On 06/01/11 04:03, Paul Johnson wrote:
> On Wed, Jan 5, 2011 at 12:57 PM, Daniel J Walsh wrote:
>> On 01/05/2011 11:50 AM, Paul Johnson wrote:
>>>
>>>
>>>
>> Turn on the httpd_can_sendmail boolean. We do not want all apache
>> servers to be a
On Wed, Jan 5, 2011 at 12:57 PM, Daniel J Walsh wrote:
> On 01/05/2011 11:50 AM, Paul Johnson wrote:
>>
>>
>>
> Turn on the httpd_can_sendmail boolean. We do not want all apache
> servers to be able to send mail by default.
>
> # setsebool -P ht
On 01/05/2011 02:10 PM, Les Mikesell wrote:
> On 1/5/2011 12:57 PM, Daniel J Walsh wrote:
>>
>> man apache_selinux
>> ...
>
> $ man apache_selinux
> No manual entry for apache_selinux
>
> - and I assume you wrote it...
>
Sorry about that, httpd
On 01/05/2011 08:10 PM, Les Mikesell wrote:
> On 1/5/2011 12:57 PM, Daniel J Walsh wrote:
>>
>> man apache_selinux
>> ...
>
> $ man apache_selinux
> No manual entry for apache_selinux
>
> - and I assume you wrote it...
>
man httpd_selinux
--
Athmane Madjoudj
___
On 1/5/2011 12:57 PM, Daniel J Walsh wrote:
>
> man apache_selinux
> ...
$ man apache_selinux
No manual entry for apache_selinux
- and I assume you wrote it...
--
Les Mikesell
lesmikes...@gmail.com
___
CentOS mailing list
CentOS@centos.org
On 01/05/2011 11:50 AM, Paul Johnson wrote:
> I quit using Fedora a couple of years ago, largely because I felt as
> though I was being used as an SELinux guinea pig. I spent days and
> days trying to work around selinux problems, until I eventually ju
I quit using Fedora a couple of years ago, largely because I felt as
though I was being used as an SELinux guinea pig. I spent days and
days trying to work around selinux problems, until I eventually just
turned it off.
I'm not a professional sysadmin, but I know many of them who think
SELinux is
On Thursday, December 09, 2010 11:39 PM, Tom H wrote:
>>> SELinux came as a result that someone found weaknesses and wanted to try
>>> avoid security issues. Just like when firewalls began to become so
>>> popular 20-30 years ago or so. There was a need to improve something,
>>> and someone did t
On Thursday, December 09, 2010 11:08 PM, Lamar Owen wrote:
> On Wednesday, December 08, 2010 10:06:34 pm Warren Young wrote:
>> That's great if you are wise enough to foresee all problems that an
>> automatic update can cause.
>
>> I am not that wise.
>
> Nor am I; that's why I have testing server V
On 27.11.10 00:58, Alison wrote:
> total newbie on CentOS.
Nothing against you, you asked a completely valid question.
All others: Can this insanity please stop now? I'm really thinking about
setting a subject moderation filter on this subject.
Ralph
_
On Thu, 9 Dec 2010, Warren Young wrote:
> On 12/9/2010 2:05 PM, m.r...@5-cent.us wrote:
>>
>> Also, Apple dictates style; to a lesser degree, so does M$. There's no
>> dictated style guide for Linux.
>
> That's outdated thinking. Apple's acquired some infamy among its fanboy
How about this long
On 12/9/2010 2:05 PM, m.r...@5-cent.us wrote:
>
> Also, Apple dictates style; to a lesser degree, so does M$. There's no
> dictated style guide for Linux.
That's outdated thinking. Apple's acquired some infamy among its fanboy
base for violating their old style guidelines, which AFAIR were last
Warren Young wrote:
> On 12/9/2010 1:54 AM, David Sommerseth wrote:
>>
>> For the vast majority of issues with SELinux, it is possible to overcome
>> them using the provided tools.
>
> Of course, but I think you're mistaking "possible" for "practical".
