Re: No more selinux-policy-*-sources
On Mon, 2006-03-13 at 15:30 -0700, Orion Poplawski wrote:

Is there some docs (FAQ/ReleaseNotes?) that describe how to make changes to policy in FC5?

Doing minor tweaks is described at: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

As for wholesale policy changes, I don't know.

Paul.
re: deskbar-applet on x86_64(was: Re: match between gnome 2.14 manifesto and upcoming fc5 features)
it seems ok now also in x86_64 with deskbar-applet-2.14.0-1.fc5

Thanks
Gianluca
Re: rawhide report: 20060314 changes
On Tue, Mar 14, 2006 at 01:18:14AM -0800, Nathanael D. Noblet wrote:

On Tue, 2006-03-14 at 03:09 -0500, Build System wrote:

Broken deps for i386
--
ekiga - 1.99.1-2.i386 requires libpt_linux_x86_r.so.1.9.3
ekiga - 1.99.1-2.i386 requires libopal_linux_x86_r.so.2.1

I can confirm that the yum update failed to get ekiga because of failed deps above. They'll get fixed later I presume?

yes, sorry about that.

Daniel

--
Daniel Veillard | Red Hat http://redhat.com/
veill...@redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
Re: Help Needed: FC5 Blocker List and Rawhide Install Testing
Ralf Ertzinger wrote:

Hi.

On Wed, 8 Mar 2006 17:04:09 +0100, Patrice Dumas wrote:

[du...@nor75-15-82-67-190-22 include]$ rpm -qf /usr/X11R6/include/Mrm/MrmAppl.h
openmotif-devel-2.3.0-0.1.9.2
[du...@nor75-15-82-67-190-22 include]$ rpm -qf /usr/X11R6/include/Mrm/
file /usr/X11R6/include/Mrm is not owned by any package

If yes, does rpm -ql openmotif show any files in /usr/X11R6?

No they appear to be in /usr/include

[du...@nor75-15-82-67-190-22 include]$ rpm -ql openmotif-devel | grep X11R6

echoes nothing, and there is:

[du...@nor75-15-82-67-190-22 include]$ rpm -ql openmotif-devel | grep MrmAppl.h
/usr/include/Mrm/MrmAppl.h

I had the same effect while migrating to modular X. Maybe someone more versed in RPM internals can tell why RPM thinks that openmotif owns files in /usr/X11R6 when rpm -ql shows none of those files.

The files in the -devel package install to /usr/include/X11 which was (and might still be, if rpm -qf is reporting ownership of those files) symlinked to /usr/X11R6/include/X11
Re: No more selinux-policy-*-sources
Paul Howarth wrote:

On Mon, 2006-03-13 at 15:30 -0700, Orion Poplawski wrote:

Is there some docs (FAQ/ReleaseNotes?) that describe how to make changes to policy in FC5?

Doing minor tweaks is described at: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

I've taken a look at AppArmor and it looks like a much more incremental and easier to use solution than selinux. It's not as powerful but all this power doesn't help much if most people will turn off selinux anyway because it gets in the way. Has anyone heard of any efforts trying to port it over to Fedora?

Regards,
Dennis
Re: No more selinux-policy-*-sources
Dennis Jacobfeuerborn wrote:

Paul Howarth wrote:

On Mon, 2006-03-13 at 15:30 -0700, Orion Poplawski wrote:

Is there some docs (FAQ/ReleaseNotes?) that describe how to make changes to policy in FC5?

Doing minor tweaks is described at: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

I've taken a look at AppArmor and it looks like a much more incremental and easier to use solution than selinux. It's not as powerful but all this power doesn't help much if most people will turn off selinux anyway because it gets in the way. Has anyone heard of any efforts trying to port it over to Fedora?

Not an answer to your question but there's an interesting discussion on AppArmor and SELinux in Dan Walsh's blog: http://danwalsh.livejournal.com/424.html

Paul.
Re: No more selinux-policy-*-sources
Not an answer to your question but there's an interesting discussion on AppArmor and SELinux in Dan Walsh's blog: http://danwalsh.livejournal.com/424.html

maybe it's time to accept that SELinux as technology is doomed. Not because the code is bad, but because it's Just Too Complex(tm). Complexity kills, and I think the time it is taking to get to the point where at least less than 99% of the people turns selinux off first thing is waay too long already.

Maybe it's a matter of focus; sometimes I get the impression the focus is to give more coverage rather than to get the existing coverage to the point where people use it... but maybe the latter is just so much work and so time consuming that it takes more time to get it than it takes the codebase to change again.
Re: No more selinux-policy-*-sources
On 3/14/06, Dennis Jacobfeuerborn d.jacobfeuerb...@conversis.de wrote:

I've taken a look at AppArmor and it looks like a much more incremental and easier to use solution than selinux. It's not as powerful but all this power doesn't help much if most people will turn off selinux anyway because it gets in the way. Has anyone heard of any efforts trying to port it over to Fedora?

