Re: [CentOS] Centos convert to rhel?

2009-07-31 Thread Ingemar Nilsson
Tom Brown wrote:

> tell said managers to open the coffers and pay for support if they are 
> that worried

Well, it hasn't happened to me (yet). I just thought that it might be 
why some people seem to be somewhat worried.

Regards
Ingemar
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos convert to rhel?

2009-07-31 Thread Ingemar Nilsson
Tom Brown wrote:

> why is everyone getting so jumpy - it's only a domain name that's at 
> stake, he's been AWOL for a year or more and the project has been OK
> 
> people should worry less

I understand the worries. The news has reached the front page of 
Slashdot, and thus might reach certain technically inclined managers, 
which in turn may cause questions about contingency plans to be directed 
at the IT staff. I have a feeling that "I have no contingency plan, 
don't worry, the problem will be solved" is not such a good answer to 
such queries.

Thus, the worrying.

Regards
Ingemar



Re: [CentOS] SELinux policy module sources

2008-05-05 Thread Ingemar Nilsson

Jim Perrin wrote:

> With CentOS 5, you don't really need the selinux module source
> anymore. It's usually enough to clear the logs and in permissive mode,
> run the offending application. Then 'grep yourapp
> /var/log/audit/audit.log | audit2allow -M localmodname'. Check the
> module for sanity and make sure it's not allowing god-knows-what, then
> semodule -i localmodname.  It'll be there on reboot from now on. No
> need (although it's a good idea) to keep the module file hanging
> around.


I know that you can generate policy modules from audit logs with 
audit2allow, but I'd like to know how it all works. This is for a 
variety of reasons:


* Is the denial because of a bug in the policy with the default 
configuration, or because I made some configuration change that requires 
additional permissions? In the first case, a bug report would probably 
be appropriate.
* Maybe the error actually occurs because of some mislabeled file? 
Correcting a label is surely better than adding some unnecessary permission.
* I might want to develop policy modules for our own software, using new 
file contexts and new types. In this case, simply adding avc rules with 
audit2allow would be inappropriate, since the system does not know about 
my planned policy module.
* I'd like to use the source for existing policy modules as inspiration 
for my own work.


In addition, the policy generation tool (accessed through 
system-config-selinux) asks a few questions and then produces a .te, a 
.fc, a .if and (IIRC) a .pp file for my custom software. I know that the 
.te file is compiled into the .pp file, but what about e.g. the .fc 
file? Is it stored somewhere where restorecon will look for it, or is it 
simply used for the initial relabeling? Can I put it somewhere, like a 
/etc/selinux/.../file_contexts.d/ directory (no, it doesn't exist), or 
do I have to add the corresponding rules to the monolithic 
/etc/selinux/.../file_contexts file?


Regards
Ingemar
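Added example, not from the thread and not CentOS or SELinux project code: a small POSIX sh triage script for the step between "grep yourapp audit.log" and "audit2allow" in the procedure quoted above. It summarises each AVC denial and flags targets whose type says the object was never labeled, the mislabeling case raised in the reply, so those get restorecon instead of an allow rule. The log lines are constructed, and the list of labeling-problem types is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials before running
# audit2allow. Objects whose type says they were never labeled are a
# restorecon job, not an allow rule. Reads audit.log lines on stdin.

# Constructed sample denials (not real log output) for stand-alone use.
SAMPLE_AVC='type=AVC msg=audit(1210000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=10 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1210000000.456:46): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1210000000.456:46): arch=c000003e syscall=42 success=no exit=-13'

# avc_summary: one line per denial: comm source_type target_type class perms
avc_summary() {
    awk '/^type=AVC / && /denied/ {
        comm = src = tgt = cls = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass") cls = kv[2]
        }
        print comm, src, tgt, cls, perms
    }'
}

# Target types that mean "this object never got a real label" (assumption:
# these three are the usual signs of a labeling problem on a targeted system).
LABEL_PROBLEM_TYPES='unlabeled_t default_t file_t'

# classify: reads avc_summary output, prefixes RELABEL or POLICY to each line.
classify() {
    while read -r comm src tgt cls perms; do
        verdict=POLICY
        for t in $LABEL_PROBLEM_TYPES; do
            if [ "$tgt" = "$t" ]; then verdict=RELABEL; fi
        done
        printf '%s %s %s %s %s %s\n' "$verdict" "$comm" "$src" "$tgt" "$cls" "$perms"
    done
}

# Demo on the constructed sample: sh avc-triage.sh --demo
# Real use: grep yourapp /var/log/audit/audit.log | avc_summary | classify
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_AVC" | avc_summary | classify ;;
esac
```

Only the POLICY lines are worth feeding to audit2allow; a RELABEL line points at a file to fix with restorecon (or a missing file context) first.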


[CentOS] SELinux policy module sources

2008-05-05 Thread Ingemar Nilsson

Hi.

I'm trying to figure out where the SELinux policy modules shipped with 
the system live, and how they work. The modules listed by 'semodule -l' 
are the same as those available in 
/etc/selinux/targeted/modules/active/modules, but those are not part of 
any package, and are presumably added to and removed from this location as 
they are added to and removed from the kernel.


I later found these modules to live in /usr/share/selinux. If I create a 
policy module of my own, is this the place to put it to make sure that 
it is loaded when the system boots? Or do I also need to list it 
somewhere, such as in a configuration file? The reason why I ask is because 
there are a few .pp files in this directory that are not visible in the 
list of loaded modules, and they are also not available in the 
/etc/selinux/.../modules directory above.


Today I tried to figure out what these precompiled policy packages 
contain, but that isn't exactly obvious. I found .if files in 
/usr/share/selinux/devel/include/... that correspond to the .pp files in 
/usr/share/selinux, but nothing else. The .if files only contain 
definitions, but don't these need to be used somewhere, such as in .te 
files? And what about the .fc files that the policy generation tool in 
system-config-selinux creates? Are such files not needed?


Lots of questions, but the documentation on this subject isn't exactly 
stellar. :)


Regards
Ingemar


Re: [CentOS] SSH Question relating to Public and Private Keys

2008-04-15 Thread Ingemar Nilsson

Fajar Priyanto wrote:

> On Tuesday 15 April 2008 16:13:55 William L. Maltby wrote:
> 
>> How sensitive is the data and how critical are the functions that
>> could be disrupted? What is the scope of exposure to intrusion from
>> outside the organization (LAN, firewalls, in place, etc.).
> 
> For example rsync functions.
> It won't work automatically anymore in cron if we use passphrase.


Do you know what command rsync will run on the remote host? If you do, 
you can create a key pair without a passphrase and add the public key to 
the remote host, along with a forced command. This will allow the client 
with the corresponding private key to run this command only.


Regards
Ingemar
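Added example, not from the thread and not OpenSSH or rsync project code: the forced-command setup the reply describes, done as a wrapper script that the authorized_keys entry points at, so the passphrase-less key can run the cron job's rsync command and nothing else. The rsync server string, the script path and the key comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a forced-command wrapper for a
# passphrase-less rsync key. Installed on the remote host and named in
# authorized_keys, it lets that key run the cron job's rsync command and
# nothing else:
#   command="/usr/local/bin/rsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... backup@client
# sshd runs this script instead of the requested command and passes the
# request in SSH_ORIGINAL_COMMAND.

# The exact server-side command the client's rsync issues. Constructed value
# for illustration: capture the real one with 'rsync -e "ssh -v" ...' (look
# for "Sending command:") and paste it here verbatim.
ALLOWED='rsync --server --sender -logDtprze.iLsfx . /srv/backup/'

# allow_command REQUESTED: 0 only if REQUESTED is exactly the allowed string.
# A whole-string compare, so an extra option, another path or a trailing
# shell separator is refused rather than passed to a shell.
allow_command() {
    case "$1" in
        "$ALLOWED") return 0 ;;
        *)          return 1 ;;
    esac
}

main() {
    if allow_command "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                  # no globbing while the string is split
        exec $ALLOWED
    fi
    # Anything else is logged for the admin and refused; the key never gets a shell.
    logger -t rsync-only "refused: ${SSH_ORIGINAL_COMMAND:-<no command>}"
    echo "rsync-only: command not permitted" >&2
    exit 1
}

# Act as the wrapper only when invoked under the installed name, so the
# functions can be sourced or tested without side effects.
case "${0##*/}" in
    rsync-only) main ;;
esac
```

The refused requests land in syslog, which is also how you notice a cron job whose rsync options changed and no longer match the allowed string.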


Re: [CentOS] Custom SELinux file contexts?

2008-04-14 Thread Ingemar Nilsson

Ingemar Nilsson wrote:

>> /etc/selinux/targeted/contexts/files/file_contexts.local works fine
>> for me. Did you use restorecon afterwards to relabel the relevant
>> files/directories?
> 
> It works now, I don't know what mistake I made. Thanks anyway.


It only works when using the name file_contexts.local though, using a 
subdirectory like file_contexts.d or a file named 
file_contexts.somethingelse does not work.


Regards
Ingemar


Re: [CentOS] Custom SELinux file contexts?

2008-04-14 Thread Ingemar Nilsson

Daniel de Kok wrote:

> On Mon, Apr 14, 2008 at 5:05 PM, Ingemar Nilsson <[EMAIL PROTECTED]> wrote:
> 
>> but rather put one or more similar files somewhere. A file_contexts.d
>> directory would be nice, but it isn't available. Just creating your own
>> file_contexts.local file does not work, I already tried.
> 
> /etc/selinux/targeted/contexts/files/file_contexts.local works fine
> for me. Did you use restorecon afterwards to relabel the relevant
> files/directories?


It works now, I don't know what mistake I made. Thanks anyway.

Regards
Ingemar


[CentOS] Custom SELinux file contexts?

2008-04-14 Thread Ingemar Nilsson

Hi.

Does anyone know of some place to put custom SELinux file context 
specifications? I would prefer not to append lines to

/etc/selinux/targeted/contexts/files/file_contexts

but rather put one or more similar files somewhere. A file_contexts.d 
directory would be nice, but it isn't available. Just creating your own 
file_contexts.local file does not work, I already tried.


I'm running CentOS 5.1

Regards
Ingemar


Re: [CentOS] Securing SSH

2008-03-25 Thread Ingemar Nilsson

Tim Alberts wrote:

> I got keys set up so I know 
> I'm talking to my server.


This is probably not what he meant. You can use a key pair to 
authenticate with the SSH server and turn off password authentication 
entirely. That makes password guessing attacks utterly impossible, 
because the server will only accept a response signed with your private key.


ssh-keygen -t rsa

or

ssh-keygen -t dsa

generates a key pair. Do this on your local machine, and append the 
contents of your $HOME/.ssh/id_rsa.pub (or id_dsa if you chose DSA 
instead of RSA) to your $HOME/.ssh/authorized_keys file on the remote 
system.


This method is somewhat more complicated to set up, since all users must 
have public keys in their $HOME/.ssh/authorized_keys file, or they can't 
log in.


Regards
Ingemar