[CentOS-announce] CEBA-2012:0008 CentOS 5 gnome-screensaver Update
CentOS Errata and Bugfix Advisory 2012:0008

Upstream details at: https://rhn.redhat.com/errata/RHBA-2012-0008.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

i386:
ea48a7e44c4d147177b900cc46338d3ca544f9b333cfcc235dc6544f27deb13a gnome-screensaver-2.16.1-8.el5_7.5.i386.rpm

x86_64:
81830f4a846ed33c5ea9e3b23295b39950ab81a29c0a94f0dedb90b76cb1baa4 gnome-screensaver-2.16.1-8.el5_7.5.x86_64.rpm

Source:
97165f207769fb6222d35179017359e2e7b62a374d2e0fec72268a4063ec950b gnome-screensaver-2.16.1-8.el5_7.5.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net

___
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CEBA-2012:0009 CentOS 6 bind Update
CentOS Errata and Bugfix Advisory 2012:0009

Upstream details at: https://rhn.redhat.com/errata/RHBA-2012-0009.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Re: [CentOS-virt] Has anyone been able to start a Fedora 16 VM in Xen PV?
On Mon, 9 Jan 2012, R P Herrold wrote:
> On Tue, 10 Jan 2012, Norman Gaywood wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=746602
>> (pygrub cannot start F16 PV guests (GPT partition) under Xen 4.1.1)
>
> why would one use GPT for a domU? seems like gross overkill

... following on myself, I moved a F15 box to F16 trivially just now at PMman, with grub2 in place and the full boat SELinux, running recovery backups, and so forth

I understand the desire to do native installs of domU's, but if the goal is not to test the installer, but rather to have a F16 environment to run in, F16 is readily available, and it took what? a bit under a half an hour from a standing start to all done, not even pushing hard

I'll be at Fedora's FudCon in Blacksburg this weekend, if anyone wants to stop up, say 'Hi', and try it themselves in the PMman environment, as I can clone and hand off a copy of that machine at will; I'll tear off a x64_64 box as well

-- Russ herrold

[log file is in reverse chronological sequence]

2012-01-10 04:07:09 Backup Management herr...@owlriver.com VM userbackup has been renamed: F16 post panel backup (120)
2012-01-10 04:06:36 Support Message herr...@owlriver.com Subject: post second backup
    herrold@2009-windows-7 ~/.ssh $ ssh -i f16 -l root 198.178.231.162
    Last login: Tue Jan 10 09:04:19 2012 from cpe-75-180-54-15.columbus.res.rr.com
    [root@none ~]# date
    Tue Jan 10 09:06:17 EST 2012
    [root@none ~]# T (1)
2012-01-10 04:06:01 VM State Change herr...@owlriver.com VM state has changed to Starting
2012-01-10 04:05:54 VM Management herr...@owlriver.com VM was issued a START command
2012-01-10 04:05:53 Backup Management herr...@owlriver.com VM backup is requesting the VM startup
2012-01-10 04:05:52 Backup Management herr...@owlriver.com User VM backup has completed: vm_54818_1326186306
2012-01-10 04:05:07 Backup Management herr...@owlriver.com User VM backup has been initiated: vm_54818_1326186306
2012-01-10 04:04:48 VM State Change herr...@owlriver.com VM state has changed to Stopping
2012-01-10 04:04:46 VM Management herr...@owlriver.com VM was issued a STOP command
2012-01-10 04:04:45 Backup Management herr...@owlriver.com VM backup is requesting the VM shutdown
2012-01-10 04:04:44 Backup Management herr...@owlriver.com VM backup has been ordered
2012-01-10 04:04:03 Backup Management herr...@owlriver.com VM userbackup has been renamed: F16 but pre-panel yum run (119)
2012-01-10 04:02:45 VM Management herr...@owlriver.com Yum update has been initiated on the VM: 75.180.54.15
2012-01-10 04:02:43 VM Management herr...@owlriver.com Yum was requested through the control panel: 75.180.54.15
2012-01-10 04:01:59 VM State Change herr...@owlriver.com VM state has changed to Starting
2012-01-10 04:01:52 VM Management herr...@owlriver.com VM was issued a START command
2012-01-10 04:01:51 Backup Management herr...@owlriver.com VM backup is requesting the VM startup
2012-01-10 04:01:50 Backup Management herr...@owlriver.com User VM backup has completed: vm_54818_1326185950
2012-01-10 03:59:11 Backup Management herr...@owlriver.com User VM backup has been initiated: vm_54818_1326185950
2012-01-10 03:58:52 VM State Change herr...@owlriver.com VM state has changed to Stopping
2012-01-10 03:58:50 VM Management herr...@owlriver.com VM was issued a STOP command
2012-01-10 03:58:49 Backup Management herr...@owlriver.com VM backup is requesting the VM shutdown
2012-01-10 03:58:43 Backup Management herr...@owlriver.com VM backup has been ordered
2012-01-10 03:57:56 VM Management herr...@owlriver.com VM friendly name has changed: F16 i386
2012-01-10 03:57:23 Support Message herr...@owlriver.com Subject: more of the fstab
    #
    /dev/xvda1 / ext4 defaults 1 1
    /dev/xvda2 swap swap defaults 0 0
    tmpfs /dev/shm tmpfs defaults T (2)
2012-01-10 03:57:03 Support Message herr...@owlriver.com Subject: fstab
    [root@none ~]# cat /etc/fstab
    #
    # /etc/fstab
    # Created by anaconda on Sun Oct 9 21:31:47 2011
    #
    # Accessible filesystems, by reference, are maintained under '/dev/disk'
    # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) T (2)
2012-01-10 03:56:17 Support Message herr...@owlriver.com Subject: rest of the paste
    20:10:09 UTC 2012 i686 i686 i386 GNU/Linux
    [root@none ~]# date
    Tue Jan 10 08:55:28 EST 2012
    [root@none ~]# T (2)
2012-01-10 03:55:44 Support Message herr...@owlriver.com Subject: and we're back
    herrold@2009-windows-7 ~/.ssh $ ssh -i f16 -l root 198.178.231.162
    Last login: Tue Jan 10 08:31:38 2012 from cpe-75-180-54-15.columbus.res.rr.com
    [root@none ~]# uname -a
    Linux none 3.1.7-1.fc16.i686.PAE #1 SMP Tue Jan 3 20:10: T (2)
2012-01-10 03:55:13 Support Message herr...@owlriver.com Subject: reboot delay
    [root@(none) ~]# reboot
    (from another box, watch it)
    [herrold@bronson rc.d]$ ping
Re: [CentOS-virt] Has anyone been able to start a Fedora 16 VM in Xen PV?
Ditto on my end - I tried both with the same results you mention...

On Tue, 10 Jan 2012, Norman Gaywood wrote:
> On Mon, Jan 09, 2012 at 07:20:05PM -0500, S.Tindall wrote:
>> On Mon, 2012-01-09 at 18:56 -0500, R P Herrold wrote:
>>> On Tue, 10 Jan 2012, Norman Gaywood wrote:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=746602
>>>> (pygrub cannot start F16 PV guests (GPT partition) under Xen 4.1.1)
>>>
>>> why would one use GPT for a domU? seems like gross overkill
>>
>> There are a bunch of grub2-related issues associated with F16 anaconda and one of the easiest ways to deal with them is to use gpt. There is a nogpt kernel option that may help, but I have not tried it.
>
> Yes, GPT is the default for F16 so it is easier just to go with it.
>
> I have tried the nogpt option and F16 installs OK (as it does without it). However it still can't boot:
>
> [root@dom0 ~]# sfdisk -d /dev/VM/f16
> # partition table of /dev/VM/f16
> unit: sectors
> /dev/VM/f161 : start= 2048, size= 1024000, Id=83, bootable
> /dev/VM/f162 : start= 1026048, size= 40916992, Id=8e
> /dev/VM/f163 : start=0, size=0, Id= 0
> /dev/VM/f164 : start=0, size=0, Id= 0
>
> [root@dom0 ~]# pygrub -i /dev/VM/f16
> Traceback (most recent call last):
> File /usr/bin/pygrub, line 691, in ?
> chosencfg = run_grub(file, entry, fs)
> File /usr/bin/pygrub, line 545, in run_grub
> g = Grub(file, fs)
> File /usr/bin/pygrub, line 203, in __init__
> self.read_config(file, fs)
> File /usr/bin/pygrub, line 402, in read_config
> if self.cf.filename is None:
> AttributeError: Grub instance has no attribute 'cf'
>
> The error is in the parsing of the grub2 config I believe.
>
> --
> Norman Gaywood, Computer Systems Officer
> University of New England, Armidale, NSW 2351, Australia
> ngayw...@une.edu.au Phone: +61 (0)2 6773 3337
> http://mcs.une.edu.au/~norm Fax: +61 (0)2 6773 3312
> Please avoid sending me Word or PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html

Scot P. Floess
RHCT (Certificate Number 605010084735240)
Chief Architect FlossWare
http://sourceforge.net/projects/flossware
http://flossware.sourceforge.net
https://github.com/organizations/FlossWare

___
CentOS-virt mailing list
CentOS-virt@centos.org
http://lists.centos.org/mailman/listinfo/centos-virt
[CentOS-es] Sendmail
Hello list,

How do I make sendmail not require adding the domains to the access file in order to allow sending mail to domains that are not registered?? This is not very automated!!

Centos5.4 + sendmail+spamassassin+mailscanner+clamd

Thanks

--
LCC Felipe Humberto Cabada Arismendiz

___
CentOS-es mailing list
CentOS-es@centos.org
http://lists.centos.org/mailman/listinfo/centos-es
[CentOS-es] Mounting a disk
Hello friends, hoping everyone is well, I am turning to you to see if you can give me a hand with a problem. I have an HP ProLiant server with CentOS 5.7 with two 146 GB disks set up in the hardware RAID that comes by default. We acquired a new 2 TB disk, which is already mounted and my Linux recognizes it fine; I can copy and do everything on the disk on the server itself. Now the idea is to share this disk on the network via Samba so that users can use it as a container for their files. For that I lay out the following:

1.- The disk is mounted here

/dev/sda1 1,8T 196M 1,7T 1% /root/archivos

[root@localhost ~]# df -h
S.ficheros Tamaño Usado Disp Uso% Montado en
/dev/sdb5 143G 2,7G 133G 2% /
/dev/sdb3 494M 11M 458M 3% /tmp
/dev/sdb1 99M 11M 83M 12% /boot
tmpfs 220M 0 220M 0% /dev/shm
/dev/sda1 1,8T 196M 1,7T 1% /root/archivos

2.- I can copy and move files on the server itself without problems; in fstab it is mounted like this

/dev/sda1 /root/archivos ext3 defaults 0 0

3.- When the machine boots it mounts fine. Now, in my smb.conf file I have this

[root@localhost ~]# cat /etc/samba/smb.conf
[global]
log file = /var/log/samba/log.%m
name resolve order = wins hosts bcast
announce version = 5.2
domain master = yes
encrypt passwords = true
wins proxy = yes
wins support = true
dns proxy = yes
netbios name = archivos
max wins ttl = 518400
server string = archivos
max ttl = 86400
local master = yes
workgroup = ARQUITECTOS
os level = 100
debug level = 2
announce as = nt
min wins ttl = 21600
max log size = 50
security = share
username map = /etc/samba/smbusers
smb passwd file = /etc/samba/smbpasswd
encrypt passwords = yes
Win7 Support
client ntlmv2 auth = yes
client lanman auth = yes
client plaintext auth = yes
lanman auth = yes
ntlm auth = yes

[archivos]
comment = directorio publico
writeable = yes
delete readonly = yes
browseable = yes
public = yes
guest ok = Yes
path = /root/archivos
create mask = 1777
directory mask = 1777
hide dot files = Yes

4.- But when trying to enter the shared folder that is on the new disk I get the error that you can see here http://servicomecuador.com/capturas/error.JPG

5.- I already changed the permissions and the owners of the shared folder to nobody and to permissions 777 in case that was it, but it still does not work

[root@localhost archivos]# cd archivos/
[root@localhost archivos]# ll
total 20
drwxrwxrwx 2 nobody nobody 4096 ene 10 20:30 archivos
drwx-- 2 root root 16384 ene 10 19:59 lost+found
[root@localhost archivos]#

Hopefully someone can give me a hand, thanks to all

César
Re: [CentOS-es] Relay access denied [RCPT_TO] postfix+ centos 5.7
2012/1/9 diego sanchez dieg...@gmail.com
> On 07/01/2012 02:54 a.m., Carlos Sura wrote:
>> I have CentOS installed with postfix and 5 IPs rotating on each email I send (it is never the same one). I can send messages, but when it comes to receiving, that is, when I send from this address to an email address on the server @dominio.com, it gives me the following message:
>>
>> Remote host said: 554 5.7.1usua...@midominio.com: Relay access denied [RCPT_TO]
>>
>> I have been investigating, but I do not have any relay and I have no idea why it would cause that error; if you help me I will be grateful. I leave you some data of interest.
>>
>> postconf -n http://tinypaste.com/68912159
>> dovecot -f http://tinypaste.com/c4291650
>
> Carlos, it seems you are not authenticating with the user. In my case, I only authenticated with one account (my gmail one), but maybe this will help you
> http://www.freelinuxtutorials.com/quick-tips-and-tricks/configure-postfix-to-use-gmail-in-rhelcentos/

Thanks for your kind reply, I have already solved it. The problem is that I was trying to relay using GMAIL, which I was not aware of until they told me; I removed it and now it works very well.

Regards

--
Carlos Sura.-
www.carlossura.com
Re: [CentOS] yum-priorities behavior with downgrades [was: sa-update error with perl]
Johnny Hughes wrote:
> On 01/09/2012 09:59 PM, Anthony wrote:
>
> In both cases, you are not going to be told about packages already installed that are newer than those in the CentOS. You can find those RPMs though by doing this:
>
> rpm -qa | egrep '\.rf' | sort
>
> that will tell you all repoforge rpms installed ... then do this to see which ones also have duplicates from base or updates:
>
> yum --disablerepo=\* --enablerepo=base --enablerepo=updates --showduplicates list all $(rpm -q --qf '%{name} ' $(rpm -qa | grep '\.rf'))
>
> That should work to tell you which .rf packages are also in base or updates.

and if you find any that are .rf (not .rfx==repoforge extras), you can report them to the repoforge mailing list or on their github, because packages that conflict with base+updates are supposed to be in rfx now, not rf.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux and access across 'similar types'
On Tuesday 10 January 2012 04:05:43 Marko Vojinovic wrote:
> On Monday 09 January 2012 15:29:59 Daniel J Walsh wrote:
>> file_t means the file has no label, so the only way to create this type of file would be to remove the security attributes on the file. On an SELinux system, file_t should never be created, they are only created on a disabled SELinux system. I guess you could try to use chcon -t file_t on a file, but I believe the kernel will block that. Or you could attempt to delete the SELinux label, but that might also be denied.
>
> Ok, now I think I understand. The OP has stale files in /tmp which are not labelled, due to not purging /tmp on reboot. SELinux doesn't know how these files should be labelled, so it doesn't even try, and gives them the type file_t, which is a synonym for "this file doesn't have a type".
>
> So the answer for the OP is to use chcon on this file to label it somehow. If that doesn't work, he should delete the file and recreate it (while SELinux is active), so that it gets properly labelled.
>
> I learned something new today. :-) Thanks for the explanation!
>
> Best, :-)
> Marko

+1

I think I'm finally getting the hang of this SELinux.

Tony
Re: [CentOS] missing email
On 1/9/2012 10:31 AM, m.r...@5-cent.us wrote:
> I *loathe* dnsorbs
>
> Maybe this one will get through its crap. Maybe if I add a few more words
>
> John R. Dennison wrote:
>> On Mon, Jan 09, 2012 at 12:49:31PM -0500, m.r...@5-cent.us wrote:
>>> I haven't gotten anything from the list since my email of 09:34 EST. Do I have a problem, or is the list quiet? Please cc me offlist, if this goes through.
>>
>> I hope you get 20,000 replies :)
>
> Nope, jes' one, so far.
> snip
>> You _could_ just have checked the archive.
>
> Actually, I went to the archives, and at least saw something from *sigh* Bennett that was dated 12:34 or so today; that was why I asked. Dunno if someone (NOT my hosting co - I don't have any filtering turned on) is delaying, or filtering, or if I'd been dropped for some reason, or

In response to this message from *sigh* Mark, I dug up a bounce message that I got when trying to send email to this list yesterday. The bounce indicated that at the time, all mail from Gmail (or at least one particular Gmail SMTP server) was being blocked. I followed the link in the bounce message and got the IP of that SMTP server removed from the blacklist.

Maybe the blacklist server had temporarily gotten into a state where it was reporting all IP addresses as spam sources (not just gmail). Or more generally, if a spam filter is so aggressive that it starts blocking all mail from Gmail, it's probably aggressive enough that it erratically blocks mail from lots of other sources as well. (If that had been the case though, you presumably would have gotten a bounce message like I did.)

Here is the bounce message:

Delivery to the following recipient failed permanently:

centos-d...@centos.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 Service unavailable; Client host [209.85.210.179] blocked using ix.dnsbl.manitu.net; Your e-mail service was detected by mx.selfip.biz (NiX Spam) as spamming at Sun, 08 Jan 2012 22:02:35 +0100. Your admin should visit http://www.dnsbl.manitu.net/lookup.php?value=209.85.210.179 (state 14).

- Original message -

Received: by 10.50.153.234 with SMTP id vj10mr16576276igb.16.1326063636220; Sun, 08 Jan 2012 15:00:36 -0800 (PST)
Return-Path: bennetthasel...@gmail.com
Received: from [192.168.1.33] (50-54-225-130.evrt.wa.frontiernet.net. [50.54.225.130]) by mx.google.com with ESMTPS id l35sm243526964ibj.0.2012.01.08.15.00.34 (version=SSLv3 cipher=OTHER); Sun, 08 Jan 2012 15:00:35 -0800 (PST)
Sender: Bennett Haselton bennetthasel...@gmail.com
Message-ID: 4f0a2011.1020...@peacefire.org
Date: Sun, 08 Jan 2012 15:00:33 -0800
[CentOS] defense-in-depth possible for sshd?
If an attacker finds an exploit to take control of httpd, they're still blocked in part by the fact that httpd runs as the unprivileged apache user and hence can't write any root-owned files on the system, unless the attacker also knows of a second attack that lets apache escalate its privilege. Basically correct?

What about sshd -- assuming that the attacker can connect to sshd at all (i.e. not prevented by a firewall), if they find an exploit to let them take control of sshd, would that imply immediate total control of the machine? Because if they can control sshd they can tell sshd, "Allow root login (even if prohibited in sshd.conf) and accept 'foo' as the password", then the attacker can log in as root.

Is it possible, even in theory, to provide a second layer of defense behind sshd to prevent the attacker from controlling the machine, if the attacker controls sshd? The "log me in as root" attack would appear to imply that an extra layer is not possible.

(Note I'm not talking about extra layers of security *in front* of sshd, like a firewall that only permits logins from known locations. I'm also not talking about detection after the fact -- obviously you can detect unexpected root logins from the /var/log/secure* files if the attacker doesn't erase them -- only whether you could use extra layers to *prevent* the attacker from owning the machine if they take control of sshd.)
Re: [CentOS] defense-in-depth possible for sshd?
On 01/10/12 11:12, Bennett Haselton wrote:
> What about sshd -- assuming that the attacker can connect to sshd at all (i.e. not prevented by a firewall), if they find an exploit to let them take control of sshd, would that imply immediate total control of the

UsePrivilegeSeparation
Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''. If UsePrivilegeSeparation is set to ``sandbox'' then the pre-authentication unprivileged process is subject to additional restrictions.

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_configsektion=5

also selinux is everywhere these days... (default mechanism for defense-in-depth)

HTH,
Adrian
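The monitor/child split that the quoted UsePrivilegeSeparation text describes, as an added C example that is not part of the thread and is not OpenSSH source: the child that handles untrusted input can only send a request, and the accept/reject decision (including an assumed "no root logins" policy) is made in the parent. The names `try_login`, `run_session` and `monitor_decide`, the request layout and the credential are constructed for illustration, and the uid switch a real unprivileged child performs is left out so the program runs without root.

```c
/* Added illustration, not OpenSSH source: the monitor/child message pattern
 * that privilege separation relies on. All names and values are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

enum { REQ_AUTH = 1 };               /* the only request type the monitor accepts */

struct request {                     /* fixed-size message, child -> monitor */
    int  type;
    char user[32];
    char pass[64];
};

/* Runs only in the parent (monitor). The child cannot change this policy;
 * it can only submit requests and receive a one-byte verdict. */
static int monitor_decide(const struct request *rq)
{
    if (rq->type != REQ_AUTH) return 0;                      /* unknown request */
    if (!memchr(rq->user, '\0', sizeof rq->user)) return 0;  /* unterminated    */
    if (!memchr(rq->pass, '\0', sizeof rq->pass)) return 0;
    if (strcmp(rq->user, "root") == 0) return 0;             /* assumed policy  */
    /* Constructed credential; real code compares hashes in constant time. */
    return strcmp(rq->user, "bob") == 0 &&
           strcmp(rq->pass, "constructed-pass") == 0;
}

static int read_full(int fd, void *buf, size_t len)
{
    char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n <= 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Network-facing side. A real child would first chroot and switch to an
 * unprivileged uid; that step is omitted here. Whatever bytes it sends,
 * it only ever gets a verdict back. */
static void child_main(int fd, const struct request *rq)
{
    char verdict = 0;
    if (write(fd, rq, sizeof *rq) != (ssize_t)sizeof *rq) _exit(2);
    if (read_full(fd, &verdict, 1) != 0) _exit(2);
    _exit(verdict ? 0 : 1);
}

/* Fork a child that submits *from_child; return the monitor's verdict. */
int run_session(const struct request *from_child)
{
    int sv[2], status;
    struct request rq;
    char verdict = 0;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); child_main(sv[1], from_child); }

    close(sv[1]);
    if (read_full(sv[0], &rq, sizeof rq) == 0) {
        verdict = (char)monitor_decide(&rq);
        if (write(sv[0], &verdict, 1) != 1) verdict = 0;
    }
    close(sv[0]);
    waitpid(pid, &status, 0);
    return verdict;
}

/* Build the message a child would send and run one session with it. */
int try_login(int type, const char *user, const char *pass)
{
    struct request rq;
    memset(&rq, 0, sizeof rq);
    rq.type = type;
    snprintf(rq.user, sizeof rq.user, "%s", user);
    snprintf(rq.pass, sizeof rq.pass, "%s", pass);
    return run_session(&rq);
}

int main(void)
{
    printf("bob, right password : %d\n", try_login(REQ_AUTH, "bob", "constructed-pass"));
    printf("bob, wrong password : %d\n", try_login(REQ_AUTH, "bob", "foo"));
    printf("root, any password  : %d\n", try_login(REQ_AUTH, "root", "foo"));
    printf("unknown request type: %d\n", try_login(99, "root", "foo"));
    return 0;
}
```

A child that has been taken over can still send any bytes it likes, but its only influence on the parent is through what `monitor_decide` accepts, so the parent's request handling is the code that has to be kept small and correct.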
Re: [CentOS] defense-in-depth possible for sshd?
On 1/10/2012 2:02 AM, Adrian Sevcenco wrote:
> On 01/10/12 11:12, Bennett Haselton wrote:
>> What about sshd -- assuming that the attacker can connect to sshd at all (i.e. not prevented by a firewall), if they find an exploit to let them take control of sshd, would that imply immediate total control of the
>
> UsePrivilegeSeparation
> Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''. If UsePrivilegeSeparation is set to ``sandbox'' then the pre-authentication unprivileged process is subject to additional restrictions.
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_configsektion=5

OK. So it sounds like if you found a particular exploit in sshd that could *only* do certain things -- like write a file to an arbitrary location on disk -- then this privilege separation would prevent that exploit from being used to make the child process write somewhere that it didn't have privileges to write to.

On the other hand if you found an exploit that let you take complete control of sshd, you could just tell it "allow logins from root, accept 'foo' as the password", and then do whatever you were going to do before, and that would presumably work, wouldn't it?

Bennett
Re: [CentOS] vmware player CentOS 6 2-button 3-button touch pad with pointing device Lenovo ThinkPad
On Monday 09 January 2012 23:36:53 Igor Furlan wrote:
> Is there a way to revert the 'copypaste' functionality back to the traditional UNIX way of doing it, highlight the text with left mouse/touchpad button and paste it with the middle mouse/touchpad button.

AFAIK, it *should* work while in CentOS. I mean, when both the select and paste operations are inside CentOS. Selecting in Windows and pasting in CentOS (and vice versa) has to be done in the Windows-style. I am yet to see a Windows machine configured to have the select and copy operations merged into one, let alone paste-ing with the middle mouse button... ;-)

> Any hint | solution | RTFM pointer | advice is more than welcome

Maybe take a look at gpm?

man gpm
yum info gpm

HTH, :-)
Marko
[CentOS] bug submission justified for distribution of obsolete java software?
Readers,

Would someone advise whether the distribution of an obsolete version of java should be reported as a bug;

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827
Re: [CentOS] defense-in-depth possible for sshd?
From: Bennett Haselton benn...@peacefire.org
> On 1/10/2012 2:02 AM, Adrian Sevcenco wrote:
>> UsePrivilegeSeparation
>> Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''.
>
> OK. So it sounds like if you found a particular exploit in sshd that could *only* do certain things -- like write a file to an arbitrary location on disk -- then this privilege separation would prevent that exploit from being used to make the child process write somewhere that it didn't have privileges to write to.

Do a ps and look at the sshd tree. Example:

root 6014 0.0 0.1 97816 3760 ? S 11:01 0:00 \_ sshd: bob [priv]
bob 6029 0.0 0.0 97816 1796 ? S 11:01 0:00 \_ sshd: bob@pts/2
bob 6030 0.0 0.0 108392 1760 pts/2 Ss 11:01 0:00 \_ -bash

The sshd child is running as bob; so it has bob (and not root) rights...

JD
Re: [CentOS] bug submission justified for distribution of obsolete java software?
On 10 January 2012 13:04, e-letter inp...@gmail.com wrote:
> Readers,
>
> Would someone advise whether the distribution of an obsolete version of java should be reported as a bug;
>
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827

Why is this a bug? The bug comments mention that the latest CentOS 6 has 1.10.4 which is supported by the Icedtea people. I quote from the comments:

---8
The newest version of IcedTea in CentOS6 (6.2) is 1.10.4:
http://mirrors.kernel.org/centos/6.2/os/i386/Packages/java-1.6.0-openjdk-1.6.0.0-1.41.1.10.4.el6.i686.rpm
---8

Thus upgrade your CentOS to the latest point release as a minimum as suggested in the issue you raised.

Again from the issue raised, the following link is pretty enlightening:

http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e
Re: [CentOS] defense-in-depth possible for sshd?
On 1/10/2012 5:16 AM, John Doe wrote:
> From: Bennett Haselton benn...@peacefire.org
>> On 1/10/2012 2:02 AM, Adrian Sevcenco wrote:
>>> UsePrivilegeSeparation
>>> Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''.
>>
>> OK. So it sounds like if you found a particular exploit in sshd that could *only* do certain things -- like write a file to an arbitrary location on disk -- then this privilege separation would prevent that exploit from being used to make the child process write somewhere that it didn't have privileges to write to.
>
> Do a ps and look at the sshd tree. Example:
>
> root 6014 0.0 0.1 97816 3760 ? S 11:01 0:00 \_ sshd: bob [priv]
> bob 6029 0.0 0.0 97816 1796 ? S 11:01 0:00 \_ sshd: bob@pts/2
> bob 6030 0.0 0.0 108392 1760 pts/2 Ss 11:01 0:00 \_ -bash
>
> The sshd child is running as bob; so it has bob (and not root) rights...
>
> JD

Yes, I understand that. What I said was that if you could take complete control of the sshd process you were connecting to, even if that process was completely unprivileged, you could still make it say "Accept a login from 'root' with password 'foo'" and then log in as root.

Bennett
Re: [CentOS] SELinux and access across 'similar types'
On 1/9/2012 8:05 PM, Marko Vojinovic wrote:
> On Monday 09 January 2012 15:29:59 Daniel J Walsh wrote:
>> file_t means the file has no label, so the only way to create this type of file would be to remove the security attributes on the file. On an SELinux system, file_t should never be created, they are only created on a disabled SELinux system. I guess you could try to use chcon -t file_t on a file, but I believe the kernel will block that. Or you could attempt to delete the SELinux label, but that might also be denied.
>
> Ok, now I think I understand. The OP has stale files in /tmp which are not labelled, due to not purging /tmp on reboot. SELinux doesn't know how these files should be labelled, so it doesn't even try, and gives them the type file_t, which is a synonym for "this file doesn't have a type".
>
> So the answer for the OP is to use chcon on this file to label it somehow. If that doesn't work, he should delete the file and recreate it (while SELinux is active), so that it gets properly labelled.

OK, I did delete the files in the /tmp/ directory, and as the running apache process re-created them, it created them with the correct type:

[root@g6950-21025 tmp]# ls -lZ *
-rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
-rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_LAZYFROG.INFO
etc.

So the documentation is missing something about clearing files out of /tmp/ (or they won't get relabeled properly and processes won't be able to access them under SELinux), but at least it's working now.

Bennett

> I learned something new today. :-) Thanks for the explanation!
>
> Best, :-)
> Marko
Re: [CentOS] SELinux and access across 'similar types'
On 01/10/2012 08:37 AM, Bennett Haselton wrote:
> On 1/9/2012 8:05 PM, Marko Vojinovic wrote:
>> On Monday 09 January 2012 15:29:59 Daniel J Walsh wrote:
>>> file_t means the file has no label, so the only way to create this type of file would be to remove the security attributes on the file. On an SELinux system, file_t should never be created, they are only created on a disabled SELinux system. I guess you could try to use chcon -t file_t on a file, but I believe the kernel will block that. Or you could attempt to delete the SELinux label, but that might also be denied.
>>
>> Ok, now I think I understand. The OP has stale files in /tmp which are not labelled, due to not purging /tmp on reboot. SELinux doesn't know how these files should be labelled, so it doesn't even try, and gives them the type file_t, which is a synonym for "this file doesn't have a type".
>>
>> So the answer for the OP is to use chcon on this file to label it somehow. If that doesn't work, he should delete the file and recreate it (while SELinux is active), so that it gets properly labelled.
>
> OK, I did delete the files in the /tmp/ directory, and as the running apache process re-created them, it created them with the correct type:
>
> [root@g6950-21025 tmp]# ls -lZ *
> -rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
> -rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t hostname_LAZYFROG.INFO
> etc.
>
> So the documentation is missing something about clearing files out of /tmp/ (or they won't get relabeled properly and processes won't be able to access them under SELinux), but at least it's working now.
>
> Bennett
>
>> I learned something new today. :-) Thanks for the explanation!
>>
>> Best, :-)
>> Marko

Now if only more people used RHEL we could further enhance the products. :^)
Re: [CentOS] defense-in-depth possible for sshd?
From: Bennett Haselton benn...@peacefire.org

On 1/10/2012 5:16 AM, John Doe wrote:

The sshd child is running as bob; so it has bob (and not root) rights...

Yes, I understand that. What I said was that if you could take complete control of the sshd process you were connecting to, even if that process was completely unprivileged, you could still make it say "Accept a login from 'root' with password 'foo'" and then log in as root.

How would your bob owned child sshd take complete control of the parent root owned sshd...?

JD
Re: [CentOS] defense-in-depth possible for sshd?
On Tue, Jan 10, 2012 at 2:49 PM, John Doe jd...@yahoo.com wrote:

From: Bennett Haselton benn...@peacefire.org

On 1/10/2012 5:16 AM, John Doe wrote:

The sshd child is running as bob; so it has bob (and not root) rights...

Yes, I understand that. What I said was that if you could take complete control of the sshd process you were connecting to, even if that process was completely unprivileged, you could still make it say "Accept a login from 'root' with password 'foo'" and then log in as root.

How would your bob owned child sshd take complete control of the parent root owned sshd...?

JD

Or, if you simply WANT more layers, then deploy defense-in-depth in FRONT of sshd. VPN or port-knocking springs to mind

BR Bent
Re: [CentOS] defense-in-depth possible for sshd?
On 10/01/12 13:34, Bennett Haselton wrote:

On 1/10/2012 5:16 AM, John Doe wrote:

From: Bennett Haselton benn...@peacefire.org

On 1/10/2012 2:02 AM, Adrian Sevcenco wrote:

UsePrivilegeSeparation Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''.

OK. So it sounds like if you found a particular exploit in sshd that could *only* do certain things -- like write a file to an arbitrary location on disk -- then this privilege separation would prevent that exploit from being used to make the child process write somewhere that it didn't have privileges to write to.

Do a ps and look at the sshd tree. Example:

root 6014 0.0 0.1 97816 3760 ? S 11:01 0:00 \_ sshd: bob [priv]
bob 6029 0.0 0.0 97816 1796 ? S 11:01 0:00 \_ sshd: bob@pts/2
bob 6030 0.0 0.0 108392 1760 pts/2 Ss 11:01 0:00 \_ -bash

The sshd child is running as bob; so it has bob (and not root) rights...

JD

Yes, I understand that. What I said was that if you could take complete control of the sshd process you were connecting to, even if that process was completely unprivileged, you could still make it say "Accept a login from 'root' with password 'foo'" and then log in as root.

Probably. If a flaw were to exist in OpenSSH that allows execution of arbitrary code then pretty much anything is possible, which is why it is wise to always stay fully patched and limit exposure by only providing access (to the sshd service) to those that need it.

Heck, even security through obscurity (running on a non-standard port) will limit exposure to the extent that the casual attacker scanning for machines vulnerable to a zero-day vulnerability will probably pass you by given the number of lower hanging fruit out there.

What you are talking about is essentially a zero-day vulnerability that's being actively exploited in the wild. So although you said you weren't talking about layers of security in front of sshd, these are exactly the layers of defence that will help limit the scope of such an attack.

You can't look at security in isolation, you have to look at the whole picture, identify the risks in your systems and then take measures to mitigate those risks that are relevant to you. IOW, if you only access the system from a handful of locations, firewalling the sshd service to only allow access from those IP ranges essentially makes the rest of the discussion redundant. Similarly, running on a non-standard port will be highly effective against the casual attacker scanning large areas of the IP address space for vulnerable machines to attack, less so against a targeted attack.
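A simplified model of the monitor/child split described in the sshd_config(5) text quoted above, added here as an example (it is not OpenSSH's code and not from any poster): the privileged monitor verifies the credential itself and keeps the authentication state, so the unprivileged child can only ask, and a bare claim of success or a session request for a different user is refused. All type, function and account names are hypothetical, and the credentials are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Messages the unprivileged, network-facing child may send to the
 * privileged monitor. All names here are hypothetical. */
enum req_type { REQ_AUTH_PASSWORD, REQ_CLAIM_AUTHENTICATED, REQ_START_SESSION };
enum reply    { REPLY_OK, REPLY_DENIED };

struct request {
    enum req_type type;
    const char *user;
    const char *password;   /* used by REQ_AUTH_PASSWORD only */
};

/* State that exists only in the monitor's address space. */
struct monitor {
    int  authenticated;     /* set by the monitor's own check, never by the child */
    char authed_user[32];
    int  failures;
};

#define MAX_FAILURES 3

/* Constructed account table standing in for the system password database
 * (a real monitor verifies against hashed credentials or PAM). */
static const struct { const char *user; const char *password; } accounts[] = {
    { "bob",  "constructed-bob-secret"  },
    { "root", "constructed-root-secret" },
};

static int check_password(const char *user, const char *password)
{
    size_t i;
    if (user == NULL || password == NULL)
        return 0;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(user, accounts[i].user) == 0 &&
            strcmp(password, accounts[i].password) == 0)
            return 1;
    return 0;
}

/* The monitor's whole interface to the child: a small set of permitted
 * requests, each decided from the monitor's own state. */
enum reply monitor_handle(struct monitor *m, const struct request *r)
{
    switch (r->type) {
    case REQ_AUTH_PASSWORD:
        if (m->authenticated || m->failures >= MAX_FAILURES)
            return REPLY_DENIED;
        if (!check_password(r->user, r->password)) {
            m->failures++;
            return REPLY_DENIED;
        }
        m->authenticated = 1;
        snprintf(m->authed_user, sizeof m->authed_user, "%s", r->user);
        return REPLY_OK;
    case REQ_START_SESSION:
        /* A session is started only for the user the monitor verified. */
        if (m->authenticated && r->user != NULL &&
            strcmp(r->user, m->authed_user) == 0)
            return REPLY_OK;
        return REPLY_DENIED;
    case REQ_CLAIM_AUTHENTICATED:   /* the child asserting success: not a permitted request */
    default:
        return REPLY_DENIED;
    }
}

/* Constructed message sequence from a child that has been taken over. */
static const struct request script[] = {
    { REQ_CLAIM_AUTHENTICATED, "root", NULL },
    { REQ_START_SESSION,       "root", NULL },
    { REQ_AUTH_PASSWORD,       "bob",  "guess" },
    { REQ_AUTH_PASSWORD,       "bob",  "constructed-bob-secret" },
    { REQ_START_SESSION,       "root", NULL },
    { REQ_START_SESSION,       "bob",  NULL },
};
#define SCRIPT_LEN (sizeof script / sizeof script[0])

/* Replay script[0..n] against a fresh monitor and return the last reply. */
enum reply nth_reply(size_t n)
{
    struct monitor m = { 0, "", 0 };
    enum reply last = REPLY_DENIED;
    size_t i;
    if (n >= SCRIPT_LEN)
        return REPLY_DENIED;
    for (i = 0; i <= n; i++)
        last = monitor_handle(&m, &script[i]);
    return last;
}

int main(void)
{
    size_t i;
    for (i = 0; i < SCRIPT_LEN; i++)
        printf("request %zu -> %s\n", i,
               nth_reply(i) == REPLY_OK ? "OK" : "DENIED");
    return 0;
}
```

The model covers only the message interface between the two processes; a flaw in the monitor's own code is outside it.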
Re: [CentOS] SELinux and access across 'similar types'
On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote:

Now if only more people used RHEL we could further enhance the products. :^)

Why isn't it accepted as more of a standard?

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] sa-update error with perl
On 10.1.2012 4:02, email builder wrote:

Why? Just remove that package and install the one from CentOS. Spamassassin doesn't need to be touched.

Hello,

Seems to me that you are still using the mix of repos. Packages from RF work fine.

root@specs2:1280:279:/$ rpm -q spamassassin perl-IO-Socket-INET6 perl-Net-DNS perl-NetAddr-IP| sort
perl-IO-Socket-INET6-2.57-2.el5.rfx
perl-NetAddr-IP-4.044-1.el5.rf
perl-Net-DNS-0.66-1.el5.rfx
spamassassin-3.3.2-2.el5.rfx

root@specs2:1279:278:/$ sa-update -D
Jan 10 15:07:53.098 [32233] dbg: logger: adding facilities: all
Jan 10 15:07:53.098 [32233] dbg: logger: logging level is DBG
Jan 10 15:07:53.098 [32233] dbg: generic: SpamAssassin version 3.3.2
Jan 10 15:07:53.098 [32233] dbg: generic: Perl 5.008008, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
Jan 10 15:07:53.098 [32233] dbg: config: timing enabled
Jan 10 15:07:53.099 [32233] dbg: config: score set 0 chosen.
Jan 10 15:07:53.104 [32233] dbg: dns: is Net::DNS::Resolver available? yes
Jan 10 15:07:53.104 [32233] dbg: dns: Net::DNS version: 0.66
Jan 10 15:07:53.104 [32233] dbg: generic: sa-update version svn917659
Jan 10 15:07:53.104 [32233] dbg: generic: using update directory: /var/lib/spamassassin/3.003002
Jan 10 15:07:53.231 [32233] dbg: diag: perl platform: 5.008008 linux
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: HTML::Parser, version 3.68
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Net::DNS, version 0.66
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: NetAddr::IP, version 4.044
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Time::HiRes, version 1.9717
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Archive::Tar, version 1.56
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: IO::Zlib, version 1.10
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: MIME::Base64, version 3.07
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: DB_File, version 1.814
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Net::SMTP, version 2.29
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Mail::SPF, version v2.006
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: IP::Country::Fast, version 604.001
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Razor2::Client::Agent, version 2.84
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Net::Ident, version 1.23
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: IO::Socket::INET6, version 2.57
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: IO::Socket::SSL, version 1.44
Jan 10 15:07:53.231 [32233] dbg: diag: [...] module installed: Compress::Zlib, version 2.037
Jan 10 15:07:53.232 [32233] dbg: diag: [...] module installed: Mail::DKIM, version 0.39
Jan 10 15:07:53.232 [32233] dbg: diag: [...] module installed: DBI, version 1.616
Jan 10 15:07:53.232 [32233] dbg: diag: [...] module installed: Getopt::Long, version 2.35
Jan 10 15:07:53.232 [32233] dbg: diag: [...] module installed: LWP::UserAgent, version 5.835
Jan 10 15:07:53.232 [32233] dbg: diag: [...] module installed: HTTP::Date, version 5.831
Jan 10 15:07:53.232 [32233] dbg: diag: [...] module installed: Encode::Detect, version 1.01
Jan 10 15:07:53.232 [32233] dbg: gpg: Searching for 'gpg'
Jan 10 15:07:53.232 [32233] dbg: util: current PATH is: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib64/ccache/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Jan 10 15:07:53.233 [32233] dbg: util: executable for gpg was found at /usr/bin/gpg
Jan 10 15:07:53.233 [32233] dbg: gpg: found /usr/bin/gpg
Jan 10 15:07:53.233 [32233] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
Jan 10 15:07:53.235 [32233] dbg: channel: attempting channel updates.spamassassin.org
Jan 10 15:07:53.235 [32233] dbg: channel: update directory /var/lib/spamassassin/3.003002/updates_spamassassin_org
Jan 10 15:07:53.235 [32233] dbg: channel: channel cf file /var/lib/spamassassin/3.003002/updates_spamassassin_org.cf
Jan 10 15:07:53.236 [32233] dbg: channel: channel pre file /var/lib/spamassassin/3.003002/updates_spamassassin_org.pre
Jan 10 15:07:53.236 [32233] dbg: channel: metadata version = 1227079
Jan 10 15:07:53.240 [32233] dbg: dns: 2.3.3.updates.spamassassin.org = 1227079, parsed as 1227079
Jan 10 15:07:53.240 [32233] dbg: channel: current version is 1227079, new version is 1227079, skipping channel
Jan 10 15:07:53.240 [32233] dbg: diag: updates complete, exiting with code 1

Regards,
DH
Re: [CentOS] SELinux and access across 'similar types'
On 01/10/2012 09:00 AM, Les Mikesell wrote:

On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote:

Now if only more people used RHEL we could further enhance the products. :^)

Why isn't it accepted as more of a standard?

I don't understand the question.
Re: [CentOS] bug submission justified for distribution of obsolete java software?
e-letter wrote:

Readers, Would someone advise whether the distribution of an obsolete version of java should be reported as a bug; http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827

One *could* argue that Java is a bug, being a) so error-prone, b) so vulnerable to attack, and c) so huge and slow, and shouldn't be allowed

mark java; why did it have to be java?
Re: [CentOS] defense-in-depth possible for sshd?
John Doe wrote:

From: Bennett Haselton benn...@peacefire.org

On 1/10/2012 5:16 AM, John Doe wrote:

The sshd child is running as bob; so it has bob (and not root) rights...

Yes, I understand that. What I said was that if you could take complete control of the sshd process you were connecting to, even if that process was completely unprivileged, you could still make it say "Accept a login from 'root' with password 'foo'" and then log in as root.

How would your bob owned child sshd take complete control of the parent root owned sshd...?

I have not read the details of any given exploit, but as I understand it, if one can craft an exploit that breaks in the middle of the login, the child would die, leaving one in the parent (root) process.

mark
[CentOS] Write to USB pendrives horribly slow
Hello there,

since I installed CentOS6 a few months ago (kept up-to-date using yum), I'm facing very poor performance when writing to USB pendrives.

The hardware: a Dell Latitude E6500 laptop (Intel Core Duo P8600 @2.40GHz), 4Go RAM + 4Go swap, several USB2 pendrives of various brands (less than old, all formatted as vfat).

When I perform a copy (with cp or midnight commander, copying big AVI files between 300Mo to 1.4Go) to those devices, whether the source is on the same device or on another disk, I notice that the CPU activity shows 2 phases as far as I can see with the Gnome system monitor applet:

- a phase where both CPUs show less than 20% of activity, and IOWait is 80%. It lasts the time I would expect such a copy to last (say, it's like writing at 1-4MB/sec to such devices, which is reasonable or expected).
- a phase, at least twice as long as the 1st phase but this ratio depends on the file copy size, where CPUs show 5% of activity but IOWait is at 100%.

During phase 1, system and applications are responsive, as expected during a file copy to external USB2 disks. During phase 2, system is slow, applications are often non responsive.

I was not facing this behaviour w/ Fedora 11, nor w/ the Windows XP system also installed on this laptop. I'm not facing such poor performance when writing to external SATA drives (thru the same USB2 ports), even formatted as vfat. Neither when writing to those pendrives from another hardware system. `hdparm -tT` is useless here.

I wonder if some mount options aren't wrong with USB pendrives, see:

/dev/sdd1 on /media/monolith type vfat (rw,nosuid,nodev,uhelper=udisks,shortname=mixed,dmask=0077,utf8=1,flush)

my suspicion is about the flush option, which I find atypical here. BTW, I'm still unable to control the mount options that are automatically set by Gnome - even if I can mount manually if I want.

Any hint?

Regards,
-- wwp
Re: [CentOS] bug submission justified for distribution of obsolete java software?
On Tue, Jan 10, 2012 at 8:47 AM, m.r...@5-cent.us wrote:

Would someone advise whether the distribution of an obsolete version of java should be reported as a bug; http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827

One *could* argue that Java is a bug, being a) so error-prone, b) so vulnerable to attack, and c) so huge and slow, and shouldn't be allowed

But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor.

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] bug submission justified for distribution of obsolete java software?
On Tue, January 10, 2012 17:15, Les Mikesell wrote:

On Tue, Jan 10, 2012 at 8:47 AM, m.r...@5-cent.us wrote:

One *could* argue that Java is a bug, being a) so error-prone, b) so vulnerable to attack, and c) so huge and slow, and shouldn't be allowed

But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor.

So if I were to develop a CPU type and/or OS that didn't support Java then you would lock yourself out of the very language you appear to advocate?
Re: [CentOS] SELinux and access across 'similar types'
On Tue, Jan 10, 2012 at 8:27 AM, Daniel J Walsh dwa...@redhat.com wrote:

On 01/10/2012 09:00 AM, Les Mikesell wrote:

On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote:

Now if only more people used RHEL we could further enhance the products. :^)

Why isn't it accepted as more of a standard?

I don't understand the question.

Why is it vendor-specific to RHEL?

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] bug submission justified for distribution of obsolete java software?
Les Mikesell wrote:

On Tue, Jan 10, 2012 at 8:47 AM, m.r...@5-cent.us wrote:

Would someone advise whether the distribution of an obsolete version of java should be reported as a bug; http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827

One *could* argue that Java is a bug, being a) so error-prone, b) so vulnerable to attack, and c) so huge and slow, and shouldn't be allowed

But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor.

No, I wouldn't. You argue wrongly. For one, by your first sentence, you deny all of my arguments, with no reasons for that denial.

As someone who's worked more as a programmer than an admin, and both for a long time, in a lot of languages, I see almost all java programs as huge. I also know that *if* you write your code correctly, the code will compile and run on pretty much anything, unless you're writing windowing-system specific stuff.

Then there's java, that in everything I read from the mid-nineties through the mid-oughts, was presented as being free from memory errors, etc, etc, but as one huge counter-example, just about every time I see a tomcat app crash, the stack traces are 150-200 calls deep, and there are, indeed, memory errors.

Further, it's nothing more than a re-imagining (as they say) of Pascal p-code (quick: what other language besides java used the command writeln?). The difference between recompile and run on a vm that's compiled for that machine is? Oh, right, it is, in effect, another layer that sits on top of the o/s, like a pseudo-os, or windowing system.

I can go on... but I really need to get around to writing my article to be entitled, The Failure of OOP in General, and Java in Particular.

mark
Re: [CentOS] bug submission justified for distribution of obsolete java software?
On Tue, Jan 10, 2012 at 10:17 AM, Giles Coochey gi...@coochey.net wrote:

But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor.

So if I were to develop a CPU type and/or OS that didn't support Java then you would lock yourself out of the very language you appear to advocate?

Being locked out of some oddball thing is not at all the same situation as being locked into what only a single vendor provides. But try something like 'jenkins' (http://jenkins-ci.org/) with an assortment of cross-platform nodes to get the idea of how handy a language with remoting across many platforms can be. It's painless to install try, even if you only use it on a single box.

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] USB install annoyances (not OT)
I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux. The contents of that are:

ls -a
.                GPL                            TRANS.TBL
..               Packages                       images
.discinfo        RELEASE-NOTES-en-US.html       isolinux
.treeinfo        RPM-GPG-KEY-CentOS-6           lost+found
CentOS_BuildTag  RPM-GPG-KEY-CentOS-Debug-6     repodata
EFI              RPM-GPG-KEY-CentOS-Security-6
EULA             RPM-GPG-KEY-CentOS-Testing-6

I've tried mounting /dev/sda2 on a new mountpoint, and both ln -s isolinux and images to /mnt/isolinux, and neither was accepted. Does anyone have any idea at all what the thing is looking for?

mark
Re: [CentOS] bug submission justified for distribution of obsolete java software?
Les Mikesell wrote:

On Tue, Jan 10, 2012 at 10:17 AM, Giles Coochey gi...@coochey.net wrote:

But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor.

So if I were to develop a CPU type and/or OS that didn't support Java then you would lock yourself out of the very language you appear to advocate?

Being locked out of some oddball thing is not at all the same situation as being locked into what only a single vendor provides. But try something like 'jenkins' (http://jenkins-ci.org/) with an assortment of cross-platform nodes to get the idea of how handy a language with remoting across many platforms can be. It's painless to install try, even if you only use it on a single box.

I have a one-word answer: perl.

A longer answer - are you suggesting system admin chores being done using some kind of java monstrosity? I mean, I don't remember what Spacewalk's written in, but it was a very large pain, and if it's not in java, then the java version would be a *lot* worse.

mark
Re: [CentOS] USB install annoyances (not OT)
From: m.r...@5-cent.us m.r...@5-cent.us

I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux.

Unless you specifically need the DVD contents, maybe try with the ISOs instead...

JD
Re: [CentOS] Write to USB pendrives horribly slow
From: wwp subscr...@free.fr

I wonder if some mount options aren't wrong with USB pendrives, see:

/dev/sdd1 on /media/monolith type vfat (rw,nosuid,nodev,uhelper=udisks,shortname=mixed,dmask=0077,utf8=1,flush)

my suspicion is about the flush option, which I find atypical here.

I guess it is to be safe in case users remove their usb keys without unmounting first...

JD
[CentOS] CentOS-announce Digest, Vol 83, Issue 4
Today's Topics: 1. CEBA-2012:0008 CentOS 5 gnome-screensaver Update (Johnny Hughes) 2. CEBA-2012:0009 CentOS 6 bind Update (Johnny Hughes)

Message: 1 Date: Tue, 10 Jan 2012 14:51:20 + From: Johnny Hughes joh...@centos.org Subject: [CentOS-announce] CEBA-2012:0008 CentOS 5 gnome-screensaver Update To: centos-annou...@centos.org

CentOS Errata and Bugfix Advisory 2012:0008 Upstream details at : https://rhn.redhat.com/errata/RHBA-2012-0008.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

Message: 2 Date: Tue, 10 Jan 2012 15:51:33 + From: Johnny Hughes joh...@centos.org Subject: [CentOS-announce] CEBA-2012:0009 CentOS 6 bind Update To: centos-annou...@centos.org

CentOS Errata and Bugfix Advisory 2012:0009 Upstream details at : https://rhn.redhat.com/errata/RHBA-2012-0009.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

End of CentOS-announce Digest, Vol 83, Issue 4
Re: [CentOS] bug submission justified for distribution of obsolete java software?
On Tue, Jan 10, 2012 at 10:32 AM, m.r...@5-cent.us wrote:

Would someone advise whether the distribution of an obsolete version of java should be reported as a bug; http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827

One *could* argue that Java is a bug, being a) so error-prone, b) so vulnerable to attack, and c) so huge and slow, and shouldn't be allowed

But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor.

No, I wouldn't. You argue wrongly. For one, by your first sentence, you deny all of my arguments, with no reasons for that denial.

The reasons are obvious. Java is common on phones, so there goes the 'huge' argument. OpenNMS can monitor thousands of nodes, so it's not slow. It's not more or less vulnerable to attack than anything else, so why even mention it?

As someone who's worked more as a programmer than an admin, and both for a long time, in a lot of languages, I see almost all java programs as huge.

So how do they run on phones? And what is huge these days anyway - an extra dollar's worth of RAM?

I also know that *if* you write your code correctly, the code will compile and run on pretty much anything, unless you're writing windowing-system specific stuff.

That's if you know every quirk of every target system - and have all the associated compilers, and take the time to compile on all of them.

Then there's java, that in everything I read from the mid-nineties through the mid-oughts, was presented as being free from memory errors, etc, etc, but as one huge counter-example, just about every time I see a tomcat app crash, the stack traces are 150-200 calls deep, and there are, indeed, memory errors.

You can write badly in any language, can't you? And why bring up old versions? You can take just about anything you were running in the 90's up to maybe a few months ago and realize now that it had horrible bugs. Unless maybe it was written by Donald Knuth...

Further, it's nothing more than a re-imagining (as they say) of Pascal p-code (quick: what other language besides java used the command writeln?).

That's a good thing, now that (a) processes are fast enough that you don't care about the interpreter speed and (b) there are techniques to use native libraries anywhere it does matter.

The difference between recompile and run on a vm that's compiled for that machine is? Oh, right, it is, in effect, another layer that sits on top of the o/s, like a pseudo-os, or windowing system.

Yes, if you don't like language abstractions you could code in assembly for a particular CPU.

I can go on... but I really need to get around to writing my article to be entitled, The Failure of OOP in General, and Java in Particular.

There's something to be said for functional programming and message passing instead of objects in these days of distributed and multi-cpu systems, but nobody really thinks that way.

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] centos6.2, parted and alignment
On Monday, January 09, 2012 02:03:23 PM John R Pierce wrote:

Is there another tool I can use for GPT partitions over 2TB ?

Hmm, I have an EL6.2 installation (i386) with four mounted volumes over 2TB; IIRC parted was used to make them. I don't recall doing anything special to get the partitions aligned, either. That doesn't mean I didn't do anything; I just don't recall doing anything. :-)

There is gdisk, though, if you want to go that route, but I haven't tried it with 2TB LUN's. The EPEL repo for 6 has gdisk.
Re: [CentOS] bug submission justified for distribution of obsolete java software?
On Tue, Jan 10, 2012 at 10:47 AM, m.r...@5-cent.us wrote: But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor. So if I were to develop a CPU type and/or OS that didn't support Java then you would lock yourself out of the very language you appear to advocate? Being locked out of some oddball thing is not at all the same situation as being locked into what only a single vendor provides. But try something like 'jenkins' (http://jenkins-ci.org/) with an assortment of cross-platform nodes to get the idea of how handy a language with remoting across many platforms can be. It's painless to install try, even if you only use it on a single box. I have a one-word answer: perl. But which version, on systems where it isn't included? A longer answer - are you suggesting system admin chores being done using some kind of java monstrosity? I mean, I don't remember what Spacewalk's written in, Spacewalk's problem is that it is written as components in a bunch of different languages and tied to a specific DB interface. Java could have solved all of those problems, but Red Hat did about as much as any company could to kill java - by shipping something that didn't quite work and wasn't quite java back then. but it was a very large pain, and if it's not in java, then the java version would be a *lot* worse. Yes, I would love to see a complete admin system in java, although you don't want to spin up a JVM for every command line you type - you'd want a long-running service with agents already running/connected everywhere. OpenNMS is excellent for the monitoring part of system administration. Jenkins is great for doing builds and maybe deployment (java or not). 
Jenkins can be expanded to do a lot more as a generic cross-platform distributed queuing/scheduling/scripting system but since it was designed as a continuous integration build system (compile/test across a matrix of platforms whenever a source change is committed), security isn't a real strong point. Both are painless rpm installs on linux if you let them run on their own ports with their embedded web servers. Try them before repeating misinformation about how bad things are. And then there are things like elasticsearch that might be possible in some other language but it just doesn't seem to exist (not particularly admin related, but if other languages are so great where is the equivalent?). If you don't like the verbosity of java (and who does?), you can use groovy as a more modern dynamic typed alternative for scripting. It runs in the same jvm and can import/access any normal jars that are already compiled in java. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] centos6.2, parted and alignment
On Mon, Jan 9, 2012 at 1:03 PM, John R Pierce pie...@hogranch.com wrote: Using gparted (GUIs, why did it have to be GUIs), you at least don't get that idiot warning. yeah, no gui on my file or database servers. not gonna happen. Having the X libs installed so you can run a gui program with a remote display doesn't bother a server much. And it's sometimes handy to be able to run wireshark like that if you need to peek at a few packets in real time. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] bug submission justified for distribution of obsolete java software?
On 01/10/2012 07:17 AM, Hakan Koseoglu wrote: On 10 January 2012 13:04, e-letter inp...@gmail.com wrote: Readers, Would someone advise whether the distribution of an obsolete version of java should be reported as a bug; http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827 Why is this a bug? The bug comments mention that the latest CentOS 6 has 1.10.4 which is supported by the Icedtea people. I quote from the comments: ---8 The newest version of IcedTea in CentOS6 (6.2) is 1.10.4: http://mirrors.kernel.org/centos/6.2/os/i386/Packages/java-1.6.0-openjdk-1.6.0.0-1.41.1.10.4.el6.i686.rpm ---8 Thus upgrade your CentOS to the latest point release as a minimum as suggested in the issue you raised. Again from the issue raised, the following link is pretty enlightening: http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e This is the critical point ... you are using an unsupported version of icedtea 1.7.4 (or java-1.6.0-openjdk if you prefer that name). However, if you do an update then you will have a supported version of icedtea (version 1.10.4). The only bug here is that you are not running updates :D
Re: [CentOS] USB install annoyances (not OT)
John Doe wrote: From: m.r...@5-cent.us m.r...@5-cent.us I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux. Unless you specifically need the DVD contents, maybe try with the ISOs instead... This doesn't vaguely answer my question. The install.img mounted the partition, by itself, as /mnt/isolinux. That's what *IT* did. I thought I had the partition as a clone of the dvd by mount -o loop and rsync. But I've just rebuilt the USB key partition from the latest 2 DVDs we have locally (I rsync'd Packages/. from the second one into the Packages directory I made when I rsync'd the first DVD, so it should look like a one-disk DVD). As soon as that finishes, I'll try another time Unless someone has the explicit answer to what is the image, or directory, the install.img wants to mount to get the repo, please don't reply. mark
Re: [CentOS] bug submission justified for distribution of obsolete java software?
Les Mikesell wrote: On Tue, Jan 10, 2012 at 10:32 AM, m.r...@5-cent.us wrote: Would someone advise whether the distribution of an obsolete version of java should be reported as a bug; http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=827 One *could* argue that Java is a bug, being a) so error-prone, b) so vulnerable to attack, and c) so huge and slow, and shouldn't be allowed But you'd be wrong on all counts. I'd argue the opposite - that you should only be allowed to use languages that work across CPU types and OS's so as to never be locked into a monopolistic single vendor. No, I wouldn't. You argue wrongly. For one, by your first sentence, you deny all of my arguments, with no reasons for that denial. The reasons are obvious. Java is common on phones, so there goes the 'huge' argument. OpenNMS can monitor thousands of nodes, so it's not Really? And how much memory is in them? And is it optimized for the phones? Is it a subset of the full JVM? slow. It's not more or less vulnerable to attack than anything else, so why even mention it? Based on the reports, more vulnerable. And every bloody java app I've had to deal with ranges from acceptable to slwww. As someone who's worked more as a programmer than an admin, and both for a long time, in a lot of languages, I see almost all java programs as huge. snip I also know that *if* you write your code correctly, the code will compile and run on pretty much anything, unless you're writing windowing-system specific stuff. That's if you know every quirk of every target system - and have all the associated compilers, and take the time to compile on all of them. Hah. You mean like gcc, that runs on everything I've ever heard of? 
Then there's java, that in everything I read from the mid-nineties through the mid-oughts, was presented as being free from memory errors, etc, etc, but as one huge counter-example, just about every time I see a tomcat app crash, the stack traces are 150-200 calls deep, and there are, indeed, memory errors. You can write badly in any language, can't you? And why bring up old versions? You can take just about anything you were running in the Old versions? Only if you want to call crashes last year, on the current openjdk or Sun java on an updated CentOS old. 90's up to maybe a few months ago and realize now that it had horrible bugs. Unless maybe it was written by Donald Knuth... I dunno 'bout that. A lot of the C code or the perl, esp. if I, or people I respected based on evidence had anything to do with, did maintenance on it, didn't have more bugs than crap written today. (Btw, have you seen the report today on slashdot, about the FBI's Sentinel case management system, that LockMart was writing using Agile methodology, is way behind and delayed again...?) Further, it's nothing more than a re-imagining (as they say) of Pascal p-code (quick: what other language besides java used the command writeln?). That's a good thing, now that (a) processes are fast enough that you don't care about the interpreter speed and (b) there are techniques to use native libraries anywhere it does matter. Sorry, but I've run into a lot of sites that are dog-slow, and it's *not* my connection. The difference between recompile and run on a vm that's compiled for that machine is? Oh, right, it is, in effect, another layer that sits on top of the o/s, like a pseudo-os, or windowing system. Yes, if you don't like language abstractions you could code in assembly for a particular CPU. That's a non sequitur. All compilers can do that... but except for things like device drivers, very few folks have ever touched assembly. I can go on... 
but I really need to get around to writing my article to be entitled, The Failure of OOP in General, and Java in Particular. There's something to be said for functional programming and message passing instead of objects in these days of distributed and multi-cpu systems, but nobody really thinks that way. A friend who worked for (was it ArcInfo? Or Autocad?) back in the late seventies, or maybe it was early eighties, told me they were early adopters of OOP, and they had an orientation talk, and were handed cheat sheets: method == function, message passing == parameter passing, etc. mark
Re: [CentOS] defense-in-depth possible for sshd?
On 01/10/2012 07:58 AM, Ned Slider wrote:
On 10/01/12 13:34, Bennett Haselton wrote:
On 1/10/2012 5:16 AM, John Doe wrote:
From: Bennett Haselton benn...@peacefire.org
On 1/10/2012 2:02 AM, Adrian Sevcenco wrote:

UsePrivilegeSeparation Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''.

OK. So it sounds like if you found a particular exploit in sshd that could *only* do certain things -- like write a file to an arbitrary location on disk -- then this privilege separation would prevent that exploit from being used to make the child process write somewhere that it didn't have privileges to write to.

Do a ps and look at the sshd tree. Example:

    root  6014  0.0  0.1  97816  3760 ?      S   11:01  0:00  \_ sshd: bob [priv]
    bob   6029  0.0  0.0  97816  1796 ?      S   11:01  0:00      \_ sshd: bob@pts/2
    bob   6030  0.0  0.0 108392  1760 pts/2  Ss  11:01  0:00          \_ -bash

The sshd child is running as bob; so it has bob (and not root) rights... JD

Yes, I understand that. What I said was that if you could take complete control of the sshd process you were connecting to, even if that process was completely unprivileged, you could still make it say Accept a login from 'root' with password 'foo' and then log in as root.

Probably. If a flaw were to exist in OpenSSH that allows execution of arbitrary code then pretty much anything is possible, which is why it is wise to always stay fully patched and limit exposure by only providing access (to the sshd service) to those that need it. Heck, even security through obscurity (running on a non-standard port) will limit exposure to the extent that the casual attacker scanning for machines vulnerable to a zero-day vulnerability will probably pass you by given the number of lower hanging fruit out there.

What you are talking about is essentially a zero-day vulnerability that's being actively exploited in the wild. So although you said you weren't talking about layers of security in front of sshd, these are exactly the layers of defence that will help limit the scope of such an attack. You can't look at security in isolation, you have to look at the whole picture, identify the risks in your systems and then take measures to mitigate those risks that are relevant to you.

IOW, if you only access the system from a handful of locations, firewalling the sshd service to only allow access from those IP ranges essentially makes the rest of the discussion redundant. Similarly, running on a non-standard port will be highly effective against the casual attacker scanning large areas of the IP address space for vulnerable machines to attack, less so against a targeted attack.

Ding, Ding, Ding what he ^^^ said :D

Limit access to the sshd port from only authorized places ... and the authorized places can be an openvpn type connection if you always need access from different IPs. If you have a laptop, put an openvpn client on it and take it with you if you need access from dynamic places. Connect the openvpn to the endpoint someplace and then use that to connect to the sshd on the server via the vpn.

Wide open sshd ports on the Internet are dangerous.

There have been NO critical sshd security issues in any release of RHEL (and therefore CentOS) since 2003 ... and that was for CentOS-2.1. Critical being the kind that allows remote access directly via sshd ... please see this link for an explanation of the severities: https://access.redhat.com/security/updates/classification/

So, the person is not getting sshd access remotely via an exploit. They MIGHT get access via some other exploit (httpd exploit of php code that provides shell access, something that then can escalate that to root level access (that would be an Important level of problem (allowing local user to escalate)) ... but the vast majority of the time, it is logins via the sshd port because of bad passwords (or published passwords, or e-mailed passwords, etc.), no IP control on the sshd port via iptables, allowing root to login directly, not using keys for access, etc.
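Added example, not part of the original thread or any poster's own code: a small Python audit for the weaknesses listed at the end of the message above (direct root login, password logins instead of keys, no source-IP control on the sshd port via iptables). The sample sshd_config and iptables-save texts are constructed, the defaults are those assumed for the OpenSSH in CentOS 5/6, and the firewall check is a simplified first-match walk of the filter INPUT chain.

```python
import re
import shlex

# Assumed defaults for the OpenSSH shipped in CentOS 5/6 (newer releases differ).
SSHD_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Effective global settings: keywords are case-insensitive, the first
    value seen wins, Port lines accumulate, Match blocks are not evaluated."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        if len(fields) < 2:
            continue
        key, value = fields[0].lower(), fields[1].strip().strip('"')
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            settings.setdefault(key, value.lower())
    effective = dict(SSHD_DEFAULTS, **settings)
    effective["ports"] = ports or ["22"]
    return effective

def _opt(tokens, *flags):
    """Return (value, negated) for the first of `flags` found in a rule."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            neg = tokens[i + 1] == "!" or (i > 0 and tokens[i - 1] == "!")
            return tokens[i + 1], neg
    return None, False

def _covers(spec, port):
    """True if a port spec such as '22', '20:25' or '22,443' includes port."""
    bounds = (p.partition(":") for p in spec.split(","))
    return any(int(lo or 0) <= int(port) <= (int(hi or 65535) if sep else int(lo))
               for lo, sep, hi in bounds)

def ssh_exposure(iptables_save, port):
    """Simplified first-match walk of the filter INPUT chain: 'open' if TCP
    `port` is accepted without a source-address or interface restriction."""
    table, policy = None, "ACCEPT"
    for line in iptables_save.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0].startswith("*"):
            table = tok[0][1:]
        elif table == "filter" and tok[0] == ":INPUT":
            policy = tok[1]
        elif table == "filter" and tok[:2] == ["-A", "INPUT"]:
            target, _ = _opt(tok, "-j")
            dports, _ = _opt(tok, "--dport", "--dports")
            source, s_neg = _opt(tok, "-s")
            iface, i_neg = _opt(tok, "-i")
            limited = (source and not s_neg) or (iface and not i_neg)
            catch_all = {t for t in tok if t.startswith("-")} <= {"-A", "-j", "--reject-with"}
            hit = catch_all or (dports and _opt(tok, "-p")[0] == "tcp" and _covers(dports, port))
            if not hit or limited:
                continue  # rule does not decide the fate of an arbitrary source
            if target in ("ACCEPT", "DROP", "REJECT"):
                return "open" if target == "ACCEPT" else "restricted"
    return "open" if policy == "ACCEPT" else "restricted"

def audit(sshd_config, iptables_save):
    """Return findings for the weaknesses named in the message above."""
    cfg = parse_sshd_config(sshd_config)
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append("root may log in directly (PermitRootLogin %s)" % cfg["permitrootlogin"])
    if cfg["passwordauthentication"] != "no":
        findings.append("password logins accepted, keys not enforced")
    for port in cfg["ports"]:
        if ssh_exposure(iptables_save, port) == "open":
            findings.append("tcp/%s reachable from any source address" % port)
    return findings

# Constructed samples, not taken from any real host.
WEAK_SSHD = "#PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD = "PermitRootLogin no\nPasswordAuthentication no\nPermitRootLogin yes\n"
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
HARDENED_RULES = WEAK_RULES.replace("-A INPUT -p tcp", "-A INPUT -s 192.0.2.0/24 -p tcp")

if __name__ == "__main__":
    for cfg, rules in ((WEAK_SSHD, WEAK_RULES), (HARDENED_SSHD, HARDENED_RULES)):
        print(audit(cfg, rules) or "no findings")
```

The commented-out `#PermitRootLogin yes` in the weak sample still produces a finding because the assumed default applies, and the trailing `PermitRootLogin yes` in the hardened sample is ignored because sshd keeps the first value it reads.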
[CentOS] Upgrade Question
We've got about 200 existing servers running CentOS/RHEL 5.6 and all new servers are being provisioned using CentOS/RHEL 6.1. So that everything is consistent we need to upgrade the servers running CentOS/RHEL 5.6. I've searched the CentOS wiki, the Red Hat site, and the internet looking for something official on upgrading/migrating from CentOS/RHEL 5.x to CentOS/RHEL 6.x. There's got to be a way other than having 2 times hardware. Any ideas??? Thanks, Gene Poole + It's impossible for everything to be true. +
Re: [CentOS] Upgrade Question
On Tue, 10 Jan 2012 13:55:05 -0500 Gene Poole wrote: We've got about 200 existing servers running CentOS/RHEL 5.6 and all new servers are being provisioned using CentOS/RHEL 6.1. So that everything is consistent we need to upgrade the servers running CentOS/RHEL 5.6. I've searched the CentOS wiki, the Red Hat site, and the internet looking for something official on upgrading/migrating from CentOS/RHEL 5.x to CentOS/RHEL 6.x. There's got to be a way other than having 2 times hardware. Backup your data/configurations, reformat, re-install your data/configurations. There is no other official way to change from v5 to v6. -- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER!
Re: [CentOS] USB install annoyances
But this thread's gotten way OT: *does* anyone have any idea what the .img file is that the running o/s from install.img is looking for, after the partitioning, when it's ready to install? Possibly, but without the info I previously requested, I won't be trying to reproduce the problem. e.g. the source file[s] and command[s] used to make your bootable USB stick.
Re: [CentOS] Upgrade Question
Gene Poole wrote: We've got about 200 existing servers running CentOS/RHEL 5.6 and all new servers are being provisioned using CentOS/RHEL 6.1. So that everything is consistent we need to upgrade the servers running CentOS/RHEL 5.6. I've searched the CentOS wiki, the Red Hat site, and the internet looking for something official on upgrading/migrating from CentOS/RHEL 5.x to CentOS/RHEL 6.x. There's got to be a way other than having 2 times hardware. Any ideas??? What we do is build one, then create /boot/new and /new on the next server, rsync over to them, then mkdir /boot/old and /old, and (using zsh with modules loaded) mv * old, mv old/lost+found ., mv old/new/* ., make sure a few things are correct (for example, ifcfg-eth*, /etc/ssh/), and sync, then reboot. All your other stuff is fine mark
Re: [CentOS] USB install annoyances
Darr247 wrote: But this thread's gotten way OT: *does* anyone have any idea what the .img file is that the running o/s from install.img is looking for, after the partitioning, when it's ready to install? Possibly, but without the info I previously requested, I won't be trying to reproduce the problem. e.g. the source file[s] and command[s] used to make your bootable USB stick.

I started by listing that:
1. I have a partitioned USB stick, 8G, with a 10M FAT32 partition, and the rest as ext3.
2. Rsync'd isolinux to the FAT partition, renamed isolinux.cfg to syslinux.cfg
3. syslinux to the USB
4. mounted DVD.iso, and rsync'd all of that to the ext3 partition.
5. mounted the second DVD, and rsync'd Packages/* to the Packages directory already there, and so have a 1 DVD, effectively, on the USB.

But the question is what image# 1 that it's looking for? It's not trying to look on the USB for an .iso, is it? mark
Re: [CentOS] SELinux and access across 'similar types'
On 01/10/2012 11:20 AM, Les Mikesell wrote: On Tue, Jan 10, 2012 at 8:27 AM, Daniel J Walsh dwa...@redhat.com wrote: On 01/10/2012 09:00 AM, Les Mikesell wrote: On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote: Now if only more people used RHEL we could further enhance the products. :^) Why isn't it accepted as more of a standard? I don't understand the question. Why is it vendor-specific to RHEL? I was talking Money not vendor specific. The question meant as a jab was if more people used RHEL instead of Centos, we could pay more developers. I thought the @redhat.com would signify why I would want that. :^)
Re: [CentOS] centos6.2, parted and alignment
On 01/10/12 9:39 AM, Les Mikesell wrote: Having the X libs installed so you can run a gui program with a remote display doesn't bother a server much. And it's sometimes handy to be able to run wireshark like that if you need to peek at a few packets in real time. painfully slow over a remote link. if I need to sniff traffic, I'll use tcpdump. if I need fancier analysis, I'll tcpdump it to a file, and scp the file to my local system and analyze it with wireshark. also, I'm documenting a procedure for operations that I'm trying to automate and simplify as much as possible...And, having to explain how to setup a remote X session, then how to do something with pointy-clicky would be painful, a one line command replaced with pages of screenshots? ugh. -- john r pierce N 37, W 122 santa cruz ca mid-left coast
[CentOS] Clustering solutions - mail, www, storage.
Hi all. I am currently working for a hosting provider in a 100+ linux hosts' environment. We have www, mail HA solutions, as storage we mainly use NFS at the moment. We are also using DRBD, Heartbeat, Corosync. I am now gathering info to make a cluster with:
- two virtualization nodes (active master and passive slave);
- two storage nodes (for vm files) used by mentioned virtualization nodes (also active/passive).

For virtualization I am thinking to use OpenVZ or KVM. For storage NFS or iSCSI. Could you please share your experiences with these technologies? Which one would you use and why? Are there any good alternatives in CentOS? Thanks for the info, Rafal.
Re: [CentOS] SELinux and access across 'similar types'
On Tue, Jan 10, 2012 at 1:46 PM, Daniel J Walsh dwa...@redhat.com wrote: On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote: Now if only more people used RHEL we could further enhance the products. :^) Why isn't it accepted as more of a standard? I don't understand the question. Why is it vendor-specific to RHEL? I was talking Money not vendor specific. The question meant as a jab was if more people used RHEL instead of Centos, we could pay more developers. I thought the @redhat.com would signify why I would want that. :^) OK, I can understand why you would want that. I don't understand why you think anyone else would want even more nonstandard variations in linux distributions. And if this isn't intended to be vendor-specific, why isn't it an independent upstream project or included in the kernel? --- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] centos6.2, parted and alignment
On 01/10/2012 08:56 PM, John R Pierce wrote: And, having to explain how to setup a remote X session, then how to do something with pointy-clicky would be painful, a one line command replaced with pages of screenshots? ugh. There is NX/FreeNX server/client via ssh. Safe and simple remote GUI. -- Ljubomir Ljubojevic (Love is in the Air) PL Computers Serbia, Europe Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman... StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] centos6.2, parted and alignment
On Tue, Jan 10, 2012 at 1:56 PM, John R Pierce pie...@hogranch.com wrote: Having the X libs installed so you can run a gui program with a remote display doesn't bother a server much. And it's sometimes handy to be able to run wireshark like that if you need to peek at a few packets in real time. painfully slow over a remote link. if I need to sniff traffic, I'll use tcpdump. if I need fancier analysis, I'll tcpdump it to a file, and scp the file to my local system and analyze it with wireshark. I normally have at least one box per location (at least per location with slow networking...) where I can park a freenx desktop session. Then I can connect to that with NX (which runs over ssh). And from there I can work mostly in xterms ssh'd to the other nearby systems. The advantages are that the desktop stays stable with all open windows even when I disconnect and reconnect (even across different locations/OS's on the connecting NX client), and that starting GUI programs in those xterms opens a very nicely performing window on my NX client, wherever that might be. also, I'm documenting a procedure for operations that I'm trying to automate and simplify as much as possible... And, having to explain how to setup a remote X session, then how to do something with pointy-clicky would be painful, a one line command replaced with pages of screenshots? ugh. Different mindset, maybe. While I'd prefer a text line that I can cut/paste even if it is long and complicated, other people here are mostly used to windows and expect screenshots in the docs and drop-down picklists for options. Anyway, I think it is worth setting up freenx/NX even to run a bunch of xterms, and once you have it, GUI programs work too. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] USB install annoyances (not OT)
-Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of m.r...@5-cent.us Sent: Tuesday, January 10, 2012 12:48 To: CentOS mailing list Subject: Re: [CentOS] USB install annoyances (not OT) John Doe wrote: From: m.r...@5-cent.us m.r...@5-cent.us I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux. Unless you specifically need the DVD contents, maybe try with the ISOs instead... This doesn't vaguely answer my question.

I think it does, but not to the detail level you need. Details below.

The install.img mounted the partition, by itself, as /mnt/isolinux. That's what *IT* did. I thought I had the partition as a clone of the dvd by mount -o loop and rsync. But I've just rebuilt the USB key partition from the latest 2 DVDs we have locally (I rsync'd Packages/. from the second one into the Packages directory I made when I rsync'd the first DVD, so it should look like a one-disk DVD). As soon as that finishes, I'll try another time Unless someone has the explicit answer to what is the image, or directory, the install.img wants to mount to get the repo, please don't reply.

From what I recall: you can
* boot the USB
* layout and format the disks (we assume using anaconda)

And when you get towards package selection, anaconda fails indicating ' that it can't find image# 1.' The image# 1 it is looking for is the .iso which could have been burnt to a DVD for doing the install, i.e., not something from the images directory from THAT iso. As RHEL6 anaconda derives from something post the rawhide that I submitted the following bug on, it may help you understand. https://bugzilla.redhat.com/show_bug.cgi?id=435976 summary: anaconda will not trust any mounted file system for the rpm's to install, it only trusts media images and http. I hope this helps you, of course I could always be wrong.
Re: [CentOS] USB install annoyances
But the question is what image# 1 that it's looking for? It's not trying to look on the USB for an .iso, is it? That sounds like the bug mentioned at the bottom of the CentOS How-to: http://wiki.centos.org/HowTos/InstallFromUSBkey https://bugzilla.redhat.com/show_bug.cgi?id=568343 (around comment 5) I recently did a network install initiated from a USB stick, but not an install from the stick (I didn't have a Linux machine handy and the 64-bit CentOS 6.2 ISO won't fit on a FAT file system). It is worth noting that the upstream vendor suggests using dd to create the USB media: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/Making_USB_Media.html One would assume that might work if you just needed DVD 1 of CentOS. -- William Hooper
Re: [CentOS] USB install annoyances (not OT)
Denniston, Todd A CIV NAVSURFWARCENDIV Crane wrote: Behalf Of m.r...@5-cent.us John Doe wrote: From: m.r...@5-cent.us m.r...@5-cent.us I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux. Unless you specifically need the DVD contents, maybe try with the ISOs instead... This doesn't vaguely answer my question. snip From what I recall: you can * boot the USB * layout and format the disks (we assume using anaconda) And when you get towards package selection, anaconda fails indicating ' that it can't find image# 1.' The image# 1 it is looking for is the .iso which could have been burnt to a DVD for doing the install, i.e., not something from the images directory from THAT iso. As RHEL6 anaconda derives from something post the rawhide that I submitted the following bug on, it may help you understand. https://bugzilla.redhat.com/show_bug.cgi?id=435976 summary: anaconda will not trust any mounted file system for the rpm's to install, it only trusts media images and http. So you're saying that the second partition has to actually hold a .iso, *not* the contents? Augh! Well, I'll delete the contents of the filesystem, and rsync the .iso, and try again. I *did* note, this last time (I thought I'd found something else), that the popup window said iso 9660 Thanks! mark
Re: [CentOS] SELinux and access across 'similar types'
On 01/11/2012 05:04 AM, Les Mikesell wrote: On Tue, Jan 10, 2012 at 1:46 PM, Daniel J Walsh dwa...@redhat.com wrote: On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote: Now if only more people used RHEL we could further enhance the products. :^) Why isn't it accepted as more of a standard? I don't understand the question. Why is it vendor-specific to RHEL? I was talking Money not vendor specific. The question meant as a jab was if more people used RHEL instead of Centos, we could pay more developers. I thought the @redhat.com would signify why I would want that. :^) OK, I can understand why you would want that. I don't understand why you think anyone else would want even more nonstandard variations in linux distributions. And if this isn't intended to be vendor-specific, why isn't it an independent upstream project or included in the kernel? The logical code to SELinux isn't specific to RH, not by a long shot. (Of course, RH may wind up doing some way un-Unixy/very-vendor-specific things in the near future, but that has nothing to do with SELinux) http://userspace.selinuxproject.org/trac http://www.gentoo.org/proj/en/hardened/selinux/ https://wiki.ubuntu.com/SELinux ... But the difficult thing about SELinux isn't how it works, it's the detail required for each policy to wrap each program up correctly without denying useful functionality in the process, not to mention deploying them with packages, and dealing with the whole new universe of inaccurate bug reports SELinux has spawned... *That* is very hard -- and that is what Red Hat has been so good about over the last while. In the process Fedora has spawned a slew of new tools to make SELinux policy easier to deal with -- and in the process of doing that Fedora acquired/affirmed its reputation for eating babies. 
SELinux exists all over the place, and there are binaries for it in nearly every distro -- but nearly everyone has decided that it's too hard so it's just a set of accessory packages almost nobody installs, and if installed not activated, and if activated quickly de-activated (the #1 web server fix your frustrations on the web advice for noobs is still disable SELinux, it sux). Honestly, though, at this point the tools really are there. A packager that wants to publish an SELinux policy with his package finds it easy if the tools are understood -- what is really lacking now is just a very public, beginner-friendly introduction to the core concepts of SELinux which includes a nice intro to the somewhat arbitrary jargon that surrounds access policy concepts. Minds are very slowly changing and I am beginning to see a lot more functionality in non-Fedora-derived distros, but it takes a long time to turn the tide several years' worth of mailing archive, newsgroup, blog and forum advice *against* learning SELinux and turning it off instead -- and of course the biggest problem with that advice for those new to SELinux is that often it produces instant gratification.
Re: [CentOS] Clustering solutions - mail, www, storage.
I am currently working for a hosting provider in a 100+ linux hosts' environment. We have www, mail HA solutions, as storage we mainly use NFS at the moment. We are also using DRBD, Heartbeat, Corosync. I am now gathering info to make a cluster with:
- two virtualization nodes (active master and passive slave);
- two storage nodes (for vm files) used by mentioned virtualization nodes (also active/passive).

For virtualization I am thinking to use OpenVZ or KVM. For storage NFS or iSCSI. Could you please share your experiences with these technologies? Which one would you use and why? Are there any good alternatives in CentOS? Thanks for the info, Rafal.

I mainly go with Xen for a virtualization platform but KVM will work as well assuming that your hardware supports it. For a storage platform I'm assuming you are going to use servers with disk exporting as either NFS or iSCSI. If you are going this route I would suggest spending the money on a redundant storage array (one with redundant heads, power supplies, etc) that serves NFS as that I have found the easiest to deal with for migrations and everything else. If you can't do that, I would use servers with enough disk storage to make a decent array, setup DRBD in master/slave and export via NFS to your virtualization hosts. If money is really tight you could setup just two servers that act as virtualization hosts and storage platforms with an active/active two-node cluster using master/master DRBD + GFS. Be warned that you will lose quite a bit of performance due to the overhead of the cluster VS a dedicated purpose-built storage array... but we've been running this for a while without issue in some areas. -Tait
Re: [CentOS] Upgrade Question
On Tue, Jan 10, 2012 at 1:35 PM, m.r...@5-cent.us wrote: We've got about 200 existing servers running CentOS/RHEL 5.6 and all new servers are being provisioned using CentOS/RHEL 6.1. So that everything is consistent we need to upgrade the servers running CentOS/RHEL 5.6. I've searched the CentOS wiki, the Red Hat site, and the internet looking for something official on upgrading/migrating from CentOS/RHEL 5.x to CentOS/RHEL 6.x. There's got to be a way other than having 2 times hardware. Any ideas??? What we do is build one, then create /boot/new and /new on the next server, rsync over to them, then mkdir /boot/old and /old, and (using zsh with modules loaded) mv * old, mv old/lost+found ., mv old/new/* ., make sure a few things are correct (for example, ifcfg-eth*, /etc/ssh/), and sync, then reboot. All your other stuff is fine Have you looked at http://rear.sourceforge.net/ (and in EPEL) as a potential backup/clone/rollout mechanism? It seems like something that might suit your sensibilities, but I'm not sure what kind of contortions you would need to do to boot into its recovery image remotely.For anyone too lazy to look, it builds a bootable iso containing your own current system's tools to re-install itself, recreating the filesystem (LVM/raid/partitions) and dropping in a backup that can be included or separate. It is intended for mostly automated restores back onto the same system but I think it can be abused for cloning and there is a point where you can adjust the filesystem layout. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux and access across 'similar types'
On 01/10/2012 03:04 PM, Les Mikesell wrote: On Tue, Jan 10, 2012 at 1:46 PM, Daniel J Walsh dwa...@redhat.com wrote: On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote: Now if only more people used RHEL we could further enhance the products. :^) Why isn't it accepted as more of a standard? I don't understand the question. Why is it vendor-specific to RHEL? I was talking Money not vendor specific. The question meant as a jab was if more people used RHEL instead of Centos, we could pay more developers. I thought the @redhat.com would signify why I would want that. :^) OK, I can understand why you would want that. I don't understand why you think anyone else would want even more nonstandard variations in linux distributions. And if this isn't intended to be vendor-specific, why isn't it an independent upstream project or included in the kernel? --- Les Mikesell lesmikes...@gmail.com Again, there is nothing that we do that is Vendor specific, Everything we do with SELinux is open source. We are working to get our stuff upstream. I have no idea what you are talking about as far as variations in Linux Distributions. I work regularly with people in Centos, RHEL, gentoo, Ubuntu, debian, fedora and today even Mandriva. SELinux was just released for android also. As I tweeted yesterday. https://twitter.com/#!/rhatdan http://selinuxproject.org/page/SEAndroid
Re: [CentOS] USB install annoyances (not OT)[SOLVED]
Yet another denial - it's as though it's also blocking me based on the relationship of included text vs. new text. blah, blah, blah. Let's see if this is enough new text to get through. Denniston, Todd A CIV NAVSURFWARCENDIV Crane wrote: Behalf Of m.r...@5-cent.us snip I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux. Unless you specifically need the DVD contents, maybe try with the ISOs instead... snip And when you get towards package selection, anaconda fails indicating ' that it can't find image# 1.' The image# 1 it is looking for is the .iso which could have been burnt to a DVD for doing the install, i.e., not something from the images directory from THAT iso. snip Thank you, Todd, that was the answer. So, in RHEL 6, they're protecting us against ourselves (we might not have copied everything). So with the FAT32 partition as it was, I then deleted everything on the second partition, and copied both DVDs onto it... and it's installing even as we speak. I suppose I need to submit a revised how to build a USB key for CentOS 6. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Clustering solutions - mail, www, storage.
On 01/10/2012 02:59 PM, Rafał Radecki wrote: Hi all. I am currently working for a hosting provider in a 100+ linux hosts' environment. We have www, mail HA solutions, as storage we mainly use NFS at the moment. We are also using DRBD, Heartbeat, Corosync. I am now gathering info to make a cluster with: - two virtualization nodes (active master and passive slave); - two storage nodes (for vm files) used by mentioned virtualization nodes (also active/passive). For virtualization I am thinking to use OpenVZ or KVM. For storage NFS or iSCSI. Could you please share your experiences with these technologies? Which one would you use and why? Are there any good alternatives in CentOS? Thanks for the info, Rafal. If you plan to use DRBD, do you really need external SAN? If not, this might be good; https://alteeve.com/w/2-Node_Red_Hat_KVM_Cluster_Tutorial -- Digimer E-Mail: digi...@alteeve.com Freenode handle: digimer Papers and Projects: http://alteeve.com Node Assassin: http://nodeassassin.org omg my singularity battery is dead again. stupid hawking radiation. - epitron ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Upgrade Question
Les Mikesell wrote: On Tue, Jan 10, 2012 at 1:35 PM, m.r...@5-cent.us wrote: We've got about 200 existing servers running CentOS/RHEL 5.6 and all new servers are being provisioned using CentOS/RHEL 6.1. So that everything is consistent we need to upgrade the servers running CentOS/RHEL 5.6. snip Any ideas??? What we do is build one, then create /boot/new and /new on the next server, rsync over to them, then mkdir /boot/old and /old, and (using zsh with modules loaded) mv * old, mv old/lost+found ., mv old/new/* ., make sure a few things are correct (for example, ifcfg-eth*, /etc/ssh/), and sync, then reboot. All your other stuff is fine Have you looked at http://rear.sourceforge.net/ (and in EPEL) as a potential backup/clone/rollout mechanism? It seems like something snip The one difference with the method we use is that you *don't* have to format /, and so anything you have under it is still safe. We normally have a few directories that are local, and so need to be saved (web, a temp that everyone can use that is guaranteed *not* to go away, etc). It's also pretty quick: you don't affect the running system while you're rsyncing over, so then the rotation takes long enough to issue the few commands, check grub and fstab, and reboot. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux and access across 'similar types'
2012/1/10 夜神 岩男 supergiantpot...@yahoo.co.jp: But the difficult thing about SELinux isn't how it works, it's the detail required for each policy to wrap each program up correctly without denying useful functionality in the process, not to mention deploying them with packages, and dealing with the whole new universe of inaccurate bug reports SELinux has spawned... *That* is very hard -- and that is what Red Hat has been so good about over the last while. But the hardest part is that these things are application specific and there is no standardization for locations where applications do things. In fact, distributions intentionally move those locations around in their packaging. In the process Fedora has spawned a slew of new tools to make SELinux policy easier to deal with -- and in the process of doing that Fedora acquired/affirmed its reputation for eating babies. That reputation is well deserved. Would it not have made sense to have the needed diagnostic tools before shipping the thing that needs it? Honestly, though, at this point the tools really are there. A packager that wants to publish an SELinux policy with his package finds it easy if the tools are understood -- what is really lacking now is just a very public, beginner-friendly introduction to the core concepts of SELinux which includes a nice intro to the somewhat arbitrary jargon that surrounds access policy concepts. And wouldn't it have been a good idea to have the documentation before turning on something non-standard that breaks things? Minds are very slowly changing and I am beginning to see a lot more functionality in non-Fedora-derived distros, but it takes a long time to turn the tide several years' worth of mailing archive, newsgroup, blog and forum advice *against* learning SELinux and turning it off instead -- and of course the biggest problem with that advice for those new to SELinux is that often it produces instant gratification.
Yeah, the whole idea seems like what a car company would have to do to come back after selling a model that gets a lot of publicity for crashing and burning. The earlier opinions weren't wrong, after all. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux and access across 'similar types'
On Tue, Jan 10, 2012 at 3:26 PM, Daniel J Walsh dwa...@redhat.com wrote: Again, there is nothing that we do that is Vendor specific, Everything we do with SELinux is open source. We are working to get our stuff upstream. I have no idea what you are talking about as far as variations in Linux Distributions. I work regularly with people in Centos, RHEL, gentoo, Ubuntu, debian, fedora and today even Mandriva. SELinux was just released for android also. As I tweeted yesterday. OK, so the part that breaks things is getting widely shipped. Are the parts that make each specific application work again getting pushed upstream into the corresponding projects? -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] SELinux and access across 'similar types'
On 01/10/2012 04:41 PM, Les Mikesell wrote: On Tue, Jan 10, 2012 at 3:26 PM, Daniel J Walsh dwa...@redhat.com wrote: Again, there is nothing that we do that is Vendor specific, Everything we do with SELinux is open source. We are working to get our stuff upstream. I have no idea what you are talking about as far as variations in Linux Distributions. I work regularly with people in Centos, RHEL, gentoo, Ubuntu, debian, fedora and today even Mandriva. SELinux was just released for android also. As I tweeted yesterday. OK, so the part that breaks things is getting widely shipped. Are the parts that make each specific application work again getting pushed upstream into the corresponding projects? That is not the way it works. SELinux Reference policy is a database of rules that govern the default ways application run. These rules that have been written for Fedora/RHEL are public and are being moved upstream. Different Distributions can choose to use these policies or write their own. Out of the Reference Policy you can build your own version of targeted or MLS policy or you can write your policy from scratch. http://fedoraproject.org/wiki/SELinux/Policies http://oss.tresys.com/projects/refpolicy We do not ship apache policy with the apache package, so we do not attempt to get the apache policy upstreamed to the apache package. This allows different people to write their own policies on how they want to run apache or they can grab the reference policy version. The place that SELinux breaks applications is when an application does something that SELinux did not expect. I wrote a paper and presentation on the four main causes of SELinux issues.
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux4things.odp
Re: [CentOS] USB install annoyances (not OT)[SOLVED] (mostly)
Denniston, Todd A CIV NAVSURFWARCENDIV Crane wrote: Behalf Of m.r...@5-cent.us snip I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux. Unless you specifically need the DVD contents, maybe try with the ISOs instead... snip And when you get towards package selection, anaconda fails indicating ' that it can't find image# 1.' The image# 1 it is looking for is the .iso which could have been burnt to a DVD for doing the install, i.e., not something from the images directory from THAT iso. snip Thank you, Todd, that was the answer. So, in RHEL 6, they're protecting us against ourselves (we might not have copied everything). So with the FAT32 partition as it was, I then deleted everything on the second partition, and copied both DVDs onto it... and it's installing even as we speak. I suppose I need to submit a revised how to build a USB key for CentOS 6. And then there's the bug report I need to file: my only question being whether it's with CentOS, or upstream. Given this stupid bios, I had to make the USB key /dev/sda, so I told it not to install the bootloader. Went to reboot with linux rescue to install grub... and the same program that mounts the iso for the install, will *not* do that for linux rescue, and it wants images/install.img in the directory mark ah, consistency
Re: [CentOS] USB install annoyances
m.roth spake thusly:
I started by listing that:
1. I have a partitioned USB stick, 8G, with a 10M FAT32 partition, and the rest as ext3.
2. Rsync'd isolinux to the FAT partition, renamed isolinux.cfg to syslinux.cfg
3. syslinux to the USB
4. mounted DVD.iso, and rsync'd all of that to the ext3 partition.
5. mounted the second DVD, and rsync'd Packages/* to the Packages directory already there, and so have a 1 DVD, effectively, on the USB.
But the question is what image# 1 that it's looking for? It's not trying to look on the USB for an .iso, is it? mark

I did not see that synopsis in your original post (and I'm not sure I could figure out what commands you used by that). The only 2 replies to this thread I saw in digest 84 issue 9 were to John Doe. Anyway, this is what I have in my notes, though I see you've marked this as solved... mostly

assuming sdb as the USB device. From blank USB stick to bootable install:

    yum install livecd-tools syslinux
    dd if=/dev/zero of=/dev/sdb bs=512 count=1000
    parted /dev/sdb mklabel msdos
    parted /dev/sdb mkpartfs p ext2 0% 100%
    tune2fs -m0 /dev/sdb1
    parted /dev/sdb toggle 1 boot
    umount /dev/sdb1
    livecd-iso-to-disk <path to>/DVD.iso /dev/sdb1
    mkdir /mnt/iso
    mount -o loop <path to>/DVD.iso /mnt/iso
    mkdir /media/<usb stick>/images
    cp /mnt/iso/images/install.img /media/<usb stick>/images/
    cp <path to>/DVD.iso /media/<usb stick>/

TEST:

    qemu -m 512 /dev/sdb

I guess I should add yum install qemu to my notes, as I don't think that's installed by default. But using livecd-iso-to-disk makes it NOT ask for the image file location during the install. Try it. :-) Personally, I think they should've named it bootable-iso-tools, but everyone's probably used to the livecd-tools name by now.
[CentOS] Centos 6.2 Postfix - forward through SMTP smarthost with SMTP-AUTH
Hi All, I have set up three servers in a development environment. Via CR they're updated to Centos 6.2 It appears that these servers have postfix installed on them by default, which unfortunately I'm not very well acquainted with. All I want is a quick and dirty way to enable these hosts to send email through my own SMTP host. My (sendmail) SMTP host uses SMTP AUTH on a non-standard port and my dev (virtual env) runs off my laptop, so a dynamic IP. Does anyone have a quick and dirty configuration for setting up postfix to forward all remote mail through my smarthost? I'm guessing that I can put the hostname, the port, and the username and password somewhere in the postfix configuration and it will just work... Many Thanks in Advance, Giles ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Centos 5.7, I10 video, 1920x1080 monitor
I have a Centos 5.7 machine with Intel I10 video (built-in, I guess -- this is one of those all-in-one mini terminal things) that I'm trying to put a new 1920x1080 monitor onto, without conspicuous success. Prior to this it's been using a smaller monitor with no issues. Try as I might I can't get the new monitor to run at its 1920x1080 resolution. I just realized that I forgot to write down the actual resolution that it runs at but it's less than it should be, maybe 1280x1024? Obviously the display looks pretty crappy like that. I tried following the instructions posted here: http://www.ubuntugeek.com/how-change-display-resolution-settings-using-xrandr.html but when I got to the step of typing xrandr --newmode ... all I got was a help screen for xrandr command line options (and --newmode wasn't listed as one of them). I tried this: system-config-display --reconfig --set-resolution=1920x1080 --set-depth=24 --set-driver=vesa --set-videoram=0 It rewrote the xorg.conf file but I still didn't get 1920x1080. I tried changing vesa to i810 in xorg.conf and was then told that the xserver can't be started. It then took me to a simple GUI-style monitor setup screen and I told it that a 1920x1080 LCD monitor was connected. It then created the following xorg.conf, but I still don't get 1920x1080. 
The Xorg.0.log file is over 2000 lines so I won't include it in this message but I have posted it here: http://www.melvilletheatre.com/Xorg.0.log.bz2 Here is what I currently have for xorg.conf but again, it doesn't give me the full resolution on the monitor:

# Xorg configuration created by system-config-display

Section "ServerLayout"
    Identifier     "single head configuration"
    Screen      0  "Screen0" 0 0
    InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "InputDevice"
    Identifier  "Keyboard0"
    Driver      "kbd"
    Option      "XkbModel" "pc105"
    Option      "XkbLayout" "us"
EndSection

Section "Monitor"
    Identifier   "Monitor0"
    ModelName    "LCD Panel 1920x1080"
### Comment all HorizSync and VertSync values to use DDC:
    HorizSync    31.5 - 67.0
    VertRefresh  56.0 - 65.0
    Option       "dpms"
EndSection

Section "Device"
    Identifier  "Videocard0"
    Driver      "vesa"
EndSection

Section "Screen"
    Identifier   "Screen0"
    Device       "Videocard0"
    Monitor      "Monitor0"
    DefaultDepth 24
    SubSection "Display"
        Viewport   0 0
        Depth      24
    EndSubSection
EndSection

-- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER!
Re: [CentOS] USB install annoyances (not OT)[SOLVED]
On 01/11/2012 10:31 AM, m.r...@5-cent.us wrote: Yet another denial - it's as though it's also blocking me based on the relationship of included text vs. new text. blah, blah, blah. Let's see if this is enough new text to get through. Denniston, Todd A CIV NAVSURFWARCENDIV Crane wrote: Behalf Of m.r...@5-cent.us snip I've retried again, and it still fails. I see that it's mounted /dev/sda2, which is where I've got the contents of a DVD, as /mnt/isolinux. Unless you specifically need the DVD contents, maybe try with the ISOs instead... snip And when you get towards package selection, anaconda fails indicating ' that it can't find image# 1.' The image# 1 it is looking for is the .iso which could have been burnt to a DVD for doing the install, i.e., not something from the images directory from THAT iso. snip Thank you, Todd, that was the answer. So, in RHEL 6, they're protecting us against ourselves (we might not have copied everything). So with the FAT32 partition as it was, I then deleted everything on the second partition, and copied both DVDs onto it... and it's installing even as we speak. I suppose I need to submit a revised how to build a USB key for CentOS 6. Yes please mark
Re: [CentOS] sa-update error with perl
Why? Just remove that package and install the one from CentOS. Spamassassin doesn't need to be touched. Seems to me that you are still using the mix of repos. Packages from RF work fine. Well, kind of. If you review this thread, you'll see that the fix was to stop using the RepoForge package for perl-NetAddr-IP so that it wasn't mixed with CentOS packages for perl-Net-DNS and perl-IO-Socket-INET6. Maybe your position is that you won't fix perl-NetAddr-IP because you only support it when used when all other packages are from RepoForge, but I don't think that's realistic at all - everyone running CentOS will have mostly CentOS packages - naturally. They'll pick up some others they want or need for various reasons from RepoForge, so I'd imagine you'll see mixing of packages quite often amongst people who add RepoForge to their yum systems. Therefore, I'd have thought you'd be interested to learn of an incompatibility in one of the RepoForge packages.

root@specs2:1280:279:/$ rpm -q spamassassin perl-IO-Socket-INET6 perl-Net-DNS perl-NetAddr-IP| sort
perl-IO-Socket-INET6-2.57-2.el5.rfx
perl-NetAddr-IP-4.044-1.el5.rf
perl-Net-DNS-0.66-1.el5.rfx
spamassassin-3.3.2-2.el5.rfx
Re: [CentOS] Centos 6.2 Postfix - forward through SMTP smarthost with SMTP-AUTH
On 01/10/2012 05:54 PM, Giles Coochey wrote: Hi All, I have set up three servers in a development environment. Via CR they're updated to Centos 6.2 It appears that these servers have postfix installed on them by default, which unfortunately I'm not very well acquainted with. All I want is a quick and dirty way to enable these hosts to send email through my own SMTP host. My (sendmail) SMTP host uses SMTP AUTH on a non-standard port and my dev (virtual env) runs off my laptop, so a dynamic IP. Does anyone have a quick and dirty configuration for setting up postfix to forward all remote mail through my smarthost? I'm guessing that I can put the hostname, the port, and the username and password somewhere in the postfix configuration and it will just work... Many Thanks in Advance, Giles

/etc/postfix
Edit main.cf

# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]

I would recommend reading up on the configurations.

-- Brian - Get the latest Fremont, OH Weather http://www.Fremont-OH-Weather.com
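A smarthost setup of the kind asked about above, as an added example that is not part of either post: it generates the main.cf settings and the credential map for relaying through an authenticated SMTP host, keeping the password file owner-readable and requiring TLS so the AUTH exchange is not sent in clear. The host name, port 2525, account and password are constructed values; it is assumed that the smarthost offers STARTTLS and, on CentOS, that the cyrus-sasl-plain package is installed for the PLAIN/LOGIN mechanisms.

```shell
#!/bin/sh
# Added example (not from the thread): Postfix as an SMTP AUTH client of a
# smarthost. Host, port, account and password below are constructed values.

# relay_key HOST PORT prints "[HOST]:PORT". The brackets turn off MX lookups
# (see the main.cf comments quoted above); the same string must be used as
# relayhost and as the lookup key in sasl_passwd.
relay_key() {
    printf '[%s]:%s' "$1" "$2"
}

# write_relay_config DIR HOST PORT USER PASSWORD
# Writes DIR/main.cf.relay (one "name = value" setting per line) and
# DIR/sasl_passwd (credential map source, readable by its owner only).
write_relay_config() {
    dir=$1
    key=$(relay_key "$2" "$3")
    user=$4
    pass=$5

    # The map format is "key user:password" on one line, so reject a user
    # name that is empty or contains a space or colon, and an empty password.
    case "$user" in
        ''|*' '*|*:*) echo "unusable user name" >&2; return 1 ;;
    esac
    [ -n "$pass" ] || { echo "empty password" >&2; return 1; }

    # noanonymous refuses anonymous SASL mechanisms; encrypt makes TLS
    # mandatory, so mail is deferred rather than sent with AUTH in clear.
    cat > "$dir/main.cf.relay" <<EOF
relayhost = $key
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$dir/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
EOF

    # Create the credential file under a restrictive umask, then force 0600
    # in case an older, looser copy already existed.
    ( umask 077; printf '%s %s:%s\n' "$key" "$user" "$pass" > "$dir/sasl_passwd" )
    chmod 600 "$dir/sasl_passwd"
}

# activate_relay DIR: run as root on a host with Postfix installed.
# postmap builds sasl_passwd.db; postconf -e merges each setting into main.cf.
activate_relay() {
    postmap "hash:$1/sasl_passwd" || return 1
    while IFS= read -r setting; do
        postconf -e "$setting" || return 1
    done < "$1/main.cf.relay"
    postfix reload
}

# Demo against a scratch directory; on a real host use /etc/postfix and then
# call activate_relay /etc/postfix.
demo_dir=$(mktemp -d)
write_relay_config "$demo_dir" smtp.example.org 2525 devbox 'constructed-secret'
cat "$demo_dir/main.cf.relay"
rm -rf "$demo_dir"
```
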
[CentOS] Is avahi essential?
I've been getting a few avahi-daemon errors in /var/log/messages, eg --- Jan 11 00:40:24 helen avahi-daemon[12732]: Invalid query packet. Jan 11 00:40:29 helen last message repeated 17 times --- (This is on a CentOS-5.7 server.) So I looked up avahi on the web, but as far as I could see it is not doing anything essential; so I was wondering if stopping avahi-daemon would have any bad effect? -- Timothy Murphy e-mail: gayleard /at/ eircom.net tel: +353-86-2336090, +353-1-2842366 s-mail: School of Mathematics, Trinity College Dublin ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Is avahi essential?
On Jan 10, 2012, at 7:51 PM, Timothy Murphy gayle...@eircom.net wrote: I've been getting a few avahi-daemon errors in /var/log/messages, eg --- Jan 11 00:40:24 helen avahi-daemon[12732]: Invalid query packet. Jan 11 00:40:29 helen last message repeated 17 times --- (This is on a CentOS-5.7 server.) So I looked up avahi on the web, but as far as I could see it is not doing anything essential; so I was wondering if stopping avahi-daemon would have any bad effect? -- Timothy Murphy e-mail: gayleard /at/ eircom.net tel: +353-86-2336090, +353-1-2842366 s-mail: School of Mathematics, Trinity College Dublin Avahi is an mDNS daemon. You can safely disable it in most cases.
Re: [CentOS] Upgrade Question
On Tue, Jan 10, 2012 at 3:35 PM, m.r...@5-cent.us wrote: What we do is build one, then create /boot/new and /new on the next server, rsync over to them, then mkdir /boot/old and /old, and (using zsh with modules loaded) mv * old, mv old/lost+found ., mv old/new/* ., make sure a few things are correct (for example, ifcfg-eth*, /etc/ssh/), and sync, then reboot. All your other stuff is fine Have you looked at http://rear.sourceforge.net/ (and in EPEL) as a potential backup/clone/rollout mechanism? It seems like something snip The one difference with the method we use is that you *don't* have to format /, and so anything you have under it is still safe. We normally have a few directories that are local, and so need to be saved (web, a temp that everyone can use that is guaranteed *not* to go away, etc). But that also means you don't get to re-arrange your filesystem layout to set up a bigger /boot, change filesystem types, or fix something you've learned could be better in the years of running the previous version. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Centos 5.7, I10 video, 1920x1080 monitor
On 01/10/2012 05:56 PM, Frank Cox wrote: I have a Centos 5.7 machine with Intel I10 video (built-in, I guess -- this is one of those all-in-one mini terminal things) that I'm trying to put a new 1920x1080 monitor onto, without conspicuous success. Prior to this it's been using a smaller monitor with no issues. Try as I might I can't get the new monitor to run at its 1920x1080 resolution. I just realized that I forgot to write down the actual resolution that it runs at but it's less than it should be, maybe 1280x1024? Obviously the display looks pretty crappy like that. I tried following the instructions posted here: http://www.ubuntugeek.com/how-change-display-resolution-settings-using-xrandr.html but when I got to the step of typing xrandr --newmode ... all I got was a help screen for xrandr command line options (and --newmode wasn't listed as one of them). I tried this: system-config-display --reconfig --set-resolution=1920x1080 --set-depth=24 --set-driver=vesa --set-videoram=0 It rewrote the xorg.conf file but I still didn't get 1920x1080. I tried changing vesa to i810 in xorg.conf and was then told that the xserver can't be started. It then took me to a simple GUI-style monitor setup screen and I told it that a 1920x1080 LCD monitor was connected. It then created the following xorg.conf, but I still don't get 1920x1080. 
The Xorg.0.log file is over 2000 lines so I won't include it in this message but I have posted it here: http://www.melvilletheatre.com/Xorg.0.log.bz2 Here is what I currently have for xorg.conf but again, it doesn't give me the full resolution on the monitor:

# Xorg configuration created by system-config-display

Section "ServerLayout"
    Identifier     "single head configuration"
    Screen      0  "Screen0" 0 0
    InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "InputDevice"
    Identifier  "Keyboard0"
    Driver      "kbd"
    Option      "XkbModel" "pc105"
    Option      "XkbLayout" "us"
EndSection

Section "Monitor"
    Identifier   "Monitor0"
    ModelName    "LCD Panel 1920x1080"
### Comment all HorizSync and VertSync values to use DDC:
    HorizSync    31.5 - 67.0
    VertRefresh  56.0 - 65.0
    Option       "dpms"
EndSection

Section "Device"
    Identifier  "Videocard0"
    Driver      "vesa"
EndSection

Section "Screen"
    Identifier   "Screen0"
    Device       "Videocard0"
    Monitor      "Monitor0"
    DefaultDepth 24
    SubSection "Display"
        Viewport   0 0
        Depth      24
    EndSubSection
EndSection

Are you sure that your video card can support your desired resolution?

-- _ °v° /(_)\ ^ ^ Mark LaPierre Registered Linux user No #267004
Re: [CentOS] SELinux and access across 'similar types'
On Tue, Jan 10, 2012 at 3:50 PM, Daniel J Walsh dwa...@redhat.com wrote: That is not the way it works. SELinux Reference policy is a database of rules that govern the default ways application run. Yes, but it is application developers that know what their applications need to do. Is there a way for them to express that? These rules that have been written for Fedora/RHEL are public and are being moved upstream. There has to be a better approach than letting the Fedora guys second-guess where application components should live, then second-guess what the application needs to do. In fact, that sounds like a recipe for years of problems for everyone who uses the results. Different Distributions can choose to use these policies or write their own. So after the Fedora version of second-guessing, that gets pushed off to other distributions to likely make it even worse? Out of the Reference Policy you can build your own version of targeted or MLS policy or you can write your policy from scratch. But is there a way that these can originate from the group that manages the application, and appear automatically as a result in distributions that include the application or if you compile from the source distribution? The place that SELinux breaks applications is when an application does something that SELinux did not expect. Well, of course. The issue is how SELinux is supposed to learn from the person who does know what the application is going to do. I don't run an OS distribution to what a distribution does, I run it so it does what the application is supposed to do. That is, the application is the point, not what SELinux guesses it was supposed to do. I wrote a paper and presentation on the four main causes of SELinux issues. http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf Don't these all boil down to SELinux not understanding the application's needs?
-- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Centos 5.7, I10 video, 1920x1080 monitor
On Tue, 10 Jan 2012 20:50:36 -0500 Mark LaPierre wrote: Are you sure that your video card can support your desired resolution? I am now. After much fiddling around trying this and that I gave up and booted off of a Centos 6.2 install disk, and that came up in the 1920x1080 resolution all by itself. So I've decided that it's time to upgrade that machine to Centos 6. -- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER! ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Write to USB pendrives horribly slow
Hello John, On Tue, 10 Jan 2012 08:57:14 -0800 (PST) John Doe jd...@yahoo.com wrote: From: wwp subscr...@free.fr I wonder if some mount options aren't wrong with USB pendrives, see: /dev/sdd1 on /media/monolith type vfat (rw,nosuid,nodev,uhelper=udisks,shortname=mixed,dmask=0077,utf8=1,flush) my suspicion is about the flush option, which I find atypical here. I guess it is to be safe in case users remove their usb keys without unmounting first... OK, meaning no write-cache for those devices, makes sense in some way. But this doesn't explain the main issue I reported, although I didn't find a way to change the default mount options used by Gnome (gconf settings don't match those that are used). Regards, -- wwp signature.asc Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos