Re: [CentOS-docs] CentOS wiki Homepage editing permission request
On 26/11/14 23:25, centos-docs.neophyte_...@ordinaryamerican.net wrote:
> Thank you. Good bye.

We made a decision to require people to contribute content using FirstnameLastname and asked people to be truthful about it since we take content on wiki.centos.org very seriously, and thought that having a clear community of people was more important than having text from arbitrary strings: and I still believe that it's a far better place to be today.

If your choice in the matter is to stick with the arbitrary string of text, there are lots of places on/around the internet where you can still contribute content and I encourage you to do so.

regards and thanks for stopping by

- KB

PS: you can still contribute via this list, make such a huge impact that this entire equation needs reconsidering.

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs
Re: [CentOS-docs] centos.org List of Mirrors Javascript
On 27/11/14 13:57, Petr Spacek wrote:
> Hello,
>
> I would like to propose a small change to http://centos.org/download/mirrors/
>
> Currently the mirror list is generated using Javascript but there is neither non-Javascript version of the list nor a fallback message for users without Javascript.
>
> It would be great to have non-Javascript version but at least a fallback message you need Javascript would greatly improve the user experience.
>
> Without Javascript, the page looks like this:
>
>   List of CentOS Mirrors
>
>   CentOS welcomes new mirror sites. If you are considering setting up a public mirror site for CentOS, please follow the mirror guidelines to make sure that your mirror is consistent with the other mirror sites.
>
> ... and that is it. There is no indication that the list of mirrors cannot be loaded because of missing Javascript. This greatly confused me when browsing with disabled Javascript.
>
> Have a nice day!

cc: Jim.

- KB

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
Re: [CentOS-docs] Application for write permissions to CentOS wiki
Hi,

On 01.12.2014 at 23:21, Alan Bartlett wrote:
> Karol -- If you have created a wiki account with an embedded space between forename and surname please delete it and create a new account, as Jerry has mentioned, above.

Okay, I've messed that up. Is there a way for me (button/link) to delete my account on my own? Otherwise I hereby would like to request for my account to be deleted by you guys. I'll wait with the creation of the new account.

Thanks in advance.

Best regards,
Karol Babioch
Re: [CentOS-docs] centos.org contacts in page footer are missing
On 11/27/2014 08:01 AM, Petr Spacek wrote:
> Hello,
>
> I would like to propose to add a Contact us link to centos.org web site.
>
> The page footer currently looks like this:
>
>   © 2014 The CentOS Project | _Legal_
>
> Unfortunately, even the Legal link does not contain any useful address. It took me a while to dig centos-docs@centos.org and it would be much more convenient to encourage users to report problems with the site without forcing them to dig deep for contacts.
>
> I hope this could help to make contribution easier.
>
> Have a nice day!

Yep. Also a good suggestion. I'll put this in place as well.

--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
Re: [CentOS-docs] Application for write permissions to CentOS wiki
On 4 December 2014 at 12:00, Karol Babioch ka...@babioch.de wrote:
> Hi,
>
> On 01.12.2014 at 23:21, Alan Bartlett wrote:
>> Karol -- If you have created a wiki account with an embedded space between forename and surname please delete it and create a new account, as Jerry has mentioned, above.
>
> Okay, I've messed that up. Is there a way for me (button/link) to delete my account on my own? Otherwise I hereby would like to request for my account to be deleted by you guys. I'll wait with the creation of the new account.
>
> Thanks in advance.
>
> Best regards,
> Karol Babioch

As far as I can recall you will need to log into the wrong account, then take the Preferences option that is in the top right hand corner of the banner heading. Under General Options there should be the facility to perform the deed. Select it and then left-click on Save.

If that fails, I'll need to call out to Ralph or Jim to assist.

Alan.
[CentOS-announce] CEEA-2014:1958 CentOS 7 bnx2x Enhancement Update
CentOS Errata and Enhancement Advisory 2014:1958

Upstream details at : https://rhn.redhat.com/errata/RHEA-2014-1958.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

x86_64:
eab035c4c87117fc19cc75cd8f5b856aa52a1a63a54ab7cf441755b89dd28ace kmod-bnx2x-1.710.51-3.el7_0.x86_64.rpm
a4b5a1acbedc67060930542d951007f74845314a6215bdf5c5c5e93ea8b1909d kmod-bnx2x-firmware-1.710.51-3.el7_0.x86_64.rpm

Source:
a44c81bac129e207108d4b8d9b61f8e373c993175bbfe4399b9cbf3c5187b24f bnx2x-1.710.51-3.el7_0.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
___
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CEBA-2014:1957 CentOS 7 resource-agents BugFix Update
CentOS Errata and Bugfix Advisory 2014:1957

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-1957.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

x86_64:
324557e085beb83897926fe401aa1bff5a96bd437c0ec1aa4d443893f9eae08d resource-agents-3.9.5-26.el7_0.6.x86_64.rpm

Source:
ea95a99f8a74cb22e963873f5693f1dcca724e2ac2cd9e7caee1b7821254bdb5 resource-agents-3.9.5-26.el7_0.6.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
[CentOS-announce] CESA-2014:1956 Moderate CentOS 7 wpa_supplicant Security Update
CentOS Errata and Security Advisory 2014:1956 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-1956.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

x86_64:
867c5ed3ca6d8ddad3d7b237c318c8087a3f00b84608290c8029045c7d61e2d2 wpa_supplicant-2.0-13.el7_0.x86_64.rpm

Source:
f80528eda6d9a6aaddd3e357c3262d2daabed1fa4f3c8a09329d91ce98201004 wpa_supplicant-2.0-13.el7_0.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
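Added example, not part of the advisory or of any CentOS tooling: a parser for the "( sha256sum Filename )" listing these advisories use, checking a directory of downloaded packages against it. The package names and contents in the demo are constructed, and the digests carry only as much trust as the channel the advisory text arrived over.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One "<sha256> <filename>" pair as listed after "( sha256sum Filename )".
# The filename pattern excludes "/" so a crafted advisory cannot point the
# check at a path outside the download directory.
PAIR = re.compile(r"(?<!\S)([0-9a-f]{64})\s+([A-Za-z0-9._+-]+\.rpm)(?!\S)")


def parse_advisory(text):
    """Return {filename: sha256} from an advisory body.

    Works on the original multi-line mail and on a flattened single-line
    copy. A package repeated under several architecture headings is
    accepted once; one filename with two different digests is an error.
    """
    expected = {}
    for digest, name in PAIR.findall(text):
        if expected.setdefault(name, digest) != digest:
            raise ValueError("conflicting digests listed for " + name)
    return expected


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large packages are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(advisory_text, directory):
    """Return {filename: status} for a download directory.

    status is "ok", "mismatch", "missing" (listed but not downloaded) or
    "unlisted" (an .rpm in the directory the advisory does not mention).
    """
    directory = Path(directory)
    result = {}
    for name, digest in parse_advisory(advisory_text).items():
        path = directory / name
        if not path.is_file():
            result[name] = "missing"
        elif sha256_file(path) == digest:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    for path in directory.glob("*.rpm"):
        result.setdefault(path.name, "unlisted")
    return result


if __name__ == "__main__":
    # Constructed sample: two fake "packages" and an advisory body in the
    # same layout as the mails above, flattened onto one line.
    workdir = Path(tempfile.mkdtemp())
    good = b"constructed package contents"
    (workdir / "demo-1.0-1.el7.x86_64.rpm").write_bytes(good)
    (workdir / "demo-libs-1.0-1.el7.x86_64.rpm").write_bytes(b"altered")
    advisory = (
        "( sha256sum Filename ) x86_64: "
        + hashlib.sha256(good).hexdigest()
        + " demo-1.0-1.el7.x86_64.rpm "
        + hashlib.sha256(b"as published").hexdigest()
        + " demo-libs-1.0-1.el7.x86_64.rpm"
    )
    for name, status in sorted(verify(advisory, workdir).items()):
        print(status, name)
```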
[CentOS-announce] Release for CentOS Linux Rolling media
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am pleased to announce general availability of the rolling builds for CentOS Linux. Today's release includes CentOS Linux 7 iso based install media and the generic cloud images.

CentOS Linux rolling builds are point in time snapshot media rebuilt from original release time, to include all updates pushed to mirror.centos.org's repositories. This includes all security, bugfix, enhancement and general updates for CentOS Linux. Machines installed from this media will have all these updates pre-included and will look no different when compared with machines installed with older media that have been yum updated to the same point in time.

All rpm/yum repos remain on mirror.centos.org with no changes in either layout or content.

We will aim to update and issue for release a new set of these files at the end of every month going forward. Each released filename includes a datestamp and a buildtag to indicate the content included. Files marked as 20141129_02 indicate that it includes all content released to mirror.centos.org up to ( and including ) the 29th of Nov 2014 and is the second build of that cycle.

While all builds are made public at buildlogs.centos.org/, only those that pass our QA and testing cycles will be marked as released, to be included in buildlogs.centos.org/rolling/. We will also do interim builds as needed ( for development and testing purposes ) at different points in time, those builds will not be marked for general release, but will still be available publicly.

Since there is a need to test these images, the release will always lag a few days behind the datestamp ( and therefore content included ) in the release. My aim is to automate as much of this as possible going forward to reduce this time lag as much as possible, however we might not be able to remove it completely.

With every cycle, we hope to increase the content made available in this rolling format. Immediate next steps include bringing the CentOS Linux 7 livemedia into the rolling releases followed by CentOS Linux 6 content from the next ( December 2014 ) cycle. Due to the way the installer works in CentOS-5, and its point in time we have no plans on including CentOS-5 in this cycle at this point.

For the sake of uniformity and communication, the release media will be referenced by the month it reflects, not the month it was released in. Making this release the Nov 2014 Rolling release.

Other content formats like containers and vendor specific images will aim to start with the same cycle as the main CentOS Linux media, but might move to a more frequent build and release cycle if needed.

Special Interest Groups ( http://wiki.centos.org/SpecialInterestGroup ) wanting to do media and installer releases should also consider using the rolling timelines to sync with.

Finally, I want to highlight that we will always consider doing a rolling release to address major security issues like the recent heartbleed, shellshock and poodle patches.
- --- CentOS Linux distro installer media: File: CentOS-7-x86_64-DVD-20141129_02.iso Sha256sum: 85a46c62b5bfc701678bef7854bb73af4ccfb840dfcbfb2f9b2189e08fe9438c File: CentOS-7-x86_64-Everything-20141129_02.iso Sha256sum: f9fdd8b12c9529a1e3bf7628ebee964b2aeb9fd66540de7b369e0fde6f7a4236 File: CentOS-7-x86_64-Minimal-20141129_02.iso Sha256sum: e1338d13178f1c66c17386b7ced0b1459c677ff9a1cf095ac4db377234cc03fa Symlinks are provided that will always map to the latest released builds, as follows ( including their current mapping ) http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-DVD.iso - - CentOS-7-x86_64-DVD-20141129_02.iso http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-Everything.iso - - CentOS-7-x86_64-Everything-20141129_02.iso http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-Minimal.iso - - CentOS-7-x86_64-Minimal-20141129_02.iso These symlinks will be updated to point at the latest tested and released media and make for a good target in automation that requires CentOS Linux media. - -- Cloud and Instance Images: The CentOS Linux 7 GenericCloud image is built to include cloud-init from the Extras/ repository. The image is made available in multiple formats, with identical content. The cloud images are released via http://cloud.centos.org/centos/7/images/ File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2 Desc: is the reference image. Size: 944 MB Sha256Sum: 7710ffdd497cf00fc72c22a3fa7cc7adb3424d3542521ca8fbe19eba9ded403f File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2c Desc: This is the same image, run through the qemu qcow2 internal compression setup - while this image is suiteable for development and play, it comes with non trivial i/o performance penalties and therefore not recommended for production. Size: 399MB Sha256Sum: db42e4fb9565e75f0acbe6b54a5b8822f3f1e9783fb1a553e1552c72ceaff8df File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2.xz Desc: This is the
Re: [CentOS-virt] xen-c6 fails to boot
On 12/02/2014 07:36 AM, Bob Ball wrote:
>> -----Original Message-----
>> From: Johnny Hughes
>>
>> On 12/01/2014 04:48 AM, Bob Ball wrote:
>>> [81575480] panic+0xc4/0x1e1
>>> [81054836] find_new_reaper+0x176/0x180
>>> [81055345] forget_original_parent+0x45/0x2c0
>>> [81107214] ? task_function_call+0x44/0x50
>>> [810555d7] exit_notify+0x17/0x140
>>> [81057053] do_exit+0x1f3/0x450
>>> [81057305] do_group_exit+0x55/0xd0
>>> [81057397] sys_exit_group+0x17/0x20
>>> [815806a9] system_call_fastpath+0x16/0x1b
>>
>> It works fine for me .. you might consider using CentOS-6.6 and not CentOS-6.4 .. also, we now use a 3.10 kernel and the latest version of xen is 4.2.5 in the /6.6/xen4/ repo.
>
> Updated to CentOS-6.6, but I still get the same issue. By the above I assume you're using the xen4 repo rather than the xen-c6 repository referred to by http://wiki.centos.org/QaWiki/Xen4? Is the xen-c6 repo now considered broken or deprecated with the xen4 repo used in preference?
>
>> BUT .. it seems to be a hardware/driver issue.
>
> The same hardware (cluster of 10 machines) was successfully working with the xen-c6 repository previously; I'm not sure what issue might have occurred to cause this failure on all hosts which is why I think it's a software issue. Possibly a driver issue although the last successful run was using the same kernel so I assume had roughly the same drivers installed. Note that the 3.4 kernel boots fine without Xen, it is only under Xen that the boot fails and the machine restarts.

What I mean by hardware issue is the way the hardware interacts with the newer versions of xen. I guess what I should have said is that there is some unique issue with your hardware.

The updates we have posted are needed for numerous security updates, so I would not recommend running older versions long term for security reasons ... BUT ... all the previously released software is here:

http://vault.centos.org/6.4/xen4/
http://vault.centos.org/6.5/xen4/

and

http://mirror.centos.org/centos/6.6/xen4/

In this unique case (ie, your exact hardware and software combinations), you may need to experiment with and find the exact combination of software that works for you. In any event, all the software we have previously released is in those locations, so getting a combination that works so we can isolate the issue that causes it all to die is likely the best starting point.

___
CentOS-virt mailing list
CentOS-virt@centos.org
http://lists.centos.org/mailman/listinfo/centos-virt
Re: [CentOS-virt] xen-c6 fails to boot
Thanks all for the advice. It seems there is an issue with Dracut booting from these hosts when LVM is used. dracut: Scanning devices sda2 for LVM logical volumes VolGroup/lv_swap VolGroup/lv_root dracut: inactive '/dev/VolGroup/lv_swap' [1.94 GiB] inherit dracut: inactive '/dev/VolGroup/lv_root' [230.69 GiB] inherit dracut: PARTIAL MODE. Incomplete logical volumes will be processed. dracut: Operation prohibited while global/metadata_read_only is set. dracut: Operation prohibited while global/metadata_read_only is set. ... dracut Warning: LVM VolGroup/lv_swap not found dracut Warning: LVM VolGroup/lv_root not found Switching my kickstart to use real partitions rather than LVM solved the issue. Not sure if that's enough detail to figure out what's wrong / missing from the kernel / initrd. Bob -Original Message- From: centos-virt-boun...@centos.org [mailto:centos-virt- boun...@centos.org] On Behalf Of Johnny Hughes Sent: 04 December 2014 09:51 To: centos-virt@centos.org Subject: Re: [CentOS-virt] xen-c6 fails to boot On 12/02/2014 07:36 AM, Bob Ball wrote: -Original Message- From: Johnny Hughes On 12/01/2014 04:48 AM, Bob Ball wrote: [81575480] panic+0xc4/0x1e1 [81054836] find_new_reaper+0x176/0x180 [81055345] forget_original_parent+0x45/0x2c0 [81107214] ? task_function_call+0x44/0x50 [810555d7] exit_notify+0x17/0x140 [81057053] do_exit+0x1f3/0x450 [81057305] do_group_exit+0x55/0xd0 [81057397] sys_exit_group+0x17/0x20 [815806a9] system_call_fastpath+0x16/0x1b It works fine for me .. you might consider using CentOS-6.6 and not CentOS-6.4 .. also, we now use a 3.10 kernel and the latest version of xen is 4.2.5 in the /6.6/xen4/ repo. Updated to CentOS-6.6, but I still get the same issue. By the above I assume you're using the xen4 repo rather than the xen-c6 repository referred to by http://wiki.centos.org/QaWiki/Xen4? Is the xen-c6 repo now considered broken or deprecated with the xen4 repo used in preference? BUT .. it seems to be a hardware/driver issue. 
The same hardware (cluster of 10 machines) was successfully working with the xen-c6 repository previously; I'm not sure what issue might have occurred to cause this failure on all hosts which is why I think it's a software issue. Possibly a driver issue although the last successful run was using the same kernel so I assume had roughly the same drivers installed. Note that the 3.4 kernel boots fine without Xen, it is only under Xen that the boot fails and the machine restarts. What I mean by hardware issue is the way the hardware interacts with the newer versions of xen. I guess what I should have said is that there is some unique issue with your hardware. The updates have have posted are needed for numerous security updates, so I would not recommend running older versions long term for security reasons ... BUT ... all the previously released software is here: http://vault.centos.org/6.4/xen4/ http://vault.centos.org/6.5/xen4/ and http://mirror.centos.org/centos/6.6/xen4/ In this unique case (ie, your exact hardware and software combinations), you may need to experiment with and find the exact combination of software that works for you. In any event, all the software we have previously released is in those locations, so getting a combination that works so we can isolate the issue that causes it all to die is likely the best starting point. ___ CentOS-virt mailing list CentOS-virt@centos.org http://lists.centos.org/mailman/listinfo/centos-virt
[CentOS] CentOS-announce Digest, Vol 118, Issue 3
Send CentOS-announce mailing list submissions to centos-annou...@centos.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-requ...@centos.org You can reach the person managing the list at centos-announce-ow...@centos.org When replying, please edit your Subject line so it is more specific than Re: Contents of CentOS-announce digest... Today's Topics: 1. CESA-2014:1948 Important CentOS 5 nss SecurityUpdate (Johnny Hughes) 2. CESA-2014:1919 Critical CentOS 5 firefox Security Update (Johnny Hughes) 3. CESA-2014:1924 Important CentOS 5 thunderbird Security Update (Johnny Hughes) 4. CESA-2014:1919 Critical CentOS 6 firefox Security Update (Johnny Hughes) 5. CESA-2014:1924 Important CentOS 6 thunderbird Security Update (Johnny Hughes) 6. CESA-2014:1948 Important CentOS 6 nss SecurityUpdate (Johnny Hughes) 7. CESA-2014:1919 Critical CentOS 7 firefox Security Update (Johnny Hughes) 8. 
CESA-2014:1948 Important CentOS 7 nss SecurityUpdate (Johnny Hughes) -- Message: 1 Date: Wed, 3 Dec 2014 22:45:56 + From: Johnny Hughes joh...@centos.org To: centos-annou...@centos.org Subject: [CentOS-announce] CESA-2014:1948 Important CentOS 5 nss SecurityUpdate Message-ID: 20141203224556.ga26...@chakra.karan.org Content-Type: text/plain; charset=us-ascii CentOS Errata and Security Advisory 2014:1948 Important Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-1948.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: b8a799602864cd2f9352bcd442c0b4652ef4486b246d9baeff9e889ce51b9243 nss-3.16.2.3-1.el5_11.i386.rpm 409f51997a41bd6e2cff5b37a32019b46d2a526621ac35c5f35d0b884ec9c75b nss-devel-3.16.2.3-1.el5_11.i386.rpm 3af4d4d23156e56efbe74e5658af28cc66c517ecbb20c1040f2d4d679e92dfdb nss-pkcs11-devel-3.16.2.3-1.el5_11.i386.rpm f6eb0fa74c036640fcfef6df781e5a716cf8c9eb1d6614ce4432ff233ed2a576 nss-tools-3.16.2.3-1.el5_11.i386.rpm x86_64: b8a799602864cd2f9352bcd442c0b4652ef4486b246d9baeff9e889ce51b9243 nss-3.16.2.3-1.el5_11.i386.rpm d09ed19b6ec0defe4352c10caccfe0c996ad71a5950b7b97f88d80675ec9369d nss-3.16.2.3-1.el5_11.x86_64.rpm 409f51997a41bd6e2cff5b37a32019b46d2a526621ac35c5f35d0b884ec9c75b nss-devel-3.16.2.3-1.el5_11.i386.rpm c79362a2311852a8bc470fc23ec216ef1c584dcbba82fe6ea388c7b6a0c2d0fe nss-devel-3.16.2.3-1.el5_11.x86_64.rpm 3af4d4d23156e56efbe74e5658af28cc66c517ecbb20c1040f2d4d679e92dfdb nss-pkcs11-devel-3.16.2.3-1.el5_11.i386.rpm eb674312d3831b56b2ce62688b1d9fbc92e13def8dae4a52b371beee7f3fd70c nss-pkcs11-devel-3.16.2.3-1.el5_11.x86_64.rpm 5aa2f69b45955f200f22a682164c8679b1904911a429845dc5b89e84528f3b59 nss-tools-3.16.2.3-1.el5_11.x86_64.rpm Source: f99f974c0ad77aea4144b991d7e6fb6ee10aa92c9abbebc7030dfd11f7c2ee0e nss-3.16.2.3-1.el5_11.src.rpm -- Johnny Hughes CentOS Project { http://www.centos.org/ } irc: hughesjr, #cen...@irc.freenode.net -- Message: 2 Date: Wed, 3 Dec 2014 22:51:38 + 
From: Johnny Hughes joh...@centos.org To: centos-annou...@centos.org Subject: [CentOS-announce] CESA-2014:1919 Critical CentOS 5 firefox SecurityUpdate Message-ID: 20141203225138.ga26...@chakra.karan.org Content-Type: text/plain; charset=us-ascii CentOS Errata and Security Advisory 2014:1919 Critical Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-1919.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: fcc0f6afc339f1489e58b0a3d5165842cdd18b0be9989593788d21dc34184eb7 firefox-31.3.0-4.el5.centos.i386.rpm x86_64: fcc0f6afc339f1489e58b0a3d5165842cdd18b0be9989593788d21dc34184eb7 firefox-31.3.0-4.el5.centos.i386.rpm 8486affc75744d986438ecf4f9fe1b73f27ef370999675c2d3f2caa8bb58405d firefox-31.3.0-4.el5.centos.x86_64.rpm Source: c1833c68d0aa3abb27e5011b2e1625eafc5e968f353e42a381327fa583ef3172 firefox-31.3.0-4.el5.centos.src.rpm -- Johnny Hughes CentOS Project { http://www.centos.org/ } irc: hughesjr, #cen...@irc.freenode.net -- Message: 3 Date: Wed, 3 Dec 2014 22:57:24 + From: Johnny Hughes joh...@centos.org To: centos-annou...@centos.org Subject: [CentOS-announce] CESA-2014:1924 Important CentOS 5 thunderbird Security Update Message-ID: 20141203225724.ga26...@chakra.karan.org Content-Type: text/plain; charset=us-ascii CentOS Errata and Security Advisory 2014:1924 Important Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-1924.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386:
Re: [CentOS] SEtroubleshootd Crashing
Are you seeing other AVCs? On 12/03/2014 05:36 AM, John Beranek wrote: Indeed, thanks Dan - it doesn't get us to a completely clean running that would allow us to run our Node app as we are under Passenger with SELinux enforcing, but it at least has stopped the excessive amount of AVCs we were getting. John On 3 December 2014 at 10:01, Daniel J Walsh dwa...@redhat.com wrote: Looks like turning on three booleans will solve most of the problem. httpd_execmem, httpd_run_stickshift, allow_httpd_anon_write On 12/03/2014 03:55 AM, John Beranek wrote: Mark: Labels look OK, restorecon has nothing to do, and: -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /bin/ps dr-xr-xr-x. root root system_u:object_r:proc_t:s0 /proc I'll send the audit log on to Dan. Cheers, John On 2 December 2014 at 16:10, Daniel J Walsh dwa...@redhat.com wrote: Could you send me a copy of your audit.log. You should not be getting hundreds of AVC's a day. ausearch -m avc,user_avc -ts today On 12/02/2014 05:08 AM, John Beranek wrote: I'll jump in here to say we'll try your suggestion, but I guess what's not been mentioned is that we get the setroubleshoot abrt's only a few times a day, but we're getting 1s of setroubleshoot messages in /var/log/messages a day. e.g. Dec 2 10:03:55 server audispd: queue is full - dropping event Dec 2 10:04:00 server audispd: last message repeated 199 times Dec 2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages from pid 5967 due to rate-limiting Dec 2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid 5967 due to rate-limiting Dec 2 10:04:01 server audispd: queue is full - dropping event Dec 2 10:04:02 server audispd: last message repeated 134 times Dec 2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps from read access on the file /proc/pid/stat. For complete SELinux messages. 
run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4 Dec 2 10:04:02 server audispd: queue is full - dropping event Dec 2 10:04:03 server audispd: last message repeated 48 times Dec 2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/pid. For complete SELinux messages. run sealert -l 2d09d555-8834-4c27-976b-6647f8673286 Dec 2 10:04:03 server audispd: queue is full - dropping event Dec 2 10:04:03 server audispd: last message repeated 15 times Dec 2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages from pid 5967 due to rate-limiting Dec 2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc/pid/stat. For complete SELinux messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069 Dec 2 10:04:04 server setroubleshoot: last message repeated 2 times Dec 2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/pid. For complete SELinux messages. run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc Dec 2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc/pid/stat. For complete SELinux messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f Dec 2 10:04:05 server setroubleshoot: last message repeated 2 times Dec 2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/pid. For complete SELinux messages. run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be Dec 2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc/pid/stat. For complete SELinux messages. 
run sealert -l d8dbf973-7bc2-4fd5-9540-18c4040be03c Dec 2 10:04:06 server setroubleshoot: last message repeated 2 times Dec 2 10:04:06 server sedispatch: AVC Message for setroubleshoot, dropping message Dec 2 10:04:06 server sedispatch: last message repeated 3 times Cheers, John On 1 December 2014 at 17:19, Daniel J Walsh dwa...@redhat.com wrote: On 12/01/2014 10:39 AM, Gary Smithson wrote: We are currently running libxml2-2.7.6-14.el6_5.2.x86_64 How far back would you suggest we go? would libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient Ok might not be related. One other suggestion would be to clear the database out. And see if there was something in the database that was causing it problems. Make sure there is no setroubleshootd running and /var/lib/setroubleshoot/setroubleshoot_database.xml -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Daniel J Walsh Sent: 01 December 2014 15:10 To: CentOS mailing list Subject: Re: [CentOS] SEtroubleshootd Crashing I am not sure. I was just seeing email on this today. Could you try to downgrade the latest version of libxml to see if the problem goes away. On 12/01/2014 10:01 AM, Gary Smithson wrote: Thanks Could you please clarify, which version libxml is broken and
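Added example, not written by anyone in this thread: a triage of the /var/log/messages excerpt quoted above. It groups the setroubleshoot denials by source, access and target, and separately counts the audispd, sedispatch and rsyslog lines that report dropped events, since those mean the visible denial count is only a lower bound. The sample lines are abridged from the excerpt (the trailing sealert hint is omitted); the function name and result keys are choices made for this example.

```python
import re
from collections import Counter

# "Mon D HH:MM:SS host program[pid]: message" as written by rsyslog.
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s\S+\s([^:\[\s]+)(?:\[\d+\])?:\s(.*)$")
DENIAL = re.compile(r"SELinux is preventing (\S+) from (.+?) access on the (\w+) (\S+)")
REPEAT = re.compile(r"last message repeated (\d+) times")
LOST = re.compile(r"imuxsock lost (\d+) messages")

# Abridged from the log excerpt in the thread above.
SAMPLE = [
    "Dec 2 10:03:55 server audispd: queue is full - dropping event",
    "Dec 2 10:04:00 server audispd: last message repeated 199 times",
    "Dec 2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid 5967 due to rate-limiting",
    "Dec 2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps from read access on the file /proc/pid/stat.",
    "Dec 2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc/pid/stat.",
    "Dec 2 10:04:04 server setroubleshoot: last message repeated 2 times",
    "Dec 2 10:04:06 server sedispatch: AVC Message for setroubleshoot, dropping message",
    "Dec 2 10:04:06 server sedispatch: last message repeated 3 times",
]


def triage(lines):
    """Return (denials, gaps) for an iterable of syslog lines.

    denials maps (source, access, class, target) to a count; gaps counts
    events that the audit and logging pipeline reported as dropped.
    """
    denials = Counter()
    gaps = Counter()
    last = {}  # program -> (counter, key) of that program's previous message
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        prog, msg = m.groups()
        rep = REPEAT.search(msg)
        if rep:
            # syslog collapses identical lines; credit them to the original.
            if prog in last:
                counter, key = last[prog]
                counter[key] += int(rep.group(1))
            continue
        denial = DENIAL.search(msg)
        lost = LOST.search(msg)
        if prog == "setroubleshoot" and denial:
            src, access, tclass, target = denial.groups()
            key = (src, access, tclass, target.rstrip("."))
            denials[key] += 1
            last[prog] = (denials, key)
        elif prog == "audispd" and "dropping event" in msg:
            gaps["audit_events_dropped"] += 1
            last[prog] = (gaps, "audit_events_dropped")
        elif prog == "sedispatch" and "dropping message" in msg:
            gaps["sedispatch_dropped"] += 1
            last[prog] = (gaps, "sedispatch_dropped")
        elif lost:
            gaps["syslog_messages_lost"] += int(lost.group(1))
            last.pop(prog, None)
        else:
            last.pop(prog, None)
    return dict(denials), dict(gaps)


if __name__ == "__main__":
    seen, dropped = triage(SAMPLE)
    for key, count in sorted(seen.items()):
        print(count, *key)
    print("pipeline gaps:", dropped)
```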
[CentOS] ELRepo still active?
Hi,

I'm currently installing CentOS 5.11 i386 on an old PC. Is the ELRepo third-party repository still active and maintained?

Cheers,

Niki Kovacs
--
Microlinux - Solutions informatiques 100% Linux et logiciels libres
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] ELRepo still active?
On 04/12/14 13:10, Niki Kovacs wrote:
> Hi,
>
> I'm currently installing CentOS 5.11 i386 on an old PC. Is the ELRepo third-party repository still active and maintained?
>
> Cheers,
>
> Niki Kovacs

Sure is. Although you would probably be better off asking on the elrepo mailing list rather than the CentOS list.

Anything you are particularly interested in?
Re: [CentOS] CentOS 7 - not using latest installed kernel
On 03/12/14 17:10, John Horne wrote:
> Hello,
>
> I have just installed CentOS 7 onto two servers and applied all the current patches. There are currently two kernels installed:
>
> # rpm -q kernel
> kernel-3.10.0-123.el7.x86_64
> kernel-3.10.0-123.9.3.el7.x86_64
>
> However, if I reboot the servers they both start up on the older kernel:
>
> # uname -r
> 3.10.0-123.el7.x86_64
>
> I would have expected them to restart using kernel 3.10.0-123.9.3. I know I can manually select the kernel to use at boot time (from the grub2 menu), but, as with CentOS 6, I would have expected the servers to reboot using the latest kernel automatically.
>
> Has anyone else noticed this? Any ideas as to why it might be happening?
>
> Thanks,
>
> John.

Someone already pointed you to the upstream bug for this.

Uninstalling the original release kernel (3.10.0-123.el7.x86_64) should provide a workaround as the rest of the kernels should then be sorted in the correct order.
Re: [CentOS] ELRepo still active?
On 04/12/2014 14:24, Ned Slider wrote:
> Sure is. Although you would probably be better off asking on the elrepo mailing list rather than the CentOS list.
>
> Anything you are particularly interested in?

Not really, but I've been a CentOS user for a few years. Then migrated to Slackware, but it looks like I will use CentOS again soon. I knew CentOS 5.x very well (even published a book about it), so now I'm busy doing some RTFM, writing my own notes and catching up with all the changes since I've last used CentOS. I remember having used ELRepo for some exotic hardware, for proprietary NVidia drivers and the likes, hence my question.

Cheers,

Niki
--
Microlinux - Solutions informatiques 100% Linux et logiciels libres
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
Re: [CentOS] DegradedArray message
Thanks for all the responses. A little more digging revealed:

md0 is made up of two 250G disks on which the OS and a very large /var partition resides for a number of virtual machines.

md1 is made up of two 2T disks on which /home resides.

Challenge is that disk 0 of md0 is the problem and it has a 524M /boot partition outside of the raid partition.

My plan is to back up /home (md1) and at a minimum /etc/libvirt and /var/lib/libvirt (md0) before I do anything else.

Here are the log entries for 'raid'

Dec 1 20:50:15 desk4 kernel: md/raid1:md1: not clean -- starting background reconstruction
Dec 1 20:50:15 desk4 kernel: md/raid1:md1: active with 2 out of 2 mirrors
Dec 1 20:50:15 desk4 kernel: md/raid1:md0: active with 1 out of 2 mirrors

This is a desktop, not a server. We've had several short (20 sec) power outages over the last month. The last one was on 1 Dec. I suspect the sudden loss and restoration of power could have trashed a portion of disk 0 in md0.

I finally obtained an APC UPS (BX1500G), installed, configured, and tested it. In the future, it will carry me through these short outages.

I'll obtain a new 250G (or larger) drive and start rooting around for guidance on how to replace a drive with the MBR and /boot on it.

On Wed, 2014-12-03 at 22:11 +0100, Leon Fauster wrote:
> Hi David,
>
> On 03.12.2014 at 02:14, David McGuffey davidmcguf...@verizion.net wrote:
>> This is an automatically generated mail message from mdadm running on desk4
>>
>> A DegradedArray event had been detected on md device /dev/md0.
>>
>> Faithfully yours, etc.
>>
>> P.S. The /proc/mdstat file currently contains the following:
>>
>> Personalities : [raid1]
>> md0 : active raid1 dm-2[1]
>> 243682172 blocks super 1.1 [2/1] [_U]
>> bitmap: 2/2 pages [8KB], 65536KB chunk
>> md1 : active raid1 dm-3[0] dm-0[1]
>> 1953510268 blocks super 1.1 [2/2] [UU]
>> bitmap: 3/15 pages [12KB], 65536KB chunk
>
> the reason why one drive was kicked out (above [_U] ) will be in /var/log/messages. If it is also part of md1 then it should be manually removed from md1 before replacing the hd.
>
> --
> LF
[CentOS] wield messages on /var/log/messages after install BACKEXEC
We have Centos 5.X on DELL servers. Recently we upgraded to a later version of the BACKEXEC software and /var/log/messages has the following messages:

Dec 3 18:19:04 ORA1 modprobe: WARNING: Unmatched bracket in ÷ 0E[rŠ£½Øô/N
Dec 3 19:14:45 ORA1 modprobe: WARNING: Unmatched bracket in •§ºÎãù(A[v’¯Íì
Dec 3 19:14:45 ORA1 modprobe: WARNING: Unmatched bracket in ÈÚí,C[tŽ©Åâ
Dec 3 19:14:45 ORA1 modprobe: WARNING: Unmatched bracket in `r…™®ÄÛó A]z˜·
Dec 3 19:29:45 ORA1 SYMBDSNAP_SDK[7808]: Reloc File successfully created.
Dec 3 19:30:38 ORA1 SYMBDSNAP_SDK[7808]: Reloc File successfully created.

Anyone know why? Thanks
Re: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
On Thu, 2014-12-04 at 08:08 -0500, mark wrote: On 12/03/14 17:34, Cal Webster wrote: Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don't use it for console logins, only for email and .mil web sites. I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries. Dunno 'bout the new CaC keys, but they upgraded our PIV cards to 128? 256? I forget, earlier this year, and I *think* I remember my manager pushing an enhancement on upstream, and since then we've had no trouble with coolkey accessing them. The two *should* be identical. Was source for this upstream enhancement released to the community? Not sure what you meant by The two - you mean coolkey and cackey? snip I've tried installing and loading the latest cackey libraries (see I know nothing about cackey libraries, but it's possible that, and pcscd are arguing. I don't see pcscd installed. pcsc-lite-1.5.2-14.el6.x86_64 (listed on original post) contains pcscd. Sure that's possible but I see nothing to support that in the system logs. I just got a cackey developer contact on forge.mil today from a Civil Svc engineer who does have access so I'll send him my data too. Thanks Mark. mark snip More relevant information below... Smart Card Reader: SCM Microsystems Inc. 
SCR3310 USB Smart Card Reader (21120628202509) 00 00-0

Old CAC: GEMAL TO TOPDL GX4 144
New CAC: GD FIPS 201 SCE 3.2

[root@inet3 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@inet3 ~]# uname -a
Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@inet3 ~]#

Installed Packages
coolkey.i686                     1.1.0-32.el6          @base
coolkey.x86_64                   1.1.0-32.el6          @base
firefox.i686                     31.2.0-3.el6.centos   @updates
firefox.x86_64                   31.2.0-3.el6.centos   @updates
thunderbird.x86_64               31.2.0-3.el6.centos   @updates
pcsc-lite.x86_64                 1.5.2-14.el6          @base
pcsc-lite-devel.x86_64           1.5.2-14.el6          @base
pcsc-lite-libs.x86_64            1.5.2-14.el6          @base
nss.i686                         3.16.1-14.el6         @base
nss.x86_64                       3.16.1-14.el6         @base
nss-devel.x86_64                 3.16.1-14.el6         @base
nss-softokn.i686                 3.14.3-18.el6_6       @updates
nss-softokn.x86_64               3.14.3-18.el6_6       @updates
nss-softokn-devel.x86_64         3.14.3-18.el6_6       @updates
nss-softokn-freebl.i686          3.14.3-18.el6_6       @updates
nss-softokn-freebl.x86_64        3.14.3-18.el6_6       @updates
nss-softokn-freebl-devel.x86_64  3.14.3-18.el6_6       @updates
nss-sysinit.x86_64               3.16.1-14.el6         @base
nss-tools.x86_64                 3.16.1-14.el6         @base
nss-util.i686                    3.16.1-3.el6          @base
nss-util.x86_64                  3.16.1-3.el6          @base
nss-util-devel.x86_64            3.16.1-3.el6          @base

[root@inet3 ~]# modutil -list -dbdir /etc/pki/nssdb

Listing of PKCS #11 Modules
---
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
     status: loaded

     slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
     library name: libcoolkeypk11.so
     slots: 1 slot attached
     status: loaded

     slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
     token: WEBSTER.CALVIN.DALE.9427154028

  3. cackey
     library name: libcackey.so
     slots: 2 slots attached
     status: loaded

     slot: CACKey Slot
     token: WEBSTER.CALVIN.DALE.9427154028

     slot: CACKey Slot
     token: DoD Certificates
Re: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently? On Wed, Dec 3, 2014 at 5:34 PM, Cal Webster cwebs...@ec.rr.com wrote: Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don't use it for console logins, only for email and .mil web sites. I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries. After getting my new CAC I am no longer able to authenticate to any DoD sites. I can still sign and encrypt email in Thunderbird via the coolkey libraries but .mil sites either simply display blank pages or raise various errors in firefox. I am prompted for my PIN, which is successfully accepted but I'm not even prompted for which cert to use, like I used to be. I've tried installing and loading the latest cackey libraries (see below) but when I insert my CAC and attempt to login to the module in the Mozilla device manager it completely freezes firefox. Recovery requires killing firefox. If I remove the latest and install the next previous cackey library it works the same as coolkey - doesn't freeze up firefox but never connects to .mil sites. I tried building the cackey RPMs from the source RPMs too but the result is the same. Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm Next previous cackey: cackey-0.6.5-2444.x86_64.rpm I'm pretty sure it has something to do with the newer PIV CAC internal layout. I went through a similar transition when the GEMAL 144 cards came out but the cackey libraries did at least work and coolkey eventually caught up. One thing is for sure... the cackey RPM from forge.mil is not a drop-in replacement for coolkey. The cackey RPM only installs the libraries themselves, nothing else. 
It doesn't even register them in the nss db I had to do that manually with modutil. I must be missing something... Without direct access to forge.mil it's difficult to troubleshoot cackey. For some silly reason they still require CAC authentication to get the CAC software and drivers and access the forums, etc. More relevant information below... I'd be grateful for any ideas or advice on this. I desperately need to retrieve vulnerability reports, patches, and other DoD resources. Thanks! Cal Webster Smart Card Reader: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0 Old CAC:GEMAL TO TOPDL GX4 144 New CAC:GD FIPS 201 SCE 3.2 [root@inet3 ~]# cat /etc/redhat-release CentOS release 6.6 (Final) [root@inet3 ~]# uname -a Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux [root@inet3 ~]# Installed Packages coolkey.i686 1.1.0-32.el6@base coolkey.x86_64 1.1.0-32.el6@base firefox.i686 31.2.0-3.el6.centos @updates firefox.x86_64 31.2.0-3.el6.centos @updates thunderbird.x86_64 31.2.0-3.el6.centos @updates pcsc-lite.x86_64 1.5.2-14.el6@base pcsc-lite-devel.x86_64 1.5.2-14.el6@base pcsc-lite-libs.x86_64 1.5.2-14.el6@base nss.i686 3.16.1-14.el6 @base nss.x86_64 3.16.1-14.el6 @base nss-devel.x86_64 3.16.1-14.el6 @base nss-softokn.i686 3.14.3-18.el6_6 @updates nss-softokn.x86_64 3.14.3-18.el6_6 @updates nss-softokn-devel.x86_64 3.14.3-18.el6_6 @updates nss-softokn-freebl.i6863.14.3-18.el6_6 @updates nss-softokn-freebl.x86_64 3.14.3-18.el6_6 @updates nss-softokn-freebl-devel.x86_643.14.3-18.el6_6 @updates nss-sysinit.x86_64 3.16.1-14.el6 @base nss-tools.x86_64 3.16.1-14.el6 @base nss-util.i686 3.16.1-3.el6@base nss-util.x86_643.16.1-3.el6@base nss-util-devel.x86_64 3.16.1-3.el6@base [root@inet3 ~]# modutil -list -dbdir /etc/pki/nssdb Listing of PKCS #11 Modules --- 1. 
NSS Internal PKCS #11 Module slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services slot: NSS User Private Key and Certificate Services token: NSS Certificate DB 2. CoolKey PKCS #11 Module library name: libcoolkeypk11.so
[CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
-Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently? DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL. -Jason -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license. On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpye...@pdinc.us wrote: -Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently? DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL. -Jason -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
On Wed, 2014-12-03 at 18:20 -0500, Jason Pyeron wrote: -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Cal Webster Sent: Wednesday, December 03, 2014 17:35 To: CentOS List Subject: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don't use it for console logins, only for email and .mil web sites. I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries. After getting my new CAC I am no longer able to authenticate to any DoD sites. I can still sign and encrypt email in Thunderbird via the coolkey libraries but .mil sites either simply display blank pages or raise various errors in firefox. I am prompted for my PIN, which is successfully accepted but I'm not even prompted for which cert to use, like I used to be. Does your system trust CA32? I see Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32 Validity Not Before: Nov 24 00:00:00 2014 GMT Not After : Jan 30 23:59:59 2015 GMT Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383 That's a very good point, Jason. I could not locate that CA in the certs being stored for Firefox. It is, however, listed in the CA store in Thunderbird, which I've had no trouble using with coolkey libs. The trust settings there are all un-checked, though. I had also installed the latest dod_configuration-1.3.7.xpi extension which automatically downloads the latest DoD certs on installation. I assumed it was a complete set. After reading your message I went ahead and clicked the [Update DoD Certs...] button in the add-on preferences too - Still not listed. 
Apparently this cert is missed during this process. I went ahead and exported the cert from Thunderbird, then imported it into firefox. Now I'm up and running again. It's often the simple things we overlook, which is why it's nice to have a community to bounce things off of. Thanks for the help Jason. I've tried installing and loading the latest cackey libraries (see below) but when I insert my CAC and attempt to login to the module in the Mozilla device manager it completely freezes firefox. Recovery requires killing firefox. If I remove the latest and install the next previous cackey library it works the same as coolkey - doesn't freeze up firefox but never connects to .mil sites. I tried building the cackey RPMs from the source RPMs too but the result is the same. Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm Next previous cackey: cackey-0.6.5-2444.x86_64.rpm I'm pretty sure it has something to do with the newer PIV CAC internal layout. I went through a similar transition when the GEMAL 144 cards came out but the cackey libraries did at least work and coolkey eventually caught up. One thing is for sure... the cackey RPM from forge.mil is not a drop-in replacement for coolkey. The cackey RPM only installs the libraries themselves, nothing else. It doesn't even register them in the nss db I had to do that manually with modutil. I must be missing something... Without direct access to forge.mil it's difficult to troubleshoot cackey. For some silly reason they still require CAC authentication to get the CAC software and drivers and access the forums, etc. Ha. Have you contacted the DOD PKE team for support on that? DISA Tinker AFB OPS List PKE_Support dgisa.tinker.ops.list.pkesupp...@mail.mil No, but thank you for the contact info. Even though I've got my issue resolved, I'd be happy to help iron out the cackey package issues if someone wants. More relevant information below... I'd be grateful for any ideas or advice on this. 
I desperately need to retrieve vulnerability reports, patches, and other DoD resources. Thanks! Cal Webster I have a GD FIPS 201 SCE 3.2 test CAC from JITC I can attach to VM for debbuging. Thanks but that won't be necessary now unless someone else needs the help. Smart Card Reader: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0 Old CAC:GEMAL TO TOPDL GX4 144 New CAC:GD FIPS 201 SCE 3.2 [root@inet3 ~]# cat /etc/redhat-release CentOS release 6.6 (Final) [root@inet3 ~]# uname -a Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux [root@inet3 ~]# Installed Packages coolkey.i686 1.1.0-32.el6@base coolkey.x86_64 1.1.0-32.el6@base firefox.i686
Re: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
On Thu, 2014-12-04 at 11:22 -0500, Jason Ricles wrote: I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently? DoD does use RHEL for the critical infrastructure hosts and in our case for training simulators. The issue here was with a separate non-DoD asset used to retrieve security updates and to conduct research to support engineering efforts on isolated, stand-alone networks. The isolated networks are not allowed to touch the Internet. CentOS 6 (and recently 7) has been approved for engineering labs and certain RD facilities too, BTW - You'll see it if you do a search in DADMS. We do use CentOS for local general purpose servers and workstations. On Wed, Dec 3, 2014 at 5:34 PM, Cal Webster cwebs...@ec.rr.com wrote: Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don't use it for console logins, only for email and .mil web sites. I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries. After getting my new CAC I am no longer able to authenticate to any DoD sites. I can still sign and encrypt email in Thunderbird via the coolkey libraries but .mil sites either simply display blank pages or raise various errors in firefox. I am prompted for my PIN, which is successfully accepted but I'm not even prompted for which cert to use, like I used to be. I've tried installing and loading the latest cackey libraries (see below) but when I insert my CAC and attempt to login to the module in the Mozilla device manager it completely freezes firefox. Recovery requires killing firefox. If I remove the latest and install the next previous cackey library it works the same as coolkey - doesn't freeze up firefox but never connects to .mil sites. 
I tried building the cackey RPMs from the source RPMs too but the result is the same. Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm Next previous cackey: cackey-0.6.5-2444.x86_64.rpm I'm pretty sure it has something to do with the newer PIV CAC internal layout. I went through a similar transition when the GEMAL 144 cards came out but the cackey libraries did at least work and coolkey eventually caught up. One thing is for sure... the cackey RPM from forge.mil is not a drop-in replacement for coolkey. The cackey RPM only installs the libraries themselves, nothing else. It doesn't even register them in the nss db I had to do that manually with modutil. I must be missing something... The Without direct access to forge.mil it's difficult to troubleshoot cackey. For some silly reason they still require CAC authentication to get the CAC software and drivers and access the forums, etc. More relevant information below... I'd be grateful for any ideas or advice on this. I desperately need to retrieve vulnerability reports, patches, and other DoD resources. Thanks! Cal Webster Smart Card Reader: SCM Microsystems Inc. 
SCR3310 USB Smart Card Reader (21120628202509) 00 00-0 Old CAC:GEMAL TO TOPDL GX4 144 New CAC:GD FIPS 201 SCE 3.2 [root@inet3 ~]# cat /etc/redhat-release CentOS release 6.6 (Final) [root@inet3 ~]# uname -a Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux [root@inet3 ~]# Installed Packages coolkey.i686 1.1.0-32.el6@base coolkey.x86_64 1.1.0-32.el6@base firefox.i686 31.2.0-3.el6.centos @updates firefox.x86_64 31.2.0-3.el6.centos @updates thunderbird.x86_64 31.2.0-3.el6.centos @updates pcsc-lite.x86_64 1.5.2-14.el6@base pcsc-lite-devel.x86_64 1.5.2-14.el6@base pcsc-lite-libs.x86_64 1.5.2-14.el6@base nss.i686 3.16.1-14.el6 @base nss.x86_64 3.16.1-14.el6 @base nss-devel.x86_64 3.16.1-14.el6 @base nss-softokn.i686 3.14.3-18.el6_6 @updates nss-softokn.x86_64 3.14.3-18.el6_6 @updates nss-softokn-devel.x86_64 3.14.3-18.el6_6 @updates nss-softokn-freebl.i6863.14.3-18.el6_6 @updates nss-softokn-freebl.x86_64 3.14.3-18.el6_6 @updates nss-softokn-freebl-devel.x86_643.14.3-18.el6_6 @updates nss-sysinit.x86_64 3.16.1-14.el6 @base nss-tools.x86_64 3.16.1-14.el6 @base nss-util.i686
[CentOS] Postfix avc (SELinux)
I am seeing these avc messages on a newly commissioned and up-to-date CentOS-6 virtual guest:

time-Thu Dec 4 12:14:58 2014
type=SYSCALL msg=audit(1417713298.610:60522): arch=c03e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm=trivial-rewrite exe=/usr/libexec/postfix/trivial-rewrite subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294 comm=trivial-rewrite name=tmp dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

We are using a locally built Postfix (Postfix-2.8+ is required to support postscreen and CentOS only provides 2.6.6)

rpm -qi postfix
Name        : postfix                     Relocations: (not relocatable)
Version     : 2.11.1                      Vendor: (none)
Release     : 0.el6                       Build Date: Thu May 15 14:38:25 2014
Install Date: Fri Nov 28 14:57:25 2014    Build Host: xnet242.hamilton.harte-lyne.ca
Group       : System Environment/Daemons  Source RPM: postfix-2.11.1-0.el6.src.rpm
Size        : 13111458                    License: IBM
Signature   : (none)
URL         : http://www.postfix.org
Summary     : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS

Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but. . .

getsebool -a | grep postfix
allow_postfix_local_write_mail_spool -- on

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3
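The two audit records in the post above share one event serial and can be read together. The following is an added example, not part of the original message: it pairs the AVC record with its SYSCALL record and renders the denial as a type-enforcement rule in the form audit2allow emits, so the rule can be reviewed before any local policy is built. The sample text is constructed from the post's records (auditd's usual quoting restored, some fields trimmed) and the function names are hypothetical.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: the post's two records, quoting restored, fields trimmed.
SAMPLE = (
    'type=SYSCALL msg=audit(1417713298.610:60522): syscall=2 success=no '
    'exit=-13 a1=0 pid=4294 comm="trivial-rewrite" '
    'exe="/usr/libexec/postfix/trivial-rewrite" '
    'subj=unconfined_u:system_r:postfix_master_t:s0\n'
    'type=AVC msg=audit(1417713298.610:60522): avc:  denied  { read } for  '
    'pid=4294 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=393240 '
    'scontext=unconfined_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir\n'
)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_line(line):
    """Return one audit record as a dict, or None if it carries no event id."""
    event = EVENT.search(line)
    if not event:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["serial"] = int(event.group(2))
    avc = AVC.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    return rec


def type_of(context):
    """SELinux contexts are user:role:type[:level]; the type is field three."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def denials(text):
    """Pair every denied AVC with the SYSCALL record sharing its serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["serial"]].append(rec)
    found = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        for avc in recs:
            if avc.get("type") != "AVC" or avc.get("decision") != "denied":
                continue
            if not all(k in avc for k in ("scontext", "tcontext", "tclass")):
                continue
            code = abs(int(syscall.get("exit", "0")))
            found.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "exe": syscall.get("exe"),
                "source": type_of(avc["scontext"]),
                "target": type_of(avc["tcontext"]),
                "tclass": avc["tclass"],
                "perms": avc["perms"],
                "object": avc.get("name"),
                # A negative exit value is the errno returned to the caller.
                "errno": errno.errorcode.get(code) if code else None,
            })
    return found


def allow_rule(d):
    """The rule that would permit this access; review it, do not load blindly."""
    perms = d["perms"]
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], body)


if __name__ == "__main__":
    for d in denials(SAMPLE):
        print("%s (%s) got %s on %s %r" % (
            d["comm"], d["source"], d["errno"], d["tclass"], d["object"]))
        print(allow_rule(d))
```
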
Re: [CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
On Thu, 2014-12-04 at 11:41 -0500, Jason Ricles wrote: Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license. I would recommend RHEL for critical systems or those that must be certified for a particular purpose, such as CA servers. We've been using CentOS for years now on our internal networks for software development, local site mail service (SMTP/POP/IMAP), file services (FTP/NFS/SMB/CIFS), DNS, local web servers, etc. It works very well for this, especially for software development where multiple people can get a GUI login through Stunnel-VNC-GDM and/or shell through ssh. We're also using CentOS for software maintenance of RHEL hosts on our aircraft simulators. Many of our software developers prefer a CentOS workstation because of its versatility. On those we install MS Windoze as a KVM guest for those applications that require it. My internal workstation is setup this way for use network/systems admin and analysis, software development, as well as normal office tasks. On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpye...@pdinc.us wrote: -Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently? DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL. -Jason -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. 
Re: [CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
On Thu, 2014-12-04 at 11:30 -0500, m.r...@5-cent.us wrote: Cal Webster wrote: On Thu, 2014-12-04 at 08:08 -0500, mark wrote: On 12/03/14 17:34, Cal Webster wrote: Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don't use it for console logins, only for email and .mil web sites. I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries. Dunno 'bout the new CaC keys, but they upgraded our PIV cards to 128? 256? I forget, earlier this year, and I *think* I remember my manager pushing an enhancement on upstream, and since then we've had no trouble with coolkey accessing them. The two *should* be identical. Was source for this upstream enhancement released to the community? Not Yup. We have a few RHEL licenses, so he could push for the enhancement. It was released, and we were using it with CentOS 6.5. It must have been in the coolkey-1.1.0-32 update. Build Date: Wed 15 Oct 2014 11:11:10 AM EDT Install Date: Wed 29 Oct 2014 05:04:04 AM EDT sure what you meant by The two - you mean coolkey and cackey? Nope. We don't use cackey. snip I've tried installing and loading the latest cackey libraries (see I know nothing about cackey libraries, but it's possible that, and pcscd are arguing. I don't see pcscd installed. pcsc-lite-1.5.2-14.el6.x86_64 (listed on original post) contains pcscd. Sure that's possible but I see nothing to support that in the system logs Watch out that opensc that *doesn't* come with pcscd isn't loaded. Oh, also, new card - do you have a new CA chain? Is that installed? snip mark, who has a new card a few weeks ago, and had to deal with the CA change from Verizon to Entrust Yes, I learned to avoid opensc years ago when we first setup the CACs. A missing CA cert turned out to be the problem. 
I checked after Jason Pyeron was kind enough to mention MAIL CA-32 listed on my CAC cert lookup. Sure enough, it was missing in the Firefox CA store but present in the Thunderbird store. This explains why I could sign and encrypt email but not access .mil web sites. When I used the dod_configuration mozilla add-on to update the certs I assumed it would get them all. Apparently not. In fact, I think it deleted this cert because I recorded everything on my previous CAC before getting the new one. It was also using CA-32. I ended up just exporting the cert from Thunderbird and importing it into Firefox. ./Cal ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
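The check that resolved this thread, as an added example that is not code from any of the posters: look up the issuer of the card's certificate in each application's NSS store and report where it is missing. The two `certutil -L -d <profile>` listings are constructed, the nickname form and the "Example Root CA" entry are assumptions, and the function names are hypothetical.

```python
import re

# Constructed `certutil -L -d <profile>` output for the two profiles.
THUNDERBIRD = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
DOD EMAIL CA-32 - U.S. Government                            ,,
"""

FIREFOX = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
"""

# Issuer line quoted in the thread.
ISSUER = "C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32"

# A listing row is "<nickname><spaces><ssl>,<smime>,<codesign>".
ROW = re.compile(r"^(.*\S)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")


def parse_listing(text):
    """Map nickname -> (ssl, smime, codesign) trust flags; headers are skipped."""
    store = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            store[m.group(1)] = m.groups()[1:]
    return store


def issuer_cn(dn):
    """Pull the CN out of a comma-separated distinguished name."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def find_issuer(store, cn):
    """Heuristic match: NSS nicknames usually contain the CN, not always."""
    return {n: f for n, f in store.items() if cn.lower() in n.lower()}


def audit(issuer_dn, listings):
    """Report, per store, whether the issuing CA is present and SSL-trusted."""
    cn = issuer_cn(issuer_dn)
    report = {}
    for name, listing in listings.items():
        hits = find_issuer(parse_listing(listing), cn)
        if not hits:
            report[name] = "missing"
        elif any("C" in ssl or "T" in ssl for ssl, _, _ in hits.values()):
            report[name] = "present, trusted for SSL"
        else:
            # An intermediate can carry no flags and still chain to a trusted root.
            report[name] = "present, no SSL trust bits"
    return report


if __name__ == "__main__":
    result = audit(ISSUER, {"thunderbird": THUNDERBIRD, "firefox": FIREFOX})
    for store, state in sorted(result.items()):
        print("%-12s %s" % (store, state))
```
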
Re: [CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
That is true, which we are using ours for critical things. Guess RHEL will be the way to go till Centos is maybe approved for critical systems as well. On Thu, Dec 4, 2014 at 12:29 PM, Cal Webster cwebs...@ec.rr.com wrote: On Thu, 2014-12-04 at 11:41 -0500, Jason Ricles wrote: Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license. I would recommend RHEL for critical systems or those that must be certified for a particular purpose, such as CA servers. We've been using CentOS for years now on our internal networks for software development, local site mail service (SMTP/POP/IMAP), file services (FTP/NFS/SMB/CIFS), DNS, local web servers, etc. It works very well for this, especially for software development where multiple people can get a GUI login through Stunnel-VNC-GDM and/or shell through ssh. We're also using CentOS for software maintenance of RHEL hosts on our aircraft simulators. Many of our software developers prefer a CentOS workstation because of its versatility. On those we install MS Windoze as a KVM guest for those applications that require it. My internal workstation is setup this way for use network/systems admin and analysis, software development, as well as normal office tasks. On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpye...@pdinc.us wrote: -Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently? DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL. -Jason -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. 
http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
Re: [CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
-Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:42 Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license. But you will still need a (self?) support plan to be STIG compliant. On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpye...@pdinc.us wrote: -Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently? DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL. -Jason -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] What is the not supported hardware?
When the installer complains that it has detected unsupported hardware, is there any way to tell just what it didn't like? Following the URL in the message just ends up at the RHEL Hardware Certification page, which isn't much help. The installer seemed quite willing to continue with the installation, and poking around from the shell VT I didn't find anything that didn't seem to be working. I also didn't see anything relevant in any of the message VTs. As it turns out this isn't a big deal for me, since this was the CentOS 6.5 installer and there was no such warning from the 6.6 installer. I'm just wondering how I might go about tracking that down, -- Bob Nichols NOSPAM is really part of my email address. Do NOT delete it. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
Do you mean as in terms of updates? I forget some of the STIGs and don't deal with that part of our projects.

On Thu, Dec 4, 2014 at 1:14 PM, Jason Pyeron jpye...@pdinc.us wrote:

-Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:42

Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license.

But you will still need a (self?) support plan to be STIG compliant.

On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpye...@pdinc.us wrote:

-Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC

I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently?

DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL.

-Jason

--
Jason Pyeron                      PD Inc. http://www.pdinc.us
Principal Consultant              10 West 24th Street #100
+1 (443) 269-1555 x333            Baltimore, Maryland 21218
This message is copyright PD Inc, subject to license 20080407P00.
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
On Thu, 2014-12-04 at 13:09 -0500, Jason Ricles wrote:

That is true, which we are using ours for critical things. Guess RHEL will be the way to go till Centos is maybe approved for critical systems as well.

That's really up to the program manager in which the machine would be used. He would make a determination whether it's supportable and maintainable, based on in-house expertise and/or outside contract support. RHEL subscriptions give you instant support and patches if necessary. Otherwise, unless another RHEL subscriber has the same issue, you'd have to wait for the community to fix something then get it integrated into RHEL before filtering down to CentOS. If this is acceptable then CentOS is an option.

On Thu, Dec 4, 2014 at 12:29 PM, Cal Webster cwebs...@ec.rr.com wrote:

On Thu, 2014-12-04 at 11:41 -0500, Jason Ricles wrote:

Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license.

I would recommend RHEL for critical systems or those that must be certified for a particular purpose, such as CA servers.

We've been using CentOS for years now on our internal networks for software development, local site mail service (SMTP/POP/IMAP), file services (FTP/NFS/SMB/CIFS), DNS, local web servers, etc. It works very well for this, especially for software development where multiple people can get a GUI login through Stunnel-VNC-GDM and/or shell through ssh.

We're also using CentOS for software maintenance of RHEL hosts on our aircraft simulators.

Many of our software developers prefer a CentOS workstation because of its versatility. On those we install MS Windoze as a KVM guest for those applications that require it. My internal workstation is setup this way for use network/systems admin and analysis, software development, as well as normal office tasks.

On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpye...@pdinc.us wrote:

-Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC

I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently?

DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL.

-Jason

--
Jason Pyeron                      PD Inc. http://www.pdinc.us
Principal Consultant              10 West 24th Street #100
+1 (443) 269-1555 x333            Baltimore, Maryland 21218
This message is copyright PD Inc, subject to license 20080407P00.
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is the not supported hardware?
We noticed this when installing onto some new Dell R320's.. it might have something to do with hardware that the device had that the older kernel might not have known about. Nothing seemed wrong and everything seemed to install ok (we would also update the kernel in the install process, so that probably hid any further problems), but moving to a 6.6 install made the silly error message go away.

On Thu, Dec 4, 2014 at 11:14 AM, Robert Nichols rnicholsnos...@comcast.net wrote:

When the installer complains that it has detected unsupported hardware, is there any way to tell just what it didn't like? Following the URL in the message just ends up at the RHEL Hardware Certification page, which isn't much help. The installer seemed quite willing to continue with the installation, and poking around from the shell VT I didn't find anything that didn't seem to be working. I also didn't see anything relevant in any of the message VTs.

As it turns out this isn't a big deal for me, since this was the CentOS 6.5 installer and there was no such warning from the 6.6 installer. I'm just wondering how I might go about tracking that down,

--
Bob Nichols NOSPAM is really part of my email address. Do NOT delete it.
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Postfix avc (SELinux)
On 04.12.2014 at 18:29, James B. Byrne wrote:

I am seeing these avc messages on a newly commissioned and up-to-date CentOs-6 virtual guest:

    time->Thu Dec 4 12:14:58 2014
    type=SYSCALL msg=audit(1417713298.610:60522): arch=c03e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm=trivial-rewrite exe=/usr/libexec/postfix/trivial-rewrite subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
    type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294 comm=trivial-rewrite name=tmp dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

We are using a locally built Postfix (Postfix-2.8+ is required to support postscreen and CentOS only provides 2.6.6)

    rpm -qi postfix
    Name        : postfix                        Relocations: (not relocatable)
    Version     : 2.11.1                         Vendor: (none)
    Release     : 0.el6                          Build Date: Thu May 15 14:38:25 2014
    Install Date: Fri Nov 28 14:57:25 2014       Build Host: xnet242.hamilton.harte-lyne.ca
    Group       : System Environment/Daemons     Source RPM: postfix-2.11.1-0.el6.src.rpm
    Size        : 13111458                       License: IBM
    Signature   : (none)
    URL         : http://www.postfix.org
    Summary     : Postfix Mail Transport Agent
    Description : Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS

Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but. . .

    getsebool -a | grep postfix
    allow_postfix_local_write_mail_spool --> on

https://bugzilla.redhat.com/show_bug.cgi?id=892024

Are you sure you are really up to date on CentOS 6? https://rhn.redhat.com/errata/RHBA-2013-1598.html is old and meanwhile outdated. I don't have such a problem with the Postfix 2.11.3 package from ghettoforge on a current CentOS 6.6.

Alexander
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Postfix avc (SELinux)
On Thu, December 4, 2014 12:29, James B. Byrne wrote:

Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but. . .

Anyone see any problem with generating a custom policy consisting of the following?

    grep avc /var/log/audit/audit.log | audit2allow

    #============= amavis_t ==============
    allow amavis_t shell_exec_t:file execute;
    allow amavis_t sysfs_t:dir search;

    #============= clamscan_t ==============
    allow clamscan_t amavis_spool_t:dir read;

    #============= logwatch_mail_t ==============
    allow logwatch_mail_t usr_t:lnk_file read;

    #============= postfix_master_t ==============
    allow postfix_master_t tmp_t:dir read;

    #============= postfix_postdrop_t ==============
    allow postfix_postdrop_t tmp_t:dir read;

    #============= postfix_showq_t ==============
    allow postfix_showq_t tmp_t:dir read;

    #============= postfix_smtp_t ==============
    allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
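Added example, not part of the thread or any poster's code: before loading audit2allow output as a local policy, it helps to see which process and object produced each proposed rule. This Python code parses AVC records like the one quoted earlier in the thread, merges them into allow rules, and marks rules whose target is a generic label; every sample record after the first and the GENERIC_TARGETS list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample input. The first record is the denial quoted in the thread (fields
# unquoted, as shown there); the remaining lines are constructed for this
# example and use the quoted form found in a raw audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294 comm=trivial-rewrite name=tmp dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=USER_START msg=audit(1417713299.000:60523): pid=4299 uid=0 res=success
type=AVC msg=audit(1417713300.100:60530): avc:  denied  { read write } for  pid=4301 comm="smtp" name="A1B2C3" dev=dm-0 ino=400001 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1417713300.200:60531): avc:  denied  { getattr } for  pid=4301 comm="smtp" path="/var/spool/postfix/maildrop/A1B2C3" dev=dm-0 ino=400001 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: an illustrative, non-exhaustive set of generic
# labels. A denial against one of them can point at a mislabeled file or an
# unexpected working directory rather than a missing policy rule.
GENERIC_TARGETS = {"tmp_t", "usr_t", "var_t", "default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return the policy-relevant parts of one AVC denial, or None."""
    match = DENIAL.search(line)
    if "type=AVC" not in line or match is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
    try:
        # An SELinux context is user:role:type:level; rules use the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"source": source, "target": target, "tclass": tclass,
            "perms": set(match.group(1).split()),
            "comm": fields.get("comm", "?"),
            "object": fields.get("path") or fields.get("name", "?")}


def proposed_rules(log_text):
    """Merge denials into (source, target, class) -> permissions and evidence."""
    rules = defaultdict(lambda: {"perms": set(), "evidence": set()})
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None:
            continue
        rule = rules[(record["source"], record["target"], record["tclass"])]
        rule["perms"] |= record["perms"]
        rule["evidence"].add((record["comm"], record["object"]))
    return dict(rules)


def review_lines(rules):
    """Render each rule with the process/object pairs that triggered it."""
    lines = []
    for (source, target, tclass), rule in sorted(rules.items()):
        perms = sorted(rule["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        seen = ", ".join(f"{comm} -> {obj}" for comm, obj in sorted(rule["evidence"]))
        flag = "  [generic target: check labels first]" if target in GENERIC_TARGETS else ""
        lines.append(f"allow {source} {target}:{tclass} {perm_text};  # {seen}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(review_lines(proposed_rules(SAMPLE_LOG))))
```

Permissions inside braces are sorted alphabetically here, so their order can differ from audit2allow's.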
Re: [CentOS] What is the not supported hardware?
On Thu, Dec 4, 2014 at 12:32 PM, m.r...@5-cent.us wrote:

Jeremy Hoel wrote:

We noticed this when installing onto some new Dell R320's.. it might have something to do with hardware that the device had that the older kernel might not have known about. Nothing seemed wrong and everything seemed to install ok (we would also update the kernel in the install process, so that probably hid any further problems), but moving to a 6.6 install made the silly error message go away.

Please don't top post.

Dumb question: *how* were you installing? Did you have a kickstart of your very own? If so... could it have wanted eth0, and the installer called it em1?

mark

Kickstart.. and we had already changed the interface to the new name. It's the same kickstart between the two versions, with just the nic name being different.
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
-Original Message- From: Cal Webster Sent: Thursday, December 04, 2014 13:31

On Thu, 2014-12-04 at 13:09 -0500, Jason Ricles wrote:

That is true, which we are using ours for critical things. Guess RHEL will be the way to go till Centos is maybe approved for critical systems as well.

That's really up to the program manager in which the machine would be

More correct the DAA [designated approving authority], not the PM.

used. He would make a determination whether it's supportable and maintainable, based on in-house expertise and/or outside contract support. RHEL subscriptions give you instant support and patches if necessary. Otherwise, unless another RHEL subscriber has the same issue, you'd have to wait for the community to fix something then get it integrated into RHEL before filtering down to CentOS. If this is acceptable then CentOS is an option.

On Thu, Dec 4, 2014 at 12:29 PM, Cal Webster cwebs...@ec.rr.com wrote:

On Thu, 2014-12-04 at 11:41 -0500, Jason Ricles wrote:

Gotcha, I also work with DoD for Navy systems and was surprised by that. So you mean if we don't want to pay RHEL licensing fees, we can use Centos? Since we are paying about $100 per RHEL license.

I would recommend RHEL for critical systems or those that must be certified for a particular purpose, such as CA servers.

We've been using CentOS for years now on our internal networks for software development, local site mail service (SMTP/POP/IMAP), file services (FTP/NFS/SMB/CIFS), DNS, local web servers, etc. It works very well for this, especially for software development where multiple people can get a GUI login through Stunnel-VNC-GDM and/or shell through ssh.

We're also using CentOS for software maintenance of RHEL hosts on our aircraft simulators.

Many of our software developers prefer a CentOS workstation because of its versatility. On those we install MS Windoze as a KVM guest for those applications that require it. My internal workstation is setup this way for use network/systems admin and analysis, software development, as well as normal office tasks.

On Thu, Dec 4, 2014 at 11:36 AM, Jason Pyeron jpye...@pdinc.us wrote:

-Original Message- From: Jason Ricles Sent: Thursday, December 04, 2014 11:23 To: CentOS mailing list Subject: Re: [CentOS] Firefox fails to authenticate .mil sites with New DoDCAC

I thought DoD used RHEL and not Centos, or did Centos did approved DADEMS recently?

DADMS is a Navy system, but yes Centos is approved for use by DISA. You would STIG it just like RHEL.

-Jason

--
Jason Pyeron                      PD Inc. http://www.pdinc.us
Principal Consultant              10 West 24th Street #100
+1 (443) 269-1555 x333            Baltimore, Maryland 21218
This message is copyright PD Inc, subject to license 20080407P00.
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Guidance: compile education
This question may not belong in the Centos.org list, but I do want to compile against this distro. Please advise. The question: Can I be pointed at methods to learn to compile source against a distro. I have software development background (but too long ago to be specifically useful; however I have the concepts). Typically I can find some fairly decent step-by-steps for some apps, but it never works out. Which means I am missing the basics. I have been working with Centos and Fedora through many VM and metal installs, so that part is OK. I am getting tired of constantly trying to find the app I want in the distro, or an applicable rpm. It's time to compile. Stan ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Guidance: compile education
On Thu, 04 Dec 2014 15:16:28 -0700 Stan Cruise wrote:

Can I be pointed at methods to learn to compile source against a distro.

I think you need to ask a more specific question, but this is an overview of the process to give you a place to start with further reading. Google is your friend here.

To compile programs, you need to install a compiler (usually gcc) and whatever development libraries are required. Those are usually named something-devel, so if you are compiling a program that uses the SDL library, for example, you need to install the SDL-devel rpm as well.

A lot of software comes with configure and make scripts. If that's the case, you can compile it by moving into the source directory and typing ./configure (with the dot and slash), then make. Configure sometimes comes with options for where to install the software after compiling it. If that's the case, type

    ./configure --prefix=/path/to/your/directory

instead of just typing ./configure alone. After running make, run make install to install the software.

This procedure works, but I personally avoid it if possible. It's usually a better idea to install rpms on a Centos system. The effort required to create a rpm for any particular program ranges from absolutely trivial to next to impossible.

If you want to create and/or recompile rpms, you should install rpmdevtools, then run rpmdev-setuptree to create a rpm build tree in your home directory. Otherwise you will have to compile rpms as the root user which is possible but generally not a really good idea. (rpmdevtools does a lot of other handy stuff, too.)

The easiest way to create a new rpm (assuming that one doesn't already exist) is to edit an existing spec file for something that's as similar to what you are trying to do as possible. In many cases you can find an existing rpm for the program that you're trying to install as a Fedora rpm. If that's the case, download and recompile the Fedora .src.rpm and it will in many cases work perfectly. Sometimes you need to make some small changes in the spec file but a lot of the time you don't even have to do that.

--
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Guidance: compile education
On Thu, Dec 4, 2014 at 4:16 PM, Stan Cruise stancru...@me.com wrote:

This question may not belong in the Centos.org list, but I do want to compile against this distro. Please advise.

The question: Can I be pointed at methods to learn to compile source against a distro. I have software development background (but too long ago to be specifically useful; however I have the concepts). Typically I can find some fairly decent step-by-steps for some apps, but it never works out. Which means I am missing the basics. I have been working with Centos and Fedora through many VM and metal installs, so that part is OK. I am getting tired of constantly trying to find the app I want in the distro, or an applicable rpm. It's time to compile.

The best approach depends very much on the target application and how you intend to manage it. Most sources will have a generic configure script and makefile that will build and maybe install in /usr/local. For a quick test, that might be enough, but you have to note where things land and clean up after yourself.

Note that 'most' things worth building have already been packaged as RPMs, so finding them is still going to be your easiest solution. If they are for a 'slightly' wrong distro, you can often grab the source rpm instead of the binary and 'rpmbuild --rebuild ...' to get locally configured binary rpms. The somewhat higher level approach to this is to install the 'mock' package from epel and then 'mock -r some_version --rebuild some_src.rpm'. This will download all of the required library support and build the binary rpm for some fedora/centos other than the running system.

There are lots of variations, but these may get something working without a lot of specific programming knowledge. One other thing to know about would be 'software collections' that have updated versions of applications that can co-exist with the stock versions. This might come into play if you run across source that uses c++11 and you want to compile it on Centos 6 (thus needing a newer gcc, etc.).

--
Les Mikesell lesmikes...@gmail.com
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] DegradedArray message
On 12/04/2014 05:45 AM, David McGuffey wrote:

md0 is made up of two 250G disks on which the OS and a very large /var partitions resides for a number of virtual machines. ... Challenge is that disk 0 of md0 is the problem and it has a 524M /boot partition outside of the raid partition.

Assuming that you have an unused drive port, you can fix that pretty easily. Attach a new replacement disk to the unused port. Let's say that it comes up as /dev/sde.

Copy the partition table to it (unless it's GPT, in which case use parted):

    sfdisk -d /dev/sda | sfdisk /dev/sde

Unmount /boot and copy that partition (assuming that it is sda1):

    umount /boot
    dd if=/dev/sda1 of=/dev/sde1 bs=1M

Install grub on the new drive:

    grub-install /dev/sde

At that point, you should be able to also add the new partition to the md array:

    mdadm /dev/md0 --add /dev/sde2

Once it rebuilds, shut down. Remove the bad drive. Put the new drive in its place. In theory the system will boot and be whole.

In practice, however, there's a bunch of information you didn't provide, so some of those steps are wrong. I'm not sure what dm-0, dm-2 and dm-3 are, but they're indicated in your mdstat. I'm guessing that you made partitions, and then made LVM or crypto devices, and then did RAID on top of that. If either of those are correct, that's completely the wrong way to build RAID sets. You risk either bad performance from doing crypto more often than is required, or possibly corruption as a result of LVM not mapping blocks the way you expect.

If you build software RAID, I really strongly recommend that you keep it as simple as possible. That means a) build software RAID sets from raw partitions and b) use as few partitions as possible.

Typically, I'll create two partitions on all disks. The first is a small partition for /boot, which may be part of a RAID1 set or may be unused. The second partition covers the rest of the drive and will be used in whatever arrangement is suitable for that system, whether it's RAID1, RAID5, or RAID10. All of the drives are consistent, so there's always a place to copy /boot, and just one script or process to set up new disks regardless of their position in the array. md0 is used for /boot, and md1 is an LVM PV. All of the filesystems other than /boot are LVs.

Hopefully btrfs will become the default fs in the near future and all of this will be vastly simplified.
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is the not supported hardware?
On Thu, Dec 4, 2014 at 12:32 PM, m.r...@5-cent.us wrote: Dumb question: *how* were you installing? Did you have a kickstart of your very own? If so... could it have wanted eth0, and the installer called it em1? In my case there was no kickstart -- just a plain install from the ISO image, and the complaint from the installer comes long before I get a chance to do any customizations. -- Bob Nichols NOSPAM is really part of my email address. Do NOT delete it. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos