[CentOS] CentOS-announce Digest, Vol 101, Issue 6

[centos-announce-request]

Send CentOS-announce mailing list submissions to
centos-annou...@centos.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.centos.org/mailman/listinfo/centos-announce
or, via email, send a message with subject or body 'help' to
centos-announce-requ...@centos.org

You can reach the person managing the list at
centos-announce-ow...@centos.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS-announce digest..."


Today's Topics:

   1. CEEA-2013:1025  CentOS 5 tzdata Update (Johnny Hughes)
   2. CEEA-2013:1025  CentOS 6 tzdata Update (Johnny Hughes)
   3. CEBA-2013:1036 CentOS 6 ibus-hangul FASTTRACK Update
  (Johnny Hughes)


--

Message: 1
Date: Tue, 9 Jul 2013 11:05:31 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEEA-2013:1025  CentOS 5 tzdata Update
To: centos-annou...@centos.org
Message-ID: <20130709110531.ga20...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Enhancement Advisory 2013:1025 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2013-1025.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
281cd1085064ef4fd068838d8b4249b38ad10c006f04195ac56bb8f69f6f845b  
tzdata-2013c-2.el5.i386.rpm
35373d693d8965bc3d847d92839ddb7934f920eedac41822128664922901e094  
tzdata-java-2013c-2.el5.i386.rpm

x86_64:
0ca9d0fd0634df1d9007653f5d29fa420838520485c29f5c2dd158a8b65e6c4e  
tzdata-2013c-2.el5.x86_64.rpm
5f7b300b2ece95ba0372ae126f7c23b95ce2e2b2dacd11b44a2ac295e8122410  
tzdata-java-2013c-2.el5.x86_64.rpm

Source:
3f0632a84264f02b6aaf60b156980801b826b762e810c37815aa7b622134fa31  
tzdata-2013c-2.el5.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

Message: 2
Date: Tue, 9 Jul 2013 12:47:29 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEEA-2013:1025  CentOS 6 tzdata Update
To: centos-annou...@centos.org
Message-ID: <20130709124729.ga50...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Enhancement Advisory 2013:1025 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2013-1025.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
c9534b3f1b49068bfc2f4925aa6f17670d9577f43478c20ef68b37975adb41a9  
tzdata-2013c-2.el6.noarch.rpm
350c4cfc1098dd8c997aae6dec030c35e69b4ccde9c6750624ff38e4e563c611  
tzdata-java-2013c-2.el6.noarch.rpm

x86_64:
c9534b3f1b49068bfc2f4925aa6f17670d9577f43478c20ef68b37975adb41a9  
tzdata-2013c-2.el6.noarch.rpm
350c4cfc1098dd8c997aae6dec030c35e69b4ccde9c6750624ff38e4e563c611  
tzdata-java-2013c-2.el6.noarch.rpm

Source:
c4e91b7a79faec1b915884298d6ed40088b768bf8761036e94e0a4af3275db4e  
tzdata-2013c-2.el6.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

Message: 3
Date: Wed, 10 Jul 2013 09:16:25 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEBA-2013:1036 CentOS 6 ibus-hangul
FASTTRACK   Update
To: centos-annou...@centos.org
Message-ID: <20130710091625.ga64...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Bugfix Advisory 2013:1036 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-1036.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
87741a71934a7768442e60f3b5bf5cc95627cf3602202396d94a85eea5842872  
ibus-hangul-1.3.0.20100329-6.el6.i686.rpm

x86_64:
6206b30b537b13d11d5eaa3f051d8a6d0dac87c6edf46dbf54c9b25a12cd7dbd  
ibus-hangul-1.3.0.20100329-6.el6.x86_64.rpm

Source:
c30566424afcda83b6e086652907bae3e81aea47ef94e4a846504d47eb5aeb7b  
ibus-hangul-1.3.0.20100329-6.el6.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

___
CentOS-announce mailing list
centos-annou...@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce


End of CentOS-announce Digest, Vol 101, Issue 6
***
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Understanding RPM trigger scripts?

[James Pearson]

Denniston, Todd A CIV NAVSURFWARCENDIV Crane wrote:
> While looking into doing similar things a few years ago I ran across the
> following PDF.
> It has several pages on doing triggers, and looked promising to help my
> understanding, I just got pulled onto a different project before getting
> to test out the ideas.
> I think page 25 would be of interest to you.
> 
> http://www.redhat.com/promo/summit/2010/presentations/summit/opensource-
> for-it-leaders/thurs/pwaterma-2-rpm/RPM-ifying-System-Configurations.pdf
> 
> I hope this pointer to info helps.

Thanks - but it doesn't really give any more info that isn't elsewhere 
on the Web e.g. it doesn't give any clues on how to check if the trigger 
script is being run by the RPM containing the trigger script or by the 
triggering RPM

After several hours of installing, upgrading, removing, etc (in various 
combinations) test trigger and triggering RPMS, I think I've now got 
something that I can work with - it's a bit messy, but it will now work 
in a predictable fashion

Thanks

James Pearson
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Disabling user switching in CentOS 6

[James Pearson]

Vanhorn, Mike wrote:
> 
>>We've applied the patch available from
>> to the gnome-session
>>SRPM - which works for us (with the above gconf settings)
> 
> Interestingly, I have just done the same thing, but the user switching is
> still enabled and functioning.

I've just 'downgraded' gnome-session to the default version - and now 
when I logout, I have a (working) 'Switch User' button on the 'Log out 
of this system now?' window

Upgrading to our modified gnome-session RPM and, after a reboot, that 
button is gone ...

James Pearson
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] CentOS Dojo and Barbecue - Aldershot, UK on 12th July 2013

[Karanbir Singh]

> Details on the day: http://wiki.centos.org/Events/Dojo/Aldershot2013
> Registration URL : http://centosdojoaldershot.eventbrite.co.uk/#

Couple of days left, we still have 4 slots open - get them while you can!

- KB

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] postfix as default MTA

[Timothy Murphy]

Ron Loftin wrote:

> I can't speak directly to RedHat's reasoning, but I can say that I find
> Postfix MUCH easier to deal with than Sendmail.  After 20+ years in
> Unix/Linux system admin, I still find Sendmail arcane and confusing,
> while Postfix configuration details are much more comprehensible to the
> ordinary mortal mind.

For a contrary opinion, while sendmail.cf is difficult to follow,
I've never found sendmail.mc too difficult.

However, I'm finding postfix very difficult to configure with spamassassin.
Postfix/dovecot works well enough,
but the recommended addition of amavisd-new with clamav and spamassassin
seems extraordinarily complicated and spaghetti-like,
and I haven't found any documentation in *.centos.org
that describes the specific spamassassin side of the setup.
[The alternative sendmail/procmail/spamassassin combination
I run on another server seems much easier to follow.]

Everything on my server appears to be running as it should,
but I don't think any spam is being caught.
Eg I have set
ok_languages en it fr de ga
in /etc/mail/spamassassin/local.cf (and re-started spamassassin)
but I am still inundated with chinese spam.

If anyone knows of any documentation on the recommended CentOS setup
of postfix/dovecot with amavis, clamav and spamassassin
I should be grateful for a pointer.

What I'd really like is to see what happens to a given email
as it goes through its rather complicated journey through my system.

In particular, I don't really see the point of amavis,
since as far as I can see spamassassin can be used directly with postfix.
(I don't care about clamav, as I don't think I'd be tempted
to read any email likely to infect my system.]

Any advice or elucidation gratefully received,
especially from anyone running this 5-program email combination.

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
School of Mathematics, Trinity College, Dublin 2, Ireland


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

[CentOS] 36-Year-Old Seth Vidal Tragically Killed

[Larry Martell]

This is a big loss to the open source community. I sure hope they
catch the driver.


http://www.businessinsider.com/36-year-old-seth-vidal-tragically-killed-2013-7
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] httpd ssl problems

[Nemrow, Jason]

Yep. I disabled SELinux and everything is working now for ssl and apache.  I 
will have to look later and study up on how to make SELinux work with this 
setup.

Thanks a Lot!!!

Jason Nemrow
Systems Operations Specialist
Information Technology Services
Eastern New Mexico University


-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Larry Martell
Sent: Tuesday, July 09, 2013 3:10 PM
To: CentOS mailing list
Subject: Re: [CentOS] httpd ssl problems

On Tue, Jul 9, 2013 at 3:06 PM, Nemrow, Jason  wrote:
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Larry Martell
> Sent: Tuesday, July 09, 2013 3:00 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] httpd ssl problems
>
> On Tue, Jul 9, 2013 at 2:56 PM, Nemrow, Jason  wrote:
>> Not much of a noob, but I will try.
>>
>> I just configured httpd and installed mod_ssl and got my certificate from 
>> GoDaddy and put them on the server with ssl.conf pointing at them.  I am 
>> getting this error:
>>
>> SSLCertificateFile: file '/etc/pki/tls/certs/enmu.edu.crt' does not
>> exist or is empty
>>
>> It's a cute error. I have checked several times for misspellings, looked at 
>> the enmu.edu.crt file (looks like a cert to me) and I can certify that it is 
>> not empty and it most certainly exists. Want some proof? Here...
>>
>> [root@itsnv607 ~]# ls -l /etc/pki/tls/certs total 1224
>> -rw-r--r--. 1 root   root   571450 Apr  7  2010 ca-bundle.crt
>> -rw-r--r--. 1 root   root   651083 Apr  7  2010 ca-bundle.trust.crt
>> -rw-r--r--. 1 apache apache   1874 Jul  9 11:54 enmu.edu.crt
>> -rwxr-xr-x. 1 root   root 3197 Jul  9 11:54 gd_bundle.crt
>> -rw---. 1 root   root 1164 Jul  8 14:33 localhost.crt
>> -rwxr-xr-x. 1 root   root  610 Feb 21 16:45 make-dummy-cert
>> -rw-r--r--. 1 root   root 2242 Feb 21 16:45 Makefile
>> -rwxr-xr-x. 1 root   root 1131 Jul  9 11:52 www.enmu.edu.csr
>> -rwxr-xr-x. 1 root   root 1708 Jul  9 11:52 
>> www.enmu.edu.key
>>
>> Just for fun, I started playing with permissions, just in case that mattered 
>> (it didn't). You can see that enmu.edu.crt is there, where it is supposed to 
>> be, and is not empty.
>>
>> What would cause this error besides what it actually says?

> Permissions on the dir? selinux?

> Well, I don't see a problem with permissions on the directory (the certs 
> directory):
>
> [root@itsnv607 ~]# ls -l /etc/pki/tls
> total 24
> lrwxrwxrwx. 1 root root19 Jul  8 14:31 cert.pem -> certs/ca-bundle.crt
> drwxr-xr-x. 2 root root  4096 Jul  9 12:57 certs drwxr-xr-x. 2 root
> root  4096 Jul  8 14:32 misc -rw-r--r--. 1 root root 10906 Oct 12
> 2012 openssl.cnf drwxr-xr-x. 2 root root  4096 Jul  8 14:33 private
>
> I am reading up on SELinux to see if it's mucking things up...

As a quick test you can disable it and see if that fixes it.

echo 0 >/selinux/enforce
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos






Confidentiality Notice:

This e-mail, including all attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information as defined 
under FERPA. Any unauthorized review, use, disclosure or distribution is 
prohibited unless specifically provided under the New Mexico Inspection of 
Public Records Act. If you are not the intended recipient, please contact the 
sender and destroy all copies of this message
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[Johnny Hughes]

On 07/10/2013 11:46 AM, Larry Martell wrote:
> This is a big loss to the open source community. I sure hope they
> catch the driver.
>
>
> http://www.businessinsider.com/36-year-old-seth-vidal-tragically-killed-2013-7

The driver has now turned himself in.

Seth was a contributor to CentOS in the early days and all the CentOS
Project guys knew him.  Very sad event.  My thoughts and prayers are
with his family in their time of loss.

Thanks,
Johnny Hughes




signature.asc
Description: OpenPGP digital signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[Ljubomir Ljubojevic]

On 07/10/2013 06:46 PM, Larry Martell wrote:
> This is a big loss to the open source community. I sure hope they
> catch the driver.
>
>
> http://www.businessinsider.com/36-year-old-seth-vidal-tragically-killed-2013-7

Driver already turned him self in. He was driving with suspended driving 
license.


-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[John R. Dennison]

On Wed, Jul 10, 2013 at 07:18:45PM +0200, Ljubomir Ljubojevic wrote:
> 
> Driver already turned him self in. He was driving with suspended driving 
> license.

Revoked.  Subtle yet very important difference.





John
-- 
One man's ways may be as good as another's, but we all like our own best.

-- Jane Austen (16 December 1775 - 18 July 1817), English novelist,
   Persuasion (posthumous, 1818)


pgp24kxAvEGeb.pgp
Description: PGP signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] httpd ssl problems

[Larry Martell]

On Wed, Jul 10, 2013 at 10:51 AM, Nemrow, Jason  wrote:
> Yep. I disabled SELinux and everything is working now for ssl and apache.  I 
> will have to look later and study up on how to make SELinux work with this 
> setup.

It's always selinux ;-)

If you install the selinux utilities (policycoreutils-python) then you
can use them to set up the security polices. Look in
/var/log/audit/audit.log for the offending lines and then use commands
like this, for example this is what I had to do to allow mysqld to
run:

sudo audit2allow -a -m mysqld > /tmp/mysqld.te
sudo checkmodule -M -m /tmp/mysqld.te -o /tmp/mysqld.mod
sudo semodule_package -o /tmp/mysqld.pp -m /tmp/mysqld.mod
sudo semodule -i /tmp/mysqld.pp

>
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf 
> Of Larry Martell
> Sent: Tuesday, July 09, 2013 3:10 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] httpd ssl problems
>
> On Tue, Jul 9, 2013 at 3:06 PM, Nemrow, Jason  wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of Larry Martell
>> Sent: Tuesday, July 09, 2013 3:00 PM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] httpd ssl problems
>>
>> On Tue, Jul 9, 2013 at 2:56 PM, Nemrow, Jason  wrote:
>>> Not much of a noob, but I will try.
>>>
>>> I just configured httpd and installed mod_ssl and got my certificate from 
>>> GoDaddy and put them on the server with ssl.conf pointing at them.  I am 
>>> getting this error:
>>>
>>> SSLCertificateFile: file '/etc/pki/tls/certs/enmu.edu.crt' does not
>>> exist or is empty
>>>
>>> It's a cute error. I have checked several times for misspellings, looked at 
>>> the enmu.edu.crt file (looks like a cert to me) and I can certify that it 
>>> is not empty and it most certainly exists. Want some proof? Here...
>>>
>>> [root@itsnv607 ~]# ls -l /etc/pki/tls/certs total 1224
>>> -rw-r--r--. 1 root   root   571450 Apr  7  2010 ca-bundle.crt
>>> -rw-r--r--. 1 root   root   651083 Apr  7  2010 ca-bundle.trust.crt
>>> -rw-r--r--. 1 apache apache   1874 Jul  9 11:54 enmu.edu.crt
>>> -rwxr-xr-x. 1 root   root 3197 Jul  9 11:54 gd_bundle.crt
>>> -rw---. 1 root   root 1164 Jul  8 14:33 localhost.crt
>>> -rwxr-xr-x. 1 root   root  610 Feb 21 16:45 make-dummy-cert
>>> -rw-r--r--. 1 root   root 2242 Feb 21 16:45 Makefile
>>> -rwxr-xr-x. 1 root   root 1131 Jul  9 11:52 www.enmu.edu.csr
>>> -rwxr-xr-x. 1 root   root 1708 Jul  9 11:52 
>>> www.enmu.edu.key
>>>
>>> Just for fun, I started playing with permissions, just in case that 
>>> mattered (it didn't). You can see that enmu.edu.crt is there, where it is 
>>> supposed to be, and is not empty.
>>>
>>> What would cause this error besides what it actually says?
>
>> Permissions on the dir? selinux?
>
>> Well, I don't see a problem with permissions on the directory (the certs 
>> directory):
>>
>> [root@itsnv607 ~]# ls -l /etc/pki/tls
>> total 24
>> lrwxrwxrwx. 1 root root19 Jul  8 14:31 cert.pem -> certs/ca-bundle.crt
>> drwxr-xr-x. 2 root root  4096 Jul  9 12:57 certs drwxr-xr-x. 2 root
>> root  4096 Jul  8 14:32 misc -rw-r--r--. 1 root root 10906 Oct 12
>> 2012 openssl.cnf drwxr-xr-x. 2 root root  4096 Jul  8 14:33 private
>>
>> I am reading up on SELinux to see if it's mucking things up...
>
> As a quick test you can disable it and see if that fixes it.
>
> echo 0 >/selinux/enforce
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
> 
>
>
>
>
> Confidentiality Notice:
>
> This e-mail, including all attachments, is for the sole use of the intended 
> recipient(s) and may contain confidential and privileged information as 
> defined under FERPA. Any unauthorized review, use, disclosure or distribution 
> is prohibited unless specifically provided under the New Mexico Inspection of 
> Public Records Act. If you are not the intended recipient, please contact the 
> sender and destroy all copies of this message
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[m . roth]

