Re: Default permissions on /dev/kvm

2017-03-15 Thread Daniel J Walsh
On 03/15/2017 11:49 AM, Daniel P. Berrange wrote: > On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote: >> >> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote: >>> Sure, if udev maintainers are willing to ship the kvm rule by default, >>> that's fine with me for reason you suggest. I simp

Re: Default permissions on /dev/kvm

2017-03-15 Thread Daniel J Walsh
On 03/15/2017 05:27 AM, Daniel P. Berrange wrote: > On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote: >> >> On 03/14/2017 05:18 PM, Dusty Mabe wrote: >>> On 03/14/2017 05:15 PM, Daniel J Walsh wrote: >>>> On 03/14/2017 05:02 PM, Dusty Mabe

Re: Default permissions on /dev/kvm

2017-03-14 Thread Daniel J Walsh
On 03/14/2017 05:18 PM, Dusty Mabe wrote: > > On 03/14/2017 05:15 PM, Daniel J Walsh wrote: >> >> On 03/14/2017 05:02 PM, Dusty Mabe wrote: >>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote: >>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: >>

Re: Default permissions on /dev/kvm

2017-03-14 Thread Daniel J Walsh
On 03/14/2017 05:02 PM, Dusty Mabe wrote: > > On 03/14/2017 04:56 PM, Daniel J Walsh wrote: >> >> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: >> I guess if you volume/bind mount the device into the container you could >> see an issue, >> but most co

Re: Default permissions on /dev/kvm

2017-03-14 Thread Daniel J Walsh
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: > On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote: >> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876 >> >> Currently if you install a minimal-ish, non-"Virtualization Host" >> Fedora, then the permissions on the /dev/kv

Re: Changing default "docker" storage to Overlay2 in Fedora 26

2017-02-08 Thread Daniel J Walsh
What is going on with this Change Request? Any reason it has not been acted on at this point? We are putting changes into our packages assuming that this will be allowed. On 01/06/2017 05:08 PM, Igor Gnatenko wrote: > On Fri, Jan 6, 2017 at 9:29 PM, Daniel J Walsh wrote: >&

Re: per-product packaging question

2017-02-01 Thread Daniel J Walsh
On 02/01/2017 09:58 AM, Stephen Gallagher wrote: > On 01/30/2017 05:03 PM, Vivek Goyal wrote: >> On Mon, Jan 30, 2017 at 05:00:34PM -0500, Lokesh Mandvekar wrote: >>> Hi, >>> >>> I'm looking at the per-product packaging doc at >>> https://fedoraproject.org/wiki/Packaging:Per-Product_Configuration

Re: per-product packaging question

2017-01-31 Thread Daniel J Walsh
We should just install one default in the default location, We don't want to document to users the difference During post install the content can be modified based on the package. On 01/30/2017 05:03 PM, Vivek Goyal wrote: > On Mon, Jan 30, 2017 at 05:00:34PM -0500, Lokesh Mandvekar wrote: >> H

Re: F26 Self Contained Change: Docker Overlay 2

2017-01-19 Thread Daniel J Walsh
On 01/19/2017 10:17 AM, James Hogarth wrote: > > > On 19 Jan 2017 2:43 pm, "Daniel J Walsh" wrote: > > > > On 01/19/2017 09:20 AM, Matthew Miller wrote: > > On Thu, Jan 19, 2017 at 08:36:02AM +0100, Jan Kurik wro

Re: F26 Self Contained Change: Docker Overlay 2

2017-01-19 Thread Daniel J Walsh
On 01/19/2017 09:20 AM, Matthew Miller wrote: > On Thu, Jan 19, 2017 at 08:36:02AM +0100, Jan Kurik wrote: >> Change the default Docker Storage to be overlay2 . > I made a couple of edits to this, mostly clarifying that overlay2 is > not a second overlay filesystem, but a second Docker driver for

Re: Changing default "docker" storage to Overlay2 in Fedora 26

2017-01-06 Thread Daniel J Walsh
https://fedoraproject.org/wiki/Changes/DockerOverlay2 On 01/06/2017 02:27 PM, Igor Gnatenko wrote: > Shouldn't this be submitted as a change? > > This would bring much more visibility to users of Fedora and even outside. > > -Igor Gnatenko > > On Jan 6, 201

Changing default "docker" storage to Overlay2 in Fedora 26

2017-01-06 Thread Daniel J Walsh
Upstream docker is moving to overlay2 by default for its storage. We plan on following suit. There are some performance advantages of overlay2 over devicemapper in memory sharing, which we would like to take advantage of. We now have SELinux support for Overlay file systems, so the security sh

Re: Proposal: Rethink Fedora multilib support

2017-01-05 Thread Daniel J Walsh
On 01/05/2017 01:36 PM, Stephen John Smoogen wrote: > On 5 January 2017 at 13:31, Daniel J Walsh wrote: >>> You just described a fundamental change to how people would need to >>> build 32-bit applications locally. They don't have to install a >>> VM/chroo

Re: Proposal: Rethink Fedora multilib support

2017-01-05 Thread Daniel J Walsh
On 01/05/2017 01:26 PM, Josh Boyer wrote: > On Thu, Jan 5, 2017 at 11:25 AM, Stephen Gallagher > wrote: >> On 01/05/2017 11:17 AM, Tom Hughes wrote: >>> On 05/01/17 16:03, Stephen Gallagher wrote: >>> For many years, Fedora has supported multilib by carrying parallel-installable

Re: CVE-2016-8655, systemd, and Fedora

2016-12-16 Thread Daniel J Walsh
On 12/13/2016 03:21 PM, Tom Hughes wrote: > On 13/12/16 20:02, Przemek Klosowski wrote: >> On 12/13/2016 02:51 PM, Lennart Poettering wrote: >>> Yeah, this is really what it boils down to: the goal with the systemd >>> directives is to make things easy to grok and easy to change. I can >>> probab

Re: Missing kubernetes files in f25 atomic?

2016-11-23 Thread Daniel J Walsh
s a nice idea indeed. I found the > original post from Giuseppe: > http://www.projectatomic.io/blog/2016/09/intro-to-system-containers/ > > Do you think that I could use it to setup a small test cluster or it > is still in progress? > > Best, > > Mario > > On Wed,

Re: Missing kubernetes files in f25 atomic?

2016-11-23 Thread Daniel J Walsh
On 11/23/2016 10:19 AM, Matthew Miller wrote: > On Wed, Nov 23, 2016 at 10:15:29AM -0500, Daniel J Walsh wrote: >> We are working on this in >> https://github.com/projectatomic/atomic-system-containers >> >> >> I think giuseppe has some experimental system cont

Re: Missing kubernetes files in f25 atomic?

2016-11-23 Thread Daniel J Walsh
We are working on this in https://github.com/projectatomic/atomic-system-containers I think giuseppe has some experimental system containers available for this. We need to build them as official Fedora 25 container images though. On 11/23/2016 09:12 AM, Mario Ceresa wrote: > Hi, > I've just

Re: Modifying container storage for Fedora 26.

2016-11-23 Thread Daniel J Walsh
On 11/22/2016 06:24 PM, Josh Berkus wrote: > Vivek, Dan, > >> - Now when docker users overlay2 graph driver, all the images, containers >> and associated metadata will be stored outside the root filesystem and >> onto /dev/docker-vg/foo logical volume. > This is a change from current storage

Re: Modifying container storage for Fedora 26.

2016-11-18 Thread Daniel J Walsh
0500, Stephen Gallagher wrote: > > >> On 11/16/2016 02:56 PM, Vivek Goyal wrote: > > >>> On Wed, Nov 16, 2016 at 02:49:25PM -0500, Stephen Gallagher > wrote: > > >>>> On 11/16/2016 02:40 PM, Vivek Goyal wrote: > > >>>

Modifying container storage for Fedora 26.

2016-11-16 Thread Daniel J Walsh
We would like to change the docker container storage to default to Overlayfs2 in Fedora 26. But we have a problem on Atomic Host and Fedora Server distributions. Currently docker-storage-setup defaults to devicemapper and is hard coded to setup a thinpool of 40% of remaining disk. Otherwise it

Re: docker-compose & selinux

2016-10-31 Thread Daniel J Walsh
On 10/30/2016 02:54 PM, Nikos Roussos wrote: > On 10/28/2016 02:58 PM, Daniel J Walsh wrote: >> What AVC's are you seeing? > Plenty of AVC messages in the form: > > type=AVC msg=audit(1477853452.023:1338): avc: denied { setattr } for > pid=23456 comm="chown"

Re: docker-compose & selinux

2016-10-28 Thread Daniel J Walsh
What AVC's are you seeing? On 10/28/2016 05:59 AM, Nikos Roussos wrote: > I use docker-compose extensively for local development. On F24 all I had > to do to make it play well with selinux was something like this: > > sudo chcon -Rt svirt_sandbox_file_t project_folder > > After updating to F25 th