My understanding is that it still requires kernel patches which are not in the mainline kernel yet. If you want to use it.. you'll have to use a patched kernel. Snowball's chance in hell the Fedora kernels are going to include apparmor specific patches that should be going into mainline kernel for everyone to use.

You want to see it ported and see it available in Fedora Extras... then go chew the novell developers ears off about getting the required kernel patches into the mainline kernel. Please go read up in the lkml archives about Immunix's SubDomain (newly renamed as Novell AppArmor) to gain insight on where in the process things are to get Immunix's..err i mean Novell's kernel patches into the mainline kernel.

-jefNew name==new press release==old newsspaleta
Re: No more selinux-policy-*-sources
Arjan van de Ven wrote:

Not an answer to your question but there's an interesting discussion on AppArmor and SELinux in Dan Walsh's blog: http://danwalsh.livejournal.com/424.html

maybe it's time to accept that SELinux as technology is doomed. Not because the code is bad, but because it's Just Too Complex(tm). Complexity kills, and I think the time it is taking to get to the point where at least less than 99% of the people turns selinux off first thing is waay too long already.

I wouldn't say it's doomed, I would just say that it seems focused on addressing needs most users don't have. It should be pitched as a solution to people who have extreme security needs and the resources to support such complex solutions. AppArmor looks more attractive to me because while it may not be perfect at least it's usable and easily understandable compared to selinux's black wizardry.

Regards,
Dennis
Re: No more selinux-policy-*-sources
I'm not sure I buy that SELinux is doomed. While it may be complex we use it on all of our linux servers and desktops. We've had a few problems but that caused us to read the docs and learn how to write policy to deal with these things.

Just like any new technology there are going to be learning curves, but that doesn't stop many from learning other really complex systems that now seem simple.

I think that as more and more people begin tinkering with selinux we'll begin to see more and more tools that allow most non-technical people to deal with the issues interacting with selinux.

Cheers,
Harry

--
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/

Arjan van de Ven wrote:

snip

maybe it's time to accept that SELinux as technology is doomed. Not because the code is bad, but because it's Just Too Complex(tm). Complexity kills, and I think the time it is taking to get to the point where at least less than 99% of the people turns selinux off first thing is waay too long already.

Maybe it's a matter of focus; sometimes I get the impression the focus is to give more coverage rather than to get the existing coverage to the point where people use it... but maybe the latter is just so much work and so time consuming that it takes more time to get it than it takes the codebase to change again.
Re: No more selinux-policy-*-sources
Jeff Spaleta wrote:

On 3/14/06, Dennis Jacobfeuerborn d.jacobfeuerb...@conversis.de wrote:

I've taken a look at AppArmor and it looks like a much more incremental and easier to use solution than selinux. It's not as powerful but all this power doesn't help much if most people will turn off selinux anyway because it gets in the way. Has anyone heard of any efforts trying to port it over to Fedora?

My understanding is that it still requires kernel patches which are not in the mainline kernel yet. If you want to use it.. you'll have to use a patched kernel. Snowball's chance in hell the Fedora kernels are going to include apparmor specific patches that should be going into mainline kernel for everyone to use.

You want to see it ported and see it available in Fedora Extras... then go chew the novell developers ears off about getting the required kernel patches into the mainline kernel. Please go read up in the lkml archives about Immunix's SubDomain (newly renamed as Novell AppArmor) to gain insight on where in the process things are to get Immunix's..err i mean Novell's kernel patches into the mainline kernel.

Maybe I should have chosen my wording more carefully. When I said port it over to Fedora I meant to ask if someone is providing the necessary packages to run AppArmor on Fedora. It looks like an interesting technology to me but to determine if it's really useful I'd first have to actually test it and such packages would help doing that. I'm very aware that any sort of official inclusion into Fedora is quite unlikely even in the midterm future.

Regards,
Dennis
Re: No more selinux-policy-*-sources
On Tue, 2006-03-14 at 16:55 +0100, Dennis Jacobfeuerborn wrote:

Stephen Smalley wrote:

No, there is quite a bit of ongoing work on improving usability for SELinux, including several new higher level tools that have been recently released. [snip]

Where can I get more information about these tools?

http://tresys.com/selinux/index.shtml
http://selinux-ide.sourceforge.net/index.php

--
Stephen Smalley
National Security Agency
Re: No more selinux-policy-*-sources
On Tue, Mar 14, 2006 at 15:13:15 +0100, Arjan van de Ven ar...@fenrus.demon.nl wrote:

maybe it's time to accept that SELinux as technology is doomed. Not because the code is bad, but because it's Just Too Complex(tm). Complexity kills, and I think the time it is taking to get to the point where at least less than 99% of the people turns selinux off first thing is waay too long already.

