Re: [CentOS] spectre variant 2

2018-03-16 Thread Fred Smith
On Fri, Mar 16, 2018 at 09:42:34PM +, Phil Perry wrote:
> On 16/03/18 18:24, Fred Smith wrote:
> >Hi all!
> >
> >I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU.
> >
> 
> What kernel are you running (uname -r)?

 uname -r
3.10.0-693.21.1.el7.x86_64

> 
> >I note that when I run the redhat script to test for spectre & meltdown
> >I get this result for variant 2:
> >
> >Variant #2 (Spectre): Vulnerable
> >CVE-2017-5715 - speculative execution branch target injection
> >- Kernel with mitigation patches: OK
> >- HW support / updated microcode: NO
> >- IBRS: Not disabled on kernel commandline
> >- IBPB: Not disabled on kernel commandline
> >
> >
> >and when I run the one from github I get this:
> >
> >CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> >* Mitigated according to the /sys interface:  NO  (kernel confirms your 
> >system is vulnerable)
> >* Mitigation 1
> >   * Kernel is compiled with IBRS/IBPB support:  YES
> >   * Currently enabled features
> > * IBRS enabled for Kernel space:  NO
> > * IBRS enabled for User space:  NO
> > * IBPB enabled:  NO
> >* Mitigation 2
> >   * Kernel compiled with retpoline option:  YES
> >   * Kernel compiled with a retpoline-aware compiler:  UNKNOWN
> >>STATUS:  VULNERABLE  (Vulnerable: Retpoline without IBPB)
> >
> >
> >So, I'm wondering:
> >1. has RH in fact released mitigations for this issue for AMD processors, and
> >2. has AMD released microcode updates for this?
> >
> >I have no idea how to query AMD with such a question, anybody here know?
> >
> >Thanks in advance!
> >
> 
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
 God made him who had no sin
  to be sin for us, so that in him
 we might become the righteousness of God."
--- Corinthians 5:21 -
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] spectre variant 2

2018-03-16 Thread Phil Perry

On 16/03/18 18:24, Fred Smith wrote:
> Hi all!
>
> I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU.

What kernel are you running (uname -r)?

> I note that when I run the redhat script to test for spectre & meltdown
> I get this result for variant 2:
>
> Variant #2 (Spectre): Vulnerable
> CVE-2017-5715 - speculative execution branch target injection
> - Kernel with mitigation patches: OK
> - HW support / updated microcode: NO
> - IBRS: Not disabled on kernel commandline
> - IBPB: Not disabled on kernel commandline
>
> and when I run the one from github I get this:
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> * Mitigation 1
>    * Kernel is compiled with IBRS/IBPB support:  YES
>    * Currently enabled features
>      * IBRS enabled for Kernel space:  NO
>      * IBRS enabled for User space:  NO
>      * IBPB enabled:  NO
> * Mitigation 2
>    * Kernel compiled with retpoline option:  YES
>    * Kernel compiled with a retpoline-aware compiler:  UNKNOWN
> > STATUS:  VULNERABLE  (Vulnerable: Retpoline without IBPB)
>
> So, I'm wondering:
> 1. has RH in fact released mitigations for this issue for AMD processors, and
> 2. has AMD released microcode updates for this?
>
> I have no idea how to query AMD with such a question, anybody here know?
>
> Thanks in advance!




Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Phil Perry

On 16/03/18 18:37, Alexander Dalloz wrote:
> On 16.03.2018 at 13:09, hw wrote:
>> On 03/16/2018 12:14 PM, Richard Grainger wrote:
>>>> Yet again I could not find any documentation explaining how to do basic
>>>> things like this :(  Selinux is more like a curse than anything else :( Why
>>>> is there not even a good documentation?
>>>
>>> More trolling?
>>
>> Show me a good documentation and/or name good reasons not to disable
>> selinux.  Considering how much trouble it gives, there have to be
>> *very* good reasons to keep it enabled.

Would you turn off your firewall because you don't understand how it
works? Or any security feature for that matter?

Invest a few hours of your life reading the documentation. There are
plenty of good examples listed below.

I've never had an SELinux problem I couldn't solve or work around in 2
minutes. Sometimes figuring out the *right* solution might take a little
longer, but turning it off is very rarely going to be the right solution.

> Useful resources for SELinux:
>
> http://wiki.centos.org/HowTos/SELinux
>
> http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
>
> http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
>
> http://www.youtube.com/watch?v=bQqX3RWn0Yw
>
> http://opensource.com/business/13/11/selinux-policy-guide

and don't forget the definitive Red Hat documentation here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/

SELinux User's and Administrator's Guide at the bottom of the page.
Download it and read it.




Re: [CentOS] cyrus: socket options

2018-03-16 Thread Alexander Dalloz

On 16.03.2018 at 13:07, hw wrote:

> [...]
>    # lmtp    cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
>    lmtpunix  cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
> [...]

Both definitions are wrong:

1) the lmtp line

man cyrus.conf

    listen=
        The UNIX or internet socket to listen on. This string field is
        required and takes one of the following forms:

        path
        [ host : ] port

So listen="lmtp:127.0.0.1" is utter nonsense. It would be
listen="127.0.0.1:lmtp" if you want to restrict access to localhost.

2) the lmtpunix line

man lmtpd

    -a
        Preauthorize connections initiated on an internet socket, instead
        of requiring LMTP AUTH. This should only be used for connections
        coming from trusted hosts.

So no pre-auth on the unix socket.

And why do you define a prefork of 4?

Alexander

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
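
Added example, not part of Alexander's message or of Cyrus itself: a small Python check for the two points made in the reply above, the `[ host : ] port` form of `listen=` and the use of `lmtpd -a`. The sample lines, the regex heuristics and all function names are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the two service lines quoted in the thread (the first
# one uncommented so it gets checked), the corrected form from the reply,
# and one constructed listener with no host restriction.
SAMPLE_SERVICES = """
lmtp      cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
lmtpunix  cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
lmtpfixed cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=4
lmtpopen  cmd="lmtpd -a" listen="lmtp" prefork=4
"""

LOOPBACK = {"127.0.0.1", "localhost"}
# Heuristics (assumptions): a port is a number or a service name, and a
# host in the wrong place is recognised only as a dotted IPv4 address.
PORT_RE = re.compile(r"^(\d{1,5}|[A-Za-z][A-Za-z0-9-]*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_service(line):
    """Split 'name key="value" ...' into (name, {key: value}); None if empty."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return tokens[0], opts


def classify_listen(value):
    """Return (kind, host, port, problems) for a listen= value."""
    if value.startswith("/"):
        return "unix", None, None, []
    host, sep, port = value.rpartition(":")
    problems = []
    if not PORT_RE.match(port):
        problems.append(f"port part {port!r} is not a port number or service name")
        if PORT_RE.match(host) and IPV4_RE.match(port):
            problems.append(f"host and port look swapped, expected {port}:{host}")
    return "inet", (host if sep else None), port, problems


def check_service(name, opts):
    """Return a list of findings for one service entry."""
    if "listen" not in opts:
        return [f"{name}: listen= is required"]
    kind, host, _port, problems = classify_listen(opts["listen"])
    findings = [f"{name}: {p}" for p in problems]
    argv = shlex.split(opts.get("cmd", ""))
    preauth = bool(argv) and argv[0].endswith("lmtpd") and "-a" in argv[1:]
    if preauth and kind == "unix":
        findings.append(f"{name}: -a is documented for internet sockets, "
                        "this listener is a UNIX socket")
    elif preauth and not problems and host not in LOOPBACK:
        findings.append(f"{name}: -a preauthorizes every host that can reach "
                        "this listener; limit it to trusted hosts")
    return findings


def lint(text):
    """Map each service name in a SERVICES fragment to its findings."""
    results = {}
    for line in text.splitlines():
        parsed = parse_service(line)
        if parsed and parsed[1]:  # skip blanks, comments and brace lines
            results[parsed[0]] = check_service(*parsed)
    return results


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_SERVICES).items():
        print(name, "->", findings or "ok")
```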


Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Leon Fauster

> On 16.03.2018 at 13:09, hw wrote:
> 
> On 03/16/2018 12:14 PM, Richard Grainger wrote:
>>> Yet again I could not find any documentation explaining how to do basic
>>> things like this :(  Selinux is more like a curse than anything else :( Why
>>> is there not even a good documentation?
>> More trolling?
> 
> Show me a good documentation and/or name good reasons not to disable selinux.
> Considering how much trouble it gives, there have to be *very* good reasons 
> to keep it enabled.


$ rpm -q --qf "%{URL}\n" libselinux

--
LF







Re: [CentOS] cyrus: socket options

2018-03-16 Thread Alexander Dalloz

On 16.03.2018 at 13:07, hw wrote:

> Hi,
>
> what are the following messages supposed to tell me and does this
> indicate a problem?
>
> # systemctl status cyrus-imapd
> [...]
> master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
> master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
> [...]

That's cyrus-imapd itself failing and has nothing to do with Exim.

> Exim says it can not connect to the lmtp socket even when selinux
> doesn´t get in the way.  The configuration looks like this:
>
> cyrus.conf (none of the two options work):
>
> [...]
>    # lmtp    cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
>    lmtpunix  cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
> [...]

Providing just a snippet from the complete configuration of cyrus-imapd
is insufficient.

> exim.conf:
>
> [...]
> begin transports
>
> # cyrus_ltcp:
> #   driver = smtp
> #   protocol = lmtp
> #   delivery_date_add
> #   envelope_to_add
> #   return_path_add
> #   hosts = localhost
> #   allow_localhost
>
> lmtp_socket:
>    driver = lmtp
>    socket = /var/lib/imap/socket/lmtp
>    delivery_date_add
>    envelope_to_add
>    return_path_add
>
> # ls -la /var/lib/imap/socket/lmtp
> srwxrwxrwx. 1 root root 0 Mar 16 12:58 /var/lib/imap/socket/lmtp
>
> I have this working on the old server (which doesn´t run Centos) and am
> trying to migrate it to the new one (which runs Centos 7.4).  The
> version of cyrus and sasl are the same on both machines.

So cyrus-imapd and cyrus-sasl are not the ones shipped by CentOS?

> What´s the problem with Centos that these things don´t just work as they
> usually do?

It works on CentOS, I can assure you that.

Alexander




Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Alexander Dalloz

On 16.03.2018 at 13:09, hw wrote:
> On 03/16/2018 12:14 PM, Richard Grainger wrote:
>>> Yet again I could not find any documentation explaining how to do basic
>>> things like this :(  Selinux is more like a curse than anything else :( Why
>>> is there not even a good documentation?
>>
>> More trolling?
>
> Show me a good documentation and/or name good reasons not to disable
> selinux.  Considering how much trouble it gives, there have to be *very*
> good reasons to keep it enabled.


Useful resources for SELinux:

http://wiki.centos.org/HowTos/SELinux

http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

http://www.youtube.com/watch?v=bQqX3RWn0Yw

http://opensource.com/business/13/11/selinux-policy-guide

Alexander


[CentOS] spectre variant 2

2018-03-16 Thread Fred Smith
Hi all!

I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU.

I note that when I run the redhat script to test for spectre & meltdown
I get this result for variant 2:

Variant #2 (Spectre): Vulnerable
CVE-2017-5715 - speculative execution branch target injection
   - Kernel with mitigation patches: OK
   - HW support / updated microcode: NO
   - IBRS: Not disabled on kernel commandline
   - IBPB: Not disabled on kernel commandline


and when I run the one from github I get this:

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system 
is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES 
  * Currently enabled features
* IBRS enabled for Kernel space:  NO 
* IBRS enabled for User space:  NO 
* IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  UNKNOWN 
> STATUS:  VULNERABLE  (Vulnerable: Retpoline without IBPB)


So, I'm wondering:
1. has RH in fact released mitigations for this issue for AMD processors, and
2. has AMD released microcode updates for this?

I have no idea how to query AMD with such a question, anybody here know?

Thanks in advance!

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
  The eyes of the Lord are everywhere, 
keeping watch on the wicked and the good.
- Proverbs 15:3 (niv) -


Re: [CentOS] Install CentOS 7 over serial port on router board ?

2018-03-16 Thread Nicolas Kovacs
On 16/03/2018 at 14:29, Leon Fauster wrote:
> We use a DIGITUS USB2Serial Converter (Prolific based USBID: VID:067B 
> PID:2303) and then 
> 
> screen /dev/DEVICE 115200

Thanks everybody for your numerous suggestions. As soon as I have the
hardware, I'll fiddle with it and then report back my findings.

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] Install CentOS 7 over serial port on router board ?

2018-03-16 Thread Leon Fauster

> On 16.03.2018 at 14:21, isdtor wrote:
> 
> Nicolas Kovacs writes:
>> Hi,
>> 
>> I have to install CentOS 7 for a client, to act as cache & filtering
>> proxy using Squid.
>> 
>> I'd like to use this piece of specialized hardware :
>> 
>> http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
>> 
>> There is no VGA or HDMI video output, just a serial port to connect to,
>> and then three NICs and two USB ports.
>> 
>> I've never installed CentOS over a serial console, so I don't even know
>> if it's possible in the first place. Has anyone ever done something like
>> that ?
>> 
>> Any suggestions ?
> 
> I haven't done this with Linux, only Soekris+OpenBSD, but the principles are 
> the same. PXE, kickstart, monitoring via serial port. Change console settings 
> to point to the serial port as per Giles. Use a USB-to-serial converter to 
> connect to a laptop running a terminal program, or serial cable with a 
> desktop that still has a serial port. May need a null-modem cable, I don't 
> remember.


We use a DIGITUS USB2Serial Converter (Prolific based USBID: VID:067B PID:2303) 
and then 

screen /dev/DEVICE 115200

--
LF




Re: [CentOS] Install CentOS 7 over serial port on router board ?

2018-03-16 Thread isdtor
Nicolas Kovacs writes:
> Hi,
> 
> I have to install CentOS 7 for a client, to act as cache & filtering
> proxy using Squid.
> 
> I'd like to use this piece of specialized hardware :
> 
> http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
> 
> There is no VGA or HDMI video output, just a serial port to connect to,
> and then three NICs and two USB ports.
> 
> I've never installed CentOS over a serial console, so I don't even know
> if it's possible in the first place. Has anyone ever done something like
> that ?
> 
> Any suggestions ?

I haven't done this with Linux, only Soekris+OpenBSD, but the principles are 
the same. PXE, kickstart, monitoring via serial port. Change console settings 
to point to the serial port as per Giles. Use a USB-to-serial converter to 
connect to a laptop running a terminal program, or serial cable with a desktop 
that still has a serial port. May need a null-modem cable, I don't remember.



Re: [CentOS] Install CentOS 7 over serial port on router board ?

2018-03-16 Thread John Hodrien

On Fri, 16 Mar 2018, Nicolas Kovacs wrote:

> I have to install CentOS 7 for a client, to act as cache & filtering
> proxy using Squid.
>
> I'd like to use this piece of specialized hardware :
>
> http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
>
> There is no VGA or HDMI video output, just a serial port to connect to,
> and then three NICs and two USB ports.
>
> I've never installed CentOS over a serial console, so I don't even know
> if it's possible in the first place. Has anyone ever done something like
> that ?
>
> Any suggestions ?


Kickstart, and do a non-interactive install.  That's always my preferred
route.

serial, as you've already had suggested.

Set anaconda to provide vnc, then connect to the vncserver
and install using the normal graphical installer just like you would on a
default install.

jh


Re: [CentOS] Install CentOS 7 over serial port on router board ?

2018-03-16 Thread Giles Coochey



On 16/03/18 12:57, Nicolas Kovacs wrote:
> Hi,
>
> I have to install CentOS 7 for a client, to act as cache & filtering
> proxy using Squid.
>
> I'd like to use this piece of specialized hardware :
>
> http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html
>
> There is no VGA or HDMI video output, just a serial port to connect to,
> and then three NICs and two USB ports.
>
> I've never installed CentOS over a serial console, so I don't even know
> if it's possible in the first place. Has anyone ever done something like
> that ?
>
> Any suggestions ?

You should look up installing Centos over a serial console, I believe
you should be able to change the install parameters for netinstall to
provide a console on the serial port.

Failing that have you considered installing Centos to the mSATA disk on
a different system and then just transplanting the built system into
this appliance?

> Niki




[CentOS] Install CentOS 7 over serial port on router board ?

2018-03-16 Thread Nicolas Kovacs
Hi,

I have to install CentOS 7 for a client, to act as cache & filtering
proxy using Squid.

I'd like to use this piece of specialized hardware :

http://store.calexium.com/fr/systeme-pre-assemble/869-systeme-pre-assemble-rackmatrix-apu-amd-gx-412tc-quatre-coeurs-1-ghz.html

There is no VGA or HDMI video output, just a serial port to connect to,
and then three NICs and two USB ports.

I've never installed CentOS over a serial console, so I don't even know
if it's possible in the first place. Has anyone ever done something like
that ?

Any suggestions ?

Niki
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread hw

On 03/16/2018 12:14 PM, Richard Grainger wrote:
>> Yet again I could not find any documentation explaining how to do basic
>> things like this :(  Selinux is more like a curse than anything else :( Why
>> is there not even a good documentation?
>
> More trolling?


Show me a good documentation and/or name good reasons not to disable 
selinux.  Considering how much trouble it gives, there have to be *very* 
good reasons to keep it enabled.



[CentOS] cyrus: socket options

2018-03-16 Thread hw


Hi,

what are the following messages supposed to tell me and does this 
indicate a problem?



# systemctl status cyrus-imapd
[...]
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
[...]


Exim says it can not connect to the lmtp socket even when selinux 
doesn´t get in the way.  The configuration looks like this:



cyrus.conf (none of the two options work):

[...]
  # lmtp    cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
  lmtpunix  cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
[...]


exim.conf:

[...]
begin transports



# cyrus_ltcp:
#   driver = smtp
#   protocol = lmtp
#   delivery_date_add
#   envelope_to_add
#   return_path_add
#   hosts = localhost
#   allow_localhost

lmtp_socket:
  driver = lmtp
  socket = /var/lib/imap/socket/lmtp
  delivery_date_add
  envelope_to_add
  return_path_add


# ls -la /var/lib/imap/socket/lmtp
srwxrwxrwx. 1 root root 0 Mar 16 12:58 /var/lib/imap/socket/lmtp


I have this working on the old server (which doesn´t run Centos) and am 
trying to migrate it to the new one (which runs Centos 7.4).  The 
version of cyrus and sasl are the same on both machines.


What´s the problem with Centos that these things don´t just work as they 
usually do?



[CentOS] CentOS-announce Digest, Vol 157, Issue 4

2018-03-16 Thread centos-announce-request


Today's Topics:

   1. CESA-2018:0526 Critical CentOS 6 firefox Security Update
  (Johnny Hughes)
   2. CESA-2018:0527 Critical CentOS 7 firefox Security Update
  (Johnny Hughes)


--

Message: 1
Date: Thu, 15 Mar 2018 18:59:48 +
From: Johnny Hughes 
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2018:0526 Critical CentOS 6 firefox Security Update
Message-ID: <20180315185948.ga44...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2018:0526 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0526

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
29059b6e8c894eef2944154ad9c3e5e98178bd2903a918ab1ab3b35098e1faf3  
firefox-52.7.0-1.el6.centos.i686.rpm

x86_64:
29059b6e8c894eef2944154ad9c3e5e98178bd2903a918ab1ab3b35098e1faf3  
firefox-52.7.0-1.el6.centos.i686.rpm
5ab36e9cf3534cc1af6c6ee3d6e302907235e8f8dd2b00f8003ea2e3ef98d272  
firefox-52.7.0-1.el6.centos.x86_64.rpm

Source:
ae98346dd0287b8d7fe36edd4692a1980f4fcf1d53e7633307e33e67adfe9a71  
firefox-52.7.0-1.el6.centos.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



--

Message: 2
Date: Thu, 15 Mar 2018 19:24:33 +
From: Johnny Hughes 
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2018:0527 Critical CentOS 7 firefox Security Update
Message-ID: <20180315192433.ga58...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2018:0527 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0527

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
3d4f163b3fe61aa41272b201f56732c9352c1e12d13e85dc15f466363d0ba59b  
firefox-52.7.0-1.el7.centos.i686.rpm
9546d6326537d96a09245d90386164fd8786578b2c5de142e3f877c532e85612  
firefox-52.7.0-1.el7.centos.x86_64.rpm

Source:
0852393b938ea86a3af795b46909d5fc13cf9da3f9f9b6ff85c8b2c2ee2f3e17  
firefox-52.7.0-1.el7.centos.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS





Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Richard Grainger
> Yet again I could not find any documentation explaining how to do basic
> things like this :(  Selinux is more like a curse than anything else :( Why
> is there not even a good documentation?

More trolling?


[CentOS] selinux: how to allow access?

2018-03-16 Thread hw


Hi,

how do I allow exim access to a socket in order to be able to do local 
deliveries to cyrus?



type=AVC msg=audit(1521179280.845:1920270): avc:  denied  { name_connect } for  pid=319 comm="exim" dest=24 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket



Yet again I could not find any documentation explaining how to do basic 
things like this :(  Selinux is more like a curse than anything else :( 
Why is there not even a good documentation?

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
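
Added example, not part of the original post: a Python parser that splits the AVC record quoted above into its fields and groups repeated denials, which makes it plain what was denied (here a TCP connect by `exim_t` to a port labelled `lmtp_port_t`). The second and third sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the record from the post joined onto one line, a
# constructed repeat with another pid and timestamp, and a non-AVC line.
SAMPLE_LOG = """\
type=AVC msg=audit(1521179280.845:1920270): avc:  denied  { name_connect } for  pid=319 comm="exim" dest=24 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1521179340.112:1920301): avc:  denied  { name_connect } for  pid=402 comm="exim" dest=24 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1521179340.112:1920301): arch=c000003e syscall=42 success=no
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m["rest"])}
    rec.update(timestamp=float(m["ts"]), serial=int(m["serial"]),
               result=m["result"], perms=m["perms"].split())
    for side in ("scontext", "tcontext"):
        # A context is user:role:type[:level]; the level may itself contain ':'.
        parts = rec.get(side, "").split(":", 3)
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def group_denials(log_text):
    """Count denials per (comm, source type, target type, class, perms, object)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        obj = rec.get("dest") or rec.get("path") or rec.get("name")
        counts[(rec.get("comm"), rec["scontext_type"], rec["tcontext_type"],
                rec.get("tclass"), tuple(rec["perms"]), obj)] += 1
    return counts


def describe(key, count):
    """Render one grouped denial as a sentence for a ticket or report."""
    comm, stype, ttype, tclass, perms, obj = key
    text = (f"{count}x {comm} (domain {stype}) denied {{ {' '.join(perms)} }} "
            f"on {tclass} labelled {ttype}")
    return text + (f", object {obj}" if obj else "")


if __name__ == "__main__":
    for key, count in group_denials(SAMPLE_LOG).items():
        print(describe(key, count))
```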


Re: [CentOS] VirtualBox on CentOS 7 with bridged network not working

2018-03-16 Thread James Pearson
James Pearson wrote:
> 
> I've installed VirtualBox v5.2 on a CentOS 7.4 machine, but VMs set up
> with bridged networking can not 'see' past the VirtualBox host machine
> 
> i.e. the VM can ping the host and vice versa, but the VM can not ping
> anything else and other machines on the same subnet can't ping the VM
> 
> There are no firewall rules configured on the 7.4 host and selinux is
> disabled
> 
> I have a similar set up on a CentOS 6.9 host, where everything works as
> expected
> 
> Googling doesn't show up any similar issues, so I guess I'm missing
> something on the host machine
> 
> Does anyone have any idea what could be the issue?

I've managed to 'solve' the problem - which wasn't anything to do with 
CentOS 7 ... the host running CentOS 7 was patched into a switch with 
MAC access control enabled - as were the two other CentOS 7 boxes I 
tried - whereas the CentOS 6 host(s) I used had no MAC access control 
enabled

Just wish it hadn't taken me nearly a day to work that out :-)

Sorry for the noise

James Pearson