Re: User instances of systemd and SELinux

2016-08-15 Thread Daniel J Walsh
On 08/15/2016 04:10 PM, Andrew Lutomirski wrote: > On Mon, Aug 15, 2016 at 12:59 PM, Daniel J Walsh wrote: >> >> On 08/10/2016 03:42 PM, Andrew Lutomirski wrote: >>> On Wed, Aug 10, 2016 at 12:26 PM, Zbigniew Jędrzejewski-Szmek >>> wrote: >>>> On Tu

Re: User instances of systemd and SELinux

2016-08-15 Thread Daniel J Walsh
On 08/10/2016 03:42 PM, Andrew Lutomirski wrote: > On Wed, Aug 10, 2016 at 12:26 PM, Zbigniew Jędrzejewski-Szmek > wrote: >> On Tue, Aug 09, 2016 at 01:32:10PM -0400, Daniel J Walsh wrote: >>> >>> On 08/09/2016 10:24 AM, Michal Sekletar wrote: >>>>

Re: User instances of systemd and SELinux

2016-08-09 Thread Daniel J Walsh
On 08/09/2016 10:24 AM, Michal Sekletar wrote: > Hi all, > > Most of you are probably aware that systemd except running as PID 1 > also runs inside user sessions. This allow users to define their own > "user services" and start up various scripts and background processes > right after logging in.

Re: RFC: Fedora Docker Layered Image Guidelines

2016-04-29 Thread Daniel J Walsh
Hopefully we are looking at getting docker-squash/docker-scripts involved in squashing images built from the service. At least optionally if not required. docker-squash should allow you to squash everything in the Dockerfile back to the from line. from=$(awk '/^FROM/{print $2}' ~/Dockerfile

Re: packaging suid files

2016-04-20 Thread Daniel J Walsh
No, most likely the suid file should be fine with SELinux. Only a confined user would be prevented from using it. On 04/20/2016 07:12 AM, Dave Love wrote: I have a package to submit that has an suid binary. The packaging guidelines say in that case you must %global _hardened_build 1 and it t

Re: HEADS UP: systemd package split

2016-03-07 Thread Daniel J Walsh
On 03/05/2016 03:09 PM, Haïkel wrote: 2016-03-04 23:36 GMT+01:00 Zbigniew Jędrzejewski-Szmek : Hi, I finally pushed the split of the systemd package to Rawhide and F24 today [https://fedoraproject.org/w/index.php?title=Changes/systemd_package_split]. If you upgrade with dnf you should see som

Re: Minimizing the fedora docker base image footprint

2016-02-22 Thread Daniel J Walsh
On Mon, 2016-02-22 at 11:26 -0500, Bill Nottingham wrote: > Courtney Pacheco (cpach...@redhat.com) said:  > > > > Hi everyone, > > > > I've spent some time trying to minimize the footprint of the Fedora > > docker > > base image. Overall, I managed to reduce its size by 39.9%. > > > > A summary

Re: ship Fedora with /etc/{subuid|subgid}

2016-02-17 Thread Daniel J Walsh
ists.fedoraproject.org > | Cc: "Daniel J Walsh" , "Nalin Dahyabhai" > > | Inviato: Mercoledì, 17 febbraio 2016 14:44:34 > | Oggetto: ship Fedora with /etc/{subuid|subgid} > | > | Hello everyone, > | > | TL;DR; > | a fresh Fedora installation won't

Re: F24 Self Contained Change: System Python

2016-02-08 Thread Daniel J Walsh
On 02/08/2016 01:16 PM, Chris Murphy wrote: > On Mon, Feb 8, 2016 at 10:47 AM, Stephen Gallagher > wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On 02/08/2016 12:45 PM, Mathieu Bridon wrote: >>> On Mon, 2016-02-08 at 17:21 +0100, Petr Viktorin wrote: Part of the change i

Re: Easier %config management?