> Everyone has different incentives and constrain
On 12/9/2010 1:54 AM, David Sommerseth wrote:
>
> For the vast majority of issues with SELinux, it is possible to overcome
> them using the provided tools.
Of course, but I think you're mistaking "possible" for "practical".
Everyone has different incentives and constraints.
Allow me to build an analog
On Wed, Dec 8, 2010 at 11:10 AM, Les Mikesell wrote:
> On 12/8/2010 4:04 AM, David Sommerseth wrote:
>> iptables is a de-facto standard on all Linux distributions nowadays. It
>> is not ratified by ISO, IETF or similar ... but how does that make the
>> real life scenario any different? That's
On Thu, 2010-12-09 at 10:11 -0500, Lamar Owen wrote:
> On Thursday, December 09, 2010 12:02:44 am Robert Nichols wrote:
> > On 12/07/2010 05:11 PM, Rob Kampen wrote:
> > > Daniel J Walsh wrote:
> > > http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
> > > I am ha
On Thursday, December 09, 2010 12:02:44 am Robert Nichols wrote:
> On 12/07/2010 05:11 PM, Rob Kampen wrote:
> > Daniel J Walsh wrote:
> > http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
> >>
> > I am having difficulty with the pdf file - both adobe and kpdf ha
On Wednesday, December 08, 2010 10:06:34 pm Warren Young wrote:
> That's great if you are wise enough to foresee all problems that an
> automatic update can cause.
> I am not that wise.
Nor am I; that's why I have testing server VM's on which to stage updates.
Even on the production servers, th
On 08/12/10 23:01, Warren Young wrote:
> On 12/8/2010 3:04 AM, David Sommerseth wrote:
>> it is still not recommendable to trade security for simplicity.
>
> Security is never an absolute, is *always* a tradeoff against simplicity.
>
> We could store our servers 16 feet underground and encased in
On 09/12/10 01:05, Christopher Chan wrote:
> On Thursday, December 09, 2010 02:55 AM, David Sommerseth wrote:
>
>> Second, iptables is a de-facto standard for Linux, just as pf is pretty
>> much the standard firewalling on BSD. Windows and Solaris got their own
>> firewalling methods as well. My
On Thursday, December 09, 2010 11:06 AM, Warren Young wrote:
> On 12/8/2010 5:00 PM, Christopher Chan wrote:
>> On Thursday, December 09, 2010 05:00 AM, Warren Young wrote:
>>> I assume you mean to advocate running updates infrequently,
>>
>> No, I advocate setting up SELinux properly which will ta
On 12/07/2010 05:11 PM, Rob Kampen wrote:
> Daniel J Walsh wrote:
>
>>
>> I wrote this paper to try to explain what SELinux tends to complain
>> about.
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>
> I am having difficulty with the pdf file - both ad
On 12/8/2010 3:55 PM, Lamar Owen wrote:
> On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
>> Let's not drag the desktop user into this discussion, too.
>
> Why not?
I thought my reason was clear, but apparently not. You talk the talk of
security, but I guess we hang in different
On 12/8/2010 5:00 PM, Christopher Chan wrote:
> On Thursday, December 09, 2010 05:00 AM, Warren Young wrote:
>> I assume you mean to advocate running updates infrequently,
>
> No, I advocate setting up SELinux properly which will take care of the
> automatic updates.
That's great if you are wise e
On Thursday, December 09, 2010 08:41 AM, Les Mikesell wrote:
> On 12/8/2010 6:14 PM, Christopher Chan wrote:
>> On Thursday, December 09, 2010 03:40 AM, Les Mikesell wrote:
>
>
>> Or rather stop telling people not to use SELinux and iptables on this
>> list just because you don't want to use any of
On 12/8/2010 6:14 PM, Christopher Chan wrote:
> On Thursday, December 09, 2010 03:40 AM, Les Mikesell wrote:
> Or rather stop telling people not to use SELinux and iptables on this
> list just because you don't want to use any of these tools because it is
> too troublesome for you and your gang.
On Thursday, December 09, 2010 06:55 AM, Lamar Owen wrote:
> On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
>> Let's not drag the desktop user into this discussion, too.
>
> Why not? Are there no CentOS desktop users out there? Are the needs of the
> desktop just to be ignored?
On Thursday, December 09, 2010 03:40 AM, Les Mikesell wrote:
> How many of those use the same commands to
> start/stop/save-current-config? Where do they keep the configs? How If
> you deployed applications on all of them, how much time would it take to
> train the operators that do the install
On Thursday, December 09, 2010 02:55 AM, David Sommerseth wrote:
> Second, iptables is a de-facto standard for Linux, just as pf is pretty
> much the standard firewalling on BSD. Windows and Solaris got their own
> firewalling methods as well. My point is, neither of them are any Posix
> standar
On Thursday, December 09, 2010 05:00 AM, Warren Young wrote:
> On 12/8/2010 7:13 AM, Christopher Chan wrote:
>>
>> Such [periodic failures] are fairly common
>
> I'd say the main reason someone chooses CentOS (or another Linux flavor
> with similar policies, like Ubuntu LTS) is that the distro prov
On Wednesday, December 08, 2010 11:03 PM, William Warren wrote:
> On 12/8/2010 9:13 AM, Christopher Chan wrote:
>> On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
>>> On 12/8/10 4:22 AM, David Sommerseth wrote:
On 30/11/10 03:52, cpol...@surewest.net wrote:
> Christopher Chan
On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
> Let's not drag the desktop user into this discussion, too.
Why not? Are there no CentOS desktop users out there? Are the needs of the
desktop just to be ignored? I support desktop Linux users who are not power
users; works grea
On 12/8/2010 4:48 PM, Warren Young wrote:
> On 12/8/2010 3:26 PM, Les Mikesell wrote:
>> Is there any central reporting concept in SELinux so a multi-machine
>> admin doesn't have to go check each for all of the one-off cases and
>> knowledge can be shared about the fixes needed for 3rd party RPMs?
On 12/8/2010 3:26 PM, Les Mikesell wrote:
> Is there any central reporting concept in SELinux so a multi-machine
> admin doesn't have to go check each for all of the one-off cases and
> knowledge can be shared about the fixes needed for 3rd party RPMs?
No. But then, there's not one for file permi
On 12/8/2010 3:41 PM, Warren Young wrote:
>
> /That/ is my point. I could -- and sometimes do -- work around file
> permissions errors manually, quickly. SELinux has a higher order of
> complexity compared to Unix file permissions, so the associated fixes
> don't fit into a small, easy-to-mentall
On 12/8/2010 8:21 AM, Lamar Owen wrote:
> On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
>> And if you can't get the simple version right, how can you hope to
>> do it right with something wildly more complicated?
>
> Alright, pray tell how I, a desktop Linux user,...
Let's not drag
On 12/8/2010 3:04 AM, David Sommerseth wrote:
> it is still not recommendable to trade security for simplicity.
Security is never an absolute, is *always* a tradeoff against simplicity.
We could store our servers 16 feet underground and encased in concrete
to prevent tampering and accidental pow
[I'm guessing from the dozens of quoted lines per reply that many of
y'all aren't as lucky as I am. I have a threading email reader with
backing store, so I can go back and read past messages in a thread if I
need more context than a brief quote can provide. I have been so lucky
since the mid
On 12/8/2010 7:13 AM, Christopher Chan wrote:
>
> Such [periodic failures] are fairly common
I'd say the main reason someone chooses CentOS (or another Linux flavor
with similar policies, like Ubuntu LTS) is that the distro provider has
made a long-term support commitment with minimal churn duri
On 12/8/2010 12:55 PM, David Sommerseth wrote:
>
>> The real life situation is that iptables only works on linux and the way
>> it works is distribution-dependent. So what you learn may lock you into
>> a platform that may not always be your best choice.
