Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-30 Thread Lamar Owen
On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote: That one's easy, don't ever install the plugin, or anything else from Adobe. Second step, set NoScript to block everything and everyone. If any site has content that requires either of those, I will never see it. That's their

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-30 Thread m . roth
Lamar Owen wrote: On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote: That one's easy, don't ever install the plugin, or anything else from Adobe. Second step, set NoScript to block everything and everyone. If any site has content that requires either of those, I will never see it.

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-30 Thread John R Pierce
On 11/30/10 12:31 PM, m.r...@5-cent.us wrote: And I notice that you don't address the other point, all the in-house apps, and if you think management will say sure, spend whatever it takes to rewrite that so it conforms to selinux..., you're living in somewhere I don't. And just about

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-30 Thread Lamar Owen
On Tuesday, November 30, 2010 06:04:56 pm John R Pierce wrote: for instance, all our java-ware can run just fine in /home/$APPUSER/$APPNAME and run as a regular user. if we want to put it in /opt/$COMPANY/$APP then we might have to play with selinux defaults some, since /opt isn't part

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-30 Thread Nico Kadel-Garcia
On Tue, Nov 30, 2010 at 4:19 PM, m.r...@5-cent.us wrote: Lamar Owen wrote: On Tuesday, November 30, 2010 03:49:57 pm Stephen Harris wrote: Reality check: how many of those installs are RedHat OOB installs with default options? No idea.  How many aren't default OOB? For that matter, how

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-30 Thread Nico Kadel-Garcia
On Tue, Nov 30, 2010 at 5:23 PM, Lamar Owen lo...@pari.edu wrote: On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote: That one's easy, don't ever install the plugin, or anything else from Adobe. Second step, set NoScript to block everything and everyone. If any site has content that

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Steve Clark
On 11/27/2010 09:21 PM, John R. Dennison wrote: On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote: The working system in that analogy is software, not necessarily nor even likely to be the kernel itself. But yes, it can trash a production critical web or software application

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Monday, November 29, 2010 08:11 PM, Steve Clark wrote: I don't know how it is now - but I tried running in permissive mode a few years ago. It would complain about some file, I would fix the file and the next thing I knew it was complaining about the same file again, and the file was part

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Monday, November 29, 2010 08:50 PM, Marko Vojinovic wrote: Well, the kernel I used at the time had a known exploit (exploitable by some services I was running), and the intruder got advantage of that. Of course, it was partly my fault, because I didn't restart those machines for a long

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Adam Tauno Williams
On Sun, 2010-11-28 at 23:42 +, Marko Vojinovic wrote: On Sunday 28 November 2010 22:40:41 brett mm wrote: This is where, as a sysadmin, you need to invest just a little time and effort learning the system. Honestly, the vast majority of issues are trivial to solve if you just spend

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread m . roth
Adam Tauno Williams wrote: On Sun, 2010-11-28 at 23:42 +, Marko Vojinovic wrote: On Sunday 28 November 2010 22:40:41 brett mm wrote: This is where, as a sysadmin, you need to invest just a little time and effort learning the system. Honestly, the vast majority of issues snip In

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 7:35 AM, Adam Tauno Williams wrote: Even if it is *possible*, the traditional UNIX permissions are a serious *PAIN*. If you want two users to have rw- to a file you... create a group of two users??? Yes, there is nothing simpler than a group to represent a group of users.

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread John Hodrien
On Mon, 29 Nov 2010, Les Mikesell wrote: On 11/29/2010 7:35 AM, Adam Tauno Williams wrote: Even if it is *possible*, the traditional UNIX permissions are a serious *PAIN*. If you want two users to have rw- to a file you... create a group of two users??? Yes, there is nothing simpler than

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread aurfalien
On Nov 29, 2010, at 7:47 AM, Les Mikesell wrote: On 11/29/2010 7:35 AM, Adam Tauno Williams wrote: Even if it is *possible*, the traditional UNIX permissions are a serious *PAIN*. If you want two users to have rw- to a file you... create a group of two users??? Yes, there is nothing

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Sunday, November 28, 2010 10:39:22 am Bob McConnell wrote: Maybe not, but the risks should be evaluated on a case by case basis. I don't believe it can be considered a panacea either. Even with SE in full protected mode, a simple SQL injection flaw can still expose much of the sensitive

