Re: [CentOS] Centos convert to rhel?
Tom Brown wrote:
> tell said managers to open the coffers and pay for support if they are
> that worried

Well, it hasn't happened to me (yet). I just thought that it might be why some people seem to be somewhat worried.

Regards
Ingemar

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Centos convert to rhel?
Tom Brown wrote:
> why is everyone getting so jumpy - it's only a domain name that's at
> stake, he's been AWOL for a year or more and the project has been OK
>
> people should worry less

I understand the worries. The news has reached the front page of Slashdot, and thus might reach certain technically inclined managers, which in turn may cause questions about contingency plans to be directed at the IT staff. I have a feeling that "I have no contingency plan, don't worry, the problem will be solved" is not such a good answer to such queries. Thus, the worrying.

Regards
Ingemar
Re: [CentOS] SELinux policy module sources
Jim Perrin wrote:
> With CentOS 5, you don't really need the selinux module source anymore.
> It's usually enough to clear the logs and, in permissive mode, run the
> offending application. Then 'grep yourapp /var/log/audit/audit.log |
> audit2allow -M localmodname'. Check the module for sanity and make sure
> it's not allowing god-knows-what, then semodule -i localmodname. It'll
> be there on reboot from now on. No need (although it's a good idea) to
> keep the module file hanging around.

I know that you can generate policy modules from audit logs with audit2allow, but I'd like to know how it all works. This is for a variety of reasons:

* Is the denial because of a bug in the policy with the default configuration, or because I made some configuration change that requires additional permissions? In the first case, a bug report would probably be appropriate.

* Maybe the error actually occurs because of some mislabeled file? Correcting a label is surely better than adding some unnecessary permission.

* I might want to develop policy modules for our own software, using new file contexts and new types. In this case, simply adding avc rules with audit2allow would be inappropriate, since the system does not know about my planned policy module.

* I'd like to use the source for existing policy modules as inspiration for my own work.

In addition, the policy generation tool (accessed through system-config-selinux) asks a few questions and then produces a .te, a .fc, a .if and (IIRC) a .pp file for my custom software. I know that the .te file is compiled into the .pp file, but what about e.g. the .fc file? Is it stored somewhere where restorecon will look for it, or is it simply used for the initial relabeling? Can I put it somewhere, like a /etc/selinux/.../file_contexts.d/ directory (no, it doesn't exist), or do I have to add the corresponding rules to the monolithic /etc/selinux/.../file_contexts file?

Regards
Ingemar
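The "check the module for sanity" step Jim mentions can be done on the raw AVC records before audit2allow ever runs, and it also answers the first two questions above (policy bug or my change? mislabelled file?). The script below is an added example, not code from this thread or from the SELinux tools: it reduces a constructed audit.log excerpt to the distinct source type / target type / class / permission tuples that audit2allow would turn into allow rules, prints a matchpathcon check for every denial that names a path (a wrong label is fixed with restorecon, not with a rule), and flags tuples that should be looked at by hand. The list of sensitive types and permissions it flags is an illustrative assumption, not anything shipped with CentOS.

```shell
#!/bin/sh
# Added example (not from the thread): review AVC denials before turning them
# into a module with audit2allow. Usage: sh avc-review.sh /var/log/audit/audit.log
# With no argument it runs against the constructed sample below.

# Constructed audit.log excerpt in CentOS 5 format (not real data): httpd
# reading a user's public_html, plus one denial against /etc/shadow.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1208246400.123:4567): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1208246400.123:4567): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1208246400.124:4568): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/bob/public_html/index.html" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1208246400.900:4569): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1208246401.000:4570): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=sda2 ino=8899 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
)

# One line per distinct "source_type target_type class permissions" tuple.
# Each such tuple is what audit2allow would turn into an allow rule.
summarize_avc() {
    grep 'avc:  denied' "$1" | sed -n \
        's/.*denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
        sort -u
}

# Tuples that must not be allowed just because they were denied: access to
# shadow_t (/etc/shadow), the SELinux filesystem and configuration, or the
# execmem/execstack/execheap permissions. The list is an illustrative
# assumption, not something shipped with CentOS; extend it for your site.
flag_risky() {
    summarize_avc "$1" | grep -E \
        -e '^[a-z_]+ (shadow_t|security_t|selinux_config_t) ' \
        -e ' (execmem|execstack|execheap)( |$)'
}

# For denials that carry a full path, print the command that checks whether
# the on-disk label matches policy (matchpathcon -V). A mislabelled file is
# fixed with restorecon, not with a new allow rule.
label_checks() {
    grep 'avc:  denied' "$1" | sed -n 's/.* path="\([^"]*\)".*/matchpathcon -V \1/p' | sort -u
}

main() {
    file=${1:-}
    if [ -z "$file" ]; then
        file=$(mktemp)
        printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$file"
        trap 'rm -f "$file"' EXIT
    fi
    echo "== distinct denials (source target class perms) =="
    summarize_avc "$file"
    echo "== label checks to run before writing policy =="
    label_checks "$file"
    echo "== denials needing manual review before semodule -i =="
    flag_risky "$file" || echo "(none)"
}

main "$@"
```

Only after the flagged tuples are explained (a mislabelled public_html is a restorecon job; httpd reading shadow_t is never something to allow) does it make sense to run 'grep httpd /var/log/audit/audit.log | audit2allow -M local_httpd' and 'semodule -i local_httpd.pp' on what remains.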
[CentOS] SELinux policy module sources
Hi.

I'm trying to figure out where the SELinux policy modules shipped with the system live, and how they work. The modules listed by 'semodule -l' are the same as those available in /etc/selinux/targeted/modules/active/modules, but those are not part of any package, and are presumably added to and removed from this location as they are added to and removed from the kernel.

I later found these modules to live in /usr/share/selinux. If I create a policy module of my own, is this the place to put it to make sure that it is loaded when the system boots? Or do I also need to list it somewhere, such as in a configuration file? The reason why I ask is because there are a few .pp files in this directory that are not visible in the list of loaded modules, and they are also not available in the /etc/selinux/.../modules directory above.

I today tried to figure out what these precompiled policy packages contain, but that isn't exactly obvious. I found .if files in /usr/share/selinux/devel/include/... that correspond to the .pp files in /usr/share/selinux, but nothing else. The .if files only contain definitions, but don't these need to be used somewhere, such as in .te files? And what about the .fc files that the policy generation tool in system-config-selinux creates? Are such files not needed?

Lots of questions, but the documentation on this subject isn't exactly stellar. :)

Regards
Ingemar
Re: [CentOS] SSH Question relating to Public and Private Keys
Fajar Priyanto wrote:
> On Tuesday 15 April 2008 16:13:55 William L. Maltby wrote:
>> How sensitive is the data and how critical are the functions that
>> could be disrupted? What is the scope of exposure to intrusion from
>> outside the organization (LAN, firewalls in place, etc.)?
>
> For example rsync functions. It won't work automatically anymore in
> cron if we use passphrase.

Do you know what command rsync will run on the remote host? If you do, you can create a key pair without a passphrase and add the public key to the remote host, along with a forced command. This will allow the client with the corresponding private key to run this command only.

Regards
Ingemar
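What such a forced command can look like, as an added example that is not part of the thread: the wrapper below lives on the remote host and is named in the authorized_keys entry for the passphrase-less key, so that key can start nothing but the rsync server side, and only inside one directory. The wrapper path /usr/local/bin/rsync-only, the directory /srv/backup and the key comment are assumptions; the 'rsync --server ...' form it accepts is what the rsync client sends over ssh, and every other request is rejected and logged through logger so it can be alerted on.

```shell
#!/bin/sh
# Added example (not from the thread): a forced-command wrapper that lets a
# passphrase-less key run only the rsync server side, confined to one
# directory. Install as /usr/local/bin/rsync-only (assumed path) and refer to
# it from the key's authorized_keys entry on the remote host:
#
#   command="/usr/local/bin/rsync-only /srv/backup",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER backup@client
#
# sshd then runs this script for every login with that key and puts what the
# client asked for in SSH_ORIGINAL_COMMAND; the client's own command line is
# never executed directly. /srv/backup and the key comment are assumptions.

# Return 0 only if $2 is an rsync server invocation confined to directory $1.
check_rsync_command() {
    allowed_dir=$1
    cmd=$2
    # Whitelist the characters an rsync server command line needs. Anything
    # else (; | & $ ` quotes, globs, newlines) is rejected before the string
    # is split into words, so the later word splitting cannot be abused.
    ok_chars='A-Za-z0-9_./=:,@ -'
    case $cmd in
        *[!$ok_chars]*) return 1 ;;
    esac
    set -- $cmd
    [ "${1:-}" = rsync ] && [ "${2:-}" = "--server" ] || return 1
    shift 2
    # Skip option words (--sender, -logDtprze.iLsfx, ...); what remains must
    # be exactly "." and one destination/source path.
    while [ $# -gt 0 ]; do
        case $1 in -*) shift ;; *) break ;; esac
    done
    [ $# -eq 2 ] && [ "$1" = . ] || return 1
    target=$2
    case $target in
        "$allowed_dir"|"$allowed_dir"/*) ;;
        *) return 1 ;;
    esac
    # No climbing back out of the directory.
    case $target in */../*|*/..|../*) return 1 ;; esac
    return 0
}

# Entry point used by sshd: one argument (the allowed directory) and the
# client's request in SSH_ORIGINAL_COMMAND. Rejections go to syslog.
if [ $# -eq 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$1" "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t rsync-only "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The client side stays an ordinary cron job, e.g. 'rsync -az -e ssh /data/ backup@host:/srv/backup/db1/'; rsync turns that into 'rsync --server -logDtprze.iLsfx . /srv/backup/db1/' on the remote host, which is the only shape the wrapper lets through.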
Re: [CentOS] Custom SELinux file contexts?
Ingemar Nilsson wrote:
>> /etc/selinux/targeted/contexts/files/file_contexts.local works fine
>> for me. Did you use restorecon afterwards to relabel the relevant
>> files/directories?
>
> It works now, I don't know what mistake I made. Thanks anyway.

It only works when using the name file_contexts.local though; using a subdirectory like file_contexts.d or a file named file_contexts.somethingelse does not work.

Regards
Ingemar
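Since file_contexts.local is the only name that is honoured, a slip in one of its lines is easy to make and hard to see: restorecon silently falls back to whatever the main file_contexts says. The check below is an added example, not something from this thread or from the SELinux tools. It validates every entry of a constructed file_contexts.local against the format libselinux expects (absolute path regex, optional file type flag such as -d or --, a full user:role:type:level context or <<none>>), rejects explicit ^ and $ anchors (the regex is anchored implicitly), and warns about a dot in a literal path that was not escaped. The sample paths and the application name are assumptions; the httpd_* types used do exist in the targeted policy. Note that 'semanage fcontext -a -t TYPE REGEX' writes into this same file, and in both cases restorecon -R on the affected tree is still needed afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): syntax-check a file_contexts.local
# before relabelling. Usage:
#   sh fc-check.sh /etc/selinux/targeted/contexts/files/file_contexts.local && restorecon -Rv /srv/webapp
# With no argument it checks the constructed sample below.

# Constructed sample with deliberate mistakes; paths and types are assumptions.
SAMPLE_FILE_CONTEXTS=$(cat <<'EOF'
# entries for an assumed web application under /srv/webapp
/srv/webapp(/.*)?                system_u:object_r:httpd_sys_content_t:s0
/srv/webapp/uploads(/.*)?    -d  system_u:object_r:httpd_sys_rw_content_t:s0
/srv/webapp/app.log          --  system_u:object_r:httpd_log_t:s0
srv/webapp/bin/run.sh            system_u:object_r:httpd_exec_t:s0
/var/run/webapp.sock         -s  system_u:object_r:httpd_var_run_t
/srv/webapp/cache(/.*)?      --dir  system_u:object_r:httpd_sys_rw_content_t:s0
EOF
)

# Constructed sample that passes: escaped dot, <<none>> to leave a tree alone.
GOOD_FILE_CONTEXTS=$(cat <<'EOF'
/srv/webapp(/.*)?                system_u:object_r:httpd_sys_content_t:s0
/srv/webapp/app\.log         --  system_u:object_r:httpd_log_t:s0
/srv/webapp/tmp(/.*)?            <<none>>
EOF
)

# Print "line N: ..." for every problem in file $1. Returns 0 only if there
# were no errors (warnings do not count). Entry format:
#   <path regex> [<file type flag>] <context>
validate_file_contexts() {
    awk '
    function err(msg) { printf "line %d: %s\n", NR, msg; bad++ }
    /^[ \t]*(#|$)/ { next }
    {
        if (NF < 2 || NF > 3) { err("expected <regex> [<-type>] <context>, got " NF " fields"); next }
        regex = $1; ctx = $NF
        if (NF == 3 && $2 !~ /^-[-dcbslp]$/)
            err("bad file type flag \"" $2 "\" (one of --, -d, -c, -b, -s, -l, -p)")
        if (regex !~ /^\//)
            err("path regex must be absolute: " regex)
        if (regex ~ /^\^/ || regex ~ /\$$/)
            err("do not anchor with ^ or $; the regex is anchored implicitly: " regex)
        if (ctx != "<<none>>" && ctx !~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:s[0-9]+(-s[0-9]+)?(:c[0-9,.]+)?$/)
            err("context must be user:role:type:level, e.g. system_u:object_r:httpd_sys_content_t:s0: " ctx)
        # Heuristic: a "." that is neither escaped nor followed by a quantifier
        # is probably meant literally, but in a regex it matches any character.
        tmp = regex; gsub(/\\\./, "", tmp); gsub(/\.[*+?]/, "", tmp)
        if (tmp ~ /\./) printf "line %d: warning: unescaped \".\" in %s matches any character\n", NR, regex
    }
    END { exit (bad > 0) }
    ' "$1"
}

if [ -n "${1:-}" ]; then
    validate_file_contexts "$1"
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_FILE_CONTEXTS" > "$tmp"
    validate_file_contexts "$tmp"; rm -f "$tmp"
fi
```

Run against the sample it reports the relative path, the context with no level and the bogus --dir flag as errors, and the three unescaped dots as warnings; the second sample passes silently.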
Re: [CentOS] Custom SELinux file contexts?
Daniel de Kok wrote:
> On Mon, Apr 14, 2008 at 5:05 PM, Ingemar Nilsson <[EMAIL PROTECTED]> wrote:
>> but rather put one or more similar files somewhere. A file_contexts.d
>> directory would be nice, but it isn't available. Just creating your
>> own file_contexts.local file does not work, I already tried.
>
> /etc/selinux/targeted/contexts/files/file_contexts.local works fine
> for me. Did you use restorecon afterwards to relabel the relevant
> files/directories?

It works now, I don't know what mistake I made. Thanks anyway.

Regards
Ingemar
[CentOS] Custom SELinux file contexts?
Hi.

Does anyone know of some place to put custom SELinux file context specifications? I would prefer not to append lines to /etc/selinux/targeted/contexts/files/file_contexts but rather put one or more similar files somewhere. A file_contexts.d directory would be nice, but it isn't available. Just creating your own file_contexts.local file does not work, I already tried.

I'm running CentOS 5.1.

Regards
Ingemar
Re: [CentOS] Securing SSH
Tim Alberts wrote:
> I got keys set up so I know I'm talking to my server.

This is probably not what he meant. You can use a key pair to authenticate with the SSH server and turn off password authentication entirely. That makes password guessing attacks utterly impossible, because the server will only accept a response signed with your private key.

ssh-keygen -t rsa or ssh-keygen -t dsa generates a key pair. Do this on your local machine, and append the contents of your $HOME/.ssh/id_rsa.pub (or id_dsa if you chose DSA instead of RSA) to your $HOME/.ssh/authorized_keys file on the remote system.

This method is somewhat more complicated to set up, since all users must have public keys in their $HOME/.ssh/authorized_keys file, or they can't log in.

Regards
Ingemar
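Turning password authentication off "entirely" takes more than one line in sshd_config on a PAM system: with PasswordAuthentication no but ChallengeResponseAuthentication still yes (the CentOS 5 default), sshd can still ask for the password through keyboard-interactive, and the brute-force traffic in /var/log/secure simply continues. The script below is an added example, not from this thread: it reads an sshd_config the way sshd does (the first value of a keyword wins, anything after the first Match line is conditional) and reports whether password-based logins are really off. Both sample configurations are constructed. KbdInteractiveAuthentication is the newer name of the same knob and is treated as an alias here.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an sshd_config really
# disables password logins. Usage: sh sshd-pw-check.sh /etc/ssh/sshd_config
# Assumes the "Keyword value" form (not "Keyword=value").

# Constructed sample: CentOS 5-style defaults with only keys added.
WEAK_SSHD_CONFIG=$(cat <<'EOF'
Protocol 2
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
EOF
)

# Constructed sample: password logins off. The later duplicate line and the
# Match block show why the parser must stop at the first value / first Match.
HARDENED_SSHD_CONFIG=$(cat <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin without-password
# sshd uses the first value it reads for a keyword, so this line has no effect
PasswordAuthentication yes
Match Group sftponly
    PasswordAuthentication yes
    ForceCommand internal-sftp
EOF
)

# Print the effective global value of keyword $2 in config file $1, or nothing
# if it is unset. Keywords are case-insensitive; the first value wins; the
# first Match block ends the global section.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 if neither password nor keyboard-interactive authentication is
# possible; otherwise print what is still open and return 1.
password_logins_disabled() {
    cfg=$1; status=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    kbd=${kbd:-$cr}
    # Both default to yes when unset.
    if [ "${pw:-yes}" != no ]; then
        echo "PasswordAuthentication is ${pw:-unset (defaults to yes)}"; status=1
    fi
    if [ "${kbd:-yes}" != no ]; then
        echo "ChallengeResponse/KbdInteractive is ${kbd:-unset (defaults to yes)}: with UsePAM, sshd can still prompt for a password"; status=1
    fi
    return $status
}

if [ -n "${1:-}" ]; then
    if password_logins_disabled "$1"; then echo "$1: password logins are off"; fi
fi
```

After changing the file, 'sshd -t' checks the syntax and 'service sshd reload' applies it; keep an existing session open while you test the key login from a second one, because once this is in place a missing authorized_keys entry means no way back in.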