2015-12-16 Thread Daniel J Walsh
On 12/15/2015 09:32 PM, Colin Walters wrote: > On Tue, Dec 15, 2015, at 06:43 PM, Japheth Cleaver wrote: >> >> Perhaps RPM (or yum/dnf, via plugin) could write a duplicate copy of >> all config files into a tree somewhere? (E.g., /usr/lib/config/ or >> /usr/share/config/?) > > I mentioned thi

Re: Fedora Docker Images containing fedora-updates-testing packages

2015-07-23 Thread Daniel J Walsh
Theoretically you should be able to build F21 and F22 containers and run them on F20. The only problem would be if software within a container tried to use something that the F20 Kernel did not support. On 07/23/2015 11:11 AM, Jon Miller wrote: > Matthew Miller writes: > >> On Wed, Jul 22, 2015 a

Re: F23 System Wide Change: SELinux policy store migration

2015-06-15 Thread Daniel J Walsh
Could all of this be done with links? I.e., could you install selinux-policy into /usr/share/selinux/TARGETED/base/*.pp /usr/share/selinux/TARGETED/custom/*.pp Then we reassemble these modules with custom modules in /var/lib/selinux/TARGETED/ supplied by administrators? On 06/15/2015 05:15 AM, Pe

New Article on Future Docker Security.

2015-03-19 Thread Daniel J Walsh
http://opensource.com/business/15/3/docker-security-future -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Is systemd within a Docker container still recommended?

2015-03-02 Thread Daniel J Walsh
On 03/02/2015 10:03 AM, Mauricio Tavares wrote: > On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering > wrote: >> On Mon, 02.03.15 09:17, Daniel J Walsh (dwa...@redhat.com) wrote: >> >>> On 03/01/2015 10:41 PM, Michael DePaulo wrote: >>>> Hi, >>>

Re: Is systemd within a Docker container still recommended?

2015-03-02 Thread Daniel J Walsh
On 03/01/2015 10:41 PM, Michael DePaulo wrote: > Hi, > > I am developing a Dockerfile for X2Go. I intend to submit a PR to > fedora-Dockerfiles within a week. > > https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go > > (X2Go was already added in F20) > https://fedoraproject.org/wiki/Cha

Re: yum or dnf in the Fedora 22 Docker base image?

2015-02-17 Thread Daniel J Walsh
Not that I know of. On 02/16/2015 09:50 AM, M. Edward (Ed) Borasky wrote: > Thanks! Are there tracking bugs in Bugzilla I can subscribe to? > > On Mon, Feb 16, 2015 at 9:42 AM, Daniel J Walsh wrote: >> On 02/16/2015 12:31 PM, M. Edward (Ed) Borasky wrote: >>> On Mon,

Re: yum or dnf in the Fedora 22 Docker base image?

2015-02-16 Thread Daniel J Walsh
On 02/16/2015 12:31 PM, M. Edward (Ed) Borasky wrote: > On Mon, Feb 16, 2015 at 5:19 AM, Daniel J Walsh wrote: > >> I think the F22 and Rawhide (Is it F23 at this point), should both use dnf >> not yum. We need to get more testing on dnf in containers. > I'm

Re: yum or dnf in the Fedora 22 Docker base image?

2015-02-16 Thread Daniel J Walsh
On 02/16/2015 02:32 AM, Jan Zelený wrote: > On 14. 2. 2015 at 22:28:53, M. Edward Borasky wrote: >> Right now, the fedora:rawhide image on Docker Hub uses yum instead of >> dnf, as does the Fedora 21 release. Is there any plan to switch this >> release over to dnf? > Not likely. Porting of the sy

Re: Is it a SELinux policy problem ?

2015-01-27 Thread Daniel J Walsh
On 01/27/2015 05:11 PM, Casper wrote: > Or is it a luajit problem ? > > Dear devs hello. > I would like to determine if these AVC are caused by prosody, lua, or > a wrong SELinux policy. > This avc (execmem) looks like it is allowed in Fedora selinux-policy-3.13.1-105.fc21.src.rpm Does prosody ha

Re: Flash plugin 0-day vulnerability in the wild

2015-01-23 Thread Daniel J Walsh
On 01/23/2015 10:25 AM, poma wrote: > On 23.01.2015 15:12, Kevin Fenzi wrote: >> On Fri, 23 Jan 2015 12:44:23 +0100 >> poma wrote: >> >>> On 23.01.2015 10:51, Martin Stransky wrote: Folk, There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash

Re: F22 System Wide Change: Enable Polyinstantiated /tmp and /var/tmp directories by default

2015-01-21 Thread Daniel J Walsh
On 01/20/2015 07:29 AM, Lennart Poettering wrote: > On Tue, 20.01.15 12:53, Jaroslav Reznik (jrez...@redhat.com) wrote: > >> = Proposed System Wide Change: Enable Polyinstantiated /tmp and /var/tmp >> directories by default = >> https://fedoraproject.org/wiki/Changes/Polyinstantiated_tmp_by_Defau