John R. Dennison wrote:
> On Wed, Jul 10, 2013 at 07:18:45PM +0200, Ljubomir Ljubojevic wrote:
>>
>> Driver already turned him self in. He was driving with suspended driving
>> license.
>
> Revoked.  Subtle yet very important difference.
>
Even worse. Could someone point me to where they're getting this
information? All I get with googling is the story of his death from
yesterday.

  mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] postfix as default MTA

[Les Mikesell]

On Tue, Jul 9, 2013 at 11:54 PM, Devin Reade  wrote:
>
>> Of course, what really matters is that you choose a solution that meets
>> your specific needs.  From what I've read over the past several years,
>> it really boils down to personal preference rather than any great
>> difference in functionality.
>
> Yeah, in my case of 20+ years in UNIX admin and development, I've become
> comfortable with administering sendmail-based systems, and postfix is
> the devil not known :)
>

I haven't stayed quite up to the minute on MTA's, but my impression
was that sendmail really, really needed the milter interface but once
it was added  and tools like MimeDefang were developed to handle
external processing within steps of the SMTP conversion (and under
different user ID's if you want) it became as good as anything.
Maybe RedHat just never found MimeDefang...

--
   Les Mikesell
  lesmikes...@gmail.com
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[Larry Martell]

On Wed, Jul 10, 2013 at 11:25 AM,   wrote:
> John R. Dennison wrote:
>> On Wed, Jul 10, 2013 at 07:18:45PM +0200, Ljubomir Ljubojevic wrote:
>>>
>>> Driver already turned him self in. He was driving with suspended driving
>>> license.
>>
>> Revoked.  Subtle yet very important difference.
>>
> Even worse. Could someone point me to where they're getting this
> information? All I get with googling is the story of his death from
> yesterday.

http://www.heraldsun.com/breakingnews/x177810618/Driver-arrested-in-cyclist-hit-and-run
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[John R. Dennison]

On Wed, Jul 10, 2013 at 01:25:54PM -0400, m.r...@5-cent.us wrote:
> Even worse. Could someone point me to where they're getting this
> information? All I get with googling is the story of his death from
> yesterday.

http://abclocal.go.com/wtvd/story?section=news/local&id=9166340




John
-- 
I don't know.  Just because we are stupid doesn't mean everybody else was.

