Re: [CentOS] how to separate individual logs?
can you please tell what that command does ?:))

From: hadi motamedi
To: CentOS mailing list
Sent: Tue, November 30, 2010 6:52:30 AM
Subject: Re: [CentOS] how to separate individual logs?

On 11/29/10, John Doe wrote:
> Here is "The Power of CentOS"!!! (in approximately 3 minutes...)
>
> cat edit.txt | while read LINE; do
>   echo "$LINE" | grep -q '>\.\.'
>   if [ $? -eq 0 ]; then
>     LOGFILE=`echo $LINE | cut -d' ' -f1`.log
>   else
>     echo "$LINE" >> $LOGFILE
>   fi
> done
>
> JD
>
Thank you very much for your help. I tried your code but I am
receiving the following error:
-bash:[1:command not found
-bash:$LOGFILE:ambiguous redirect
Can you please correct me?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] how to separate individual logs?
On 11/30/10, cybernet wrote:
> can you please tell what that command does ?:))

Sorry. Which command do you mean?

Re: [CentOS] how to separate individual logs?
> cat edit.txt | while read LINE; do
>   echo "$LINE" | grep -q '>\.\.'
>   if [ $? -eq 0 ]; then
>     LOGFILE=`echo $LINE | cut -d' ' -f1`.log
>   else
>     echo "$LINE" >> $LOGFILE
>   fi
> done

From: hadi motamedi
To: CentOS mailing list
Sent: Tue, November 30, 2010 10:16:43 AM
Subject: Re: [CentOS] how to separate individual logs?

On 11/30/10, cybernet wrote:
> can you please tell what that command does ?:))

Sorry. Which command do you mean?

Re: [CentOS] how to separate individual logs?
On 11/30/10, cybernet wrote:
>> cat edit.txt | while read LINE; do
>>   echo "$LINE" | grep -q '>\.\.'
>>   if [ $? -eq 0 ]; then
>>     LOGFILE=`echo $LINE | cut -d' ' -f1`.log
>>   else
>>     echo "$LINE" >> $LOGFILE
>>   fi
>> done

As you see in the original text file, each module's log is started
with the module's name followed by '>..' characters so the code is
expected to search for the start of each module's log and try to
separate its specific log. I tried the code but it seems that it
has some syntax error that needs to be corrected.

[CentOS] yum/RPM Problem: several packages with the same name were installed, how to remove one of them ?
Hi,

We have a cluster with CentOS 5.5 installed with oscar. The firm which
has pre-installed the cluster has done strange things...and now I get
problems:

- if I understand correctly what was done, several infiniband CentOS
  packages were installed (compat-dapl, compat-dapl-devel,
  compat-dapl-utils, libibcm, libibverb, librdmacm, mpi-selector).
- Then the tar package from OFED was installed. This archive contains
  rpm packages too...and were installed.
- So on our nodes we have several versions of "compat-dapl,
  compat-dapl-devel, compat-dapl-utils, libibcm, libibverb, librdmacm,
  mpi-selector".

I would like to remove the package from CentOS (in order to have a
homogeneous OFED environment). How can I do that ?

These packages target the same files...If I remove the package of
CentOS, will it erase all the files in common ? how does rpm/yum behave
in this situation ?

Best regards,
Guillaume

Re: [CentOS] how to separate individual logs?
From: hadi motamedi
> On 11/29/10, John Doe wrote:
> > cat edit.txt | while read LINE; do
> >   echo "$LINE" | grep -q '>\.\.'
> >   if [ $? -eq 0 ]; then
> >     LOGFILE=`echo $LINE | cut -d' ' -f1`.log
> >   else
> >     echo "$LINE" >> $LOGFILE
> >   fi
> > done
> Thank you very much for your help. I tried your code but I am
> receiving the following error:
> -bash:[1:command not found
> -bash:$LOGFILE:ambiguous redirect
> Can you please correct me?

The trick is that your original file has '\r' chars lurking around...
Forgot I did remove them manually when I saw them...

cat Edit3 | tr -d "\r" | while read LINE; do

Instead of just copy/pasting, try to understand what it does.
Here is how it works:
- Read each line in the LINE variable.
- If the line contains the string '>..', it is a "section" line.
  Set the log filename to the section title.
- If not, just write the line to the current log filename.

JD

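The loop described in this message, as an added example that is not JD's script and not part of the original thread: it strips the carriage returns, quotes every expansion, and accepts a section title as a file name only when it consists of letters, digits, '_' or '-', so a line in the input cannot steer output outside the target directory. The names split_sections, make_sample and the OUTDIR argument are assumptions, and the sample input is constructed.

```bash
#!/bin/sh
# Added example, not from the thread. split_sections, make_sample and the
# OUTDIR argument are hypothetical names; the sample input is constructed.

# split_sections INPUT OUTDIR
# Appends the lines that follow each "NAME >.." section line to OUTDIR/NAME.log.
# The body runs in a subshell, so its variables do not leak into the caller.
split_sections() (
    input=$1
    outdir=$2
    logfile=""
    cr=$(printf '\r')
    LC_ALL=C; export LC_ALL         # make the A-Z / a-z ranges below byte-exact
    mkdir -p -- "$outdir" || exit 1

    # IFS= and -r keep blanks and backslashes intact; the "|| [ -n ... ]"
    # part picks up a last line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # strip the DOS carriage return
        case $line in
        *'>..'*)
            name=${line%% *}        # first space-separated word, as cut -f1 did
            name=${name%%'>..'*}    # also accept "XAPP>.." written without a space
            case $name in
            ''|*[!A-Za-z0-9_-]*)
                # The title becomes a file name, so anything with '/', '.',
                # blanks or control characters is refused, not written.
                echo "skipping section with unsafe title: $line" >&2
                logfile=""
                ;;
            *)
                logfile=$outdir/$name.log
                ;;
            esac
            ;;
        *)
            # Lines seen before the first accepted section have no target.
            if [ -n "$logfile" ]; then
                printf '%s\n' "$line" >> "$logfile"
            fi
            ;;
        esac
    done < "$input"
)

# Constructed sample: CRLF line endings, a repeated section, one hostile title.
make_sample() {
    printf '%s\r\n' 'XAPP >..' 'xapp line 1' '../evil >..' 'must not be written' \
        'HLR >..' 'hlr line 1' 'XAPP >..' 'xapp line 2' > "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/Edit3"
    split_sections "$tmp/Edit3" "$tmp/out"
    ls "$tmp/out"
    rm -rf "$tmp"
}
demo
```

Output is appended, as in the original loop, so run it against an empty output directory.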
Re: [CentOS] SELinux - way of the future or good idea but !!!
From: Les Mikesell
> why are you putting blind faith in the SELinux code?

Because it comes from the NSA!
The backdoor experts... ;P

JD

PS: joking of course, the NSA would never do anything bad...

Re: [CentOS] ssh-agent fails to hold values
From: Nico Kadel-Garcia
> On Mon, Nov 29, 2010 at 6:41 AM, John Doe wrote:
> > From: bluethundr
> >> I am attempting to manage my key logins with ssh-agent. However EVERY
> >> time I try to ssh I have to go through the same exact routing and it's
> >> getting a little old...
> >> Does anyone have any suggestions to make ssh-agent hold these values a
> >> bit more persistently?
> > I have this in my .bash_profile:
> > AGENTRUNNING=`ps x | grep agent | grep -v grep`
> > if [ -z "$AGENTRUNNING" ]; then
> >   /usr/bin/ssh-agent -s > $HOME/.ssh/agent-env.sh
> > fi
> > . $HOME/.ssh/agent-env.sh > /dev/null
> > Then, I ssh-add once and that's it.
> And if you log in on another machine with that same home directory on
> NFS, you'll load information for the wrong host's ssh-agent keys.
> Install and use "keychain". It's leaps and bounds more reliable than this.

No NFS home directories... so no problems.
What reliability problems are you referring to?
So far, it just worked fine...

JD

Re: [CentOS] centos 5.5 - which partition manager installed
Nico Kadel-Garcia wrote:
> On Mon, Nov 29, 2010 at 12:02 PM, Johan Scheepers wrote:
>> Good day,
>>
>> Gparted is not available on my installation.
>>
>> Which partition tool is available in centos 5.5 please.
>>
>> Thanks
>> Johan
>
> gparted is just the "Gnome" GUI for parted. "parted" works very well
> at the command line, and has options that the Gnome utility lacks,
> such as block alignment for NFS OS images residing on 4096 byte block
> NetApps. (Ask if you're curious, but parted is your friend for this.)

and if you really want the gui, I can see gparted is in rpmforge.

Re: [CentOS] SELinux - way of the future or good idea but !!!
Hello Les,

On Mon, 2010-11-29 at 12:35 -0600, Les Mikesell wrote:
> If you don't trust your software, run it under a uid that doesn't have
> write access to anything important - or in a VM or a different machine
> for that matter. X has no problem displaying programs running with
> different uids or locations.

Using a "safe uid" will not stop a buffer overflow from happening and
causing a privilege escalation if such an issue exists in the software.
SELinux will negate most of the damage by disallowing even the escalated
process access to resources it shouldn't touch.

With the ever increasing complexity of software is there any software
you trust? I know I don't. Are you running your Flash plugin in Mozilla
as a different user than the one you logged into under X? Care to
elaborate how to accomplish such a feat? Or can you provide any
pointers?

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

[CentOS] ( SOLVED ) Hostname too long
Good day,

Some time ago I asked for some assistance with the long hostname in the
terminals. Editing .bashrc in user and root by adding PS1=xxx did make
the difference.

Here is something I picked up on another list that makes editing
.bashrc not necessary.

as root..gedit /etc/sysconfig/network

# HOSTNAME=localhost.localdomain
change to in my case and that solves the problem
HOSTNAME=johan.jan

Regards
Johan

Re: [CentOS] how to separate individual logs?
On 11/30/10, John Doe wrote:
> The trick is that your original file has '\r' chars lurking around...
> Forgot I did remove them manually when I saw them...
>
> cat Edit3 | tr -d "\r" | while read LINE; do
>
> Instead of just copy/pasting, try to understand what it does.
> Here is how it works:
> - Read each line in the LINE variable.
> - If the line contains the string '>..', it is a "section" line.
>   Set the log filename to the section title.
> - If not, just write the line to the current log filename.
>
> JD

Sorry. I didn't get the point clearly. What I need is to separate the
log files from each of the modules. For example, I need all of the log
files coming from XAPP module. In the main log, it can be
distinguished by searching for the following line:
XAPP >..
Then you see subsequent lines that are logs coming from this module.
Then the logs from another module will come following the previous
one. I think your code is not doing this. Can you please correct me on
my understanding of your code body?

Re: [CentOS] SELinux - way of the future or good idea but !!!
Hello John,

On Tue, 2010-11-30 at 02:12 -0800, John Doe wrote:
> From: Les Mikesell
> > why are you putting blind faith in the SELinux code?

The SELinux restrictions are a much bigger hurdle to take for a buffer
overflow exploit than setting a "safe" uid.

> Because it comes from the NSA!
> The backdoor experts... ;P

> PS: joking of course, the NSA would never do anything bad...

This of course was a serious concern by any of the early adopters. It
has been discussed in length on various mailing lists. But since the
code is available it can and has been audited. Unless of course the
Linux developers are collaborating with the NSA to take over your
computer and they slipped us a mickey.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 07:45 PM, Leonard den Ottolander wrote:
> Hello Les,
>
> On Mon, 2010-11-29 at 12:35 -0600, Les Mikesell wrote:
>> If you don't trust your software, run it under a uid that doesn't have
>> write access to anything important - or in a VM or a different machine
>> for that matter. X has no problem displaying programs running with
>> different uids or locations.
>
> Using a "safe uid" will not stop a buffer overflow from happening and
> causing a privilege escalation if such an issue exists in the software.
> SELinux will negate most of the damage by disallowing even the escalated
> process access to resources it shouldn't touch.
>
> With the ever increasing complexity of software is there any software
> you trust? I know I don't. Are you running your Flash plugin in Mozilla
> as a different user than the one you logged into under X? Care to
> elaborate how to accomplish such a feat? Or can you provide any
> pointers?
>

Forget it Leonard. He says he has no problem with SELinux but he has
strenuously tried to come up with every sort of excuse he can think of
to tell others to not bother with it.

So it seems to me that he is either trolling or is willing to make
himself a soundboard for others to see the need to implement and run
SELinux.

Re: [CentOS] ssh-agent fails to hold values
On Tue, Nov 30, 2010 at 5:19 AM, John Doe wrote:
> From: Nico Kadel-Garcia
>
>> On Mon, Nov 29, 2010 at 6:41 AM, John Doe wrote:
>> > From: bluethundr
>> >> I am attempting to manage my key logins with ssh-agent. However EVERY
>> >> time I try to ssh I have to go through the same exact routing and it's
>> >> getting a little old...
>> >> Does anyone have any suggestions to make ssh-agent hold these values a
>> >> bit more persistently?
>> > I have this in my .bash_profile:
>> > AGENTRUNNING=`ps x | grep agent | grep -v grep`
>> > if [ -z "$AGENTRUNNING" ]; then
>> >   /usr/bin/ssh-agent -s > $HOME/.ssh/agent-env.sh
>> > fi
>> > . $HOME/.ssh/agent-env.sh > /dev/null
>> > Then, I ssh-add once and that's it.
>> And if you log in on another machine with that same home directory on
>> NFS, you'll load information for the wrong host's ssh-agent keys.
>> Install and use "keychain". It's leaps and bounds more reliable than this.
>
> No NFS home directories... so no problems.
> What reliability problems are you referring to?
> So far, it just worked fine...

The NFS home directory is the big one. Another is that, if
something sets "AGENTRUNNING" in another script and you inherit it,
it's not reset. And since it's in a .bashrc, once it's set, you'll
inherit for other scripts: if it dies, you won't get a new one due to
the inherited AGENTRUNNING.

And what if the user has "agent" in their login name?

If it works in your small environment, fine, but I wouldn't publish it
for general use without more thought. The "keychain" perl script is
actually pretty good.

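One way to avoid the failure modes raised in this exchange (shared home directories, a stale record of a dead agent, matching on process names), as an added example that is not from the thread and is not the keychain script: the environment file is per host, the agent is probed with ssh-add instead of ps, and the saved file is parsed for its two values and never sourced. All function names and the per-host file name are assumptions.

```bash
# Added example, not from the thread. The function names and the per-host
# file name are assumptions; ssh-agent and ssh-add are the stock OpenSSH tools.

# One environment file per host, so a home directory shared over NFS never
# hands this machine the socket of an agent running somewhere else.
agent_env_file() {
    printf '%s/.ssh/agent-env.%s.sh\n' "$HOME" "$(uname -n)"
}

# Read the two values out of a saved "ssh-agent -s" output instead of
# sourcing the file, so nothing else in that file is ever executed.
load_agent_env() {
    local sock pid
    [ -r "$1" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1)
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1)
    if [ -z "$sock" ] || [ -z "$pid" ]; then
        return 1
    fi
    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Ask the agent itself instead of grepping the process list. ssh-add -l
# exits 0 (keys loaded) or 1 (agent up, no keys); 2 means no agent answered.
agent_alive() {
    local rc=0
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -le 1 ]
}

# Reuse an inherited agent, else the one recorded for this host, else start one.
ensure_agent() {
    local envfile
    envfile=$(agent_env_file)
    agent_alive && return 0
    if load_agent_env "$envfile" && agent_alive; then
        return 0
    fi
    # Stale or missing record: start a fresh agent and save its output 0600.
    if ! ( umask 077; ssh-agent -s > "$envfile.$$" ); then
        rm -f "$envfile.$$"
        return 1
    fi
    mv -f "$envfile.$$" "$envfile"
    load_agent_env "$envfile" && agent_alive
}

# In ~/.bash_profile, after the definitions:  ensure_agent
```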
Re: [CentOS] how to separate individual logs?
From: hadi motamedi
> On 11/30/10, John Doe wrote:
> > The trick is that your original file has '\r' chars lurking around...
> > Forgot I did remove them manually when I saw them...
> > cat Edit3 | tr -d "\r" | while read LINE; do
> > Instead of just copy/pasting, try to understand what it does.
> > Here is how it works:
> > - Read each line in the LINE variable.
> > - If the line contains the string '>..', it is a "section" line.
> >   Set the log filename to the section title.
> > - If not, just write the line to the current log filename.
> Sorry. I didn't get the point clearly. What I need is to separate the
> log files from each of the modules. For example, I need all of the log
> files coming from XAPP module. In the main log, it can be
> distinguished by searching for the following line:
> XAPP >..
> Then you see subsequent lines that are logs coming from this module.
> Then the logs from another module will come following the previous
> one. I think your code is not doing this. Can you please correct me on
> my understanding of your code body?

My pseudo-code does exactly what you described (re-read it)...
And it creates .log files...

$ ll -n
total 36
-rw-r--r-- 1 2000 500 4678 nov 30 10:49 Edit3
-rw-r--r-- 1 2000 500   39 nov 30 10:54 HLR.log
-rw-r--r-- 1 2000 500 2320 nov 30 10:54 IPTR.log
-rw-r--r-- 1 2000 500  478 nov 30 10:54 SCCP.log
-rw-r--r-- 1 2000 500  754 nov 30 10:54 SNMP.log
-rw-r--r-- 1 2000 500  507 nov 30 10:54 TCAP.log
-rw-r--r-- 1 2000 500  281 nov 30 10:54 XAPP.log
-rwxr-xr-x 1 2000 500  207 nov 30 10:54 test.sh*

If you think it is not doing it, I cannot help you...
Either ask your sysadmin to help you, or use someone else's code...

JD

Re: [CentOS] yum/RPM Problem: several packages with the same name were installed, how to remove one of them ?
On Tue, Nov 30, 2010 at 4:44 AM, giggzounet wrote:
> Hi,
>
> We have a cluster with CentOS 5.5 installed with oscar. The firm which
> has pre-installed the cluster has done strange things...and now I get
> problems:
>
> - if I understand correctly what was done, several infiniband CentOS
> packages were installed (compat-dapl, compat-dapl-devel,
> compat-dapl-utils, libibcm, libibverb, librdmacm, mpi-selector).
> - Then the tar package from OFED was installed. This archive contains
> rpm packages too...and were installed.
> - So on our nodes we have several versions of "compat-dapl,
> compat-dapl-devel, compat-dapl-utils, libibcm, libibverb, librdmacm,
> mpi-selector".
>
> I would like to remove the package from CentOS (in order to have a
> homogeneous OFED environment). How can I do that ?

If they came from CentOS, it should be reasonable to uninstall them.
Use "yum" and see what it reports.

> These packages target the same files...If I remove the package of
> CentOS, will it erase all the files in common ? how does rpm/yum behave
> in this situation ?

"It Depends(tm)". .i386 and .x86_64 packages, for example, often have
considerable overlap, and leave behind the common files when removed.
If the duplications were incompatible, then yum or RPM *should* have
refused to install the duplicates, unless the installation was forced.
"%config" files from .spec files may also overlap and be preserved.
Some packages, such as sendmail and postfix and exim, use the
"alternatives" web of symlinks to leave one expected version in place
in /usr/bin for common tools like "sendmail" binaries, and unweave the
link when removing one of them.

So it's hard to be completely sure it's reliably safe without checking
the packages. But if they have distinct package names, not just
version numbers, you should be OK deleting them.

Re: [CentOS] ssh-agent fails to hold values
From: Nico Kadel-Garcia
> If it works in your small environment, fine, but I wouldn't publish it
> for general use without more thought. The "keychain" perl script is
> actually pretty good.

I am not going to pit 5 lines of shell against a 1500+ lines perl script...
It was just a suggestion, not an official publication... ;P

JD

Re: [CentOS] SELinux - way of the future or good idea but !!!
On 30/11/10 10:54 PM, Leonard den Ottolander wrote:
> On Tue, 2010-11-30 at 02:12 -0800, John Doe wrote:
>
>> Because it comes from the NSA!
>> The backdoor experts... ;P
>
>> PS: joking of course, the NSA would never do anything bad...
>
> This of course was a serious concern by any of the early adopters. It
> has been discussed in length on various mailing lists. But since the
> code is available it can and has been audited. Unless of course the
> Linux developers are collaborating with the NSA to take over your
> computer and they slipped us a mickey.

As you say, it was eventually determined that the NSA did not insert
anything dodgy in the code to give them access. They only did two
things which caused a certain amount of questioning, to a greater or
lesser extent:

1) They only work with Red Hat officially because it is an American
company, though the current business model of Red Hat made the
partnership far more viable.

2) In spite of many requests, they refused point blank to incorporate
encryption in any of the enhancements.

The reason for the second one is pretty obvious, though, they know
that SELinux would be (and is) used by non-Americans and they don't
want to protect foreign secrets, they want to discover them.

Regards,
Ben

[CentOS] CF disks images and centos
Hi all,

I have 8G -CF cards that I have been putting linux on. Everything was
working fine till yesterday when I got a new batch of CF cards. The
size has changed.

The original CF card was 7637M (255 heads/63 sectors/928 cylinders)
The new CF card is 8019M (255 heads/63 sectors/974 cylinders)

I would have thought putting the smaller image file onto the larger CF
card would be ok. However it's not. centos boots but there are journal
issues and everything is mounted read-only.

Any ideas why this doesn't work or how I can keep my smaller image and
"successfully" put it on the larger CF card?

I simply do "dd if=cf.img of=/dev/sde" to copy the images to CF.

Thanks,
Jerry

Re: [CentOS] Optimal VPN
On 25/11/10 4:07 AM, tony.chamberl...@lemko.com wrote:
>
> I am looking for the optimal VPN. Well it doesn't have to be that elaborate.
> Just the best VPN. We currently have some customers using PPTP, some using
> openvpn, some using Cisco Any Connect and there are a few others.

Be careful with the Cisco VPN solutions. Cisco's VPN client is
notoriously bad at handling 64-bit architecture and frequently induces
kernel panics (I've seen this in both Linux and OS X systems).

> So my question is, if you have control of both ends (client and server)
> what is the best VPN to use? There are not too many requirements, but a
> big one is

I'd go for OpenVPN, it's free and widely supported across multiple
platforms.

> The VPN must return the same IP address to the same user each time
>
> That is there must be a specific IP address assigned to a user/password
> combination. pptp does not really do this but I wrote sort of a backend
> (or maybe frontend? ;-) ) to change the IP address assigned based on a
> login and password. It is extra stuff I would prefer not to do though.

RADIUS can assign a specific IP to a given user, but let OpenVPN
handle the encryption.

Regards,
Ben

Re: [CentOS] how to separate individual logs?
On Nov 30, 2010, at 4:07 AM, hadi motamedi wrote:

> On 11/30/10, cybernet wrote:
>>> cat edit.txt | while read LINE; do
>>>   echo "$LINE" | grep -q '>\.\.'
>>>   if [ $? -eq 0 ]; then
>>>     LOGFILE=`echo $LINE | cut -d' ' -f1`.log
>>>   else
>>>     echo "$LINE" >> $LOGFILE
>>>   fi
>>> done
>>
>
> As you see in the original text file, each module's log is started
> with the module's name followed by '>..' characters so the code is
> expected to search for the start of each module's log and try to
> separate its specific log. I tried the code but it seems that it
> has some syntax error that needs to be corrected.

That error would happen if you did not have a space between [ and $?

Tony Schreiner

Re: [CentOS] SELinux - way of the future or good idea but !!!
Ben McGinnes wrote:
> On 30/11/10 10:54 PM, Leonard den Ottolander wrote:
>> On Tue, 2010-11-30 at 02:12 -0800, John Doe wrote:
>>
> As you say, it was eventually determined that the NSA did not insert
> anything dodgy in the code to give them access. They only did two

I dunno, selinux is pretty dodgy

> things which caused a certain amount of questioning, to a greater or
> lesser extent:

> 2) In spite of many requests, they refused point blank to incorporate
> encryption in any of the enhancements.
>
> The reason for the second one is pretty obvious, though, they know
> that SELinux would be (and is) used by non-Americans and they don't
> want to protect foreign secrets, they want to discover them.

Um, not quite: there *are* export controls on encryption, and even if
they wanted it, they couldn't.

mark

Re: [CentOS] SELinux - way of the future or good idea but !!!
On 1/12/10 2:32 AM, m.r...@5-cent.us wrote:
> Ben McGinnes wrote:
>>
>> The reason for the second one is pretty obvious, though, they know
>> that SELinux would be (and is) used by non-Americans and they don't
>> want to protect foreign secrets, they want to discover them.
>
> Um, not quite: there *are* export controls on encryption, and even
> if they wanted it, they couldn't.

With the crypto that is already included by default in Linux
(e.g. OpenSSH, OpenSSL, etc.), US companies are already unable to
distribute their products to those few countries left on the list that
those export controls apply to (not that that actually stops those
countries from obtaining it anyway). You won't find any RHEL service
contracts in Syria, Cuba, Iran, North Korea and whichever other
countries are on the list (I can't be bothered looking it up).

It's more likely that the NSA reasoning is operational rather than
legal. There are already enough suppliers of cryptographic software
within the United States to show that compliance with that legislation
is still possible.

The NSA know that the crypto genie is out of the bottle, they're just
not willing to share their own advances. Which makes sense
considering what they do, it's not like GCHQ shares its advances with
UK firms or the DSD shares theirs with Australian firms.

Regards,
Ben

Re: [CentOS] SELinux - way of the future or good idea but !!!
On Monday, November 29, 2010 12:38:20 pm Les Mikesell wrote:
> [Most third party apps qualify as]
> Pretty much anything that needs to write files outside of the home
> directory of the owning user. Certainly anything that uses apache with
> its own data store.

Which is the prime target for SELinux anyway. If it runs in-process in
apache you need better protection than the standard UNIX uid:gid.

> > All of the third-party software I run seems to run just fine, as long as
> > the right contexts are applied.
>
> Well, obviously it will work after someone takes the time to make it
> work.

Exactly. Proper information security is becoming more and more
critical; educating the executive suite on the need for good
information security is a big part; they're obviously going to want
justification for the time spent.

If a particular app is so recalcitrant that SELinux needs to be turned
off, that's when I'd be doing some drastic things, much like windows
lab environments need done. Things like automatic revert to known-good
snapshot on the production boxes for all but the data files. Things
like isolation in a VM for those apps. Of course, that's also work,
and getting SELinux working properly might be less work. Everyone
wants less work per project to get more projects done, of course, but
cutting corners is still cutting corners and one day it will come back
to haunt the corner-cutter.

> Now it is your turn to quantify: How much would you charge to
> teach someone to be able to make those changes and how long would it
> take? This has to include the ability to quickly diagnose and fix any
> problem that might be caused by updates to the application or to the OS
> distribution.

To teach, $50 per hour (if I were available to teach; at the moment
I'm full on my work hours). The number of hours would depend upon the
complexity of the application; for Scalix, assuming no familiarity
with either Scalix or SELinux, eight to sixteen hours (one-two days).

Basic stuff wouldn't take more than five to ten hours at most; but
I've not done a full workup of an 'SELinux' course, either, and I bet
Red Hat has; might even be something they offer, I don't know. Their
instructors would likely do a much better job than I, since they teach
it more often and probably more rigorous, as I don't really consider
myself an expert in SELinux itself; I know enough to get my stuff to
work with SELinux in enforcing/targeted mode, that's all. And I can
share that experience; I can also share the experience of having been
hacked once, and also the experience of multiple layers (including
SELinux) preventing a hack (or two).

But training in 'SELinux did this, do that' or 'here's common symptoms
of SELinux issues, and here's how to get into permissive mode so you
can figure out what's breaking, and here are your triage tools' is a
vital part of using SELinux to its potential.

But an ounce of prevention is worth a pound of cure; once an
information theft occurs, it cannot be undone.

Re: [CentOS] SELinux - way of the future or good idea but !!!
On Monday, November 29, 2010 02:24:14 pm m.r...@5-cent.us wrote:
> Lamar Owen wrote:
> > My opinion is that I'm not going to run third party apps that break in that
> > way, and I'm going to let the developers know why.
>
> That's fine for you. When you're running in a larger environment, as many
> of us are, corporate or government, and you have no choice in what's run,
> esp. if some of it's run by mandate, and the group mandating it only knows
> WinDoze, and companies that they buy software from claim they have it for
> Linux (like CA), or you've got F/OSS that no one has time to do more than
> customize, not go through zillions of lines of code, that generate AVC's,
> you do what we do: mostly permissive.

While I sympathize with the plight of those saddled with software not
written with SELinux in mind, I would ask those so saddled to
understand that others are running enforcing mode SELinux systems with
no trouble at all. And most cases where I've needed to troubleshoot
AVC's they've been file labels, and didn't require going through
zillions of lines of code to fix.

But the basic real trouble is that the upstream developers cannot fix
bugs that they don't know about. Now perhaps they don't care about
SELinux; well, at that point I would hazard to say that perhaps you
should just run whatever is best supported by upstream, whether that
be SuSE, or debian, or whatever.

Re: [CentOS] SELinux - way of the future or good idea but !!!
On Monday, November 29, 2010 11:02:59 pm cpol...@surewest.net wrote:
> Your enthusiasm for SELinux seems tied conceptually to a workstation
> running the set of applications that come with the distribution.
> Nothing wrong with that.

I have used Linux as my primary desktop for 13 years; so, yeah, I do
sometimes have a desktop slant. I've run Linux servers for that same
amount of time; I've seen hacks succeed, and recently I've seen hacks
fail thanks to SELinux.

I bring out desktop scenarios simply to bring that out in a sea of
server-centric discussions; doing that will by default give the sense
that I'm desktop-slanted, when I run both, but have quicker desktop
paradigms since I use my desktop in more 'critical' ways than I use my
servers (things like online banking on the desktop, where data theft
is the critical issue). Now my servers are mission-critical for sure;
but data theft there wouldn't be quite as directly impacting as data
theft on my laptop would be.

Of course, my desktops are Fedora rather than CentOS; although I might
switch one to CentOS 6 early next year.

Re: [CentOS] SELinux - way of the future or good idea but !!!
On 11/30/2010 9:51 AM, Lamar Owen wrote:
>
> If a particular app is so recalcitrant that SELinux needs to be turned off,
> that's when I'd be doing some drastic things, much like windows lab
> environments need done. Things like automatic revert to known-good snapshot
> on the production boxes for all but the data files. Things like isolation in
> a VM for those apps. Of course, that's also work, and getting SELinux
> working properly might be less work. Everyone wants less work per project to
> get more projects done, of course, but cutting corners is still cutting
> corners and one day it will come back to haunt the corner-cutter.
>
>> Now it is your turn to quantify: How much would you charge to
>> teach someone to be able to make those changes and how long would it
>> take? This has to include the ability to quickly diagnose and fix any
>> problem that might be caused by updates to the application or to the OS
>> distribution.
>
> To teach, $50 per hour (if I were available to teach; at the moment I'm full
> on my work hours). The number of hours would depend upon the complexity of
> the application; for Scalix, assuming no familiarity with either Scalix or
> SELinux, eight to sixteen hours (one-two days).

I'm not talking about a particular app. The thing I want quantified is
what it will cost to train some number of people to be able to
troubleshoot any problem that SELinux might cause with any app, given
potential changes in updates to both the distribution provided stuff
and the 3rd party coding at any time.

--
Les Mikesell
lesmikes...@gmail.com

Re: [CentOS] SELinux - way of the future or good idea but !!!
On Monday, November 29, 2010 09:35:44 pm Les Mikesell wrote:
> Not so much a problem - I'm just saying that you should do the simple things
> that have always worked first, then add SELinux if you want.

First, I hope everyone else is enjoying the thread as much as I; I always like to see divergent opinions, especially by those who in other venues have proven their technical mettle, of which this list has plenty. And, while I am more than aware that this is not CentOS-specific, it is directly related to a default CentOS installation, that is, SELinux in enforcing mode with the targeted policy (last I installed C5.5 that was the case).

Now, I want to ask, given the two alternatives:

1.) Set up another uid to run PDF, browser, flash, etc and either switch between them or use some display indirection/ forwarding complexity to not have to switch, or fire up a VMware resource hog (I do use VMware; firing up a whole 'nother OS in a VM reduces the performance of host apps, no matter how I tune them) and use Unity to make it look seamless

or

2.) Be able to tell my os 'PDF reader can only do X to these files, and no others. Browser cannot read ~/Documents, and can only write in ~/.mozilla. Flash plugin cannot write anywhere without specific user permission and can only read those files it requires to work.'

As to the trust issue, well, I trust the SELinux code as much as any other code in the Linux kernel, including the uid:gid permissions code. I know in all cases that the code is getting well-qualified eyes looking at it, and, should I want to train myself to look at it in that detail, I can.

There are server-side equivalent examples, but I am purposely playing the desktop advocate here, so I'll leave those as a reader exercise.
Re: [CentOS] SELinux - way of the future or good idea but !!!
I'll add to the large (often interesting, but large nonetheless) pile of messages in this thread by remarking that even in permissive mode, SELinux can be very useful as an audit tool.

Those AVC messages folks love to hate show deviations from expected behavior. Sometimes those deviations are false positives and require a policy adjustment or relabeling. Sometimes, however, they show in great detail exactly what an exploited vulnerability did (or tried to do): read or replace files, open TCP ports or sockets, create and populate directories.

A while back, someone exploited a vulnerability on a machine in my care. I'd been having trouble getting other apps on that machine to work and play well with SELinux so I had it running in permissive mode. Using the audit logs, I was able to ascertain with a high degree of confidence the extent of the damage -- using information that would have been unavailable but for SELinux.

Of course, the exploit wouldn't have been possible if I'd been running SELinux in enforcing mode... :-)

--
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
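The triage described in the message above (reading AVC denials logged in permissive mode to see what a compromised process touched), sketched as an added example that is not part of the original message. The log lines are constructed samples, and the function names and category buckets are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not real incident data).
SAMPLE_LOG = """
type=AVC msg=audit(1291132801.101:501): avc:  denied  { name_bind } for  pid=4312 comm="perl" src=8099 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1291132801.101:501): arch=c000003e syscall=49 success=yes exit=0 comm="perl" exe="/usr/bin/perl"
type=AVC msg=audit(1291132802.230:502): avc:  denied  { write } for  pid=4312 comm="perl" name="index.html" dev=dm-0 ino=98231 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1291132809.877:509): avc:  denied  { write } for  pid=4312 comm="perl" name="index.html" dev=dm-0 ino=98231 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1291132803.004:503): avc:  denied  { create } for  pid=4312 comm="perl" name=".cache" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1291132804.560:504): avc:  denied  { read } for  pid=4330 comm="sh" name="shadow" dev=dm-0 ino=1177 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291133000.000:520): avc:  denied  { read } for  pid=2101 comm="ntpd" name="drift" dev=dm-0 ino=5521 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that change state on disk, and object classes that mean network use.
MODIFY = {"write", "append", "create", "unlink", "rename", "setattr",
          "add_name", "remove_name", "rmdir"}
NETWORK_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}


def _type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    source = _type_of(fields.get("scontext", ""))
    target = _type_of(fields.get("tcontext", ""))
    if source is None or target is None:
        return None
    pid = fields.get("pid", "")
    return {
        "time": float(m.group("ts")),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "pid": int(pid) if pid.isdigit() else None,
        "source": source,
        "target": target,
        "tclass": fields.get("tclass", "?"),
        # Files carry path= or name=; socket denials carry dest= or src= (a port).
        "object": (fields.get("path") or fields.get("name")
                   or fields.get("dest") or fields.get("src") or "?"),
    }


def classify(rec):
    """Bucket a denial by the kind of activity it records."""
    if rec["tclass"] in NETWORK_CLASSES:
        return "network"
    if rec["perms"] & MODIFY:
        return "dir-modify" if rec["tclass"] == "dir" else "file-modify"
    return "read-or-other"


def summarize(log_text, domain=None):
    """Group de-duplicated denials by source domain and activity bucket."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (domain and rec["source"] != domain):
            continue
        entry = (rec["comm"], rec["tclass"], rec["object"],
                 ",".join(sorted(rec["perms"])))
        report[rec["source"]][classify(rec)].add(entry)
    return {src: {cat: sorted(items) for cat, items in cats.items()}
            for src, cats in report.items()}


if __name__ == "__main__":
    for src, cats in summarize(SAMPLE_LOG).items():
        print(src)
        for cat, items in sorted(cats.items()):
            for comm, tclass, obj, perms in items:
                print(f"  {cat:14} {comm:6} {tclass:11} {obj:12} {{{perms}}}")
```

Passing `domain="httpd_sys_script_t"` narrows the report to one confined domain, which separates the web-script activity from unrelated denials such as the `ntpd_t` line.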
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote:
> On Monday, November 29, 2010 09:35:44 pm Les Mikesell wrote:
>> Not so much a problem - I'm just saying that you should do the simple
>> things that have always worked first, then add SELinux if you want.

> Now, I want to ask, given the two alternatives:
> 1.) Set up another uid to run PDF, browser, flash, etc and either switch
> between them or use some display indirection/ forwarding complexity to not
> have to switch, or fire up a VMware resource hog (I do use VMware; firing
> up a whole 'nother OS in a VM reduces the performance of host apps, no
> matter how I tune them) and use Unity to make it look seamless
>
> or
>
> 2.) Be able to tell my os 'PDF reader can only do X to these files, and no
> others. Browser cannot read ~/Documents, and can only write in
> ~/.mozilla. Flash plugin cannot write anywhere without specific user
> permission and can only read those files it requires to work.'

Gag! And suppose you d/l a pdf, or an html of a manual, or the company holiday party flyer, or the meeting announcement - the way you describe it, above, I can't look at them.

As I said, the whole arcane policy language, and it being for *everything*... and you've said it's esp. for apache, and most of the AVC's I see that I have problems even figuring out what it's complaining about, have been related to apache and cgi, etc.

Sorry, but I think selinux is a side pathway that leads to an unnavigable swamp. And training folks - you need a number of folks *all* of whom can deal with that swamp. Unless, of course, you want to be so irreplaceable that they don't want you to ever take a vacation, and are on call 24x7x365.25.

mark, been there without realizing it, done that, WON'T DO IT AGAIN
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 05:12:17 am John Doe wrote:
> From: Les Mikesell
> > why are you putting blind faith in the SELinux code?
> Because it comes from the NSA!
> The backdoor experts... ;P

Also the SCIF experts. SCIFs are used by people other than intelligence agencies and in areas other than intelligence; HIPAA compliance, for instance. The Wikipedia article is a good read.

In other words, SELinux embodies the SCI 'need to know' paradigm in-kernel: the process's uid might have the clearance to access a piece of data, but if it doesn't have a need to access it shouldn't be allowed to access it. And perhaps it can access, but not modify. Perhaps it needs monitoring by other processes in order to access. Etc. SELinux gives the tools to allow the decoupling of 'cleared to know' with 'need to know.'
[CentOS] Converting to Raid1
Have a CentOS 4.x 32 bit server running on a single 500M SATA drive. What is easiest way to convert to RAID 1 on it? Anyone have a link? Would be open to hardware or software just do not want to reinstall the entire mess.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 11:21:46 am Les Mikesell wrote:
> I'm not talking about a particular app. The thing I want quantified is
> what it will cost to train some number of people to be able to
> troubleshoot any problem that SELinux might cause with any app, given
> potential changes in updates to both the distribution provided stuff and
> the 3rd party coding at any time.

That I wouldn't consider myself qualified to quantify. I'm sure there are those who are, however.
Re: [CentOS] Converting to Raid1
On Tue, Nov 30, 2010 at 11:59, Matt wrote:
> Have a CentOS 4.x 32 bit server running on a single 500M SATA drive.
> What is easiest way to convert too RAID 1 on it? Anyone have a link?
> Would be open to hardware or software just do not want to reinstall
> the entire mess.

Why would you mirror a single disk? You need to get another 500Gb hard drive to mirror with. Once you get the second drive, you need to make sure LVM is installed. I think you then need to add your partitions as physical drives and partition the new drive to match your existing one. Add the new drive partitions as physical drives and pair them up. How difficult it is depends on your current set up.

John
--
John Kennedy
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 11/30/2010 11:04 AM, Lamar Owen wrote:
> On Tuesday, November 30, 2010 11:21:46 am Les Mikesell wrote:
>> I'm not talking about a particular app. The thing I want quantified is
>> what it will cost to train some number of people to be able to
>> troubleshoot any problem that SELinux might cause with any app, given
>> potential changes in updates to both the distribution provided stuff and
>> the 3rd party coding at any time.
>
> That I wouldn't consider myself qualified to quantify. I'm sure there are
> those who are, however.

But that's the thing someone needs to be able to estimate before considering enabling SELinux on an existing farm of machines running complex, pre-existing applications where the team of operators has to be able to fix any potential problem quickly.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] CF disks images and centos
At Tue, 30 Nov 2010 09:46:03 -0500 CentOS mailing list wrote:
>
> Hi all,
>
> I have 8G -CF cards that I have been putting linux on.
> Everything was working fine till yesterday when I got a new batch of CF
> cards.
>
> The size has changed. The original CF card was 7637M (255 heads/63
> sectors/928 cylinders)
> The new CF card is 8019M (255 heads/63 sectors/974 cylinders)
>
> I would have thought putting the smaller image file onto the larger CF
> card would be ok.
> However it's not. centos boots but there are journal issues and
> everything is mounted read-only.
>
> Any ideas why this doesn't work or how I can keep my smaller image and
> "successfully" put it
> on the larger CF card?
>
> I simply do "dd if=cf.img of=/dev/sde" to copy the images to CF.

ARG!!! Don't do this! You really, really don't want to dd a raw disk image (including mbr/partition table) to a *different* geometry disk -- it does not matter what the 'disk' tech is (IDE, SCSI, SATA, SSD, etc.).

Partition the new disk with fdisk (or something like that), then use mkfs to make the file systems then use dump/restore to move the file systems. Finally use grub-install (or lilo) to install the boot loader.

>
> Thanks,
>
> Jerry

--
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 11:38:24 am m.r...@5-cent.us wrote:
> Lamar Owen wrote:
> > 2.) Be able to tell my os 'PDF reader can only do X to these files, and no
> > others. Browser cannot read ~/Documents, and can only write in
> > ~/.mozilla. Flash plugin cannot write anywhere without specific user
> > permission and can only read those files it requires to work.'
>
> Gag! And suppose you d/l a pdf, or an html of a manual, or the company
> holiday party flyer, or the meeting announcement - the way you describe it,
> above, I can't look at them.

Valid point; I'd just want to tune my policy. The biggest lack I see right now is a simple interface to the policy settings, but it is getting better each iteration.

> Sorry, but I think selinux is a side pathway that leads to an unnavigable
> swamp. And training folks - you need a number of folks *all* of whom can
> deal with that swamp.

You are certainly entitled to your opinion.

Swamps are buildable with ACL's, SELinux contexts, user permissions, and basically any other controls. Well-groomed gardens are also buildable with these tools; at least the tools are available. One should not avoid greenery entirely just because one has seen overgrown yards before.

> Unless, of course, you want to be so irreplaceable that they don't want
> you to ever take a vacation, and are on call 24x7x365.25.

For my own laptop? :-) And why would I want to be on call 365 weeks a year?

No one is ever irreplaceable. Least of all me. Security concerns should be part and parcel of any application rollout, and it is irresponsible to ignore any of the myriad tools at hand to perform the task.
Re: [CentOS] CF disks images and centos
> > The size has changed. The original CF card was 7637M (255 heads/63
> > sectors/928 cylinders)
> > The new CF card is 8019M (255 heads/63 sectors/974 cylinders)
> >
> > I simply do "dd if=cf.img of=/dev/sde" to copy the images to CF.
>
> ARG!!! Don't do this! You really, really don't want to dd a
> raw disk image (including mbr/partition table) to a
> *different* geometry disk -- it does not matter what the
> 'disk' tech is (IDE, SCSI, SATA, SSD, etc.).

Even if the two disks have the same manufacturer and manufacturer part number, different firmware revisions can fail to boot after

dd if=/dev/spinpoint.partnumber.fwrev1 of=/dev/spinpoint.partnumber.fwrev2

Been there, done that, got bit where the sun doesn't shine.

> Partition the new disk with fdisk (or something like that),
> then use mkfs to make the file systems then use dump/restore
> to move the file systems. Finally use grub-install (or lilo)
> to install the boot loader.

+1
sfdisk -d /dev/olddisk > /product/partition.layout
dump (whatever)

...years later...

sfdisk /dev/newdisk < /product/partition.layout
restore (whatever)
grub-install (magic tbd)
# SHIP IT
Re: [CentOS] CF disks images and centos
On Tuesday, November 30, 2010 09:46:03 am Jerry Geis wrote:
> However it's not. centos boots but there are journal issues and
> everything is mounted read-only.

Can you get log snippets showing why the journal had issues?

> Any ideas why this doesn't work or how I can keep my smaller image and
> "successfully" put it
> on the larger CF card?
>
> I simply do "dd if=cf.img of=/dev/sde" to copy the images to CF.

I've done this before with regular disk drives (going from a 200G to a 500G SATA in this laptop I'm using right now); I used dd to copy, then I booted just fine. I then rebooted with a liveCD and did the partition moving/enlargement that I needed to do.

Geometry issues used to be bears, but in the days of LBA (and with SCSI drives) there really isn't a 'geometry' to speak of at the OS or partition level. The 'geometry' you quoted has the standard 255 heads and 63 sectors pseudo-geometry for both devices, and even in the days of real chs geometry issues those issues revolved around the number of heads and the number of sectors per track rather than the number of cylinders on the volume.

The dd way of copying to CF is pretty standard these days, and works almost all the time. But this is all speculation without seeing what is causing the filesystem to go read-only.
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote:
> On Tuesday, November 30, 2010 11:38:24 am m.r...@5-cent.us wrote:
>> Lamar Owen wrote:
>> > 2.) Be able to tell my os 'PDF reader can only do X to these files,
>> > and no others. Browser cannot read ~/Documents, and can only write in
>> > ~/.mozilla. Flash plugin cannot write anywhere without specific user
>> > permission and can only read those files it requires to work.'
>>
>> Gag! And suppose you d/l a pdf, or an html of a manual, or the company
>> holiday party flyer, or the meeting announcement - the way you describe
>> it, above, I can't look at them.
>
> Valid point; I'd just want to tune my policy. The biggest lack I see
> right now is a simple interface to the policy settings, but it is getting
> better each iteration.

Right - change *local* policy for every iteration.

>
>> Sorry, but I think selinux is a side pathway that leads to an
>> unnavigable swamp. And training folks - you need a number of folks *all* of whom can
>> deal with that swamp.
>
> You are certainly entitled to your opinion.
>
> Swamps are buildable with ACL's, SELinux contexts, user permissions, and
> basically any other controls. Well-groomed gardens are also buildable
> with these tools; at least the tools are available. One should not avoid
> greenery entirely just because one has seen overgrown yards before.

I'm talking about the real, outside world, *not* my own personal system. And for personal systems, even though it would protect a lot of folks, it would stop them from doing still more... and we're talking about folks who are *NOT* knowledgeable.

>
>> Unless, of course, you want to be so irreplaceable that they don't want
>> you to ever take a vacation, and are on call 24x7x365.25.
>
> For my own laptop? :-) And why would I want to be on call 365 weeks a
> year?

As I said, I work in the real world with all this, and you seem to be arguing, based on your own personal experience that those of us in the workplace should do thus-and-so, and we're telling you what it's like in the trenches, and why we don't like selinux.

mark
Re: [CentOS] CF disks images and centos
On 11/30/2010 12:10 PM, Brunner, Brian T. wrote:
>
>>> The size has changed. The original CF card was 7637M (255 heads/63
>>> sectors/928 cylinders)
>>> The new CF card is 8019M (255 heads/63 sectors/974 cylinders)
>>>
>>> I simply do "dd if=cf.img of=/dev/sde" to copy the images to CF.
>>
>> ARG!!! Don't do this! You really, really don't want to dd a
>> raw disk image (including mbr/partition table) to a
>> *different* geometry disk -- it does not matter what the
>> 'disk' tech is (IDE, SCSI, SATA, SSD, etc.).
>
> Even if the two disks have the same manufacturer and manufacturer part
> number, different firmware revisions can fail to boot after
>
> dd if=/dev/spinpoint.partnumber.fwrev1
> of=/dev/spinpoint.partnumber.fwrev2
>
> Been there, done that, got bit where the sun doesn't shine.
>
>> Partition the new disk with fdisk (or something like that),
>> then use mkfs to make the file systems then use dump/restore
>> to move the file systems. Finally use grub-install (or lilo)
>> to install the boot loader.
>
> +1
> sfdisk -d /dev/olddisk > /product/partition.layout
> dump (whatever)
>
> ...years later...
>
> sfdisk /dev/newdisk < /product/partition.layout
> restore (whatever)
> grub-install (magic tbd)
> # SHIP IT

I'm not positive, but I'd expect clonezilla to get this right - and probably be able to expand the partition after the copy for you. Plus it will save time compared to dd by not needing to copy unused disk blocks and it can save a compressed image on a file server for repeated cloning.

--
Les Mikesell
lesmikese...@gmail.com
Re: [CentOS] Any chance to get a working, current openldap srpm/rpm for centos 5.5
On Mon, Nov 29, 2010 at 03:07:49PM +0100, Götz Reinicke - IT-Koordinator wrote:
> On 29.11.10 13:43, Eero Volotinen wrote:
> > 2010/11/29 Götz Reinicke - IT-Koordinator :
> >> Hello,
> >>
> >> is there anyone out there, who has a current 2.4.23 srpm or good how to
> >> compile it from src with supported db4?
> >
> > RHEL 6 provides ldap-2.4.19
> >
> > So maybe you just need to wait for Centos 6 ?
>
> RH EL 6 is not supported by citrix xen server ... what is what we run
> right now.
>

XCP (Xen Cloud Platform) 1.0 beta added support for EL6, so it should be also in XenServer 5.6 FP1 beta.

-- Pasi

> And using or waiting for a distribution release if you 'only' need an
> application update is not an option.
>
> But thanks for your suggestion.
>
> /Götz
>
> --
> Götz Reinicke
> IT Coordinator
>
> Tel. +49 7141 969 420
> Fax +49 7141 969 55 420
> E-Mail goetz.reini...@filmakademie.de
>
> Filmakademie Baden-Württemberg GmbH
> Akademiehof 10
> 71638 Ludwigsburg
> www.filmakademie.de
>
> Registered at Amtsgericht Stuttgart, HRB 205016
> Chair of the Supervisory Board:
> Prof. Dr. Claudia Hübner
>
> Managing Director:
> Prof. Thomas Schadt
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 12:18:26 pm Les Mikesell wrote:
> But [what it will cost to train some number of people to be able to
> troubleshoot any problem that SELinux might cause with any app, given
> potential changes in updates to both the distribution provided stuff and
> the 3rd party coding at any time] is the thing someone needs to be able
> to estimate before considering enabling SELinux on an existing farm of
> machines running complex, pre-existing applications where the team of
> operators has to be able to fix any potential problem quickly.

Before this can be done the analysts who perform such estimating as part of their regular jobs need to become familiar with the overhead of setting up SELinux, much like any other impacting technology the analysts already deal with.

Such estimates have too many variables to state an easy answer in the general sense, especially when unknowns such as the magnitude of potential updates are factored in, or the degree of backporting of fixes into the pinned versions in an Enterprise distribution. For that matter, that is already the case in update management for some apps, so there isn't any provably major overhead adding SELinux to that mix for that particular criterion.

And is it the app causing problems with SELinux or is it SELinux causing problems with the app? Or is it the lack of integrator understanding in marrying the two? Or are the tools to configure the functionality to blame?

An integrator who as a matter of course sets SELinux to off or to permissive as one of the first steps may be in for a rude awakening as pentesters wise up to SELinux and specifically target penetration testing to that layer. Especially as empirical evidence to the utility of SELinux preventing exploitation of vulnerabilities piles up ever higher.

Upstream and CentOS both ship with SELinux in the default 'more secure' enforcing mode with the moderately strict targeted policy; to make a conscious decision to reduce security for convenience would, at least in my shop, require written justification. An analysis of the time to take to implement the controls in the app would be required at that time, as well as a risk analysis of disabling the controls. I would weigh the costs and the risks, and decide at that time what to do (as I am the decision maker in my shop, I can do that, of course).

It boils down to balancing 'it breaks my app that I can't or won't fix' against 'you've been pwned!'
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote:
> On Tuesday, November 30, 2010 12:18:26 pm Les Mikesell wrote:
>> But [what it will cost to train some number of people to be able to
>> troubleshoot any problem that SELinux might cause with any app, given
>> potential changes in updates to both the distribution provided stuff and
>> the 3rd party coding at any time] is the thing someone needs to be able
>> to estimate before considering enabling SELinux on an existing farm of
>> machines running complex, pre-existing applications where the team of
>> operators has to be able to fix any potential problem quickly.

> And is it the app causing problems with SELinux or is it SELinux causing
> problems with the app? Or is it the lack of integrator understanding in
> marrying the two? Or are the tools to configure the functionality to
> blame?

Reality check time: selinux is a *tiny* portion of the entire Linux market, though growing. However, there are a ton of apps out there, and almost no developers who have been earning their living as programmers, who have any knowledge of selinux.

Case in point: something here, developed in-house over the last 10-12 years, lots of cgi. Another case: Computer Associates' SiteMinder, big bucks commercial product.

Anyone know of a list of selinux-compatible software? And how much will the commercial software cost to upgrade it to play well with selinux? Do you have an idea of how much multiuser commercial licenses are?

mark
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 11/30/2010 10:42 AM, Lamar Owen wrote:
>
> It boils down to balancing 'it breaks my app that I can't or won't fix'
> against 'you've been pwned!'

Actually, it boils down to 'what causes more total costs to the business'. Right now, in my experience, that is SELinux. Break ins to my servers are extremely rare (one machine out of several dozen internet exposed machines in 13 years). SELinux randomly taking out some aspect of operations is fairly frequent in comparison (several incidents on just the handful of machines I have that it was left active on).

Security is not an end unto itself. It exists to support the business making money. If a cost saving measure is costing the business more than it is saving it, it is *not* a good idea no matter how technically superior it is.

This in a very real sense is similar to the 'how much resources should measures to prevent shoplifting be given' in a retail store. If the anti-shoplifting measures are costing *more* than the shoplifting you are preventing - you have lost sight of the actual reason for anti-shoplifting measures in the first place.

--
Benjamin Franz
Re: [CentOS] SELinux - way of the future or good idea but !!!
Benjamin Franz wrote:
> On 11/30/2010 10:42 AM, Lamar Owen wrote:
>>
>> It boils down to balancing 'it breaks my app that I can't or won't fix'
>> against 'you've been pwned!'
>
> Actually, it boils down to 'what causes more total costs to the
> business'. Right now, in my experience, that is SELinux. Break ins to my

> Security is not an end unto itself. It exists to support the business
> making money. If a cost saving measure is costing the business more than

Not just making money, says the guy who works for a federal contractor. It exists, in the IT world, to keep the systems working, and not corrupted.

> it is saving it, it is *not* a good idea no matter how technically
> superior it is.

There's a story on today's slashdot, about how the terrorists have won - for *very* little money, they've caused countries and governments, esp. the US gov't, to spend hundreds of billions of dollars on prevention.

>
> This in a very real sense is similar to the 'how much resources should
> measures to prevent shoplifting be given' in a retail store. If the
> anti-shoplifting measures are costing *more* than the shoplifting you
> are preventing - you have lost sight of the actual reason for
> anti-shoplifting measures in the first place.

Yup. Seen lots of companies do just that, or try to squeeze out the last dime... and spend dollars doing it.

mark
Re: [CentOS] CF disks images and centos
At Tue, 30 Nov 2010 12:26:04 -0600 CentOS mailing list wrote:
>
> On 11/30/2010 12:10 PM, Brunner, Brian T. wrote:
> >
> >>> The size has changed. The original CF card was 7637M (255 heads/63
> >>> sectors/928 cylinders)
> >>> The new CF card is 8019M (255 heads/63 sectors/974 cylinders)
> >>>
> >>> I simply do "dd if=cf.img of=/dev/sde" to copy the images to CF.
> >>
> >> ARG!!! Don't do this! You really, really don't want to dd a
> >> raw disk image (including mbr/partition table) to a
> >> *different* geometry disk -- it does not matter what the
> >> 'disk' tech is (IDE, SCSI, SATA, SSD, etc.).
> >
> > Even if the two disks have the same manufacturer and manufacturer part
> > number, different firmware revisions can fail to boot after
> >
> > dd if=/dev/spinpoint.partnumber.fwrev1
> > of=/dev/spinpoint.partnumber.fwrev2
> >
> > Been there, done that, got bit where the sun doesn't shine.
> >
> >> Partition the new disk with fdisk (or something like that),
> >> then use mkfs to make the file systems then use dump/restore
> >> to move the file systems. Finally use grub-install (or lilo)
> >> to install the boot loader.
> >
> > +1
> > sfdisk -d /dev/olddisk > /product/partition.layout
> > dump (whatever)
> >
> > ...years later...
> >
> > sfdisk /dev/newdisk < /product/partition.layout
> > restore (whatever)
> > grub-install (magic tbd)
> > # SHIP IT
>
> I'm not positive, but I'd expect clonezilla to get this right - and
> probably be able to expand the partition after the copy for you. Plus
> it will save time compared to dd by not needing to copy unused disk
> blocks and it can save a compressed image on a file server for repeated
> cloning.

Right. clonezilla is much more than dd. I would suspect that clonezilla is a bundling of sfdisk, dump/restore, and grub-install, or something like that.

>
> --
> Les Mikesell
> lesmikese...@gmail.com
>

--
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
Re: [CentOS] CF disks images and centos
On 11/30/2010 1:13 PM, Robert Heller wrote:
> At Tue, 30 Nov 2010 12:26:04 -0600 CentOS mailing list
> wrote:
>
>>
>> On 11/30/2010 12:10 PM, Brunner, Brian T. wrote:
>>>
>>>>> The size has changed. The original CF card was 7637M (255 heads/63
>>>>> sectors/928 cylinders)
>>>>> The new CF card is 8019M (255 heads/63 sectors/974 cylinders)
>>>>>
>>>>> I simply do "dd if=cf.img of=/dev/sde" to copy the images to CF.
>>>>
>>>> ARG!!! Don't do this! You really, really don't want to dd a
>>>> raw disk image (including mbr/partition table) to a
>>>> *different* geometry disk -- it does not matter what the
>>>> 'disk' tech is (IDE, SCSI, SATA, SSD, etc.).
>>>
>>> Even if the two disks have the same manufacturer and manufacturer part
>>> number, different firmware revisions can fail to boot after
>>>
>>> dd if=/dev/spinpoint.partnumber.fwrev1
>>> of=/dev/spinpoint.partnumber.fwrev2
>>>
>>> Been there, done that, got bit where the sun doesn't shine.
>>>
>>>> Partition the new disk with fdisk (or something like that),
>>>> then use mkfs to make the file systems then use dump/restore
>>>> to move the file systems. Finally use grub-install (or lilo)
>>>> to install the boot loader.
>>>
>>> +1
>>> sfdisk -d /dev/olddisk > /product/partition.layout
>>> dump (whatever)
>>>
>>> ...years later...
>>>
>>> sfdisk /dev/newdisk < /product/partition.layout
>>> restore (whatever)
>>> grub-install (magic tbd)
>>> # SHIP IT
>>
>> I'm not positive, but I'd expect clonezilla to get this right - and
>> probably be able to expand the partition after the copy for you. Plus
>> it will save time compared to dd by not needing to copy unused disk
>> blocks and it can save a compressed image on a file server for repeated
>> cloning.
>
> Right. clonezilla is much more than dd. I would suspect that
> clonezilla is a bundling of sfdisk, dump/restore, and grub-install, or
> something like that.

Yes, dd is a worst-case fallback if it doesn't recognize the filesystem, and even then it would do each partition separately. Normally it would use partimage, partclone, or ntfsclone, automatically deciding which is best. I don't think it ever uses dump or tar, but it would be kind of nice if someone added those as a restore approach inside the wrapper that does the partitioning and setup for quick bare-metal restores from live backups.

--
Les Mikesell
lesmikes...@gmail.com
[CentOS] SELinux - way of the future or good idea but !!!
On Tue, 30 Nov 2010, Les Mikesell wrote: > ... troubleshoot any problem that SELinux might cause with > any app, ... would you like a fixed price on that quote as well? - R
[CentOS] linux-2.6.18.tar.bz2 is missing
We have to rebuild our kernel to add support for a Mainpine fax board on a CentOS 5.5 board: http://www.hylafax.org/content/Handbook:Basic_Server_Configuration:Modem-specific_Guidance#Mainpine_IQ_Express We followed all steps, but when calling rpmbuild, we are getting: [r...@hylafax SPECS]# rpmbuild -ba --target x86_64 kernel-2.6.spec Construction pour plate-formes cibles: x86_64 Construction pour cible x86_64 erreur: Fichier /usr/src/redhat/SOURCES/linux-2.6.18.tar.bz2: Aucun fichier ou répertoire de ce type So it doesn't find linux-2.6.18.tar.bz2 We do have both the kernel-devel and kernel-headers packages installed, so I don't understand why that file is missing. Googling for "linux-2.6.18.tar.bz2 is missing" didn't bring any useful info. So where/how can we rebuild or get that archive?
Re: [CentOS] linux-2.6.18.tar.bz2 is missing
2010/11/30 Pascal Robert : > We have to rebuild our kernel to add support for a Mainpine fax board on a > CentOS 5.5 board: > > http://www.hylafax.org/content/Handbook:Basic_Server_Configuration:Modem-specific_Guidance#Mainpine_IQ_Express > > We followed all steps, but when calling rpmbuild, we are getting: > > [r...@hylafax SPECS]# rpmbuild -ba --target x86_64 kernel-2.6.spec > Construction pour plate-formes cibles: x86_64 > Construction pour cible x86_64 > erreur: Fichier /usr/src/redhat/SOURCES/linux-2.6.18.tar.bz2: Aucun > fichier ou répertoire de ce type > So it doesn't find linux-2.6.18.tar.bz2 > > We do have both the kernel-devel and kernel-headers packages installed, so I > don't understand why that file is missing. Googling for > "linux-2.6.18.tar.bz2 is missing" didn't bring any useful info. So where/how > can we rebuild or get that archive? it is inside the kernel source .src.rpm package .. that one that you downloaded and installed? -- Eero
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 02:04:12 pm Benjamin Franz wrote: > On 11/30/2010 10:42 AM, Lamar Owen wrote: > > > > It boils down to balancing 'it breaks my app that I can't or won't fix' > > against 'you've been pwned!' > > Actually, it boils down to 'what causes more total costs to the > business'. Not what causes, but what could cause, in the terms of the risk analysis. The probability of the cost is part of the equation, but in many cases it becomes 'what can a single breach cost me in the worst case' and that can outweigh what seems to be large costs. You might have a small probability of infiltration, but the cost of a single infiltration (in some areas, like healthcare and financial) can be so huge that a single infiltration could bankrupt you. If you do your online banking on your laptop, it is no stretch to say that a single infiltration of your laptop has the potential to bankrupt you, or worse. Yeah, worse: the infiltrator might be malicious enough to plant illegal material on your system and make your life really miserable, as the case of Michael Fiola showed. And in the main SELinux integration is not a high cost. It may be in your area, but it hasn't been in mine. If it were that big of a problem, Red Hat wouldn't include it in the upstream due to customer pressure. SELinux, at least for me and others, has a very positive benefit to cost ratio. YMMV. > Security is not an end unto itself. It exists to support the business > making money. If a cost saving measure is costing the business more than > it is saving it, it is *not* a good idea no matter how technically > superior it is. And that's a big if. One must carefully define 'savings' in order to make an informed decision. It is a balance, that is sure. > This in a very real sense is similar to the 'how much resources should > measures to prevent shoplifting be given' in a retail store. 
If the > anti-shoplifting measures are costing *more* than the shoplifting you > are preventing - you have lost sight of the actual reason for > anti-shoplifting measures in the first place. As former loss-prevention for Kmart many years ago, I know that there's more to that than economics, there's a significant public-relations piece that's difficult to impossible to quantify. And we found it difficult in the extreme to determine how much theft the visible presence of loss-prevention personnel and equipment actually prevented. And there is an area where defense in depth is heavily practiced.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 01:55:11 pm m.r...@5-cent.us wrote: > Reality check time: selinux is a *tiny* portion of the entire Linux > market, though growing. Reality check: IDC analysts have estimated Red Hat's share of the paid commercial Linux market as 62%[1], [2], with Red Hat estimating higher [3]. That's RHEL: which ships SELinux enabled, enforcing, targeted, by default. And, this being the CentOS list, we're in a default SELinux enforcing/targeted userbase; SELinux is (in) 100% of the CentOS market, in other words. If the comparison is Ubuntu, well, I'm not so sure it so dramatically overrides, especially on the server, and maybe not even on the desktop. > However, there are a ton of apps out there, and > almost no developers who have been earning their living as programmers, > who have any knowledge of selinux. Case in point: something here, > developed in-house over the last 10-12 years, lots of cgi. Another case: > Computer Associates' SiteMinder, big bucks commercial product. CA should know better, and if they are targeting RHEL commercially they should be supporting the default RHEL configuration. From what I see, SELinux capability is more about packaging and is more in the policy than in the programs themselves; that is, there really shouldn't be any rewriting of apps required, just someone fingerprinting (using permissive mode and audit2allow) the application, and making a policy package for that application. notes: [1] http://blogs.computerworld.com/14884/who_really_has_the_most_linux_users [2] http://news.cnet.com/8301-13505_3-10312978-16.html [3] http://www.internetnews.com/bus-news/article.php/3842561/Red+Hat+Were+75+of+the+Paid+Linux+Market.htm
Re: [CentOS] linux-2.6.18.tar.bz2 is missing
Le 2010-11-30 à 14:58, Eero Volotinen a écrit : > 2010/11/30 Pascal Robert : >> We have to rebuild our kernel to add support for a Mainpine fax board on a >> CentOS 5.5 board: >> >> >> http://www.hylafax.org/content/Handbook:Basic_Server_Configuration:Modem-specific_Guidance#Mainpine_IQ_Express >> >> We followed all steps, but when calling rpmbuild, we are getting: >> >> [r...@hylafax SPECS]# rpmbuild -ba --target x86_64 kernel-2.6.spec >> Construction pour plate-formes cibles: x86_64 >> Construction pour cible x86_64 >> erreur: Fichier /usr/src/redhat/SOURCES/linux-2.6.18.tar.bz2: Aucun >> fichier ou répertoire de ce type >> So it doesn't find linux-2.6.18.tar.bz2 >> >> We do have both the kernel-devel and kernel-headers packages installed, so I >> don't understand why that file is missing. Googling for >> "linux-2.6.18.tar.bz2 is missing" didn't bring any useful info. So where/how >> can we rebuild or get that archive? > > it is inside the kernel source .src.rpm package .. that one that you > downloaded and installed? Hum, right... Nothing to see here... This is what happens when a coworker told you that he did all the steps and you trust his words :-)
Re: [CentOS] linux-2.6.18.tar.bz2 is missing
2010/11/30 Pascal Robert : > > Le 2010-11-30 à 14:58, Eero Volotinen a écrit : > >> 2010/11/30 Pascal Robert : >>> We have to rebuild our kernel to add support for a Mainpine fax board on a >>> CentOS 5.5 board: >>> >>> >>> http://www.hylafax.org/content/Handbook:Basic_Server_Configuration:Modem-specific_Guidance#Mainpine_IQ_Express >>> >>> We followed all steps, but when calling rpmbuild, we are getting: >>> >>> [r...@hylafax SPECS]# rpmbuild -ba --target x86_64 kernel-2.6.spec >>> Construction pour plate-formes cibles: x86_64 >>> Construction pour cible x86_64 >>> erreur: Fichier /usr/src/redhat/SOURCES/linux-2.6.18.tar.bz2: Aucun >>> fichier ou répertoire de ce type >>> So it doesn't find linux-2.6.18.tar.bz2 >>> >>> We do have both the kernel-devel and kernel-headers packages installed, so I >>> don't understand why that file is missing. Googling for >>> "linux-2.6.18.tar.bz2 is missing" didn't bring any useful info. So where/how >>> can we rebuild or get that archive? >> >> it is inside the kernel source .src.rpm package .. that one that you >> downloaded and installed? > > Hum, right... Nothing to see here... This is what happens when a coworker told > you that he did all the steps and you trust his words :) -- Eero, RHCE
Re: [CentOS] CF disks images and centos
On Tuesday, November 30, 2010 02:13:17 pm Robert Heller wrote: > Right. clonezilla is much more than dd. I would suspect that > clonezilla is a bundling of sfdisk, dump/restore, and grub-install, or > something like that. According to the clonezilla website, dd is one of the supported methods: "Based on Partclone (default), Partimage (optional), ntfsclone (optional), or dd to image or clone a partition. However, Clonezilla, containing some other programs, can save and restore not only partitions, but also a whole disk." I have yet to have a dd clone go awry; not that it can't happen, but in years of doing this sort of thing, on multiple different Unix-type OS's (and real AT&T Unix) I have yet to have issues there. But that reminds me that I need to get a newer clonezilla live anyway
Re: [CentOS] CF disks images and centos
On Tuesday, November 30, 2010 01:10:14 pm Brunner, Brian T. wrote: > Even if the two disks have the same manufacturer and manufacturer part > number, different firmware revisions can fail to boot after > dd if=/dev/spinpoint.partnumber.fwrev1 of=/dev/spinpoint.partnumber.fwrev2 > Been there, done that, got bit where the sun doesn't shine. Care to share specifics? This would be interesting information.
Re: [CentOS] linux-2.6.18.tar.bz2 is missing
On Tue, Nov 30, 2010 at 12:12 PM, Pascal Robert wrote: >>> [r...@hylafax SPECS]# rpmbuild -ba --target x86_64 kernel-2.6.spec You are building as root. This is a bad practice. When building a CentOS custom kernel, please try following the instructions in: http://wiki.centos.org/HowTos/Custom_Kernel Akemi
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote: > On Tuesday, November 30, 2010 01:55:11 pm m.r...@5-cent.us wrote: >> However, there are a ton of apps out there, and >> almost no developers who have been earning their living as programmers, >> who have any knowledge of selinux. Case in point: something here, >> developed in-house over the last 10-12 years, lots of cgi. Another case: >> Computer Associates' SiteMinder, big bucks commercial product. > > CA should know better, and if they are targeting RHEL commercially they > should be supporting the default RHEL configuration. Right. So, hey, do you have the rights to call CA and lean on them? Please? I can barely get the network folks, who actually can contact them, to understand selinux (I think of them as operators, not sysadmins). And I notice that you don't address the other point, all the in-house apps, and if you think management will say "sure, spend whatever it takes to rewrite that so it conforms to selinux...", you're living in somewhere I don't. And just about everywhere I've worked, both as a developer and as a sysadmin had a *lot* of in-house apps. mark
[CentOS] Help with yum and cpio: MD5 sum mismatch
I am trying to install Ruby-1.8.7p302 on a CentOS-5.5 server in preparation for a Rails-3 application deployment. I have downloaded the source from Rubyforge.org, unpacked it, and ran ./config and make. Everything built without error. I then ran checkinstall to create an rpm package. That too completed without error. However, when I try to install the resulting package using: yum localinstall /path/to/package --nogpgcheck I get this message: . . . Running Transaction Installing : ruby-1.8.7 1/1 Error unpacking rpm package ruby-1.8.7-p302-1.i386 error: unpacking of archive failed on file /usr/bin/make;4cf56119: cpio: MD5 sum mismatch Failed: ruby-1.8.7.i386 0:p302-1 Does anyone here know how to work around this? -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:byrn...@harte-lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tue, Nov 30, 2010 at 03:11:24PM -0500, Lamar Owen wrote: > Reality check: IDC analysts have estimated Red Hat's share of the paid > commercial Linux market as 62%[1], [2], with Red Hat estimating higher > [3]. That's RHEL: which ships SELinux enabled, enforcing, targeted, > by default. And, this being the CentOS list, we're in a default SELinux Reality check: how many of those installs are RedHat OOB installs with default options? I know the 10,000 machines we have where I work are all meant to be "corporate standard" and this, by default, does _not_ have SELinux enabled. > they should be supporting the default RHEL configuration. Shoulda, coulda, woulda... didna. -- rgds Stephen
Re: [CentOS] CF disks images and centos
> On Tuesday, November 30, 2010 01:10:14 pm Brunner, Brian T. wrote: > > Even if the two disks have the same manufacturer and > > manufacturer part number, different firmware revisions can fail to boot after > > dd if=/dev/spinpoint.partnumber.fwrev1 of=/dev/spinpoint.partnumber.fwrev2 > > > Been there, done that, got bit where the sun doesn't shine. > > Care to share specifics? This would be interesting information. 1: a few years back 2: we qualified Hitachi TravelStar lap-top drives (IIRC 20GB) and 3: tried to do our old method of copying a master to the multiple "programmed parts" using a disk duplicator machine (CDC Disk Duplicator, Pro Model) and found that 4: differing FW versions were incompatible (non-bootable), but the file system looked identical/perfect if the drives were mounted on a system that booted elsewhere (eg linux rescue). We found out the two groups of drives had 1 of 2 different FW versions. dd if=/dev/spinpoint.partnumber.fwrev1 of=/dev/spinpoint.partnumber.fwrev1 booted, dd if=/dev/spinpoint.partnumber.fwrev2 of=/dev/spinpoint.partnumber.fwrev2 booted; dd of fw1 to fw2, or of fw2 to fw1, did not boot. We since shifted to another drive brand and size; IIRC the old one is no longer in production; www.pricewatch.com does not list the drive as I recall it. If closer details are /needed/ by anybody, I can go bother the techs to look them up.
Re: [CentOS] SELinux - way of the future or good idea but !!!
Stephen Harris wrote: > On Tue, Nov 30, 2010 at 03:11:24PM -0500, Lamar Owen wrote: >> Reality check: IDC analysts have estimated Red Hat's share of the paid >> commercial Linux market as 62%[1], [2], with Red Hat estimating higher >> [3]. That's RHEL: which ships SELinux enabled, enforcing, targeted, >> by default. And, this being the CentOS list, we're in a default SELinux > > Reality check: how many of those installs are RedHat OOB installs with > default options? I know the 10,000 machines we have where I work are > all meant to be "corporate standard" and this, by default, does _not_ > have SELinux enabled. And how many reset them to permissive, or off, because enforcing breaks what's been working? And about apache... most of those attacks are preventable through defensive configuration and coding for httpd itself. Looking to selinux to protect you is very sloppy. > >> they should be supporting the default RHEL configuration. > > Shoulda, coulda, woulda... didna. How many folks actually use the defaults? Hell, we don't use the default partitioning scheme. mark
Re: [CentOS] Converting to Raid1
On Tuesday 30 November 2010 11:59, Matt wrote: > Have a CentOS 4.x 32 bit server running on a single 500M SATA drive. > What is easiest way to convert to RAID 1 on it? Anyone have a link? > Would be open to hardware or software just do not want to reinstall > the entire mess. http://tinyurl.com/3659gcx You are aware that you are going to need 2 partitions of equal size for the mirror? -- Regards Robert Linux The adventure of a life time. Linux User #296285 Get Counted http://counter.li.org/
Re: [CentOS] linux-2.6.18.tar.bz2 is missing
2010/11/30 Akemi Yagi : > On Tue, Nov 30, 2010 at 12:12 PM, Pascal Robert wrote: > [r...@hylafax SPECS]# rpmbuild -ba --target x86_64 kernel-2.6.spec > > You are building as root. This is a bad practice. When building a > CentOS custom kernel, please try following the instructions in: > > http://wiki.centos.org/HowTos/Custom_Kernel I suggest to use mock for building CentOS/RHEL or fedora packages. http://fedoraproject.org/wiki/Projects/Mock For example: mock -r epel-5-x86_64 --rebuild kernel.src.rpm Best regards, Morten
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 03:49:57 pm Stephen Harris wrote: > Reality check: how many of those installs are RedHat OOB installs with > default options? No idea. How many aren't default OOB? For that matter, how many CentOS installs out there are set: 1.) OOB, SELinux enforcing/targeted; 2.) SELinux permissive; 3.) SELinux off; 4.) SELinux enforcing, some other policy than targeted? I would guess no one knows. But all of my CentOS installs are OOB as concerning SELinux, except the two scalix installs, which have some custom 'stuff' thanks to the scalix instance naming.
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote: > On Tuesday, November 30, 2010 03:49:57 pm Stephen Harris wrote: >> Reality check: how many of those installs are RedHat OOB installs with >> default options? > > No idea. How many aren't default OOB? > > For that matter, how many CentOS installs out there are set: > 1.) OOB, SELinux enforcing/targeted; > 2.) SELinux permissive; > 3.) SELinux off; > 4.) SELinux enforcing, some other policy than targeted? > > I would guess no one knows. But all of my CentOS installs are OOB as > concerning SELinux, except the two scalix installs, which have some custom > 'stuff' thanks to the scalix instance naming. All I know is at the last two companies I worked at - AT&T, a small team building software for the NOC, a smaller root CA, and here at the federal agency I'm at, we either turned it off, or have it set to permissive. mark
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 03:31:44 pm m.r...@5-cent.us wrote: > Lamar Owen wrote: > > CA should know better, and if they are targeting RHEL commercially they > > should be supporting the default RHEL configuration. > Right. So, hey, do you have the rights to call CA and lean on them? Nope, sorry. Can't help you there. > And I notice that you don't address the other point, all the in-house > apps, In house apps must be addressed in-house; I'll address mine (and expose a smaller risk by integrating SELinux), and you or your company can address yours. I thought that was obvious enough to not require reply, as dealing with in house developers always invokes some degree of politics. > and if you think management will say "sure, spend whatever it takes > to rewrite that so it conforms to selinux...", you're living in somewhere > I don't. And just about everywhere I've worked, both as a developer and as > a sysadmin had a *lot* of in-house apps. We have a few; none required a rewrite; you're getting a bit melodramatic, there, as there isn't going to be any application that is going to require a complete 100% rewrite to work with SELinux. Few required much of anything to be changed, and even then all changes were to the filesystem labeling of the contexts. Nothing more. Not that we have a lot of in house apps; I try to do as much as possible with OOB CentOS, pulling in the bare minimum third-party stuff I can (Plone is the largest third-party app I pull in currently). But the targeted policy and Plone, to pull the biggest example, just worked fine with each other, no sweat, once I allowed zeo and the zope clients rights to bind the appropriate ports.
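Added illustration, not part of any message in the thread: the "fingerprinting" with permissive mode and audit2allow mentioned earlier, and the port-binding and file-labelling fixes in the message above, all start from AVC denial records. This Python example groups constructed sample records into the `allow` rule form that audit2allow prints and flags the ones that are better fixed by labelling than by a new rule. The sample log lines, the triage categories and the list of generic file types are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (PIDs, inode numbers,
# file names and ports are made up for this illustration).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291150001.101:410): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1291150001.101:410): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1291150002.220:415): avc:  denied  { read } for  pid=2188 comm="report.cgi" name="report.dat" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1291150002.221:416): avc:  denied  { getattr } for  pid=2188 comm="report.cgi" path="/var/appdata/report.dat" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1291150003.007:420): avc:  denied  { name_connect } for  pid=2190 comm="report.cgi" dest=5432 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1291150009.530:431): avc:  denied  { name_bind } for  pid=2240 comm="httpd" src=8100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")

# Assumption for this example: a file-class denial against one of these
# catch-all types usually means the file is mislabelled, not that policy is missing.
GENERIC_FILE_TYPES = {"default_t", "file_t", "var_t", "usr_t", "tmp_t"}
FILE_CLASSES = {"file", "dir", "lnk_file"}


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial; return None for any other kind of record."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    source = context_type(fields["scontext"])
    target = context_type(fields["tcontext"])
    if source is None or target is None:
        return None
    return {"source": source, "target": target,
            "tclass": fields["tclass"], "perms": set(match.group("perms").split())}


def summarise(lines):
    """Merge repeated denials: (source, target, class) -> set of permissions."""
    summary = defaultdict(set)
    for line in lines:
        record = parse_avc(line)
        if record:
            key = (record["source"], record["target"], record["tclass"])
            summary[key] |= record["perms"]
    return dict(summary)


def render_rule(key, perms):
    """Format one merged denial the way audit2allow prints an allow rule."""
    source, target, tclass = key
    names = sorted(perms)
    perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
    return f"allow {source} {target}:{tclass} {perm_text};"


def triage(key, perms):
    """Say whether labelling, rather than a new allow rule, is the likely fix."""
    _source, target, tclass = key
    if "name_bind" in perms and target == "port_t":
        return "label-port"    # port has no specific type: assign one (semanage port)
    if tclass in FILE_CLASSES and target in GENERIC_FILE_TYPES:
        return "relabel-file"  # fix the file context (semanage fcontext, restorecon)
    return "review-rule"       # candidate for a local policy module, after review


def report(log_text):
    """Return (triage, rule) pairs for every distinct denial in the log text."""
    summary = summarise(log_text.splitlines())
    return [(triage(key, summary[key]), render_rule(key, summary[key]))
            for key in sorted(summary)]


if __name__ == "__main__":
    for action, rule in report(SAMPLE_AUDIT_LOG):
        print(f"{action:13} {rule}")
```
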
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote: > On Tuesday, November 30, 2010 03:31:44 pm m.r...@5-cent.us wrote: >> Lamar Owen wrote: >> > CA should know better, and if they are targeting RHEL commercially >> > they should be supporting the default RHEL configuration. > >> Right. So, hey, do you have the rights to call CA and lean on them? > > Nope, sorry. Can't help you there. > So, that's out. >> And I notice that you don't address the other point, all the in-house >> apps, > > In house apps must be addressed in-house; I'll address mine (and expose a > smaller risk by integrating SELinux), and you or your company can address > yours. I thought that was obvious enough to not require reply, as dealing > with in house developers always invokes some degree of politics. With the developers? Ah, nope, that's *heavy* duty politics with upper management to get them to spend the money (and how does this contribute to this quarter's ROI?!?!?!) > >> and if you think management will say "sure, spend whatever it takes >> to rewrite that so it conforms to selinux...", you're living in >> somewhere I don't. And just about everywhere I've worked, both as a developer and >> as a sysadmin had a *lot* of in-house apps. > > We have a few; none required a rewrite; you're getting a bit melodramatic, > there, as there isn't going to be any application that is going to require > a complete 100% rewrite to work with SELinux. I regret to inform you there's no melodrama here. And when the codebase might be, oh, 50k, or 100k, or 250k lines, and there's all the enhancements that management (or management of other departments) want, and fixing bugs, modifying for selinux is a major budget item. mark
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 11/30/2010 3:13 PM, Marko Vojinovic wrote: > > P.S. I am just waiting for the day when SELinux is going to become locked in > enforcing mode by the kernel developers, much as the traditional permissions > system is a mandatory thing right now. :-D I thought there was a security API in the kernel that was designed specifically _not_ to lock it to an implementation. Is there a standards group for SELinux? It's one thing to follow Posix, something else to be locked to a non-standard concept. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] SELinux - way of the future or good idea but !!!
Leonard den Ottolander wrote: > With the ever increasing complexity of software is there any software > you trust? I know I don't. Are you running your Flash plugin in Mozilla > as a different user than the one you logged into under X? Care to > elaborate how to accomplish such a feat? Or can you provide any > pointers? That one's easy, don't ever install the plugin, or anything else from Adobe. Second step, set NoScript to block everything and everyone. If any site has content that requires either of those, I will never see it. That's their loss, not mine. If they want me to see it they can make it available via the approved methods. Bob McConnell N2SPP
[CentOS] Help with yum and cpio: MD5 sum mismatch
On Tue, 30 Nov 2010, James B. Byrne wrote: > make. Everything built without error. I then ran > checkinstall ... checkinstall is a third party solution and does not keep up too well > Running Transaction > Installing : ruby-1.8.7 > 1/1 > Error unpacking rpm package ruby-1.8.7-p302-1.i386 > error: unpacking of archive failed on file /usr/bin/make;4cf56119: > cpio: MD5 sum mismatch try a local install with rpm rather than yum; and add the --nomd5 option there. that said, if it is encountering a later compression (think: xz), you'll need to address the matter with a 'real' rebuild -- Russ herrold
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 01:22:53 pm m.r...@5-cent.us wrote: > Right - change *local* policy for every iteration. On the servers I would of course put policy into revision control and build it into our customization package (I've built RPM's for a long time). Then consistent contexts can get propagated across the ESX CentOS guests. And policy doesn't have to be changed for every iteration, any more than ownership or file permissions have to be kept up to date for every iteration. > I'm talking about the real, outside world, *not* my own personal system. > .. > As I said, I work in the real world with all this, and you seem to be > arguing, based on your own personal experience that those of us in the > workplace should do thus-and-so, and we're telling you what it's like in > the trenches, and why we don't like selinux. Well, Mark, I have always been an advocate of 'eating my own dog food' figuratively speaking. If I, the CIO, can't get it to work on my personal system, then it's not likely going to work when deployed to production servers, either. And since I delve into the trenches (fusion splicing fiber when needed, for that matter) nearly daily, fighting the ever present malware, the ever present spam tsunami, and the ever present risk of hacks (filled a /var/log partition one day; server VM template got an update after that to increase the size of that partition), I take a lot more rest when a known and proven security enhancement is working. Now, I'm not so naive that I'm going to say our systems aren't vulnerable; I'm sure some enterprising soul out there could probably break in, and then we'd have to clean up the mess; cost of doing business. But every reasonable step to increase security is a step I'm willing to take; especially when the cost is small, in my production server farm, with the mix of applications we run. YMMV. The OP asked " Question is whether worth pursuing as SELinux is the way of the future. 
Or is SELinux a good idea that never really made its way into the sun." My opinion, and the opinion of Upstream (judging from the OOB setup), among many other studied opinions here on this list, is that the OP (Alison, I think?) should study SELinux, as it is most definitely going to increase in the future. It's not going away, and falling back on permissive mode as the final operating state is just going ostrich on the problems out there. I truly do sympathize with your situation; the malicious attackers out there looking for a way in to every system they can get their grubby little paws on will not sympathize, and if the lack of SELinux support creates a hole, they will exploit it. And I've read through some forum postings from you on your issues with SiteMinder; so I understand it's frustrating. I do understand that. This thread has already, for me at least, further reinforced the need to better understand the workings of SELinux; the documentation has improved a lot since I last read it, so now is the time to dig back in and see if some improvements have been made. Because, no, it's not as easy as it should be, and, yes it can sometimes break in arcane ways (but so can KDE, or GNOME, or anything else). But it is worth studying, which is the answer I give to the OP's question.
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote: > On Tuesday, November 30, 2010 01:22:53 pm m.r...@5-cent.us wrote: >> I'm talking about the real, outside world, *not* my own personal system. >> .. >> As I said, I work in the real world with all this, and you seem to be >> arguing, based on your own personal experience that those of us in the >> workplace should do thus-and-so, and we're telling you what it's like in >> the trenches, and why we don't like selinux. > > Well, Mark, I have always been an advocate of 'eating my own dog food' > figuratively speaking. If I, the CIO, can't get it to work on my personal > system, then it's not likely going to work when deployed to production Oh, I see: you're the CIO? So you can mandate this. Not having ever been anywhere near a management position, and all of my managers (with three exceptions, one small, and two microscopically small) being at least 3 levels of management down from VP level, and mostly they have no clue about selinux, if they're not Windows-centric, not where I live. mark
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 04:52:42 pm Les Mikesell wrote: > I thought there was a security API in the kernel that was designed > specifically _not_ to lock it to an implementation. Yes; Linux Security Modules (LSM). According to the wikipedia.org page on said subject, the current 'officially' recognized modules are: AppArmor, SELinux, SMACK, and TOMOYO Linux. > Is there a > standards group for SELinux? It's one thing to follow Posix, something > else to be locked to a non-standard concept. Hmmm, https://security.wiki.kernel.org/index.php/Projects seems to be the place to look for information on the general topic of security (and lists more modules than the Wikipedia article referenced above). The SELinux site itself is selinuxproject.org which has a lot of information; quite a bit updated since the last time I looked. It's as standard as pretty much any other open source project; there have been several developer summits, for instance, and it has some well established commercial players working together. But if you're looking for an ISO or ANSI or IEEE committee, no, none that I can tell. Nor is there one for the Linux kernel, or for glibc, for that matter. Or TCP/IP, either.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Wednesday, December 01, 2010 04:54 AM, m.r...@5-cent.us wrote:
> And about apache... most of those attacks are preventable through
> defensive configuration and coding for httpd itself. Looking to selinux to
> protect you is very sloppy.

The key word is most. If one bothered to go through all the steps to lock down apache, one can also bother to apply the similar stuff with SELinux which would be much more comprehensive and take care of the other 1% or whatever cases too.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote:
> That one's easy, don't ever install the plugin, or anything else from
> Adobe. Second step, set NoScript to block everything and everyone. If
> any site has content that requires either of those, I will never see it.
> That's their loss, not mine. If they want me to see it they can make it
> available via the approved methods.

Well, that's the point: there are corporate/enterprise applications written in various scripting languages that you simply have to use if you are that corporation's employee. Whitelisting sites is good; being able to restrict the plugin's access is better. AJAXed applications are becoming the norm, not the exception, and I have seen (and evaluated) applications where the client was in Air, or Flash (that had to have a particular Flash plugin, and the non-Adobe solutions weren't acceptable), or had fillable PDF's, and other interesting things along those lines.

And the number of Java applications that require the Oracle 1.6 JRE are numerous; many won't work with OpenJDK. So you have to have an Oracle JRE. And, yes, those can be a challenge to integrate properly (SELinux or no SELinux). Scalix, for instance, is primarily written in Java (so is OpenXchange, for that matter), but at least it bundles a tested JRE and plays nice with the SELinux targeted policy.
Re: [CentOS] SELinux - way of the future or good idea but !!!
Lamar Owen wrote:
> On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote:
>> That one's easy, don't ever install the plugin, or anything else from
>> Adobe. Second step, set NoScript to block everything and everyone. If
>> any site has content that requires either of those, I will never see it.
>> That's their loss, not mine. If they want me to see it they can make it
>> available via the approved methods.
>
> Well, that's the point: there are corporate/enterprise applications
> written in various scripting languages that you simply have to use if you
> are that corporation's employee. Whitelisting sites is good; being able

On this, I have to agree with Lamar. Last summer - or was it the year before? - when I was job-hunting, I saw one corporate "career" page - maybe Lockheed-Martin? - anyway, they had an idiot flash video of someone talking about their "featured jobs". And a year or two before, I saw a corporate web page (not a consulting firm) that WOULD NOT ALLOW YOU onto the page to fill out an application and offer your resume if you didn't have flash!!!

mark "go find a job in Hollywood"
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 11/30/10 12:31 PM, m.r...@5-cent.us wrote:
> And I notice that you don't address the other point, all the in-house
> apps, and if you think management will say "sure, spend whatever it takes
> to rewrite that so it conforms to selinux...", you're living in somewhere
> I don't. And just about everywhere I've worked, both as a developer and as
> a sysadmin had a *lot* of in-house apps.

90% of the time, you just have to reorganize the application installation directories to better suit the default settings.

for instance, all our java-ware can run just fine in /home/$APPUSER/$APPNAME and run as a regular user. if we want to put it in /opt/$COMPANY/$APP then we might have to play with selinux defaults some, since /opt isn't part of the RHEL mindset.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tuesday, November 30, 2010 06:04:56 pm John R Pierce wrote:
> for instance, all our java-ware can run just fine in
> /home/$APPUSER/$APPNAME and run as a regular user. if we want to put
> it in /opt/$COMPANY/$APP then we might have to play with selinux
> defaults some, since /opt isn't part of the RHEL mindset.

Yep; Scalix plays in /opt/scalix (among others), and that was one of the things we had to address.
[CentOS] Guide to SELinux
Since the "SELinux - way of the future or good idea but !!!" thread is deep in heated discussion, I decided not to derail to ask a simple question.

I found this guide for SELinux: http://www.linux-books.us/centos_0005.php and it looks like it's straight out of RedHat. However, it's dated 2005. Will this be sufficient to help understand a CentOS 5 - or 6 - installation of SELinux? Is there a more recent guide (freely) available out there?

Thanks in advance,
Rob
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tue, Nov 30, 2010 at 4:19 PM, wrote:
> Lamar Owen wrote:
>> On Tuesday, November 30, 2010 03:49:57 pm Stephen Harris wrote:
>>> Reality check: how many of those installs are RedHat OOB installs with
>>> default options?
>>
>> No idea. How many aren't default OOB?
>>
>> For that matter, how many CentOS installs are out there are set:
>> 1.) OOB, SELinux enforcing/targeted;
>> 2.) SELinux permissive;
>> 3.) SELinux off;
>> 4.) SELinux enforcing, some other policy than targeted?
>>
>> I would guess no one knows. But all of my CentOS installs are OOB as
>> concerning SELinux, except the two scalix installs, which have some custom
>> 'stuff' thanks to the scalix instance naming.
>
> All I know is at the last two companies I worked at - AT&T, a small team
> building software for the NOC, a smaller root CA, and here at the federal
> agency I'm at, we either turned it off, or have it set to permissive.

I disabled it on the last 1000 hosts *I* installed
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tue, Nov 30, 2010 at 5:23 PM, Lamar Owen wrote:
> On Tuesday, November 30, 2010 04:53:38 pm Bob McConnell wrote:
>> That one's easy, don't ever install the plugin, or anything else from
>> Adobe. Second step, set NoScript to block everything and everyone. If
>> any site has content that requires either of those, I will never see it.
>> That's their loss, not mine. If they want me to see it they can make it
>> available via the approved methods.
>
> Well, that's the point: there are corporate/enterprise applications written
> in various scripting languages that you simply have to use if you are that
> corporation's employee. Whitelisting sites is good; being able to restrict
> the plugin's access is better. AJAXed applications are becoming the norm,
> not the exception, and I have seen (and evaluated) applications where the
> client was in Air, or Flash (that had to have a particular Flash plugin, and
> the non-Adobe solutions weren't acceptable), or had fillable PDF's, and other
> interesting things along those lines.
>
> And the number of Java applications that require the Oracle 1.6 JRE are
> numerous; many won't work with OpenJDK. So you have to have an Oracle JRE.
> And, yes, those can be a challenge to integrate properly (SELinux or no
> SELinux). Scalix, for instance, is primarily written in Java (so is
> OpenXchange, for that matter), but at least it bundles a tested JRE and plays
> nice with the SELinux targeted policy.

No, *THAT* is the sort of reason that I got involved in JPackage packaging of JDK RPM's
Re: [CentOS] Help with yum and cpio: MD5 sum mismatch
On Tue, Nov 30, 2010 at 3:48 PM, James B. Byrne wrote:
> I am trying to install Ruby-1.8.7p302 on a CentOS-5.5 server in
> preparation for a Rails-3 application deployment. I have downloaded
> the source from Rubyforge.org, unpacked it, and ran ./config and
> make. Everything built without error. I then ran checkinstall to
> create an rpm package. That too completed without error.

Your RPM was built on a Fedora, RHEL 6, or other more recent OS with the updated version of RPM. I'm afraid you'll have to recompile it to get it to work well: use 'rpm2cpio' to take apart the SRPM and get the files, then deposit them in a relevant "SOURCES" directory with the .spec file in your relevant SPECS directory, and try to rebuild RPM's with the .spec file.

I can get into more detail if you need it, but it's how I backported Torque 2.4.10 to RHEL 5 from the EPEL RHEL 6 repository two weeks ago.
Re: [CentOS] Samsung CLP-325W network connection?
fred smith wrote:
> On Mon, Nov 29, 2010 at 07:50:45PM +, Timothy Murphy wrote:
>> Anyone got this working over a LAN under CentOS?
>> The instructions claim it is easy to connect
>> after pressing the WPS button on printer and router.
>>
>> Sadly, I don't see a WPS button on my Linksys WRT54GL router.
>
> I'm not at home right now where I can go look, but I think MY wrt54gl
> has a WPS button. I've never found a use for it,

I've looked carefully, and I'm pretty sure there is no such button on my WRT54GL; the only button is called Reset.

> As someone else has already suggested, if you can access the printer
> via hard-wired network, you can set it up the way you want instead
> of the way some marketing-droid thinks he'd like you to do it.

I've installed the UnifiedLinuxDriver_1.07 from Samsung, and this allows me to setup (and use) the printer after connecting to my router with ethernet, and then I can access the printer web-page at the IP address (192.168.2.33) given by dhcpd on my LAN.

Unfortunately this web-page does not indicate any way of connecting the printer by WiFi.

It seems to me that I shall have to run Windows on my server, at least temporarily, to setup this printer as a WiFi device.

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
Re: [CentOS] Samsung CLP-325W network connection?
John R Pierce wrote:
>> The instructions claim it is easy to connect
>> after pressing the WPS button on printer and router.
>>
>> Sadly, I don't see a WPS button on my Linksys WRT54GL router.
> does this printer have any other connectivity options?

It does; I have set it up using an Ethernet connection to my router.

> if its got
> ethernet, maybe you can plug it in via ethernet, and then access its
> wireless configuration and manually set it up

Unfortunately, I don't see any way of setting up a wireless configuration even though I can access the printer's web-page at its IP address.

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
Re: [CentOS] Samsung CLP-325W network connection?
Eero Volotinen wrote:
>> Anyone got this working over a LAN under CentOS?
> http://www.openprinting.org/printer/Samsung/Samsung-CLP-325w
>
> at least printer is supported.

I did read this web-page. Unfortunately the author does not say whether he/she configured the printer to work through WiFi.

> You should configure wlan by hand..

How, exactly?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
Re: [CentOS] Samsung CLP-325W network connection?
On 11/30/10 6:26 PM, Timothy Murphy wrote:
>
>> You should configure wlan by hand..
> How, exactly?

probably by hooking the printer up to ethernet, finding its IP address (maybe on a self-test printout?) then connecting to its IP with whatever configuration management they offer (my Brother has a webserver in it), and setup the wireless for whatever you use (WPA-PSK, the passkey, the SSID, etc), then see if you can disconnect the ethernet and it comes up on wireless. then you'd need to find the IP it's been assigned on wireless, and point the Linux print drivers at that IP.
Re: [CentOS] Samsung CLP-325W network connection?
On Wed, Dec 01, 2010 at 02:19:21AM +, Timothy Murphy wrote:
> fred smith wrote:
>
> > On Mon, Nov 29, 2010 at 07:50:45PM +, Timothy Murphy wrote:
> >> Anyone got this working over a LAN under CentOS?
> >> The instructions claim it is easy to connect
> >> after pressing the WPS button on printer and router.
> >>
> >> Sadly, I don't see a WPS button on my Linksys WRT54GL router.
> >
> > I'm not at home right now where I can go look, but I think MY wrt54gl
> > has a WPS button. I've never found a use for it,
>
> I've looked carefully, and I'm pretty sure there is no such button
> on my WRT54GL; the only button is called Reset.

I'm at home now, so I just took a look at my wrt54gl and you're right, nothing labeled WPS. but it has something labeled "easy secure setup" which may, or may not, be the same thing. whatever it is, I've never used it.

>
> > As someone else has already suggested, if you can access the printer
> > via hard-wired network, you can set it up the way you want instead
> > of the way some marketing-droid thinks he'd like you to do it.
>
> I've installed the UnifiedLinuxDriver_1.07 from Samsung,
> and this allows me to setup (and use) the printer
> after connecting to my router with ethernet,
> and then I can access the printer web-page
> at the IP address (192.168.2.33) given by dhcpd on my LAN.
>
> Unfortunately this web-page does not indicate any way
> of connecting the printer by WiFi.
>
> It seems to me that I shall have to run Windows on my server,
> at least temporarily, to setup this printer as a WiFi device.

there's gotta be a way. or one would think so. Does the MFG provide any user forums where you might find a solution?

--
Fred Smith -- fre...@fcshome.stoneham.ma.us
The Lord detests the way of the wicked but he loves those who pursue righteousness. - Proverbs 15:9 (niv)
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tue, Nov 30, 2010 at 10:28 PM, Marko Vojinovic wrote:
> On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
>> And about apache... most of those attacks are preventable through
>> defensive configuration and coding for httpd itself. Looking to selinux to
>> protect you is very sloppy.
>
> So a guy in a circus, performing acrobatics on a trapeze doesn't actually ever
> need a safety fishnet below, right? All he needs to do is make sure never to
> slip, or miss to catch the trapeze bar while performing. If he isn't sloppy,
> he will never fall. Simple. ;-)

Historically (although it's gotten better), the SELinux net was erected by blocking off all the ladders to the trapeze. This is great for safety of bystanders and keeping the clowns from making the trapeze slippery with cream pies, but made it hard to actually entertain the crowd. And entertaining the crowd is what a circus gets paid for.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Wednesday, December 01, 2010 11:37 AM, Nico Kadel-Garcia wrote:
> On Tue, Nov 30, 2010 at 10:28 PM, Marko Vojinovic wrote:
>> On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
>>> And about apache... most of those attacks are preventable through
>>> defensive configuration and coding for httpd itself. Looking to selinux to
>>> protect you is very sloppy.
>>
>> So a guy in a circus, performing acrobatics on a trapeze doesn't actually
>> ever
>> need a safety fishnet below, right? All he needs to do is make sure never to
>> slip, or miss to catch the trapeze bar while performing. If he isn't sloppy,
>> he will never fall. Simple. ;-)
>
> Historically (although it's gotten better), the SELinux net was
> erected by blocking off all the ladders to the trapeze. This is great
> for safety of bystanders and keeping the clowns from making the
> trapeze slippery with cream pies, but made it hard to actually
> entertain the crowd. And entertaining the crowd is what a circus gets
> paid for.

Kinda hard to blame the net if the performers don't want to learn how to use the access ports provided to get through. Maybe the circus should think about getting performers willing to do that and not have to worry about insurance for not using a net.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 11/30/10 9:28 PM, Marko Vojinovic wrote:
> On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
>> And about apache... most of those attacks are preventable through
>> defensive configuration and coding for httpd itself. Looking to selinux to
>> protect you is very sloppy.
>
> So a guy in a circus, performing acrobatics on a trapeze doesn't actually ever
> need a safety fishnet below, right? All he needs to do is make sure never to
> slip, or miss to catch the trapeze bar while performing. If he isn't sloppy,
> he will never fall. Simple. ;-)

Analogies rarely work well, but this one would be better if you assume the crew doesn't have time to do a good job of setting up both the trapeze rigging and the net. Would you rather have a trapeze you can trust or a trapeze and a net both badly rigged and likely to break?

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] how to separate individual logs?
On 11/30/10, Tony Schreiner wrote:
> That error would happen if you did not have a space between [ and $?
>
> Tony Schreiner
>

Thank you very much for your help. Actually, I didn't have a clear understanding of your code. Sorry for my misunderstanding. Now I have analyzed the code and totally understand it. I corrected my mistake in typing the command but I am still receiving the following error:
'-bash: $LOGFILE: ambiguous redirect'
Can you please do me a favor and correct me on my mistake? Please be informed that I am using centos 5.2
[CentOS] centos 5.5 - not detecting internet connection
Good day,

By accident booted with dsl internet not connected. When reconnecting dsl - centos did not detect it. Is there a way to make it trigger detection rather than rebooting, please?

Thanks
Regards
Johan
Re: [CentOS] centos 5.5 - not detecting internet connection
On Wed, 01 Dec 2010 07:34:19 +0200 Johan Scheepers wrote:
> By accident booted with dsl internet not connected.
> When reconnecting dsl - centos did not detect it.
> Is there a way to make it trigger detection rather then rebooting Please.

If you're using DHCP and not using Network Manager then go to system-config-network (main menu-preferences-administration-network) and click on activate.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: [CentOS] SELinux - way of the future or good idea but !!!
>>> I would guess no one knows. But all of my CentOS installs are OOB as
>>> concerning SELinux, except the two scalix installs, which have some
>>> custom
>>> 'stuff' thanks to the scalix instance naming.
>>
>> All I know is at the last two companies I worked at - AT&T, a small team
>> building software for the NOC, a smaller root CA, and here at the federal
>> agency I'm at, we either turned it off, or have it set to permissive.
>
> I disabled it on the last 1000 hosts *I* installed

Hmmm... it would be interesting to take some Centos systems with production-like deployments (say 3 with SELinux and 3 without) and ask a professional pen-tester to try to get into them. Anyone willing to contribute funds (or time) to such a study? It would be an educational experience and good PR, at the least.
Re: [CentOS] Guide to SELinux
2010/12/1 Rob Del Vecchio :
> Since the "SELinux - way of the future or good idea but !!!" thread is deep
> in heated discussion, I decided not to derail to ask a simple question.
> I found this guide for
> SELinux: http://www.linux-books.us/centos_0005.php and it looks like it's
> straight out of RedHat.
> However, it's dated 2005. Will this be sufficient to help understand a
> CentOS 5 - or 6 - installation of SELinux?
> Is there a more recent guide (freely) available out there?

See docs.redhat.com @ http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html

--
Eero
Re: [CentOS] how to separate individual logs?
On 11/30/10, John Doe wrote:
>
> My pseudo-code does exactly what you described (re-read it)...
>
> And it creates .log files...
> $ ll -n
> total 36
> -rw-r--r-- 1 2000 500 4678 nov 30 10:49 Edit3
> -rw-r--r-- 1 2000 500 39 nov 30 10:54 HLR.log
> -rw-r--r-- 1 2000 500 2320 nov 30 10:54 IPTR.log
> -rw-r--r-- 1 2000 500 478 nov 30 10:54 SCCP.log
> -rw-r--r-- 1 2000 500 754 nov 30 10:54 SNMP.log
> -rw-r--r-- 1 2000 500 507 nov 30 10:54 TCAP.log
> -rw-r--r-- 1 2000 500 281 nov 30 10:54 XAPP.log
> -rwxr-xr-x 1 2000 500 207 nov 30 10:54 test.sh*
>
> If you think it is not doing it, I cannot help you...
> Either ask your sysadmin to help you, or use someone else code...
>
> JD
>

Thank you very much for your technical support. I carefully read your code and analyzed it. Now I can understand it. Sorry for my misunderstanding. I tried to run it but got an error. I even tried to make it a script file and made it executable but I am still getting the following error:
'syntax error near unexpected token 'done' 'done'
I am using centos 5.2. It seems that something is wrong in my case. Can you please help me?
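
An added example, not code posted by anyone in this thread: a hardened version of the log-splitting loop under discussion. Bash reports "ambiguous redirect" when an unquoted redirect target such as $LOGFILE expands to nothing or to several words, so this version quotes the target, writes only after a valid header has been seen, and rejects module names that would be unsafe as file names. The function name, the sample header layout (`MODULE >..`) and the allowed character set are assumptions.

```shell
#!/bin/sh
# Added example: split a combined log into one file per module.
# Assumed format (constructed from the thread's description): a header line
# contains the marker '>..' and its first space-separated field is the module
# name; the lines that follow belong to that module.

# split_module_logs INFILE OUTDIR
# Returns 0 if every body line was written, 2 if any line had to be skipped,
# 1 if the output directory could not be created.
split_module_logs() (
    infile=$1
    outdir=$2
    logfile=""      # stays empty until a valid header has been seen
    skipped=0
    mkdir -p -- "$outdir" || exit 1

    # '|| [ -n "$line" ]' keeps a final line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *'>..'*)
                name=${line%% *}        # first field, without cut or backticks
                case $name in
                    '' | *[!A-Za-z0-9_-]*)
                        # The name comes from the log itself; refuse anything
                        # that could leave OUTDIR (for example '../x').
                        printf 'skipping header with unsafe name: %s\n' "$line" >&2
                        logfile=""
                        skipped=$((skipped + 1))
                        ;;
                    *)
                        logfile=$outdir/$name.log
                        ;;
                esac
                ;;
            *)
                if [ -n "$logfile" ]; then
                    # Quoted target: no word splitting, and never empty here.
                    printf '%s\n' "$line" >> "$logfile"
                else
                    # An unquoted, empty $LOGFILE at this point is what makes
                    # bash print "ambiguous redirect".
                    skipped=$((skipped + 1))
                fi
                ;;
        esac
    done < "$infile"

    [ "$skipped" -eq 0 ] || exit 2
)
```

A return status of 2 means some lines appeared before the first header or under a rejected header; the rejected header lines are reported on stderr.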