Re: Default permissions on /dev/kvm

2017-03-15 Thread Daniel J Walsh
On 03/15/2017 11:49 AM, Daniel P. Berrange wrote: > On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote: >> >> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote: >>> Sure, if udev maintainers are willing to ship the kvm rule by default, >>> that's fine with me for reason you suggest. I

Re: Default permissions on /dev/kvm

2017-03-15 Thread Daniel J Walsh
On 03/15/2017 05:27 AM, Daniel P. Berrange wrote: > On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote: >> >> On 03/14/2017 05:18 PM, Dusty Mabe wrote: >>> On 03/14/2017 05:15 PM, Daniel J Walsh wrote: >>>> On 03/14/2017 05:02 PM, Dusty Mabe

Re: Default permissions on /dev/kvm

2017-03-14 Thread Daniel J Walsh
On 03/14/2017 05:18 PM, Dusty Mabe wrote: > > On 03/14/2017 05:15 PM, Daniel J Walsh wrote: >> >> On 03/14/2017 05:02 PM, Dusty Mabe wrote: >>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote: >>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: >>

Re: Default permissions on /dev/kvm

2017-03-14 Thread Daniel J Walsh
On 03/14/2017 05:02 PM, Dusty Mabe wrote: > > On 03/14/2017 04:56 PM, Daniel J Walsh wrote: >> >> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: >> I guess if you volume/bind mount the device into the container you could >> see an issue, >> but mos

Re: Default permissions on /dev/kvm

2017-03-14 Thread Daniel J Walsh
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: > On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote: >> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876 >> >> Currently if you install a minimal-ish, non-"Virtualization Host" >> Fedora, then the permissions on the

Re: Changing default "docker" storage to Overlay2 in Fedora 26

2017-02-08 Thread Daniel J Walsh
What is going on with this Change Request? Any reason it has not been acted on at this point? We are putting changes into our packages assuming that this will be allowed. On 01/06/2017 05:08 PM, Igor Gnatenko wrote: > On Fri, Jan 6, 2017 at 9:29 PM, Daniel J Walsh <dwa...@redhat.com>

Re: per-product packaging question

2017-02-01 Thread Daniel J Walsh
On 02/01/2017 09:58 AM, Stephen Gallagher wrote: > On 01/30/2017 05:03 PM, Vivek Goyal wrote: >> On Mon, Jan 30, 2017 at 05:00:34PM -0500, Lokesh Mandvekar wrote: >>> Hi, >>> >>> I'm looking at the per-product packaging doc at >>>

Re: per-product packaging question

2017-01-31 Thread Daniel J Walsh
We should just install one default in the default location, We don't want to document to users the difference During post install the content can be modified based on the package. On 01/30/2017 05:03 PM, Vivek Goyal wrote: > On Mon, Jan 30, 2017 at 05:00:34PM -0500, Lokesh Mandvekar wrote: >>

Re: F26 Self Contained Change: Docker Overlay 2

2017-01-19 Thread Daniel J Walsh
On 01/19/2017 10:17 AM, James Hogarth wrote: > > > On 19 Jan 2017 2:43 pm, "Daniel J Walsh" <dwa...@redhat.com> wrote: > > > > On 01/19/2017 09:20 AM, Matthew Miller wrote: > > On Thu, Jan 19, 2017 a

Re: F26 Self Contained Change: Docker Overlay 2

2017-01-19 Thread Daniel J Walsh
On 01/19/2017 09:20 AM, Matthew Miller wrote: > On Thu, Jan 19, 2017 at 08:36:02AM +0100, Jan Kurik wrote: >> Change the default Docker Storage to be overlay2 . > I made a couple of edits to this, mostly clarifying that overlay2 is > not a second overlay filesystem, but a second Docker driver

Re: Changing default "docker" storage to Overlay2 in Fedora 26

2017-01-06 Thread Daniel J Walsh
https://fedoraproject.org/wiki/Changes/DockerOverlay2 On 01/06/2017 02:27 PM, Igor Gnatenko wrote: > Shouldn't this be submitted as a change? > > This would bring much more visibility to users of Fedora and even outside. > > -Igor Gnatenko > > On Jan 6, 2017 8:13 PM,

Changing default "docker" storage to Overlay2 in Fedora 26

2017-01-06 Thread Daniel J Walsh
Upstream docker is moving to overlay2 by default for its storage. We plan on following suit. There are some performance advantages of overlay2 over devicemapper in memory sharing, which we would like to take advantage of. We now have SELinux support for Overlay file systems, so the security

Re: Proposal: Rethink Fedora multilib support

2017-01-05 Thread Daniel J Walsh
On 01/05/2017 01:36 PM, Stephen John Smoogen wrote: > On 5 January 2017 at 13:31, Daniel J Walsh <dwa...@redhat.com> wrote: >>> You just described a fundamental change to how people would need to >>> build 32-bit applications locally. They don't have to install a >

Re: Proposal: Rethink Fedora multilib support

2017-01-05 Thread Daniel J Walsh
On 01/05/2017 01:26 PM, Josh Boyer wrote: > On Thu, Jan 5, 2017 at 11:25 AM, Stephen Gallagher > wrote: >> On 01/05/2017 11:17 AM, Tom Hughes wrote: >>> On 05/01/17 16:03, Stephen Gallagher wrote: >>> For many years, Fedora has supported multilib by carrying

Re: CVE-2016-8655, systemd, and Fedora

2016-12-16 Thread Daniel J Walsh
On 12/13/2016 03:21 PM, Tom Hughes wrote: > On 13/12/16 20:02, Przemek Klosowski wrote: >> On 12/13/2016 02:51 PM, Lennart Poettering wrote: >>> Yeah, this is really what it boils down to: the goal with the systemd >>> directives is to make things easy to grok and easy to change. I can >>>

Re: Missing kubernetes files in f25 atomic?

2016-11-23 Thread Daniel J Walsh
ems a nice idea indeed. I found the > original post from Giuseppe: > http://www.projectatomic.io/blog/2016/09/intro-to-system-containers/ > > Do you think that I could use it to setup a small test cluster or it > is still in progress? > > Best, > > Mario > > On Wed, 23 N

Re: Missing kubernetes files in f25 atomic?

2016-11-23 Thread Daniel J Walsh
On 11/23/2016 10:19 AM, Matthew Miller wrote: > On Wed, Nov 23, 2016 at 10:15:29AM -0500, Daniel J Walsh wrote: >> We are working on this in >> https://github.com/projectatomic/atomic-system-containers >> >> >> I think giuseppe has some experimental system cont

Re: Missing kubernetes files in f25 atomic?

2016-11-23 Thread Daniel J Walsh
We are working on this in https://github.com/projectatomic/atomic-system-containers I think giuseppe has some experimental system containers available for this. We need to build them as official Fedora 25 container images though. On 11/23/2016 09:12 AM, Mario Ceresa wrote: > Hi, > I've just

Re: Modifying container storage for Fedora 26.

2016-11-23 Thread Daniel J Walsh
On 11/22/2016 06:24 PM, Josh Berkus wrote: > Vivek, Dan, > >> - Now when docker users overlay2 graph driver, all the images, containers >> and associated metadata will be stored outside the root filesystem and >> onto /dev/docker-vg/foo logical volume. > This is a change from current storage

Re: Modifying container storage for Fedora 26.

2016-11-18 Thread Daniel J Walsh
n Wed, Nov 16, 2016 at 03:01:06PM -0500, Stephen Gallagher wrote: > > >> On 11/16/2016 02:56 PM, Vivek Goyal wrote: > > >>> On Wed, Nov 16, 2016 at 02:49:25PM -0500, Stephen Gallagher > wrote: > > >>>> On 11/16/2016 02:40 PM, Vivek Goyal wrote:

Modifying container storage for Fedora 26.

2016-11-16 Thread Daniel J Walsh
We would like to change the docker container storage to default to Overlayfs2 in Fedora 26. But we have a problem on Atomic Host and Fedora Server distributions. Currently docker-storage-setup defaults to devicemapper and is hard coded to setup a thinpool of 40% of remaining disk. Otherwise it

Re: docker-compose & selinux

2016-10-31 Thread Daniel J Walsh
On 10/30/2016 02:54 PM, Nikos Roussos wrote: > On 10/28/2016 02:58 PM, Daniel J Walsh wrote: >> What AVCs are you seeing? > Plenty of AVC messages in the form: > > type=AVC msg=audit(1477853452.023:1338): avc: denied { setattr } for > pid=23456 comm="chown" name

Re: docker-compose & selinux

2016-10-28 Thread Daniel J Walsh
What AVCs are you seeing? On 10/28/2016 05:59 AM, Nikos Roussos wrote: > I use docker-compose extensively for local development. On F24 all I had > to do to make it play well with selinux was something like this: > > sudo chcon -Rt svirt_sandbox_file_t project_folder > > After updating to F25

Re: User instances of systemd and SELinux

2016-08-15 Thread Daniel J Walsh
On 08/15/2016 04:10 PM, Andrew Lutomirski wrote: > On Mon, Aug 15, 2016 at 12:59 PM, Daniel J Walsh <dwa...@redhat.com> wrote: >> >> On 08/10/2016 03:42 PM, Andrew Lutomirski wrote: >>> On Wed, Aug 10, 2016 at 12:26 PM, Zbigniew Jędrzejewski-Szmek >>> <

Re: User instances of systemd and SELinux

2016-08-15 Thread Daniel J Walsh
On 08/10/2016 03:42 PM, Andrew Lutomirski wrote: > On Wed, Aug 10, 2016 at 12:26 PM, Zbigniew Jędrzejewski-Szmek > <zbys...@in.waw.pl> wrote: >> On Tue, Aug 09, 2016 at 01:32:10PM -0400, Daniel J Walsh wrote: >>> >>> On 08/09/2016 10:24 AM, Michal Sekleta

Re: User instances of systemd and SELinux

2016-08-09 Thread Daniel J Walsh
On 08/09/2016 10:24 AM, Michal Sekletar wrote: > Hi all, > > Most of you are probably aware that systemd, except running as PID 1, > also runs inside user sessions. This allows users to define their own > "user services" and start up various scripts and background processes > right after logging

Re: RFC: Fedora Docker Layered Image Guidelines

2016-04-29 Thread Daniel J Walsh
Hopefully we are looking at getting docker-squash/docker-scripts involved in squashing images built from the service. At least optionally if not required. docker-squash should allow you to squash everything in the Dockerfile back to the from line. from=$(awk '/^FROM/{print $2}'

Re: packaging suid files

2016-04-20 Thread Daniel J Walsh
No, most likely the suid file should be fine with SELinux. Only a confined user would be prevented from using it. On 04/20/2016 07:12 AM, Dave Love wrote: I have a package to submit that has an suid binary. The packaging guidelines say in that case you must %global _hardened_build 1 and it

Re: HEADS UP: systemd package split

2016-03-07 Thread Daniel J Walsh
On 03/05/2016 03:09 PM, Haïkel wrote: 2016-03-04 23:36 GMT+01:00 Zbigniew Jędrzejewski-Szmek : Hi, I finally pushed the split of the systemd package to Rawhide and F24 today [https://fedoraproject.org/w/index.php?title=Changes/systemd_package_split]. If you upgrade with

Re: Minimizing the fedora docker base image footprint

2016-02-22 Thread Daniel J Walsh
On Mon, 2016-02-22 at 11:26 -0500, Bill Nottingham wrote: > Courtney Pacheco (cpach...@redhat.com) said:  > > > > Hi everyone, > > > > I've spent some time trying to minimize the footprint of the Fedora > > docker > > base image. Overall, I managed to reduce its size by 39.9%. > > > > A summary

Re: ship Fedora with /etc/{subuid|subgid}

2016-02-17 Thread Daniel J Walsh
dhat.com> > | To: devel@lists.fedoraproject.org > | Cc: "Daniel J Walsh" <dwa...@redhat.com>, "Nalin Dahyabhai" > <na...@redhat.com> > | Sent: Wednesday, 17 February 2016 14:44:34 > | Subject: ship Fedora with /etc/{subuid|subgid} > | > | Hello ev

Re: F24 Self Contained Change: System Python

2016-02-08 Thread Daniel J Walsh
On 02/08/2016 01:16 PM, Chris Murphy wrote: > On Mon, Feb 8, 2016 at 10:47 AM, Stephen Gallagher > wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On 02/08/2016 12:45 PM, Mathieu Bridon wrote: >>> On Mon, 2016-02-08 at 17:21 +0100, Petr Viktorin wrote:

Re: Easier %config management?

2015-12-16 Thread Daniel J Walsh
On 12/15/2015 09:32 PM, Colin Walters wrote: > On Tue, Dec 15, 2015, at 06:43 PM, Japheth Cleaver wrote: >> >> Perhaps RPM (or yum/dnf, via plugin) could write a duplicate copy of >> all config files into a tree somewhere? (E.g., /usr/lib/config/ or >> /usr/share/config/?) > > I mentioned

Re: Fedora Docker Images containing fedora-updates-testing packages

2015-07-23 Thread Daniel J Walsh
Theoretically you should be able to build F21 and F22 containers and run them on F20. The only problem would be if software within a container tried to use something that the F20 Kernel did not support. On 07/23/2015 11:11 AM, Jon Miller wrote: Matthew Miller writes: On Wed, Jul 22, 2015 at

Re: F23 System Wide Change: SELinux policy store migration

2015-06-15 Thread Daniel J Walsh
Could all of this be done with links? IE Could you install selinux-policy into /usr/share/selinux/TARGETED/base/*.pp /usr/share/selinux/TARGETED/custom/*.pp Then we reassemble these modules with custom modules in /var/lib/selinux/TARGETED/ supplied by administrators? On 06/15/2015 05:15 AM,

New Article on Future Docker Security.

2015-03-19 Thread Daniel J Walsh
http://opensource.com/business/15/3/docker-security-future -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Is systemd within a Docker container still recommended?

2015-03-02 Thread Daniel J Walsh
On 03/01/2015 10:41 PM, Michael DePaulo wrote: Hi, I am developing a Dockerfile for X2Go. I intend to submit a PR to fedora-Dockerfiles within a week. https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go (X2Go was already added in F20)

Re: Is systemd within a Docker container still recommended?

2015-03-02 Thread Daniel J Walsh
On 03/02/2015 10:03 AM, Mauricio Tavares wrote: On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering mzerq...@0pointer.de wrote: On Mon, 02.03.15 09:17, Daniel J Walsh (dwa...@redhat.com) wrote: On 03/01/2015 10:41 PM, Michael DePaulo wrote: Hi, I am developing a Dockerfile for X2Go. I

Re: yum or dnf in the Fedora 22 Docker base image?

2015-02-17 Thread Daniel J Walsh
Not that I know of. On 02/16/2015 09:50 AM, M. Edward (Ed) Borasky wrote: Thanks! Are there tracking bugs in Bugzilla I can subscribe to? On Mon, Feb 16, 2015 at 9:42 AM, Daniel J Walsh dwa...@redhat.com wrote: On 02/16/2015 12:31 PM, M. Edward (Ed) Borasky wrote: On Mon, Feb 16, 2015 at 5:19

Re: yum or dnf in the Fedora 22 Docker base image?

2015-02-16 Thread Daniel J Walsh
On 02/16/2015 02:32 AM, Jan Zelený wrote: On 14. 2. 2015 at 22:28:53, M. Edward Borasky wrote: Right now, the fedora:rawhide image on Docker Hub uses yum instead of dnf, as does the Fedora 21 release. Is there any plan to switch this release over to dnf? Not likely. Porting of the system

Re: Is it a SELinux policy problem ?

2015-01-27 Thread Daniel J Walsh
On 01/27/2015 05:11 PM, Casper wrote: Or is it a luajit problem ? Dear devs hello. I would like to determine if these AVC are caused by prosody, lua, or a wrong SELinux policy. This avc (execmem) looks like it is allowed in Fedora selinux-policy-3.13.1-105.fc21.src.rpm Does prosody have a

Re: Flash plugin 0-day vulnerability in the wild

2015-01-23 Thread Daniel J Walsh
On 01/23/2015 10:25 AM, poma wrote: On 23.01.2015 15:12, Kevin Fenzi wrote: On Fri, 23 Jan 2015 12:44:23 +0100 poma pomidorabelis...@gmail.com wrote: On 23.01.2015 10:51, Martin Stransky wrote: Folk, There's a live 0-day flash vulnerability which is not fixed yet [1][2]. If you use flash

Re: F22 System Wide Change: Enable Polyinstantiated /tmp and /var/tmp directories by default

2015-01-21 Thread Daniel J Walsh
On 01/20/2015 07:29 AM, Lennart Poettering wrote: On Tue, 20.01.15 12:53, Jaroslav Reznik (jrez...@redhat.com) wrote: = Proposed System Wide Change: Enable Polyinstantiated /tmp and /var/tmp directories by default = https://fedoraproject.org/wiki/Changes/Polyinstantiated_tmp_by_Default

Re: docker 1.4.0 available, fixes multiple CVEs - testing/karma needed

2014-12-13 Thread Daniel J Walsh
On 12/12/2014 03:34 PM, Lokesh Mandvekar wrote: On Fri, Dec 12, 2014 at 10:14:50AM -0800, M. Edward (Ed) Borasky wrote: Working here on F21 - karma logged! Thanks. Btw, could you also check if things work fine after restarting docker.service (if not tested already)? I see database locked

Re: Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet

2014-12-09 Thread Daniel J Walsh
You can do this with SELinux and confined users somewhat. YOU basically could setup a user as xguest with no network access and then write policy to transition to certain domains that can use the internet. No ability to prompt the user though. This will get you most of the way you want to go,

I want to make Ryan Hallisey a co-maintainer of policycoreutils.

2014-11-18 Thread Daniel J Walsh
He is not currently in the packager list. But he does not have a package that needs to be added to Fedora. He is just making changes to policycoreutils? What is the procedure to get him on the packager list for this package. Dan

Re: Running docker in a mock chroot

2014-11-05 Thread Daniel J Walsh
On 11/05/2014 05:45 PM, Dridi Boukelmoune wrote: Hi, I haven't really tried, I only wanted to look at fig 1.0 currently in f21 updates-testing. So I --shell'ed inside my fedora-21-x86_64 mock chroot after installing fig, and tried to start a docker daemon in the background but it failed.

Time to start blogging on all of the new Security features in Fedora 21

2014-09-12 Thread Daniel J Walsh
If you have one, please send it to me with some explanation of what it is and why it is important.

Anyone know how to get rsyslog to not use journald but to listen on /dev/log again.

2014-09-10 Thread Daniel J Walsh
We need this for running rsyslog within a docker container where systemd/journald might not be running. https://bugzilla.redhat.com/show_bug.cgi?id=1139734

Re: Systemd boot issue

2014-09-09 Thread Daniel J Walsh
Did you try to boot with enforcing=0? To see if it is an SELinux issue? On 09/09/2014 09:46 AM, P J P wrote: Hello, I've been trying to boot into kernel-3.16.0 on a F19 machine. But it just stops after saying .. [OK] Reached target Initrd Default target System is not hung, but there

Re: systemd dependencies

2014-08-30 Thread Daniel J Walsh
On 08/26/2014 08:23 AM, Lennart Poettering wrote: On Tue, 26.08.14 14:18, Vít Ondruch (vondr...@redhat.com) wrote: Recently I have noticed that systemd package dependency is creeping into some packages where it is not necessary. subversion [1] or rsync [2] are good examples. Please consider

Re: fakesystemd package breaking builds

2014-08-28 Thread Daniel J Walsh
On 08/27/2014 03:15 PM, Lennart Poettering wrote: On Wed, 27.08.14 21:00, Václav Pavlín (vpav...@redhat.com) wrote: I also offered to split out the hwdb in Brno, if you remember. If this is about the hwdb, then let's just do that... Talk to Michal Sekletar about it then - he is working on

Re: fakesystemd package breaking builds

2014-08-28 Thread Daniel J Walsh
On 08/28/2014 02:10 PM, Lennart Poettering wrote: On Thu, 28.08.14 07:24, Daniel J Walsh (dwa...@redhat.com) wrote: But regarding kmod/devicemapper, can we please get some stats about how big this individually are, and how much is saved by this? kmod at least is 150K or so only

Re: BIND 9.10.1 beta with seccomp functionality

2014-08-19 Thread Daniel J Walsh
On 08/19/2014 11:20 AM, Tomasz Torcz wrote: On Tue, Aug 19, 2014 at 10:12:31AM -0500, Chris Adams wrote: Once upon a time, Tomas Hozza tho...@redhat.com said: That's where seccomp kicks in, it acts as a 2nd wall of defence. In case of a security hole being present in the server process, it

Re: Advice needed for packaging local SELinux policy

2014-07-22 Thread Daniel J Walsh
On 07/22/2014 01:42 PM, John Florian wrote: I have a locally maintained package for private use that among other things constrains proliferation of files in the following directory: # ls -lZd /var/lib/puppet/reports/ drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0

Re: runuser error in a docker container on rawhide

2014-06-04 Thread Daniel J Walsh
On 06/04/2014 02:27 PM, Robert Rati wrote: I'm trying to run some docker containers and it appears the runuser in rawhide isn't functional in the container: # runuser runuser: System error I can run runuser in a physical system running rawhide however. These same images created off of

Re: runuser error in a docker container on rawhide

2014-06-04 Thread Daniel J Walsh
prints System error if I use it to do anything, even nothing. Rob On 06/04/2014 02:37 PM, Daniel J Walsh wrote: On 06/04/2014 02:27 PM, Robert Rati wrote: I'm trying to run some docker containers and it appears the runuser in rawhide isn't functional in the container: # runuser runuser

Re: runuser error in a docker container on rawhide

2014-06-04 Thread Daniel J Walsh
, which leads me to believe it's not util-linux at all. The docker version in rawhide is newer (I'm running rawhide host and rawhide in the container), but I wouldn't expect that to affect runuser. Rob It looks like /dev/log is not being created. On 06/04/2014 03:54 PM, Daniel J Walsh wrote

Re: selinux issue with containers

2014-05-29 Thread Daniel J Walsh
On 05/28/2014 05:26 PM, Zbigniew Jędrzejewski-Szmek wrote: On Wed, May 28, 2014 at 01:52:23PM -0400, Daniel J Walsh wrote: On 05/28/2014 01:40 PM, Richard W.M. Jones wrote: On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote: On Wed, May 28, 2014 at 10:41:45AM -0400

Re: selinux issue with containers

2014-05-28 Thread Daniel J Walsh
Yum -y update your entire computer and yum reinstall selinux-policy-targeted Should fix the problem. On 05/27/2014 09:12 PM, Zbigniew Jędrzejewski-Szmek wrote: Hi, installing Fedora in containers fails strangely (see below). It seems to be selinux related, since booting with selinux=0 allows

Re: selinux issue with containers

2014-05-28 Thread Daniel J Walsh
On 05/28/2014 01:40 PM, Richard W.M. Jones wrote: On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote: On Wed, May 28, 2014 at 10:41:45AM -0400, Daniel J Walsh wrote: Yum -y update your entire computer and yum reinstall selinux-policy-targeted Should fix the problem

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-05-02 Thread Daniel J Walsh
On 05/02/2014 06:32 AM, Lennart Poettering wrote: On Wed, 30.04.14 09:44, Daniel J Walsh (dwa...@redhat.com) wrote: On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote: On 29-04-2014 18:27, Martin Langhoff wrote: On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald h.rei...@thelounge.net

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-30 Thread Daniel J Walsh
On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote: On 29-04-2014 18:27, Martin Langhoff wrote: On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald h.rei...@thelounge.net wrote: defense in depth means limit the attack surface as much as you can As folks

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-30 Thread Daniel J Walsh
On 04/30/2014 10:05 AM, Kalev Lember wrote: On 04/29/2014 12:31 PM, Lennart Poettering wrote: On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote: On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote: The problem is lots of services require systemd because

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-30 Thread Daniel J Walsh
On 04/30/2014 10:28 AM, Adam Jackson wrote: On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote: I suspect just dropping the deps would break initial installations, e.g. anaconda / livecd-creator. RPM uses the deps to order the transaction so that systemd gets installed first, and the

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/29/2014 06:31 AM, Lennart Poettering wrote: On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote: On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote: The problem is lots of services require systemd because they ship a unit file and want systemctl reload

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/28/2014 06:44 PM, Adam Jackson wrote: On Mon, 2014-04-28 at 17:01 -0400, Daniel J Walsh wrote: The problem is lots of services require systemd because they ship a unit file and want systemctl reload to happen. Systemd then triggers a require for udev and kmod, which docker containers

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/29/2014 06:33 AM, Lennart Poettering wrote: On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote: The problem is lots of services require systemd because they ship a unit file and want systemctl reload to happen. Systemd then triggers a require for udev and kmod, which

Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-29 Thread Daniel J Walsh
On 04/29/2014 03:17 PM, Chris Adams wrote: Once upon a time, Reindl Harald h.rei...@thelounge.net said: wrong question - is /bin/sh used? if the answer is yes then the anser to your question is no the point is remove anything *unneeded* from production systems that are best practices for

We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

2014-04-28 Thread Daniel J Walsh
The problem is lots of services require systemd because they ship a unit file and want systemctl reload to happen. Systemd then triggers a require for udev and kmod, which docker containers do not need. rpm -q --whatrequires systemd | wc -l 151 On rawhide I see 151 packages on my system which

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Daniel J Walsh
On 04/16/2014 09:32 AM, Simo Sorce wrote: On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote: On 04/15/2014 09:31 AM, Simo Sorce wrote: On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: I keep thinking that, if I had unlimited time, I'd write a totally different kind

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Daniel J Walsh
On 04/15/2014 09:31 AM, Simo Sorce wrote: On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: I keep thinking that, if I had unlimited time, I'd write a totally different kind of firewall. It would allow some policy (userspace daemon or rules loaded into the kernel) to determine when

Re: F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

2014-03-27 Thread Daniel J Walsh
On 03/27/2014 01:49 PM, Miloslav Trmač wrote: 2014-03-26 15:06 GMT+01:00 Jaroslav Reznik jrez...@redhat.com: == Detailed Description == When PrivateDevices=yes... Furthermore, the CAP_MKNOD capability is removed. Finally, the devices cgroup controller is used to ensure that no access to

Re: F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

2014-03-27 Thread Daniel J Walsh
On 03/27/2014 04:03 PM, Miloslav Trmač wrote: 2014-03-27 20:57 GMT+01:00 Daniel J Walsh dwa...@redhat.com: On 03/27/2014 01:49 PM, Miloslav Trmač wrote: 2014-03-26 15:06 GMT+01:00 Jaroslav Reznik jrez...@redhat.com: == Detailed Description == When PrivateDevices=yes... Furthermore

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-03-06 Thread Daniel J Walsh
On 03/06/2014 01:45 AM, Dan Callaghan wrote: Excerpts from Dan Callaghan's message of 2014-03-06 16:43:26 +1000: Excerpts from Daniel J Walsh's message of 2014-01-03 01:46:44 +1000: This is caused by sshd running with the wrong label, It should be

Re: Audit overhead and default rules

2014-02-11 Thread Daniel J Walsh
On 02/10/2014 04:49 PM, Andrew Lutomirski wrote: On Mon, Feb 10, 2014 at 1:02 PM, Steve Grubb sgr...@redhat.com wrote: On Monday, February 10, 2014 12:41:08 PM Andrew Lutomirski wrote: There are, indeed, many ways for me to fix this on my machine.

Re: change Selinux context in %post?

2014-02-11 Thread Daniel J Walsh
On 02/07/2014 02:18 PM, Richard Shaw wrote: Ok, after sleeping on it, I have a question. Do I really need a full blown policy? I'm not creating anything new here. I'm just applying the existing context applied to /var/lib/mongod to

Re: change Selinux context in %post?

2014-02-11 Thread Daniel J Walsh
On 02/06/2014 12:44 PM, Richard Shaw wrote: On Thu, Feb 6, 2014 at 11:37 AM, Daniel J Walsh dwa...@redhat.com wrote: On 02/06/2014 02:39 PM, Richard Shaw wrote: On Thu

Re: change Selinux context in %post?

2014-02-11 Thread Daniel J Walsh
On 02/11/2014 03:23 PM, Richard Shaw wrote: On Tue, Feb 11, 2014 at 9:43 AM, Daniel J Walsh dwa...@redhat.com wrote: On 02/06/2014 12:44 PM, Richard Shaw wrote: On Thu

Re: change Selinux context in %post?

2014-02-06 Thread Daniel J Walsh
On 02/06/2014 02:39 PM, Richard Shaw wrote: On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý msu...@redhat.com wrote: On 02/05/2014 08:24 PM, Richard Shaw wrote: Are there official guidelines on how to handle selinux contexts in packaging? I

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-27 Thread Daniel J Walsh
On 01/26/2014 03:49 PM, Andrew Lutomirski wrote: On Sun, Jan 26, 2014 at 12:38 PM, Richard W.M. Jones rjo...@redhat.com wrote: Slightly OT, but is SELinux stopping programs from executing code at address zero? (And how can I stop it doing that?)

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-27 Thread Daniel J Walsh
On 01/24/2014 07:29 PM, Alek Paunov wrote: On 24.01.2014 21:20, Daniel J Walsh wrote: No, we pretty much allow executable stack/memory from user processes now and block it for most daemons, except for those that need it. My understanding

I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
I wrote a systemd unit file to enable it, and to allow a user to disable the feature if he wants. # cat /usr/lib/systemd/system/selinux-checkreqprot.service [Unit] Description=SELinux check actual protection flags applied by kernel, rather than
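The distinction the checkreqprot setting is about, as an added example that is not code from this thread or from Fedora: with checkreqprot=1 SELinux judges the protection a program asked mmap/mprotect for; with checkreqprot=0 it judges what the kernel actually applied, which can be more than was requested. The classic case is the legacy READ_IMPLIES_EXEC personality flag, under which every readable mapping is silently made executable. The program below maps a page asking only for PROT_READ|PROT_WRITE, confirms from /proc/self/maps that it is not executable, then sets READ_IMPLIES_EXEC on itself and maps again. It assumes a Linux host with /proc mounted; personality(2) with this flag is refused under the Docker default seccomp profile, and the code reports that case instead of failing.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <unistd.h>

/* Find the mapping containing addr in /proc/self/maps and report the
 * execute bit the kernel actually granted.
 * Returns 1 if executable, 0 if not, -1 if the mapping was not found. */
static int mapping_is_exec(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    unsigned long start, end;
    char perms[8];
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        /* line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
            continue;
        if ((unsigned long)addr >= start && (unsigned long)addr < end) {
            result = (perms[2] == 'x');
            break;
        }
    }
    fclose(f);
    return result;
}

/* Map one anonymous page requesting PROT_READ|PROT_WRITE only (no
 * PROT_EXEC) and return what the kernel actually applied. */
static int map_page_and_check(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = mapping_is_exec(p);
    munmap(p, (size_t)pagesz);
    return rc;
}

/* Returns:
 *   1  the request was read/write but the mapping came back executable
 *      once READ_IMPLIES_EXEC was set: only checkreqprot=0 lets SELinux
 *      see that PROT_EXEC and apply its execmem-style checks to it
 *   2  personality(2) was refused (a seccomp filter, for instance), so
 *      only the first half could be demonstrated
 *   0  anomaly: plain mapping already executable, or the flag did nothing
 *  -1  mmap or /proc/self/maps failed */
int read_implies_exec_demo(void)
{
    int plain = map_page_and_check();
    if (plain < 0)
        return -1;
    if (plain != 0)
        return 0;
    int old = personality(0xffffffff);     /* query only */
    if (old == -1)
        return 2;
    if (personality((unsigned long)old | READ_IMPLIES_EXEC) == -1)
        return 2;
    int with_flag = map_page_and_check();
    personality((unsigned long)old);       /* restore for later mappings */
    if (with_flag < 0)
        return -1;
    return with_flag == 1 ? 1 : 0;
}

int main(void)
{
    int rc = read_implies_exec_demo();
    if (rc == 1)
        puts("rw request became executable under READ_IMPLIES_EXEC; "
             "checkreqprot=0 is what makes SELinux check that.");
    else if (rc == 2)
        puts("personality() refused here; plain rw mapping was not executable.");
    else
        printf("unexpected result %d\n", rc);
    return (rc == 1 || rc == 2) ? 0 : 1;
}
```

Build with cc -o reqprot reqprot.c and run it as an ordinary user. Nothing here touches SELinux itself; the point is that the second mapping is a place where "what the application requested" and "what the kernel applied" differ, and checkreqprot=0 is the setting that makes SELinux look at the latter.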

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
On 01/24/2014 10:32 AM, Lennart Poettering wrote: On Fri, 24.01.14 10:22, Daniel J Walsh (dwa...@redhat.com) wrote: Heya, Do we really need a service for this? Can't this be done instead via a tmpfiles snippet that uses f and the extra

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
Here is the request from upstream to enable this feature in Rawhide, with an explanation of what it does. Android is starting to apply execmem and friends to the non-Dalvik components (i.e. non-Java components, primarily the native system

Re: I want to turn on a part of the kernel to make SELinux checking more stringent.

2014-01-24 Thread Daniel J Walsh
On 01/24/2014 02:11 PM, Björn Persson wrote: Daniel J Walsh wrote: Here is the request from upstream to enable this feature in Rawhide, with an explanation of what it does. Android is starting to apply execmem and friends to the non-Dalvik

Re: Drawing lessons from fatal SELinux bug #1054350

2014-01-24 Thread Daniel J Walsh
On 01/24/2014 01:35 PM, Reindl Harald wrote: On 24.01.2014 19:31, Reindl Harald wrote: On 24.01.2014 19:18, drago01 wrote: On Fri, Jan 24, 2014 at 7:12 PM, Fabian Deutsch fabian.deut...@gmx.de wrote: On Friday, 24.01.2014, 00:55

Re: Go packaging guidelines?

2014-01-21 Thread Daniel J Walsh
On 01/14/2014 02:18 PM, Matthew Miller wrote: On Tue, Jan 14, 2014 at 12:06:09PM +0100, Florian Weimer wrote: A couple of questions and comments. I think overall, the approach works. # Packaging Libraries This does not mention libraries which use

Re: SELinux RPM scriptlet issue announcement

2014-01-20 Thread Daniel J Walsh
On 01/20/2014 04:42 AM, Michael Schwendt wrote: I think we should have a much higher Karma for SELinux-policy to be released. 5 or maybe 10. The problem with selinux-policy is it gets karma fast, since each update fixes multiple bugs. And people

Re: SELinux RPM scriptlet issue announcement

2014-01-20 Thread Daniel J Walsh
On 01/20/2014 10:50 AM, Simo Sorce wrote: On Mon, 2014-01-20 at 08:42 +0100, Michael Schwendt wrote: On Sun, 19 Jan 2014 23:02:24 -0500, Simo Sorce wrote: Anyone not aware of the problem and the fix, who applies the -117.fc20 selinux-policy

Re: Livecd-creator is disabling selinux

2014-01-14 Thread Daniel J Walsh
On 01/13/2014 04:17 PM, Richard W.M. Jones wrote: [Moving this to the libguestfs mailing list] On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote: On 01/13/2014 11:49 AM, Richard W.M

Re: Livecd-creator is disabling selinux

2014-01-13 Thread Daniel J Walsh
On 01/10/2014 10:47 PM, Dennis Gilmore wrote: El Fri, 10 Jan 2014 18:31:13 -0700 Tim Flink tfl...@redhat.com escribió: On Fri, 10 Jan 2014 15:35:59 -0800 Adam Williamson awill...@redhat.com wrote: On Fri, 2014-01-10 at 17:33 -0600, Dennis

Re: Livecd-creator is disabling selinux

2014-01-13 Thread Daniel J Walsh
On 01/13/2014 11:49 AM, Richard W.M. Jones wrote: On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote: Secondly we prevent even unconfined_t from putting down labels on the file system that the kernel does not understand. IE If I am

Re: Livecd-creator is disabling selinux

2014-01-09 Thread Daniel J Walsh
On 01/09/2014 05:32 AM, Maros Zatko wrote: Dear guys and ladies, So it seems like livecd-creator is silently disabling selinux. Proof: vim $(which livecd-creator) ; line 150 Fact, that it's re-enabled afterwards doesn't ease silent disablement of

Re: Sshd getting 'dyntransition' AVC's in SElinux enforcing mode

2014-01-02 Thread Daniel J Walsh
On 12/27/2013 05:06 PM, Philip Prindeville wrote: I’m seeing the following after an update (via yum) from F19 to F20: time-Tue Dec 24 16:05:44 2013 type=SYSCALL msg=audit(1387926344.492:5867): arch=c03e syscall=1 success=no exit=-13

Re: Fedora 20 TC2 AMIs

2013-11-22 Thread Daniel J Walsh
On 11/21/2013 03:13 PM, Vitaly Kuznetsov wrote: Matthew Miller mat...@fedoraproject.org writes: On Thu, Nov 21, 2013 at 01:30:15PM +0100, Vitaly Kuznetsov wrote: I ran basic tests against them and they're ok. The only issue I still see is wrong

Re: Fedora 20 TC2 AMIs

2013-11-21 Thread Daniel J Walsh
On 11/21/2013 07:30 AM, Vitaly Kuznetsov wrote: Dennis Gilmore den...@ausil.us writes: Hi all, Final TC2 images have been uploaded to EC2 and are available at ami-3392b55a : us-east-1 image for i386 ami-f794b39e : us-east-1 image for x86_64

Re: Fedora 20 TC2 AMIs

2013-11-21 Thread Daniel J Walsh
restorecon on them. Daniel J Walsh dwa...@redhat.com wrote: On 11/21/2013 07:30 AM, Vitaly Kuznetsov wrote: Dennis Gilmore den...@ausil.us writes: Hi all, Final TC2 images have been uploaded to EC2 and are available at ami-3392b55a : us-east-1 image for i386 ami-f794b39e : us-east-1 image

Re: [Base] Summary/Minutes from today's Base WG meeting (2013-11-08)

2013-11-11 Thread Daniel J Walsh
On 11/11/2013 10:31 AM, Harald Hoyer wrote: On 11/10/2013 01:39 PM, Daniel J Walsh wrote: A few other things, I would like to see broken out would be sort of a lower level definition for containers, based on the docker model. IE Can we remove

Re: [Base] Summary/Minutes from today's Base WG meeting (2013-11-08)

2013-11-10 Thread Daniel J Walsh
On 11/08/2013 11:51 AM, Dennis Gilmore wrote: == #fedora-meeting: Fedora Base Design Working Group (2013-11-08)