I would expect that for FC4 very few people would have a problem with the targeted policy. I had some issues on my web server, because I was doing some nonstandard things. However the benefit of limiting the damage from security bugs in services exposed to the internet makes this a very good trade off.

I agree that the documentation seems lacking. I have read through a fair amount of what is available and am developing an understanding of the model, but I am nowhere near being able to write policies from scratch.

Personally, I find SELinux interesting and I will be playing with MCS and MLS in FC5. I will also try to get some practice writing policies for commercial software that I don't trust not to phone home. (Currently I run such software as a separate user and have my firewall block any nonlocal traffic. But this is a pain.)
Re: mock question
On Tue, 2006-03-14 at 18:48 +0100, Gianluca Sforna wrote:

may I use mock to test compilation of the 64bit variant of a rpm using my regular 32bit centrino laptop?

Nope.

--
Ignacio Vazquez-Abrams ivazq...@ivazquez.net
http://fedora.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
Re: wpa_supplicant support for ifup
On Wed, 2006-03-15 at 02:02 +0100, Dominik 'Rathann' Mierzejewski wrote:

On Wednesday, 15 March 2006 at 00:02, Michael H. Warfield wrote:

On Tue, 2006-03-14 at 12:26 -0500, Bill Nottingham wrote:

Harald Hoyer (har...@redhat.com) said:

What do you think about the attached patch to ifup-wireless? Works for me :)

This should really be done in NM.

Some of us would prefer to avoid being plagued by NM. It (wpa_supplicant) works just fine, independent of NM and I've just got it hooked in the bottom of the ifup scripts as they describe doing on the project site. So far, I haven't found a problem that NM solves for me and a few that it creates for me. NM and wpa_supplicant should each be optional and orthogonal to each other.

+1

Personally, I find NM quite troublesome and the named dependency puts me off immensely. Why the hell do I need to install a domain name server(!) on a laptop? I'm sticking with ifup/ifdown for the time being.

For a few reasons:

1) because if at any point you change a network with your laptop, it takes up to 30 seconds for Mozilla and most other apps to notice. Ubuntu even patches glibc to stat /etc/resolv.conf fairly often, just so this doesn't happen! Which is something upstream glibc refused to do.

2) You can't do split DNS with glibc. When using a VPN, split DNS means directing only requests for stuff on the VPN to the VPN's name servers, while cnn.com goes to your local nameservers, not the VPN's. We don't do that quite yet, but we planned for it, will do it soon, and named allows for that. glibc doesn't, and upstream doesn't want to add that capability.

3) If you don't like named, DON'T USE IT. What you don't seem to realize is that NM doesn't require named. It doesn't launch named. It doesn't use named unless named is running, and named's dbus service is enabled. NM will happily write /etc/resolv.conf, just like you want, if you don't run named. The choice is, actually, up to you.

So running a local nameserver, and pointing everything to 127.0.0.1 works out quite nicely. I'm not quite sure what your problem is here, since you don't even have to use named at all.

Dan
Re: wpa_supplicant support for ifup
On Tue, 2006-03-14 at 21:51 -0500, Bill Nottingham wrote:

Chris Adams (cmad...@hiwaay.net) said:

What do you think about the attached patch to ifup-wireless? Works for me :)

This should really be done in NM.

NM doesn't support system network configuration; only when a user logs in will NM work. That is supposed to change eventually, but people are trying to use WPA today.

True. But the goal is to only have *one* source of network configuration; hence, I'm leery to add features for something that we're going to be deprecating. (It's obviously late for FC5 final.) I'll look at it some more.

Bill

I am still not sure why people feel we need to run a networking daemon and client to configure a single static ip address for a server, or a wireless desktop that only connects to one network. It seems like we are starting to get as piggish of resources as other operating systems.

Not everyone has a laptop they drag around and connect to every network under the sun, and then vpn back somewhere else. Sure that is becoming more common, but there are plenty of machines that just sit there with an ipv4 dhcp given address and run.

Jon
[Bug 178343] h2ph problem with gcc internal defines
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: h2ph problem with gcc internal defines

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178343

[EMAIL PROTECTED] changed:

What                     |Removed |Added
OtherBugsDependingOnThis |        |185406

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug, or are watching someone who is.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
Fedora-perl-devel-list mailing list
Fedora-perl-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-perl-devel-list
[Bug 185406] h2ph problem with gcc internal defines
Summary: h2ph problem with gcc internal defines

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185406

[EMAIL PROTECTED] changed:

What   |Removed |Added
Status |NEW     |MODIFIED

--- Additional Comments From [EMAIL PROTECTED] 2006-03-14 10:08 EST ---

Fixed with perl-5.8.5-26.RHEL4, available for download and testing from: http://people.redhat.com/~jvdias/perl/RHEL-4