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote: But that means you were running software with vulnerabilities or a user would not be able to become root anyway. Is that due to not being up to date (i.e. would normal, non-SELinux measures have been enough), or was this before a

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:17 AM, Lamar Owen wrote: On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote: But that means you were running software with vulnerabilities or a user would not be able to become root anyway. Is that due to not being up to date (i.e. would normal, non-SELinux measures

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Sunday, November 28, 2010 05:40:41 pm brett mm wrote: In reality, I am not at all sure that a quantum leap in complexity adds to security at all. Any proper use of old-school group permissions can give as finely-grained a security policy as you would like. No, it won't. Suppose I'm

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread m . roth
Les Mikesell wrote: On 11/29/2010 10:17 AM, Lamar Owen wrote: On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote: snip How much 3rd party software do you run where someone else has not already spent the time to work out the policies needed to let it work? And how much in-house

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote: Agreed, but not everyone has time to do both - or to learn lots of distribution-specific details in mixed environments. My opinion is that doing the simple stuff first is a win. And that works the same on systems that don't

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:52 AM, Lamar Owen wrote: On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote: Agreed, but not everyone has time to do both - or to learn lots of distribution-specific details in mixed environments. My opinion is that doing the simple stuff first is a win. And that

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:46 AM, m.r...@5-cent.us wrote: How much 3rd party software do you run where someone else has not already spent the time to work out the policies needed to let it work? And how much in-house developed software do you run? Or, about those 3rd party software, do you run my own

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:40 AM, Lamar Owen wrote: On Sunday, November 28, 2010 05:40:41 pm brett mm wrote: In reality, I am not at all sure that a quantum leap in complexity adds to security at all. Any proper use of old-school group permissions can give as finely-grained a security policy as you

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread m . roth
Lamar Owen wrote: On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote: Agreed, but not everyone has time to do both - or to learn lots of distribution-specific details in mixed environments. My opinion is that doing the simple stuff first is a win. And that works the same on systems

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Tuesday, November 30, 2010 01:38 AM, Les Mikesell wrote: All of the third-party software I run seems to run just fine, as long as the right contexts are applied. Well, obviously it will work after someone takes the time to make it work. Now it is your turn to quantify: How much would

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Monday, November 29, 2010 11:58 PM, aurfal...@gmail.com wrote: You end up with a zillion groups - which is pointless and unmaintainable. Thank goodness for ACL support and setfacl/getfacl. So what do you do when you have user-specific ACLs splattered randomly through the filesystem and

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Jeff Allison
On 30 November 2010 09:03, Christopher Chan christopher.c...@bradbury.edu.hk wrote: On Monday, November 29, 2010 11:58 PM, aurfal...@gmail.com wrote: You end up with a zillion groups - which is pointless and unmaintainable.  Thank goodness for ACL support and setfacl/getfacl. So what do you

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Tuesday, November 30, 2010 02:35 AM, Les Mikesell wrote: On 11/29/2010 10:40 AM, Lamar Owen wrote: On Sunday, November 28, 2010 05:40:41 pm brett mm wrote: In reality, I am not at all sure that a quantum leap in complexity adds to security at all. Any proper use of old-school group

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 4:09 PM, Christopher Chan wrote: In reality, I am not at all sure that a quantum leap in complexity adds to security at all. Any proper use of old-school group permissions can give as finely-grained a security policy as you would like. No, it won't. Suppose I'm running

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
- Original Message - From: Max Hetrick maxhetr...@verizon.net To: CentOS mailing list centos@centos.org Sent: Tuesday, November 30, 2010 6:51 AM Subject: Re: [CentOS] SELinux - way of the future or good idea but !!! On 11/29/2010 05:09 PM, Christopher Chan wrote: Hurrah! That's

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
- Original Message - From: Les Mikesell lesmikes...@gmail.com To: centos@centos.org Sent: Tuesday, November 30, 2010 6:19 AM Subject: Re: [CentOS] SELinux - way of the future or good idea but !!! On 11/29/2010 4:09 PM, Christopher Chan wrote: If you don't trust your software, run

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/10 8:10 PM, Christopher Chan wrote: Yes, if you are concerned about security of certain files it is indeed a good idea to run software you don't trust elsewhere. And if the problem is not trusting software, why are you putting blind faith in the SELinux code? Oh certainly. That is

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread cpolish
Lamar Owen wrote: With SELinux I can set files and whole hierarchies to not allow Acrobat Reader access of various types, while still allowing access to those areas it needs. Voila! Acrobat Reader vulnerabilities and the PDFs that exploit them no longer have any power to exploit my system.

