Re: [CentOS] 5.3 and XFS

2009-04-30 Thread Nifty Cluster Mitch
On Thu, Apr 16, 2009 at 07:34:13AM -0700, Akemi Yagi wrote:
> On Thu, Apr 16, 2009 at 7:21 AM, Karanbir Singh  wrote:
> > Joseph L. Casale wrote:
> >> I never thought of that given that they come from the plus repo. So it's
> >> only

> >
> > iirc, the xfs kmods are not kernel ver dependent anymore, and haven't
> > been for a while.
> >
> > Tru / Akemi ?
> 
> The kABI-tracking kmod-xfs for CentOS-5 started in Oct 2008.  The
> CentOS-4 version has been tested and will be offered shortly (as soon
> as you/Tru builds it for release).  :-D
> 
> But the code is somewhat getting old.  Maybe it's time to get the
> project xfs going again?  Tru is the leader of this project.

OLD?  What is broken that needs fixing?

XFS is in rather good shape and should not require much activity.
As technology goes it was cutting edge technology when SGI designed it.
It may be that ext4 will catch up but based on the clock the new ext4
may not be as stable as XFS is.  A year from now... who knows.

I do see xfs related patches going to Linus today ... so it is not idle.





-- 
T o m  M i t c h e l l 
Found me a new hat, now what?

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Dan Roberts
Thanks - this is helpful but still not quite a fix.   The suggested  
fixes seem general for the three issues of dovecot, nmbd, and spamc -  
but audit2allow does at least create them.

[...@trailrunner ~]$ cat dovecotsocketselinux.te

module dovecotsocketselinux 1.0;

require {
type dovecot_t;
class socket create;
}

#============= dovecot_t ==============
allow dovecot_t self:socket create;
[...@trailrunner ~]$
[...@trailrunner ~]$
[...@trailrunner ~]$ cat nmbdselinux.te

module nmbdselinux 1.0;

require {
type samba_share_t;
type nmbd_t;
class file { rename getattr unlink append };
class dir { search setattr };
}

#============= nmbd_t ==============
allow nmbd_t samba_share_t:dir { search setattr };
allow nmbd_t samba_share_t:file { rename getattr unlink append };
[...@trailrunner ~]$
[...@trailrunner ~]$
[...@trailrunner ~]$ cat spamcselinux.te

module spamcselinux 1.0;

require {
type spamc_exec_t;
type procmail_t;
class file { read execute execute_no_trans };
}

#============= procmail_t ==============
allow procmail_t spamc_exec_t:file { read execute execute_no_trans };
[...@trailrunner ~]$

The problem is that when these are installed, dovecot fails - port 993  
already in use.

So now what - again, default CentOS options and configuration for all  
three of these.

On Apr 30, 2009, at 1:38 PM, Ned Slider wrote:

> Dan Roberts wrote:
>> Ok, but how?
>>
>
> http://wiki.centos.org/HowTos/SELinux

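
How modules like the three above follow from the denials, as an added example that is not part of the thread and is not audit2allow's own code: Python that reads AVC records and emits the matching type-enforcement module, so each rule can be reviewed before it is loaded. Only the dovecot AVC line comes from the thread; the module name `localmail` and the procmail and SYSCALL sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The dovecot record is the AVC line quoted in this thread with the e-mail
# line wraps rejoined. The two procmail records are constructed to match the
# sealert summaries in the thread (pid, timestamp and name= are made up), and
# the SYSCALL line is constructed to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:  denied  { create } for  pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
type=AVC msg=audit(1241041700.100:41): avc:  denied  { execute } for  pid=4001 comm="procmail" name="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1241041700.200:42): avc:  denied  { read } for  pid=4002 comm="sh" name="spamc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1241041700.200:42): syscall=11 success=no exit=-13 comm="sh"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": m.group("perms").split(),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else "?",
    }


def collect_rules(lines):
    """Merge denials that share source type, target type and object class."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["source"], avc["target"], avc["tclass"])
        rules[key]["perms"].update(avc["perms"])
        rules[key]["comms"].add(avc["comm"])
    return dict(rules)


def fmt_perms(perms):
    """Write one permission bare and several inside braces, as policy syntax does."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules):
    """Render the merged rules as a loadable .te module with its require block."""
    types, classes = set(), defaultdict(set)
    for (source, target, tclass), info in rules.items():
        types.update((source, target))
        classes[tclass] |= info["perms"]
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (source, target, tclass), info in sorted(rules.items()):
        # A domain acting on an object labelled with its own type is "self".
        tgt = "self" if target == source else target
        out.append("# triggered by: " + ", ".join(sorted(info["comms"])))
        out.append("allow %s %s:%s %s;" % (source, tgt, tclass, fmt_perms(info["perms"])))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("localmail", collect_rules(SAMPLE_AUDIT_LOG.splitlines())))
```

Rules for the same source, target and class are merged, and a target equal to the source is written as `self`, which is why the dovecot denial becomes `allow dovecot_t self:socket create;`.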


Re: [CentOS] Rsync/SSH automation problem?

2009-04-30 Thread Les Mikesell
Gordon Messmer wrote:
> James Bensley wrote:
> >> I have a win2k3 server that is backing up to a CentOS 5.3 server. On
> >> the Win2k3 machine I plan to have rsync back up nightly to the CentOS
> >> server through ssh. The command I am using is as follows:
> >>
> >> rsync -vrPtz -e ssh myu...@myserver:/remote/backup/folder/ /local/backup/folder/
> 
> The first thing I'm sure you noticed was that this syntax copies data 
> from a remote system to the local one, which is the opposite of what you 
> described doing, above.
> 
> The second thing you will notice, eventually, is that rsync over ssh 
> under Cygwin is unreliable.  This has been the case for years and has 
> something to do with Cygwin's emulation of blocking sockets which causes 
> rsync to hang.  Even if your backups are working now, I strongly 
> recommend against continuing in this manner.

You have always been able to initiate the command over ssh from a 
windows box with the answering copy under sshd on linux.  Very recent 
versions may even work the other way.

> If you want to use rsync on Windows, the best thing to do is run rsync 
> and ssh daemons on the Windows host.  Rsync should only listen for 
> localhost connections.  Run your backup jobs from Linux; ssh to the 
> Windows machine and forward a port for rsync.  A local rsync can then 
> connect to the Windows machine over the port forward.

Or, if you want it automated more nicely to keep a history of backups 
with a web interface to browse/restore them, look at backuppc. 
http://backuppc.sourceforge.net/  You can still use rsync as the copy 
mechanism if you want.

-- 
   Les Mikesell
lesmikes...@gmail.com



[CentOS] esata

2009-04-30 Thread Jerry Geis
I am trying to get esata working. my lspci is below.

When I plug in the disk and turn it on - dmesg reports nothing.
Is it supposed to report anything like a usb disk does?

Is there a module to load?

My motherboard is GA-MA78GM-US2H.

Jerry


-
00:00.0 Host bridge: Advanced Micro Devices [AMD] RS780 Host Bridge
00:01.0 PCI bridge: Advanced Micro Devices [AMD] RS780 PCI to PCI bridge (int gfx)
00:0a.0 PCI bridge: Advanced Micro Devices [AMD] RS780 PCI to PCI bridge (PCIE port 5)
00:11.0 SATA controller: ATI Technologies Inc SB700/SB800 SATA Controller [AHCI mode]
00:12.0 USB Controller: ATI Technologies Inc SB700/SB800 USB OHCI0 Controller
00:12.1 USB Controller: ATI Technologies Inc SB700 USB OHCI1 Controller
00:12.2 USB Controller: ATI Technologies Inc SB700/SB800 USB EHCI Controller
00:13.0 USB Controller: ATI Technologies Inc SB700/SB800 USB OHCI0 Controller
00:13.1 USB Controller: ATI Technologies Inc SB700 USB OHCI1 Controller
00:13.2 USB Controller: ATI Technologies Inc SB700/SB800 USB EHCI Controller
00:14.0 SMBus: ATI Technologies Inc SBx00 SMBus Controller (rev 3a)
00:14.1 IDE interface: ATI Technologies Inc SB700/SB800 IDE Controller
00:14.2 Audio device: ATI Technologies Inc SBx00 Azalia (Intel HDA)
00:14.3 ISA bridge: ATI Technologies Inc SB700/SB800 LPC host controller
00:14.4 PCI bridge: ATI Technologies Inc SBx00 PCI to PCI Bridge
00:14.5 USB Controller: ATI Technologies Inc SB700/SB800 USB OHCI2 Controller
00:18.0 Host bridge: Advanced Micro Devices [AMD] Family 10h [Opteron, Athlon64, Sempron] HyperTransport Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] Family 10h [Opteron, Athlon64, Sempron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] Family 10h [Opteron, Athlon64, Sempron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] Family 10h [Opteron, Athlon64, Sempron] Miscellaneous Control
00:18.4 Host bridge: Advanced Micro Devices [AMD] Family 10h [Opteron, Athlon64, Sempron] Link Control
01:05.0 VGA compatible controller: ATI Technologies Inc Radeon HD 3200 Graphics
01:05.1 Audio device: ATI Technologies Inc RS780 Azalia controller


Re: [CentOS] Rsync/SSH automation problem?

2009-04-30 Thread Gordon Messmer
James Bensley wrote:
> 
> I have a win2k3 server that is backing up to a CentOS 5.3 server. On
> the Win2k3 machine I plan to have rsync back up nightly to the CentOS
> server through ssh. The command I am using is as follows:
> 
> rsync -vrPtz -e ssh myu...@myserver:/remote/backup/folder/ /local/backup/folder/

The first thing I'm sure you noticed was that this syntax copies data 
from a remote system to the local one, which is the opposite of what you 
described doing, above.

The second thing you will notice, eventually, is that rsync over ssh 
under Cygwin is unreliable.  This has been the case for years and has 
something to do with Cygwin's emulation of blocking sockets which causes 
rsync to hang.  Even if your backups are working now, I strongly 
recommend against continuing in this manner.

If you want to use rsync on Windows, the best thing to do is run rsync 
and ssh daemons on the Windows host.  Rsync should only listen for 
localhost connections.  Run your backup jobs from Linux; ssh to the 
Windows machine and forward a port for rsync.  A local rsync can then 
connect to the Windows machine over the port forward.



Re: [CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Dan Roberts
I would like not to disable SELinux, and I have the guide from the
NSA.  But try as I might these three things are being difficult.
Given that it was a default install for them I have no idea how or why.

Some google searches and even the SELinux FAQ suggest remedy options  
that involve data that I just don't seem to have - that's where the  
expertise of someone who has had to deal with something similar would  
be very helpful.


On Apr 30, 2009, at 11:44 AM, Lanny Marcus wrote:

> On Thu, Apr 30, 2009 at 9:07 AM, Dan Roberts  wrote:
>> Following a hard drive corruption I have reinstalled the latest version of
>> CentOS and all current patch files.
>> For most applications I selected the default options.  By doing this I
>> expected that the packages would play nice with one another and I could
>> customize as necessary.
>> Setting SELinux to enforce I encountered all sorts of problems - but most
>> were resolvable, save for Dovecot, Procmail (for spamc), and an odd one
>
>> take on making a local policy module I am quickly getting lost.  The
>> option to simply disable SELinux with respect to Apache, Dovecot or
>> anything else is suggested - but not something I see in the GUI window, and
>> I have not figured out how to do it from the command line.
>
> Disabling SELinux is *not* recommended, by those who know, on this
> mailing list and in other places.  Maybe drop it down from "Enforcing"
> to Permissive, until you get it configured properly.
>
> You might want to go to  and download the .pdf
> version of their manual about hardening RHEL 5. Look for the December
> 20, 2007 version. On page 42, they begin discussing SELinux and how to
> configure/troubleshoot it. "Guide to the Secure Configuration of Red
> Hat Enterprise Linux 5". HTH and GL



Re: [CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Ned Slider
Dan Roberts wrote:
> Ok, but how?
> 

http://wiki.centos.org/HowTos/SELinux



Re: [CentOS] ps error

2009-04-30 Thread P.A
Bill, good point but I looked and don't think that is what happened. This
box is not in production and has a private IP.
I took care of the ps issue by reinstalling procps-3.2.7-11.1.el5.i386. The
RPM issue was fixed by reinstalling the rpm package.

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
Of Bill Campbell
Sent: Thursday, April 30, 2009 12:54 PM
To: centos@centos.org
Subject: Re: [CentOS] ps error

On Thu, Apr 30, 2009, P.A wrote:
>
>   Hi does anyone know what the problem here is
>
>   [r...@dnstest lib]# ps
>
>   ps: error while loading shared libraries: libproc-3.2.3.so: cannot
>   open shared object file: No such file or directory

When programs like ps, sed, find, etc. start showing shared
library problems, it is usually an indication that the box has
been partially cracked.  I say partially since the cracker will
install/replace versions of /bin/ps et al with ones that are
built for another version of Linux.

As others have noted, ``rpm -V'' is usually useful to detect
changed files.

Frequently crackers put their programs under /tmp, /var/tmp, or
the /dev directories with directory names such as ``..'' that
are not easily seen.  They try to install versions of find, ps,
netstat, etc. that are designed to hide their processes.

If you have a good system to monitor changes on *ALL* critical
files and directories, and can identify changed, added, or
deleted files, it is possible to restore a cracked system without
a complete reinstall.  Otherwise the only safe method is to take
the system off line, do a fresh install, and try to figure out
how the system was cracked.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

If you have to choose between trusting the natural stability of gold and
the honesty and intelligence of members of the government, with due respect
for these gentlemen, I advise you, as long as the capitalist system lasts,
to vote for gold. -- George Bernard Shaw


Re: [CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Lanny Marcus
On Thu, Apr 30, 2009 at 9:07 AM, Dan Roberts  wrote:
> Following a hard drive corruption I have reinstalled the latest version of
> CentOS and all current patch files.
> For most applications I selected the default options.  By doing this I
> expected that the packages would play nice with one another and I could
> customize as necessary.
> Setting SELinux to enforce I encountered all sorts of problems - but most
> were resolvable, save for Dovecot, Procmail (for spamc), and an odd one

> take on making a local policy module I am quickly getting lost.  The
> option to simply disable SELinux with respect to Apache, Dovecot or
> anything else is suggested - but not something I see in the GUI window, and
> I have not figured out how to do it from the command line.

Disabling SELinux is *not* recommended, by those who know, on this
mailing list and in other places.  Maybe drop it down from "Enforcing"
to Permissive, until you get it configured properly.

You might want to go to  and download the .pdf
version of their manual about hardening RHEL 5. Look for the December
20, 2007 version. On page 42, they begin discussing SELinux and how to
configure/troubleshoot it. "Guide to the Secure Configuration of Red
Hat Enterprise Linux 5". HTH and GL


Re: [CentOS] ps error

2009-04-30 Thread Bill Campbell
On Thu, Apr 30, 2009, P.A wrote:
>
>   Hi does anyone know what the problem here is
>
>   [r...@dnstest lib]# ps
>
>   ps: error while loading shared libraries: libproc-3.2.3.so: cannot
>   open shared object file: No such file or directory

When programs like ps, sed, find, etc. start showing shared
library problems, it is usually an indication that the box has
been partially cracked.  I say partially since the cracker will
install/replace versions of /bin/ps et al with ones that are
built for another version of Linux.

As others have noted, ``rpm -V'' is usually useful to detect
changed files.

Frequently crackers put their programs under /tmp, /var/tmp, or
the /dev directories with directory names such as ``..'' that
are not easily seen.  They try to install versions of find, ps,
netstat, etc. that are designed to hide their processes.

If you have a good system to monitor changes on *ALL* critical
files and directories, and can identify changed, added, or
deleted files, it is possible to restore a cracked system without
a complete reinstall.  Otherwise the only safe method is to take
the system off line, do a fresh install, and try to figure out
how the system was cracked.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

If you have to choose between trusting the natural stability of gold and
the honesty and intelligence of members of the government, with due respect
for these gentlemen, I advise you, as long as the capitalist system lasts,
to vote for gold. -- George Bernard Shaw
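
A triage pass over `rpm -Va` output along the lines Bill describes, as an added example that is not part of the thread: it parses each verify line and separates a changed digest or missing file under a system binary or library directory from routine config edits. The sample output, the directory list and the severity labels are assumptions made for illustration.

```python
import re

# Constructed sample in the layout `rpm -Va` prints; not output from the thread.
SAMPLE_VERIFY_OUTPUT = """\
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/procps-3.2.7/NEWS
S.5....T    /bin/ps
missing     /lib/libproc-3.2.7.so
..5....T    /bin/netstat
.M......    /var/spool/mail
"""

# Verify flags: "." means the test passed, "?" that it could not be performed.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink target", "U": "owner", "G": "group",
    "T": "mtime", "P": "capabilities",
}

# Assumption: directories whose packaged contents should never change in place.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

LINE_RE = re.compile(
    r"^(?P<flags>missing|[A-Za-z0-9.?]{8,9})\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

ORDER = {"high": 0, "review": 1, "expected": 2, "low": 3}


def parse_line(line):
    """Parse one verify line into flags, file attribute marker and path."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    flags = m.group("flags")
    if flags == "missing":
        changes = ["missing"]
    else:
        changes = [FLAG_MEANING[ch] for ch in flags if ch in FLAG_MEANING]
    return {"path": m.group("path"), "attr": m.group("attr"),
            "flags": flags, "changes": changes}


def classify(entry):
    """Assign an illustrative severity to a parsed verify line."""
    flags, path = entry["flags"], entry["path"]
    if entry["attr"] == "c":
        return "expected"          # config files are routinely edited
    changed_content = flags == "missing" or "5" in flags
    if changed_content and path.startswith(SYSTEM_DIRS):
        return "high"              # replaced or removed binary or library
    if changed_content or any(f in flags for f in "MUG"):
        return "review"            # content or ownership/mode drift elsewhere
    return "low"                   # e.g. timestamp-only differences


def triage(text):
    """Return parsed findings sorted from most to least severe."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry["severity"] = classify(entry)
        findings.append(entry)
    return sorted(findings, key=lambda e: (ORDER[e["severity"]], e["path"]))


if __name__ == "__main__":
    for e in triage(SAMPLE_VERIFY_OUTPUT):
        print("%-8s %-40s %s" % (e["severity"], e["path"], ", ".join(e["changes"])))
```

`rpm -V` relies on the installed rpm binary and its database, so on a host that may be compromised run the check from trusted media or against a copy of the database kept elsewhere.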


Re: [CentOS] Directory and File Perms

2009-04-30 Thread Joseph L. Casale
>I've handled these kind of complex samba rights problems by either using
>acls or if it's particularly thorny, an inotify script - needs
>inotify-tools-3.13-1.el5.rf.

Nice tool! That's far more elegant than what I had planned.
Thanks!
jlc


Re: [CentOS] Directory and File Perms

2009-04-30 Thread Toby Bluhm
Joseph L. Casale wrote:
> I have a directory shared out via Samba for Quickbooks and seem
> to have some issues with permissions. The directory being shared
> is a subdirectory in an ext3 partition being mounted with the acl
> option.
> 
> It has been set up as follows:
>  chown root:DOMAIN\AD_Group /mnt/Intuit_Data/
>  chmod 2770 /mnt/Intuit_Data/
> 
> And the Samba share config has:
>  create mask = 0660
>  directory mask = 0770
> 
> So when a user creates a file from their Windows box through Explorer
> or any other app, it gets perms as you might expect:
>  -rw-rw---- 1 Domain+jcasale DOMAIN+AD_Group   0 Apr 29 14:24 test.txt
> and it can be deleted by anyone.
> 
> Problem is QB uses gamin and this file monitoring daemon runs as root
> and all sorts of changes take place as you work with the data, from creating
> the company file to editing it in QB, it ends up slowly changing to 0400?
> 
> 
> Here is what I am seeing now:
> User creates a new company file through QB (this is already fubar'ed):
> # ll
> -rw------- 1 Domain+jcasale DOMAIN+AD_Group 7647232 Apr 29 14:37 Company.QBW
> -rw-r--r-- 1 root           DOMAIN+AD_Group     420 Apr 29 14:36 Company.QBW.ND
> -rw-r--r-- 1 Domain+jcasale DOMAIN+AD_Group 1114112 Apr 29 14:36 Company.QBW.TLG
> drwx------ 2 root           root              16384 Apr 24 09:34 lost+found
> -rw-rw---- 1 root           DOMAIN+AD_Group     300 Apr 24 10:17 qbdir.dat
> 
> Now after working with the company in QB, this is what happens:
> # ll
> -rw------- 1 Domain+jcasale DOMAIN+AD_Group 7331840 Apr 29 14:37 Company.QBW
> -rw-r--r-- 1 root           DOMAIN+AD_Group     420 Apr 29 14:37 Company.QBW.ND
> -rw------- 1 Domain+jcasale DOMAIN+AD_Group 1245184 Apr 29 14:37 Company.QBW.TLG
> drwx------ 2 root           root              16384 Apr 24 09:34 lost+found
> -rw-rw---- 1 root           DOMAIN+AD_Group     300 Apr 24 10:17 qbdir.dat
> 
> 
> What are my options to control this here? Edit init scripts for that daemon?
> I don't know what would happen if it doesn't run as root, but maybe as a user
> that has GID of DOMAIN+AD_Group?
> 

I've handled these kind of complex samba rights problems by either using 
acls or if it's particularly thorny, an inotify script - needs 
inotify-tools-3.13-1.el5.rf.


-- 
tkb


Re: [CentOS] ps error

2009-04-30 Thread Ralph Angenendt
P.A wrote:
> Hi does anyone know what the problem here is
> 
>  
> 
> [r...@dnstest lib]# ps
> 
> ps: error while loading shared libraries: libproc-3.2.3.so: cannot open
> shared object file: No such file or directory

rpm -qf $(which ps)
rpm -V procps


> [r...@dnstest lib]# ln -s libproc-3.2.7.so libproc-3.2.3.so
> 
> [r...@dnstest lib]# ps
> 
> ps: /lib/libproc-3.2.3.so: version `_3_1_14' not found (required by ps)

Why should that work?

> as far as I know only ps is giving me this error.

ps --version

> CentOS release 5.3 (Final)

Was that a CentOS 4 machine in an earlier life?

Ralph




Re: [CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Andrew Colin Kissa


The audit.log should contain more detail than is being provided here;
if it is a unix socket you should see the path. I suspect it is the
unix socket, not the tcp sockets (pop3/imap).



On 30 Apr 2009, at 4:50 PM, Dan Roberts wrote:


Ok, but how?

There appear to be a lot of different options when employing
audit2allow and I am reluctant to start blazing away trying
different elements.  I am missing the details of what socket and how
the execution is occurring so that I can begin to develop the proper
audit2allow sequence.





On Apr 30, 2009, at 8:43 AM, Andrew Colin Kissa wrote:


Hi

Dovecot is trying to open a socket, and procmail is trying to  
execute spamc, You should be able to fix these issues using  
audit2allow.


Andrew.

On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:

Following a hard drive corruption I have reinstalled the latest  
version of CentOS and all current patch files.


For most applications I selected the default options.  By doing  
this I expected that the packages would play nice with one another  
and I could customize as necessary.


Setting SELinux to enforce I encountered all sorts of problems -  
but most were resolvable, save for Dovecot, Procmail (for spamc),  
and an odd one with Apache.


Given that these were all installed with the CentOS install  
defaults, I can't believe I am the only one with these issues but  
finding a solution has not been self evident.  Hoping someone here  
can help.


For Dovecot I get the following:
	SELinux is preventing dovecot (dovecot_t) "create" to   
(dovecot_t). For complete SELinux messages. run sealert -l  
e1b070ab-586a-4c5a-befe-b6a46b9ab992


For procmail I get the following:
	SELinux is preventing procmail (procmail_t) "execute" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
0a554689-4948-4edf-9964-dddbfe6a2492
	SELinux is preventing sh (procmail_t) "read" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
1f1ebd83-412d-4e93-a36f-6f3d34c663df


For Apache it's even more strange - When started I get:
Syntax error on line 283 of /etc/httpd/conf/httpd.conf
DocumentRoot must be  directory

But it is a directory, has the correct permissions and I have even  
run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to  
correct the problem.  I run a virtual server too, and in trying to  
find a fix for this that may be a problem - but first things first.


All the other issues I had I could resolve when I ran the
specified "sealert" tag and followed the suggested instructions -
but those above don't budge.  When I go to the
fedora.redhat.com/docs/selinux-fq-fc5 site to take on making a local
policy module I am quickly getting lost.  The option to simply disable
SELinux with respect to Apache, Dovecot or anything else is suggested -
but not something I see in the GUI window, and I have not figured
out how to do it from the command line.


Again, because these are default packages, I hope that someone
else knows how to resolve these.


With respect to the two reports from SELinux regarding Dovecot and
procmail, here is a bit more info:


The info and Raw Audit message for dovecot_t is:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                None [ socket ]
Source                        dovecot
Source Path                   /usr/sbin/dovecot
Port
Host                          trailrunner
Source RPM Packages           dovecot-1.0.7-7.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     trailrunner
Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed
                              Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count                   2
First Seen                    Wed Apr 29 15:39:51 2009
Last Seen                     Wed Apr 29 15:47:31 2009
Local ID                      e1b070ab-586a-4c5a-befe-b6a46b9ab992
Line Numbers

Raw Audit Messages
	host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:   
denied  { create } for  pid=3884 comm="dovecot"  
scontext=system_u:system_r:dovecot_t:s0  
tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
	host=trailrunner type=SYSCALL msg=audit(1241041651.976:33):  
arch=4003 syscall=102 success=no exit=-13 a0=1 a1=bf851070  
a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0  
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)  
ses=4294967295 comm="dovecot" exe="/usr/sbi

[CentOS] ps error

2009-04-30 Thread P.A
Hi does anyone know what the problem here is

[r...@dnstest lib]# ps
ps: error while loading shared libraries: libproc-3.2.3.so: cannot open
shared object file: No such file or directory

[r...@dnstest lib]# ln -s libproc-3.2.7.so libproc-3.2.3.so

[r...@dnstest lib]# ps
ps: /lib/libproc-3.2.3.so: version `_3_1_14' not found (required by ps)

as far as I know only ps is giving me this error.

CentOS release 5.3 (Final)



Re: [CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Dan Roberts

Ok, but how?

There appear to be a lot of different options when employing
audit2allow and I am reluctant to start blazing away trying different
elements.  I am missing the details of what socket and how the
execution is occurring so that I can begin to develop the proper
audit2allow sequence.





On Apr 30, 2009, at 8:43 AM, Andrew Colin Kissa wrote:


Hi

Dovecot is trying to open a socket, and procmail is trying to  
execute spamc, You should be able to fix these issues using  
audit2allow.


Andrew.

On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:

Following a hard drive corruption I have reinstalled the latest  
version of CentOS and all current patch files.


For most applications I selected the default options.  By doing  
this I expected that the packages would play nice with one another  
and I could customize as necessary.


Setting SELinux to enforce I encountered all sorts of problems -  
but most were resolvable, save for Dovecot, Procmail (for spamc),  
and an odd one with Apache.


Given that these were all installed with the CentOS install  
defaults, I can't believe I am the only one with these issues but  
finding a solution has not been self evident.  Hoping someone here  
can help.


For Dovecot I get the following:
	SELinux is preventing dovecot (dovecot_t) "create" to   
(dovecot_t). For complete SELinux messages. run sealert -l  
e1b070ab-586a-4c5a-befe-b6a46b9ab992


For procmail I get the following:
	SELinux is preventing procmail (procmail_t) "execute" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
0a554689-4948-4edf-9964-dddbfe6a2492
	SELinux is preventing sh (procmail_t) "read" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
1f1ebd83-412d-4e93-a36f-6f3d34c663df


For Apache it's even more strange - When started I get:
Syntax error on line 283 of /etc/httpd/conf/httpd.conf
DocumentRoot must be  directory

But it is a directory, has the correct permissions and I have even  
run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to  
correct the problem.  I run a virtual server too, and in trying to  
find a fix for this that may be a problem - but first things first.


All the other issues I had I could resolve when I ran the specified
"sealert" tag and followed the suggested instructions - but those
above don't budge.  When I go to the
fedora.redhat.com/docs/selinux-fq-fc5 site to take on making a local
policy module I am quickly getting lost.  The option to simply disable
SELinux with respect to Apache, Dovecot or anything else is suggested -
but not something I see in the GUI window, and I have not figured out
how to do it from the command line.


Again, because these are default packages, I hope that someone else
knows how to resolve these.


With respect to the two reports from SELinux regarding Dovecot and
procmail, here is a bit more info:


The info and Raw Audit message for dovecot_t is:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                None [ socket ]
Source                        dovecot
Source Path                   /usr/sbin/dovecot
Port
Host                          trailrunner
Source RPM Packages           dovecot-1.0.7-7.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     trailrunner
Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed
                              Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count                   2
First Seen                    Wed Apr 29 15:39:51 2009
Last Seen                     Wed Apr 29 15:47:31 2009
Local ID                      e1b070ab-586a-4c5a-befe-b6a46b9ab992
Line Numbers

Raw Audit Messages
	host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:   
denied  { create } for  pid=3884 comm="dovecot"  
scontext=system_u:system_r:dovecot_t:s0  
tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
	host=trailrunner type=SYSCALL msg=audit(1241041651.976:33):  
arch=4003 syscall=102 success=no exit=-13 a0=1 a1=bf851070  
a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0  
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)  
ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot"  
subj=system_u:system_r:dovecot_t:s0 key=(null)


The Raw Audit Message for Procmail is:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:spamc_exec_t

Re: [CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Andrew Colin Kissa

Hi

Dovecot is trying to open a socket, and procmail is trying to execute
spamc. You should be able to fix these issues using audit2allow.


Andrew.

On 30 Apr 2009, at 4:07 PM, Dan Roberts wrote:

Following a hard drive corruption I have reinstalled the latest  
version of CentOS and all current patch files.


For most applications I selected the default options.  By doing this  
I expected that the packages would play nice with one another and I  
could customize as necessary.


Setting SELinux to enforce I encountered all sorts of problems - but  
most were resolvable, save for Dovecot, Procmail (for spamc), and an  
odd one with Apache.


Given that these were all installed with the CentOS install  
defaults, I can't believe I am the only one with these issues but  
finding a solution has not been self evident.  Hoping someone here  
can help.


For Dovecot I get the following:
	SELinux is preventing dovecot (dovecot_t) "create" to   
(dovecot_t). For complete SELinux messages. run sealert -l  
e1b070ab-586a-4c5a-befe-b6a46b9ab992


For procmail I get the following:
	SELinux is preventing procmail (procmail_t) "execute" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
0a554689-4948-4edf-9964-dddbfe6a2492
	SELinux is preventing sh (procmail_t) "read" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
1f1ebd83-412d-4e93-a36f-6f3d34c663df


For Apache it's even more strange - When started I get:
Syntax error on line 283 of /etc/httpd/conf/httpd.conf
DocumentRoot must be  directory

But it is a directory, has the correct permissions and I have even  
run chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to  
correct the problem.  I run a virtual server too, and in trying to  
find a fix for this that may be a problem - but first things first.


All the other issues I had I could resolve when I ran the specified  
"sealert" tag and followed the suggested instructions - but those  
above don't budge.  When I go to the fedora.redhat.com/docs/selinux- 
fq-fc5 site to take on making a local policy module I am quickly  
getting lost .   The option to simply disable SElinux with respect  
to Apache, Dovecote or anything else is suggested - but not  
something I see in the GUI window, and I have not figured out how to  
do it from the command line.


Again, because these are default packages, I hope that someone else  
knows how to resolve these.


With respect to the two reports from SELinux regarding Dovecot and
procmail, here is a bit more info:


The info and Raw Audit message for dovecot_t is:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                None [ socket ]
Source                        dovecot
Source Path                   /usr/sbin/dovecot
Port
Host                          trailrunner
Source RPM Packages           dovecot-1.0.7-7.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     trailrunner
Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count                   2
First Seen                    Wed Apr 29 15:39:51 2009
Last Seen                     Wed Apr 29 15:47:31 2009
Local ID                      e1b070ab-586a-4c5a-befe-b6a46b9ab992
Line Numbers

Raw Audit Messages
host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:  denied  { create } for  pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=4003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)


The Raw Audit Message for Procmail is:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:spamc_exec_t:s0
Target Objects                ./spamc [ file ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port
Host                          trailrunner
Source RPM Packages           procmail-3.22-17.1.el5.centos
Target RPM Packages
Policy RPM

Re: [CentOS] eth0 killed when adding virtual interface and multiple NICs are present

2009-04-30 Thread Ross Walker

On Apr 30, 2009, at 7:31 AM, Kai Schaetzl wrote:

> JohnS wrote on Thu, 30 Apr 2009 02:17:13 -0400:
>
>> Kai, I read the Xen list and the way you're doing it (the last option)
>> looks like something I may try for testing in VMs.
>
> It works fine, I'm converting all my setups to that now.
>
>> Indeed also when I installed Xen I had to manually take out peth0 when
>> I uninstalled it.
>
> How did you manually take it down? The problem seems to be that peth0 is
> the physical interface now. But I'm not able to take it down as a bridge
> nor as a physical interface. And not without breaking the network
> connection, anyway.

The problem with Xen's network scripts is that they assume a bare bones
default network setup. If you have anything more than that then I
recommend disabling the automated network setup in xend.sxp and
manually setting up your bridges which sounds like the conclusion you
came to after much discussion.

-Ross



Re: [CentOS] tool for packet detection

2009-04-30 Thread nate
Agnello George wrote:
> Hi
> I have a small query: all our servers are CentOS based, 5 and 5.2. We are
> looking for a tool to measure packet loss. We have servers in two IDCs,
> both in the US, and we are trying to download a 2gb file from the internet.
> Some servers are able to download the file at a higher b/w rate in one IDC
> ... while servers at the other IDC download the same file at a lower b/w
> rate. Is there any tool to measure packet losses?
> Thanks a lot!

ping.

Also latency is much more likely a culprit of your bandwidth issues
rather than packet loss. Use ping or traceroute to measure the latency
from the sources to the destination(s). I have one of my sites upload
roughly 550GB of data per day to another site that is on the other side
of the country, fortunately the data comes from 40+ servers so running
them all in parallel I can get the data pretty fast (about 350Mbit).
Running each server one at a time I tend to get roughly 7Mbit/s a pop (each
side has a gigabit internet link).

In order to improve throughput I'm using rsync over HPNSSH, which does
some basic TCP magic to improve throughput over higher latency
connections -
http://www.psc.edu/networking/projects/hpn-ssh/

Interestingly enough on downloads I get higher performance, with 10
connections I can get 250Mbit, whereas on uploads I get about 70mbit,
just came across that a couple of days ago. Perhaps for some reason
HPNSSH is not as optimized for uploads(?). In any case I work around
it with multiple threads/processes since I'm dealing with roughly
150k files of various sizes per day.

Worst case split the file up on the other side and transfer it in
parallel and reconstruct it locally.

nate



Re: [CentOS] 5.3 on an EeePC??

2009-04-30 Thread Warren Young
R P Herrold wrote:
> 
> oh please -- move advocacy to a new thread rather than
> hijacking.

It's just a natural evolution of the conversation.  IMO, the answer to 
the original question is "No," so the obvious next direction to the 
conversation is "okay, what instead, then?"

Nate's answer was polite, factual, and helpful.  Hardly the sort of 
noise you find on "advocacy" forums.

You can't wave the off-topic flag, either.  Last month we were talking 
about network switches here, for Bob's sake.


[CentOS] Defaults of CentOS Install not working with SELinux

2009-04-30 Thread Dan Roberts
Following a hard drive corruption I have reinstalled the latest  
version of CentOS and all current patch files.


For most applications I selected the default options.  By doing this I  
expected that the packages would play nice with one another and I  
could customize as necessary.


Setting SELinux to enforce I encountered all sorts of problems - but  
most were resolvable, save for Dovecot, Procmail (for spamc), and an  
odd one with Apache.


Given that these were all installed with the CentOS install defaults,
I can't believe I am the only one with these issues but finding a
solution has not been self-evident.  Hoping someone here can help.


For Dovecot I get the following:
	SELinux is preventing dovecot (dovecot_t) "create" to   
(dovecot_t). For complete SELinux messages. run sealert -l  
e1b070ab-586a-4c5a-befe-b6a46b9ab992


For procmail I get the following:
	SELinux is preventing procmail (procmail_t) "execute" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
0a554689-4948-4edf-9964-dddbfe6a2492
	SELinux is preventing sh (procmail_t) "read" to ./spamc  
(spamc_exec_t). For complete SELinux messages. run sealert -l  
1f1ebd83-412d-4e93-a36f-6f3d34c663df


For Apache it's even more strange - When started I get:
Syntax error on line 283 of /etc/httpd/conf/httpd.conf
DocumentRoot must be  directory

But it is a directory, has the correct permissions and I have even run  
chcon -R -h -t httpd_sys_content_t /web/www/ in an effort to correct  
the problem.  I run a virtual server too, and in trying to find a fix  
for this that may be a problem - but first things first.


All the other issues I had I could resolve when I ran the specified
"sealert" tag and followed the suggested instructions - but those
above don't budge.  When I go to the fedora.redhat.com/docs/selinux-fq-fc5
site to take on making a local policy module I am quickly getting
lost.  The option to simply disable SELinux with respect to Apache,
Dovecot or anything else is suggested - but not something I see in
the GUI window, and I have not figured out how to do it from the
command line.


Again, because these are default packages, I hope that someone else  
knows how to resolve these.


With respect to the two reports from SELinux regarding Dovecot and
procmail, here is a bit more info:


The info and Raw Audit message for dovecot_t is:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                None [ socket ]
Source                        dovecot
Source Path                   /usr/sbin/dovecot
Port
Host                          trailrunner
Source RPM Packages           dovecot-1.0.7-7.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     trailrunner
Platform                      Linux trailrunner 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 10:38:05 EDT 2009 i686 athlon
Alert Count                   2
First Seen                    Wed Apr 29 15:39:51 2009
Last Seen                     Wed Apr 29 15:47:31 2009
Local ID                      e1b070ab-586a-4c5a-befe-b6a46b9ab992
Line Numbers

Raw Audit Messages
host=trailrunner type=AVC msg=audit(1241041651.976:33): avc:  denied  { create } for  pid=3884 comm="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=socket
host=trailrunner type=SYSCALL msg=audit(1241041651.976:33): arch=4003 syscall=102 success=no exit=-13 a0=1 a1=bf851070 a2=9e45030 a3=3e1 items=0 ppid=3883 pid=3884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)


The Raw Audit Message for Procmail is:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:spamc_exec_t:s0
Target Objects                ./spamc [ file ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port
Host                          trailrunner
Source RPM Packages           procmail-3.22-17.1.el5.centos
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode

Re: [CentOS] 5.3 on an EeePC??

2009-04-30 Thread Warren Young
nate wrote:
>> (There are even some things the simpler Red Hattish tools can do that
>> the Debian ones can't, easily.  rpm -qa, for one.)
> 
> rpm -qa typically just lists all of the packages on the system,
> the equivalent in debian is dpkg -l.

Not really equivalent.  The output is only sort of greppable.  I 
frequently say something like "rpm -qa |grep -i mysql-", in that 
particular case because MySQL, Inc. keeps changing the way they name 
their RPMs, so I can never remember the exact package name to query on a 
given system when I'm looking at versions to decide whether to upgrade. 
  If the truncated part of a long package name has what you want to 
grep, you won't find that package.

And yes, I do remember RTFMing dpkg(1) and found that you can change the 
output format of dpkg -l to be more like rpm -qa, but I recall that the 
required command was way too long to type each time.  Sure, I can wrap 
it in a script, but then I'm customizing all my systems to add commands 
to it that should have been in the base distro.

Of such minor things are distro choices made.

> A single unified source for patches,
> security fixes etc.

Yes, that's one of the things I take into account when deciding whether 
I want to use Ubuntu for a particular task: whether I need access to its 
huge repositories, or if I can get by with what CentOS provides, plus 
maybe a few third-party add-ons.  Beyond a certain point, the choice 
becomes clear.

This is not the case for most of my server-class machines, however. 
Basics like LAMP and Samba are all I really need in most cases.

> Also the debian package databases are in plain text format, while
> I'm sure it has happened I have never personally heard of someone
> suffering from package database corruption on debian(assuming they
> were running the 'stable' version). Such corruption reports seem
> somewhat common in the RPM world with the binary databases.

It's been many years since I had to run rpm --rebuilddb.  It never did 
fail on me the few times I did have to run it, and the need to run it 
was *always* due to a kernel panic while manipulating the RPM DB, or 
proximate in time to it.  Kernel panics always were rare on stable Linux 
distros even way back in the mid 90s, increasingly rare now, and RPM DB 
updates are rare in their own right.  Rare squared.

> Add to that the well tested ability to upgrade between minor
> and major version numbers time and time again. I don't have to
> hold my breath when I go from Debian 4.0 to 5.0, I can do it from
> remote without ever losing connectivity, I don't even have to reboot
> at the end I can continue running the older kernel if I want.

I like that feature in principle, though I can't think I'd actually want 
it on any of my servers.  On a desktop, sure, but never on a production 
server.  I'd rather keep something creaking along on CentOS 3, running 
the server's tired old hardware into the ground, building a new CentOS 5 
box to replace it in a swift cut-over, rather than upgrade that old box 
in place.

I do like the way Ubuntu LTS works in this regard, though.  It stays 
locked in the LTS jail, mostly as stable as CentOS with regard to 
updates, as long as you just do apt-get upgrade, but you can break out 
with a dist-upgrade to get onto the bleeding edge releases if you really 
want to.  I still can't see myself ever doing that on a production 
server, but I guess it's nice to know I could.

> I've never really been fond of yum myself, though it is much better
> than what was there before(nothing, before rhn at least).

The only thing I don't like about yum is how hard it is to kill an 
in-progress yum update, while it's still in the package downloading 
phase.  Other than that, I greatly prefer it to the wordy apt-foo commands.

> I currently maintain roughly 100 SRPMS

And does your experience line up with mine, which is that the debian/* 
big-tree-of-assorted-files is a mess, nowhere near as clean as 
package-name.spec?


Re: [CentOS] eth0 killed when adding virtual interface and multiple NICs are present

2009-04-30 Thread Kai Schaetzl
JohnS wrote on Thu, 30 Apr 2009 02:17:13 -0400:

> Kai, I read the Xen list and the way you're doing it (the last option)
> looks like something I may try for testing in VMs.

It works fine, I'm converting all my setups to that now.

> Indeed also when I installed Xen I had to manually take out peth0 when
> I uninstalled it.

How did you manually take it down? The problem seems to be that peth0 is 
the physical interface now. But I'm not able to take it down as a bridge 
nor as a physical interface. And not without breaking the network 
connection, anyway.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: [CentOS] tool for packet detection

2009-04-30 Thread John Doe

From: Agnello George 
> I have a small query: all our servers are CentOS based, 5 and 5.2. We are
> looking for a tool to measure packet loss. We have servers in two IDCs,
> both in the US, and we are trying to download a 2gb file from the internet.
> Some servers are able to download the file at a higher b/w rate in one IDC
> ... while servers at the other IDC download the same file at a lower b/w
> rate. Is there any tool to measure packet losses?
> Thanks a lot!

In the meantime, ifconfig shows you the values for errors/dropped/collisions...
You can also see them in /proc/net/dev

JD
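
An added example, not part of the original message: the counters in /proc/net/dev are cumulative since boot, so the useful number is the change between two readings taken around a transfer. The Python sketch below parses two constructed snapshots (note the `eth0:918273645` form with no space after the colon) and reports the error, drop and collision counters that moved; the function names are hypothetical, and treating a counter that goes backwards as a 32-bit wrap is an assumption.

```python
RX = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")
TX = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")
WATCH = ("rx_errs", "rx_drop", "rx_frame", "tx_errs", "tx_drop", "tx_colls")

# Constructed snapshots in /proc/net/dev layout, before and after a download.
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104200    1200    0    0    0     0          0         0   104200    1200    0    0    0     0       0          0
  eth0:918273645 7400000   12  340    0     3          0        15 55500000  510000    0    0    0    42       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104900    1210    0    0    0     0          0         0   104900    1210    0    0    0     0       0          0
  eth0:921000000 7450000   12  395    0     3          0        15 55900000  512000    0    0    0    47       0          0
"""

def parse_net_dev(text):
    """Map interface name -> {'rx_bytes': ..., 'tx_colls': ...}."""
    keys = ["rx_" + n for n in RX] + ["tx_" + n for n in TX]
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        name, sep, rest = line.partition(":")   # counters may abut the colon
        values = rest.split()
        if not sep or len(values) != len(keys):
            continue                            # not a counter line
        stats[name.strip()] = dict(zip(keys, map(int, values)))
    return stats

def counter_deltas(before, after, watch=WATCH, wrap=2**32):
    """Return only the watched counters that changed, per interface."""
    report = {}
    for iface, now in after.items():
        if iface not in before:
            continue
        changed = {}
        for key in watch:
            diff = now[key] - before[iface][key]
            if diff < 0:        # assumed 32-bit counter wrap between readings
                diff += wrap
            if diff:
                changed[key] = diff
        if changed:
            report[iface] = changed
    return report

if __name__ == "__main__":
    print(counter_deltas(parse_net_dev(SNAP_T0), parse_net_dev(SNAP_T1)))
```

These counters only cover the local interface; loss further along the path does not show up in them.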


  



Re: [CentOS] 5.3 on an EeePC??

2009-04-30 Thread Michael A. Peters
Beartooth wrote:

> 
>   I try never to install Ffx anywhere without NoScript, Adblock, 
> and several more.

I do not use Adblock because I am a member of an online community that 
specifically forbids blocking of advertisements, their primary revenue 
source.

An exception is made for noscript - which will block flash 
advertisements not on white listed servers because they do not expect a 
user to compromise security measures (it's a geek community) to use the 
site, and the advertiser has the option of using a standard jpeg or gif 
banner which won't be blocked by noscript (but will be blocked by adblock).