>
> Please educate me here. I've been usin
On Wednesday, December 08, 2010 01:47:07 pm Daniel J Walsh wrote:
> Sandbox -X might help solve some of these problems. Available in RHEL6
> http://danwalsh.livejournal.com/31146.html?thread=212906
Looks interesting, Dan. Thanks much. And thanks much for the sometimes
thankless work of trying
On 08/12/10 17:10, Les Mikesell wrote:
> On 12/8/2010 4:04 AM, David Sommerseth wrote:
[...snip...]
>>> Agreed, and something that equally needs standardization.
>>
>> iptables is a de-facto standard on all Linux distributions nowadays. It
>> is not ratified by ISO, IETF or similar ... but how doe
On 12/08/2010 10:21 AM, Lamar Owen wrote:
> On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
>> I think you've missed the point that 'all that stuff' (being traditional
>> unix
>> security mechanisms) are not all that insecure. It is on
On 12/8/2010 12:19 PM, Lamar Owen wrote:
>
>> Standards committees have their ways of breaking all previous existing
>> implementations with their final decrees. Let me know when they are
>> finished.
>
> Standards committees are never finished.
>
> Linux is not standardized, either; in the case o
On Wednesday, December 08, 2010 01:02:10 pm Les Mikesell wrote:
> Standards committees have their ways of breaking all previous existing
> implementations with their final decrees. Let me know when they are
> finished.
Standards committees are never finished.
Linux is not standardized, either;
On 12/8/2010 11:38 AM, Lamar Owen wrote:
>
>> But your question was what to do if you choose to ignore the simple and
>> available tools - things available and well understood on many platforms.
>
> VM = complex. Not to mention proprietary (for all but KVM) and
> resource-wasteful.
> Switch User
On Wednesday, December 08, 2010 12:17:40 pm Les Mikesell wrote:
> But your question was what to do if you choose to ignore the simple and
> available tools - things available and well understood on many platforms.
VM = complex. Not to mention proprietary (for all but KVM) and
resource-wasteful.
On 12/8/2010 11:02 AM, Lamar Owen wrote:
> On Wednesday, December 08, 2010 10:39:50 am Les Mikesell wrote:
>> On 12/8/2010 9:21 AM, Lamar Owen wrote:
>>> Alright, pray tell how I, a desktop Linux user, can, without VM's and
>>> without having to switch users, protect my files from a PDF attack thr
On Wednesday, December 08, 2010 10:39:50 am Les Mikesell wrote:
> On 12/8/2010 9:21 AM, Lamar Owen wrote:
> > Alright, pray tell how I, a desktop Linux user, can, without VM's and
> > without having to switch users, protect my files from a PDF attack through
> > Adobe Reader?
>
> Don't run softw
On 08/12/10 16:03, William Warren wrote:
> On 12/8/2010 9:13 AM, Christopher Chan wrote:
>> On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
>>> On 12/8/10 4:22 AM, David Sommerseth wrote:
On 30/11/10 03:52, cpol...@surewest.net wrote:
> Christopher Chan wrote:
>> Les Mike
On 12/8/2010 4:04 AM, David Sommerseth wrote:
>
>>> Disabling SELinux is the same type of decision as disabling the firewall ---
>>> it's there to protect you, yet you don't know how to properly configure it
>>> and
>>> use it, furthermore you don't want to bother to learn, so you simply disable
>
On 12/08/2010 10:39 AM, Les Mikesell wrote:
> Don't run software you don't trust. Keep the software you run up to
> date. Don't open files you don't trust.
Agree here. We have very few issues at my company, because we stress the
issue of thinking before you click, especially when it comes to de
On Wednesday, December 08, 2010 10:28:38 am L A Hurst wrote:
> From: Lamar Owen
> >Alright, pray tell how I, a desktop Linux user, can, without VM's and
> >without having to switch users, protect my files from a PDF attack
> >through Adobe Reader?
>
> Backups.
I looked in vain for a smiley, and
On 12/8/2010 9:21 AM, Lamar Owen wrote:
> On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
>> I think you've missed the point that 'all that stuff' (being traditional unix
>> security mechanisms) are not all that insecure. It is only when you get them
>> wrong that you need to fall ba
-Original Message-
From: Lamar Owen
Reply-To: CentOS mailing list
Date: Wed, 8 Dec 2010 15:21:36 +
To: CentOS mailing list
Subject: Re: [CentOS] SELinux - way of the future or good idea but !!!