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread cpolish
Christopher Chan wrote: Les Mikesell wrote: All of the third-party software I run seems to run just fine, as long as the right contexts are applied. Well, obviously it will work after someone takes the time to make it work. Now it is your turn to quantify: How much would you charge

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
- Original Message - From: cpol...@surewest.net Christopher Chan wrote: Les Mikesell wrote: All of the third-party software I run seems to run just fine, as long as the right contexts are applied. Well, obviously it will work after someone takes the time to make it work.

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Nico Kadel-Garcia
On Mon, Nov 29, 2010 at 8:35 AM, Adam Tauno Williams awill...@whitemice.org wrote: Even if it is *possible*, the traditional UNIX permissions are a serious *PAIN*.  If you want two users to have rw- to a file you...  create a group of two users???  You end up with a zillion groups - which is

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Eero Volotinen
You forgot to take on becoming the SELinux integration manager for that project with every single update. I've done that several times now In commercial service production, wasted time also costs money. I think it is easier/cheaper to use hardware firewalls and idp systems to protect servers

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Christopher Chan
On Sunday, November 28, 2010 07:22 PM, Eero Volotinen wrote: You forgot to take on becoming the SELinux integration manager for that project with every single update. I've done that several times now In commercial service production, wasted time also costs money. I think it is easier/cheaper

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Bob McConnell
Marko Vojinovic wrote: On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote: On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison j...@gerdesas.com wrote: You run it in Permissive mode, you deal with the exceptions as they arise while the software is running in its normal

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread William Warren
On 11/28/2010 8:15 AM, Bob McConnell wrote: Marko Vojinovic wrote: On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote: On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennisonj...@gerdesas.com wrote: You run it in Permissive mode, you deal with the exceptions as they arise

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Scott Robbins
On Sun, Nov 28, 2010 at 09:14:43PM +0800, Christopher Chan wrote: I think it is easier/cheaper to use hardware firewalls and idp systems to protect servers than fight with selinux on each server. SELinux tuning might work on companies with unlimited resources like NSA .. or if you run

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Bob McConnell
Marko Vojinovic wrote: On Sunday 28 November 2010 13:15:24 Bob McConnell wrote: Marko Vojinovic wrote: On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote: You forgot to take on becoming the SELinux integration manager for that project with every single update. Every single update?

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Benjamin Franz
On 11/27/2010 02:52 PM, Marko Vojinovic wrote: On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote: On 11/26/2010 05:17 PM, Patrick Lists wrote: What's with people recommending to turn off SELinux?! That's just bad advice and like recommending people keep their doors unlocked at all

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Jorge Fábregas
On Sunday 28 November 2010 13:31:28 Benjamin Franz wrote: Worse - it doesn't always log what it is doing in a way that you can figure out. Occasionally not at all. SELinux does have some rate-limiting capabilities built-in to avoid a flood of identical messages...so the triggering-event to

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread cpolish
1,000 pardons for aggressively trimming this post, sorry if I have harmed the flow by being selective. Bob McConnell wrote: Marko Vojinovic wrote: Bob McConnell wrote: Marko Vojinovic wrote: Nico Kadel-Garcia wrote: Hypothetical: one admins a vended suite of applications that comprise an

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Les Mikesell
On 11/28/10 1:06 PM, Jorge Fábregas wrote: There has been a lot of progress with SELinux lately. I think you should reconsider your position and perhaps give it a try on the upcoming CentOS 6 where the targeted policy is much matured. SELinux has been around many years now. Are there any

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread brett mm
This is where, as a sysadmin, you need to invest just a little time and effort learning the system. Honestly, the vast majority of issues are trivial to solve if you just spend a few hours reading the docs/guides, and even if you really can't be bothered there are kind folks on this list