Re: docker 1.4.0 available, fixes multiple CVEs - testing/karma needed

2014-12-13 Thread Daniel J Walsh
On 12/12/2014 03:34 PM, Lokesh Mandvekar wrote: > On Fri, Dec 12, 2014 at 10:14:50AM -0800, M. Edward (Ed) Borasky wrote: >> Working here on F21 - karma logged! > Thanks. Btw, could you also check if things work fine after restarting > docker.service (if not tested already)? I see database locked

Re: Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet

2014-12-09 Thread Daniel J Walsh
You can do this with SELinux and confined users somewhat. You basically could set up a user as xguest with no network access and then write policy to transition to certain domains that can use the internet. No ability to prompt the user though. This will get you most of the way you want to go, bu

I want to make Ryan Hallisey a co-maintainer of policycoreutils.

2014-11-18 Thread Daniel J Walsh
He is not currently in the packager list. But he does not have a package that needs to be added to Fedora. He is just making changes to policycoreutils? What is the procedure to get him on the packager list for this package. Dan

Re: SSH server always terminating after some time

2014-11-18 Thread Daniel J Walsh
On 11/14/2014 09:37 PM, Basil Mohamed Gohar wrote: > On 11/14/2014 08:49 AM, Florian Weimer wrote: >> On 11/14/2014 02:46 PM, Basil Mohamed Gohar wrote: >>> The only non-standard thing I can think I'm doing is running SSH on >>> another port, and I've already gotten SELinux to accept that fact. T

Re: Running docker in a mock chroot

2014-11-05 Thread Daniel J Walsh
On 11/05/2014 05:45 PM, Dridi Boukelmoune wrote: > Hi, > > I haven't really tried, I only wanted to look at fig 1.0 currently in > f21 updates-testing. So I --shell'ed inside my fedora-21-x86_64 > mock chroot after installing fig, and tried to start a docker daemon > in the background but it faile

Time to start blogging on all of the new Security features in Fedora 21

2014-09-12 Thread Daniel J Walsh
If you have one, please send it to me with some explanation of what it is and why it is important.

Anyone know how to get rsyslog to not use journald but to listen on /dev/log again.

2014-09-10 Thread Daniel J Walsh
We need this for running rsyslog within a docker container where systemd/journald might not be running. https://bugzilla.redhat.com/show_bug.cgi?id=1139734

Re: Systemd boot issue

2014-09-09 Thread Daniel J Walsh
Did you try to boot with enforcing=0? To see if it is an SELinux issue? On 09/09/2014 09:46 AM, P J P wrote: > Hello, > > I've been trying to boot into kernel-3.16.0 on a F19 machine. But it just > stops after saying > > .. > [OK] Reached target Initrd Default target > > System is not hung, b

Re: systemd dependencies

2014-08-30 Thread Daniel J Walsh
On 08/26/2014 08:23 AM, Lennart Poettering wrote: > On Tue, 26.08.14 14:18, Vít Ondruch (vondr...@redhat.com) wrote: > Recently I have noticed that systemd package dependency is creeping into some packages where it is not necessary. subversion [1] or rsync [2] are good examples. Ple

Re: fakesystemd package breaking builds

2014-08-28 Thread Daniel J Walsh
On 08/28/2014 02:10 PM, Lennart Poettering wrote: > On Thu, 28.08.14 07:24, Daniel J Walsh (dwa...@redhat.com) wrote: > >>>>> But regarding kmod/devicemapper, can we please get some stats about how >>>>> big this individually are, and how much is saved by thi

Re: fakesystemd package breaking builds

2014-08-28 Thread Daniel J Walsh
On 08/27/2014 03:15 PM, Lennart Poettering wrote: > On Wed, 27.08.14 21:00, Václav Pavlín (vpav...@redhat.com) wrote: > >>> I also offered to split out the hwdb in Brno, if you remember. If this >>> is about the hwdb, then let's just do that... >> Talk to Michal Sekletar about it then - he is work

Re: BIND 9.10.1 beta with seccomp functionality

2014-08-19 Thread Daniel J Walsh
On 08/19/2014 11:20 AM, Tomasz Torcz wrote: > On Tue, Aug 19, 2014 at 10:12:31AM -0500, Chris Adams wrote: >> Once upon a time, Tomas Hozza said: >>> That's where seccomp kicks in, it acts as a 2nd wall of defence. In case >>> of a security hole being present in the server process, it goes furthe

