Permission denied

 . . .

 root/iaxmodem-debuginfo-1.2.0-1.el6.x86_64.rpm: Permission denied
 root/ifcfg-br0: Permission denied
 root/ifcfg-br1: Permission denied
 root/ifcfg-eth0: Permission denied
 root/ifcfg-eth0:xxx: Permission denied
 root/ifcfg-eth1: Permission denied
 root/install.log: Permission denied
 root/install.log.syslog: Permission denied
 root/internal_call.trace: Permission denied
 root/iptables.gateway.revised: Permission denied
 root/iptables.gway01.20130517: Permission denied
 root/iptables.inet09-2012-12-31: Permission denied
 root/jcameron-key.asc: Permission denied
 root/locale_en...@-mmm-dd.tar.gz: Permission denied
 root/more_or_less_commands.txt: Permission denied
 root/named.conf.bind-9.8.2-default-2013-07-04: Permission denied
 root/named.conf.inet01-dns01-2013-07-04: Permission denied
 root/named.conf.inet03-dnm-2013-07-04: Permission denied
 root/pg_hba.conf: Permission denied
 root/pg_ident.conf: Permission denied
 root/pgadmin.log: Permission denied
 root/pgdg-91-centos.repo: Permission denied
 root/ping_host.sh: Permission denied
 root/ping_http.sh: Permission denied
 root/postgresql.conf: Permission denied
 root/root_voinet09.tgz: Permission denied
 root/rsync_control.tgz: Permission denied
 root/rsync_inet01.sh: Permission denied
 root/rsync_inet02.sh: Permission denied
 root/rsync_inet03.sh: Permission denied
 root/rsync_inet04.sh: Permission denied
 root/rsync_inet05.sh: Permission denied
 root/rsync_inet06.sh: Permission denied
 root/rsync_inet07.sh: Permission denied
 root/rsync_inet08.sh: Permission denied
 root/rsync_inet09.sh: Permission denied
 root/rsync_voinet09_freepbx.sh: Permission denied
 root/rsync_xnet241_home_byrnejb.sh: Permission denied
 root/ttyS0.conf: Permission denied
 root/vimsetup.tgz: Permission denied
 root/virtinstallscript: Permission denied
 root/voinet01_pki.tgz: Permission denied
 root/xTuple-3.8.2-linux-installer.run: Permission denied

 I traced this back to this statement in ~/.bash_profile

 source /etc/bash_completion.d/git

 Removing this statement allows new terminal sessions for my regular account to
 work as they did before - in other words without the massive list of
 permissions errors.  This file comes from the git package in base:

 $ yum provides /etc/bash_completion.d/git
 . . .
 129 packages excluded due to repository priority protections
 git-1.7.1-3.el6_4.1.x86_64 : Fast Version Control System
 Repo: base
 Matched from:
 Filename: /etc/bash_completion.d/git


 My question is: what is in /etc/bash_completion.d/git that is causing this?


Are you running with a confined user?  id -Z?  Is this an SELinux issue?


Re: [CentOS] Centos 6.5 workaround needed for selinux Could not open policy file bug

2014-05-20 Thread Daniel J Walsh

On 05/20/2014 12:50 PM, Michael McNulty wrote:
 I read about this bug in the Centos 6.2 faq and the link showing it fixed in 
 https://bugzilla.redhat.com/show_bug.cgi?id=769859
 but I am still getting it updating on a Centos 6.5 server that had selinux 
 disabled. I want to run selinux as permissive but it won't load now on reboot.

 I ran the yum update to apply this latest selinux update 
 http://lists.centos.org/pipermail/centos-announce/2014-May/020294.html
 for centos-release-6-5.el6.centos.11.2.x86_64.

 Transaction Test Succeeded
 Running Transaction
   Installing : selinux-policy-3.7.19-231.el6_5.3.noarch
   Installing : selinux-policy-targeted-3.7.19-231.el6_5.3.noarch 
 semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == 
 target_type->s.value' failed.
 SELinux:  Could not open policy file <= 
 /etc/selinux/targeted/policy/policy.24:  No such file or directory
   Verifying  : selinux-policy-3.7.19-231.el6_5.3.noarch   
   Verifying  : selinux-policy-targeted-3.7.19-231.el6_5.3.noarch  

 Installed:
   selinux-policy.noarch 0:3.7.19-231.el6_5.3   

 I tried yum reinstall, yum remove and yum install for selinux-policy-targeted 
 but I still receive the same error. I also enabled selinux as permissive and 
 rebooted but selinux still will not start as permissive.

 Anyone have a work around to get selinux working as permissive with this 
 condition?

 thx

 Mike
 
This seems strange.  Try this.

setenforce 0
rm -rf /etc/selinux
yum reinstall selinux-policy selinux-policy-targeted
restorecon -R -v /etc/selinux



Re: [CentOS] abrt dump qt selinux

2014-05-20 Thread Daniel J Walsh
Was the system running out of memory?

semodule is very memory intensive.

On 05/20/2014 01:57 PM, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS
INC] wrote:
 Hi all,

 Note: selinux was in permissive prior to error

 Got this with a yum update:

 abrt_version:   2.0.8
 cgroup:
 cmdline:semodule -n -r oracle-port -b base.pp.bz2 -i
 accountsd.pp.bz2 ada.pp.bz2 cachefilesd.pp.bz2 cpufreqselector.pp.bz2
 chrome.pp.bz2 awstats.pp.bz2 abrt.pp.bz2 aiccu.pp.bz2 amanda.pp.bz2
 afs.pp.bz2 apache.pp.bz2 arpwatch.pp.bz2 audioentropy.pp.bz2
 asterisk.pp.bz2 automount.pp.bz2 avahi.pp.bz2 boinc.pp.bz2 bind.pp.bz2
 bugzilla.pp.bz2 dirsrv.pp.bz2 dirsrv-admin.pp.bz2 dnsmasq.pp.bz2
 bluetooth.pp.bz2 canna.pp.bz2 ccs.pp.bz2 calamaris.pp.bz2
 cdrecord.pp.bz2 certwatch.pp.bz2 certmaster.pp.bz2 certmonger.pp.bz2
 cipe.pp.bz2 chronyd.pp.bz2 cobbler.pp.bz2 comsat.pp.bz2
 consolekit.pp.bz2 cups.pp.bz2 cvs.pp.bz2 cyphesis.pp.bz2 cyrus.pp.bz2
 daemontools.pp.bz2 dbskk.pp.bz2 dcc.pp.bz2 devicekit.pp.bz2
 dhcp.pp.bz2 dictd.pp.bz2 dovecot.pp.bz2 gitosis.pp.bz2 gpg.pp.bz2
 gpsd.pp.bz2 git.pp.bz2 gpm.pp.bz2 ethereal.pp.bz2 fail2ban.pp.bz2
 fetchmail.pp.bz2 finger.pp.bz2 firewallgui.pp.bz2 fprintd.pp.bz2
 ftp.pp.bz2 games.pp.bz2 gnome.pp.bz2 gnomeclock.pp.bz2 hal.pp.bz2
 hddtemp.pp.bz2 passenger.pp.bz2 permissivedomains.pp.bz2
 policykit.pp.bz2 puppet.pp.bz2 ptchown.pp.bz2 psad.pp.bz2 howl.pp.bz2
 inn.pp.bz2 ipsec.pp.bz2 irc.pp.bz2 iscsi.pp.bz2 icecast.pp.bz2
 jabber.pp.bz2 java.pp.bz2 execmem.pp.bz2 kdump.pp.bz2 kdumpgui.pp.bz2
 ksmtuned.pp.bz2 kerberos.pp.bz2 ktalk.pp.bz2 ldap.pp.bz2
 likewise.pp.bz2 lockdev.pp.bz2 lpd.pp.bz2 lircd.pp.bz2 mailman.pp.bz2
 mono.pp.bz2 mozilla.pp.bz2 ntop.pp.bz2 nslcd.pp.bz2 nsplugin.pp.bz2
 modemmanager.pp.bz2 mpd.pp.bz2 mplayer.pp.bz2 gpg.pp.bz2 mrtg.pp.bz2
 mysql.pp.bz2 nagios.pp.bz2 ncftool.pp.bz2 nis.pp.bz2 ntp.pp.bz2
 nut.pp.bz2 nx.pp.bz2 oddjob.pp.bz2 openvpn.pp.bz2 pcscd.pp.bz2
 openct.pp.bz2 pegasus.pp.bz2 piranha.pp.bz2 postgresql.pp.bz2
 portmap.pp.bz2 postfix.pp.bz2 postgrey.pp.bz2 ppp.pp.bz2
 procmail.pp.bz2 privoxy.pp.bz2 publicfile.pp.bz2 pulseaudio.pp.bz2
 pyzor.pp.bz2 qmail.pp.bz2 qpidd.pp.bz2 radius.pp.bz2 radvd.pp.bz2
 razor.pp.bz2 rhcs.pp.bz2 clogd.pp.bz2 cmirrord.pp.bz2 rhgb.pp.bz2
 rdisc.pp.bz2 remotelogin.pp.bz2 ricci.pp.bz2 rlogin.pp.bz2
 roundup.pp.bz2 rshd.pp.bz2 rsync.pp.bz2 rtkit.pp.bz2 rwho.pp.bz2
 samba.pp.bz2 sandbox.pp.bz2 sanlock.pp.bz2 sambagui.pp.bz2 sasl.pp.bz2
 screen.pp.bz2 seunshare.pp.bz2 shutdown.pp.bz2 sectoolm.pp.bz2
 slocate.pp.bz2 smartmon.pp.bz2 smokeping.pp.bz2 smoltclient.pp.bz2
 snmp.pp.bz2 spamassassin.pp.bz2 squid.pp.bz2 sssd.pp.bz2
 stunnel.pp.bz2 sysstat.pp.bz2 tcpd.pp.bz2 tgtd.pp.bz2 usbmuxd.pp.bz2
 unconfined.pp.bz2 unlabelednet.pp.bz2 ulogd.pp.bz2 vhostmd.pp.bz2
 wdmd.pp.bz2 wine.pp.bz2 telepathy.pp.bz2 userhelper.pp.bz2 tor.pp.bz2
 tvtime.pp.bz2 uml.pp.bz2 usbmodules.pp.bz2 usernetctl.pp.bz2
 xen.pp.bz2 varnishd.pp.bz2 virt.pp.bz2 qemu.pp.bz2 telnet.pp.bz2
 tftp.pp.bz2 tuned.pp.bz2 uucp.pp.bz2 webalizer.pp.bz2 xfs.pp.bz2
 zebra.pp.bz2 vpn.pp.bz2 tmpreaper.pp.bz2 amtu.pp.bz2 zabbix.pp.bz2
 apcupsd.pp.bz2 aide.pp.bz2 w3c.pp.bz2 plymouthd.pp.bz2
 portreserve.pp.bz2 rpcbind.pp.b.bz2 prelude.pp.bz2 pads.pp.bz2
 kerneloops.pp.bz2 openoffice.pp.bz2 podsleuth.pp.bz2 guest.pp.bz2
 xguest.pp.bz2 cgroup.pp.bz2 courier.pp.bz2 denyhosts.pp.bz2
 livecd.pp.bz2 snort.pp.bz2 memcached.pp.bz2 netlabel.pp.bz2
 zosremote.pp.bz2 pingd.pp.bz2 milter.pp.bz2 mediawiki.pp.bz2
 namespace.pp.bz2 vdagent.pp.bz2 matahari.pp.bz2 rhev.pp.bz2
 rhsmcertd.pp.bz2 lldpad.pp.bz2 zarafa.pp.bz2 drbd.pp.bz2
 fcoemon.pp.bz2 ctdbd.pp.bz2 sblim.pp.bz2 uuidd.pp.bz2 cloudform.pp.bz2
 condor.pp.bz2 sge.pp.bz2 cfengine.pp.bz2 condor.pp.bz2 nova.pp.bz2
 keystone.pp.bz2 glance.pp.bz2 quantum.pp.bz2 sensord.pp.bz2
 bcfg2.pp.bz2 slpd.pp.bz2 pkcsslotd.pp.bz2 l2tpd.pp.bz2 svnserve.pp.bz2
 numad.pp.bz2 glusterd.pp.bz2 openshift.pp.bz2 openshift-origin.pp.bz2
 rhnsd.pp.bz2 antivirus.pp.bz2 openvswitch.pp.bz2 dspam.pp.bz2
 lldpad.pp.bz2 watchdog.pp.bz2 oracleasm.pp.bz2 smstools.pp.bz2
 openhpid.pp.bz2 -s targeted
 executable: /usr/sbin/semodule
 kernel: 2.6.32-431.11.2.el6.x86_64
 last_occurrence: 1400595287
 pid:977
 pwd:/usr/share/selinux/targeted
 time:   Tue 20 May 2014 02:14:47 PM UTC
 uid:0
 username:   root

 sosreport.tar.xz: Binary file, 6274616 bytes

 environ:
 :HOSTNAME=ourhostisaveryverynicehost
 :TERM=xterm
 :SHELL=/bin/bash
 :HISTSIZE=1000
 :QTDIR=/usr/lib64/qt-3.3
 :QTINC=/usr/lib64/qt-3.3/include
 :USER=root
 

Re: [CentOS] OpenDKIM and SELinux

2014-05-13 Thread Daniel J Walsh

On 05/13/2014 09:56 AM, James B. Byrne wrote:
 On Mon, May 12, 2014 14:05, Daniel J Walsh wrote:

 dac_read_search and dac_override are usually bad to add. They typically
 mean the permission flags on the file in question are too tight for a
 root process to read/use.

 Loosening up the group/other permissions would probably allow a root
 process to read the object without requiring these capabilities.
 I just wrote a quick blog on this.

 https://danwalsh.livejournal.com/69478.html


 So, to turn on full path reporting I do this:

 # echo -w /etc/shadow -p w >> /etc/audit/audit.rules
 # service auditd restart

 My question is: what is the effect that -w /etc/shadow -p w has on SELinux
 with respect to reporting the full path of file names in AVCs?  In other
 words, why does that work?

This rule above does not affect SELinux at all, specifically.  The rule
above tells the audit system to generate an audit message any time a
process writes to /etc/shadow.  It has the side effect of telling the
kernel to turn on full audit. Full audit gathers full paths before
making a syscall, so if SELinux blocks a syscall, the PATH record gets
generated.

The problem with turning this on by default is that it has a fairly large
performance hit, ~5%. 
We only want to turn on full auditing for people who require it. 

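An added example, not from the thread, of what the PATH record buys you: every record auditd writes for one event carries the same serial in msg=audit(<secs>.<ms>:<serial>), so the AVC records can be joined to the PATH record of that event and the denial reported with the file it concerns rather than just comm=. The two AVC records fed in are the ones quoted on this page (re-joined onto single lines, comm quoted as auditd writes it); the SYSCALL, CWD and PATH records are constructed to look like the rest of that event with full auditing on, and the file name is assumed from the dkimf_db_open() error. Serial 2318 is a constructed denial with no PATH record, the case without full auditing, so it prints "?".

```shell
#!/bin/sh
# Added example (not from the thread): join each AVC record to the PATH
# record auditd writes for the same event once full auditing is on.
# All records below are constructed sample input: the two 2317 AVC lines
# are the ones quoted on the page, the other records are made up to look
# like that event, and 2318 is a made-up denial without a PATH record.

sample_records() {
cat <<'EOF'
type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for  pid=15213 comm="opendkim" capability=2  scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for  pid=15213 comm="opendkim" capability=1  scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1399898848.286:2317): arch=c000003e syscall=2 success=no exit=-13 pid=15213 uid=0 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)
type=CWD msg=audit(1399898848.286:2317):  cwd="/etc/opendkim"
type=PATH msg=audit(1399898848.286:2317): item=0 name="/etc/opendkim/TrustedHosts" inode=262175 dev=fd:01 mode=0100600 ouid=497 ogid=497 rdev=00:00
type=AVC msg=audit(1399898900.101:2318): avc:  denied  { read } for  pid=15213 comm="opendkim" name="KeyTable" dev=dm-0 ino=262176 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# avc_paths: reads audit records on stdin and prints one line per AVC event:
#   <serial> <comm> <comma-separated denied permissions> <path or ?>
avc_paths() {
    awk '
    # serial(): the number after the colon in msg=audit(<secs>.<ms>:<serial>)
    function serial(line,    m) {
        if (!match(line, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/)) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/^.*:/, "", m)       # keep what follows the colon
        sub(/\)$/, "", m)        # drop the closing paren
        return m
    }
    $1 == "type=AVC" {
        s = serial($0); if (s == "") next
        if (!(s in seen)) { seen[s] = 1; order[++n] = s }
        if (match($0, /comm=[^ ]+/)) {
            c = substr($0, RSTART + 5, RLENGTH - 5); gsub(/"/, "", c); comm[s] = c
        }
        if (match($0, /[{][^}]*[}]/)) {          # the { perm ... } set
            p = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^ +/, "", p); sub(/ +$/, "", p); gsub(/ +/, ",", p)
            perms[s] = (perms[s] == "") ? p : perms[s] "," p
        }
    }
    $1 == "type=PATH" {
        s = serial($0)
        # first PATH item of the event wins; later items are parent dirs etc.
        if (s != "" && !(s in path) && match($0, /name="[^"]*"/))
            path[s] = substr($0, RSTART + 6, RLENGTH - 7)
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            print s, comm[s], perms[s], ((s in path) ? path[s] : "?")
        }
    }'
}

sample_records | avc_paths
```

Against a live system the same function works on ausearch -i style output is not needed; feed it /var/log/audit/audit.log (or ausearch -m AVC --raw, which keeps the raw records and their serials). The "?" rows are the ones where full auditing was off when the denial happened, which is the situation Dan's -w /etc/shadow rule changes.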


Re: [CentOS] OpenDKIM and SELinux

2014-05-12 Thread Daniel J Walsh

On 05/12/2014 09:17 AM, James B. Byrne wrote:
 Following the most recent kernel updates I restarted our outgoing SMTP MTA
 which was recently reconfigured to DKIM sign messages using OpenDKIM.  This
 morning I discovered that Postfix had stopped on that server.  Whether it is
 related to the Postfix issue or not is yet to be determined but, in the
 process of getting things restarted I ran across this error with Open DKIM:

 # service opendkim restart
 Stopping OpenDKIM Milter:  [FAILED]
 Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
 refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
[FAILED]

 I check the permissions and ownership on the file and everything seems normal.
  I then checked audit2why and got this:

 audit2allow: error: no such option: --
 [root@inet08 opendkim]# audit2why -l -a
 type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for
  pid=15213 comm=opendkim capability=2 
 scontext=unconfined_u:system_r:dkim_milter_t:s0
 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
   Was caused by:
   Missing type enforcement (TE) allow rule.

   You can use audit2allow to generate a loadable module to allow 
 this access.

 type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for 
 pid=15213 comm=opendkim capability=1 
 scontext=unconfined_u:system_r:dkim_milter_t:s0
 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
   Was caused by:
   Missing type enforcement (TE) allow rule.

   You can use audit2allow to generate a loadable module to allow 
 this access.



 We have been using dkim for a little while now and our dmarc records indicate
 that messages from our domains should be signed so this problem needed an
 immediate fix or workaround.  What I ended up with was this .te file that
 generates an SEModule which at least gets the service running.  What else it
 opens us up to I am not sure so I would appreciate some commentary on how I
 should proceed to obtain a permanent fix:



 module localOpenDKIMmod 1.0;

 require {
   type dkim_milter_t;
   class capability { dac_read_search dac_override };
 }

 #============= dkim_milter_t ==============
 allow dkim_milter_t self:capability { dac_read_search dac_override };



dac_read_search and dac_override are usually bad to add. They typically
mean the permission flags on the file in question are too tight for a
root process to read/use.

Loosening up the group/other permissions would probably allow a root
process to read the object without requiring these capabilities.