-- JP Morgan CEO Jamie Dimon, arguing against increased regulation as a
   response to his company's $2 billion loss, in a conference call,
   10 May 2012


pgpnM_GOXsuUd.pgp
Description: PGP signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[Scott Robbins]

On Wed, Jul 10, 2013 at 01:25:54PM -0400, m.r...@5-cent.us wrote:
> John R. Dennison wrote:
> > On Wed, Jul 10, 2013 at 07:18:45PM +0200, Ljubomir Ljubojevic wrote:
> >>
> >> Driver already turned him self in. He was driving with suspended driving
> >> license.
> >
> > Revoked.  Subtle yet very important difference.
> >
> Even worse. Could someone point me to where they're getting this
> information? All I get with googling is the story of his death from
> yesterday.

http://www.wral.com/man-charged-in-durham-hit-and-run-that-killed-bicyclist/12644209/
 


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] httpd ssl problems

[James Hogarth]

> It's always selinux ;-)
>
> If you install the selinux utilities (policycoreutils-python) then you
> can use them to set up the security polices. Look in
> /var/log/audit/audit.log for the offending lines and then use commands
> like this, for example this is what I had to do to allow mysqld to
> run:
>
> sudo audit2allow -a -m mysqld > /tmp/mysqld.te
> sudo checkmodule -M -m /tmp/mysqld.te -o /tmp/mysqld.mod
> sudo semodule_package -o /tmp/mysqld.pp -m /tmp/mysqld.mod
> sudo semodule -i /tmp/mysqld.pp
>


Well always when you step outside normal practices...

Where did you install that mysql from by the way as the base policy has
mysql contexts and policies in place...

In general your advice would work but it's bad practice...

The above assumes what you want the application is trying to do is what you
want to happen - this is probably not quite the case.

For the OP it's likely to be the context of the certificates where you put
them... copy them (not move) to somewhere like /etc/httpd so they get the
context httpd_etc_t (in the alternative make a dedicated /etc/httpd/certs
directory to support multiple certs for virtualhosts with a context of
cert_t as this howto describes
http://www.freeipa.org/page/Apache_SNI_With_Kerberos)...

The http_t domain has permission to read that context type so that will
work properly and the various bits restricted appropriately...

As for your mysql I'm guessing it installed to /opt or /usr/local or had a
version number in place such as /var/lib/mysql55 which took the files out
of the standard locations and consequently the file contexts would have
been incorrect as they would have inherited from those other locations
probably resulting in mysqld in the wrong domain too (initrc_t perhaps or
bin_t depending how it was started). Using the audit2allow -a -M etc method
outlined above would then result in mysqld having too broad access or
possibly other processes getting access to the mysql database files or
config files improperly (depending on how the auto generated rule went).

To fix that scenario given that the base selinux policy already has rules
for mysql all you need to do is ensure that the right file contexts are on
the files in the improper locations.

First use semanage fcontext -l | grep mysql to get a list of all file
contexts related to mysql.

Then for each of these (there's only about 21) check to see where you
custom install has put the equivalent file (eg /usr/libexec/mysqld might be
in /usr/local/bin/mysqld or /opt/mysql/bin/msqld).

With that knowledge in hand simply copy and paste the context to the new
file for example:

original from the list above:/usr/libexec/mysqldregular
file   system_u:object_r:mysqld_exec_t:s0

Add your new path:
semanage fcontext -a -t mysqld_exec_t '/usr/local/bin/mysqld' && restorecon
-Rv /usr/local/bin/mysqld

With the correct contexts on the files you should then be able start the
service and it'll be properly confined in its correct domain.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] httpd ssl problems

[Larry Martell]

On Wed, Jul 10, 2013 at 12:23 PM, James Hogarth  wrote:
>> It's always selinux ;-)
>>
>> If you install the selinux utilities (policycoreutils-python) then you
>> can use them to set up the security polices. Look in
>> /var/log/audit/audit.log for the offending lines and then use commands
>> like this, for example this is what I had to do to allow mysqld to
>> run:
>>
>> sudo audit2allow -a -m mysqld > /tmp/mysqld.te
>> sudo checkmodule -M -m /tmp/mysqld.te -o /tmp/mysqld.mod
>> sudo semodule_package -o /tmp/mysqld.pp -m /tmp/mysqld.mod
>> sudo semodule -i /tmp/mysqld.pp
>>
>
>
> Well always when you step outside normal practices...
>
> Where did you install that mysql from by the way as the base policy has
> mysql contexts and policies in place...