Re: Advice needed for packaging local SELinux policy

2014-07-22 Thread Daniel J Walsh
On 07/22/2014 01:42 PM, John Florian wrote: > > I have a locally maintained package for private use that among other > things constrains proliferation of files in the following directory: > > > > # ls -lZd /var/lib/puppet/reports/ > > drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:

Re: runuser error in a docker container on rawhide

2014-06-04 Thread Daniel J Walsh
the >>> container in privileged mode (--privileged=true) and that didn't >>> change anything. The runuser command still prints "System error" if I >>> use it to do anything, even nothing. >>> >>> Rob >>> >>> On 06

Re: runuser error in a docker container on rawhide

2014-06-04 Thread Daniel J Walsh
The runuser command still prints "System error" if I > use it to do anything, even nothing. > > Rob > > On 06/04/2014 02:37 PM, Daniel J Walsh wrote: >> >> On 06/04/2014 02:27 PM, Robert Rati wrote: >>> I'm trying to run some docker containe

Re: runuser error in a docker container on rawhide

2014-06-04 Thread Daniel J Walsh
On 06/04/2014 02:27 PM, Robert Rati wrote: > I'm trying to run some docker containers and it appears the runuser in > rawhide isn't functional in the container: > > # runuser > runuser: System error > > I can run runuser in a physical system running rawhide however. These > same images created of

Re: selinux issue with containers

2014-05-29 Thread Daniel J Walsh
On 05/28/2014 05:26 PM, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, May 28, 2014 at 01:52:23PM -0400, Daniel J Walsh wrote: >> On 05/28/2014 01:40 PM, Richard W.M. Jones wrote: >>> On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote: >>>>

Re: selinux issue with containers

2014-05-28 Thread Daniel J Walsh
On 05/28/2014 01:40 PM, Richard W.M. Jones wrote: > On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote: >> On Wed, May 28, 2014 at 10:41:45AM -0400, Daniel J Walsh wrote: >>> Yum -y update your entire computer and yum reinstall >>> selinux-poli

Re: selinux issue with containers

2014-05-28 Thread Daniel J Walsh
Yum -y update your entire computer and yum reinstall selinux-policy-targeted Should fix the problem. On 05/27/2014 09:12 PM, Zbigniew Jędrzejewski-Szmek wrote: > Hi, > installing Fedora in containers fails strangely (see below). It seems to be > selinux related, since booting with selinux=0 allo

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-05-02 Thread Daniel J Walsh
On 05/02/2014 06:32 AM, Lennart Poettering wrote: > On Wed, 30.04.14 09:44, Daniel J Walsh (dwa...@redhat.com) wrote: > >> On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote: >>> Em 29-04-2014 18:27, Martin Langhoff escreveu: >>>> On Tue, Apr 2

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-30 Thread Daniel J Walsh
On 04/30/2014 10:28 AM, Adam Jackson wrote: > On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote: > >> I suspect just dropping the deps would break initial installations, e.g. >> anaconda / livecd-creator. RPM uses the deps to order the transaction so >> that systemd gets installed first, and t

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-30 Thread Daniel J Walsh
On 04/30/2014 10:05 AM, Kalev Lember wrote: > On 04/29/2014 12:31 PM, Lennart Poettering wrote: >> On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote: >> >>> On Apr 28, 2014 5:01 PM, "Daniel J Walsh" wrote: >>>> The problem is lots o

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-30 Thread Daniel J Walsh
On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote: > Em 29-04-2014 18:27, Martin Langhoff escreveu: >> On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald > > wrote: >> >> defense in depth means limit the attack surface as much as you can >> >> >> As folks are try

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/29/2014 03:17 PM, Chris Adams wrote: > Once upon a time, Reindl Harald said: >> wrong question - is /bin/sh used? >> if the answer is yes then the anser to your question is no >> >> the point is remove anything *unneeded* from production systems >> that are best practices for many years and

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/29/2014 06:33 AM, Lennart Poettering wrote: > On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote: > >> The problem is lots of services require systemd because they ship a >> unit file and want systemctl reload to happen. Systemd then triggers a >> r

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/28/2014 06:44 PM, Adam Jackson wrote: > On Mon, 2014-04-28 at 17:01 -0400, Daniel J Walsh wrote: >> The problem is lots of services require systemd because they ship a >> unit file and want systemctl reload to happen. Systemd then triggers a >> require for udev a

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/29/2014 06:31 AM, Lennart Poettering wrote: > On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote: > >> On Apr 28, 2014 5:01 PM, "Daniel J Walsh" wrote: >>> The problem is lots of services require systemd because they ship a >>> unit

We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-28 Thread Daniel J Walsh
The problem is lots of services require systemd because they ship a unit file and want systemctl reload to happen. Systemd then triggers a require for udev and kmod, which docker containers do not need. rpm -q --whatrequires systemd| wc -l 151 On rawhide I see 151 packages on my system which re

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Daniel J Walsh
On 04/16/2014 09:32 AM, Simo Sorce wrote: > On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote: >> On 04/15/2014 09:31 AM, Simo Sorce wrote: >>> On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: >>>> I keep thinking that, if I had unlimited time, I

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Daniel J Walsh
On 04/15/2014 09:31 AM, Simo Sorce wrote: > On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: >> I keep thinking that, if I had unlimited time, I'd write a totally >> different kind of firewall. It would allow some policy (userspace >> daemon or rules loaded into the kernel) to determin

Re: F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

2014-03-27 Thread Daniel J Walsh
On 03/27/2014 04:03 PM, Miloslav Trmač wrote: > 2014-03-27 20:57 GMT+01:00 Daniel J Walsh : >> On 03/27/2014 01:49 PM, Miloslav Trmač wrote: >>> 2014-03-26 15:06 GMT+01:00 Jaroslav Reznik : >>>> == Detailed Description == >>>> When PrivateDevices=y

Re: F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

2014-03-27 Thread Daniel J Walsh
On 03/27/2014 01:49 PM, Miloslav Trmač wrote: > 2014-03-26 15:06 GMT+01:00 Jaroslav Reznik : >> == Detailed Description == >> When PrivateDevices=yes... >> Furthermore, the >> CAP_MKNOD capability is removed. Finally, the "devices" cgroup controller is >> used to ensure that no access to device no

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-03-06 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/06/2014 01:45 AM, Dan Callaghan wrote: > Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000: >> Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000: >>> This is caused by sshd running with the wrong label, It shoul

Re: Server Technical Specification: Agenda and First Draft

2014-02-28 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/28/2014 08:56 AM, drago01 wrote: > On Fri, Feb 28, 2014 at 2:43 PM, Stephen Gallagher > wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >> >> For the sake of keeping people in the loop, here's a first pass at the >> Fedora Server t

Re: change Selinux context in %post?

2014-02-11 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/11/2014 03:23 PM, Richard Shaw wrote: > On Tue, Feb 11, 2014 at 9:43 AM, Daniel J Walsh wrote: > > -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > > On 02/06/2014 12:44 PM, Richard Shaw

Re: change Selinux context in %post?

2014-02-11 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/06/2014 12:44 PM, Richard Shaw wrote: > On Thu, Feb 6, 2014 at 11:37 AM, Daniel J Walsh wrote: > > -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > > On 02/06/2014 02:39 PM, Richard Shaw

Re: change Selinux context in %post?

2014-02-11 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/07/2014 02:18 PM, Richard Shaw wrote: > Ok, after sleeping on it, I have a question. > > Do I really need a full blown policy? I'm not creating anything new here. > I'm just applying the existing context applied to /var/lib/mongod to > /var/lib

Re: Audit overhead and default rules

2014-02-11 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/10/2014 04:49 PM, Andrew Lutomirski wrote: > On Mon, Feb 10, 2014 at 1:02 PM, Steve Grubb wrote: >> On Monday, February 10, 2014 12:41:08 PM Andrew Lutomirski wrote: > There are, indeed, many ways for me to fix this on my machine. > I'm

Re: change Selinux context in %post?

2014-02-06 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/06/2014 02:39 PM, Richard Shaw wrote: > On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý wrote: > >> On 02/05/2014 08:24 PM, Richard Shaw wrote: >> >>> Are there official guidelines on how to handle selinux contexts in >>> packaging? I can stil

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-27 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2014 07:29 PM, Alek Paunov wrote: > On 24.01.2014 21:20, Daniel J Walsh wrote: >>> >> No, we pretty much allow executable stack/memory from user processes now >> and block it for most daemons, except for

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-27 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/26/2014 03:49 PM, Andrew Lutomirski wrote: > On Sun, Jan 26, 2014 at 12:38 PM, Richard W.M. Jones > wrote: >> Slightly OT, but is SELinux stopping programs from executing code at >> address zero? (And how can I stop it doing that?) >> >> JONE

