Re: Connect to active session with NX in F10

2009-01-26 Thread Matt Nicholson
I haven't done it, but I know the NX/FreeNX server can be put into a
mirroring mode, where it basically connects to a local VNC server to show
display :0

Matthew Nicholson
nichol...@eps.harvard.edu
Harvard University
FAS IT Research Computing
Dept. Of Earth and Planetary Science


On Mon, Jan 26, 2009 at 10:36 AM, Joseph L. Casale <
jcas...@activenetwerx.com> wrote:

> Is there any way to use nx to connect to the active session at the console
> of an
> F10 wkst? If I walk away and leave it locked, I am hoping to connect to
> that session
> remotely?
>
> Thanks!
> jlc
>
> --
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines:
> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>
-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: selinux question(s) (/home really = /n/home..)

2008-11-05 Thread Matt Nicholson
Right, but I'm on a fully updated F9. I got the F10 libxcb package
updated/installed, and all seems to be well. Kinda a bit hack-y to add to my
image/kickstart, but, if it works, it works, and I'll be rebuilding a F10
version as soon as it's out I'm sure.

Thanks for the help!

Matt
On Wed, Nov 5, 2008 at 8:44 AM, Daniel J Walsh <[EMAIL PROTECTED]> wrote:

> Matt Nicholson wrote:
> > output from /var/log/messages as I try to login as guest user: (xguest):
> >
> > Nov  4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
> > Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for
> unused
> > subsystem ns
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting
> > (version 2.22.0), pid 3121 user 'xguest'
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address
> > "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
> configuration
> > source at position 0
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address
> > "xml:readwrite:/home/xguest/.gconf" to a writable configuration source at
> > position 1
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address
> > "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
> > source at position 2
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> > audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> > comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> > scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> > tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> > RLIMIT_CORE: Permission denied
> > Nov  4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from
> 3229[0:0]
> > Nov  4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd000) is
> not
> > aligned on a size(0x3e8) boundary
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting
> (version
> > 2.22.0), pid 3258 user 'gdm'
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> > "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
> configuration
> > source at position 0
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> > "xml:readonly:/etc/gconf/gconf.xml.system" to a read-only configuration
> > source at position 1
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> > "xml:readonly:/var/lib/gdm/.gconf.mandatory" to a read-only configuration
> > source at position 2
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> > "xml:readwrite:/var/lib/gdm/.gconf" to a writable configuration source at
> > position 3
> > Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> > "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
> > source at position 4
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting
> value
> > for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> > existing read-only value: Value for
> > `/apps/gnome-screensaver/power_management_delay' set in a read-only
> source
> > at the front of your configuration path
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting
> value
> > for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> > existing read-only value: Value for
> > `/apps/gnome-screensaver/power_management_delay' set in a read-only
> source
> > at the front of your configuration path
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot
> set
> > UID on session object.
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called
> SUID
> > root and real-time/high-priority scheduling was requested in the
> > configuration. However, we lack the necessary priviliges:
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are
> not
> > in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping
> > SUID again.
> > Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For
> enabling
> > real-time scheduling please acquire the appropriate PolicyKit priviliges,
> or
> > become a member of 'pulse-rt', or increase

Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
So, after finding a similar sounding bug, I upgraded libxcb to the version
from rawhide, and everything is working now... time to go file a bug/comment
on one...

On Tue, Nov 4, 2008 at 2:22 PM, Matt Nicholson <[EMAIL PROTECTED]> wrote:

>
> output from /var/log/messages as I try to login as guest user: (xguest):
>
> Nov  4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
> Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused
> subsystem ns
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting
> (version 2.22.0), pid 3121 user 'xguest'
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
> configuration source at position 0
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address "xml:readwrite:/home/xguest/.gconf" to a writable configuration
> source at position 1
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only
> configuration source at position 2
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> RLIMIT_CORE: Permission denied
> Nov  4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from
> 3229[0:0]
> Nov  4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd000) is not
> aligned on a size(0x3e8) boundary
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting (version
> 2.22.0), pid 3258 user 'gdm'
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
> source at position 0
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.system" to a read-only configuration
> source at position 1
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/var/lib/gdm/.gconf.mandatory" to a read-only configuration
> source at position 2
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readwrite:/var/lib/gdm/.gconf" to a writable configuration source at
> position 3
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
> source at position 4
> Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting
> value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> existing read-only value: Value for
> `/apps/gnome-screensaver/power_management_delay' set in a read-only source
> at the front of your configuration path
> Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting
> value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> existing read-only value: Value for
> `/apps/gnome-screensaver/power_management_delay' set in a read-only source
> at the front of your configuration path
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot
> set UID on session object.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called SUID
> root and real-time/high-priority scheduling was requested in the
> configuration. However, we lack the necessary priviliges:
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are not
> in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping
> SUID again.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For
> enabling real-time scheduling please acquire the appropriate PolicyKit
> priviliges, or become a member of 'pulse-rt', or increase the
> RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
> setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
> setrlimit(RLIMIT_RTPRIO, (9, 9)) failed: Operation not permitted
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: alsa-util.c: Device
> front:0 doesn't support 44100 Hz, changed to 44099 Hz.
>
> Obviously, the things that stick out in there are the :
>
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> 

Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
output from /var/log/messages as I try to login as guest user: (xguest):

Nov  4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused
subsystem ns
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting
(version 2.22.0), pid 3121 user 'xguest'
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
source at position 0
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address
"xml:readwrite:/home/xguest/.gconf" to a writable configuration source at
position 1
Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
source at position 2
Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
RLIMIT_CORE: Permission denied
Nov  4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from 3229[0:0]
Nov  4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd000) is not
aligned on a size(0x3e8) boundary
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting (version
2.22.0), pid 3258 user 'gdm'
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
source at position 0
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.system" to a read-only configuration
source at position 1
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
"xml:readonly:/var/lib/gdm/.gconf.mandatory" to a read-only configuration
source at position 2
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
"xml:readwrite:/var/lib/gdm/.gconf" to a writable configuration source at
position 3
Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
source at position 4
Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value
for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
existing read-only value: Value for
`/apps/gnome-screensaver/power_management_delay' set in a read-only source
at the front of your configuration path
Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting value
for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
existing read-only value: Value for
`/apps/gnome-screensaver/power_management_delay' set in a read-only source
at the front of your configuration path
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot set
UID on session object.
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called SUID
root and real-time/high-priority scheduling was requested in the
configuration. However, we lack the necessary priviliges:
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are not
in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping
SUID again.
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For enabling
real-time scheduling please acquire the appropriate PolicyKit priviliges, or
become a member of 'pulse-rt', or increase the RLIMIT_NICE/RLIMIT_RTPRIO
resource limits for this user.
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
setrlimit(RLIMIT_RTPRIO, (9, 9)) failed: Operation not permitted
Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: alsa-util.c: Device
front:0 doesn't support 44100 Hz, changed to 44099 Hz.

Obviously, the things that stick out in there are the :

Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
RLIMIT_CORE: Permission denied

and:

Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused
subsystem ns

more specifically, the sealert says:

SELinux is preventing dbus-daemon (xguest_dbusd_t) "read write" to socket
(xguest_t).



On Tue, Nov 4, 2008 at 2:03 PM, Matt

Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
Yes, all up to date. A new build from my kickstart is finishing updating
right now (had to add oddjob/turn it on by default). Once it's done I'll send
what info I can.

Before I was getting an selinux alert/error, but I generated and loaded a
local policy, which took care of the selinux alert, but still didn't fix
xguest (it just bounces back out to GDM).

More coming soon. Thanks for all the help!


On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh <[EMAIL PROTECTED]> wrote:

> Matt Nicholson wrote:
> > Right, that did it (after I started the oddjobd service, that is).
> >
> > Now, the original reason I turned selinux back on was to use
> > xguest... sadly, this isn't working still...
> >
> Why not?  Are you fully up2date?
>
> xguest should be working on F9 and F10 right now.
>

Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
Right, that did it (after I started the oddjobd service, that is).

Now, the original reason I turned selinux back on was to use
xguest... sadly, this isn't working still...

On Tue, Nov 4, 2008 at 11:21 AM, Daniel J Walsh <[EMAIL PROTECTED]> wrote:

> Matt Nicholson wrote:
> > So, I have an environment, where we pull user data/auth from ldap/kerberos
> > for a bunch of fedora workstations. I would love to have selinux turned on
> > on these, but, right now it just doesn't work with our setup.
> >
> > See, your users home directories are in a few different places. For the most
> > part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home
> > bind mounted to those locations, and, with selinux off, it's all nice and
> > happy. Another weird thing, is that /home is local on these workstations, so
> > when a user sits at a workstation for the first time, an empty homedir must
> > be created. We hope to move to nfs /home soon, but not yet.
> >
> Can you look at using pam_oddjob_mkhomedir rather then pam_mkhomedir
>
> yum install oddjob\*
>
> Should fix the problem.
>
> > Once I turn it on, however, users cannot log in, and the home directories
> > cannot be created. I get selinux messages like:
> >
> > Summary:
> >
> > SELinux is preventing sshd (sshd_t) "create" to ./nichols2 (home_root_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by sshd. It is not expected that this
> access
> > is
> > required by sshd and this access may signal an intrusion attempt. It is
> also
> > possible that the specific version or configuration of the application is
> > causing it to require additional access.
> >
> > Allowing Access:
> >
> > Sometimes labeling problems can cause SELinux denials. You could try to
> > restore
> > the default system file context for ./nichols2,
> >
> > restorecon -v './nichols2'
> >
> > If this does not work, there is currently no automatic way to allow this
> > access.
> > Instead, you can generate a local policy module to allow this access -
> see
> > FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> > disable
> > SELinux protection altogether. Disabling SELinux protection is not
> > recommended.
> > Please file a bug report (
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:home_root_t:s0
> > Target Objects                ./nichols2 [ dir ]
> > Source                        sshd
> > Source Path                   /usr/sbin/sshd
> > Port
> > Host                          dhcp-0016533596-c5-74
> > Source RPM Packages           openssh-server-5.1p1-2.fc9
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.3.1-103.fc9
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall_file
> > Host Name                     dhcp-0016533596-c5-74
> > Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
> >                               #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
> > Alert Count                   1
> > First Seen                    Tue Nov  4 10:49:41 2008
> > Last Seen                     Tue Nov  4 10:49:41 2008
> > Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
> > denied  { create } for  pid=4956 comm="sshd" name="nichols2"
> > scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> >
> > host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89):
> > arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4
> > a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="sshd"
> > exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> key=(null)
> >
> > Thats fo

selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Matt Nicholson
So, I have an environment, where we pull user data/auth from ldap/kerberos
for a bunch of fedora workstations. I would love to have selinux turned on
on these, but, right now it just doesn't work with our setup.

See, your users home directories are in a few different places. For the most
part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home
bind mounted to those locations, and, with selinux off, it's all nice and
happy. Another weird thing, is that /home is local on these workstations, so
when a user sits at a workstation for the first time, an empty homedir must
be created. We hope to move to nfs /home soon, but not yet.

Once I turn it on, however, users cannot log in, and the home directories
cannot be created. I get selinux messages like:

Summary:

SELinux is preventing sshd (sshd_t) "create" to ./nichols2 (home_root_t).

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access
is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for ./nichols2,

restorecon -v './nichols2'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access - see
FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:home_root_t:s0
Target Objects                ./nichols2 [ dir ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port
Host                          dhcp-0016533596-c5-74
Source RPM Packages           openssh-server-5.1p1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcp-0016533596-c5-74
Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
                              #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue Nov  4 10:49:41 2008
Last Seen                     Tue Nov  4 10:49:41 2008
Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
Line Numbers

Raw Audit Messages

host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
denied  { create } for  pid=4956 comm="sshd" name="nichols2"
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89):
arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4
a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

That's for an ssh login attempt. I get the same for one via GDM. I've tried
adding "context=system_r:object_r:home_root_t" when I bind mount the /home
on /n/home etc, and no luck so far. Do I need to relabel /n ? What/how
should I? Any help would be awesome.

Thanks,

Matt
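
Added example, not part of the original posts: a small Python parser for the AVC denials quoted in this thread. It handles both the `type=AVC msg=audit(...)` form shown by sealert and the `kernel: type=1400 audit(...)` form from /var/log/messages, and prints, in SELinux allow-rule syntax, what a local policy module built from each denial would grant, so the rule can be reviewed before it is loaded. The function names are this example's own; the sample records are copied from the posts on this page, mail-client line wrapping included.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Sample input copied from the posts on this page (wrapped as the mail
# client wrapped it): one sealert raw audit record and one kernel AVC line
# followed by an unrelated syslog line that must be ignored.
SAMPLE = """\
host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
denied  { create } for  pid=4956 comm="sshd" name="nichols2"
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
RLIMIT_CORE: Permission denied
"""

# Matches one denial in whitespace-normalised text. The negative lookahead
# stops a truncated record (no tclass=) from swallowing the next one.
AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>(?:(?!avc:).)*?)"
    r"\btclass=(?P<tclass>\w+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_denials(text):
    """Extract AVC denials from log text, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo line wrapping and double spaces
    denials = []
    for m in AVC_RE.finditer(flat):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # incomplete record, nothing reliable to report
        when = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
        denials.append({
            "when": when.isoformat(),
            "serial": int(m.group("serial")),
            "comm": fields.get("comm", "?"),
            "object": fields.get("name") or fields.get("path", "?"),
            "source_type": se_type(fields["scontext"]),
            "target_type": se_type(fields["tcontext"]),
            "tclass": m.group("tclass"),
            "perms": m.group("perms").split(),
        })
    return denials


def allow_rule(denial):
    """Render the allow rule that would permit exactly this denial."""
    perms = denial["perms"]
    rendered = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        denial["source_type"], denial["target_type"], denial["tclass"], rendered)


def summarize(text):
    """Count how many times each distinct rule would have been needed."""
    return Counter(allow_rule(d) for d in parse_denials(text))


if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print("%s  %s -> %s" % (d["when"], d["comm"], d["object"]))
        print("    " + allow_rule(d))
```

For the sshd record the rule would let the SSH daemon's domain create directories directly under the home root, which is the access that moving home-directory creation to oddjob, as suggested in the reply, avoids granting.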

Re: fedora 9/10 Guest account?

2008-11-04 Thread Matt Nicholson
Hmm, doesn't seem to be working:

This is on a fully updated F9 install, selinux in enforcing mode, xguest
installed. When trying to login at the Guest user:

Summary:

SELinux is preventing dbus-daemon (xguest_dbusd_t) "read write" to socket
(xguest_t).

Detailed Description:

SELinux denied access requested by dbus-daemon. It is not expected that this
access is required by dbus-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                xguest_u:xguest_r:xguest_dbusd_t:s0
Target Context                xguest_u:xguest_r:xguest_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        dbus-daemon
Source Path                   /bin/dbus-daemon
Port
Host                          dhcp-0016533596-c5-74
Source RPM Packages           dbus-1.2.4-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dhcp-0016533596-c5-74
Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
                              #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue Nov  4 10:20:32 2008
Last Seen                     Tue Nov  4 10:20:32 2008
Local ID                      6306343f-6166-4ca6-ada5-770e4c3a3a91
Line Numbers

Raw Audit Messages

host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225812032.80:22): avc:
denied  { read write } for  pid=2820 comm="dbus-daemon"
path="socket:[29372]" dev=sockfs ino=29372
scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket

host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225812032.80:22):
arch=4003 syscall=11 success=yes exit=0 a0=804c8f7 a1=bfcd858c
a2=bfcd99b4 a3=7 items=0 ppid=2819 pid=2820 auid=35027 uid=35027 gid=35027
euid=35027 suid=35027 fsuid=35027 egid=35027 sgid=35027 fsgid=35027
tty=(none) ses=2 comm="dbus-daemon" exe="/bin/dbus-daemon"
subj=xguest_u:xguest_r:xguest_dbusd_t:s0 key=(null)



Any help/ideas?
On Tue, Nov 4, 2008 at 9:37 AM, Matt Nicholson <[EMAIL PROTECTED]> wrote:

>
> Hmm, interesting. I'm rebuilding my image with that package installed, and
> selinux in enforcing mode on a test vm right now, and I'll see how it goes.
>
> Thanks,
>
> Matt
>
> On Mon, Nov 3, 2008 at 3:36 PM, Doncho N. Gunchev <
> [EMAIL PROTECTED]> wrote:
>
>> Matt Nicholson wrote:
>>
>>> I'm looking to get a guest account setup, possibly on a whole host of
>>> workstations I run running F9.
>>> These workstations auth against an ldap/kerberos setup we have, fyi.
>>>
>>> So far, my idea is to create a local "guest" user, and use pam_mount to
>>> create a tmpfs home directory for the guest user on login, so that it will
>>> be removed on logout. I want this user to only be able to login through GDM.
>>>
>>> Does anyone have any experience doing something like this? Is there any
>>> thought of taking the Guest user system Ubuntu recently implemented on?
>>>
>>> Any help/ideas would be great.
>>>
>>> Matt
>>>
>> What about http://james-morris.livejournal.com/25640.html :-)
>>

Re: fedora 9/10 Guest account?

2008-11-04 Thread Matt Nicholson
Hmm, interesting. I'm rebuilding my image with that package installed, and
selinux in enforcing mode on a test vm right now, and I'll see how it goes.

Thanks,

Matt
On Mon, Nov 3, 2008 at 3:36 PM, Doncho N. Gunchev <[EMAIL PROTECTED]
> wrote:

> Matt Nicholson wrote:
>
>> I'm looking to get a guest account setup, possibly on a whole host of
>> workstations I run running F9.
>> These workstations auth against an ldap/kerberos setup we have, fyi.
>>
>> So far, my idea is to create a local "guest" user, and use pam_mount to
>> create a tmpfs home directory for the guest user on login, so that it will
>> be removed on logout. I want this user to only be able to login through GDM.
>>
>> Does anyone have any experience doing something like this? Is there any
>> thought of taking the Guest user system Ubuntu recently implemented on?
>>
>> Any help/ideas would be great.
>>
>> Matt
>>
> What about http://james-morris.livejournal.com/25640.html :-)
>

fedora 9/10 Guest account?

2008-11-03 Thread Matt Nicholson
I'm looking to get a guest account setup, possibly on a whole host of
workstations I run running F9.
These workstations auth against an ldap/kerberos setup we have, fyi.

So far, my idea is to create a local "guest" user, and use pam_mount to
create a tmpfs home directory for the guest user on login, so that it will
be removed on logout. I want this user to only be able to login through GDM.

Does anyone have any experience doing something like this? Is there any
thought of taking the Guest user system Ubuntu recently implemented on?

Any help/ideas would be great.

Matt

Re: Calendar choice: looking for advice

2008-09-12 Thread Matt Nicholson
https://www.nuevasync.com

Point it at your google calendar account (and contacts if you want), and
then point your PDA (or iphone) at it, like an exchange server. Add
something on your PDA, instantly sync'd over the air to google, and the
other way around too.

Use something like Gcal daemon/calgoo/etc to sync desktop programs, and you're
good to go. Basically google ends up being your web-frontend/data store, and
everything syncs with it.

"works for me"

On Fri, Sep 12, 2008 at 11:14 AM, Marcelo M. Garcia <
[EMAIL PROTECTED]> wrote:

> Timothy Murphy wrote:
>
>> I've been looking at two "calendar" programs,
>> for keeping a record of appointments, etc.
>>
>> These are Google Calendar, which seems to me
>> to be well-designed, and the default choice
>> which any rival must improve upon in some way.
>>
>> The rival I have been looking at is the setup described in
>> "Building a Simple Calendar Server with Fedora and WebDAV"
>> at > Building_a_Simple_Calendar_Server_with_Fedora_and_WebDAV>.
>>
>> I also looked briefly at KOrganizer.
>>
>> But I was wondering if anyone has looked into this
>> more carefully, and if so what conclusion they came to?
>>
>> Any suggestions gratefully received.
>>
>>
>>  Hi
>
> Have you considered the add-on to Thunderbird?
>
> M.
>
> https://addons.mozilla.org/en-US/thunderbird/addon/2313
>
>

Re: problems w/ net (http) install

2008-06-20 Thread Matt Nicholson
Okay, so, I just downloaded my custom bootcd and kickstarted a VM in
virtualbox here @ home (everything else is @ work). And yep, no problems
doing the install over http. So, now I'm not sure if it was a symptom of the
VM I was doing my test installs in @ work, if the speed (1GB) of the
connection to the system was overrunning things (I'm on cable @ home, so
it's fast, but not that fast), or what, but, it doesn't seem to be a "Fedora"
problem now so much as a problem with my setup.

I must admit, I'm a Ubuntu/Debian guy, but do a lot of RHEL @ work. I
haven't had much interaction with the Fedora Community, and this was my
first email to this list. It's a really good impression, what with the
helpful suggestions and all, on such an odd issue. I'm sure I'll return.

Thanks,
Matt

On Fri, Jun 20, 2008 at 5:36 PM, Matt Nicholson <[EMAIL PROTECTED]> wrote:

> Craig,
>
> For your 4 points:
>
> NFS isn't strictly off the table, but the system hosting this install tree
> will need to be accessible from a lot of systems across a large number of
> subnets/VLANs. I would rather have port 80 open to these nets/the world
> than NFS, but then again I can just make it an "ro" export. Something to try
> next week.
>
> I'm not mounting the ISOs, but rather have full fledged, rsync'd copies of
> the install tree, local on disk.
>
> No energy saving on the Xserve. It doesn't powerdown/spin down at all,
> ever.
>
> The Xserve is running Leopard Server, 10.5.3. Unfortunately, no errors in
> the logs. Everything looks normal.
>
> And Rick,
>
> Nope the packages aren't big ones, fairly standard, 1MB-ish packages,
> although the packages do change. The keep alive is set at 300 seconds, which
> = 5 minutes. The thing is, this is all happening while anaconda is preparing
> to install (ie, not when it's actually downloading and installing the rpms,
> the step just before that starts). It zips right through until it hits one of
> these files. If it wasn't interrupted, the whole thing could finish in maybe
> 1 minute, if not less, so I don't think timeouts are an issue. I've even
> up'd the number of connections Apache allows, and the number of servers it
> spawns, just in case anaconda was hammering it with too many requests.
>
> Matt
>
>
> On Fri, Jun 20, 2008 at 4:36 PM, Craig White <[EMAIL PROTECTED]>
> wrote:
>
>> On Fri, 2008-06-20 at 15:45 -0400, Matt Nicholson wrote:
>> > Greetings everyone,
>> >
>> > So, I'm trying to set up a local server for some net-installs I hope to
>> > do with a kickstart file. I am, however, running into an issue.
>> >
>> > I have a copy of the fedora 9 install media on the web server that the
>> > install will be pulled from, and everything is in tip top shape. This
>> > server is actually a fairly new Xserve, and I am using it simply
>> > because it is available, has the disk-space and bandwidth, and is a
>> > pretty fast system for multiple systems to kickstart against. I would
>> > rather be doing this off a Fedora/RHEL server, but, this is what I
>> > have for the time being.
>> >
>> > Anyways, I've rsync'd the install media to the server, and it's
>> > accessible, however, during the install, I always get a file or two
>> > (sometimes different, sometimes the same), that anaconda spits back at
>> > me, saying it could not find/read the file, make sure it's not
>> > corrupted, etc etc etc. I can reboot, or retry, and retry always
>> > works, that is, until it hits the next file it doesn't like. I get
>> > about 3-4 of these per install, EVERY TIME. I've checked, the files
>> > are there, they are the right size, I've even done an MD5 of them and
>> > they match their sources. I even re-rsync'd the whole thing a few
>> > times. If this is a one time deal, I wouldn't mind, but I need to be
>> > able to basically start an install (via kickstart) and walk away.
>> >
>> > Now, normally, I would just say forget it, and do it over FTP, but FTP
>> > on this Xserve is very, very slow, and my installs, while succeeding
>> > without error, are about 10 times longer with the same package set.
>> > Also the network layout means NFS is off the table as well.
>> >
>> > Any ideas? I would love any insight.
>> 
>> I'd be curious about why the network layout means that NFS is off the
>> table but HTTP is on the table.
>>
>> Anyway, are you 'loop' mounting the ISO files? Is there something that
>> delays reading the files?
>>
>> Is Energy saving allowing the hard drive to spin down on the XServer?
>> (Mac's sometimes default to sleep modes with hard drive spin down which
>> would be a mistake for a server).
>>
>> What OS is on the X-Serve? Are there errors in the web server logs on
>> the X-Serve?
>>
>> Craig
>>

Re: problems w/ net (http) install

2008-06-20 Thread Matt Nicholson
Craig,

For your 4 points:

NFS isn't strictly off the table, but the system hosting this install tree
will need to be accessible from a lot of systems across a large number of
subnets/VLANs. I would rather have port 80 open to these nets/the world
than NFS, but then again I can just make it an "ro" export. Something to try
next week.

I'm not mounting the ISOs, but rather have full fledged, rsync'd copies of
the install tree, local on disk.

No energy saving on the Xserve. It doesn't powerdown/spin down at all, ever.

The Xserve is running Leopard Server, 10.5.3. Unfortunately, no errors in the
logs. Everything looks normal.

And Rick,

Nope the packages aren't big ones, fairly standard, 1MB-ish packages,
although the packages do change. The keep alive is set at 300 seconds, which
= 5 minutes. The thing is, this is all happening while anaconda is preparing
to install (ie, not when it's actually downloading and installing the rpms,
the step just before that starts). It zips right through until it hits one of
these files. If it wasn't interrupted, the whole thing could finish in maybe
1 minute, if not less, so I don't think timeouts are an issue. I've even
up'd the number of connections Apache allows, and the number of servers it
spawns, just in case anaconda was hammering it with too many requests.

Matt

On Fri, Jun 20, 2008 at 4:36 PM, Craig White <[EMAIL PROTECTED]> wrote:

> On Fri, 2008-06-20 at 15:45 -0400, Matt Nicholson wrote:
> > Greetings everyone,
> >
> > So, I'm trying to set up a local server for some net-installs I hope to
> > do with a kickstart file. I am, however, running into an issue.
> >
> > I have a copy of the fedora 9 install media on the web server that the
> > install will be pulled from, and everything is in tip top shape. This
> > server is actually a fairly new Xserve, and I am using it simply
> > because it is available, has the disk-space and bandwidth, and is a
> > pretty fast system for multiple systems to kickstart against. I would
> > rather be doing this off a Fedora/RHEL server, but, this is what I
> > have for the time being.
> >
> > Anyways, I've rsync'd the install media to the server, and it's
> > accessible, however, during the install, I always get a file or two
> > (sometimes different, sometimes the same), that anaconda spits back at
> > me, saying it could not find/read the file, make sure it's not
> > corrupted, etc etc etc. I can reboot, or retry, and retry always
> > works, that is, until it hits the next file it doesn't like. I get
> > about 3-4 of these per install, EVERY TIME. I've checked, the files
> > are there, they are the right size, I've even done an MD5 of them and
> > they match their sources. I even re-rsync'd the whole thing a few
> > times. If this is a one time deal, I wouldn't mind, but I need to be
> > able to basically start an install (via kickstart) and walk away.
> >
> > Now, normally, I would just say forget it, and do it over FTP, but FTP
> > on this Xserve is very, very slow, and my installs, while succeeding
> > without error, are about 10 times longer with the same package set.
> > Also the network layout means NFS is off the table as well.
> >
> > Any ideas? I would love any insight.
> 
> I'd be curious about why the network layout means that NFS is off the
> table but HTTP is on the table.
>
> Anyway, are you 'loop' mounting the ISO files? Is there something that
> delays reading the files?
>
> Is Energy saving allowing the hard drive to spin down on the XServer?
> (Mac's sometimes default to sleep modes with hard drive spin down which
> would be a mistake for a server).
>
> What OS is on the X-Serve? Are there errors in the web server logs on
> the X-Serve?
>
> Craig
>

problems w/ net (http) install

2008-06-20 Thread Matt Nicholson
Greetings everyone,

So, I'm trying to set up a local server for some net-installs I hope to do
with a kickstart file. I am, however, running into an issue.

I have a copy of the fedora 9 install media on the web server that the
install will be pulled from, and everything is in tip top shape. This server
is actually a fairly new Xserve, and I am using it simply because it is
available, has the disk-space and bandwidth, and is a pretty fast system for
multiple systems to kickstart against. I would rather be doing this off a
Fedora/RHEL server, but, this is what I have for the time being.

Anyways, I've rsync'd the install media to the server, and it's accessible,
however, during the install, I always get a file or two (sometimes
different, sometimes the same), that anaconda spits back at me, saying it
could not find/read the file, make sure it's not corrupted, etc etc etc. I
can reboot, or retry, and retry always works, that is, until it hits the next
file it doesn't like. I get about 3-4 of these per install, EVERY TIME. I've
checked, the files are there, they are the right size, I've even done an MD5
of them and they match their sources. I even re-rsync'd the whole thing a
few times. If this is a one time deal, I wouldn't mind, but I need to be able
to basically start an install (via kickstart) and walk away.

Now, normally, I would just say forget it, and do it over FTP, but FTP on
this Xserve is very, very slow, and my installs, while succeeding without
error, are about 10 times longer with the same package set. Also the network
layout means NFS is off the table as well.

Any ideas? I would love any insight.

Thanks!

Matt