Re: SELinux Exim Problem
On Mon, Sep 7, 2009 at 1:34 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
> On Sat, Sep 5, 2009 at 9:45 PM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>> On F11 when exim attempts to retrieve mail from my ISP, I get the following:
>
> How are you pulling the mail from your ISP?
>
>> Summary:
>>
>> SELinux is preventing exim (exim_t) getattr boot_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by exim. It is not expected that this access is required by exim and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:exim_t:s0
>> Target Context                system_u:object_r:boot_t:s0
>> Target Objects                /boot [ dir ]
>> Source                        exim
>> Source Path                   /usr/sbin/exim
>> Port                          Unknown
>> Host                          flinux
>> Source RPM Packages           exim-4.69-10.fc11
>> Target RPM Packages           filesystem-2.4.21-1.fc11
>> Policy RPM                    selinux-policy-3.6.12-80.fc11
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     flinux
>> Platform                      Linux flinux 2.6.29.6-217.2.16.fc11.i686.PAE #1 SMP Mon Aug 24 17:16:21 EDT 2009 i686 athlon
>> Alert Count                   327
>> First Seen                    Sun 12 Jul 2009 05:09:10 PM PDT
>> Last Seen                     Sat 05 Sep 2009 09:05:41 AM PDT
>> Local ID                      c330c7e2-7fd7-45ae-8ebb-8de1def6e145
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=flinux type=AVC msg=audit(1252166741.77:28): avc: denied { getattr } for pid=2279 comm=exim path=/boot dev=sda1 ino=2 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
>>
>> node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=4003 syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0 items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>>
>> Other information:
>>
>> RPMs:
>> exim-4.69-10.fc11.i586
>> selinux-policy-3.6.12-80.fc11.noarch
>> selinux-policy-targeted-3.6.12-80.fc11.noarch
>>
>> The mail does get through but I get an SELinux error for each message. I've looked for '/boot' in exim config files but came up empty. I installed F11 but kept my home directory which is on a different disk. Since I have not heard anyone else complaining about this, I figure that it's my configuration. I just don't know where else to look.
>>
>> Frank

fetchmail

Frank

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
SELinux Exim Problem
On F11 when exim attempts to retrieve mail from my ISP, I get the following:

Summary:

SELinux is preventing exim (exim_t) getattr boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is required by exim and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:exim_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          Unknown
Host                          flinux
Source RPM Packages           exim-4.69-10.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-80.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     flinux
Platform                      Linux flinux 2.6.29.6-217.2.16.fc11.i686.PAE #1 SMP Mon Aug 24 17:16:21 EDT 2009 i686 athlon
Alert Count                   327
First Seen                    Sun 12 Jul 2009 05:09:10 PM PDT
Last Seen                     Sat 05 Sep 2009 09:05:41 AM PDT
Local ID                      c330c7e2-7fd7-45ae-8ebb-8de1def6e145
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1252166741.77:28): avc: denied { getattr } for pid=2279 comm=exim path=/boot dev=sda1 ino=2 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=4003 syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0 items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)

Other information:

RPMs:
exim-4.69-10.fc11.i586
selinux-policy-3.6.12-80.fc11.noarch
selinux-policy-targeted-3.6.12-80.fc11.noarch

The mail does get through but I get an SELinux error for each message. I've looked for '/boot' in exim config files but came up empty. I installed F11 but kept my home directory which is on a different disk. Since I have not heard anyone else complaining about this, I figure that it's my configuration. I just don't know where else to look.

Frank
IPTable setting for Infrastructure
I recently installed F11 over F10. Everything appears to be working just fine. However, I just remembered that Mike McGrath had sent out an email about settings for IPTables that he wanted everyone to use. Unfortunately, I did not bookmark the page. I did try the Infrastructure SOPs (https://fedoraproject.org/w/index.php?title=Special:PrefixIndexfrom=Infrastructure%2FSOPnamespace=0) but did not see it there. Unless, of course, I can only see out of one eye.

Does anyone have the link?

Thanks,
Frank

___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: IPTable setting for Infrastructure
On Thu, Aug 13, 2009 at 12:20 PM, Ricky Zhou <ri...@fedoraproject.org> wrote:
> On 2009-08-13 11:59:35 AM, Frank Chiulli wrote:
>> I recently installed F11 over F10. Everything appears to be working just fine. However, I just remembered that Mike McGrath had sent out an email about settings for IPTables that he wanted everyone to use. Unfortunately, I did not bookmark the page. I did try the Infrastructure SOPs (https://fedoraproject.org/w/index.php?title=Special:PrefixIndexfrom=Infrastructure%2FSOPnamespace=0) but did not see it there. Unless, of course, I can only see out of one eye.
>>
>> Does anyone have the link?
>
> It's at http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/, but it's down now due to a scheduled outage. I think it's linked from the Orientation SOP, but maybe we should link it from elsewhere as well.
>
> Thanks,
> Ricky

Ricky,

Thanks. Everything is up-to-date again and bookmarked!

Frank
Re: exim: SELinux
On Mon, Jul 27, 2009 at 6:34 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
> On 07/26/2009 05:45 PM, Frank Chiulli wrote:
>> Sorry for the delay in responding. I've been on the road and unable to access my Fedora box.
>>
>> So after a little grief with SELinux and permissions I have a log file of exim. I'd post it here but it's 724 lines long. I looked for boot in the file but came up empty. Is there some snippet of the file that I could post?
>>
>> Frank
>
> Just compress the log file.

I've attached the compressed log file.

Frank

exim_debug.log.bz2
Description: BZip2 compressed data
Re: exim: SELinux
Sorry for the delay in responding. I've been on the road and unable to access my Fedora box.

So after a little grief with SELinux and permissions I have a log file of exim. I'd post it here but it's 724 lines long. I looked for boot in the file but came up empty. Is there some snippet of the file that I could post?

Frank

On Thu, Jul 16, 2009 at 1:37 AM, Gordon Messmer <yiny...@eburg.com> wrote:
> On 07/14/2009 07:33 PM, Frank Chiulli wrote:
>> Here's what I did:
>> - as root, I ran '/etc/init.d/exim stop'
>> - as root, I ran 'exim -bd -d+all >/tmp/ex.file 2>&1'
>> - as a normal user, I ran 'fetchmail'
>>
>> In the past, this would result in an AVC error; but not this time. BTW, there was one new message in my mail file as a result of this.
>
> Sadly, starting exim in that way will not give it the same SELinux context as it would get when run by the init process. If you stop the service and "service exim start", it should get its old context, and the AVC messages should return. That'll get you back to where you can debug the problem.
Re: exim: SELinux
John,

I tried as you suggested below. The result...no errors!!!

Ok so now I'm confused. exim is normally started at boot time by /etc/init.d/exim. There is no reference to boot in that script. That script is part of the exim package.

Here's what I did:
- as root, I ran '/etc/init.d/exim stop'
- as root, I ran 'exim -bd -d+all >/tmp/ex.file 2>&1'
- as a normal user, I ran 'fetchmail'

In the past, this would result in an AVC error; but not this time. BTW, there was one new message in my mail file as a result of this.

Frank

On Tue, Jul 14, 2009 at 12:33 AM, John Horne <john.ho...@plymouth.ac.uk> wrote:
> On Mon, 2009-07-13 at 13:05 -0700, Frank Chiulli wrote:
>> Nigel,
>>
>> No reference to boot in the exim.conf. That was one of the first things that I checked.
>
> Could there be a redirection (e.g. via /etc/aliases) or a .forward file referring to /boot somewhere on your system? It would require having an account within /boot which in itself would be a bit odd.
>
> Alternatively, try running exim with debugging cranked up in a terminal session, e.g:
>
>     exim -bd -d+all >/tmp/ex.file 2>&1
>
> Then try accessing mail from your isp using a separate session. Once done (or it has failed), control-c the above session and look in the 'ex.file' to see where /boot is being used.
>
> John.
>
> --
> John Horne, University of Plymouth, UK   Tel: +44 (0)1752 587287
> E-mail: john.ho...@plymouth.ac.uk        Fax: +44 (0)1752 587001
Re: exim: SELinux
Didar,

Mail is arriving. I just get one SELinux message for every mail message. I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>> Thomas,
>>
>> Thanks for the suggestion. Unfortunately it did not work. I'm still getting the same error.
>>
>> Frank
>
> Is Exim not executing its job as it is supposed to - as in delivery of mail is hampered by this error?
>
> I am no SELinux or Exim expert, but, AFAIK the /boot directory is not supposed to be related to the regular functioning of Exim.
>
> Didar
Fwd: exim: SELinux
Probably should have posted to this list first.

Frank

-- Forwarded message --
From: Frank Chiulli <frankc.fed...@gmail.com>
Date: Mon, Jul 13, 2009 at 5:17 AM
Subject: Re: exim: SELinux
To: Didar Hossain <didar.hoss...@gmail.com>
Cc: Fedora Infrastructure <fedora-infrastructure-l...@redhat.com>

Didar,

Mail is arriving. I just get one SELinux message for every mail message. I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>> Thomas,
>>
>> Thanks for the suggestion. Unfortunately it did not work. I'm still getting the same error.
>>
>> Frank
>
> Is Exim not executing its job as it is supposed to - as in delivery of mail is hampered by this error?
>
> I am no SELinux or Exim expert, but, AFAIK the /boot directory is not supposed to be related to the regular functioning of Exim.
>
> Didar
Re: exim: SELinux
I realized that just before I received your email and did post to fedora-list. My mistake and thanks for the heads up.

Frank

On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett <m...@davidjmemmett.co.uk> wrote:
> Don't mean to be completely rude but doesn't this belong on a support forum?
>
> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>> Didar,
>>
>> Mail is arriving. I just get one SELinux message for every mail message. I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.
>>
>> Frank
>>
>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
>>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>>>> Thomas,
>>>>
>>>> Thanks for the suggestion. Unfortunately it did not work. I'm still getting the same error.
>>>>
>>>> Frank
>>>
>>> Is Exim not executing its job as it is supposed to - as in delivery of mail is hampered by this error?
>>>
>>> I am no SELinux or Exim expert, but, AFAIK the /boot directory is not supposed to be related to the regular functioning of Exim.
>>>
>>> Didar
Re: exim: SELinux
Nigel,

No reference to boot in the exim.conf. That was one of the first things that I checked.

Frank

On Mon, Jul 13, 2009 at 6:06 AM, Nigel Metheringham <nigel.methering...@dev.intechnology.co.uk> wrote:
> On 13 Jul 2009, at 13:17, Frank Chiulli wrote:
>> Mail is arriving. I just get one SELinux message for every mail message. I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.
>
> Without having seen the config I can only make wild guesses... However the wild guess I would make is that exim is doing a check for available space in the spool and log directories, and this is triggering the SELinux check on the statvfs() call. It is a wild guess though :-)
>
> Can you make sure that there are no references to boot in the config files
>
> Nigel.
> --
> [ Nigel Metheringham nigel.methering...@intechnology.com ]
> [ - Comments in this message are my own and not ITO opinion/policy - ]
Re: exim: SELinux
Here is the original post:

This is a recently installed/patched F11 system. It was a fresh install to one disk leaving my home directory untouched on another disk. Today, I installed exim and removed sendmail via yum at the command line. I am using the same exim.conf file that I had used with F10 after having compared it to the original one.

I am now receiving the following message when I attempt to retrieve mail from my ISP:

Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim (exim_t) getattr boot_t. For complete SELinux messages. run sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad

sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad

Summary:

SELinux is preventing exim (exim_t) getattr boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is required by exim and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:exim_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          Unknown
Host                          flinux
Source RPM Packages           exim-4.69-10.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     flinux
Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count                   289
First Seen                    Sun Jul 12 14:22:12 2009
Last Seen                     Sun Jul 12 14:23:53 2009
Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1247433833.210:331): avc: denied { getattr } for pid=2508 comm=exim path=/boot dev=sda1 ino=2 scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003 syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4 a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm=exim exe=/usr/sbin/exim subj=unconfined_u:system_r:exim_t:s0 key=(null)

Frank

On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
> On 07/13/2009 08:24 AM, Frank Chiulli wrote:
>> I realized that just before I received your email and did post to fedora-list. My mistake and thanks for the heads up.
>>
>> Frank
>>
>> On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett <m...@davidjmemmett.co.uk> wrote:
>>> Don't mean to be completely rude but doesn't this belong on a support forum?
>>>
>>> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>>>> Didar,
>>>>
>>>> Mail is arriving. I just get one SELinux message for every mail message. I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.
>>>>
>>>> Frank
>>>>
>>>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
>>>>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>>>>>> Thomas,
>>>>>>
>>>>>> Thanks for the suggestion. Unfortunately it did not work. I'm still getting the same error.
>>>>>>
>>>>>> Frank
>>>>>
>>>>> Is Exim not executing its job as it is supposed to - as in delivery of mail is hampered by this error?
>>>>>
>>>>> I am no SELinux or Exim expert, but, AFAIK the /boot directory is not supposed to be related to the regular functioning of Exim.
>>>>>
>>>>> Didar
>
> I am missing the first email in this chain. What AVC are you seeing from exim when mail arrives?
exim: SELinux
This is a recently installed/patched F11 system. It was a fresh install to one disk leaving my home directory untouched on another disk. Today, I installed exim and removed sendmail via yum at the command line. I am using the same exim.conf file that I had used with F10 after having compared it to the original one.

I am now receiving the following message when I attempt to retrieve mail from my ISP:

Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim (exim_t) getattr boot_t. For complete SELinux messages. run sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad

sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad

Summary:

SELinux is preventing exim (exim_t) getattr boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is required by exim and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:exim_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          Unknown
Host                          flinux
Source RPM Packages           exim-4.69-10.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     flinux
Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count                   289
First Seen                    Sun Jul 12 14:22:12 2009
Last Seen                     Sun Jul 12 14:23:53 2009
Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1247433833.210:331): avc: denied { getattr } for pid=2508 comm=exim path=/boot dev=sda1 ino=2 scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003 syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4 a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm=exim exe=/usr/sbin/exim subj=unconfined_u:system_r:exim_t:s0 key=(null)

Any thoughts/suggestions?

Thanks,
Frank
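The AVC and SYSCALL records above are all the information a defender has before deciding whether a denial deserves a local policy module, so it is worth reading them properly. This added example (not from the thread) joins the two records by their audit event id and decodes the contexts, the object class, the system call number and the errno; the two lines are constructed copies of the records in this post, written with the quotes and the arch=40000003 (AUDIT_ARCH_I386) value the audit daemon emits, which the list archive rendered as arch=4003.

```python
"""Decode the AVC/SYSCALL pair from the exim denial (added example)."""
import re
from collections import defaultdict

# Constructed copies of the two raw audit records quoted in this thread.
AUDIT_LINES = [
    'node=flinux type=AVC msg=audit(1247433833.210:331): avc: denied '
    '{ getattr } for pid=2508 comm="exim" path="/boot" dev=sda1 ino=2 '
    'scontext=unconfined_u:system_r:exim_t:s0 '
    'tcontext=system_u:object_r:boot_t:s0 tclass=dir',
    'node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=40000003 '
    'syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4 '
    'a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 '
    'suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 '
    'comm="exim" exe="/usr/sbin/exim" '
    'subj=unconfined_u:system_r:exim_t:s0 key=(null)',
]

# Lookup tables for the values that matter here: audit architecture ids,
# i386 system call numbers (kernel syscall table) and errno.h values.
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}
I386_SYSCALLS = {195: "stat64", 196: "lstat64", 197: "fstat64",
                 268: "statfs64", 269: "fstatfs64"}
ERRNO_NAMES = {1: "EPERM", 2: "ENOENT", 13: "EACCES"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"\{([^}]*)\}")


def parse_record(line):
    """Split one audit line into its key=value fields.

    msg=audit(timestamp:serial) is the event id that ties the AVC record
    to the SYSCALL record of the same system call.
    """
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError("no audit event id in: " + line)
    rec = {"event": m.group(1) + ":" + m.group(2)}
    for key, val in FIELD_RE.findall(line):
        rec[key] = val.strip('"')
    m = PERMS_RE.search(line)
    if m is not None:                  # only AVC records carry { perms }
        rec["perms"] = m.group(1).split()
    return rec


def context_type(context):
    """'unconfined_u:system_r:exim_t:s0' -> 'exim_t' (user:role:type:level)."""
    return context.split(":")[2]


def decode_denials(lines):
    """Group records by event id and describe each AVC denial."""
    by_event = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        by_event[rec["event"]][rec["type"]] = rec

    denials = []
    for event, recs in sorted(by_event.items()):
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        arch = int(sc.get("arch", "0"), 16)
        nr = int(sc.get("syscall", "-1"))
        errno = -int(sc.get("exit", "0"))  # exit=-13 means the call failed with errno 13
        if arch == 0x40000003:
            syscall = I386_SYSCALLS.get(nr, "syscall %d" % nr)
        else:
            syscall = "syscall %d" % nr
        denials.append({
            "event": event,
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "path": avc.get("path"),
            "arch": ARCH_NAMES.get(arch, "0x%x" % arch),
            "syscall": syscall,
            "error": ERRNO_NAMES.get(errno, "errno %d" % errno),
            "uid": sc.get("uid"),
            "exe": sc.get("exe"),
        })
    return denials


def describe(d):
    """One-line summary of a decoded denial."""
    return ("%s: %s denied %s on %s %s (%s); %s by %s as uid %s returned %s"
            % (d["event"], d["source_type"], ",".join(d["perms"]), d["tclass"],
               d["path"], d["target_type"], d["syscall"], d["exe"], d["uid"],
               d["error"]))


if __name__ == "__main__":
    for denial in decode_denials(AUDIT_LINES):
        print(describe(denial))
```

The SYSCALL record decodes to stat64 on /boot failing with EACCES, a plain stat() by the exim user rather than a statfs; that still fits Nigel's statvfs() guess elsewhere in the thread, because glibc's statvfs() of that era read /proc/mounts and stat()ed each mount point to fill in the mount flags.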
Re: Infrastructure Tickets
On Fri, Feb 20, 2009 at 11:46 AM, Mike McGrath <mmcgr...@redhat.com> wrote:
> Just a reminder for you to all check your infrastructure tickets. If you are working on them, great. If not, unset them so we know and can assign them to someone else:
>
> https://fedorahosted.org/fedora-infrastructure/report/7
>
> -Mike

Mike,

I have one ticket: #116 Fedora Poll. It is waiting on WordPress-MU. I checked Ticket #178 but nothing has been posted since early December. Just so you know, I'm still interested in working this when they get wp-mu up and running. So I'm going to leave my name on it. I've also added myself to the CC list for Ticket #178.

BTW, I've also been working with Toshio on packagedb.

Later,
Frank
Re: CSI (Security Policy) Help
On Sun, Feb 1, 2009 at 11:08 AM, Stephen John Smoogen <smo...@gmail.com> wrote:
> On Sat, Jan 31, 2009 at 10:09 PM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>> I'm not running samba. If I put the following rule before the LOG rule, will the packets be dropped and the messages stopped?
>>
>> -A INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.0/24 -m multiport --ports 137,138 -j DROP
>
> I normally go with 135:139 as they are noisy ports. On a public network I have a list of ports I drop because they are noisy
>
> -A INPUT -p tcp -m tcp --dport 67:68 -j DROP
> -A INPUT -p tcp -m tcp --dport 135:139 -j DROP
> -A INPUT -p tcp -m tcp --dport 445 -j DROP
> -A INPUT -p udp -m udp --dport 67:68 -j DROP
> -A INPUT -p udp -m udp --dport 135:139 -j DROP
> -A INPUT -p udp -m udp --sport 177 --dport 177 -j DROP
> -A INPUT -p udp -m udp --dport 445 -j DROP
> -A INPUT -p udp -m udp --dport 1024:1030 -j DROP
>
> The 1024:1030 UDP drop the enormous amount of UDP pop-up spam.
>
> --
> Stephen J Smoogen. -- BSD/GNU/Linux
> How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice

Stephen,

Thanks for the suggestions. I'm hoping that my router throws most of those away because so far all I've seen in messages is local traffic.

I discovered something interesting while looking at messages. I saw the following message repeated several times:

Feb 1 09:03:46 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:47:b7:86:61:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=40094 PROTO=UDP SPT=68 DPT=67 LEN=308

I was curious what it was because of 'SRC=0.0.0.0'. It turned out to be my Wii. I discovered this based on my router which keeps track of MAC addresses and IP addresses. I had forgotten that it was on my net.

Frank
CSI (Security Policy) Help
So I've implemented the CSI (Security Policy) as previously posted by Mike (http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singel/)

Now I'm seeing the following messages in /var/log/messages:

Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:01:41:10:5b:08:00 SRC=192.168.2.248 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:3b:02:0e:b7:08:00 SRC=192.168.2.250 DST=192.168.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209

192.168.2.248 is a NAS device
192.168.2.250 is a Hawking print server

I'm not an iptables expert. Usually I just leave it alone. Can someone help me write one or more rules to eliminate the messages?

Frank
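The FW-REJECT lines in this thread carry more than the SRC address: the MAC= field is the raw Ethernet header, so the sending device can be read straight from the log even when SRC=0.0.0.0, as with the Wii's DHCP discover in Frank's follow-up. This added example (not from the thread) parses constructed copies of the three logged lines, tallies them by sender and destination port, and models the DROP rule Frank later proposes (-p udp -s/-d 192.168.0.0/24 -m multiport --ports 137,138) to check which of the logged packets it would stop before they reach the LOG rule; it also tries the same rule on 192.168.2.0/24, the range the logged devices actually sit in.

```python
"""Read netfilter FW-REJECT log lines and test a DROP rule against them."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed copies of the three kernel log lines quoted in this thread.
LOG_LINES = [
    "Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:16:01:41:10:5b:08:00 SRC=192.168.2.248 "
    "DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=137 DPT=137 LEN=58",
    "Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:0e:3b:02:0e:b7:08:00 SRC=192.168.2.250 "
    "DST=192.168.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=138 DPT=138 LEN=209",
    "Feb 1 09:03:46 localhost kernel: FW-REJECT IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:21:47:b7:86:61:08:00 SRC=0.0.0.0 "
    "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=40094 "
    "PROTO=UDP SPT=68 DPT=67 LEN=308",
]

# Names for the ports seen in the thread (as listed in /etc/services).
PORT_NAMES = {67: "bootps", 68: "bootpc", 137: "netbios-ns", 138: "netbios-dgm"}

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_fw_line(line):
    """Return the LOG target's fields for one line, or None if not FW-REJECT.

    MAC= is the raw Ethernet header: destination MAC, source MAC, then the
    EtherType (0800 = IPv4). The source MAC names the sender even when the
    IP layer says SRC=0.0.0.0, as a DHCP client does before it has a lease.
    """
    head, sep, body = line.partition(" kernel: ")
    if not sep or not body.startswith("FW-REJECT "):
        return None
    fields = {"TIMESTAMP": head.rsplit(" ", 1)[0]}
    for key, val in FIELD_RE.findall(body):
        fields.setdefault(key, val)      # first LEN= is the IP total length
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:])
    return fields


def sender_summary(lines):
    """Count rejected packets per (source MAC, source IP, proto, dport name)."""
    counts = Counter()
    for line in lines:
        f = parse_fw_line(line)
        if f is None:
            continue
        dpt = int(f["DPT"])
        counts[(f["SRC_MAC"], f["SRC"], f["PROTO"],
                PORT_NAMES.get(dpt, str(dpt)))] += 1
    return counts


def rule_matches(f, src_net, dst_net, ports, proto="UDP"):
    """Model '-p udp -s SRC_NET -d DST_NET -m multiport --ports P,... -j DROP'.

    multiport's --ports matches when either the source or the destination
    port is listed; -s and -d are plain CIDR membership checks.
    """
    if f["PROTO"] != proto:
        return False
    if ip_address(f["SRC"]) not in ip_network(src_net):
        return False
    if ip_address(f["DST"]) not in ip_network(dst_net):
        return False
    return int(f["SPT"]) in ports or int(f["DPT"]) in ports


def count_dropped(lines, src_net, dst_net, ports):
    """Logged packets a DROP rule placed before the LOG rule would swallow."""
    dropped = 0
    for line in lines:
        f = parse_fw_line(line)
        if f is not None and rule_matches(f, src_net, dst_net, ports):
            dropped += 1
    return dropped


if __name__ == "__main__":
    for key, n in sender_summary(LOG_LINES).items():
        print("%-18s %-15s %s/%s x%d" % (key + (n,)))
    for net in ("192.168.0.0/24", "192.168.2.0/24"):
        print(net, "would drop", count_dropped(LOG_LINES, net, net, {137, 138}))
```

As written with 192.168.0.0/24 the proposed rule matches none of the logged packets, since the NAS and print server broadcast from 192.168.2.x; with 192.168.2.0/24 it drops both NetBIOS lines and leaves the DHCP broadcast to reach the LOG rule.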
Re: CSI (Security Policy) Help
On Sat, Jan 31, 2009 at 7:59 PM, seth vidal <skvi...@fedoraproject.org> wrote:
> On Sat, 2009-01-31 at 21:30 -0600, Mike McGrath wrote:
>> On Sat, 31 Jan 2009, Frank Chiulli wrote:
>>> So I've implemented the CSI (Security Policy) as previously posted by Mike (http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singel/)
>>>
>>> Now I'm seeing the following messages in /var/log/messages:
>>>
>>> Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:01:41:10:5b:08:00 SRC=192.168.2.248 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
>>> Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:3b:02:0e:b7:08:00 SRC=192.168.2.250 DST=192.168.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209
>>>
>>> 192.168.2.248 is a NAS device
>>> 192.168.2.250 is a Hawking print server
>>>
>>> I'm not an iptables expert. Usually I just leave it alone. Can someone help me write one or more rules to eliminate the messages?
>>
>> I suspect that before you were blocking these messages but didn't notice. You'll see the DPT=137 and DPT=138. Those are both ports that the various IP's are trying to hit on your machine. If you check out those ports in /etc/services
>>
>> In this case those devices seem to be using netbios. If you want to get rid of them you can just remove the:
>>
>> -A INPUT -j LOG --log-prefix FW-REJECT
>>
>> Or setup netbios, or block the ports explicitly or allow it and let them drop naturally.
>
> Those are windows/samba/cifs ports. If you've got samba running and/or a windows (or nowadays even a mac) running on the same network you'll probably find your culprit.
>
> -sv

I'm not running samba. If I put the following rule before the LOG rule, will the packets be dropped and the messages stopped?

-A INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.0/24 -m multiport --ports 137,138 -j DROP

Frank
Re: CSI (Security Policy)
On Thu, Jan 29, 2009 at 9:51 AM, Mike McGrath <mmcgr...@redhat.com> wrote:
> Hey all. I've placed our security policy CSI docs in a standard location now. Just a reminder: If you have shell access on any of our servers you need to be compliant with all of these rules by the end of March. Which should be plenty of time to get any oddities worked out.
>
> http://infrastructure.fedoraproject.org/csi/security-policy/en-US/
>
> -Mike

Mike,

This is probably nothing but there is a duplicate rule in your /etc/sysctl.conf. The line:

net.ipv4.conf.all.accept_redirects = 0

appears twice.

Frank
Re: RFC - sysadmin guidelines
On Thu, Jan 15, 2009 at 9:25 PM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
> On Thu, Jan 15, 2009 at 9:35 AM, Mike McGrath <mmcgr...@redhat.com> wrote:
>> On Sun, 11 Jan 2009, Mike McGrath wrote:
>>> This isn't really required but it's my intention to implement these policies (or what we come to after some discussion). This is targeted _ONLY_ at this team and those with shell access to our servers. It's not my intention to roll it out to the larger community, though it's certainly a good idea for people to read through it.
>>>
>>> http://mmcgrath.fedorapeople.org/policy/
>
> Mike,
>
> Take a look at Section 1.2. Host Network Security. There is a duplicate setting. The 4th setting is:
>
> net.ipv4.conf.all.accept_redirects = 0
>
> This setting is duplicated in the 14th setting. I'm guessing that the 4th setting should be removed.
>
> Frank

Mike,

First let me say that the examples are a great addition to the page.

I was looking at the iptables sample configuration and had some questions. I compared your suggested configuration to my current configuration (Fedora 10). With the exception of the lines with '--tcp-flags' in your sample configuration, they're pretty close. I don't have those yet.

The first three lines that start with '-A' in your sample are the same as mine except the order is different. Does the order make a difference?

Here are the lines from my file:

-A INPUT -m state --state ESTABLISHED,RELATED -j accept
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

Here are yours:

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT

Thanks,
Frank
Re: RFC - sysadmin guidelines
On Thu, Jan 15, 2009 at 9:35 AM, Mike McGrath mmcgr...@redhat.com wrote:
On Sun, 11 Jan 2009, Mike McGrath wrote:

This isn't really required but it's my intention to implement these policies (or what we come to after some discussion). This is targeted _ONLY_ at this team and those with shell access to our servers. It's not my intention to roll it out to the larger community, though it's certainly a good idea for people to read through it. http://mmcgrath.fedorapeople.org/policy/

Mike, Take a look at Section 1.2. Host Network Security. There is a duplicate setting. The 4th setting is net.ipv4.conf.all.accept_redirects = 0. This setting is duplicated in the 14th setting. I'm guessing that the 4th setting should be removed. Frank
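The duplicated accept_redirects line that Frank reports in both of his messages (against the policy page and against /etc/sysctl.conf), as an added example that is not part of the thread or of the policy page. sysctl -p applies a file in order, so a repeated key is merely redundant when both values agree but a silent override when they differ, and an override near the end of a hardening file is easy to miss when reading it. The script below parses a sysctl.conf-style text and reports both cases. The sample file, its keys, values and line numbers are constructed for illustration and are not the policy page's list.

```python
"""Audit a sysctl.conf-style file for duplicate keys.

Added example, not from the thread or the CSI policy page. sysctl -p
applies settings in file order, so a repeated key is harmless when the
values agree and a silent override when they differ.
"""
import re
from collections import OrderedDict

# Constructed sample resembling a hardening list; not the policy page's own.
SAMPLE_SYSCTL_CONF = """\
# Host network hardening (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
"""

_LINE_RE = re.compile(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$")

def parse_sysctl_conf(text):
    """Return (lineno, key, value) triples in file order, skipping blank and
    comment lines. sysctl(8) also accepts '/' inside keys; normalise to dots."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        entries.append((lineno, m.group(1).replace("/", "."), m.group(2)))
    return entries

def find_duplicates(text):
    """Map each key that occurs more than once to its [(lineno, value), ...]."""
    seen = OrderedDict()
    for lineno, key, value in parse_sysctl_conf(text):
        seen.setdefault(key, []).append((lineno, value))
    return {k: v for k, v in seen.items() if len(v) > 1}

def effective_settings(text):
    """Settings as sysctl -p would leave them: the last occurrence wins."""
    eff = OrderedDict()
    for _, key, value in parse_sysctl_conf(text):
        eff[key] = value
    return eff

def report(text):
    """One finding per duplicated key: redundant repeat or conflicting override."""
    findings = []
    for key, occ in find_duplicates(text).items():
        where = ", ".join(f"line {n}" for n, _ in occ)
        if len({v for _, v in occ}) == 1:
            findings.append(f"REDUNDANT {key} = {occ[0][1]} ({where}); keep one copy")
        else:
            findings.append(f"CONFLICT  {key} ({where}); effective value is "
                            f"'{occ[-1][1]}' from line {occ[-1][0]}")
    return findings

if __name__ == "__main__":
    for finding in report(SAMPLE_SYSCTL_CONF):
        print(finding)
```

To audit a real host, read /etc/sysctl.conf (and the files under /etc/sysctl.d on newer systems, in the order sysctl --system applies them) into report(); a CONFLICT finding is the one that deserves attention, since the earlier value never takes effect.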
Re: The Scope and Ownership of fedora-list
On Mon, Aug 25, 2008 at 8:51 PM, Chris Tyler [EMAIL PROTECTED] wrote:

This list, fedora-list@redhat.com, is one of the first lists that most Fedora users join, and therefore quite important to the community. However, it's a high-volume list (and is sometimes perceived to have a high noise level), so many veterans of the Fedora community aren't subscribed. As the result of discussion at the last public (IRC) board meeting, it's been proposed that we narrow the scope of this list a bit. The current description of this list simply reads: fedora-users: For users of Fedora

Do you really mean 'fedora-list' and not 'fedora-users' or are you proposing a new list 'fedora-users'? Just want to be sure.

The proposed replacement is: fedora-users: Help and support for using the Fedora distribution.

Same comment.

Feedback on this proposed change is welcome. In addition, this list has been without an owner. Paul Frields and I have assumed ownership of the list, and we'd welcome one or two experienced members of the community to join us. -- Chris Tyler

-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Password Migration
Should the password migration associated with FAS2 be complete by now? I still have to use my old password on publictest1. Frank
Re: Bug 429469
On Sat, Mar 8, 2008 at 10:36 AM, Mike McGrath [EMAIL PROTECTED] wrote:

In our efforts to track down https://bugzilla.redhat.com/429459 I've disabled all iscsi on xen2. Some of those guests have been moved elsewhere, and some of them have been converted to local storage. Please do not enable iscsi on xen2 without coordinating it and making sure we're not in the middle of something on that ticket. -Mike

Is that the right ticket? 429459's title is "Sound should be turned off on locked screens". Frank
Printing Problems on F8
My system is running Fedora 8 and is up-to-date. I have an HP Deskjet 932C printer attached to a Hawking HPS12U print server on the network. I've configured the printer using system-config-printer. I set the printer mode to be draft. I can print a short simple text file. But it prints double-spaced and is not in draft mode. At this point, that's all I've tried to print.

Package info:
$ rpm -qa | grep ^cup
cups-1.3.4-4.fc8
cups-libs-1.3.4-4.fc8
$ rpm -qa | grep ^hp
hplip-2.7.7-6.fc8
hpijs-2.7.7-6.fc8

Does anyone have a clue how to fix either problem? Thanks, Frank
Ticket #116 - Fedora Poll
I've accepted this ticket. The first thing I did was look for any Fedora packages (repoquery); but came up empty. Next, I tried Source Forge. A query for 'poll' yielded 70 results. None of these are written in Python. AFAIK Python is not a requirement. I've downloaded and am testing the first item - Presto Poll. This is written in PHP. I was wondering if anyone has any suggestions?

On another note: Since I can't use IRC directly from work, I have been using http://www.ircatwork.com. However for some reason that didn't work today. I get a message that the account has been suspended. I tried googling for another web site that did something similar but didn't come up with one. Anyone know of one? Thanks, Frank
Re: FC6 guests
On Jan 8, 2008 8:26 AM, Matt Domsch [EMAIL PROTECTED] wrote:
On Tue, Jan 08, 2008 at 11:23:25AM -0500, Luke Macken wrote:

So, we still have a handful of FC6 guests lying around in PHX. After a quick look, it seems that we're using them for the following services. publictest1 - pkgdb-dev - ns-slapd - mysqld - postgres - wevisor

I use pt1 for some mirrormanager hacking, but that can be done on any system now, and I have nothing valuable on there, so it can go away at any time from my POV. Thanks, Matt -- Matt Domsch Linux Technology Strategist, Dell Office of the CTO linux.dell.com www.dell.com/linux

I used pt1 to write some scripts for Mike McGrath to post-process Apache logs. I'll make sure that I have a copy on my machine. He'll probably want to move them elsewhere also if he hasn't already. Frank
A Volunteer
Hi, My name is Frank and I would like to volunteer to help. I've already traded a few emails with Mike McGrath. He suggested that I send a short introduction to the list. So here it is.

I am 58 years old. I have been writing software for about 37 years professionally - longer if you count college. But of course when I was in college, we had to suffer with punched cards and paper tape. I have been doing System Administration on and off the whole time usually in combination with some application development work. I am currently working on SGI (IRIX) hardware. But have also worked on Sun (Solaris and Sun/OS), VAXes and Control Data (CDC). I have written lots of Perl scripts and shell scripts. I have used several different shells over the years. Most of my recent scripts have been written in Korn shell. I have not used Python to date. I am reading Learning Python online. This is thanks to my employer who has granted me access to Safari. I have some knowledge of databases but am not an expert by any means. I can write some basic SQL.

I don't have anything specific in mind for an area in which to help. So I'm open. If you have any questions, please ask away. If you want my help, please speak up. Frank