Re: Drawing lessons from fatal SELinux bug #1054350

2014-01-24 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2014 01:35 PM, Reindl Harald wrote: > > > Am 24.01.2014 19:31, schrieb Reindl Harald: >> >> Am 24.01.2014 19:18, schrieb drago01: >>> On Fri, Jan 24, 2014 at 7:12 PM, Fabian Deutsch >>> wrote: Am Freitag, den 24.01.2014, 00:55 +0100 s

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2014 02:11 PM, Björn Persson wrote: > Daniel J Walsh wrote: >> Here is the request from upstream to enable this feature in Rawhide, with >> an explanation of what it does. >> >>> "Android is starting to a

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Here is the request from upstream to enable this feature in Rawhide, with an explanation of what it does. > "Android is starting to apply execmem and friends to the non-Dalvik > components (i.e. non-Java components, primarily the native system > daem

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2014 10:32 AM, Lennart Poettering wrote: > On Fri, 24.01.14 10:22, Daniel J Walsh (dwa...@redhat.com) wrote: > > Heya, > > Do we really need a service for this? Can't this be done instead via a > tmpfiles snippe

I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I wrote a systemd unit file to enable it, and to allow a user to disable the feature if he wants. # cat /usr/lib/systemd/system/selinux-checkreqprot.service [Unit] Description=SELinux check actual protection flags applied by kernel, rather than checki

Re: Go packaging guidelines?

2014-01-21 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/14/2014 02:18 PM, Matthew Miller wrote: > On Tue, Jan 14, 2014 at 12:06:09PM +0100, Florian Weimer wrote: >> A couple of questions and comments. I think overall, the approach >> works. # Packaging Libraries This does not mention libraries which

Re: SELinux RPM scriptlet issue announcement

2014-01-20 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2014 10:50 AM, Simo Sorce wrote: > On Mon, 2014-01-20 at 08:42 +0100, Michael Schwendt wrote: >> On Sun, 19 Jan 2014 23:02:24 -0500, Simo Sorce wrote: >> Anyone not aware of the problem and the fix, who applies the -117.fc20 selinux

Re: SELinux RPM scriptlet issue announcement

2014-01-20 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/20/2014 04:42 AM, Michael Schwendt wrote: I think we should have a much higher Karma for SELinux-policy to be released. 5 or maybe 10. The problem with selinux-policy is it gets karma fast, since each update fixes multiple bugs. And people jus

Re: Livecd-creator is disabling selinux

2014-01-14 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/13/2014 04:17 PM, Richard W.M. Jones wrote: > [Moving this to the libguestfs mailing list] > > On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >

Re: Livecd-creator is disabling selinux

2014-01-13 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/13/2014 11:49 AM, Richard W.M. Jones wrote: > On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote: >> Secondly we prevent even unconfined_t from putting down labels on the >> file system that the kernel does not under

Re: Livecd-creator is disabling selinux

2014-01-13 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/10/2014 10:47 PM, Dennis Gilmore wrote: > El Fri, 10 Jan 2014 18:31:13 -0700 Tim Flink escribió: >> On Fri, 10 Jan 2014 15:35:59 -0800 Adam Williamson >> wrote: > >>> On Fri, 2014-01-10 at 17:33 -0600, Dennis Gilmore wrote: El Fri, 10 Jan

Re: Livecd-creator is disabling selinux

2014-01-09 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/09/2014 05:32 AM, Maros Zatko wrote: > Dear guys and ladies, So it seems like livecd-creator is silently disabling > selinux. Proof: vim $(which livecd-creator) ; line 150 Fact, that it's > re-enabled afterwards doesn't ease silent disablement of

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-01-02 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/27/2013 05:06 PM, Philip Prindeville wrote: > I’m seeing the following after an update (via yum) from F19 to F20: > > time->Tue Dec 24 16:05:44 2013 type=SYSCALL > msg=audit(1387926344.492:5867): arch=c03e syscall=1 success=no exit=-13

Re: Fedora 20 TC2 AMIs

2013-11-22 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/21/2013 03:13 PM, Vitaly Kuznetsov wrote: > Matthew Miller writes: > >> On Thu, Nov 21, 2013 at 01:30:15PM +0100, Vitaly Kuznetsov wrote: >>> I ran basic tests against them and they're ok. The only issue I still >>> see is wrong SELinux context

Re: Fedora 20 TC2 AMIs

2013-11-21 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/21/2013 07:30 AM, Vitaly Kuznetsov wrote: > Dennis Gilmore writes: > >> Hi all, >> >> Final TC2 images have been uploaded to EC2 and are available at >> >> ami-3392b55a : us-east-1 image for i386 ami-f794b39e : us-east-1 image >> for x86_64 >