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Christopher Chan
On Sunday, November 28, 2010 10:50 PM, Scott Robbins wrote: On Sun, Nov 28, 2010 at 09:14:43PM +0800, Christopher Chan wrote: I think it is easier/cheaper to use hardware firewalls and idp systems to protect servers than fight with selinux on each server. SELinux tuning might work on

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Nico Kadel-Garcia
On Sun, Nov 28, 2010 at 10:39 AM, Bob McConnell rmcco...@lightlink.com wrote: Marko Vojinovic wrote: On Sunday 28 November 2010 13:15:24 Bob McConnell wrote: Marko Vojinovic wrote: On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote: You forgot to take on becoming the SELinux integration

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread William Warren
On 11/28/2010 7:55 PM, Nico Kadel-Garcia wrote: On Sun, Nov 28, 2010 at 10:39 AM, Bob McConnellrmcco...@lightlink.com wrote: Marko Vojinovic wrote: On Sunday 28 November 2010 13:15:24 Bob McConnell wrote: Marko Vojinovic wrote: On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote:

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-28 Thread Les Mikesell
On 11/28/10 5:29 PM, Marko Vojinovic wrote: I wouldn't know the typical ratio itself as a number, but I can tell you it is surely less than one. I had three identical systems compromised at the same time (one of the users had a weak password, and he used the same password on all three

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-27 Thread Nicolas Ross
Thanks for all the input. Particularly John and Patrick's URLs for reading material. Starting with the stuff here http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml Which is really good. Very interesting collection. The document for rhel5 is very well

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-27 Thread Ned Slider
On 27/11/10 18:57, Benjamin Franz wrote: On 11/26/2010 05:17 PM, Patrick Lists wrote: What's with people recommending to turn off SELinux?! That's just bad advice and like recommending people keep their doors unlocked at all times. Really, stop doing that. SELinux is there for a reason.

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-27 Thread Nico Kadel-Garcia
On Sat, Nov 27, 2010 at 5:52 PM, Marko Vojinovic vvma...@gmail.com wrote: On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote: On 11/26/2010 05:17 PM, Patrick Lists wrote: What's with people recommending to turn off SELinux?! That's just bad advice and like recommending people keep

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-27 Thread John R. Dennison
On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote: The working system in that analogy is software, not necessarily nor even likely to be the kernel itself. But yes, it can trash a production critical web or software application that didn't follow the sensible, but often

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-27 Thread Nico Kadel-Garcia
On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison j...@gerdesas.com wrote: On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote: The working system in that analogy is software, not necessarily nor even likely to be the kernel itself. But yes, it can trash a production critical

[CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread Alison
Hi, total newbie on CentOS. Just firing up an install of 5.5 on a development webserver. Installed Webmin, Awstats, PHPMyAdmin and Drupal successfully. Yet to work on Sendmail and Samba. SELinux in enforcing mode, reporting SELinux preventing ifconfig (ifconfig_t) read write to

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread Eero Volotinen
2010/11/27 Alison peng...@alisoncc.com: Hi, total newbie on CentOS. Just firing up an install of 5.5 on a development webserver. Installed Webmin, Awstats, PHPMyAdmin and Drupal successfully. Yet to work on Sendmail and Samba. SELinux in enforcing mode, reporting SELinux preventing

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread John R. Dennison
On Sat, Nov 27, 2010 at 10:58:00AM +1100, Alison wrote: Hi, total newbie on CentOS. Just firing up an install of 5.5 on a development webserver. Installed Webmin, Awstats, PHPMyAdmin and Drupal successfully. Yet to work on Sendmail and Samba. SELinux in enforcing mode, reporting SELinux

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread John R. Dennison
On Sat, Nov 27, 2010 at 02:53:30AM +0200, Eero Volotinen wrote: Just turn selinux off. setenforce 0 works without rebooting server, but /etc/sysconfig/selinux is correct place to finalize setting.. Oh please. This is perhaps the most idiotic advice I've seen on this list in

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread Patrick Lists
On 11/27/2010 01:53 AM, Eero Volotinen wrote: 2010/11/27 Alisonpeng...@alisoncc.com: Hi, total newbie on CentOS. Just firing up an install of 5.5 on a development webserver. Installed Webmin, Awstats, PHPMyAdmin and Drupal successfully. Yet to work on Sendmail and Samba. SELinux in

