Re: [CentOS] C7 : Firewalld

2014-10-25 Thread Vijay Rajah


On 25/10/14 1:42 AM, Always Learning wrote:

> Being a fan of IPtables and dreading the eventual transition to Centos
> 7, I wondered if in C7's firewalld an interface can be assigned to a
> single zone or to multiple zones such as 'private' and 'trusted'.


You can still use iptables with Centos7, if you want... (AFAIK both 
firewalld & iptables use the same kernel functions)


To stop and disable firewalld:

systemctl stop firewalld
systemctl mask firewalld

To install iptables:

yum install iptables-services

Enable and start iptables:

systemctl enable iptables
systemctl start iptables

For IPv6:

systemctl enable ip6tables



> For example interface em1 having both trusted and public zones assigned
> to it. If multiple zones per interface are permitted presumably one can
> segregate traffic by IP range ?




___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] C7 : Firewalld

2014-10-25 Thread Timothy Murphy
Vijay Rajah wrote:

> You can still use iptables with Centos7, if you want... (AFAIK both
> firewalld & iptables use the same kernel functions)

As a matter of interest, how does firewalld compare with shorewall?
They look rather similar.

I am running CentOS-7 on a home server, with shorewall.
I was not aware until I read this thread that firewalld was installed,
but I find now that it is running.
I'm rather surprised there have been no conflicts with shorewall.
Maybe one over-rules the other?

(I notice it is installed but not running on my Fedora-20 laptop.)

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin 2, Ireland




[CentOS] Upgrading to CentOS-7 on a new partition

2014-10-25 Thread Timothy Murphy

I would like to upgrade a CentOS-6.5 home server
to CentOS-7 on a new partition.
What is the simplest way to achieve this?
I would like to be able to boot into either version of CentOS
until I am sure the new version is running OK.

Incidentally, I think most people today must have enough space
on their hard drive to install a new OS on a new partition -
it is surprising that this option never seems to be mentioned
in upgrade documentation.

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin 2, Ireland




Re: [CentOS] What is a client certificate?

2014-10-25 Thread Leon Fauster
On 24.10.2014 at 18:31, Valeri Galtsev wrote:
> 
> On Fri, October 24, 2014 10:43 am, Timothy Murphy wrote:
>> A very ignorant question, sans doute.
>> 
>> I get my certificates from cacert.org, to whom I am very grateful.
>> I follow what I take to be the official procedure,
>> first creating .key and .csr on my server
>> and then getting .crt by going to Server Certificate=>New
>> at the cacert site.
>> 
>> I then place the key certificate *.key in /etc/pki/tls/private/
>> and what I call the client certificate *.crt in /etc/pki/tls/certs/ .
>> 
>> But I notice that there at www.cacert.org there is
>> a Client Certificate folder as well as the Server Certificate folder,
>> and it seems that one can create a "client certificate" there.
> 
> In two words: some of the stuff you would only serve to clients that
> authenticate themselves. Well known way of authentication is:
> username/password. Client certificate serves the same purpose, it is just
> less known way of doing it.


Conceptually, that means the former is something that you
know and the latter is something that you have (+ know), to
authenticate yourself.


>> 
>> My question is: what is the purpose of this second client certificate?
>> 
>> And while I am on the topic, what are the recommended file permissions
>> for PKI certificates?
>> I was a little surprised to find my .key has permission 640,
>> while .crt has permission 644.
>> The folder /etc/pki/tls/private/ on my server
>> does not seem to have any special security;
>> it is owned by root but can be opened and listed by anybody.
>> Is that the recommended setup?
>> 
> 
> For secret key I usually have 400 (-r---). For Certificate, it doesn't
> matter that much: your server passes it over to anyone who requests it at
> the very beginning of SSL/TLS connection. I still keep it without write
> permission. You only change certificate/key once every year or two, so you
> don't need write permission for these files in general...
> 
> Note that if some daemon needs secret key and it is not designed to start
> as root (to read the key...) then drop privileges, then you will have to
> make secret key group readable, grant it to appropriate group, and make
> sure the poor daemon who can not start as root first is a member of that
> group.


and keep your key/cert-pair out of your system backups. 

--
LF
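The permission advice in this thread (owner-only private keys, group-readable only when a non-root daemon needs the key via a dedicated group, no write bits on either keys or certificates, certificates may be public) can be turned into a quick audit. The following is an added example, not code from the thread or from any CentOS tooling; the policy it encodes, the `.key`/`.crt` naming, the "private" directory check and the constructed sample tree are assumptions made for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Policy used by this check (constructed for the example, following the
# advice in the thread): a private key is readable only by its owner, or by
# a dedicated group when a daemon that drops privileges needs it; neither
# keys nor certificates need write bits for group/other; a certificate may
# be world-readable because the server hands it to every client anyway.
KEY_SUFFIXES = (".key",)
CERT_SUFFIXES = (".crt", ".pem", ".cer")


def audit_file(path: Path) -> list:
    """Return findings for one key or certificate file; [] means it looks fine."""
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        return []  # symlinks: the target is audited where it lives
    mode = stat.S_IMODE(st.st_mode)
    is_key = path.name.endswith(KEY_SUFFIXES)
    is_cert = path.name.endswith(CERT_SUFFIXES)
    if not (is_key or is_cert):
        return []
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group/other (mode {mode:04o})")
    if is_key:
        if mode & (stat.S_IROTH | stat.S_IXOTH):
            findings.append(f"private key is world-readable (mode {mode:04o})")
        elif mode & stat.S_IRGRP:
            # Acceptable only when a non-root daemon reads it via a dedicated group.
            findings.append(f"private key is group-readable (mode {mode:04o}); "
                            f"confirm gid {st.st_gid} is the daemon's group")
    return findings


def audit_tree(root: Path) -> dict:
    """Walk root and return {relative path: [findings]} for anything flagged."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        dmode = stat.S_IMODE(d.stat().st_mode)
        # A world-listable private/ directory is the situation the poster noticed.
        if d.name == "private" and dmode & (stat.S_IROTH | stat.S_IXOTH):
            report[str(d.relative_to(root))] = [
                f"private dir is world-accessible (mode {dmode:04o})"]
        for name in files:
            f = d / name
            found = audit_file(f)
            if found:
                report[str(f.relative_to(root))] = found
    return report


def build_sample_tree() -> Path:
    """Create a constructed /etc/pki/tls-like layout in a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="pki-demo-"))
    private = root / "private"
    certs = root / "certs"
    for d in (private, certs):
        d.mkdir()
        os.chmod(d, 0o755)  # world-listable, as observed on the poster's server
    samples = {
        private / "good.key": 0o400,    # owner-only, as recommended
        private / "daemon.key": 0o640,  # group-readable for a non-root daemon
        private / "leaky.key": 0o644,   # world-readable private key
        certs / "server.crt": 0o644,    # fine: public, not writable by others
        certs / "sloppy.crt": 0o666,    # public but world-writable
    }
    for path, mode in samples.items():
        path.write_text("-- constructed placeholder, not real key material --\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, findings in sorted(audit_tree(root).items()):
        for finding in findings:
            print(f"{rel}: {finding}")
```

Pointing `audit_tree` at `/etc/pki/tls` on a real host only inspects modes, so it is safe to run as an unprivileged user, though it will only see files it is allowed to stat.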






Re: [CentOS] Q. LUKS or ecryptfs-utils ?

2014-10-25 Thread Devin Reade
--On Wednesday, October 22, 2014 03:32:32 PM -0400 "James B. Byrne" wrote:

> We can live with manually mounting the file system and providing a
> pass-phrase at boot.  we are also looking into a semi-auto USB based
> solution to that issue.

Regarding the USB comment, see
CentOS 5.4+:

CentOS 6.5+: 

I don't have a solution for CentOS 7 yet.  If someone comes up with one,
please drop me a note.

Devin



Re: [CentOS] [exim] Some feature

2014-10-25 Thread Always Learning

On Fri, 2014-10-24 at 13:35 +0400, Фадеев Виталий Львович wrote:

> Yes. It works if I send email to fvl+t...@domain.com from the f...@domain.com
> account, but it doesn't work if I send to another user like
> realuser+t...@domain.com .
> In the logs: "Unknown user"

What is your Exim configuration syntax for delivering emails to

(a)   f...@domain.com

(b)   fvl+t...@domain.com

(c)  realu...@domain.com

?

What specific configuration are you using for email delivery ?


-- 
Regards,

Paul.
England, EU.




Re: [CentOS] Upgrading to CentOS-7 on a new partition

2014-10-25 Thread Ted Miller

On 10/25/2014 09:40 AM, Timothy Murphy wrote:


> I would like to upgrade a CentOS-6.5 home server
> to CentOS-7 on a new partition.
> What is the simplest way to achieve this?
> I would like to be able to boot into either version of CentOS
> until I am sure the new version is running OK.
>
> Incidentally, I think most people today must have enough space
> on their hard drive to install a new OS on a new partition -
> it is surprising that this option never seems to be mentioned
> in upgrade documentation.


A couple of observations after doing this:

1. It requires a custom disk layout, but is not particularly hard.
2. AFAIK, you can share your SWAP partition between the two installations.
3. Centos 7 uses grub2 as its boot loader.  It is significantly different 
from "legacy grub" used in Centos 6 and before.
  a. It uses a configuration file that is auto-generated, and not supposed 
to be edited.
  b. It is capable of finding other installations (including legacy grub 
and windows), and creating links to them.
  c. 'b' only seems to work IF the other boot partitions are mounted 
somewhere in your file tree.  What I have done is mount the other 
partitions (the /boot partition, if it is on a separate partition, 
otherwise /) under /mnt (e.g. /mnt/C6) when you are doing your custom disk 
layout.  As long as they are mounted somewhere in the file system, grub2 
seems to find them OK, and add them to your boot menu.  It is apparently 
incapable of looking on unmounted partitions and finding Operating Systems 
lurking there.
  d. grub2 is (theoretically) capable of booting off of LVM (and I have 
done so successfully), BUT that capability is disabled and unsupported in 
RHEL/Centos 7.  You still have to put /boot on a non-LVM partition.


Ted Miller
Elkhart, IN, USA



[CentOS] Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule

2014-10-25 Thread admin

Hi gents,

I seem to have a small issue with fping and Observium (a monitoring
solution). The particular VPS I'm using does have SELinux enabled and it
seems to be causing issues when the httpd process is attempting to use
fping.


Here is what I know so far :

Output from "audit2why -a" :

---
type=AVC msg=audit(1414265994.125:6744): avc:  denied  { create } for  
pid=8968 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0

  Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module 
to allow this access.


---

Which does seem to confirm that something is wrong between httpd and fping.

I then ran "audit2allow -M fping-httpd < audit2allow" which did create
both the .te and .pp files. The issue is that inside the .te file, I
have a warning saying that the rules already exist! Which does make
sense since I had to allow those particular functions for the MySQL
connection to function properly.

---
.te file :

"module fping-httpd 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket create;
}

#= httpd_t ==

# This avc is allowed in the current policy
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket create;
"
---

Is the "Missing type enforcement" related to all of this? I really don't 
want to disable SELinux and would rather learn to actually use it properly.


Thank you!




Re: [CentOS] C7 : Firewalld

2014-10-25 Thread Marcelo Ricardo Leitner

On 25-10-2014 09:40, Timothy Murphy wrote:

> Vijay Rajah wrote:
>
>> You can still use iptables with Centos7, if you want... (AFAIK both
>> firewalld & iptables use the same kernel functions)


Yes.. both are just frontends for iptables with profile presets, no more 
than that.



> As a matter of interest, how does firewalld compare with shorewall?
> They look rather similar.


Pretty much the same idea, but firewalld should be more evolved in terms of
user friendliness. It even has a GUI if you want.


firewalld also has other abilities, like allowing changing just the 
runtime configuration, or just the persistent one..


Yet, if you are an advanced shorewall/iptables user, you may struggle to 
do the same on firewalld without resorting to its --direct commands.



> I am running CentOS-7 on a home server, with shorewall.
> I was not aware until I read this thread that firewalld was installed,
> but I find now that it is running.
> I'm rather surprised there have been no conflicts with shorewall.
> Maybe one over-rules the other?
>
> (I notice it is installed but not running on my Fedora-20 laptop.)


Probably your shorewall is just starting later than firewalld and is
overwriting firewalld's rules.


Marcelo
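Marcelo's point is that both front ends drive the same iptables rule set, so whichever loads last decides what is actually in the kernel. One way to see whether two front ends have rules loaded at the same time is to look at the chains in `iptables-save` output. The script below is an added example, not part of this thread or of either project; the chain-name signatures it uses (firewalld's `INPUT_ZONES`, `IN_<zone>`, `*_direct` family and shorewall's `shorewall` marker chain plus its `<zone>2<zone>` policy chains) are a heuristic assumed for the demonstration, and the dump it parses is constructed, not captured from a real host.

```python
import re

# Constructed iptables-save excerpt (not from the thread): filter-table
# chains of the kind firewalld creates next to chains of the kind shorewall
# creates, as they would appear on a host where both have loaded rules.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:net2fw - [0:0]
:fw2net - [0:0]
:shorewall - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -i eth0 -j net2fw
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Assumed chain-name signatures for each front end (heuristic): firewalld's
# zone dispatch and --direct chains, and shorewall's marker chain plus its
# zone-to-zone policy chains such as net2fw.
SIGNATURES = {
    "firewalld": re.compile(r"^(INPUT|FORWARD|OUTPUT)_(ZONES|direct)|^(IN|FWDI|FWDO)_"),
    "shorewall": re.compile(r"^shorewall$|^\w+2\w+$"),
}


def chains_by_frontend(dump: str) -> dict:
    """Map each recognised front end to the chains it appears to own."""
    found = {name: [] for name in SIGNATURES}
    for line in dump.splitlines():
        if not line.startswith(":"):       # chain declarations start with ':'
            continue
        chain = line[1:].split()[0]
        for fe, sig in SIGNATURES.items():
            if sig.search(chain):
                found[fe].append(chain)
    return {fe: sorted(chains) for fe, chains in found.items() if chains}


def input_dispatch_order(dump: str) -> list:
    """Front ends in the order INPUT hands packets to their chains.

    The first one listed evaluates each incoming packet first, so its
    verdicts win where the two rule sets disagree."""
    order = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT "):
            continue
        m = re.search(r"-j (\S+)", line)
        if not m:
            continue
        for fe, sig in SIGNATURES.items():
            if sig.search(m.group(1)) and fe not in order:
                order.append(fe)
    return order


def report(dump: str) -> dict:
    """Summarise which front ends are present and whether they overlap."""
    owners = chains_by_frontend(dump)
    return {
        "frontends": sorted(owners),
        "conflict": len(owners) > 1,
        "input_order": input_dispatch_order(dump),
    }


if __name__ == "__main__":
    # On a real host: report(subprocess.check_output(["iptables-save"], text=True))
    print(report(SAMPLE_IPTABLES_SAVE))
```

A `conflict` of `True` is the condition Timothy describes: two managers believing they own the rule set. The fix is the one Vijay gave for iptables-services, applied to whichever front end is not wanted: stop and mask it so it cannot come back at boot.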



Re: [CentOS] Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule

2014-10-25 Thread Greg Lindahl
On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:

> # This avc is allowed in the current policy
> allow httpd_t self:capability net_raw;
> allow httpd_t self:rawip_socket create;

This confusing output means that the first "allow" line is in the
current policy, and the second is not.

-- greg




Re: [CentOS] And now for something completely different. Win7 on KVM

2014-10-25 Thread James B. Byrne

On Fri, October 24, 2014 16:09, Nathan Duehr wrote:
>> On Oct 22, 2014, at 15:15, James B. Byrne  wrote:
>>
>>
>> As you can probably guess by now I am working my way down through my
>> outstanding issue list trying to get as many deferred items closed out as I
>> can before the next security storm hits.
>
> They stopped?  :-)
>

I am in the eye of the hurricane more likely.  But I will take whatever calm I
can find. For however long it lasts.


-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne   mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



[CentOS] Update from 6.5 to 6.6 breaks epel qt5

2014-10-25 Thread Devin Reade
Just a heads up, if anyone is doing QT development with the EPEL
RPMs, the update from RHEL 6.5 to 6.6 breaks the current qt5 RPMS.  
In fact, I had to uninstall qt5 to perform the update.

I've submitted a bug report upstream, so hopefully it'll get resolved
before too much longer.  In the interim, you either get to update,
or you get to stop your qt5 development ...



Devin



Re: [CentOS] Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule

2014-10-25 Thread admin
I've just recreated the module and enabled it, yet I can't seem to allow 
fping to be used by the httpd process. It seems that the last error was 
just a byproduct of a bad module I had not properly removed. Are there 
any additional troubleshooting steps I could try?


What I've done so far :

1) grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
2) semodule -i observium_fping.pp

3) semodule -l | grep fping
**
fping   1.0
observium_fping 1.0
**

4) cat /var/log/audit/audit.log | grep fping

type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for  
pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414295291.964:357): arch=c03e syscall=41 
success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282 
pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 
fsgid=48 tty=(none) ses=1 comm="fping" exe="/usr/sbin/fping" 
subj=unconfined_u:system_r:httpd_t:s0 key=(null)




On 10/25/2014 8:30 PM, Greg Lindahl wrote:

> On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:
>
>> # This avc is allowed in the current policy
>> allow httpd_t self:capability net_raw;
>> allow httpd_t self:rawip_socket create;
>
> This confusing output means that the first "allow" line is in the
> current policy, and the second is not.
>
> -- greg
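Greg's reading of the `.te` file and the AVC/SYSCALL pair the poster pasted can both be checked mechanically. The script below is an added example, not code from the thread or from the audit2allow/setools packages: it parses AVC denial records, pairs each with its SYSCALL record by audit serial to tell an enforced denial (`success=no`, `exit=-13`) from a permissive-mode log entry, turns each denial into the `allow` rule audit2allow would emit, and marks which rules are already in a list of loaded rules (in practice, the output of `sesearch -A -s httpd_t` from setools; here a constructed list). The first two sample records are the ones pasted above, with the poster's truncated `arch=c03e` left as it was; the third is a constructed `net_raw` capability denial of the kind behind the first allow line in the poster's `.te` file.

```python
import re

# Constructed sample: two records pasted in the thread plus one constructed
# capability denial (the first AVC quoted earlier in the thread was truncated).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for  pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414295291.964:357): arch=c03e syscall=41 success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282 pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="fping" exe="/usr/sbin/fping" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1414265994.125:6744): avc:  denied  { net_raw } for  pid=8968 comm="fping" capability=13 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \} '
    r'for .*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*? success=(?P<ok>yes|no)')


def type_of(context: str) -> str:
    """user:role:type:level -> type, the field policy rules are written on."""
    return context.split(":")[2]


def failed_serials(log_text: str) -> set:
    """Serials whose SYSCALL record says success=no: the denial was enforced.

    In permissive mode the AVC is still logged but the syscall succeeds."""
    return {int(m["serial"]) for m in map(SYSCALL_RE.search, log_text.splitlines())
            if m and m["ok"] == "no"}


def parse_avc_denials(log_text: str) -> list:
    """One dict per AVC denial: serial, comm, source/target types, class, perms."""
    enforced = failed_serials(log_text)
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        denials.append({
            "serial": int(m["serial"]),
            "comm": comm.group(1) if comm else "",
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": tuple(m["perms"].split()),
            "enforced": int(m["serial"]) in enforced,
        })
    return denials


def te_rule(d: dict) -> str:
    """The allow rule audit2allow would generate for one denial."""
    target = "self" if d["ttype"] == d["stype"] else d["ttype"]
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['stype']} {target}:{d['tclass']} {perms};"


def classify(denials: list, loaded_rules: list) -> dict:
    """Map each generated rule to 'already allowed' or 'missing'.

    loaded_rules: rules already active in the policy, in the same allow syntax
    (constructed here; on a host, derive them from sesearch output)."""
    loaded = {" ".join(r.split()) for r in loaded_rules}
    return {te_rule(d): ("already allowed" if " ".join(te_rule(d).split()) in loaded
                         else "missing") for d in denials}


def render_te_module(name: str, rules: list) -> str:
    """Minimal policy module source, like audit2allow -M, for the given rules only."""
    types = {r.split()[1] for r in rules}
    types |= {r.split()[2].split(":")[0] for r in rules if not r.split()[2].startswith("self")}
    classes = {}
    for r in rules:
        tclass = r.split()[2].split(":")[1]
        perms = r.split(None, 3)[3].rstrip(";").strip("{} ").split()
        classes.setdefault(tclass, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + list(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    verdicts = classify(denials, ["allow httpd_t self:capability net_raw;"])
    for rule, verdict in verdicts.items():
        print(f"{verdict:16} {rule}")
    print(render_te_module("fping_httpd", [r for r, v in verdicts.items() if v == "missing"]))
```

Because the module is built only from the rules marked `missing`, it avoids the "rule already exists" warning the poster saw. The `enforced` flag is also the quickest way to confirm that a fresh denial really blocked fping rather than being a stale log entry from before a module was loaded.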



