Re: A question about allow_unconfined_mmap_low in f11 amd selinux
Daniel J Walsh dwalsh at redhat.com writes:

definitely still getting the error with any Wine application with mmap_low_allowed set to 0. selinux-policy-3.6.32-41.fc12.noarch

The name has changed between RHEL5 - allow_unconfined_mmap_low and F12 - mmap_low_allowed

The meaning has also changed. In RHEL5 unconfined domains are allowed to mmap_low if the boolean is set. vbetool and wine are allowed whether or not the boolean is set.

In F12 no domains are allowed to mmap_low unless the boolean is set. If it is set wine, vbetool and unconfined domains are allowed to mmap_zero.

One of you is running wine in RHEL5 which is allowed to mmap_zero without the boolean. We changed this in F12 so that wine will break without the boolean set.

Thank you for that clarification Dan. By the way I entered a private ticket at the Crossover site (hence not publicly visible), and have been told that their devs are currently already looking at this issue to try to see if the problem can be worked around in a new version of Crossover, which will presumably also be made available to newer versions of wine if a solution can be found.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: A question about allow_unconfined_mmap_low in f11 amd selinux
Daniel J Walsh dwalsh at redhat.com writes:

The name has changed between RHEL5 - allow_unconfined_mmap_low and F12 - mmap_low_allowed

The meaning has also changed. In RHEL5 unconfined domains are allowed to mmap_low if the boolean is set. vbetool and wine are allowed whether or not the boolean is set.

In F12 no domains are allowed to mmap_low unless the boolean is set. If it is set wine, vbetool and unconfined domains are allowed to mmap_zero.

One of you is running wine in RHEL5 which is allowed to mmap_zero without the boolean. We changed this in F12 so that wine will break without the boolean set.

There is an interesting thing I just found - in F11 without the bool set I can run MS Word 2003 in Crossover (i.e. effectively wine) and open a .doc file without any AVC popping up. However from a webmail interface opened in Firefox, and clicking on a .doc attachment, trying to open it via an association link to Word 2003 in Crossover immediately gives an AVC denial for wine-preloader and suggests allowing the bool! However the file does seem to open nevertheless!!
Re: A question about allow_unconfined_mmap_low in f11 amd selinux
Mike Cloaked mike.cloaked at gmail.com writes:

Daniel J Walsh dwalsh at redhat.com writes:

On 11/04/2009 10:23 AM, mike cloaked wrote:

By moving forward do you mean that one can, in f11, reset the original boolean and set boolean mmap_low_allowed instead, in a forthcoming policy update? Or is this a planned change coming for f12 but not yet policy in earlier versions? Thanks

We have setroubleshoot plugins that explain exactly to the users what they need to do to turn make their wine apps run.

Does the dereference fix in kernel-2.6.30.9-96.fc11 address the issue raised here or have I got this wrong?

I am somewhat confused by the following - I thought that if mmap_min_addr was 0 then you are not vulnerable. I also thought that installing wine, OR Crossover would set it to zero. I have Crossover installed and not wine, and just checked:

[m...@home1 ~]$ cat /proc/sys/vm/mmap_min_addr
65536

This is an f11 box. I also set the boolean by doing

# setsebool -P allow_unconfined_mmap_low 1

Now I have lost track whether this means I am vulnerable or not? I understand that installing wine would set mmap_min_addr to zero and make the machine vulnerable but can someone clarify so that I am no longer confused? Thanks.
Re: Re: A question about allow_unconfined_mmap_low in f11 amd selinux
Daniel J Walsh dwalsh at redhat.com writes:

You can run with SELinux in enforcement. mmap_low_allowed is the name of the boolean moving forward.

By moving forward do you mean that one can, in f11, reset the original boolean and set boolean mmap_low_allowed instead, in a forthcoming policy update? Or is this a planned change coming for f12 but not yet policy in earlier versions? Thanks

-- mike
A question about allow_unconfined_mmap_low in f11 amd selinux
For people running wine or Crossover and using MS Office 2003 and related codes it is necessary to do:

# setsebool -P allow_unconfined_mmap_low 1

To prevent AVC denials. However there is recent publicity at http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/ which highlights that there is still a vulnerability in the kernel if this is set.

For people running f11 with this boolean set how can one run wine and still remain secure? i.e. what should an admin do to protect the system?
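Added example, not part of the original thread: a shell check that reports the two settings the messages above discuss, the `mmap_min_addr` sysctl and the SELinux boolean under either of the names given in the thread. The function names and the `MMAP_MIN_ADDR_FILE` and `GETSEBOOL` override variables are assumptions introduced here so the check can be run against constructed input.

```sh
#!/bin/sh
# Added example (not from the thread). MMAP_MIN_ADDR_FILE and GETSEBOOL are
# hypothetical overrides; by default the real sysctl file and getsebool are used.
MMAP_MIN_ADDR_FILE="${MMAP_MIN_ADDR_FILE:-/proc/sys/vm/mmap_min_addr}"
GETSEBOOL="${GETSEBOOL:-getsebool}"

# Kernel floor: lowest address an unprivileged process may mmap.
# Prints the number, or "unknown" if the file is unreadable or not numeric.
kernel_floor() {
    [ -r "$MMAP_MIN_ADDR_FILE" ] || { echo unknown; return 0; }
    v=$(tr -d '[:space:]' < "$MMAP_MIN_ADDR_FILE")
    case $v in
        ''|*[!0-9]*) echo unknown ;;
        *) echo "$v" ;;
    esac
}

# SELinux boolean: try the F12 name first, then the RHEL5-era name.
# Prints "<name>=<on|off>", or "absent" if neither name is known here
# (or getsebool itself is missing).
low_mmap_boolean() {
    for name in mmap_low_allowed allow_unconfined_mmap_low; do
        # getsebool prints a line such as "mmap_low_allowed --> off"
        out=$("$GETSEBOOL" "$name" 2>/dev/null) || continue
        state=${out#*--> }
        echo "$name=${state%% *}"
        return 0
    done
    echo absent
}

# One summary line, plus a FINDING line for each setting that relaxes
# the low-address protection.
low_mmap_report() {
    floor=$(kernel_floor)
    bool=$(low_mmap_boolean)
    echo "mmap_min_addr=$floor selinux_boolean=$bool"
    [ "$floor" = 0 ] &&
        echo "FINDING: mmap_min_addr is 0, the kernel sets no minimum mapping address"
    case $bool in
        *=on) echo "FINDING: ${bool%=*} is on, policy permits low mappings for the domains it covers" ;;
    esac
    return 0
}

low_mmap_report
```

Which domains the boolean covers depends on the release, as described in the replies above.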
How can I get a response on a specific bz report concerning sane-backends?
Two weeks ago I reported https://bugzilla.redhat.com/show_bug.cgi?id=527137

Since this could well affect quite a few people with scanners of various flavours I thought that some response to the report might have been seen on the above link by now. Am I barking up the wrong tree or is my diagnosis that there is a packaging bug correct?

How does one know if the maintainer concerned has seen the report, and if there is no action following up on the bz, how does one ask for a second maintainer to have a look at it? Thanks.
Re: How can I get a response on a specific bz report concerning sane-backends?
Mike Cloaked mike.cloaked at gmail.com writes:

How does one know if the maintainer concerned has seen the report, and if there is no action following up on the bz, how does one ask for a second maintainer to have a look at it?

I was not aware the maintainer was away - this is now answered in the bz.
Re: Thunderbird 3.0rc1
Mike Cloaked mike.cloaked at gmail.com writes:

Will a build of Thunderbird 3.0rc1 be pushed to updates-testing for F11 when it is released? From MozillaWiki I note that the plan is: Start build: 3rd November (est 10th Nov) so this will likely be around 3 weeks away.

I just started using Thunderbird 3.0pre (via the upstream nightly tarball) and it is much better than the 3.0b4 version that is in f11...
Re: Thunderbird 3.0rc1
Julian Sikorski belegdol at gmail.com writes:

Will a build of Thunderbird 3.0rc1 be pushed to updates-testing for F11 when it is released?

What makes you think it won't? Julian

I did wonder what the process would be after all the kerfuffle with TB3.0b4. I presume that it will go out with GLODA and smart folders turned OFF?
Status of touchpad support in F12 for kdm?
In F11 every laptop I installed had support for the touchpad under Gnome, but in order to have touchpad tap action at the greeter stage in kdm I need to put in place a suitable hal/fdi file.

Is touchpad support in kdm going to be available by default in F12?
Re: Status of touchpad support in F12 for kdm?
drago01 drago01 at gmail.com writes:

No, tapping is disabled by default distrowide, there's nothing KDM can or should do about this. This is an intentional decision by the upstream

Well it can enable it via input properties (configuration interface for xorg input drivers).

Using the buttons is often a pain and slower than tapping - in Gnome you can switch on tap to click and also disable touchpad whilst typing which I find convenient.

Exactly which config interface are you referring to that enables this for xorg for kdm? Many systems do not have xorg.conf once installed, so presumably there is something else?
Re: Status of touchpad support in F12 for kdm?
Matěj Cepl mcepl at redhat.com writes:

I have no experience with KDE, but in Gnome I have it set in the Gnome configuration (not sure whether it works in gdm). Otherwise /etc/hal/fdi file is your safest bet. https://fedoraproject.org/wiki/Input_device_configuration has some more information about this. Matěj

Thanks - yes in Gnome F11 it is settable in System-Preferences-Mouse and then select the touchpad tab - I have not tried in gdm recently but I have set a file as /etc/hal/fdi/policy/10-synaptics.fdi which was made by adding the lines:

    <merge key="input.x11_options.TapButton1" type="string">1</merge>
    <merge key="input.x11_options.TapButton2" type="string">3</merge>
    <merge key="input.x11_options.TapButton3" type="string">2</merge>
    <merge key="input.x11_options.VertEdgeScroll" type="string">1</merge>

to the contents of /usr/share/hal/fdi/policy/20thirdparty/10-synaptics.fdi and then copying to the location /etc/hal/fdi/policy/10-synaptics.fdi

After rebooting then the touchpad works in kdm - maybe this will fix gdm too?

I suppose at least this does work even if upstream policy is not to make this available - however for a newbie just installing F11 and wanting this available it is not obvious from install notes or release notes as far as I remember?
Thunderbird 3.0rc1
Will a build of Thunderbird 3.0rc1 be pushed to updates-testing for F11 when it is released? From MozillaWiki I note that the plan is: Start build: 3rd November (est 10th Nov) so this will likely be around 3 weeks away. Thanks
Re: thunderbird upgrade - wtf?
Richard Hughes hughsient at gmail.com writes:

Anyway, by PackageKit we really mean kpackagekit and gnome-packagekit, as the PackageKit bits are already usable, e.g.

* Enable this testing repo
* Get the updates from this repo
* Install them
* Wait a week
* Ask user for feedback, and point them at the bodhi page.

Richard.

The basic philosophy here does sound workable and appealing to me as both a user and tester, and also fits with the cutting edge Fedora model, and seems to me might get a significant number of users more aware of how to test packages (presumably there would be some warning that 'this is a package still being tested and may not work as expected' or somesuch (like the 'eats babies' warning for rawhide))?
Re: thunderbird upgrade - wtf?
Rahul Sundaram sundaram at fedoraproject.org writes:

problems was known then reversing the release was not really an option.

Why not? The maintainer says it is an option and it is definitely feasible to release an update that disables these couple of features by default rather than make everybody go through the same problems. I don't understand your view point at all. Changelog or even testing notes is useful to guide testers into checking for problems but once the problems are evident, we should just address them directly. Only a tiny fraction of our users will read such notes and it is not reasonable to expect them to continue to suffer.

Yes if it is an option to release a new package update that will have smart folders and GLODA turned off then great - however I presume that the significant majority of F11 users will already have updated and therefore already have been hit by the change - so have either gone through the pain and reset their parameters by now or dumped TB in favour of another mail client. Therefore the gain of a new update will (to me) seem not to provide much in the way of help now that the damage (of the beta4) has already been done.

I guess that 3.0pre is not far away, and perhaps in this next update the smart folders and GLODA can be off by default. I must admit that I would also like to see the normal icons unchanged on the top taskbar in TB - I simply re-instated what I want, but I would have preferred that the update did not take them away in the first place.

Again I have made the changes necessary to get 3.0b4 working nicely (there are some residual bugs though - like occasionally the compose window gets its formatting slightly awry and won't send and restarting TB then fixes it).

Anyway hopefully this event will inform how the next update gets planned so that it does not upset as many people next time?
Re: thunderbird upgrade - wtf?
Jeff Garzik jgarzik at pobox.com writes:

I hope a thunderbird update is being prepared, to make 2 config tweaks for F11? And a warning / release note for F12 users, noting that a __lot__ of additional disk space is required in ~/.thunderbird. Jeff

Hopefully the default will be GLODA=off and smart folders=off and then the additional humungous file space requirements will not be needed and the user presentation a lot more familiar as well as functional?

I must admit I cannot imagine why the thunderbird developers wanted the global indexing thing in the first place - I, like many others, keep mail accounts separate for a good reason - and I don't want a global search - it is insane - and I also don't want to munge my inboxes together - I keep work and private mail as well as other accounts separate so that there is no mixing and merging.

Hopefully f12 TB will arrive and function smoothly (hands clasped together, eyes looking upward, channelling all the power of prayer..and hoping the developers are listening!)
Re: thunderbird upgrade - wtf?
Rahul Sundaram sundaram at fedoraproject.org writes:

Anyway, this debate is essentially over at this point since an update with the defaults changed is being pushed out. http://mether.wordpress.com/2009/10/14/thunderbird-problem-gets-fixed/ Rahul

OK - I hope this runs smoothly and hopefully we all learned from this event (just like the d-bus event!)
Re: thunderbird upgrade - wtf?
Mike McGrath mmcgrath at redhat.com writes:

And that's a people problem more than a process problem. If nobody tests it in updates-testing, then how is the maintainer to know that it is problematic? Certainly not solvable with even more repos for testing content...

You let me know how three people in Fedora can miss a very subtle Firefox memory leak. How many people would need to use updates testing before the thunderbird indexing problem is caught? How long would it need to stay there? In this case updates-testing theory just does not match reality. The status quo is broken, doing nothing will keep it that way. -Mike

Actually I don't think the blame is directly layable at the feet of either the Fedora maintainer (who pushed an update with reasonable reports in bodhi according to normal practice), nor the Fedora process which should have worked if no poor upstream changes were made - but in fact this shows up the vulnerability of Fedora to packages which have bad decisions made upstream.

In this case the upstream developers made a really bad decision to foist the GLODA change and the smart folder change on users who installed this beta, instead of taking the safer, and in my view better, decision to bring in these new features, but to leave them switched off by default, but to advertise the availability of these new features big time, and then let this simmer for a while and wait for any bad user feedback. Only if the new features were then shown to be acceptable should they be enabled in a future update by default.

In this case, going that route would have shown that the new features were certainly not acceptable to all users, and in particular users with large amounts of stored mail with multiple accounts.
Re: thunderbird upgrade - wtf?
Christopher Aillon caillon at redhat.com writes:

The UI change was obvious, but as it was upstream's decision, and we follow upstream, didn't think much of it. In retrospect, we should have considered undoing that change. We are looking into that now. Not everyone had issues with the indexing so that seemed to slip past testing. It was a change, but didn't seem to disrupt things, so we let it slide. We are looking at reverting both in F11.

Please don't revert the package - now that I have configured TB to work well by switching off gloda and also switching off smart folders it actually does work well! Maybe it could be an optional package revert?
Re: thunderbird upgrade - wtf?
Rahul Sundaram sundaram at fedoraproject.org writes:

The general attitude in this thread (not you) and elsewhere that it was ok to cause problems was worrying me. Thanks for looking into this problem. Rahul

I am not sure that there is evidence for that! I think that some people were justifiably concerned that a package was released that had a major change to settings and user experience, and caused some serious difficulties including problems that gave large CPU and disk loads for considerable and unjustifiable periods - (me included) until the workarounds were known, but that once this package was released and the knowledge and guidance on how to resolve the main problems was known then reversing the release was not really an option.

However 3.0pre is around the corner (well you can download and run it independently if you want to), and there will hopefully be later versions that avoid the main problems that have arisen. By the way beta 4 did fix some bugs related to TLS connections that I had, and that were certainly present in beta 2 - so there were some advantages in moving to the more recent beta.

It would also be a real help to users if the feedback from testing both prior to pushing to updates-testing as well as in the updates-testing phase could lead to some user notes attached to the final release that would guide users who bump into these kinds of problems when doing what would be a normal yum update, and expect things in a stable release to just work? (Question mark intended)

I know that we can do rpm -q --changelog foo or those of us who know what we are doing can check the comments in bodhi but many users don't even know about these.
Thunderbird 3.0pre?
Is there any chance there will be a build of Thunderbird 3.0PRE in Koji soon? It would be nice to see a build for F11 and F12 as I believe there are significant fixes compared to 3.0beta 4 in the 3.0pre build.

-- mike
Re: Re: Thunderbird 3.0pre?
Drag01 wrote:

like?

Well someone I know has had dreadful problems with the x64 version of b4 build for F11 from updates-testing - with huge memory usage and never completed the re-indexing process - in the end it hung the machine completely. He took 3.0pre from the mozilla download site and it ran fine. I am told that the x64 code is not clean, and wondered if for x64 users with large numbers of accounts and large amounts of mail stored that maybe the 3.0pre code may actually work where it did not work for 3.0b4 in the x64 case?

I have just moved from b2 to b4 as b2 gave me significant problems with starttls connections to a dovecot imap server but my case was i386.

-- mike
Re: Graphics Test Week (ATI, NVIDIA and Intel graphics Test Days)
Tomorrow - 2009-09-09 - is ATI/AMD Radeon graphics card Test Day (1).

I have been trying to follow the procedure to get the liveusb key to boot - but changing the kernel line to either of root=live:LABEL=F12-Snap1-i686-Live to: root=live:LABEL=F12-i686 or to LABEL=LIVE won't work for me!

I have seen both the bz reports at https://bugzilla.redhat.com/show_bug.cgi?id=520207 and https://bugzilla.redhat.com/show_bug.cgi?id=521471

The boot gets to the stage where the white/blue line goes across the page but the screen then shows "No root device found. Boot has failed, sleeping forever" - the advertised method for fixing this fails for me - is there any other suggested work-around? Thanks

-- mike
Re: Re: Graphics Test Week (ATI, NVIDIA and Intel graphics Test Days)
Bob Arendt wrote:

Try using /sbin/dosfslabel or /sbin/e2label to read the actual label. Then use that for the label on the boot line.

Bingo! That works - excellent - I think I will add this to the reference page - others will doubtless be bitten by this also. Now I hope I can test later this evening

-- mike
Re: Re: Snapshot Label bug (was Graphics Test Week)
Bob Arendt wrote:

Glad it helped. I tried out the Snapshot 1 liveusb, and was puzzled when it didn't work; My original post to those bugs was based on /sbin/dosfslabel (it was a vfat stick). I'm curious - what *was* the label reported? How did you create your live boot? I'd used the livecd-iso-to-disk tool, latest F11 version to put the live iso's on to a USB stick .. and ended up with labels F12-i686 and F12-x86_64.

I had labelled the stick myself when I first got it - as fedora-test and this was what was needed. Of course plugging the stick in to a running system gives a desktop icon with the correct label that I perhaps could have spotted earlier!

The live usbkey was created with the livecd-iso-to-disk command as per the Fedora wiki, from within a running F11 system (up to date). I had previously labelled the stick using e2label (if I remember correctly!)

-- mike
Re: Re: Snapshot Label bug (was Graphics Test Week)
On Wed, Sep 9, 2009 at 8:55 PM, mike cloaked mike.cloa...@gmail.com wrote:

The live usbkey was created with the livecd-iso-to-disk command as per the Fedora wiki, from within a running F11 system (up to date). I had previously labelled the stick using e2label (if I remember correctly!)

Thinking about it that can't be right - e2label only does ext2/3 so it may have been that I used qtparted to reformat it to vfat and gave it a label at the same time - it was a while back!

-- mike
Re: bind-chroot in F11
Mike Cloaked wrote:

In F11 the contents contain /var/named/chroot and within this directory are /dev containing file null, random and zero and /etc containing file localtime and nothing else.

This is surely a packing error since the bind-chroot package should install the proper chrooted directory structure and install the correct basic files in them including a basic named.conf under /var/named/chroot/etc/

There appears not even to be a root cert file in the chroot.

-- mike
bind-chroot in F11
I checked the contents of the bind-chroot package in both F10 and f11 - as I was puzzled about running bind-chroot since things seemed rather different to previous behaviour.

In F11 the contents contain /var/named/chroot and within this directory are
/dev containing file null, random and zero
and /etc containing file localtime and nothing else.

In F10 the contents contain /usr/sbin/bind-chroot-admin and /var/named/chroot and within this directory are
/dev containing file null, random and zero
/etc/ containing files named.conf, named.rfc1912.zones and rndc.key
/var/ containing log/named.log and also containing named/ containing named.ca, named.empty, named.localhost and named.loopback

So this is a big difference in the bind-chroot package in F11 - with lots not there compared to F10

Can anyone enlighten me on why there is such a huge difference? Has there been some fundamental policy change since F10? Thanks

-- mike