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread Eero Volotinen
Just turn selinux off. setenforce 0 works without rebooting server, but /etc/sysconfig/selinux is correct place to finalize setting.. What's with people recommending to turn off SELinux?! That's just bad advice and like recommending people keep their doors unlocked at all times. Really, stop

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread John R. Dennison
On Sat, Nov 27, 2010 at 03:29:49AM +0200, Eero Volotinen wrote: Usually it causes more problems. If you have unlimited resources to tune it up, then it possibly helps on the way. Only if you don't bother to take the time to read any of the resources I previously provided or

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread Les Mikesell
On 11/26/10 8:01 PM, John R. Dennison wrote: If the best avenue was to disable it do you honestly think that upstream would enable it by default? They are, after all, selling service. What distro enables it that doesn't have a service for pay model (besides Centos,

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread Alison
Thanks for all the input. Particularly John and Patrick's URLs for reading material. Starting with the stuff here http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml Which is really good. I can get 1.5Mb/s upload using Annex M, but have previously purchased

Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-26 Thread Ned Slider
On 27/11/10 06:33, Alison wrote: Thanks for all the input. Particularly John and Patrick's URLs for reading material. Starting with the stuff here http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml Which is really good. There is also a guide to SELinux

Re: [CentOS] selinux with samba

2010-10-29 Thread David McGuffey
I just set up samba to support some Win7 VMs on top of CentOS 5.5. Recommend you read the first page or so of the smb.conf file in /etc/samba. It gives guidance on what to do to ensure SELinux doesn't get in the way. I try to place my shares in something like /var/local/share and avoid any

[CentOS] SELinux policy for dkim-milter

2010-10-12 Thread Ben McGinnes
Hello, Does anyone have a sample SELinux policy for dkim-milter? I'm using the configuration from this page: http://www.howtoforge.com/set-up-dkim-for-multiple-domains-on-postfix-with-dkim-milter-2.8.x-centos-5.3 Along with the latest RPM from the link on that page. Regards, Ben

Re: [CentOS] SELinux policy for dkim-milter

2010-10-12 Thread Ben McGinnes
On 13/10/10 1:44 AM, Ben McGinnes wrote: Hello, Does anyone have a sample SELinux policy for dkim-milter? I'm using the configuration from this page: http://www.howtoforge.com/set-up-dkim-for-multiple-domains-on-postfix-with-dkim-milter-2.8.x-centos-5.3 Along with the latest RPM

[CentOS] selinux with samba

2010-09-17 Thread Geert Batsleer
I'm having problems setting up a samba server with selinux in centos 5.6 (x64). My samba config works flawlessly when selinux is disabled but fails to access shares when selinux is enabled. Which command makes it possible to run samba with selinux without disabling it, now I've done: setsebool

Re: [CentOS] selinux with samba

2010-09-17 Thread Phil Schaffner
Geert Batsleer wrote on 09/17/2010 09:14 AM: I'm having problems setting up a samba server with selinux in centos 5.6 (x64). My samba config works flawlessly when selinux is disabled but fails to access shares when selinux is enabled. Which command makes it possible to run samba with

[CentOS] selinux

2010-04-22 Thread m . roth
This is more a CentOS issue, I think (hope) than selinux. I've got some systems in permissive mode - good thing, or they'd be dead. they keep spewing execmem errors with java, among other things. This *seems* like something that should be covered. I looked at the policy (selinux-policy-targeted,

Re: [CentOS] selinux

2010-04-22 Thread Alan McKay
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy? I dunno about CentOS but on Fedora I just look at the message in the log file (/var/log/messages IIRC) and it gives me a command to execute to view more details. When I do

Re: [CentOS] selinux

2010-04-22 Thread m . roth
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy? I dunno about CentOS but on Fedora I just look at the message in the log file (/var/log/messages IIRC) and it gives me a command to execute to view more details. When I

Re: [CentOS] selinux

2010-04-22 Thread Ned Slider
m.r...@5-cent.us wrote: Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy? I dunno about CentOS but on Fedora I just look at the message in the log file (/var/log/messages IIRC) and it gives me a command to execute to view

Re: [CentOS] selinux

2010-04-22 Thread m . roth
m.r...@5-cent.us wrote: Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy? I dunno about CentOS but on Fedora I just look at the message in the log file (/var/log/messages IIRC) and it gives me a command to execute to view