I got from just doing 'yum install mysql' I don't have access to that
system any more to see where it got installed.

>
> In general your advice would work but it's bad practice...
>
> The above assumes what you want the application is trying to do is what you
> want to happen - this is probably not quite the case.
>
> For the OP it's likely to be the context of the certificates where you put
> them... copy them (not move) to somewhere like /etc/httpd so they get the
> context httpd_etc_t (in the alternative make a dedicated /etc/httpd/certs
> directory to support multiple certs for virtualhosts with a context of
> cert_t as this howto describes
> http://www.freeipa.org/page/Apache_SNI_With_Kerberos)...
>
> The http_t domain has permission to read that context type so that will
> work properly and the various bits restricted appropriately...
>
> As for your mysql I'm guessing it installed to /opt or /usr/local or had a
> version number in place such as /var/lib/mysql55 which took the files out
> of the standard locations and consequently the file contexts would have
> been incorrect as they would have inherited from those other locations
> probably resulting in mysqld in the wrong domain too (initrc_t perhaps or
> bin_t depending how it was started). Using the audit2allow -a -M etc method
> outlined above would then result in mysqld having too broad access or
> possibly other processes getting access to the mysql database files or
> config files improperly (depending on how the auto generated rule went).
>
> To fix that scenario given that the base selinux policy already has rules
> for mysql all you need to do is ensure that the right file contexts are on
> the files in the improper locations.
>
> First use semanage fcontext -l | grep mysql to get a list of all file
> contexts related to mysql.
>
> Then for each of these (there's only about 21) check to see where you
> custom install has put the equivalent file (eg /usr/libexec/mysqld might be
> in /usr/local/bin/mysqld or /opt/mysql/bin/msqld).
>
> With that knowledge in hand simply copy and paste the context to the new
> file for example:
>
> original from the list above:/usr/libexec/mysqldregular
> file   system_u:object_r:mysqld_exec_t:s0
>
> Add your new path:
> semanage fcontext -a -t mysqld_exec_t '/usr/local/bin/mysqld' && restorecon
> -Rv /usr/local/bin/mysqld
>
> With the correct contexts on the files you should then be able start the
> service and it'll be properly confined in its correct domain.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] httpd ssl problems

[James Hogarth]

I got from just doing 'yum install mysql' I don't have access to that
> system any more to see where it got installed.
>
>
Well that's very weird as selinux enabled mysql is supported right out of
the box under those conditions...

Unless this was the early EL5 days whilst Red Hat and co were still in the
process of writing a lot of the policies... but then with the targeted
policy in place until they wrote an actual policy it still wouldn't be
restricted...

Ah well that's the end of that ;)
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] 36-Year-Old Seth Vidal Tragically Killed

[m . roth]

Larry Martell wrote:
> On Wed, Jul 10, 2013 at 11:25 AM,   wrote:
>> John R. Dennison wrote:
>>> On Wed, Jul 10, 2013 at 07:18:45PM +0200, Ljubomir Ljubojevic wrote:

 Driver already turned him self in. He was driving with suspended
 driving license.
>>>
>>> Revoked.  Subtle yet very important difference.
>>>
>> Even worse. Could someone point me to where they're getting this
>> information? All I get with googling is the story of his death from
>> yesterday.
>
> http://www.heraldsun.com/breakingnews/x177810618/Driver-arrested-in-cyclist-hit-and-run

Thanks. I can't say I appreciate it, when it's about something this bad,
but it's good to know. Given that the driver turned himself in, sounds as
if he just drove away without thinking to stop. Bad for him, and bad for
all of us. I hadn't known who was the leader on yum, and I really,
*really* appreciate that piece of software.

  mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] postfix as default MTA

[Greg Bailey]

On 07/10/2013 09:37 AM, Timothy Murphy wrote:
>
> For a contrary opinion, while sendmail.cf is difficult to follow,
> I've never found sendmail.mc too difficult.
>
> However, I'm finding postfix very difficult to configure with spamassassin.
> Postfix/dovecot works well enough,
> but the recommended addition of amavisd-new with clamav and spamassassin
> seems extraordinarily complicated and spaghetti-like,
> and I haven't found any documentation in *.centos.org
> that describes the specific spamassassin side of the setup.
> [The alternative sendmail/procmail/spamassassin combination
> I run on another server seems much easier to follow.]
>
> Everything on my server appears to be running as it should,
> but I don't think any spam is being caught.
> Eg I have set
> ok_languages en it fr de ga
> in /etc/mail/spamassassin/local.cf (and re-started spamassassin)
> but I am still inundated with chinese spam.
>
> If anyone knows of any documentation on the recommended CentOS setup
> of postfix/dovecot with amavis, clamav and spamassassin
> I should be grateful for a pointer.


I've had good success installing spamass-milter-postfix from the EPEL 
repository, and then adding:

smtpd_milters = unix:/var/run/spamass-milter/postfix/sock

to /etc/postfix/main.cf, as instructed in 
/usr/share/doc/spamass-milter-postfix-0.3.2/README.Postfix

I don't have any amavis stuff configured.

-Greg

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] httpd ssl problems

[Gordon Messmer]

On 07/10/2013 09:51 AM, Nemrow, Jason wrote:
> Yep. I disabled SELinux and everything is working now for ssl and
> apache.  I will have to look later and study up on how to make
> SELinux work with this setup.


restorecon -R -v /etc/pki/tls

It sounds like you saved the crt file somewhere else first, and then 
used "mv" to place it in /etc/pki/tls/certs.  Use "cp" instead.  A file 
that's moved will keep its original SELinux context.  A file that's 
copied will be a new file, and will get its context from the parent 
directory.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] postfix as default MTA

[Rob Kampen]

On 07/11/2013 04:37 AM, Timothy Murphy wrote:

Ron Loftin wrote:


I can't speak directly to RedHat's reasoning, but I can say that I find
Postfix MUCH easier to deal with than Sendmail.  After 20+ years in
Unix/Linux system admin, I still find Sendmail arcane and confusing,
while Postfix configuration details are much more comprehensible to the
ordinary mortal mind.

For a contrary opinion, while sendmail.cf is difficult to follow,
I've never found sendmail.mc too difficult.

However, I'm finding postfix very difficult to configure with spamassassin.
Postfix/dovecot works well enough,
but the recommended addition of amavisd-new with clamav and spamassassin
seems extraordinarily complicated and spaghetti-like,
and I haven't found any documentation in *.centos.org
that describes the specific spamassassin side of the setup.
[The alternative sendmail/procmail/spamassassin combination
I run on another server seems much easier to follow.]

Everything on my server appears to be running as it should,
but I don't think any spam is being caught.
Eg I have set
ok_languages en it fr de ga
in /etc/mail/spamassassin/local.cf (and re-started spamassassin)
but I am still inundated with chinese spam.

If anyone knows of any documentation on the recommended CentOS setup
of postfix/dovecot with amavis, clamav and spamassassin
I should be grateful for a pointer.

try the E-Mail item here
http://wiki.centos.org/HowTos#head-0facb50d5796bee0bd394636c32ffa9a997a6ab5


What I'd really like is to see what happens to a given email
as it goes through its rather complicated journey through my system.

In particular, I don't really see the point of amavis,
since as far as I can see spamassassin can be used directly with postfix.
(I don't care about clamav, as I don't think I'd be tempted
to read any email likely to infect my system.]

Any advice or elucidation gratefully received,
especially from anyone running this 5-program email combination.



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos