[CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread giggzounet
Hi,

On our cluster with CentOS 5.5, I have a little problem with a script
for InfiniBand (this problem:
http://web.archiveorange.com/archive/v/NUQmuN84gd3D31Fdl8PU). So the fix
is very easy. But what will yum/RPM do during the next update? Will it
overwrite the file? Will it write on display that the file was modified
by a user (as under Debian)?

Thx a lot,
Best regards,
Guillaume

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] Any chance to get a working, current openldap srpm/rpm for centos 5.5

2010-11-29 Thread Götz Reinicke - IT-Koordinator
Hello,

Is there anyone out there who has a current 2.4.23 SRPM or a good how-to
for compiling it from source with the supported db4?

I tried to compile recent source files, but finding the current
(installed) db4 > 4.3 always fails.

Then I tried to compile the LTB Project files:
http://ltb-project.org/wiki/documentation/openldap-rpm

Maybe it is just a small step or option to be set.

Would be nice to get it working :-)

Thanks and best regards

Götz
-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner

Geschäftsführer:
Prof. Thomas Schadt





Re: [CentOS] how to separate individual logs?

2010-11-29 Thread John Doe
From: hadi motamedi 

> I have captured a file in my CentOS showing logs captured from many
> modules concurrently. Please find attached a sample of the file. As
> you see, there are logs from individual modules that have been
> captured concurrently. For example, there are logs from
> IPTR, SNMP, HLR, TCAP, XAPP, and SCCP modules but they are coming
> concurrently. Each log has the header name of its accompanying module in
> the beginning. I need to have the log of each module separately. Can
> you please show me the power of CentOS on how to separate individual
> modules' logs from the whole?

Here is "The Power of CentOS"!!!  (in approximately 3 minutes...)

# Split edit.txt into one <MODULE>.log per module: a header line is one
# that contains '>..' and starts with the module name; every other line
# is appended to the log of the most recent header.
LOGFILE=""
while IFS= read -r LINE; do
  if printf '%s\n' "$LINE" | grep -q '>\.\.'; then
    LOGFILE="$(printf '%s\n' "$LINE" | cut -d' ' -f1).log"
  elif [ -n "$LOGFILE" ]; then
    printf '%s\n' "$LINE" >> "$LOGFILE"
  fi
done < edit.txt

JD

PS: I wonder if I am doing your school homework...


  


Re: [CentOS] Rebuilding samba3x rpms results in size doubled

2010-11-29 Thread John Doe
From: Oguz Yilmaz 
> I have rebuilt the samba3x SRPM in CentOS 5.5. The resulting RPMs are nearly
> triple the size of the original RPMs. I have installed and checked that the
> binary files are stripped. What can result in such a difference in RPM sizes?
> I have not changed anything in the build and install sections of the spec file.

Maybe debugging symbols...
Maybe try ldd and check if there are differences...

JD


  


Re: [CentOS] ssh-agent fails to hold values

2010-11-29 Thread John Doe
From: bluethundr 

> I am attempting to manage my key logins with ssh-agent. However EVERY
> time I try to ssh I have to go through the same exact routine and it's
> getting a little old...
> Does anyone have any suggestions to make ssh-agent hold these values a
> bit more persistently?

I have this in my .bash_profile:

  # Start an agent only if no ssh-agent is already running for this login,
  # and save its environment so later shells can pick up the same agent.
  AGENTRUNNING=`ps x | grep ssh-agent | grep -v grep`
  if [ -z "$AGENTRUNNING" ]; then
    /usr/bin/ssh-agent -s > "$HOME/.ssh/agent-env.sh"
  fi
  . "$HOME/.ssh/agent-env.sh" > /dev/null

Then, I ssh-add once and that's it.

JD


  


Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread Gabriel Tabares
> a very easy. But what will yum/RPM do during the next update? Will it
> overwrite the file? Will it write on display that the file was modified
> by a user (as under Debian)?
>

As far as I can tell, if the file is marked as a configuration file in 
the RPM, it will be left alone and the new configuration file will be 
renamed to file.rpmnew. If the file is not marked as a configuration 
file, it will be overwritten.

Regards,

Gabriel



Re: [CentOS] how to separate individual logs?

2010-11-29 Thread Raj kumar
Please unsubscribe the side on my email



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Steve Clark

On 11/27/2010 09:21 PM, John R. Dennison wrote:
> On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
>
>> The "working system" in that analogy is software, not necessarily nor
>> even likely to be the kernel itself. But yes, it can trash a
>> production critical web or software application that didn't follow the
>> sensible, but often poorly understood, policies of SELinux. This is
>> particularly common with 3rd party web applications, the sort of thing
>> we grab from Sourceforge and try ourselves. (Lilac, the Nagios
>> configuration tool, particularly comes to mind.)
>>
>> I'd have to dig back to rediscover the Lilac issues, but I remember
>> running out of time to sort them all out and having to leave SELinux
>> off of that server.
>
> heh, fail.
>
> You run it in Permissive mode, you deal with the exceptions as
> they arise while the software is running in its normal
> environment and while it's running normally using any of the
> documented methods.  You thoroughly test the application in such
> a manner and once you have ironed out any and all issues by
> putting together a custom policy, setting the right SElinux
> booleans, etc, you then enable Enforcing mode.  There is really
> no reason that SElinux should have a negative impact on your
> application or server if you use Permissive first.
>
> John

I don't know how it is now - but I tried running in permissive mode a
few years ago. It would complain about some file, I would fix the file
and the next thing I knew it was complaining about the same file again,
and the file was part of the Red Hat installation. After that I gave up
and just turned it off.

--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Any chance to get a working, current openldap srpm/rpm for centos 5.5

2010-11-29 Thread Stefan Held
On Monday, 29.11.2010, 09:46 +0100, Götz Reinicke - IT-Koordinator
wrote:
> Hello,
> 
> is there anyone out there, who has a current 2.4.23 srpm or good how to
> compile it from src with supported db4?

Well, you would have to rebuild half of the system to do that.

If you try to rebuild db4, you should rebuild rpm and so on.

If you rebuild openldap, all the LDAP client software and dependent stuff
should be rebuilt to ensure everything is working.

What would you do with that rpm? Would it be for production?

Or just for some testing?

Greetings from 75417 .)

-- 

Stefan Held   VI has only 2 Modes:
obi unixkiste org The first one is for beeping all the time,
FreeNode: foo_bar the second destroys the text.

---
perl -e'map{print pack c,($|++?1:13)+ord,select$,,$,,$,,$|}split//,ESEL.$/'
---



Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread giggzounet
On 29/11/2010 12:44, Gabriel Tabares wrote:
>> a very easy. But what will yum/RPM do during the next update? Will it
>> overwrite the file? Will it write on display that the file was modified
>> by a user (as under Debian)?
>>
> 
> As far as I can tell, if the file is marked as a configuration file in 
> the RPM, it will be left alone and the new configuration file will be 
> renamed to file.rpmnew. If the file is not marked as a configuration 
> file, it will be overwritten.
> 
> Regards,
> 
> Gabriel

OK, thanks for your answer!

Where in the RPM package can I find out whether the file is a configuration
file or not?

Regards,
Guillaume



Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread Nico Kadel-Garcia
On Mon, Nov 29, 2010 at 7:38 AM, giggzounet  wrote:
> On 29/11/2010 12:44, Gabriel Tabares wrote:
>>> a very easy. But what will yum/RPM do during the next update? Will it
>>> overwrite the file? Will it write on display that the file was modified
>>> by a user (as under Debian)?
>>>
>>
>> As far as I can tell, if the file is marked as a configuration file in
>> the RPM, it will be left alone and the new configuration file will be
>> renamed to file.rpmnew. If the file is not marked as a configuration
>> file, it will be overwritten.
>>
>> Regards,
>>
>> Gabriel
>
> OK, thanks for your answer!
>
> Where in the RPM package can I find out whether the file is a configuration
> file or not?

You need the .spec file from the SRPM, or you could install it and test it.


Re: [CentOS] ssh-agent fails to hold values

2010-11-29 Thread Nico Kadel-Garcia
On Mon, Nov 29, 2010 at 6:41 AM, John Doe  wrote:
> From: bluethundr 
>
>> I am attempting to manage my key logins with ssh-agent. However EVERY
>> time I try to ssh I have to go through the same exact routine and it's
>> getting a little old...
>> Does anyone have any suggestions to make ssh-agent hold these values a
>> bit more persistently?
>
> I have this in my .bash_profile:
>
>  AGENTRUNNING=`ps x | grep agent | grep -v grep`
>  if [ -z "$AGENTRUNNING" ]; then
>    /usr/bin/ssh-agent -s > $HOME/.ssh/agent-env.sh
>  fi
>  . $HOME/.ssh/agent-env.sh > /dev/null
>
> Then, I ssh-add once and that's it.

And if you log in on another machine with that same home directory on
NFS, you'll load information for the wrong host's ssh-agent keys.

Install and use "keychain". It's leaps and bounds more reliable than this.
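Added example (not from the thread, not keychain): a .bash_profile fragment that addresses the NFS point above by keeping one agent environment file per host, parsing it instead of sourcing it, and checking that the recorded PID really is a live ssh-agent with an existing socket before reusing it. The function names, the agent-env.HOST.sh file name and the AGENT_ENV_DIR/HOSTNAME_OVERRIDE variables are mine.

```shell
#!/bin/sh
# Added example, not from the thread: one ssh-agent per host, so an
# NFS-shared home does not hand you another machine's socket, and the
# saved agent is verified alive before it is reused.

# Env file for this host only; AGENT_ENV_DIR and HOSTNAME_OVERRIDE are
# hypothetical knobs used here for testing, not ssh settings.
agent_env_file() {
    host=${HOSTNAME_OVERRIDE:-$(hostname)}
    echo "${AGENT_ENV_DIR:-$HOME/.ssh}/agent-env.$host.sh"
}

# Read the "VAR=value; export VAR;" lines ssh-agent -s writes and export
# them, without executing the file (the trailing "echo Agent pid" line
# and anything else in it are ignored).
load_agent_env() {
    [ -r "$1" ] || return 1
    SSH_AUTH_SOCK= SSH_AGENT_PID=
    while IFS= read -r line; do
        case "$line" in
            SSH_AUTH_SOCK=*|SSH_AGENT_PID=*)
                var=${line%%=*}
                val=${line#*=}; val=${val%%;*}
                export "$var=$val" ;;
        esac
    done < "$1"
    [ -n "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]
}

# True only if the recorded PID is a running ssh-agent and its socket
# still exists on this host; otherwise the env file is stale.
agent_alive() {
    [ -n "$SSH_AGENT_PID" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    case "$(ps -o comm= -p "$SSH_AGENT_PID" 2>/dev/null)" in
        *ssh-agent*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reuse the per-host agent if alive, else start a fresh one; the env file
# is created 0600 in a subshell so the login shell's umask is untouched.
ensure_agent() {
    envfile=$(agent_env_file)
    if load_agent_env "$envfile" && agent_alive; then
        return 0
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 1
    (umask 077; ssh-agent -s > "$envfile") || return 1
    load_agent_env "$envfile" && agent_alive
}

# In ~/.bash_profile: ensure_agent && { ssh-add -l >/dev/null 2>&1 || ssh-add; }
```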


Re: [CentOS] Any chance to get a working, current openldap srpm/rpm for centos 5.5

2010-11-29 Thread Eero Volotinen
2010/11/29 Götz Reinicke - IT-Koordinator :
> Hello,
>
> is there anyone out there, who has a current 2.4.23 srpm or good how to
> compile it from src with supported db4?

RHEL 6 provides ldap-2.4.19.

So maybe you just need to wait for CentOS 6?

--
Eero


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Monday, November 29, 2010 08:11 PM, Steve Clark wrote:

> I don't know how it is now - but I tried running in permissive mode a
> few years ago. It would complain about some
> file, I would fix the file and the next thing I knew it was complaining
> about the same file again, and the file was part
> of the redhat installation. After that I gave up and just turned it off.
>

I never tried it on CentOS 4 but when I had to implement it on CentOS 5 
in September this year, I did not encounter what you experienced.

It could be simply because I took pains to ensure the system knew how to 
relabel stuff beyond the defaults that it was programmed to do. I cannot 
remember if I had to make a rule for something that is installed by 
anaconda but I do believe that if you have changed anything from the 
defaults, you need to teach the relabel system. Like Marko posted: man 
semanage.


Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread giggzounet
On 29/11/2010 13:41, Nico Kadel-Garcia wrote:
> On Mon, Nov 29, 2010 at 7:38 AM, giggzounet  wrote:
>> On 29/11/2010 12:44, Gabriel Tabares wrote:
>>>> a very easy. But what will yum/RPM do during the next update? Will it
>>>> overwrite the file? Will it write on display that the file was modified
>>>> by a user (as under Debian)?
>>>>
>>>
>>> As far as I can tell, if the file is marked as a configuration file in
>>> the RPM, it will be left alone and the new configuration file will be
>>> renamed to file.rpmnew. If the file is not marked as a configuration
>>> file, it will be overwritten.
>>>
>>> Regards,
>>>
>>> Gabriel
>>
>> OK, thanks for your answer!
>>
>> Where in the RPM package can I find out whether the file is a configuration
>> file or not?
> 
> You need the .spec file from the SRPM, or you could install it and test it.

OK, I will take a look in the SRPM.

Thanks



Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread giggzounet
On 29/11/2010 13:44, giggzounet wrote:
> On 29/11/2010 13:41, Nico Kadel-Garcia wrote:
>> On Mon, Nov 29, 2010 at 7:38 AM, giggzounet  wrote:
>>> On 29/11/2010 12:44, Gabriel Tabares wrote:
>>>>> a very easy. But what will yum/RPM do during the next update? Will it
>>>>> overwrite the file? Will it write on display that the file was modified
>>>>> by a user (as under Debian)?
>>>>>
>>>>
>>>> As far as I can tell, if the file is marked as a configuration file in
>>>> the RPM, it will be left alone and the new configuration file will be
>>>> renamed to file.rpmnew. If the file is not marked as a configuration
>>>> file, it will be overwritten.
>>>>
>>>> Regards,
>>>>
>>>> Gabriel
>>>
>>> OK, thanks for your answer!
>>>
>>> Where in the RPM package can I find out whether the file is a configuration
>>> file or not?
>>
>> You need the .spec file from the SRPM, or you could install it and test it.
> 
> OK, I will take a look in the SRPM.
> 
> Thanks

Hmm, I don't know the RPM system well... so here is the .spec:

# $Id: openib.spec 6922 2006-05-04 12:49:48Z vlad $

Summary: OpenIB Infiniband Driver Stack
Name: openib
Version: 1.4.1
Release: 5%{?dist}
License: GPL/BSD
Url: http://www.openfabrics.org/
Group: System Environment/Base
Source1: openib-1.3.2-ifup-ib
Source2: openib-1.0-openib.conf
Source3: openib-1.0-openibd.init
Source4: openib-fixup-mtrr.awk
Source8: openib-90-ib.rules
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
#ExclusiveArch: i386 x86_64 ia64 ppc ppc64
BuildArch: noarch
Obsoletes: kernel-ib <= 1.0-1
Requires(post): chkconfig
%description
User space initialization scripts for the kernel InfiniBand drivers

%prep

%build

%install
rm -rf ${RPM_BUILD_ROOT}
install -d ${RPM_BUILD_ROOT}%{_initrddir}
install -d ${RPM_BUILD_ROOT}%{_sysconfdir}/ofed
install -d ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/network-scripts
install -d ${RPM_BUILD_ROOT}%{_sysconfdir}/udev/rules.d

install -m 0755 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/network-scripts/ifup-ib
install -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_sysconfdir}/ofed/openib.conf
install -m 0755 %{SOURCE3} ${RPM_BUILD_ROOT}%{_initrddir}/openibd
install -m 0644 %{SOURCE4} ${RPM_BUILD_ROOT}%{_sysconfdir}/ofed/fixup-mtrr.awk
install -m 0644 %{SOURCE8} ${RPM_BUILD_ROOT}/etc/udev/rules.d/90-ib.rules

%clean
rm -rf ${RPM_BUILD_ROOT}

%post -n openib
if [ $1 = 1 ]; then
    /sbin/chkconfig --add openibd
fi

%preun -n openib
if [ $1 = 0 ]; then
    /sbin/chkconfig --del openibd
fi

%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/ofed
%config(noreplace) %{_sysconfdir}/ofed/openib.conf
%{_sysconfdir}/ofed/fixup-mtrr.awk
%{_initrddir}/openibd
/etc/udev/rules.d/90-ib.rules
%{_sysconfdir}/sysconfig/network-scripts/ifup-ib

# END ##

I'm interested in the /etc/sysconfig/network-scripts/ifup-ib file. Is
it a configuration file or not?

Thx a lot.
Guillaume






Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread Jim Perrin
On Mon, Nov 29, 2010 at 7:52 AM, giggzounet  wrote:

> %config(noreplace) %{_sysconfdir}/ofed/openib.conf

This is what a config file looks like in a spec file. See how it has
%config at the beginning of the line, with the option of noreplace.
This file is a config and will not be replaced as far as rpm is concerned.

> %{_sysconfdir}/sysconfig/network-scripts/ifup-ib

This file has no such markings, and is not considered a config file by
rpm. It will be replaced on update.



-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
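Added example (not from the thread): a POSIX sh helper that applies the two rules above to an installed package, decoding the per-file flags rpm stores (the %config and noreplace bits from the spec) and reading `rpm -V` output to list which locally modified files the next update keeps and which it clobbers. The function names are mine, and the `rpm -V openib` sample is constructed to match the spec posted earlier, not real command output.

```shell
#!/bin/sh
# Added example, not from the thread. On update rpm keeps %config files
# (noreplace: the new copy lands in .rpmnew; plain %config: your edit is
# saved as .rpmsave) and silently replaces everything else.

# Decode the numeric RPMFILEFLAGS value rpm prints for one packaged file.
# Bit values are rpm's rpmfileAttrs: CONFIG=1, DOC=2, MISSINGOK=8,
# NOREPLACE=16, GHOST=64.
classify_flags() {
    flags=$1
    if [ $((flags & 64)) -ne 0 ]; then
        echo ghost
    elif [ $((flags & 1)) -ne 0 ]; then
        if [ $((flags & 16)) -ne 0 ]; then
            echo 'config(noreplace)'
        else
            echo config
        fi
    else
        echo regular
    fi
}

# Flags of PATH ($2) inside installed package PKG ($1): a real rpm query
# that prints nothing if rpm is missing or the file is not in the package.
file_flags() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '[%{FILENAMES} %{FILEFLAGS}\n]' "$1" 2>/dev/null |
        awk -v p="$2" '$1 == p { print $2 }'
}

# Verdict for one `rpm -V` line, "<attrs> [c|d|g|l|r] <path>" or
# "missing [c] <path>". A changed checksum (5), size (S), mode (M) or
# link target (L) means the file was edited locally; the "c" marker
# means rpm treats it as %config and will not overwrite it.
verify_verdict() {
    set -- $1
    attrs=$1
    if [ $# -ge 3 ]; then type=$2; path=$3; else type=""; path=$2; fi
    case "$attrs" in
        missing)
            [ "$type" = c ] && echo "missing-config $path" || echo "missing $path" ;;
        *5*|*S*|*M*|*L*)
            [ "$type" = c ] && echo "edited-kept $path" || echo "edited-overwritten $path" ;;
        *)
            echo "metadata-only $path" ;;
    esac
}

# Apply verify_verdict to every line of rpm -V output passed as $1.
report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && verify_verdict "$line"
    done
}

# Constructed sample of `rpm -V openib` after the ifup-ib fix from the
# thread and a local edit of openib.conf (not real command output).
SAMPLE_VERIFY='S.5....T.  c /etc/ofed/openib.conf
S.5....T.    /etc/sysconfig/network-scripts/ifup-ib
.......T.    /etc/init.d/openibd'

report "$SAMPLE_VERIFY"
# On a real host: report "$(rpm -V openib)"; for one file:
# classify_flags "$(file_flags openib /etc/sysconfig/network-scripts/ifup-ib)"
```

For the "install it and test it" route, `rpm -qc openib` lists just the %config files of the installed package, which is the same answer without reading the spec.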


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Monday, November 29, 2010 08:50 PM, Marko Vojinovic wrote:

> Well, the kernel I used at the time had a known exploit (exploitable by some
> services I was running), and the intruder took advantage of that. Of course, it
> was partly my fault, because I didn't restart those machines for a long time,
> so the updated kernel wasn't running on them.
>
> So yes, I agree, if I took good care of the rest of the system nothing serious
> would have happened. But in this particular case SELinux saved my skin, since
> the third machine could take the load from the first two while these were
> kickstarted by a friend of mine... :-)
>

There is also the case of recently discovered exploits. Like the one in 
phpmysqladmin that was made known in September. Okay, the HQ chap was 
inept in allowing anybody to access phpmysqladmin imagining that the 
password protection was sufficient and at the same time allowing access 
to setup.php from anyone on the Net, so he could have prevented the 
whole thing in the first place without the protection of SELinux. But 
had he had SELinux running, it could have foiled the upload of the bot 
and subsequent execution.


Re: [CentOS] Any chance to get a working, current openldap srpm/rpm for centos 5.5

2010-11-29 Thread Adam Tauno Williams
On Mon, 2010-11-29 at 09:46 +0100, Götz Reinicke - IT-Koordinator
wrote: 
> Hello,
> is there anyone out there, who has a current 2.4.23 srpm or good how to
> compile it from src with supported db4?
> I tried to compile recent source files, but always finding the current
> (installed) db4 >4.3 fails.
> Than I tried to compile the LTB Project Files:
> http://ltb-project.org/wiki/documentation/openldap-rpm
> May be it is just a small step or option to be set.
> Would be nice to get it working :-)

The packages at Telkomsa work very well [been using them in production
for years] and are quite current.



-- 
Adam Tauno Williams  LPIC-1, Novell CLA

OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba



Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread giggzounet
On 29/11/2010 14:08, Jim Perrin wrote:
> On Mon, Nov 29, 2010 at 7:52 AM, giggzounet  wrote:
> 
>> %config(noreplace) %{_sysconfdir}/ofed/openib.conf
> 
> This is what a config file looks like in a spec file. See how it has
> %config at the beginning of the line, with the option of noreplace.
> This file is a config and will not be replaced as far as rpm is concerned.
> 
>> %{_sysconfdir}/sysconfig/network-scripts/ifup-ib
> 
> This file has no such markings, and is not considered a config file by
> rpm. it will be replaced on update.
> 
> 
> 

Great! Thanks for the help.

Bye bye



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Adam Tauno Williams
On Sun, 2010-11-28 at 23:42 +, Marko Vojinovic wrote: 
> On Sunday 28 November 2010 22:40:41 brett mm wrote:
> > > This is where, as a sysadmin, you need to invest just a little time and
> > > effort learning the system. Honestly, the vast majority of issues are
> > > trivial to solve if you just spend a few hours reading the docs/guides,
> > > and even if you really can't be bothered there are kind folks on this
> > > list (and others) that will likely solve your issues for you. How is
> > > that not worth the extra security SELinux affords?
> > In reality, I am not at all sure that a quantum leap in complexity
> > adds to security at all. Any proper use of old-school group
> > permissions can give as finely-grained a security policy as you would
> > like.
> No, you're wrong --- SELinux exists precisely because the old-school 
> permissions system is *not* fine-grained enough. That's why SELinux was 
> actually invented, to introduce a more fine-grained control over access.

+1

> I am lazy to search now, but I remember seeing a couple of typical counter-
> examples, where usual permissions system is completely incapable of 
> implementing the level of access control that SELinux gives you. 

Even if it is *possible*, the traditional UNIX permissions are a serious
*PAIN*.  If you want two users to have rw- to a file you...  create a
group of two users???  You end up with a zillion groups - which is
pointless and unmaintainable.  Thank goodness for ACL support and
setfacl/getfacl.  While that isn't SELinux the principle is the same -
the tools should rise to match the practice, not the practice be mashed
into the functionality of inferior tools.

I was a disable-selinux guy because it seemed like a black box.  But I
saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it
doesn't take much effort and SELinux really is understandable.

SELinux can even generate the required policies for you! It is an
impressively well thought out tool and as indispensable as iptables.



Re: [CentOS] Any chance to get a working, current openldap srpm/rpm for centos 5.5

2010-11-29 Thread Götz Reinicke - IT-Koordinator
On 29.11.10 13:16, Stefan Held wrote:
> On Monday, 29.11.2010, 09:46 +0100, Götz Reinicke - IT-Koordinator
> wrote:
>> Hello,
>>
>> is there anyone out there, who has a current 2.4.23 srpm or good how to
>> compile it from src with supported db4?
> 
> Well, you would have to rebuild half of the system to do that.
> 
> If you try to rebuild db4 you should rebuild rpm and so on.
> 
> if you rebuild openldap all the ldap client software an dependend stuff
> should be rebuilt to ensure everything is working.
> 
> What would you do with that rpm? Would it be for production?

Yes, it would be for production. It is a pain, I know, and so far I
managed to compile the rpm from

http://ltb-project.org/wiki/documentation/openldap-rpm

That might work, as it is an installation along with the db 4.3 from RH.

Cheers, Götz



Re: [CentOS] Any chance to get a working, current openldap srpm/rpm for centos 5.5

2010-11-29 Thread Götz Reinicke - IT-Koordinator
On 29.11.10 13:43, Eero Volotinen wrote:
> 2010/11/29 Götz Reinicke - IT-Koordinator :
>> Hello,
>>
>> is there anyone out there, who has a current 2.4.23 srpm or good how to
>> compile it from src with supported db4?
> 
> RHEL 6 provides ldap-2.4.19
> 
> So maybe you just need to wait for Centos 6 ?

RHEL 6 is not supported by Citrix XenServer ... which is what we run
right now.

And using or waiting for a distribution release if you 'only' need an
application update is not an option.

But thanks for your suggestion.

/Götz



Re: [CentOS] Rebuilding samba3x rpms results in size doubled

2010-11-29 Thread Oguz Yilmaz
I thought I had just recompiled with rpmbuild -ba samba3x.spec. However, I
have noticed that libcap.so.2 is included instead of libcap.so.1 on my build
system. This is the main difference between the ldd outputs of the smbd binaries.
I will check further.

Regards,


--
Oguz YILMAZ


On Mon, Nov 29, 2010 at 1:25 PM, John Doe  wrote:

> From: Oguz Yilmaz 
> >I have rebuilt samba3x SRPM in Centos 5.5. The resultings RPM's are nearly
> in
> >triple size of the original RPMs. I have installed and checked the binary
> files
>
> >are stripped. What can result in such difference in RPM sizes?
> >I have not changed anything on built and install sections of spec file.
>
> Maybe debuging symbols...
> Maybe try ldd and check if there are differences...
>
> JD
>
>
>


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread m . roth
Adam Tauno Williams wrote:
> On Sun, 2010-11-28 at 23:42 +, Marko Vojinovic wrote:
>> On Sunday 28 November 2010 22:40:41 brett mm wrote:
>> > > This is where, as a sysadmin, you need to invest just a little time
>> and effort learning the system. Honestly, the vast majority of issues

>> > In reality, I am not at all sure that a quantum leap in complexity
>> > adds to security at all. Any proper use of old-school group
>> > permissions can give as finely-grained a security policy as you would
>> > like.
>> No, you're wrong --- SELinux exists precisely because the old-school
>> permissions system is *not* fine-grained enough. That's why SELinux was
>> actually invented, to introduce a more fine-grained control over access.
>
No, selinux is a *royal* pain. It may be good for a production box that
has systems tested to within an inch of their lives, and you go through an
approval process... but for anything else, most folks put it into
permissive mode. Certainly, we do, given that there are some AVC's I've
been trying to figure out for *months*, and still don't know how to fix,
or where the files are that it's complaining about; or want to allow this,
but not everything, and have no clue how to allow *only* that, etc.

> Even if it is *possible*, the traditional UNIX permissions are a serious
> *PAIN*.  If you want two users to have rw- to a file you...  create a
> group of two users???  You end up with a zillion groups - which is
> pointless and unmaintainable.  Thank goodness for ACL support and

You mean like the std. upstream practice of creating, by default, a new
group for EVERY BLOODY USER, and not, by default, dumping them into, say,
users?

  mark



[CentOS] opensc/ct/etc

2010-11-29 Thread m . roth
Has anyone worked with the upstream installation for 5.5, and successfully
told it to ->shut up<- when you pull your smart card out of the reader?
Since you can't add parms in /etc/reader.conf, or in a file in
/etc/reader.conf.d, I tried editing /etc/init.d/pcscd to tell it error
level and above logging only, and it ignores it, and writes over and over
that the card is "mute or absent", filling my logs.

mark



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 7:35 AM, Adam Tauno Williams wrote:
>
> Even if it is *possible*, the traditional UNIX permissions are a serious
> *PAIN*.  If you want two users to have rw- to a file you...  create a
> group of two users???

Yes, there is nothing simpler than a group to represent a group of users.

> You end up with a zillion groups - which is
> pointless and unmaintainable.  Thank goodness for ACL support and
> setfacl/getfacl.

So what do you do when you have user-specific ACLs splattered randomly 
through the filesystem and the members of the cooperating groups change?

-- 
   Les Mikesell
lesmikes...@gmail.com



[CentOS] Minimising disk I/O

2010-11-29 Thread Keith Roberts
I'd like to get disk I/O down to a minimum for my new CentOS 
5.5 installation.

The machine will not be used as a web server anymore, as 
that's now hosted on a cloud platform. So there are no HTTP 
requests coming down the line.

If I move the SWAP partition and /var/log/ to a small spare 
drive, and install Centos on the new larger drive, is there 
anything else that would cause disk activity on the main 
drive, when the machine is running but not in use?

fetchmail will be collecting my email hourly, but I'd like 
the drive to spin down and go into hibernate mode if 
possible.

I have a backup drive that gets woken up once an hour to 
back up email, and also during the night to make backups 
of specified directories every 24 hours.

Apart from that, the drive is not in use, unless I run a 
backup script manually.

So I'm hoping to do the same for the main drive, if that's 
possible?

Kind Regards,

Keith Roberts

-- 
In theory, theory and practice are the same;
in practice they are not.

This email was sent from my laptop with Centos 5.5


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread John Hodrien
On Mon, 29 Nov 2010, Les Mikesell wrote:

> On 11/29/2010 7:35 AM, Adam Tauno Williams wrote:
>>
>> Even if it is *possible*, the traditional UNIX permissions are a serious
>> *PAIN*.  If you want two users to have rw- to a file you...  create a
>> group of two users???
>
> Yes, there is nothing simpler than a group to represent a group of users.
>
>> You end up with a zillion groups - which is
>> pointless and unmaintainable.  Thank goodness for ACL support and
>> setfacl/getfacl.
>
> So what do you do when you have user-specific ACLs splattered randomly
> through the filesystem and the members of the cooperating groups change?

If userA wants to share a file with userB, they use an ACL, or they need root
assistance.  That's the ad-hoc case, and it works much better using ACLs than
using groups.  For the planned case you describe, you create a group in your
central directory.

It's much the same under Windows.

jh


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread aurfalien
On Nov 29, 2010, at 7:47 AM, Les Mikesell wrote:

> On 11/29/2010 7:35 AM, Adam Tauno Williams wrote:
>>
>> Even if it is *possible*, the traditional UNIX permissions are a  
>> serious
>> *PAIN*.  If you want two users to have rw- to a file you...  create a
>> group of two users???
>
> Yes, there is nothing simpler than a group to represent a group of  
> users.
>
>> You end up with a zillion groups - which is
>> pointless and unmaintainable.  Thank goodness for ACL support and
>> setfacl/getfacl.
>
> So what do you do when you have user-specific ACLs splattered randomly
> through the filesystem and the members of the cooperating groups  
> change?

Perhaps consult with Winblows AD admins as I'm sure they deal with  
this all the time.

MS$ ACLs have been around for a very long time.

- aurf


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Sunday, November 28, 2010 10:39:22 am Bob McConnell wrote:
> Maybe not, but the risks should be evaluated on a case by case basis. I 
> don't believe it can be considered a panacea either. Even with SE in 
> full protected mode, a simple SQL injection flaw can still expose much 
> of the sensitive data on your server.

That's when something like SEPostgreSQL can help.  Yeah, SELinux controls in 
the database itself.  See http://wiki.postgresql.org/wiki/SEPostgreSQL for more 
information.

If you have sensitive data, you need to be diligent.  The people behind SELinux 
are the country's leading experts on information sensitivity and 
compartmentalization.

Yeah, that sort of control can be a pain, but if the data is truly sensitive 
you simply must take pains with it.

SELinux on the desktop is a great thing, too, especially if you want to thwart 
drive-by web bugs and such (you set your controls to not allow Firefox access 
but to specific areas of your home directory, and you set certain areas of your 
home directory off limits except to certain programs: you're worm-proof then, 
and, if you're careful, data-theft-proof).  But that fine-grained control means 
you have to maintain those controls, and require due diligence.

It is and has always been a balance between convenience and security; truly 
tight security, which SELinux can give you in droves, is a time-consuming and 
not very convenient affair.  

But if you think you're fully locked down without controls similar to SELinux, 
you are simply wrong, and an attacker will prove that to you one day.  
Firewalls are not enough by themselves.  SELinux is likely not enough by 
itself; layers do the trick, so that when an exploit in one layer occurs the 
other layer catches it (and hopefully you find out about it).

Intrusion detection is good, but, once an intrusion is detected it might be too 
late, depending upon the intrusion.  And intrusion 'signatures' (much like 
virus signatures) are no good at all against previously undetected threats.  
SELinux allows you (especially with permissive mode) to see the access 
footprint of an application, and tailor the security to the normal access 
footprint.  Allow only what is normal, and it's much harder (not impossible) to 
exploit things.

No security is perfect; multiple layers of diverse security on multiple 
platforms helps immensely. 


[CentOS] directory services and root/sudo access

2010-11-29 Thread Iain Morris
This is perhaps a more general security question.  For those of you with a
directory services installation, do you install a generic local user with
sudo access in case directory services is not available?  Or do you just
beef up your directory services to the point that you are confident it will
almost always be up?

I usually disable root login via ssh, but allow it from the physical
console, and make an emergency generic account with sudo privs in case DS
breaks down.  What I've noticed, however, is if I simulate a directory
services failure, ssh logins with this generic local account take an
eternity as the server still tries to auth that user against ldap/kerberos
first.  I'm sure this could be adjusted in pam in some way.

I was just curious how other admins approach this, and what level of trust
they place in directory services being available.

-- 
-- -
Iain Morris
iain.t.mor...@gmail.com


Re: [CentOS] yum is dumb in update of gmime & gmime-sharp

2010-11-29 Thread ken
On 11/28/2010 05:13 PM William Hooper wrote:
> On Sun, Nov 28, 2010 at 4:00 PM, ken  wrote:
>>> You need to take a closer look at what yum is trying to install.  This
>>> message is telling you yum won't update the package because it will
>>> break a dependency on another installed package.
>> yum's trying to install gmime20.  This doesn't exist on my system.
>>
>> What dependency would break by installing it?
> 
> Looking at the RPMForge spec file for gmime20, it obsoletes any gmime
> lower than its version. You are trying to install gmime20.i386
> 0:2.2.26-1.el5.rf, which will remove gmime-2.2.10-5.el5.centos.
> However, your currently installed gmime-sharp-2.2.10-5.el5.centos
> requires gmime-2.2.10-5.el5.centos.  You need to either remove
> gmime-sharp-2.2.10-5.el5.centos or find an updated version that will
> work with gmime20.i386 0:2.2.26-1.el5.rf.
> 

Thanks, WH.  Given that all this hassle is over one app (tomboy) which
is by no means critical to my system and that I don't even use that
much, I just decided to get rid of it... and gmime and gmime-sharp along
with it.  Problem solved.

The key to the puzzle for me was that, to install gmime20, it was
necessary to remove gmime.  I never would have guessed that... seems
counter-intuitive to me... and the only way to find that out is to look
in the spec file!!  Or is there another way?

What in the spec file told you that?

Also... I know to look in the SPEC file by installing just the src, but
is there a shorter (another, better) way to look at it?

This is all academic to me at this point... just want to learn a bit
more about RPMs if you're up for sharing wisdom.

Thanks.



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote:
> But that means you were running software with vulnerabilities or a user would 
> not be able to become root anyway.  Is that due to not being up to date (i.e. 
> would normal, non-SELinux measures have been enough), or was this before a 
> fix 
> was available?

By definition we are all running software with vulnerabilities.  Those 
vulnerabilities may not be public knowledge yet, but they are there, and many 
are likely known by the blackhats already, and kept 'mum.'

Fixing vulnerabilities and keeping up to date alone is insufficient to keep you 
secure.  Can you say 'zero day?'

SELinux is a powerful tool in helping combat zero day exploits from succeeding, 
in many cases.

Can it be a pain?  Sure it can.  It has improved greatly, in my experience, 
thanks in no small part to the dedicated Fedora team working on selinux 
packages.  This includes the upstream developers, the Fedora packagers, the QA 
team, and ESPECIALLY the Fedora users who take time to file informative and 
useful reports while using the system with SELinux in enforcing mode.  No pain, 
no gain.

I've run with SELinux in enforcing (targeted) mode on my laptop, now, since 
Fedora 11, and have only had two issues that required some head-scratching.  
One was solved by a relabel.  The other was a little more devious, but a little 
tweaking which in permissive mode showed me the solution.  I did learn a couple 
of really good lessons from that, though.  The first was to always keep a 
Fedora Live boot media with the laptop (CD or USB, or another partition on the 
hard disk).  The second was that there are some updates that must occur in 
pairs, and occasionally a relabel of at least part of the filesystem is going 
to be required. But that's not hard to trigger, and isn't that inconvenient.


[CentOS] rpm dependencies

2010-11-29 Thread bluethundr
 I have successfully created a packaged version of openssh that has
the LPK patch.  LPK allows you to store your public keys in LDAP.
However when I go to install the package I created it complains about
dependencies:

[r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
error: Failed dependencies:
openssh = 5.5p1-1.el5 is needed by (installed) 
openssh-clients-5.5p1-1.el5.i386
openssh = 5.5p1-1.el5 is needed by (installed) 
openssh-server-5.5p1-1.el5.i386

 how can I get past this?

thanks!!


-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:17 AM, Lamar Owen wrote:
> On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote:
>> But that means you were running software with vulnerabilities or a user would
>> not be able to become root anyway.  Is that due to not being up to date (i.e.
>> would normal, non-SELinux measures have been enough), or was this before a 
>> fix
>> was available?
>
> By definition we are all running software with vulnerabilities.  Those 
> vulnerabilities may not be public knowledge yet, but they are there, and many 
> are likely known by the blackhats already, and kept 'mum.'
>
> Fixing vulnerabilities and keeping up to date alone is insufficient to keep 
> you secure.  Can you say 'zero day?'

Agreed, but not everyone has time to do both - or to learn lots of 
distribution-specific details in mixed environments.  My opinion is that 
doing the simple stuff first is a win.  And that works the same on 
systems that don't include SELinux.

> SELinux is a powerful tool in helping combat zero day exploits from 
> succeeding, in many cases.

And it also keeps most 3rd party software from working.  If you are 
storing credit card numbers or personal information that would be 
expensive to leak, then you obviously need to make every effort possible 
to block intrusion, although the people who regulate this stuff don't 
require SELinux explicitly.  But not all machines do that.

> I've run with SELinux in enforcing (targeted) mode on my laptop, now, since 
> Fedora 11, and have only had two issues that required some head-scratching.  
> One was solved by a relabel.  The other was a little more devious, but a 
> little tweaking which in permissive mode showed me the solution.  I did learn 
> a couple of really good lessons from that, though.  The first was to always 
> keep a Fedora Live boot media with the laptop (CD or USB, or another 
> partition on the hard disk).  The second was that there are some updates that 
> must occur in pairs, and occasionally a relabel of at least part of the 
> filesystem is going to be required. But that's not hard to trigger, and isn't 
> that inconvenient.

How much 3rd party software do you run where someone else has not 
already spent the time to work out the policies needed to let it work?

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] yum is dumb in update of gmime & gmime-sharp

2010-11-29 Thread ken
On 11/28/2010 05:16 PM William Hooper wrote:
> On Sun, Nov 28, 2010 at 5:12 PM, William Hooper
>  wrote:
>> On Sun, Nov 28, 2010 at 4:00 PM, ken  wrote:
>>>> You need to take a closer look at what yum is trying to
>>>> install.  This message is telling you yum won't update the
>>>> package because it will break a dependency on another installed
>>>> package.

Where was a message telling me that?  (In my original post I included
the relevant output.)  There wasn't anything there which said the
install of gmime20 necessitated removing another, different package.


>>> yum's trying to install gmime20.  This doesn't exist on my
>>> system.
>>> 
>>> What dependency would break by installing it?
>> Looking at the RPMForge spec file for gmime20, it obsoletes any
>> gmime lower than its version. You are trying to install
>> gmime20.i386 0:2.2.26-1.el5.rf, which will remove
>> gmime-2.2.10-5.el5.centos. However, your currently installed
>> gmime-sharp-2.2.10-5.el5.centos requires gmime-2.2.10-5.el5.centos.
>> You need to either remove gmime-sharp-2.2.10-5.el5.centos or find
>> an updated version that will work with gmime20.i386
>> 0:2.2.26-1.el5.rf.
> 
> I thought this seemed familiar:
> 
> http://lists.centos.org/pipermail/centos/2010-March/092358.html

Yeah, maintaining this app (tomboy) has been more hassle than it's
worth.  I think I just waited for gmime* updates to come out from a
different repo and installed those.



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Sunday, November 28, 2010 05:40:41 pm brett mm wrote:
> In reality, I am not at all sure that a quantum leap in complexity
> adds to security at all. Any proper use of old-school group
> permissions can give as finely-grained a security policy as you would
> like.

No, it won't.

Suppose I'm running CentOS on a workstation, and have a need to access a 
corporate webapp written in Flash, read corporate documents in PDF, and use 
other applications written in Java.  So I'm going to be living in my browser 
for most things corporate.

How can I prevent a compromised PDF from gaining an attacker access to my 
entire home directory?  More to the point, how do I prevent that PDF from 
gaining WRITE access to files in my home directory (say, .bashrc for instance)?

With SELinux I can set files and whole hierarchies to not allow Acrobat Reader 
access of various types, while still allowing access to those areas it needs.  
Voila!  Acrobat Reader vulnerabilities and the PDFs that exploit them no 
longer have any power to exploit my system.  Same with Flash, Java, and Firefox 
itself.  If firefox has no need to write into my Documents directory, then I 
can lock out my Documents directory to firefox (even when it's running with the 
right uid:gid that would defeat old-school uid:gid based perms) and not worry 
about a malicious website exploiting a firefox zero-day modifying any of my 
files in Documents.

Old-school permissions are user and group ID based; mandatory access controls 
are not.  They can be process-based and file-based (and socket-based, too).  
They give you the ability to make root not able to touch every file, for 
instance, unless the process has the right security context (even making it 
possible to put /usr/bin, /bin, /lib, /usr/lib, the kernel, etc, off-limits for 
overwriting by root unless the controlling process is in the right security 
context).  SELinux controls can prevent botnet worms from opening network ports 
for listening; or even for outgoing access.

On a stable server, where the configuration is production-ready, it shouldn't 
be hard to determine a normal security footprint to write policy to; lock down 
the security contexts and the number of successful exploits will go down.

What needs to improve are the admin tools to make those sorts of decisions 
easy.  While the selinux configuration tool in Fedora (and thus RHEL as it gets 
the improvements backported) has improved, it can stand more improvement.

Yes, this sort of thing adds a little complexity (like, for instance, when you 
want to change ssh to listen to a non-default port; you need to remember three 
configuration steps: 1.) sshd needs to listen there; 2.) iptables needs to 
allow the incoming; 3.) and selinux policy needs to allow sshd to bind the port 
for listening.  Previous selinux configuration tools didn't make 3.) as easy as 
it could be; current Fedora tools at least make it as easy as steps 1 and 2.

On the server side, suppose you're running Plone and Moodle together, and have 
some integration.  You'll want to profile the security footprint, write the 
policy to it, and implement.  If the proper selinux procedures are followed it 
will survive updates and relabels just fine, and when Moodle and Plone exploits 
are found, they will prevent remote privilege escalation.

Or, in other words: follow the various mailing lists to see what the most 
common exploits are actually out there in the wild;  then analyze those to see 
if the old-school techniques would prevent them  without convoluted and massive 
groups.  In the Plone instance a PDF exploit might even be something to guard 
against, since Plone content types for automatic insertion of content from 
various upload forms is supported.  I.e., check to see what's happening in the 
real world of 2010, not the real world of 1980.
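A defender's consistency check for the three-step sshd port change described in the post above (sshd listens, iptables allows, SELinux labels the port). This is an added example, not code from the thread: it parses constructed samples of sshd_config, iptables-save output and `semanage port -l` output and reports which layer still blocks each port sshd listens on. The sample texts, the function names and port 2222 are assumptions.

```python
import re

# Constructed sample input (not from any real host): sshd_config already
# moved to port 2222 ...
SSHD_CONFIG = """\
#Port 22
Port 2222
Protocol 2
PermitRootLogin no
"""

# ... iptables-save already accepts the new port ...
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
"""

# ... but `semanage port -l` still labels only 22 as ssh_port_t, so in
# enforcing mode sshd is denied the bind (step 3 in the post above).
SEMANAGE_PORT_L = """\
ssh_port_t                     tcp      22
smtp_port_t                    tcp      25, 465, 587
"""


def sshd_ports(config_text):
    """Ports sshd will listen on: every uncommented 'Port N' directive,
    or the default 22 when there is none."""
    ports = set()
    for line in config_text.splitlines():
        m = re.match(r'\s*Port\s+(\d+)\s*$', line)  # '#Port 22' does not match
        if m:
            ports.add(int(m.group(1)))
    return ports or {22}


def iptables_accepted_tcp_ports(save_text):
    """TCP destination ports (single or lo:hi range) accepted by INPUT
    rules in iptables-save output."""
    ports = set()
    for line in save_text.splitlines():
        if not (line.startswith('-A INPUT') and ' -p tcp ' in line
                and line.rstrip().endswith('-j ACCEPT')):
            continue
        m = re.search(r'--dport (\d+)(?::(\d+))?', line)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            ports.update(range(lo, hi + 1))
    return ports


def selinux_labelled_ports(semanage_text, port_type='ssh_port_t'):
    """TCP ports carrying `port_type` according to `semanage port -l`,
    which prints them as a comma-separated list of numbers or lo-hi ranges."""
    ports = set()
    for line in semanage_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != port_type or fields[1] != 'tcp':
            continue
        for item in ' '.join(fields[2:]).split(','):
            item = item.strip()
            if '-' in item:
                lo, hi = (int(x) for x in item.split('-'))
                ports.update(range(lo, hi + 1))
            elif item:
                ports.add(int(item))
    return ports


def missing_layers(sshd_config, iptables_save, semanage_output):
    """For each port sshd listens on, list the layers that would still
    block it; an empty list means all three layers agree."""
    allowed_by_fw = iptables_accepted_tcp_ports(iptables_save)
    allowed_by_se = selinux_labelled_ports(semanage_output)
    report = {}
    for port in sorted(sshd_ports(sshd_config)):
        gaps = []
        if port not in allowed_by_fw:
            gaps.append('iptables')
        if port not in allowed_by_se:
            gaps.append('selinux')
        report[port] = gaps
    return report


if __name__ == '__main__':
    for port, gaps in missing_layers(SSHD_CONFIG, IPTABLES_SAVE,
                                     SEMANAGE_PORT_L).items():
        if gaps:
            print('port %d: not yet allowed by %s' % (port, ', '.join(gaps)))
            if 'selinux' in gaps:
                # Step 3 from the post: label the port for sshd.
                print('  hint: semanage port -a -t ssh_port_t -p tcp %d' % port)
        else:
            print('port %d: sshd, iptables and SELinux agree' % port)
```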


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread m . roth
Les Mikesell wrote:
> On 11/29/2010 10:17 AM, Lamar Owen wrote:
>> On Sunday, November 28, 2010 10:37:29 pm Les Mikesell wrote:

> How much 3rd party software do you run where someone else has not
> already spent the time to work out the policies needed to let it work?

And how much in-house developed software do you run? Or, speaking of 3rd
party software, do you run my own personal PITA, CA's $$$ SiteMinder?

   mark



Re: [CentOS] rpm dependencies

2010-11-29 Thread Joe Keller
When you built openssh, didn't it also build the openssh-clients and
openssh-server RPMs?  You should install them at the same time, in the same
transaction with your version of openssh:

rpm -Uvh openssh*-5.6p1-1.i386.rpm

On Mon, Nov 29, 2010 at 11:23 AM, bluethundr  wrote:

>  I have successfully created a packaged version of openssh that has
> the LPK patch.  LPK allows you to store your public keys in LDAP.
> However when I go to install the package I created it complains about
> dependencies:
>
> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
> error: Failed dependencies:
>openssh = 5.5p1-1.el5 is needed by (installed)
> openssh-clients-5.5p1-1.el5.i386
>openssh = 5.5p1-1.el5 is needed by (installed)
> openssh-server-5.5p1-1.el5.i386
>
>  how can I get past this?
>
> thanks!!
>
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Lamar Owen
On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
> Agreed, but not everyone has time to do both - or to learn lots of 
> distribution-specific details in mixed environments.  My opinion is that 
> doing the simple stuff first is a win.  And that works the same on 
> systems that don't include SELinux.

The simple stuff on the Fedora box with SELinux is using the targeted policy in 
enforcing mode.  Updates are easy, but there is always a lag from vulnerability 
discovery to vulnerability patching.

Security isn't simple.  The mantra 'just disable SELinux, you don't need it 
anyway because it's too big of a pain and apps that aren't part of the tested 
distribution can break' is oversimplifying a complex issue.  My opinion is that 
I'm not going to run third party apps that break in that way, and I'm going to 
let the developers know why.

> > SELinux is a powerful tool in helping combat zero day exploits from 
> > succeeding, in many cases.
> 
> And it also keeps most 3rd party software from working. 

I'd ask you to qualify most.  All of the third-party software I run seems to 
run just fine, as long as the right contexts are applied.  The most difficult 
was Scalix, but that wasn't too difficult, since the culprit (the embedded 
PostgreSQL server running on a nonstandard port with a nonstandard file tree) 
had a fairly simple policy change to be done, thanks to permissive mode.

> If you are 
> storing credit card numbers or personal information that would be 
> expensive to leak, then you obviously need to make every effort possible 
> to block intrusion, although the people who regulate this stuff don't 
> require SELinux explicitly.  But not all machines do that.

If I use my laptop to do my online banking, then my browser cache, cookies, and 
other browser-stored data become critical.  Client-side data in this case, but 
no less critical.

> > I've run with SELinux in enforcing (targeted) mode on my laptop, now, since 
> > Fedora 11, and have only had two issues that required some head-scratching. 
> >  
> > 
> How much 3rd party software do you run where someone else has not 
> already spent the time to work out the policies needed to let it work?

A few things, and none were very hard to set up.  On the server side Scalix was 
the most difficult, but still not hard.


Re: [CentOS] rpm dependencies

2010-11-29 Thread Robert Heller
At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list  
wrote:

> 
>  I have successfully created a packaged version of openssh that has
> the LPK patch.  LPK allows you to store your public keys in LDAP.
> However when I go to install the package I created it complains about
> dependencies:
> 
> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
> error: Failed dependencies:
>   openssh = 5.5p1-1.el5 is needed by (installed) 
> openssh-clients-5.5p1-1.el5.i386
>   openssh = 5.5p1-1.el5 is needed by (installed) 
> openssh-server-5.5p1-1.el5.i386
> 
>  how can I get past this?

Get the spec file from the stock openssh SRPM and use that as a guide
to create a spec file for openssh-5.6p1 that will create the
openssh-clients and openssh-server sub-packages and then re-build it
again.  Now you can upgrade the three packages
openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and
openssh-server-5.6p1-1.i386.rpm.

> 
> thanks!!
> 
> 

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments



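A small model of the dependency check rpm ran in the original post, illustrating both Joe Keller's advice (install all three packages in one transaction) and Robert Heller's (rebuild so the spec produces the client and server sub-packages). This is an added example, not code from the thread or from rpm: the package metadata is constructed from the versions quoted above, only the exact-version `=` requirement is modelled, and the function names are assumptions.

```python
# Constructed package metadata (from the versions quoted in the thread):
# what `rpm -q --requires` shows for the stock 5.5p1 packages.
INSTALLED = {
    'openssh':         {'version': '5.5p1-1.el5', 'requires': []},
    'openssh-clients': {'version': '5.5p1-1.el5', 'requires': ['openssh = 5.5p1-1.el5']},
    'openssh-server':  {'version': '5.5p1-1.el5', 'requires': ['openssh = 5.5p1-1.el5']},
}

# The rebuilt 5.6p1 packages.  Sub-packages built from the same spec
# require the new main package, exactly as the stock ones require 5.5p1.
REBUILT = {
    'openssh':         {'version': '5.6p1-1', 'requires': []},
    'openssh-clients': {'version': '5.6p1-1', 'requires': ['openssh = 5.6p1-1']},
    'openssh-server':  {'version': '5.6p1-1', 'requires': ['openssh = 5.6p1-1']},
}


def parse_requirement(req):
    """'openssh = 5.5p1-1.el5' -> ('openssh', '=', '5.5p1-1.el5');
    a bare capability name -> (name, None, None)."""
    fields = req.split()
    if len(fields) == 1:
        return fields[0], None, None
    if len(fields) == 3 and fields[1] == '=':
        return fields[0], '=', fields[2]
    raise ValueError('unsupported requirement: %r' % req)


def is_satisfied(req, packages):
    """True when `packages` provides the requirement at the exact version."""
    name, op, version = parse_requirement(req)
    if name not in packages:
        return False
    return op is None or packages[name]['version'] == version


def check_transaction(installed, to_install):
    """Simulate `rpm -Uvh` of `to_install` against `installed`: every package
    in the transaction replaces the installed one of the same name, then each
    Requires of the resulting package set is checked.  Returns rpm-style
    failure lines, or an empty list when the transaction is consistent."""
    after = dict(installed)
    after.update(to_install)
    failures = []
    for name, pkg in sorted(after.items()):
        for req in pkg['requires']:
            if not is_satisfied(req, after):
                failures.append('%s is needed by (installed) %s-%s'
                                % (req, name, pkg['version']))
    return failures


def pick(packages, *names):
    """Subset of a package dict, e.g. just the rebuilt main package."""
    return {n: packages[n] for n in names}


if __name__ == '__main__':
    # The command from the original post: only the main package is upgraded,
    # so the still-installed 5.5p1 sub-packages lose their exact-version match.
    for line in check_transaction(INSTALLED, pick(REBUILT, 'openssh')):
        print('error: ' + line)
    # All three rebuilt packages in one transaction: nothing is left dangling.
    print(check_transaction(INSTALLED, REBUILT) or 'all dependencies satisfied')
```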


[CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Johan Scheepers
Good day,

Gparted is not available on my installation.

Which partition tool is available in centos 5.5 please.

Thanks
Johan


Re: [CentOS] rpm dependencies

2010-11-29 Thread bluethundr
Sounds great guys!! on it!!! :)

On Mon, Nov 29, 2010 at 11:55 AM, Robert Heller  wrote:
> At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list  
> wrote:
>
>>
>>  I have successfully created a packaged version of openssh that has
>> the LPK patch.  LPK allows you to store your public keys in LDAP.
>> However when I go to install the package I created it complains about
>> dependencies:
>>
>> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
>> error: Failed dependencies:
>>       openssh = 5.5p1-1.el5 is needed by (installed) 
>> openssh-clients-5.5p1-1.el5.i386
>>       openssh = 5.5p1-1.el5 is needed by (installed) 
>> openssh-server-5.5p1-1.el5.i386
>>
>>  how can I get past this?
>
> Get the spec file from the stock openssh SRPM and use that as a guide
> to create a spec file for openssh-5.6p1 that will create the
> openssh-clients and openssh-server sub-packages and then re-build it
> again.  Now you can upgrade the three packages
> openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and
> openssh-server-5.6p1-1.i386.rpm.
>
>>
>> thanks!!
>>
>>
>
> --
> Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
> Deepwoods Software        -- http://www.deepsoft.com/
> ()  ascii ribbon campaign -- against html e-mail
> /\  www.asciiribbon.org   -- against proprietary attachments
>
>
>



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] Minimising disk I/O

2010-11-29 Thread Blake Hudson
I would suggest looking at articles that focus on laptop power
consumption, they typically have a section dedicated to disk accesses
and how to spin the disk down as much as possible since this has
traditionally been one of the better ways to minimize power consumption
on a laptop.

This article has some good tips - especially relating to processes that
might be accessing the disk frequently
http://www.spencerstirling.com/computergeek/powersaving.html

--Blake


 Original Message  
Subject: [CentOS] Minimising disk I/O
From: Keith Roberts 
To: CentOS mailing list 
Date: Monday, November 29, 2010 9:50:04 AM
> I'd like to get disk I/O down to a minimum for my new Centos 
> 5.5 installation.
>
> The machine will not be used as a web server anymore, as 
> that's now hosted on a cloud platform. So there are no HTTP 
> requests coming down the line.
>
> If I move the SWAP partition and /var/log/ to a small spare 
> drive, and install Centos on the new larger drive, is there 
> anything else that would cause disk activity on the main 
> drive, when the machine is running but not in use?
>
> fetchmail will be collecting my email hourly, but I'd like 
> the drive to spin down and go into hibernate mode if 
> possible.
>
> I have a backup drive that gets woken up once an hour to 
> backup email, and also during the night to make backups 
> of specified directories every 24 hours.
>
> Apart from that, the drive is not in use, unless I run a 
> backup script manually.
>
> So I'm hoping to do the same for the main drive if that's 
> posible?
>
> Kind Regards,
>
> Keith Roberts
>



Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Robert Heller
At Mon, 29 Nov 2010 19:02:49 +0200 CentOS mailing list  
wrote:

> 
> Good day,
> 
> Gparted is not available on my installation.
> 
> Which partition tool is available in centos 5.5 please.

fdisk, sfdisk, parted, kpartx, and pyparted.

fdisk is not recommended for really large disks since it only handles
DOS partition tables -- use parted to create GPT partition tables.

> 
> Thanks
> Johan

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments



   


Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Keith Roberts
On Mon, 29 Nov 2010, Johan Scheepers wrote:

> To: centos 
> From: Johan Scheepers 
> Subject: [CentOS] centos 5.5 - which partition manager installed
> 
> Good day,
>
> Gparted is not available on my installation.
>
> Which partition tool is available in centos 5.5 please.

Hi Johan.

It's available from rpmforge repository:

Installed Packages
Name   : gparted
Arch   : i386
Version: 0.4.8
Release: 4.el5.rf
Size   : 3.4 M
Repo   : installed
Summary: Gnome Partition Editor
URL    : http://gparted.sourceforge.net/
License: GPLv2+
Description: GParted stands for Gnome Partition Editor and is a graphical frontend
           : to libparted. Among other features it supports creating, resizing,
           : moving and copying of partitions. Also several (optional) filesystem
           : tools provide support for filesystems not included in libparted.
           : These optional packages will be detected at runtime and don't require
           : a rebuild of GParted

As well as installing it from the above, I'd recommend 
getting the live CD from the Gparted website:

http://gparted.sourceforge.net/livecd.php

As this is handy for preparing your hard drive, before doing 
a fresh installation of Linux. Some things are not possible 
when using Gparted from a working Linux installation.

As the Gparted CD runs from memory, you can do anything you 
want to any partition using this.

Kind Regards,

Keith Roberts

-- 
In theory, theory and practice are the same;
in practice they are not.

This email was sent from my laptop with Centos 5.5


Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Rudi Ahlers
On Mon, Nov 29, 2010 at 7:02 PM, Johan Scheepers  wrote:
> Good day,
>
> Gparted is not available on my installation.
>
> Which patition tool is available in centos 5.5 please.
>
> Thanks
> Johan

Have you tried to see what other tools are installed?
And, have you tried to install gparted?

-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532


Re: [CentOS] Minimising disk I/O

2010-11-29 Thread Keith Roberts
On Mon, 29 Nov 2010, Blake Hudson wrote:

> To: CentOS mailing list 
> From: Blake Hudson 
> Subject: Re: [CentOS] Minimising disk I/O
> 
> I would suggest looking at articles that focus on laptop power
> consumption, they typically have a section dedicated to disk accesses
> and how to spin the disk down as much as possible since this has
> traditionally been one of the better ways to minimize power consumption
> on a laptop.
>
> This article has some good tips - especially relating to processes that
> might be accessing the disk frequently
> http://www.spencerstirling.com/computergeek/powersaving.html
>
> --Blake

Hi Blake.

Thanks for that info.

I'll take a look at that.

Kind Regards,

Keith

-- 
In theory, theory and practice are the same;
in practice they are not.

This email was sent from my laptop with Centos 5.5


Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Lars Hecking

> fdisk, sfdisk, parted, kpartx, and pyparted.
> 
> fdisk is not recommended for really large disks since it only handles
> DOS partition tables -- use parted to create GPT partition tables.
 
 I prefer GPT fdisk for that and rolled my own rpm ...



---
This message and any attachments may contain Cypress (or its
subsidiaries) confidential information. If it has been received
in error, please advise the sender and immediately delete this
message.
---



Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Johan Scheepers
Robert Heller wrote:
> At Mon, 29 Nov 2010 19:02:49 +0200 CentOS mailing list  
> wrote:
> 
>> Good day,
>>
>> Gparted is not available on my installation.
>>
>> Which partition tool is available in centos 5.5 please.
> 
> fdisk, sfdisk, parted, kpartx, and pyparted.
> 
> fdisk is not recommended for really large disks since it only handles
> DOS partition tables -- use parted to create GPT partition tables.
> 
>> Thanks
>> Johan
Thanks. I was looking for a graphical tool
Johan


Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Johan Scheepers
Lars Hecking wrote:
>> fdisk, sfdisk, parted, kpartx, and pyparted.
>>
>> fdisk is not recommended for really large disks since it only handles
>> DOS partition tables -- use parted to create GPT partition tables.
>  
>  I prefer GPT fdisk for that and rolled my own rpm ...
Thanks. Now busy installing gparted
Johan


Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Johan Scheepers
Rudi Ahlers wrote:
> On Mon, Nov 29, 2010 at 7:02 PM, Johan Scheepers  
> wrote:
>> Good day,
>>
>> Gparted is not available on my installation.
>>
>> Which partition tool is available in centos 5.5 please.
>>
>> Thanks
>> Johan
> Have you tried to see what other tools are installed?
> And, have you tried to install gparted?
> 
Now busy installing it.
Thanks
Johan


Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Johan Scheepers
Keith Roberts wrote:
> On Mon, 29 Nov 2010, Johan Scheepers wrote:
> 
>> To: centos 
>> From: Johan Scheepers 
>> Subject: [CentOS] centos 5.5 - which partition manager installed
>>
>> Good day,
>>
>> Gparted is not available on my installation.
>>
>> Which partition tool is available in centos 5.5 please.
> 
> Hi Johan.
> 
> It's available from rpmforge repository:
> 
> Installed Packages
> Name   : gparted
> Arch   : i386
> Version: 0.4.8
> Release: 4.el5.rf
> Size   : 3.4 M
> Repo   : installed
> Summary: Gnome Partition Editor
> URL: http://gparted.sourceforge.net/
> License: GPLv2+
> Description: GParted stands for Gnome Partition Editor and 
> is a graphical frontend
> : to libparted. Among other features it supports 
> creating, resizing,
> : moving and copying of partitions. Also several 
> (optional) filesystem
> : tools provide support for filesystems not 
> included in libparted.
> : These optional packages will be detected at 
> runtime and don't require
> : a rebuild of GParted
> 
> As well as installing it from the above, I'd recommend 
> getting the live CD from the Gparted website:
> 
> http://gparted.sourceforge.net/livecd.php
> 
> As this is handy for preparing your hard drive, before doing 
> a fresh installation of Linux. Some things are not possible 
> when using Gparted from a working Linux installation.
> 
> As the Gparted CD runs from memory, you can do anything you 
> want to any partition using this.
> 
> Kind Regards,
> 
> Keith Roberts
> 
Busy installing gparted from centos repos.
Thanks
Johan


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:52 AM, Lamar Owen wrote:
> On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
>> Agreed, but not everyone has time to do both - or to learn lots of
>> distribution-specific details in mixed environments.  My opinion is that
>> doing the simple stuff first is a win.  And that works the same on
>> systems that don't include SELinux.
>
> The simple stuff on the Fedora box with SELinux is using the targeted policy 
> in enforcing mode.  Updates are easy, but there is always a lag from 
> vulnerability discovery to vulnerability patching.
>
> Security isn't simple.  The mantra 'just disable SELinux, you don't need it 
> anyway because it's too big of a pain and apps that aren't part of the tested 
> distribution can break' is oversimplifying a complex issue.  My opinion is 
> that I'm not going to run third party apps that break in that way, and I'm 
> going to let the developers know why.

The user/group/other unix permission set is simple and it works unless 
something is broken. If you can't get that right you have no hope of 
doing better with anything else.  More complex systems existed before 
unix and the argument that simplifying the setup to something 
understandable was a win was correct then and still is.   The concept of 
adding layers is OK, but not if you don't get the simple version right 
first and make an effort not to run broken software.

>>> SELinux is a powerful tool in helping combat zero day exploits from 
>>> succeeding, in many cases.
>>
>> And it also keeps most 3rd party software from working.
>
> I'd ask you to qualify most.

Pretty much anything that needs to write files outside of the home 
directory of the owning user.  Certainly anything that uses apache with 
its own data store.

> All of the third-party software I run seems to run just fine, as long as the 
> right contexts are applied.

Well, obviously it will work after someone takes the time to make it 
work.  Now it is your turn to quantify:  How much would you charge to 
teach someone to be able to make those changes and how long would it 
take?  This has to include the ability to quickly diagnose and fix any 
problem that might be caused by updates to the application or to the OS 
distribution.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread ken
On 11/29/2010 07:38 AM giggzounet wrote:
> Le 29/11/2010 12:44, Gabriel Tabares a écrit :
>>> ...
> 
> where in the rpm package can I find if the file is a configuration file
> or not ?

This will list configuration files for an installed $package:

rpm -Vv $package 2>&1|grep -e ^"  c"



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:46 AM, m.r...@5-cent.us wrote:
>
>> How much 3rd party software do you run where someone else has not
>> already spent the time to work out the policies needed to let it work?
>
> And how much in-house developed software do you run? Or, about those 3rd
> party software, do you run my own personal PITA, CA's $$$ SiteMinder?

In-house software with 3rd party components and stuff running under Java 
is the main reason for most of our machines.  I'm not sure we'd have any 
that just use the base distro packages.  Some stuff uses SUSE because 
the developer claims their realtime kernel is required for performance. 
  Letting SELinux break other things would be turned into an argument to 
move them to SUSE.

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] directory services and root/sudo access

2010-11-29 Thread Adam Tauno Williams
On Mon, 2010-11-29 at 08:13 -0800, Iain Morris wrote:
> This is perhaps a more general security question.  For those of you
> with a directory services installation, do you install a generic local
> user with sudo access in case directory services is not available?

Yes, always.

> Or do you just beef up your directory services to the point that you
> are confident it will almost always be up?

Yes, always.

And nss-pam-ldapd instead of *crap* PAM / NSS LDAP modules that ship
with most distros.
 
> I usually disable root login via ssh, but allow it from the physical
> console, and make an emergency generic account with sudo privs in case
> DS breaks down.  What I've noticed, however, is if I simulate a
> directory services failure, ssh logins with this generic local account
> take an eternity as the server still tries to auth that user against
> ldap/kerberos first.  I'm sure this could be adjusted in pam in some
> way.

Yes, by replacing the worthless module. 
> I was just curious how other admins approach this, and what level of
> trust they place in directory services being available.

I trust it a great deal; but anticipate there will be situations where
it will not be available [for whatever reason - simple NIC failure can
cut a host off from the DSA].

Running an OpenLDAP instance as a caching proxy is also sometimes a good
idea; it depends on the application. 



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 10:40 AM, Lamar Owen wrote:
> On Sunday, November 28, 2010 05:40:41 pm brett mm wrote:
>> In reality, I am not at all sure that a quantum leap in complexity
>> adds to security at all. Any proper use of old-school group
>> permissions can give as finely-grained a security policy as you would
>> like.
>
> No, it won't.
>
> Suppose I'm running CentOS on a workstation, and have a need to access a 
> corporate webapp written in Flash, read corporate documents in PDF, and use 
> other applications written in Java.  So I'm going to be living in my browser 
> for most things corporate.
>
> How can I prevent a compromised PDF from gaining an attacker access to my 
> entire home directory?  More to the point, how to I prevent that PDF from 
> gaining WRITE access to files in my home directory (say, .bashrc for 
> instance)?

If you don't trust your software, run it under a uid that doesn't have 
write access to anything important - or in a VM or a different machine 
for that matter.  X has no problem displaying programs running with 
different uids or locations.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Minimising disk I/O

2010-11-29 Thread Keith Roberts
I've added a second IDE card to my system on the PCI bus, 
and added a small HDD on the Primary Master port for that 
IDE card.

This drive shows up using the Gparted live CD as /dev/hde
Which sounds about right.

The other drives show up as /dev/hda (Primary Master) and 
/dev/hdc (Secondary Master). /dev/hdb is an empty removable 
drive caddy (Primary Slave) and /dev/hdd (Secondary Slave) is 
the DVD-RW drive.

So I now have a maximum of 8 IDE ports - 4 on the IDE 
controller built into the motherboard (which BTW are all 
A-OK), and 4 on the IDE-PCI addon card.

Vivard on the Ultimate Boot CD recognises the /dev/hde 
drive, as being on the PCI controller.

I was also able to format the 2GB Samsung drive on /dev/hde 
as linux-swap using Gparted.

The largest spare drive I have is ~7 GB, which might be 
enough for a linux-swap partition, and a /var/log partition.

The idea is to have any logging and other intensive disk I/O 
on a spare disk drive, so as not to wake up the main hard drive 
with the Linux root partition on it.

I just want to write any 'disposable data' to a spare 
hard disk drive, and keep this separated from stuff on my 
main root partition/linux installation.

Kind Regards,

Keith Roberts

-- 
In theory, theory and practice are the same;
in practice they are not.

This email was sent from my laptop with Centos 5.5


Re: [CentOS] the wandering MAC?

2010-11-29 Thread Boris Epstein
On Wed, Oct 13, 2010 at 12:28 PM, Boris Epstein  wrote:
> Hi all,
>
> I have what appears to be a truly puzzling problem. I've got this P4
> 32-bit machine running CentOS 5.5 with XEN that has two NICs: one
> onboard, an Intel Corporation 82540EM Gigabit and one on an expansion
> card, Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit. The second one
> is recognized as eth1.
>
> What's happening is, it is showing up under one of the two MAC's:
> either 00:0a:cd:1a:c1:71 or 00:00:00:00:c1:71. If you reboot it the
> MAC stays the same; if you shutdown and do a full powerdown it seems
> to change.
>
> Obviously, after it goes from one MAC to another you have to play with
> the start-up scripts for this interface to start up correctly and this
> becomes a major annoyance.
>
> Any idea what all of this mess could mean?
>
> Thanks.
>
> Boris.
>

OK, people, here's something that looks promising:

http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&order=ASC&topic_id=19571&forum=40#forumpost73378

Looks like there is a whole special repo for this sort of drivers. Has
anybody used it? How is it?

Anyways, I think I'd give it a try.

Cheers,

Boris.


Re: [CentOS] yum is dumb in update of gmime & gmime-sharp

2010-11-29 Thread William Hooper
On Mon, Nov 29, 2010 at 11:13 AM, ken  wrote:
> The key to the puzzle for me was that, to install gmime20, it was
> necessary to remove gmime.  I never would have guessed that... seems
> counter-intuitive to me... and the only way to find that out is to look
> in the spec file!!  Or is there another way?

I believe if you tell yum to be more verbose it will tell you when one
package obsoletes another, but I can't remember off the top of my head
if you need "-v" or something with "-d".

> What in the spec file told you that?

The Obsoletes line:

Obsoletes: gmime <= %{version}-%{release}

> Also... I know to look in the SPEC file by installing just the src, but
> is there a shorter (another, better) way to look at it?

RPMForge is usually pretty good about having the spec files in their svn:

http://svn.rpmforge.net/viewvc/rpmforge/

However, I didn't see one for gmime20, so I just installed the srpm.

> This is all academic to me at this point... just want to learn a bit
> more about RPMs if you're up for sharing wisdom.

No problem.  I've learned it by reading mailing lists and messing around myself.

-- 
William Hooper


Re: [CentOS] yum is dumb in update of gmime & gmime-sharp

2010-11-29 Thread William Hooper
On Mon, Nov 29, 2010 at 11:33 AM, ken  wrote:
> Where was a message telling me that?  (In my original post I included
> the relevant output.)  There wasn't anything there which said the
> install of gmime20 necessitated removing another, different package.

I'll try to explain, but part of it just comes from experience.

---> Package gmime20.i386 0:2.2.26-1.el5.rf set to be updated

This is the package being installed.

 --> Finished Dependency Resolution
 gmime-sharp-2.2.10-5.el5.centos.i386 from installed has depsolving problems
 --> Missing Dependency: gmime = 2.2.10-5.el5.centos is needed by
package gmime-sharp-2.2.10-5.el5.centos.i386 (installed)

The "from installed" means that the package in question (gmime-sharp)
is already installed.  The assumption I made, since you provided the
output saying that gmime of an appropriate version was installed, is
that yum is saying the gmime version needed would be removed.
Checking the spec file and finding the obsoletes confirms that.

Yum used to give similar messages when you tried to "yum erase" a
package that would break dependencies.  Newer versions of yum just
walk down the tree and offer to remove half the system, instead.

-- 
William Hooper


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread m . roth
Lamar Owen wrote:
> On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
>> Agreed, but not everyone has time to do both - or to learn lots of
>> distribution-specific details in mixed environments.  My opinion is that
>> doing the simple stuff first is a win.  And that works the same on
>> systems that don't include SELinux.

> Security isn't simple.  The mantra 'just disable SELinux, you don't need
> it anyway because it's too big of a pain and apps that aren't part of the
> tested distribution can break' is oversimplifying a complex issue.  My
> opinion is that I'm not going to run third party apps that break in that
> way, and I'm going to let the developers know why.

That's fine for you. When you're running in a larger environment, as many
of us are, corporate or government, and you have no choice in what's run,
esp. if some of it's run by mandate, and the group mandating it only knows
WinDoze, and companies that they buy software from claim they have it for
Linux (like CA), or you've got F/OSS that no one has time to do more than
customize, not go through zillions of lines of code, that generate AVC's,
you do what we do: mostly permissive.

  mark



[CentOS] Samsung CLP-325W network connection?

2010-11-29 Thread Timothy Murphy
Anyone got this working over a LAN under CentOS?
The instructions claim it is easy to connect
after pressing the WPS button on printer and router.

Sadly, I don't see a WPS button on my Linksys WRT54GL router.
When I press the WPS button on the printer
the WiFi icon flashes,
but I don't see any attempt to connect in /var/log/messages
on my CentOS-5.5 server.

Any advice or suggestions gratefully received.

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland



Re: [CentOS] Samsung CLP-325W network connection?

2010-11-29 Thread Eero Volotinen
2010/11/29 Timothy Murphy :
> Anyone got this working over a LAN under CentOS?
> The instructions claim it is easy to connect
> after pressing the WPS button on printer and router.
>
> Sadly, I don't see a WPS button on my Linksys WRT54GL router.
> When I press the WPS button on the printer
> the WiFi icon flashes,
> but I don't see any attempt to connect in /var/log/messages
> on my CentOS-5.5 server.

http://www.openprinting.org/printer/Samsung/Samsung-CLP-325w

at least the printer is supported. You should configure wlan by hand..

--
Eero


Re: [CentOS] Samsung CLP-325W network connection?

2010-11-29 Thread John R Pierce
On 11/29/10 11:50 AM, Timothy Murphy wrote:
> Anyone got this working over a LAN under CentOS?
> The instructions claim it is easy to connect
> after pressing the WPS button on printer and router.
>
> Sadly, I don't see a WPS button on my Linksys WRT54GL router.

that's not going to do anything if your router doesn't support 'wifi 
protected setup'
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup


> When I press the WPS button on the printer
> the WiFi icon flashes,
> but I don't see any attempt to connect in /var/log/messages
> on my CentOS-5.5 server.

why would you? it hasn't gotten on the wireless yet, so your server 
can't possibly see it.

does this printer have any other connectivity options?  if it's got 
ethernet, maybe you can plug it in via ethernet, and then access its 
wireless configuration and manually set it up



Re: [CentOS] rpm dependencies

2010-11-29 Thread bluethundr
Hey list,

 I actually got the spec for openssh-lpk to build... however for some
reason at this point it is ONLY building SRPMs... no idea why yet but
I am plugging away at this.. I could use a spare set of eyes on this
if you can spare them...

 spec file is enclosed...


thanks!!


On Mon, Nov 29, 2010 at 12:02 PM, bluethundr  wrote:
> Sounds great guys!! on it!!! :)
>
> On Mon, Nov 29, 2010 at 11:55 AM, Robert Heller  wrote:
>> At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list  
>> wrote:
>>
>>>
>>>  I have successfully created a packaged version of openssh that has
>>> the LPK patch.  LPK allows you to store your public keys in LDAP.
>>> However when I go to install the package I created it complains about
>>> dependencies:
>>>
>>> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
>>> error: Failed dependencies:
>>>       openssh = 5.5p1-1.el5 is needed by (installed) 
>>> openssh-clients-5.5p1-1.el5.i386
>>>       openssh = 5.5p1-1.el5 is needed by (installed) 
>>> openssh-server-5.5p1-1.el5.i386
>>>
>>>  how can I get past this?
>>
>> Get the spec file from the stock openssh SRPM and use that as a guide
>> to create a spec file for openssh-5.6p1 that will create the
>> openssh-clients and openssh-server sub-packages and then re-build it
>> again.  Now you can upgrade the three packages
>> openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and
>> openssh-server-5.6p1-1.i386.rpm.
>>
>>>
>>> thanks!!
>>>
>>>
>>
>> --
>> Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
>> Deepwoods Software        -- http://www.deepsoft.com/
>> ()  ascii ribbon campaign -- against html e-mail
>> /\  www.asciiribbon.org   -- against proprietary attachments
>>
>>
>>
>
>
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
>



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
%define ver 5.6p1
%define rel 7

# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74

# Version of ssh-askpass
%define aversion 1.2.4.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0

# Do we want smartcard support (1=yes 0=no)
%define scard 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1

# Is this build for RHL 6.x?
%define build6x 0

# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1

# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}

# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}

# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif

# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%define static_libcrypto 1}

# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%define scard 1}

# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}

# Turn off some stuff for rescue builds
%if %{rescue}
%define kerberos5 0
%endif

Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
Source0: openssh-5.6p1.tar.gz
Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
Patch0: contrib-openssh-lpk-5.6p1-0.3.13.patch
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
PreReq: initscripts >= 5.20
%endif
BuildPreReq: perl, openssl-devel, tcp_wrappers, openssl, zlib-devel, openldap-devel, openssl-devel, pam-devel
BuildPreReq: /bin/login
%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
BuildPreReq: /usr/include/security/pam_appl.h
%endif

%if ! %{no_gnome_askpass}
BuildPreReq: pkgconfig
%endif


%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif

%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obs

Re: [CentOS] Samsung CLP-325W network connection?

2010-11-29 Thread fred smith
On Mon, Nov 29, 2010 at 07:50:45PM +, Timothy Murphy wrote:
> Anyone got this working over a LAN under CentOS?
> The instructions claim it is easy to connect
> after pressing the WPS button on printer and router.
> 
> Sadly, I don't see a WPS button on my Linksys WRT54GL router.

I'm not at home right now where I can go look, but I think MY wrt54gl
has a WPS button. I've never found a use for it,  however, as I always
configure things by hand so I know what they're set to.

As someone else has already suggested, if you can access the printer
via hard-wired network, you can set it up the way you want instead
of the way some marketing-droid thinks he'd like you to do it.

> When I press the WPS button on the printer
> the WiFi icon flashes,
> but I don't see any attempt to connect in /var/log/messages
> on my CentOS-5.5 server.
> 
> Any advice or suggestions gratefully received.
> 
> -- 
> Timothy Murphy  
> e-mail: gayleard /at/ eircom.net
> tel: +353-86-2336090, +353-1-2842366
> s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
> 

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
  "For him who is able to keep you from falling and to present you before his 
 glorious presence without fault and with great joy--to the only God our Savior
 be glory, majesty, power and authority, through Jesus Christ our Lord, before
 all ages, now and forevermore! Amen."
- Jude 1:24,25 (niv) -


Re: [CentOS] rpm dependencies

2010-11-29 Thread bluethundr
using this command, sorry I forgot to include that..

[make...@virtcent15 SPECS]$ rpmbuild -ba openssh-lpk.spec


and here's the tail end of the output:

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

+ exit 0
Checking for unpackaged file(s): /usr/lib/rpm/check-files
/var/tmp/openssh-5.6p1-buildroot
Wrote: /home/makerpm/rpmbuild/SRPMS/openssh-5.6p1-7.src.rpm


thanks!



On Mon, Nov 29, 2010 at 4:19 PM, bluethundr  wrote:
> Hey list,
>
>  I actually got the spec for openssh-lpk to build... however for some
> reason at this point it is ONLY building SRPMs... no idea why yet but
> I am plugging away at this.. I could use a spare set of eyes on this
> if you can spare them...
>
>  spec file is enclosed...
>
>
> thanks!!
>
>
> On Mon, Nov 29, 2010 at 12:02 PM, bluethundr  wrote:
>> Sounds great guys!! on it!!! :)
>>
>> On Mon, Nov 29, 2010 at 11:55 AM, Robert Heller  wrote:
>>> At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list  
>>> wrote:
>>>

>>>>  I have successfully created a packaged version of openssh that has
>>>> the LPK patch.  LPK allows you to store your public keys in LDAP.
>>>> However when I go to install the package I created it complains about
>>>> dependencies:
>>>>
>>>> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
>>>> error: Failed dependencies:
>>>>       openssh = 5.5p1-1.el5 is needed by (installed) 
>>>> openssh-clients-5.5p1-1.el5.i386
>>>>       openssh = 5.5p1-1.el5 is needed by (installed) 
>>>> openssh-server-5.5p1-1.el5.i386
>>>>
>>>>  how can I get past this?
>>>
>>> Get the spec file from the stock openssh SRPM and use that as a guide
>>> to create a spec file for openssh-5.6p1 that will create the
>>> openssh-clients and openssh-server sub-packages and then re-build it
>>> again.  Now you can upgrade the three packages
>>> openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and
>>> openssh-server-5.6p1-1.i386.rpm.
>>>

>>>> thanks!!


>>>
>>> --
>>> Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
>>> Deepwoods Software        -- http://www.deepsoft.com/
>>> ()  ascii ribbon campaign -- against html e-mail
>>> /\  www.asciiribbon.org   -- against proprietary attachments
>>>
>>>
>>>
>>
>>
>>
>> --
>> Here's my RSA Public key:
>> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
>>
>
>
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
>



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread Jim Perrin
On Mon, Nov 29, 2010 at 12:39 PM, ken  wrote:

> rpm -Vv $package 2>&1|grep -e ^"  c"

Or the slightly easier (and per the rpm documentation)

rpm -qc packagename

HTH

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
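
Building on ken's `rpm -Vv` filter and Jim's `rpm -qc` above, here is an added example (not from the thread) in POSIX sh and awk that reads `rpm -V` output plus the warnings an update prints, both supplied as constructed samples, and reports which %config files were edited locally, which non-config files no longer match the package, and which files the update left as .rpmnew/.rpmsave for a manual merge. Package and path names in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -V` output and the
# warnings rpm/yum print during an update, to answer "which packaged files
# were changed locally, and what did the update do with them?"
#
# `rpm -V <package>` prints one line per file that fails verification:
#     <attribute chars>  <flag> <path>
# Attribute chars are S M 5 D L U G T (newer rpm adds P); '.' = passes,
# '?' = not tested. A '5' means the content digest no longer matches the
# package. The flag is c for %config, d for %doc, g for %ghost, blank
# otherwise, so a 'c' in that column marks a packaged configuration file
# (`rpm -qc <package>` lists the same set). A deleted file shows the word
# "missing" in place of the attribute field. `rpm -Vv` also lists the
# files that pass, in the same layout.

# Constructed sample standing in for `rpm -V` on a couple of packages;
# the package and path names are made up for this example.
SAMPLE_VERIFY='S.5....T  c /etc/ssh/sshd_config
.M......  c /etc/pam.d/sshd
missing     /usr/share/doc/openssh-server/README
.......T    /usr/sbin/sshd
S.5....T    /usr/lib/openssh/sftp-server
S.5....T  d /usr/share/doc/openssh/CREDITS'

# All %config files named in the verify output on stdin, changed or not.
rpm_config_files() {
    awk '$2 == "c" { print $3 }'
}

# %config files whose content differs from the package, or that were
# deleted. These are the local edits the next update has to cope with;
# a mode-only change (M without 5) does not count.
rpm_modified_config_files() {
    awk '$2 == "c" && ($1 ~ /5/ || $1 == "missing") { print $3 }'
}

# Non-config files with changed content or gone. Nothing legitimate edits
# a packaged binary or library in place, so treat hits as tampering or
# corruption until explained (the path is always the last field).
rpm_modified_payload_files() {
    awk '$2 != "c" && ($1 ~ /5/ || $1 == "missing") { print $NF }'
}

# What an update does with a locally modified %config file whose packaged
# copy changed: rpm does not overwrite it silently. A plain %config file
# is replaced and the local copy kept as <file>.rpmsave; a
# %config(noreplace) file is left in place and the new version written
# as <file>.rpmnew. A non-config file is simply overwritten. Both config
# cases print a warning, which yum passes through. Constructed sample of
# such transaction output:
SAMPLE_UPDATE_LOG='  Updating       : openssh-server
warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
  Updating       : openssh
warning: /etc/ssh/ssh_config saved as /etc/ssh/ssh_config.rpmsave
  Cleanup        : openssh'

# One "<active file> -> <other copy>" line per file the update could not
# reconcile, i.e. the list of manual merges still owed after the update.
rpm_update_conflicts() {
    awk '/^warning: .* created as .*\.rpmnew$/ { print $2, "->", $NF; next }
         /^warning: .* saved as .*\.rpmsave$/  { print $2, "->", $NF }'
}

# Stand-alone run over the constructed samples. On a real host, feed in
# `rpm -Va` (whole system) and a saved yum transaction log instead.
echo '== locally modified config files =='
printf '%s\n' "$SAMPLE_VERIFY" | rpm_modified_config_files
echo '== changed or missing non-config files =='
printf '%s\n' "$SAMPLE_VERIFY" | rpm_modified_payload_files
echo '== files left for manual merge by the update =='
printf '%s\n' "$SAMPLE_UPDATE_LOG" | rpm_update_conflicts
```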


Re: [CentOS] the wandering MAC?

2010-11-29 Thread Lucian
On Mon, Nov 29, 2010 at 6:58 PM, Boris Epstein  wrote:
> http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&order=ASC&topic_id=19571&forum=40#forumpost73378
>
> Looks like there is a whole special repo for this sort of drivers. Has
> anybody used it? How is it?

Elrepo is trustworthy. Got myself out of an realsh..err,tek problem
using their packages, too. Go ahead.


Re: [CentOS] pcscd

2010-11-29 Thread Todd Denniston
m.r...@5-cent.us wrote, On 11/22/2010 02:21 PM:
> Anyone working with/using it? One thing that's driving me nuts is that it
> keeps spitting garbage into the logs (card absent or mute!!!). I just
> tried editing /etc/init.d/pcscd - there's *no* way to pass parms from the
> config file - and set the logging level to --error, and it's still doing
> it.
> 
> Clues for the poor, to shut it up?
> 
> mark
> 

Did you try --critical ??

Did someone make the mistake of having both pcsc and openct loaded on the same 
machine?

Did someone load ctapi-cyberjack without having one of those readers? [I have
had this ifd-handler cause a LOT of trouble that seemed similar to yours,
before I learned not to install it.]

BTW if the card reader thinks there is a card, but pcscd can't establish
communication with the card then that is an error or critical.  IIRC you only
get the messages like you showed when pcscd thinks there should be a card
physically present.

Does anyone use a smart card with the machine?
* If no, then either
  `chkconfig pcscd off`
or
  `yum remove pcsc-lite`

* If yes, ask your question over on the muscle list, which is where the fellow
who maintains pcsc hangs out and he may have some incantation for you.
http://lists.drizzle.com/mailman/listinfo/muscle



Hope this helps.
-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Tuesday, November 30, 2010 01:38 AM, Les Mikesell wrote:

>> All of the third-party software I run seems to run just fine, as long as the 
>> right contexts are applied.
>
> Well, obviously it will work after someone takes the time to make it
> work.  Now it is your turn to quantify:  How much would you charge to
> teach someone to be able to make those changes and how long would it
> take?  This has to include the ability to quickly diagnose and fix any
> problem that might be caused by updates to the application or to the OS
> distribution.
>

As was already mentioned in another post, run in permissive mode, for a 
few days if you must, and go through all the things the software does 
and voila! setroubleshoot and/or logs tell you what needs doing.

You can switch from enforcing mode to permissive mode in real time, no 
reboot necessary. All this yapping about the time and effort needed is 
an excuse when it is TRIVIAL to switch modes and as has already been 
pointed out, setroubleshoot will explain everything and even tell you 
exactly in most cases what commands need running to fix things.


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Monday, November 29, 2010 11:58 PM, aurfal...@gmail.com wrote:

>>> You end up with a zillion groups - which is
>>> pointless and unmaintainable.  Thank goodness for ACL support and
>>> setfacl/getfacl.
>>
>> So what do you do when you have user-specific ACLs splattered randomly
>> through the filesystem and the members of the cooperating groups
>> change?
>
> Perhaps consult with Winblows AD admins as I'm sure they deal with
> this all the time.
>
> MS$ ACLs have been around for a very long time.
>

Heh. So we have been reduced to asking Windows admins how to implement 
best current practice.


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Jeff Allison
On 30 November 2010 09:03, Christopher Chan
 wrote:
> On Monday, November 29, 2010 11:58 PM, aurfal...@gmail.com wrote:
>
>>>> You end up with a zillion groups - which is
>>>> pointless and unmaintainable.  Thank goodness for ACL support and
>>>> setfacl/getfacl.
>>>
>>> So what do you do when you have user-specific ACLs splattered randomly
>>> through the filesystem and the members of the cooperating groups
>>> change?
>>
>> Perhaps consult with Winblows AD admins as I'm sure they deal with
>> this all the time.
>>
>> MS$ ACLs have been around for a very long time.
>>
>
> Heh. So we have been reduced to asking Windows admins how to implement
> best current practice.

I wouldn't...

In my experience what you have in most AD environments is a mess...


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan
On Tuesday, November 30, 2010 02:35 AM, Les Mikesell wrote:
> On 11/29/2010 10:40 AM, Lamar Owen wrote:
>> On Sunday, November 28, 2010 05:40:41 pm brett mm wrote:
>>> In reality, I am not at all sure that a quantum leap in complexity
>>> adds to security at all. Any proper use of old-school group
>>> permissions can give as finely-grained a security policy as you would
>>> like.
>>
>> No, it won't.
>>
>> Suppose I'm running CentOS on a workstation, and have a need to access a 
>> corporate webapp written in Flash, read corporate documents in PDF, and use 
>> other applications written in Java.  So I'm going to be living in my browser 
>> for most things corporate.
>>
>> How can I prevent a compromised PDF from gaining an attacker access to my 
>> entire home directory?  More to the point, how do I prevent that PDF from 
>> gaining WRITE access to files in my home directory (say, .bashrc for 
>> instance)?
>
> If you don't trust your software, run it under a uid that doesn't have
> write access to anything important - or in a VM or a different machine
> for that matter.  X has no problem displaying programs running with
> different uids or locations.
>

Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out 
a bit too much. Write access is not just the problem. Being able to 
upload and execute is also a problem. Can you say 'bot'?


Re: [CentOS] yum/RPM behaviour: does yum/RPM overwrite a file modified by a user during an update ?

2010-11-29 Thread ken
On 11/29/2010 04:29 PM Jim Perrin wrote:
> On Mon, Nov 29, 2010 at 12:39 PM, ken  wrote:
> 
>> rpm -Vv $package 2>&1|grep -e ^"  c"
> 
> Or the slightly easier (and per the rpm documentation)
> 
> rpm -qc packagename
> 
> HTH

"rpm -qvc $package" gives more info-- the files' permissions and owners.

But the ridiculously long one (at top) tells-- among other things--
which files have changed from their initially installed versions-- key
info for what the OP was wanting to know.  (I wrapped it in a bash
script so it's easier to type.)

hth++



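The check that Jim's `rpm -qc` and ken's `rpm -Vv` exchange is circling around, written out as an added example (not code from either poster): it reads `rpm -V` output and prints only the %config files that differ from what the package installed, and why. The sample verify lines and the function name are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: list the %config files that rpm's
# verify step reports as changed, which is what the original question
# ("will an update overwrite my edited file?") turns on. Run it as
#   rpm -V <package> | modified_config_files
# The lines below are constructed sample output in rpm's verify format:
#   <flags> <type> <path>
# flags: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime (newer rpm adds P capabilities); "." means unchanged and
# "missing" means the file is gone. Type "c" marks a %config file,
# "d" a %doc file; ordinary files have no type letter.
SAMPLE_VERIFY_OUTPUT='........    /usr/sbin/sshd
S.5....T  c /etc/ssh/sshd_config
.......T  c /etc/sysconfig/sshd
.M......  c /etc/pam.d/sshd
missing   c /etc/ssh/moduli
........  d /usr/share/doc/openssh/README
S.5....T    /usr/bin/ssh'

# Reads verify output on stdin; prints "<path> <reason>" for each config
# file that differs from the package, and nothing for unchanged ones.
# reason: content  (size or digest changed: the file was edited)
#         metadata (only mode/owner/mtime changed: same content)
#         missing  (the file was deleted)
modified_config_files() {
    awk '
        $2 == "c" && NF >= 3 {
            flags = $1; path = $3
            if (flags == "missing")       print path " missing"
            else if (flags ~ /[S5]/)      print path " content"
            else if (flags ~ /[^.]/)      print path " metadata"
        }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | modified_config_files
```

rpm does not silently discard a changed %config file on update: depending on how the package marks it, the new version is written beside it as .rpmnew or the edited copy is renamed to .rpmsave, so this list is what to go back and check after yum has run.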


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/2010 4:09 PM, Christopher Chan wrote:
>
>>>> In reality, I am not at all sure that a quantum leap in complexity
>>>> adds to security at all. Any proper use of old-school group
>>>> permissions can give as finely-grained a security policy as you would
>>>> like.
>>>
>>> No, it won't.
>>>
>>> Suppose I'm running CentOS on a workstation, and have a need to access a 
>>> corporate webapp written in Flash, read corporate documents in PDF, and use 
>>> other applications written in Java.  So I'm going to be living in my 
>>> browser for most things corporate.
>>>
>>> How can I prevent a compromised PDF from gaining an attacker access to my 
>>> entire home directory?  More to the point, how do I prevent that PDF from 
>>> gaining WRITE access to files in my home directory (say, .bashrc for 
>>> instance)?
>>
>> If you don't trust your software, run it under a uid that doesn't have
>> write access to anything important - or in a VM or a different machine
>> for that matter.  X has no problem displaying programs running with
>> different uids or locations.
>>
>
> Hurrah! That's it! Just move the problem elsewhere.

Yes, if you are concerned about security of certain files it is indeed a 
good idea to run software you don't trust elsewhere.  And if the problem 
is not trusting software, why are you putting blind faith in the SELinux 
code?

> Oh, you snipped out
> a bit too much. Write access is not just the problem. Being able to
> upload and execute is also a problem. Can you say 'bot'?

You don't need SELinux to mount the space writable by the uid in 
question with the noexec option.

-- 
   Les Mikesell
lesmikes...@gmail.com



Re: [CentOS] pcscd

2010-11-29 Thread m . roth
Todd Denniston wrote:
> m.r...@5-cent.us wrote, On 11/22/2010 02:21 PM:
>> Anyone working with/using it? One thing that's driving me nuts is that
>> it keeps spitting garbage into the logs (card absent or mute!!!). I just
>> tried editing /etc/init.d/pcscd - there's *no* way to pass parms from
>> the config file - and set the logging level to --error, and it's still
>> doing it.
>>
>> Clues for the poor, to shut it up?
>
> Did you try --critical ??

No, I haven't. I was hoping for something useful in the logs that might
help me on other things.
>
> Did someone make the mistake of having both pcsc and openct loaded on the
> same machine?

Um, say *wha*? My manager told me to load both. I've got pcsc-lite,
pcsc-lite-libs, and openct. I can read the card, but when I stick it into
a reader, it brings up two windows, one after the other: the first wants
the phone home URL, and I tell it close, and then the one to "manage smart
cards". It should not phone home.
>
> Did someone load ctapi-cyberjack with out having one of those readers? [I

Nope.

>
> BTW if the card reader thinks there is a card, but pcscd can't establish
> communication with the card then that is an error or critical.  IIRC you
> only get the messages like you showed when pcscd thinks there should be a
> card physically present.

Hmmm... it does show problems: card not transacted: 612.
>
> Does anyone use a smart card with the machine?

> * If yes, ask your question over on the muscle list, which is where the
> fellow who maintains pcsc hangs out and he may have some incantation for you.
> http://lists.drizzle.com/mailman/listinfo/muscle
>
Thanks. My manager did get it working on his machine (FC, now 14). I may
have to rebuild sshd with smartcard support, *if* I can find the source.
>
> Hope this helps.

It leads to questions I didn't know to ask. Thanks!

   mark



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Max Hetrick
On 11/29/2010 05:09 PM, Christopher Chan wrote:

> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out
> a bit too much. Write access is not just the problem. Being able to
> upload and execute is also a problem. Can you say 'bot'?


What we've done at my place of employment for a few of these kinds of 
issues is take a similar approach. We have a VM on a completely isolated 
network in the DMZ. Folks that need to access Facebook related items VNC 
to this machine since we have Facebook and other known social media 
sites blocked because of malware problems.

If/when it gets hosed, we roll a snapshot back to good, or keep a copy 
of a good known instance, and no one inside the network is harmed since 
the machine has no internal access. In a case like this, yes, moving the 
problem elsewhere was a very practical and easy approach to a security 
issue. Obviously this example is a very specific one, but you shouldn't 
just automatically dismiss using a VM and moving the problem elsewhere 
for other practical purposes. It's a very good and practical solution to 
some security concerns.

This is a bit offtopic from SELinux, but there are folks using this 
approach successfully to address some of these issues.

Regards,
Max


Re: [CentOS] pcscd

2010-11-29 Thread Todd Denniston
m.r...@5-cent.us wrote, On 11/29/2010 05:20 PM:
> Todd Denniston wrote:
>> m.r...@5-cent.us wrote, On 11/22/2010 02:21 PM:
>>> Anyone working with/using it? One thing that's driving me nuts is that
>>> it keeps spitting garbage into the logs (card absent or mute!!!). I just
>>> tried editing /etc/init.d/pcscd - there's *no* way to pass parms from
>>> the config file - and set the logging level to --error, and it's still
>>> doing it.
>>>
>>> Clues for the poor, to shut it up?


>> Did someone make the mistake of having both pcsc and openct loaded on the
>> same machine?
> 
> Um, say *wha*? My manager told me to load both. I've got pcsc-lite,
> pcsc-lite-libs, and openct. 

Known issue: they both (pcscd and openct) need exclusive access to the card
reader. Load one or the other. [Yes, I have been there, and got the T-shirt.]

BTW (IIRC you were working for a leg of the government in your spare time) if
you are working with a CAC, then pcscd and coolkey* are enough.
*note if you are working with the latest transitional CAC/PIV you'll need a
more current coolkey such as coolkey-1.1.0-16.el6.src.rpm from RH.
https://bugzilla.redhat.com/show_bug.cgi?id=622916
https://bugzilla.redhat.com/show_bug.cgi?id=534172#c67

It was rumored (by someone I would trust to know) at one time (on the muscle
list) that openct and a different pkcs11 lib would be needed for the full on
PIV, I don't know if this update to coolkey makes that disappear.

> I can read the card, but when I stick it into
> a reader, it brings up two windows, one after the other: the first wants
> the phone home URL, and I tell it close, and then the one to "manage smart
> cards". It should not phone home.

[I won't be here to answer for a while, but the answer to this question will
help anyone trying to answer yours.]
Which product is bringing up the windows? ESC (Enterprise Security Client Smart
Card Client)?
This may be an effect of the offending product not being able to read the card
because the daemon it is asking can't gain exclusive access to the card reader,
and thus it can not identify a card that already has an applet on it.


> 
>> * If yes, ask your question over on the muscle list, which is where the
>> fellow who maintains pcsc
>> hangs out and he may have some incantation for you.
>> http://lists.drizzle.com/mailman/listinfo/muscle
>>
> Thanks. My manager did get it working on his machine (FC, now 14). I may
> have to rebuild sshd with smartcard support, *if* I can find the source.
>> Hope this helps.

The sshd that ships with CentOS does work with smart cards.
Things have changed a little since
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c15

Unfortunately the best README.nss I can get you is in
http://www.redhat.com/archives/fedora-extras-commits/2007-September/msg01179.html

Nowadays you should (after getting the daemons and pkcs11 sorted out,
`pkcs11_inspect --debug` [with no one looking over your shoulder] will become a
friend) be able to do the following (at least with a cac):
get nssdb filled with the CAs in ~/.ssh/
ssh-add -n #give pin
ssh-add -L > authorized_keys
ssh othermachinereadingaboveAKfile


> 
> It leads to questions I didn't know to ask. Thanks!
> 
>mark



-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
Even when this disclaimer is not here, 
the opinions expressed by me are not necessarily sanctioned by and 
do not necessarily represent those of my employer. 
Also even when this disclaimer is not here, I DO NOT have authority to 
direct you in any way to alter your contractual obligation 
and my email can NOT be used as direction to modify a contract.


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan

- Original Message - 
From: "Max Hetrick" 
To: "CentOS mailing list" 
Sent: Tuesday, November 30, 2010 6:51 AM
Subject: Re: [CentOS] SELinux - way of the future or good idea but !!!


> On 11/29/2010 05:09 PM, Christopher Chan wrote:
>
>> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out
>> a bit too much. Write access is not just the problem. Being able to
>> upload and execute is also a problem. Can you say 'bot'?
>
>
> What we've done at my place of employment for a few of these kinds of
> issues is take a similar approach. We have a VM on a completely isolated
> network in the DMZ. Folks that need to access Facebook related items VNC
> to this machine since we have Facebook and other known social media
> sites blocked because of malware problems.
>
> If/when it gets hosed, we roll a snapshot back to good, or keep a copy
> of a good known instance, and no one inside the network is harmed since
> the machine has no internal access. In a case like this, yes, moving the
> problem elsewhere was a very practical and easy approach to a security
> issue. Obviously this example is a very specific one, but you shouldn't
> just automatically dismiss using a VM and moving the problem elsewhere
> for other practical purposes. It's a very good and practical solution to
> some security concerns.

Oh certainly. Guess why I run Windows servers in a VM? If it was a Linux 
box, I don't see why I should not also make use of SELinux even if the 
installation is running in a VM.


>
> This is a bit offtopic from SELinux, but there are folks using this
> approach successfully to address some of these issues.
>

Don't worry, easy to bring back to the topic. 




Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan

- Original Message - 
From: "Les Mikesell" 
To: 
Sent: Tuesday, November 30, 2010 6:19 AM
Subject: Re: [CentOS] SELinux - way of the future or good idea but !!!


> On 11/29/2010 4:09 PM, Christopher Chan wrote:

>>> If you don't trust your software, run it under a uid that doesn't have
>>> write access to anything important - or in a VM or a different machine
>>> for that matter.  X has no problem displaying programs running with
>>> different uids or locations.
>>>
>>
>> Hurrah! That's it! Just move the problem elsewhere.
>
> Yes, if you are concerned about security of certain files it is indeed a
> good idea to run software you don't trust elsewhere.  And if the problem
> is not trusting software, why are you putting blind faith in the SELinux
> code?

Oh certainly. That is why there is a separate SELinux user context for 
apache too.
Blind faith in SELinux code? Hey, let's not run anything at all then. 
SELinux provides an extra layer of security to use against exploits that may 
go beyond what we can do with the usual posix provisions. I do not see why 
you have a problem with it.


>
>> Oh, you snipped out
>> a bit too much. Write access is not just the problem. Being able to
>> upload and execute is also a problem. Can you say 'bot'?
>
> You don't need SELinux to mount the space writable by the uid in
> question with the noexec option.
>

IF that zero day exploit actually uploads to that space only. 




Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Les Mikesell
On 11/29/10 8:10 PM, Christopher Chan wrote:
>
>> Yes, if you are concerned about security of certain files it is indeed a
>> good idea to run software you don't trust elsewhere.  And if the problem
>> is not trusting software, why are you putting blind faith in the SELinux
>> code?
>
> Oh certainly. That is why there is a separate SELinux user context for
> apache too.
> Blind faith in SELinux code? Hey, let's not run anything at all then.
> SELinux provides an extra layer of security to use against exploits that may
> go beyond what we can do with the usual posix provisions. I do not see why
> you have a problem with it.

Not so much a problem - I'm just saying that you should do the simple things 
that have always worked first, then add SELinux if you want.

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread cpolish
Lamar Owen wrote:

> With SELinux I can set files and whole hierarchies to not allow Acrobat
> Reader access of various types, while still allowing access to those
> areas it needs.  Voila!  Acrobat Reader vulnerabilities and the PDF's
> that exploit them no longer have any power to exploit my system.  Same
> with Flash, Java, and Firefox itself.  If firefox has no need to write
> into my Documents directory, then I can lock out my Documents
> directory to firefox (even when it's running with the right uid:gid
> that would defeat old-school uid:gid based perms) and not worry about
> a malicious website exploiting a firefox zero-day modifying any of my
> files in Documents.

Your enthusiasm for SELinux seems tied conceptually to a workstation
running the set of applications that come with the distribution.
Nothing wrong with that.
-- 
Charles Polisher



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread cpolish
Christopher Chan wrote:
> Les Mikesell wrote:
> 
> >> All of the third-party software I run seems to run just fine, as long as 
> >> the right contexts are applied.
> >
> > Well, obviously it will work after someone takes the time to make it
> > work.  Now it is your turn to quantify:  How much would you charge to
> > teach someone to be able to make those changes and how long would it
> > take?  This has to include the ability to quickly diagnose and fix any
> > problem that might be caused by updates to the application or to the OS
> > distribution.
> >
> 
> As was already mentioned in another post, run in permissive mode, for a 
> few days if you must, and go through all the things the software does 
> and voila! setroubleshoot and/or logs tell you what needs doing.

Very optimistic, that. In my shop, some things run annually.
A comprehensive system test = production, for a year. Just
this morning a 1099 (annual tax-form) script failed in test. 



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Christopher Chan

- Original Message - 
From: 
> Christopher Chan wrote:
>> Les Mikesell wrote:
>>
>> >> All of the third-party software I run seems to run just fine, as long 
>> >> as the right contexts are applied.
>> >
>> > Well, obviously it will work after someone takes the time to make it
>> > work.  Now it is your turn to quantify:  How much would you charge to
>> > teach someone to be able to make those changes and how long would it
>> > take?  This has to include the ability to quickly diagnose and fix any
>> > problem that might be caused by updates to the application or to the OS
>> > distribution.
>> >
>>
>> As was already mentioned in another post, run in permissive mode, for a
>> few days if you must, and go through all the things the software does
>> and voila! setroubleshoot and/or logs tell you what needs doing.
>
> Very optimistic, that. In my shop, some things run annually.
> A comprehensive system test = production, for a year. Just
> this morning a 1099 (annual tax-form) script failed in test.
>


For some reason, I suspect that this annual stuff would be largely run by 
hand. Of course, it would be nice if you don't have to get a call for this 
annual stuff but I do not see that as absolutely so disabling that SELinux 
has to be disabled. 




Re: [CentOS] how to separate individual logs?

2010-11-29 Thread hadi motamedi
On 11/29/10, John Doe  wrote:
> Here is "The Power of CentOS"!!!  (in approximately 3 minutes...)
>
> cat edit.txt | while read LINE; do
>   echo "$LINE" | grep -q '>\.\.'
>   if [ $? -eq 0 ]; then
> LOGFILE=`echo $LINE | cut -d' ' -f1`.log
>   else
> echo "$LINE" >> $LOGFILE
>   fi
> done
>
> JD
>
Thank you very much for your help. I tried your code but I am
receiving the following error:
-bash:[1:command not found
-bash:$LOGFILE:ambiguous redirect
Can you please correct me?
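The same split-by-module loop, rewritten so that the two errors hadi quotes cannot occur, added here as an example and not John Doe's or hadi's own code. The header format (the word in front of `>..` names the module) is inferred from the quoted script, and the sample capture is constructed.

```shell
#!/bin/sh
# Added example, not John Doe's or hadi's code: the same split-by-module
# loop, written so that the two errors quoted above cannot happen.
#  - "$LOGFILE: ambiguous redirect" is bash complaining about redirecting
#    to an unset or unquoted variable (any line before the first header
#    hits it); LOGFILE is initialised here and always quoted.
#  - "[1: command not found" is "[" typed without the space after it; a
#    "case" pattern needs no "[" at all.
# Input format is inferred from the quoted script: a header line contains
# ">..", the word in front of it is the module name, and the lines that
# follow belong to that module until the next header.

# Sample capture, constructed for this example.
SAMPLE_CAPTURE='MODA >.. start of module A
A line one
A line two
MODB >.. start of module B
B line one
MODA >.. A again
A line three'

# split_logs <capture-file> <output-dir>
# Writes <output-dir>/<module>.log for every module seen; any lines that
# precede the first header go to <output-dir>/unassigned.log.
split_logs() {
    infile=$1
    outdir=$2
    mkdir -p "$outdir"
    LOGFILE="$outdir/unassigned.log"
    # IFS= and -r keep leading blanks and backslashes in the log lines;
    # the || clause still handles a last line without a trailing newline
    while IFS= read -r LINE || [ -n "$LINE" ]; do
        case $LINE in
            *'>..'*)
                # header: take the first word before ">..", then keep only
                # characters that are safe inside a file name
                module=${LINE%%>*}
                module=$(printf '%s\n' "$module" | awk '{print $1}' | tr -cd 'A-Za-z0-9_.-')
                [ -n "$module" ] || module=unknown
                LOGFILE="$outdir/$module.log"
                ;;
            *)
                printf '%s\n' "$LINE" >> "$LOGFILE"
                ;;
        esac
    done < "$infile"
}

# Demonstration on the constructed sample; the split files land in a
# temporary directory that is removed again afterwards.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_CAPTURE" > "$demo/capture.txt"
split_logs "$demo/capture.txt" "$demo/split"
ls "$demo/split"
rm -rf "$demo"
```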


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-11-29 Thread Nico Kadel-Garcia
On Mon, Nov 29, 2010 at 8:35 AM, Adam Tauno Williams
 wrote:

> Even if it is *possible*, the traditional UNIX permissions are a serious
> *PAIN*.  If you want two users to have rw- to a file you...  create a
> group of two users???  You end up with a zillion groups - which is
> pointless and unmaintainable.  Thank goodness for ACL support and
> setfacl/getfacl.  While that isn't SELinux the principle is the same -
> the tools should rise to match the practice, not the practice be mashed
> into the functionality of inferior tools.

Adding higher functionality means more cost in performance. This is
information right down at the file system level, and UNIX ACL's are
*cheap* computationally to administer.

If you need more, you can get into netgroups, or NFSv4 ACL's, or the
like. But I don't recommend it. It's fairly unusual to wish to grant
permissions to only two users, at least in industry. SELinux, well,
it's taking the controls out of band in fascinating ways.

> I was a disable-selinux guy because it seemed like a black box.  But I
> saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it
> doesn't take much effort and SELinux really is understandable.
> 
> SELinux can even generate the required policies for you! It is an
> impressively well thought out tool and as indispensable as iptables.

Which many sites simply do not use, preferring to leave their servers
open internally and rely on external firewalls. I'm not saying this is
ideal, but it remains a pretty common approach.


Re: [CentOS] centos 5.5 - which partition manager installed

2010-11-29 Thread Nico Kadel-Garcia
On Mon, Nov 29, 2010 at 12:02 PM, Johan Scheepers
 wrote:
> Good day,
>
> Gparted is not available on my installation.
>
> Which partition tool is available in centos 5.5 please.
>
> Thanks
> Johan

gparted is just the "Gnome" GUI for parted. "parted" works very well
at the command line, and has options that the Gnome utility lacks,
such as block alignment for NFS OS images residing on 4096 byte block
NetApps. (Ask if you're curious, but parted is your friend for this.)