[CentOS] SELinux restorecon does not work

2010-04-06 Thread James Corteciano
Hi All, I have this following issue in SELinux. I did what instruction said but the security context has still never changed. Do I need to create local SELinux module? I hope anyone could help me out of this. Thank you. --- # sealert -b

Re: [CentOS] SELinux restorecon does not work

2010-04-06 Thread Jorge Fábregas
On Tuesday 06 April 2010 03:24:49 James Corteciano wrote: Instead, you can generate a local policy module to allow this access Hello James, This doesn't seem like an incorrect labeling issue. Files under /etc, most of them, will have the etc_t as type. Apparently the current policy doesn't

[CentOS] selinux on xen virtual machines

2010-03-31 Thread lhecking
I rebuilt my xen host with the 64-bit OS and am in the process of recreating the guests, both 32 and 64 bit. I use a kickstart installation with virt-install, and so far none of the installation attempts has completed. Anaconda indicates installation should take about 2-3 minutes, but when

Re: [CentOS] selinux on xen virtual machines

2010-03-31 Thread lhecking
lheck...@users.sourceforge.net writes: I rebuilt my xen host with the 64-bit OS and am in the process of recreating the guests, both 32 and 64 bit. I use a kickstart installation with virt-install, and so far none of the installation attempts has completed. Anaconda indicates

[CentOS] selinux violation does not get logged

2010-01-08 Thread Nataraj
After upgrading to centos 5.4 I am getting a selinux violation, yet nothing is logged to /var/log/audit/audit.log. Other violations do get logged. The violation occurs when running the following command on the mail server: aspen /usr/bin/Mail centos@centos.org Subject: test hi Cc: aspen

Re: [CentOS] selinux violation does not get logged

2010-01-08 Thread James Rankin
I got the same thing, which I think is from the selinux updates last night. My machine was on 5.4 since 5.4 was released. I will let you know if/when I figure out the solution. http://lists.centos.org/pipermail/centos/2010-January/088465.html

Re: [CentOS] selinux violation does not get logged

2010-01-08 Thread James Rankin
Here is the fix. Just found this: https://bugzilla.redhat.com/show_bug.cgi?id=553492 and also https://bugzilla.redhat.com/show_bug.cgi?id=553277

Re: [CentOS] selinux violation does not get logged

2010-01-08 Thread S.Tindall
On Fri, 2010-01-08 at 17:34 -0700, Nataraj wrote: After upgrading to centos 5.4 I am getting a selinux violation, yet nothing is logged to /var/log/audit/audit.log. Other violations do get logged. The violation occurs when running the following command on the mail server: aspen

Re: [CentOS] selinux violation does not get logged

2010-01-08 Thread Nataraj
James Rankin wrote: Here is the fix. Just found this: https://bugzilla.redhat.com/show_bug.cgi?id=553492 and also https://bugzilla.redhat.com/show_bug.cgi?id=553277 Thank you James. I added the mypostfix.te module and it solved the problem. It would still seem that the fact that

[CentOS] Is there a CentOS selinux mailing list?

2009-11-23 Thread m . roth
The subject says it all. I've still got that irritating problem of selinux complaining with smagent writing to its own logfile, and as I mentioned here, weeks ago, I've done everything that sealert says, a number of times, and it didn't fix it, and I've determined that it's clearly an error

Re: [CentOS] Is there a CentOS selinux mailing list?

2009-11-23 Thread Craig White
/' doesn't actually work. to specifically answer your question, no, I don't know of a specific CentOS-SELinux list but the general SELinux list is certainly all you need... https://www.redhat.com/mailman/listinfo/fedora-selinux-list Craig

Re: [CentOS] Is there a CentOS selinux mailing list?

2009-11-23 Thread m . roth
/' doesn't actually work. Wait - you mean I have to cd to /var/log/httpd, to run setsebool httpd_unified on? That makes no sense. And I made the roles, etc, as close as I could, both on smagent and on its log file. to specifically answer your question, no, I don't know of a specific CentOS

Re: [CentOS] Is there a CentOS selinux mailing list?