>Alright, pray tell how I, a desktop Linux user, can, without VM's and
>wit
On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
> I think you've missed the point that 'all that stuff' (being traditional unix
> security mechanisms) are not all that insecure. It is only when you get them
> wrong that you need to fall back on selinux as a safety net. And if you
On 12/8/2010 9:13 AM, Christopher Chan wrote:
> On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
>> On 12/8/10 4:22 AM, David Sommerseth wrote:
>>> On 30/11/10 03:52, cpol...@surewest.net wrote:
Christopher Chan wrote:
> Les Mikesell wrote:
>>> [...snip...]
> As was alread
On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
> On 12/8/10 4:22 AM, David Sommerseth wrote:
>> On 30/11/10 03:52, cpol...@surewest.net wrote:
>>> Christopher Chan wrote:
Les Mikesell wrote:
>> [...snip...]
As was already mentioned in another post, run in permissive mode, f
On 12/8/10 4:42 AM, David Sommerseth wrote:
> On 30/11/10 17:21, Les Mikesell wrote:
>> On 11/30/2010 9:51 AM, Lamar Owen wrote:
>>>
>>> If a particular app is so recalcitrant that SELinux needs to be turned off,
>>> that's when I'd be doing some drastic things, much like windows lab
>>> environm
On 12/8/10 4:22 AM, David Sommerseth wrote:
> On 30/11/10 03:52, cpol...@surewest.net wrote:
>> Christopher Chan wrote:
>>> Les Mikesell wrote:
> [...snip...]
>>> As was already mentioned in another post, run in permissive mode, for a
>>> few days if you must, and go through all the things the soft
On 30/11/10 17:21, Les Mikesell wrote:
> On 11/30/2010 9:51 AM, Lamar Owen wrote:
>>
>> If a particular app is so recalcitrant that SELinux needs to be turned off,
>> that's when I'd be doing some drastic things, much like windows lab
>> environments need done. Things like automatic revert to kn
On 30/11/10 03:52, cpol...@surewest.net wrote:
> Christopher Chan wrote:
>> Les Mikesell wrote:
[...snip...]
>> As was already mentioned in another post, run in permissive mode, for a
>> few days if you must, and go through all the things the software does
>> and voila! setroubleshoot and/or logs
On 08/12/10 04:28, Les Mikesell wrote:
> On 12/7/10 8:28 PM, Marko Vojinovic wrote:
>>
>>> I think you've missed the point that 'all that stuff' (being traditional
>>> unix security mechanisms) are not all that insecure. It is only when you
>>> get them wrong that you need to fall back on selinux
On 29/11/10 13:11, Steve Clark wrote:
> I don't know how it is now - but I tried running in permissive mode a
> few years ago. It would complain about some
> file, I would fix the file and the next thing I knew it was complaining
> about the same file again, and the file was part
> of the redhat in
Rob Kampen wrote:
> Daniel J Walsh wrote:
>
>>
>> I wrote this paper to try to explain what SELinux tends to complain
>> about.
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>
>>
> I am having difficulty with the pdf file - both adobe and kpdf have
On 12/7/10 8:28 PM, Marko Vojinovic wrote:
>
>> I think you've missed the point that 'all that stuff' (being traditional
>> unix security mechanisms) are not all that insecure. It is only when you
>> get them wrong that you need to fall back on selinux as a safety net.
>> And if you can't get the
On 12/7/10 1:45 PM, Marko Vojinovic wrote:
>
> And it isn't really rocket science. It's just an extension to the existing
> classical permissions system --- it works in analogous way, just with greater
> flexibility and power. If you know how to understand and use file permissions,
> you will easil
Daniel J Walsh wrote:
I wrote this paper to try to explain what SELinux tends to complain about.
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
I am having difficulty with the pdf file - both adobe and kpdf have
problems with the pages with screen shots
On 12/07/2010 01:13 PM, m.r...@5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
>>> Daniel J Walsh wrote:
On 12/07/2010 11:59 AM, Benjamin Franz wrote:
> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
On Tue, 7 Dec 2010, m.r...@5-cent.us wrote:
>> I am not arguing that SELinux is easy, I am arguing that it is not
>> rocket science. I have worked for several years to try to make
>
> If rocket science means very difficult and obscure, yes, it is.
I've got to cry "foul" here. "Difficult and o
On 12/7/10 11:53 AM, Daniel J Walsh wrote:
>
> We have attempted to work with them, setup default labeling for them
> when we know about the problems, embarrass them when they say you need
> to disable SELinux. Red Hat is working on new developer tools to help
> third party developers work on RHEL
Daniel J Walsh wrote:
> On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>> What have you done for folks who have third-party software, either F/OSS
>> or COTS, or in-house
On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
Yes SELinux and all MAC systems require that if the administrator puts
Daniel J Walsh wrote:
> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>
>>> Yes SELinux and all MAC systems require that if the administrator puts
>>> files in non default directories, then they have to be told.
>>> In the case of SELinux,
Brunner, Brian T. wrote:
> My solution is to use complex passwords, and write them down wrong,
> making my write-down a password hint, but not a password.
> My task is to remember what is my transform from hint to fact: (examples
> follow, choose your own)
Yeah, I use hints, too... but do *not* t
On 12/07/2010 11:59 AM, Benjamin Franz wrote:
> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>
>> Yes SELinux and all MAC systems require that if the administrator puts
>> files in non default directories, then they have to be told. In
>> th
> The issue is similar to that of using passwords of more than
> 10 characters composed of random mixed-case alphanumeric
> characters (ideally with special characters mixed in). Yes -
> they are provably more secure in a technical sense than
> virtually any easily remembered system.
> Howeve
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>
> Yes SELinux and all MAC systems require that if the administrator puts
> files in non default directories, then they have to be told. In
> the case of SELinux, this involves correcting the labeling. DAC has
> similar problems, in that you
On 12/07/2010 10:59 AM, Benjamin Franz wrote:
> On 12/07/2010 07:36 AM, Benjamin Franz wrote:
>> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>>
>>> I agree, and would like to look at the AVC's to understand what could
>>> have broken the labeling
>>
On 12/07/2010 07:36 AM, Benjamin Franz wrote:
> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>
>> I agree, and would like to look at the AVC's to understand what could
>> have broken the labeling
>
> Well - since it happened again this morning, here you go. On further
> investigation in backups,
On 12/07/2010 10:36 AM, Benjamin Franz wrote:
> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>
>> I agree, and would like to look at the AVC's to understand what could
>> have broken the labeling
>
> Well - since it happened again this morning, here
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>
> I agree, and would like to look at the AVC's to understand what could
> have broken the labeling
Well - since it happened again this morning, here you go. On further
investigation in backups, I previously had the user account that I use
for the F
On 12/06/2010 09:45 AM, Jerry Franz wrote:
> On 12/06/2010 06:06 AM, Daniel J Walsh wrote:
>>
>> Did you take a look at the AVC messages? Are you running setroubleshoot?
>
> Yes to both.
>> Usually running something like restorecon -R -v /var/ftp wou
On 12/06/2010 06:06 AM, Daniel J Walsh wrote:
>
> Did you take a look at the AVC messages? Are you running setroubleshoot?
Yes to both.
> Usually running something like restorecon -R -v /var/ftp would have
> cleaned this up, if it is a simple mislabel in /var directory.
The point is *I shouldn't
On 12/02/2010 06:34 PM, Jerry Franz wrote:
> On 11/28/2010 09:31 AM, Benjamin Franz wrote:
>> [...]
>> And then, one day, it won't work. Worse - it doesn't always *log* what
>> it is doing in a way that you can figure out. Occasionally not at all.
>> S
On 11/28/2010 09:31 AM, Benjamin Franz wrote:
> [...]
> And then, one day, it won't work. Worse - it doesn't always *log* what
> it is doing in a way that you can figure out. Occasionally not at all.
> So you spend a few hours poking at the system until you try the magic of
> turning off SELinux. A
On 12/01/2010 10:19 AM, m.r...@5-cent.us wrote:
> On this thread, I'm speaking with my manager, and the other admin comes
> in, ranting about selinux, and that he's going to file a bug against it
> with RH Seems he installed RHEL6, and had the misf
On this thread, I'm speaking with my manager, and the other admin comes
in, ranting about selinux, and that he's going to file a bug against it
with RH Seems he installed RHEL6, and had the misfortune of having an
older Sun keyboard, and may have hit the key when entering the
root password...
2010/12/1 Nico Kadel-Garcia :
>> Anyone willing to contribute funds (or time) to such a study? It would be
>> educational experience and good PR, at the least.
>
> Oh, I know the holes and which would be straightforward to get to.
> There's generally enough lower hanging fruit with NFS stored
> p
On Wed, Dec 1, 2010 at 12:52 AM, Geoff Galitz wrote:
I would guess no one knows. But all of my CentOS installs are OOB as
concerning SELinux, except the two scalix installs, which have some
custom
'stuff' thanks to the scalix instance naming.
>>>
>>> All I know is at the last
>>> I would guess no one knows. But all of my CentOS installs are OOB as
>>> concerning SELinux, except the two scalix installs, which have some
>>> custom
>>> 'stuff' thanks to the scalix instance naming.
>>
>> All I know is at the last two companies I worked at - AT&T, a small team
>> building
On 11/30/10 9:28 PM, Marko Vojinovic wrote:
> On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
>> And about apache... most of those attacks are preventable through
>> defensive configuration and coding for httpd itself. Looking to selinux to
>> protect you is very sloppy.
>
> So a guy i
On Wednesday, December 01, 2010 11:37 AM, Nico Kadel-Garcia wrote:
> On Tue, Nov 30, 2010 at 10:28 PM, Marko Vojinovic wrote:
>> On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
>>> And about apache... most of those attacks are preventable through
>>> defensive configuration and coding
On Tue, Nov 30, 2010 at 10:28 PM, Marko Vojinovic wrote:
> On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
>> And about apache... most of those attacks are preventable through
>> defensive configuration and coding for httpd itself. Looking to selinux to
>> protect you is very sloppy.
On Tue, Nov 30, 2010 at 5:23 PM, Lamar Owen wrote:
> On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote:
>> That one's easy, don't ever install the plugin, or anything else from
>> Adobe. Second step, set NoScript to block everything and everyone. If
>> any site has content that require
On Tue, Nov 30, 2010 at 4:19 PM, wrote:
> Lamar Owen wrote:
>> On Tuesday, November 30, 2010 03:49:57 pm Stephen Harris wrote:
>>> Reality check: how many of those installs are RedHat OOB installs with
>>> default options?
>>
>> No idea. How many aren't default OOB?
>>
>> For that matter, how ma
On Tuesday, November 30, 2010 06:04:56 pm John R Pierce wrote:
> for instance, all our java-ware can run just fine in
> /home/$APPUSER/$APPNAME and run as a regular user. if we want to put
> it in /opt/$COMPANY/$APP then we might have to play with selinux
> defaults some, since /opt isn't par
On 11/30/10 12:31 PM, m.r...@5-cent.us wrote:
> And I notice that you don't address the other point, all the in-house
> apps, and if you think management will say "sure, spend whatever it takes
> to rewrite that so it conforms to selinux...", you're living in somewhere
> I don't. And just about eve
Lamar Owen wrote:
> On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote:
>> That one's easy, don't ever install the plugin, or anything else from
>> Adobe. Second step, set NoScript to block everything and everyone. If
>> any site has content that requires either of those, I will never se
On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote:
> That one's easy, don't ever install the plugin, or anything else from
> Adobe. Second step, set NoScript to block everything and everyone. If
> any site has content that requires either of those, I will never see it.
> That's their
1 - 100 of 201 matches