Re: [CentOS] spectre variant 2
On Fri, Mar 16, 2018 at 09:42:34PM +, Phil Perry wrote:
> On 16/03/18 18:24, Fred Smith wrote:
> > Hi all!
> >
> > I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU.
>
> What kernel are you running (uname -r)?

uname -r
3.10.0-693.21.1.el7.x86_64

> > I note that when I run the redhat script to test for spectre & meltdown
> > I get this result for variant 2:
> >
> > Variant #2 (Spectre): Vulnerable
> > CVE-2017-5715 - speculative execution branch target injection
> > - Kernel with mitigation patches: OK
> > - HW support / updated microcode: NO
> > - IBRS: Not disabled on kernel commandline
> > - IBPB: Not disabled on kernel commandline
> >
> > and when I run the one from github I get this:
> >
> > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> > * Mitigated according to the /sys interface: NO (kernel confirms your
> >   system is vulnerable)
> > * Mitigation 1
> >   * Kernel is compiled with IBRS/IBPB support: YES
> >   * Currently enabled features
> >     * IBRS enabled for Kernel space: NO
> >     * IBRS enabled for User space: NO
> >     * IBPB enabled: NO
> > * Mitigation 2
> >   * Kernel compiled with retpoline option: YES
> >   * Kernel compiled with a retpoline-aware compiler: UNKNOWN
> > > STATUS: VULNERABLE (Vulnerable: Retpoline without IBPB)
> >
> > So, I'm wondering:
> > 1. has RH in fact released mitigations for this issue for AMD processors, and
> > 2. has AMD released microcode updates for this?
> >
> > I have no idea how to query AMD with such a question, anybody here know?
> >
> > Thanks in advance!

-- 
Fred Smith -- fre...@fcshome.stoneham.ma.us
"God made him who had no sin to be sin for us, so that in him we might become the righteousness of God." --- Corinthians 5:21

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] spectre variant 2
On 16/03/18 18:24, Fred Smith wrote:
> Hi all!
>
> I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU.

What kernel are you running (uname -r)?

> I note that when I run the redhat script to test for spectre & meltdown
> I get this result for variant 2:
>
> Variant #2 (Spectre): Vulnerable
> CVE-2017-5715 - speculative execution branch target injection
> - Kernel with mitigation patches: OK
> - HW support / updated microcode: NO
> - IBRS: Not disabled on kernel commandline
> - IBPB: Not disabled on kernel commandline
>
> and when I run the one from github I get this:
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface: NO (kernel confirms your
>   system is vulnerable)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support: YES
>   * Currently enabled features
>     * IBRS enabled for Kernel space: NO
>     * IBRS enabled for User space: NO
>     * IBPB enabled: NO
> * Mitigation 2
>   * Kernel compiled with retpoline option: YES
>   * Kernel compiled with a retpoline-aware compiler: UNKNOWN
> > STATUS: VULNERABLE (Vulnerable: Retpoline without IBPB)
>
> So, I'm wondering:
> 1. has RH in fact released mitigations for this issue for AMD processors, and
> 2. has AMD released microcode updates for this?
>
> I have no idea how to query AMD with such a question, anybody here know?
>
> Thanks in advance!
Re: [CentOS] selinux: how to allow access?
On 16/03/18 18:37, Alexander Dalloz wrote:
> On 16.03.2018 at 13:09, hw wrote:
> > On 03/16/2018 12:14 PM, Richard Grainger wrote:
> > > > Yet again I could not find any documentation explaining how to do basic
> > > > things like this :( Selinux is more like a curse than anything else :( Why
> > > > is there not even good documentation?
> > >
> > > More trolling?
> >
> > Show me good documentation and/or name good reasons not to disable selinux.
> > Considering how much trouble it gives, there have to be *very* good reasons
> > to keep it enabled.

Would you turn off your firewall because you don't understand how it works? Or any security feature for that matter?

Invest a few hours of your life reading the documentation. There are plenty of good examples listed below. I've never had an SELinux problem I couldn't solve or work around in 2 minutes. Sometimes figuring out the *right* solution might take a little longer, but turning it off is very rarely going to be the right solution.

> Useful resources for SELinux:
>
> http://wiki.centos.org/HowTos/SELinux
> http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
> http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
> http://www.youtube.com/watch?v=bQqX3RWn0Yw
> http://opensource.com/business/13/11/selinux-policy-guide

and don't forget the definitive Red Hat documentation here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/

SELinux User's and Administrator's Guide at the bottom of the page. Download it and read it.
Re: [CentOS] cyrus: socket options
On 16.03.2018 at 13:07, hw wrote:

> [...]
> # lmtp cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
> lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
> [...]

Both definitions are wrong:

1) the lmtp line

man cyrus.conf

listen=
    The UNIX or internet socket to listen on. This string field is required and takes one of the following forms:
        path
        [ host : ] port

So listen="lmtp:127.0.0.1" is utter nonsense. It would be listen="127.0.0.1:lmtp" if you want to restrict access to localhost.

2) the lmtpunix line

man lmtpd

-a  Preauthorize connections initiated on an internet socket, instead of requiring LMTP AUTH. This should only be used for connections coming from trusted hosts.

So no pre-auth on the unix socket. And why do you define a prefork of 4?

Alexander
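The two rules Alexander quotes from the man pages (listen= must be a path or [host:]port; -a applies to internet sockets) as a checker for cyrus.conf service lines. This is an added example, not Cyrus code and not from anyone in the thread; KNOWN_SERVICES is a constructed stand-in for /etc/services so it runs offline.

```python
"""Check cyrus.conf service entries against the listen= forms the man page
allows (a path, or [host:]port) and against the lmtpd -a rule that it only
preauthorizes internet sockets. Added example, not Cyrus code and not from
anyone in the thread. KNOWN_SERVICES is a constructed stand-in for
/etc/services so the check runs offline; a deployment would resolve names
with socket.getservbyname().
"""
import ipaddress
import re

KNOWN_SERVICES = {"lmtp": 24, "imap": 143, "imaps": 993, "pop3": 110, "sieve": 4190}
_OPT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def _resolve_port(token):
    """Numeric port or known service name -> int; anything else -> None."""
    if token.isdigit() and 0 < int(token) < 65536:
        return int(token)
    return KNOWN_SERVICES.get(token.lower())


def _valid_host(host):
    """IP literal or plausible hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOST_RE.match(host))


def parse_listen(value):
    """Classify a listen= value as ('unix', None, path), ('inet', host, port)
    or ('invalid', host, port). IPv6 literals may be written in brackets."""
    if value.startswith("/"):
        return ("unix", None, value)
    host, sep, port = value.rpartition(":")
    host = host.strip("[]") if sep else None
    if host is not None and not _valid_host(host):
        return ("invalid", host, port)
    resolved = _resolve_port(port)
    if resolved is None:
        return ("invalid", host, port)
    return ("inet", host, resolved)


def check_entry(line):
    """Return a list of problems found in one cyrus.conf service line."""
    parts = line.split(None, 1)
    name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    opts = {k: q or b for k, q, b in _OPT_RE.findall(rest)}
    problems = []
    listen = opts.get("listen", "")
    kind, host, port = parse_listen(listen)
    if kind == "invalid":
        msg = '%s: listen="%s" is neither a path nor [host:]port' % (name, listen)
        # The slip from the thread: host and port written the wrong way round.
        if host and _resolve_port(host) is not None and _valid_host(port):
            msg += '; did you mean listen="%s:%s"?' % (port, host)
        problems.append(msg)
    if kind == "unix" and re.search(r"\s-a\b", opts.get("cmd", "")):
        problems.append("%s: lmtpd -a is documented to apply only to "
                        "internet sockets, not to a unix socket" % name)
    return problems


if __name__ == "__main__":
    for entry in ('lmtp cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4',
                  'lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4'):
        print(check_entry(entry) or ["%s: ok" % entry.split()[0]])
```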
Re: [CentOS] selinux: how to allow access?
> On 16.03.2018 at 13:09, hw wrote:
>
> On 03/16/2018 12:14 PM, Richard Grainger wrote:
> > > Yet again I could not find any documentation explaining how to do basic
> > > things like this :( Selinux is more like a curse than anything else :( Why
> > > is there not even good documentation?
> >
> > More trolling?
>
> Show me good documentation and/or name good reasons not to disable selinux.
> Considering how much trouble it gives, there have to be *very* good reasons
> to keep it enabled.

$ rpm -q --qf "%{URL}\n" libselinux

-- 
LF
Re: [CentOS] cyrus: socket options
On 16.03.2018 at 13:07, hw wrote:
> Hi,
>
> what are the following messages supposed to tell me and does this indicate a problem?
>
> # systemctl status cyrus-imapd
> [...]
> master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
> master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
> [...]

That's cyrus-imapd itself failing and has nothing to do with Exim.

> Exim says it can not connect to the lmtp socket even when selinux doesn't get in the way. The configuration looks like this:
>
> cyrus.conf (none of the two options work):
>
> [...]
> # lmtp cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
> lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
> [...]

Providing just a snippet from the complete configuration of cyrus-imapd is insufficient.

> exim.conf:
>
> [...]
> begin transports
>
> # cyrus_ltcp:
> #   driver = smtp
> #   protocol = lmtp
> #   delivery_date_add
> #   envelope_to_add
> #   return_path_add
> #   hosts = localhost
> #   allow_localhost
>
> lmtp_socket:
>   driver = lmtp
>   socket = /var/lib/imap/socket/lmtp
>   delivery_date_add
>   envelope_to_add
>   return_path_add
>
> # ls -la /var/lib/imap/socket/lmtp
> srwxrwxrwx. 1 root root 0 Mar 16 12:58 /var/lib/imap/socket/lmtp
>
> I have this working on the old server (which doesn't run Centos) and am trying to migrate it to the new one (which runs Centos 7.4). The version of cyrus and sasl are the same on both machines.

So cyrus-imapd and cyrus-sasl are not the ones shipped by CentOS?

> What's the problem with Centos that these things don't just work as they usually do?

It works on CentOS, I can assure you that.

Alexander
Re: [CentOS] selinux: how to allow access?
On 16.03.2018 at 13:09, hw wrote:
> On 03/16/2018 12:14 PM, Richard Grainger wrote:
> > > Yet again I could not find any documentation explaining how to do basic
> > > things like this :( Selinux is more like a curse than anything else :( Why
> > > is there not even good documentation?
> >
> > More trolling?
>
> Show me good documentation and/or name good reasons not to disable selinux.
> Considering how much trouble it gives, there have to be *very* good reasons
> to keep it enabled.

Useful resources for SELinux:

http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
http://www.youtube.com/watch?v=bQqX3RWn0Yw
http://opensource.com/business/13/11/selinux-policy-guide

Alexander
[CentOS] spectre variant 2
Hi all!

I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU.

I note that when I run the redhat script to test for spectre & meltdown I get this result for variant 2:

Variant #2 (Spectre): Vulnerable
CVE-2017-5715 - speculative execution branch target injection
- Kernel with mitigation patches: OK
- HW support / updated microcode: NO
- IBRS: Not disabled on kernel commandline
- IBPB: Not disabled on kernel commandline

and when I run the one from github I get this:

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support: YES
  * Currently enabled features
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * IBPB enabled: NO
* Mitigation 2
  * Kernel compiled with retpoline option: YES
  * Kernel compiled with a retpoline-aware compiler: UNKNOWN
> STATUS: VULNERABLE (Vulnerable: Retpoline without IBPB)

So, I'm wondering:
1. has RH in fact released mitigations for this issue for AMD processors, and
2. has AMD released microcode updates for this?

I have no idea how to query AMD with such a question, anybody here know?

Thanks in advance!

-- 
Fred Smith -- fre...@fcshome.stoneham.ma.us
"The eyes of the Lord are everywhere, keeping watch on the wicked and the good." - Proverbs 15:3 (niv)
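The two scripts in the post reach their verdict from the same two kernel interfaces, the spectre_v2 sysfs file and the flags line of /proc/cpuinfo; the following is an added example (not code from either script or from the poster) that applies the same logic to constructed samples mirroring the poster's state. It assumes the CentOS 7 kernel reports microcode support as the cpuinfo flags "ibpb" and "ibrs".

```python
"""Spectre v2 (CVE-2017-5715) verdict from the two kernel interfaces the
checkers in the post read: the spectre_v2 sysfs file and the "flags" line
of /proc/cpuinfo. Added example, not code from either checker or from the
poster; the sample strings are constructed to mirror the post (retpoline
kernel, no IBPB from microcode). Assumption: the CentOS 7 kernel exposes
microcode support as the cpuinfo flags "ibpb" and "ibrs"; confirm against
your own /proc/cpuinfo.
"""
SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed samples (not captured from a real machine).
SAMPLE_SYSFS = "Vulnerable: Retpoline without IBPB\n"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat clflush mmx fxsr sse sse2 ht syscall nx lm svm\n"
)
# The same CPU after a microcode update that adds IBPB.
SAMPLE_CPUINFO_UPDATED = SAMPLE_CPUINFO.replace(" svm\n", " svm ibpb\n")


def read_sysfs_status(path=SYSFS_SPECTRE_V2):
    """Live status line, or None if the kernel lacks the interface
    (and with it any Spectre v2 mitigation code)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def cpuinfo_flags(cpuinfo_text):
    """Feature flags of the first CPU, as a set."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def assess_spectre_v2(sysfs_line, cpuinfo_text):
    """Summarise the state the way the two scripts do. next_step names the
    missing piece: "kernel" (no mitigation code), "microcode" (kernel
    ready, CPU offers no IBPB), "config" (both present, mitigation not
    active, e.g. disabled on the kernel command line) or "none"."""
    status = (sysfs_line or "").strip()
    state, _, detail = status.partition(":")
    flags = cpuinfo_flags(cpuinfo_text)
    mitigated = state in ("Mitigation", "Not affected")
    kernel_has_retpoline = "retpoline" in detail.lower()
    has_ibpb = "ibpb" in flags
    if mitigated:
        next_step = "none"
    elif not kernel_has_retpoline:
        next_step = "kernel"
    elif not has_ibpb:
        next_step = "microcode"
    else:
        next_step = "config"
    return {
        "sysfs_status": status or "(interface missing)",
        "mitigated": mitigated,
        "kernel_has_retpoline": kernel_has_retpoline,
        "microcode_ibpb": has_ibpb,
        "microcode_ibrs": "ibrs" in flags,
        "next_step": next_step,
    }


if __name__ == "__main__":  # live check on a Linux host
    with open("/proc/cpuinfo") as fh:
        live = assess_spectre_v2(read_sysfs_status(), fh.read())
    for key, value in live.items():
        print("%-22s %s" % (key, value))
```

For the poster's state the result is next_step "microcode": the kernel already has the retpoline code, what is missing is the IBPB capability the CPU only gains from a microcode (or BIOS) update.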
Re: [CentOS] Install CentOS 7 over serial port on router board ?
On 16/03/2018 at 14:29, Leon Fauster wrote:
> We use a DIGITUS USB2Serial Converter (Prolific based USBID: VID:067B
> PID:2303) and then
>
> screen /dev/DEVICE 115200

Thanks everybody for your numerous suggestions. As soon as I have the hardware, I'll fiddle with it and then report back my findings.

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Re: [CentOS] Install CentOS 7 over serial port on router board ?
> On 16.03.2018 at 14:21, isdtor wrote:
>
> Nicolas Kovacs writes:
> > Hi,
> >
> > I have to install CentOS 7 for a client, to act as cache & filtering
> > proxy using Squid.
> >
> > I'd like to use this piece of specialized hardware :
> >
> > http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
> >
> > There is no VGA or HDMI video output, just a serial port to connect to,
> > and then three NICs and two USB ports.
> >
> > I've never installed CentOS over a serial console, so I don't even know
> > if it's possible in the first place. Has anyone ever done something like
> > that ?
> >
> > Any suggestions ?
>
> I haven't done this with Linux, only Soekris+OpenBSD, but the principles are
> the same. PXE, kickstart, monitoring via serial port. Change console settings
> to point to the serial port as per Giles. Use a USB-to-serial converter to
> connect to a laptop running a terminal program, or serial cable with a
> desktop that still has a serial port. May need a null-modem cable, I don't
> remember.

We use a DIGITUS USB2Serial Converter (Prolific based USBID: VID:067B PID:2303) and then

screen /dev/DEVICE 115200

-- 
LF
Re: [CentOS] Install CentOS 7 over serial port on router board ?
Nicolas Kovacs writes:
> Hi,
>
> I have to install CentOS 7 for a client, to act as cache & filtering
> proxy using Squid.
>
> I'd like to use this piece of specialized hardware :
>
> http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
>
> There is no VGA or HDMI video output, just a serial port to connect to,
> and then three NICs and two USB ports.
>
> I've never installed CentOS over a serial console, so I don't even know
> if it's possible in the first place. Has anyone ever done something like
> that ?
>
> Any suggestions ?

I haven't done this with Linux, only Soekris+OpenBSD, but the principles are the same. PXE, kickstart, monitoring via serial port. Change console settings to point to the serial port as per Giles. Use a USB-to-serial converter to connect to a laptop running a terminal program, or serial cable with a desktop that still has a serial port. May need a null-modem cable, I don't remember.
Re: [CentOS] Install CentOS 7 over serial port on router board ?
On Fri, 16 Mar 2018, Nicolas Kovacs wrote:
> I have to install CentOS 7 for a client, to act as cache & filtering
> proxy using Squid.
>
> I'd like to use this piece of specialized hardware :
>
> http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
>
> There is no VGA or HDMI video output, just a serial port to connect to,
> and then three NICs and two USB ports.
>
> I've never installed CentOS over a serial console, so I don't even know
> if it's possible in the first place. Has anyone ever done something like
> that ?
>
> Any suggestions ?

Kickstart, and do a non-interactive install. That's always my preferred route.

serial, as you've already had suggested.

Set anaconda to provide vnc, then connect to the vncserver and install using the normal graphical installer just like you would on a default install.

jh
Re: [CentOS] Install CentOS 7 over serial port on router board ?
On 16/03/18 12:57, Nicolas Kovacs wrote:
> Hi,
>
> I have to install CentOS 7 for a client, to act as cache & filtering
> proxy using Squid.
>
> I'd like to use this piece of specialized hardware :
>
> http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
>
> There is no VGA or HDMI video output, just a serial port to connect to,
> and then three NICs and two USB ports.
>
> I've never installed CentOS over a serial console, so I don't even know
> if it's possible in the first place. Has anyone ever done something like
> that ?
>
> Any suggestions ?

You should look up installing Centos over a serial console, I believe you should be able to change the install parameters for netinstall to provide a console on the serial port.

Failing that have you considered installing Centos to the mSATA disk on a different system and then just transplanting the built system into this appliance?

> Niki
[CentOS] Install CentOS 7 over serial port on router board ?
Hi,

I have to install CentOS 7 for a client, to act as cache & filtering proxy using Squid.

I'd like to use this piece of specialized hardware :

http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html

There is no VGA or HDMI video output, just a serial port to connect to, and then three NICs and two USB ports.

I've never installed CentOS over a serial console, so I don't even know if it's possible in the first place. Has anyone ever done something like that ?

Any suggestions ?

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Re: [CentOS] selinux: how to allow access?
On 03/16/2018 12:14 PM, Richard Grainger wrote:
> > Yet again I could not find any documentation explaining how to do basic
> > things like this :( Selinux is more like a curse than anything else :( Why
> > is there not even good documentation?
>
> More trolling?

Show me good documentation and/or name good reasons not to disable selinux. Considering how much trouble it gives, there have to be *very* good reasons to keep it enabled.
[CentOS] cyrus: socket options
Hi,

what are the following messages supposed to tell me and does this indicate a problem?

# systemctl status cyrus-imapd
[...]
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
[...]

Exim says it can not connect to the lmtp socket even when selinux doesn't get in the way. The configuration looks like this:

cyrus.conf (none of the two options work):

[...]
# lmtp cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
[...]

exim.conf:

[...]
begin transports

# cyrus_ltcp:
#   driver = smtp
#   protocol = lmtp
#   delivery_date_add
#   envelope_to_add
#   return_path_add
#   hosts = localhost
#   allow_localhost

lmtp_socket:
  driver = lmtp
  socket = /var/lib/imap/socket/lmtp
  delivery_date_add
  envelope_to_add
  return_path_add

# ls -la /var/lib/imap/socket/lmtp
srwxrwxrwx. 1 root root 0 Mar 16 12:58 /var/lib/imap/socket/lmtp

I have this working on the old server (which doesn't run Centos) and am trying to migrate it to the new one (which runs Centos 7.4). The version of cyrus and sasl are the same on both machines.

What's the problem with Centos that these things don't just work as they usually do?
[CentOS] CentOS-announce Digest, Vol 157, Issue 4
Send CentOS-announce mailing list submissions to
    centos-annou...@centos.org

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.centos.org/mailman/listinfo/centos-announce
or, via email, send a message with subject or body 'help' to
    centos-announce-requ...@centos.org

You can reach the person managing the list at
    centos-announce-ow...@centos.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..."

Today's Topics:

   1. CESA-2018:0526 Critical CentOS 6 firefox Security Update (Johnny Hughes)
   2. CESA-2018:0527 Critical CentOS 7 firefox Security Update (Johnny Hughes)

--

Message: 1
Date: Thu, 15 Mar 2018 18:59:48 +
From: Johnny Hughes
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2018:0526 Critical CentOS 6 firefox Security Update
Message-ID: <20180315185948.ga44...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2018:0526 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0526

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

i386:
29059b6e8c894eef2944154ad9c3e5e98178bd2903a918ab1ab3b35098e1faf3  firefox-52.7.0-1.el6.centos.i686.rpm

x86_64:
29059b6e8c894eef2944154ad9c3e5e98178bd2903a918ab1ab3b35098e1faf3  firefox-52.7.0-1.el6.centos.i686.rpm
5ab36e9cf3534cc1af6c6ee3d6e302907235e8f8dd2b00f8003ea2e3ef98d272  firefox-52.7.0-1.el6.centos.x86_64.rpm

Source:
ae98346dd0287b8d7fe36edd4692a1980f4fcf1d53e7633307e33e67adfe9a71  firefox-52.7.0-1.el6.centos.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS

--

Message: 2
Date: Thu, 15 Mar 2018 19:24:33 +
From: Johnny Hughes
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2018:0527 Critical CentOS 7 firefox Security Update
Message-ID: <20180315192433.ga58...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2018:0527 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0527

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

x86_64:
3d4f163b3fe61aa41272b201f56732c9352c1e12d13e85dc15f466363d0ba59b  firefox-52.7.0-1.el7.centos.i686.rpm
9546d6326537d96a09245d90386164fd8786578b2c5de142e3f877c532e85612  firefox-52.7.0-1.el7.centos.x86_64.rpm

Source:
0852393b938ea86a3af795b46909d5fc13cf9da3f9f9b6ff85c8b2c2ee2f3e17  firefox-52.7.0-1.el7.centos.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS

--

Subject: Digest Footer

___
CentOS-announce mailing list
centos-annou...@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

--

End of CentOS-announce Digest, Vol 157, Issue 4
***
Re: [CentOS] selinux: how to allow access?
> Yet again I could not find any documentation explaining how to do basic
> things like this :( Selinux is more like a curse than anything else :( Why
> is there not even good documentation?

More trolling?
[CentOS] selinux: how to allow access?
Hi,

how do I allow exim access to a socket in order to be able to do local deliveries to cyrus?

type=AVC msg=audit(1521179280.845:1920270): avc: denied { name_connect } for pid=319 comm="exim" dest=24 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket

Yet again I could not find any documentation explaining how to do basic things like this :( Selinux is more like a curse than anything else :( Why is there not even good documentation?
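What the AVC line above actually says (source domain exim_t, target type lmtp_port_t, class tcp_socket, permission name_connect) and the type-enforcement rule audit2allow would derive from it, as an added example that is neither from the thread nor from the SELinux tools. The second sample line is constructed (made-up pid, inode and target type) to show how several permissions in one denial are handled.

```python
"""Parse SELinux AVC denials like the one quoted above and derive the
type-enforcement rule audit2allow would propose for them. Added example,
not code from the thread or from the SELinux tools. The first sample is
the line from the post; the second is constructed (made-up pid, inode
and target type) to show a multi-permission file-class denial. Whether
granting the rule is the right fix, rather than a boolean, a port label
or a configuration change, remains the admin's decision.
"""
import re

SAMPLE_AVC = (
    'type=AVC msg=audit(1521179280.845:1920270): avc: denied { name_connect } '
    'for pid=319 comm="exim" dest=24 '
    'scontext=system_u:system_r:exim_t:s0 '
    'tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket'
)
SAMPLE_FILE_AVC = (  # constructed, not from the thread
    'type=AVC msg=audit(1521179300.000:1920275): avc: denied { read write } '
    'for pid=4242 comm="exim" name="lmtp" dev="tmpfs" ino=99 '
    'scontext=system_u:system_r:exim_t:s0 '
    'tcontext=system_u:object_r:example_socket_t:s0 tclass=sock_file'
)

_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and the context fields of one line.

    Raises ValueError for anything that is not an AVC denial.
    """
    m = _PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    # A context is user:role:type:level; policy rules are written on the type.
    return {
        "perms": sorted(m.group(1).split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "dest_port": int(fields["dest"]) if "dest" in fields else None,
    }


def allow_rule(denial):
    """Render the TE rule permitting exactly this denial, e.g.
    allow exim_t lmtp_port_t:tcp_socket name_connect;"""
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        denial["source_type"], denial["target_type"], denial["tclass"], perm_str)


def rules_for(lines):
    """Collapse a batch of denials into one rule per (source, target, class),
    as audit2allow does; lines that are not AVC denials are skipped."""
    merged = {}
    for line in lines:
        try:
            d = parse_avc(line)
        except ValueError:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return [allow_rule({"source_type": s, "target_type": t, "tclass": c,
                        "perms": sorted(p)})
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rule in rules_for([SAMPLE_AVC, SAMPLE_FILE_AVC, "not an audit line"]):
        print(rule)
```

The derived rule grants only the one connect permission the log shows was denied; dest=24 with tcontext lmtp_port_t tells you the denial is about the TCP LMTP port, not the unix socket.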
Re: [CentOS] VirtualBox on CentOS 7 with bridged network not working
James Pearson wrote:
>
> I've installed VirtualBox v5.2 on a CentOS 7.4 machine, but VMs set up
> with bridged networking can not 'see' past the VirtualBox host machine
>
> i.e. the VM can ping the host and vice versa, but the VM can not ping
> anything else and other machines on the same subnet can't ping the VM
>
> There are no firewall rules configured on the 7.4 host and selinux is
> disabled
>
> I have a similar set up on a CentOS 6.9 host, where everything works as
> expected
>
> Googling doesn't show up any similar issues, so I guess I'm missing
> something on the host machine
>
> Does anyone have any idea what could be the issue?

I've managed to 'solve' the problem - which wasn't anything to do with CentOS 7 ... the host running CentOS 7 was patched into a switch with MAC access control enabled - as were the two other CentOS 7 boxes I tried - whereas the CentOS 6 host(s) I used had no MAC access control enabled

Just wish it hadn't taken me nearly a day to work that out :-)

Sorry for the noise

James Pearson