2009-11-23 Thread Craig White
On Mon, 2009-11-23 at 11:41 -0700, m.r...@5-cent.us wrote: On Mon, 2009-11-23 at 11:01 -0700, m.r...@5-cent.us wrote: The subject says it all. I've still got that irritating problem of selinux complaining with smagent writing to its own logfile, and as I mentioned here, weeks ago, I've

Re: [CentOS] SELinux and KVM

2009-11-10 Thread Kai Schaetzl
David McGuffey wrote on Mon, 09 Nov 2009 22:44:39 -0500: Don't be so hard on him. I'm not trying to. Sorry, if it sounded like that. The point is that James still seems to mix some things in his mind which apparently are not to be mixed. He's to start over to succeed. Kai -- Kai Schätzl,

[CentOS] SELinux and KVM

2009-11-09 Thread James B. Byrne
I am trying to set up a test kvm virtual machine on a core2 quad system. I have managed to thread my way through bridging eth0 and I have a CentOS-5.4 dvd iso prepared. Using virt-manager, when I try and add a new guest then I get the error reproduced below. Now, I know that I can 'fix' this by

Re: [CentOS] SELinux and KVM

2009-11-09 Thread Kai Schaetzl
James B. Byrne wrote on Mon, 9 Nov 2009 10:44:36 -0500 (EST): Install qemu. SELinux denied access requested by qemu-system-x86. I'm not running KVM (but Xen). From the snippets above I deduce: - qemu is not part of CentOS, you probably got it from rpmforge. - that means you do not need qemu

Re: [CentOS] SELinux and KVM

2009-11-09 Thread Mathieu Baudier
- qemu is not part of CentOS, you probably got it from rpmforge. - that means you do not need qemu for KVM usage - SELinux cannot know about it - there's probably a different preferred way to use KVM on CentOS From a recent mail in this list: Well, it turns out that qemu is required and

Re: [CentOS] SELinux and KVM

2009-11-09 Thread James B. Byrne
On Mon, November 9, 2009 10:44, James B. Byrne wrote: I'm not running KVM (but Xen). From the snippets above I deduce: - qemu is not part of CentOS, you probably got it from rpmforge. - that means you do not need qemu for KVM usage - SELinux cannot know about it - there's probably a

Re: [CentOS] SELinux and KVM

2009-11-09 Thread James B. Byrne
I removed qemu and reinstalled virt-manager using the -x qemu switch. Everything installs and I get kvm-qemu-img instead of qemu. Of course, virt-manager now does not work. It opens but it does not provide any means of adding a new virtual host. This places me back at my point of departure,

Re: [CentOS] SELinux and KVM

2009-11-09 Thread Mathieu Baudier
Of course, virt-manager now does not work. It opens but it does not provide any means of adding a new virtual host. What are the symptoms? Does virt-manager ask for your root password when starting? Did you try with SELinux in permissive mode? I recommend that you install setroubleshoot, it

Re: [CentOS] SELinux and KVM

2009-11-09 Thread Kai Schaetzl
James B. Byrne wrote on Mon, 9 Nov 2009 14:48:50 -0500 (EST): I am afraid I am not seeing the logic behind this sort of install cockup. If qemu is not supposed to be used at all then why is it even available because you enabled rpmforge and installed qemu. *You* did that, not CentOS. I

Re: [CentOS] SELinux and KVM

2009-11-09 Thread Kai Schaetzl
James B. Byrne wrote on Mon, 9 Nov 2009 14:30:21 -0500 (EST): Odd then, do you not think, that when I install virt-manager yum requires qemu from the extras repository and does not require kvm-qemu-img. Yes. It doesn't require any of them for me. Have you tried cleaning your metadata? Kai

Re: [CentOS] SELinux and KVM

2009-11-09 Thread David McGuffey
On Mon, 2009-11-09 at 23:31 +0100, Kai Schaetzl wrote: James B. Byrne wrote on Mon, 9 Nov 2009 14:48:50 -0500 (EST): I am afraid I am not seeing the logic behind this sort of install cockup. If qemu is not supposed to be used at all then why is it even available because you enabled

Re: [CentOS] SELinux is preventing httpd from loading /usr/local/apache/modules/libphp5.so

2009-11-07 Thread mark
Ricky Tompu Breaky wrote: Dear my friends... Anybody would be so nice for telling me the solution of my problem. My Apache2 can not start. I find this error in /var/log/messages: Nov 7 14:20:47 cencen setroubleshoot: SELinux is preventing httpd from loading