Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-27 Thread Dave Quigley

On 7/28/2013 1:40 AM, Dave Quigley wrote:

On 7/26/2013 6:55 AM, Daniel J Walsh wrote:


On 07/25/2013 06:45 PM, James Hogarth wrote:


On 25 Jul 2013 19:55, "Daniel J Walsh" <dwa...@redhat.com> wrote:

The only provisos/additions I could suggest on the above then is to make
it clear in the release notes that server and client should be
matching for
any additional fcontext rules to eliminate any server/client relabel
discrepancies.

In addition rather than defaulting to the file_t context might I suggest
using the current/standard nfs_t context for unknown labels (unless
overridden by mount options of course)?

I am not sure we can do this. Eric, do you know of a way to do
something like this?

I don't believe this is possible with our current implementation. I'd
need to look again. The caveat for this operating mode in the IETF
specification we wrote is that the policies are homogeneous in this
environment. The server is not really label aware. It's mostly supposed
to be simple attribute storage. In our case here it is aware; however,
because we don't currently have any policy translation infrastructure, it
is supposed to be a homogeneous environment.

Dave


Also another tidbit of information. Currently the server has no idea
what the security context of the process making the filesystem call to
an NFS mount is. The next phase of Labeled NFS is to work on implementing
RPCSECGSSv3, which among other useful features allows us to assert the
security context of the calling process from the client. So it's not
possible for the server to make truly informed decisions about NFS calls.


Dave

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
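A way to check James's point that server and client should carry matching fcontext rules, as an added example that is not part of the thread: the script parses two listings in the layout of `semanage fcontext -l` (constructed sample data, not real hosts) and reports rules present on only one side or whose SELinux type differs. The column layout is assumed from that listing format; on real machines you would feed it the captured output of each host.

```python
"""Compare SELinux file-context rules exported from an NFS server and client."""

# Constructed samples in the layout of `semanage fcontext -l` (not real hosts):
# path regex, file-type column (may contain a space), and the full context.
SERVER_RULES = """\
SELinux fcontext          type         Context
/export/www(/.*)?         all files    system_u:object_r:httpd_sys_content_t:s0
/export/db(/.*)?          all files    system_u:object_r:mysqld_db_t:s0
/export/scratch(/.*)?     all files    system_u:object_r:nfs_t:s0
"""
CLIENT_RULES = """\
SELinux fcontext          type         Context
/export/www(/.*)?         all files    system_u:object_r:httpd_sys_content_t:s0
/export/db(/.*)?          all files    system_u:object_r:var_lib_t:s0
/export/home(/.*)?        all files    system_u:object_r:user_home_dir_t:s0
"""

def parse_fcontext(listing):
    """Return {(path_regex, file_type): context}. The path spec is the first
    token and the context the last; the file-type column sits in between."""
    rules = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux fcontext"):
            continue  # blank line or the header row
        path, rest = line.split(None, 1)
        ftype, ctx = rest.rsplit(None, 1)
        rules[(path, ftype)] = ctx
    return rules

def selinux_type(ctx):
    """user:role:type:range -> type (MLS ranges may add more colons after it)."""
    return ctx.split(":")[2]

def compare_rules(server_listing, client_listing):
    """Return (only_on_server, only_on_client, type_mismatches): any of these
    means a relabel on one side will disagree with labels seen on the other."""
    s, c = parse_fcontext(server_listing), parse_fcontext(client_listing)
    only_server = sorted(k for k in s if k not in c)
    only_client = sorted(k for k in c if k not in s)
    mismatched = sorted((k, s[k], c[k]) for k in s.keys() & c.keys()
                        if selinux_type(s[k]) != selinux_type(c[k]))
    return only_server, only_client, mismatched

if __name__ == "__main__":
    for section, items in zip(("server only", "client only", "type differs"),
                              compare_rules(SERVER_RULES, CLIENT_RULES)):
        for item in items:
            print(section, item)
```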

Re: /etc/default in Fedora

2012-03-17 Thread Dave Quigley

On 3/17/2012 7:17 AM, Daniel J Walsh wrote:


On 03/17/2012 05:38 AM, Matej Cepl wrote:

On 17.3.2012 10:18, Daniel J Walsh wrote:

Here is the current httpd man page.

http://people.fedoraproject.org/~dwalsh/SELinux/httpd_selinux.html

OK, in the end it IS a wiki ...
http://wiki.apache.org/httpd/DistrosDefaultLayout?action=diff&rev1=46&rev2=47

Suggestions for further edits are welcome.

Matěj


I would also suggest they use setroubleshoot.


Suggesting setroubleshoot is fine but you need to also tell them how to 
set it up when they are running without X. One guy told me that 
setroubleshoot is fine and all but all his machines are headless so he 
doesn't have X and the nice little applet to notify him. I had to 
correct him and send him a reference to your page on how to set up 
setroubleshoot on headless machines so that the messages are sent to 
another box or to an email account.


Dave
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
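For the headless case Dave describes, where no applet is present to show setroubleshoot's alerts, an added example (not setroubleshoot's own code and not from this thread) that pulls AVC denials straight out of audit.log and groups them into a short report that can be mailed or shipped to another box. The audit lines are constructed samples; the field names follow the standard AVC record format.

```python
"""Summarise SELinux AVC denials from audit.log on a host with no desktop applet."""
import re

# Constructed audit.log excerpt (not from a real system); one SYSCALL record
# is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1331987640.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1331987640.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1331987641.500:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="about.html" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1331987650.001:458): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# Fields of an AVC record in the order the kernel writes them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(ctx):
    """user:role:type:range -> type."""
    return ctx.split(":")[2]

def summarise_denials(audit_text):
    """Group denials by (comm, source type, target type, class) and return
    {key: (count, sorted permissions)}; this is the unit a sysadmin acts on
    (a boolean, a fcontext rule or a local policy module), not one line."""
    groups = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/CWD records carry no denial of their own
        key = (m["comm"], selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]), m["tclass"])
        count, perms = groups.get(key, (0, set()))
        groups[key] = (count + 1, perms | set(m["perms"].split()))
    return {k: (n, sorted(p)) for k, (n, p) in groups.items()}

def format_report(summary):
    """One line per group, most frequent first, ready to mail off-box."""
    lines = []
    for (comm, stype, ttype, tclass), (n, perms) in sorted(
            summary.items(), key=lambda kv: -kv[1][0]):
        lines.append(f"{n:4d}x {comm} ({stype}) -> {ttype} {tclass}: {' '.join(perms)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(summarise_denials(SAMPLE_AUDIT_LOG)))
```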

Re: /etc/default in Fedora

2012-03-06 Thread Dave Quigley

On 3/6/2012 11:27 AM, Paul Wouters wrote:

On Tue, 6 Mar 2012, Daniel J Walsh wrote:


Why /etc/default dir is used instead of /etc/sysconfig? To be
honest - it's not really user friendly from long time RH Linux user
POV.


Just disable SELinux in /etc/selinux/config.


Or the more obvious place for people with /etc/sysconfig hardcoded in
their brain, /etc/sysconfig/selinux :)

Though to be honest, F17 is the first version where I have been working
with selinux enabled for more than two days. In fact, I have left it
enabled since I installed F17 weeks ago.

I think the only somewhat "valid" reason to disable selinux is if people
are using special directories they made up, eg /vol or /opt or anything.
(or when copying/dealing with /var/lib/libvirtd/images content in other
locations :)

Paul


Alternatively you could look at Dan Walsh's "4 things SELinux is trying
to tell you" talk and in about 30 minutes figure out how to make those
special directories work and not disable the security on your system.


Dave
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Need Little IT advice Here...

2011-08-12 Thread Dave Quigley
You should look into the xguest package on Fedora. It provides a 
sandboxed user which gets wiped on logout. If you need to add more tools 
for the guest to use I'd suggest contacting Dan Walsh for additional 
help since he is the maintainer.

Dave

On 8/11/2011 11:58 PM, Manuel Escudero wrote:
> Hi, I was wondering if there was a tool for Linux in general
> that lets me undo the system changes at reboot or something
> like that. For example:
>
> I want to set a standard configuration on a machine and then
> let that machine be used by many users, but as soon as
> the user logs out (preferably at that moment)
> I want the machine to undo all the possible
> changes the user may have done while he/she was using it.
>
> I've seen this behavior on Windows machines in schools and offices,
> and I know it has something to do with a server controlling all the
> individual computers, but I want to apply that behavior to a single Linux
> computer without having the server in the middle...
>
> If there's not a "General Linux Tool" I would like to know which
> distro and desktop environment are the best choice to get this done,
> using what tools.
>
> P.S. It's like... having a customized "LiveCD behavior" but with
> the system installed, so if I need to make changes, I can ensure I can
> do them without many problems, and then "lock the system" again...
>
> Hope somebody knows,
>
> Thanks!
>
> --
> Manuel Escudero
> Linux User #509052
> Twitter: @Jmlevick
> Blogger: Blog Xenode
> PGP/GnuPG: E2F5 12FA E1C3 FA58 CF15  8481 B77B 00CA C1E1 0FA7
> Xenode Systems - xenodesystems.com
> "Connect to Your World"
>

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel