Re: F23 Server firewall-cmd problem? (SOLVED)

2015-10-30 Thread Cristian Sava
On Fri, 2015-10-30 at 11:31 +0200, Cristian Sava wrote:
> On Fri, 2015-10-30 at 11:06 +0200, Cristian Sava wrote:
> > Hi,
> > 
> > I installed a f23 server (fedora server only) and I configured 2
> > bridged interfaces.
> > Now I allow forward traffic between br0 and br1:
> > 
> > [root@s ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
> > success
> > [root@s ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
> > success
> > [root@s ~]#
> > 
> > That is working well, as expected, but adding "--permanent" kills all
> > forwarding. Is it a bug?
> > 
> > [root@s ~]# firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
> > success
> > [root@s ~]# firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
> > success
> > 
> > C. Sava
> > 
> My bad, sorry, it is (not working):
> [root@s ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
> success
> [root@s ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
> success
> 
> C.Sava
> 
Sorry, it was a selinux problem here, now solved.
Now it's working after restarting firewalld.


-- 
test mailing list
test@lists.fedoraproject.org
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
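
The thread above depends on firewalld keeping two rule sets: `--direct --add-rule` alone changes only the runtime configuration, while `--permanent` writes only the stored configuration, which is loaded on the next reload or restart of firewalld. The following check is an added example, not part of the original posts; it compares the direct rules in a `direct.xml` file with the output of `firewall-cmd --direct --get-all-rules`, and both inputs are constructed samples built from the rules quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: /etc/firewalld/direct.xml as it would look after the two
# "--permanent --direct --add-rule" commands quoted in the thread.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i br0 -o br1 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i br1 -o br0 -j ACCEPT</rule>
</direct>
"""

# Constructed sample: output of "firewall-cmd --direct --get-all-rules" on a
# host where only one direction is present in the runtime configuration.
RUNTIME_OUTPUT = """\
ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
"""


def permanent_rules(xml_text):
    """Return the direct rules stored in direct.xml as a set of tuples."""
    rules = set()
    root = ET.fromstring(xml_text.encode("utf-8"))
    for elem in root.findall("rule"):
        rules.add((
            elem.get("ipv"),
            elem.get("table"),
            elem.get("chain"),
            int(elem.get("priority", "0")),
            # Simplification: arguments are split on whitespace, so quoted
            # arguments containing spaces are not preserved as one token.
            tuple((elem.text or "").split()),
        ))
    return rules


def runtime_rules(output):
    """Parse 'ipv table chain priority args...' lines into the same tuples."""
    rules = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[3].lstrip("-").isdigit():
            continue  # blank line or output in an unexpected shape
        rules.add((parts[0], parts[1], parts[2], int(parts[3]), tuple(parts[4:])))
    return rules


def drift(permanent, runtime):
    """Rules present in only one of the two configurations."""
    return {
        "permanent_only": sorted(permanent - runtime),  # not active until reload
        "runtime_only": sorted(runtime - permanent),    # lost on reload/restart
    }


def format_rule(rule):
    """Render a rule tuple in the argument order firewall-cmd uses."""
    ipv, table, chain, priority, args = rule
    return " ".join([ipv, table, chain, str(priority), *args])


if __name__ == "__main__":
    result = drift(permanent_rules(DIRECT_XML), runtime_rules(RUNTIME_OUTPUT))
    for rule in result["permanent_only"]:
        print("stored but not active:", format_rule(rule))
    for rule in result["runtime_only"]:
        print("active but not stored:", format_rule(rule))
```

On a live host the two inputs would be read from `/etc/firewalld/direct.xml` and from the `firewall-cmd --direct --get-all-rules` output; `firewall-cmd --reload` replaces the runtime rules with the stored ones.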

Re: F23 Server firewall-cmd problem?

2015-10-30 Thread Cristian Sava
On Fri, 2015-10-30 at 11:06 +0200, Cristian Sava wrote:
> Hi,
> 
> I installed a f23 server (fedora server only) and I configured 2
> bridged interfaces.
> Now I allow forward traffic between br0 and br1:
> 
> [root@s ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
> success
> [root@s ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
> success
> [root@s ~]#
> 
> That is working well, as expected, but adding "--permanent" kills all
> forwarding. Is it a bug?
> 
> [root@s ~]# firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
> success
> [root@s ~]# firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
> success
> 
> C. Sava
> 
My bad, sorry, it is (not working):
[root@s ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
success
[root@s ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
success

C.Sava


F23 Server firewall-cmd problem?

2015-10-30 Thread Cristian Sava
Hi,

I installed a f23 server (fedora server only) and I configured 2
bridged interfaces.
Now I allow forward traffic between br0 and br1:

[root@s ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
success
[root@s ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
success
[root@s ~]#

That is working well, as expected, but adding "--permanent" kills all
forwarding. Is it a bug?

[root@s ~]# firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 0 -i br0 -o br1 -j ACCEPT
success
[root@s ~]# firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 0 -i br1 -o br0 -j ACCEPT
success

C. Sava


Re: F23 Beta 1 Workstation x86_64, first shutdown, error

2015-09-16 Thread Cristian Sava
> > Tried Fedora server (cli, no graphics) and it does not shutdown nor I
> > can get root rights even I am root!
> 
> 
> Does it work if as root you do "setenforce 0; reboot"
Yes, it works! Thank you for the tip.
After reboot is ok.
But ...
Fedora 23 beta rc1 seems ok and after updates appeared that problem.
Today, updating F22 ... same problem.
The difference f23-f22:
f22 needs sudo (the right way!) but f23 (cli, as root with no root
rights) it does not require sudo for "setenforce 0; reboot"!

C.Sava


Re: F23 Beta 1 Workstation x86_64, first shutdown, error

2015-09-16 Thread Cristian Sava
On Wed, 2015-09-16 at 04:20 -0400, Joerg Lechner wrote:
> Hi,
> - installed F23 Beta 1 Workstation x86_64 on external disk from usb
> flash medium
> - dnf update
> - installation of about 20 user programs
> - Gnome SW utility update was requested by the system
> - Gnome SW utility update started
> - system tries to shutdown - error, see screenshot
> - after power off and start again the system performed the update as
> normally the system does.
> 
> This procedure was directly after installation, the error occurred
> during the trial of a first shutdown after installation.
> I took the screenshot, because this might point to an error or not, I
> don't know.
> Kind Regards
> -- 
> test mailing list
> test@lists.fedoraproject.org
> To unsubscribe:
> https://admin.fedoraproject.org/mailman/listinfo/test
Tried Fedora server (cli, no graphics) and it does not shutdown nor I
can get root rights even I am root!


Re: [Fwd: [Action Required] Fedora 21 Server Beta Validation]

2014-10-29 Thread Cristian Sava
On Tue, 2014-10-28 at 08:28 -0400, Stephen Gallagher wrote:
> Whoops, I forgot to CC the QA list on this. If you wish to volunteer for
> any part of this, PLEASE make sure that ser...@lists.fedoraproject.org
> is listed in the TO: or CC: lines, or we will probably miss it.
I'm using Fedora for servers and I'm testing F21.
Using F21-beta-tc4 x64 (fully updated) to build a mailserver was
successful.
I used postfix (both stock and rebuilt with VDA quota patch).
Rebuilding postfix, maildrop and courier-imap was successfully completed
using and tested with F21.
SSL/TLS encryption seems to work well.
Not using yet selinux and firewall.
Still to test other server pieces.

Congrats, very good work,
C. Sava



Re: F19 - networking problem & questions

2013-07-05 Thread Cristian Sava
On Thu, 2013-07-04 at 17:26 +0300, Cristian Sava wrote:
> On Wed, 2013-07-03 at 11:37 -0700, Adam Williamson wrote:
> > On 2013-07-03 1:47, Cristian Sava wrote:
> > > I have a server with two NICs (on-board and attached).
> > > HW: ASRock H67M-GE + I3-2120 + 8GB + 1TB (hdd, sata)
> > 
> > > 1) Why "route" shows iface=p4p1, p5p1 instead enp4s0, enp5s0 ?
> > 
> > This will likely be something to do with:
> > 
> > https://fedoraproject.org/wiki/Common_F19_bugs#biosdevname-vs-systemd
> > 
> > I'd say p4p1 is the biosdevname name for the interface, enp4s0 is the 
> > systemd name. I don't understand why some tools would show one and some 
> > tools the other, though. It sounds like we haven't quite figured out 
> > *all* the interactions between biosdevname and the systemd stuff here. 
> > Did you do your install with biosdevname=0 ? Was biosdevname in your 
> > package set at install time?
> 
> Thank you all.
> 
> I did some more tests and I attached the results to the bug report.
> You are right Adam, biosdevname=0 solved the problem.
> But analyzing my tests I wonder why commenting out IPV6 part is
> impacting the default route, why the kernel-3.9.8 is sometimes (not
> always!) responsible for that.
> Hope my tests will help to debug that.
> 
Installing F19 Gnome Desktop in VirtualBox-4.2.14 under Win7_x64:

  route gives p2p1 and we have ifcfg-enp0s3 !!!

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.9.9-301.fc19.x86_64 #1 SMP Thu Jul 4 15:10:36 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# rpm -q NetworkManager
NetworkManager-0.9.8.2-5.fc19.x86_64
[root@localhost ~]# route
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
default         193.x.y.193     0.0.0.0          UG    0      0   0   p2p1
193.x.y.192     *               255.255.255.224  U     1      0   0   p2p1
[root@localhost ~]# ls /etc/sysconfig/network-scripts
ifcfg-enp0s3  ifdown-eth   ifdown-post    ifdown-tunnel  ifup-eth   ifup-isdn   ifup-ppp     ifup-wireless
ifcfg-lo      ifdown-ippp  ifdown-ppp     ifup           ifup-ippp  ifup-plip   ifup-routes  init.ipv6-global
ifdown        ifdown-ipv6  ifdown-routes  ifup-aliases   ifup-ipv6  ifup-plusb  ifup-sit     network-functions
ifdown-bnep   ifdown-isdn  ifdown-sit     ifup-bnep      ifup-ipx   ifup-post   ifup-tunnel  network-functions-ipv6

C. Sava



Re: F19 - networking problem & questions

2013-07-04 Thread Cristian Sava
On Wed, 2013-07-03 at 11:37 -0700, Adam Williamson wrote:
> On 2013-07-03 1:47, Cristian Sava wrote:
> > I have a server with two NICs (on-board and attached).
> > HW: ASRock H67M-GE + I3-2120 + 8GB + 1TB (hdd, sata)
> 
> > 1) Why "route" shows iface=p4p1, p5p1 instead enp4s0, enp5s0 ?
> 
> This will likely be something to do with:
> 
> https://fedoraproject.org/wiki/Common_F19_bugs#biosdevname-vs-systemd
> 
> I'd say p4p1 is the biosdevname name for the interface, enp4s0 is the 
> systemd name. I don't understand why some tools would show one and some 
> tools the other, though. It sounds like we haven't quite figured out 
> *all* the interactions between biosdevname and the systemd stuff here. 
> Did you do your install with biosdevname=0 ? Was biosdevname in your 
> package set at install time?

Thank you all.

I did some more tests and I attached the results to the bug report.
You are right Adam, biosdevname=0 solved the problem.
But analyzing my tests I wonder why commenting out IPV6 part is
impacting the default route, why the kernel-3.9.8 is sometimes (not
always!) responsible for that.
Hope my tests will help to debug that.

C. Sava




Re: F19 - networking problem & questions

2013-07-04 Thread Cristian Sava
On Wed, 2013-07-03 at 11:37 -0700, Adam Williamson wrote:
> On 2013-07-03 1:47, Cristian Sava wrote:
> > I have a server with two NICs (on-board and attached).
> > HW: ASRock H67M-GE + I3-2120 + 8GB + 1TB (hdd, sata)
> 
> > 1) Why "route" shows iface=p4p1, p5p1 instead enp4s0, enp5s0 ?
> 
> This will likely be something to do with:
> 
> https://fedoraproject.org/wiki/Common_F19_bugs#biosdevname-vs-systemd
> 
> I'd say p4p1 is the biosdevname name for the interface, enp4s0 is the 
> systemd name. I don't understand why some tools would show one and some 
> tools the other, though. It sounds like we haven't quite figured out 
> *all* the interactions between biosdevname and the systemd stuff here. 
> Did you do your install with biosdevname=0 ? Was biosdevname in your 
> package set at install time?

I did a basic install from DVD with "basic server infrastructure", no
other options.
Trying the same install on AMD x64 (3500+, skt 939) worked as expected.
Today I'll do more tests and I'll tell you the results.

C. Sava



Re: F19 - networking problem & questions

2013-07-03 Thread Cristian Sava
On Wed, 2013-07-03 at 11:47 +0300, Cristian Sava wrote:
> After updating aujour:
> 
> The external network is not reachable anymore but the internal network
> is ok if NM is enabled and working.
> This setup does not work with network service anymore.
> Any advice how to fix (not downgrade-ing?)?
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=980785

Mainly, this bug is due to kernel-3.9.8-300.fc19.x86_64 and downgrading
to kernel-3.9.5-301.fc19.x86_64 solve the networking accessibility. The
other points are still valid.

C. Sava



F19 - networking problem & questions

2013-07-03 Thread Cristian Sava
I have a server with two NICs (on-board and attached).
HW: ASRock H67M-GE + I3-2120 + 8GB + 1TB (hdd, sata)

[root@physics network-scripts]# cat ifcfg-enp4s0
IPV6_PEERDNS="yes"
IPV6INIT="yes"
UUID="b43c0128-ec02-4793-98c9-f396fb9438d2"
IPADDR1="192.168.1.1"
IPADDR0="172.16.0.1"
PREFIX1="24"
PREFIX0="16"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="yes"
HWADDR="64:70:02:14:43:EF"
BOOTPROTO="none"
IPV6_DEFROUTE="yes"
IPV6_AUTOCONF="yes"
IPV6_FAILURE_FATAL="no"
IPV6_PEERROUTES="yes"
TYPE="Ethernet"
ONBOOT="yes"
NAME="enp4s0"
[root@physics network-scripts]# cat ifcfg-enp5s0
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp5s0
UUID=fc903246-75fa-4680-86f8-b5132fc891c5
ONBOOT=yes
IPADDR0=193.x.y.130
PREFIX0=26
GATEWAY0=193.x.y.129
DNS1=193.x.y.254
DOMAIN=central.ucv.ro
IPADDR1=193.x.y.162
PREFIX1=26
IPADDR2=193.x.y.163
PREFIX2=26
HWADDR=00:25:22:F9:71:3D
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

[root@physics ~]# route
Kernel IP routing table
Destination  Gateway Genmask  Flags Metric Ref Use Iface
default  g129.central.uc 0.0.0.0 UG  0  0   0 p5p1
link-local * 255.255.0.0 U   1002   0   0 p4p1
link-local * 255.255.0.0 U   1003   0   0 p5p1
172.16.0.0 * 255.255.0.0 U   1  0   0 p4p1
192.168.1.0* 255.255.255.0   U   0  0   0 p4p1
193.x.y.128* 255.255.255.192 U   1  0   0 p5p1

[root@s194 sysconfig]# cat iptables
# Custom file edited on 02-Jul-2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on 2013-07-02 11:48
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING --dst 193.x.y.162 -p tcp -j DNAT --to 192.168.1.73
-A OUTPUT --dst 193.x.y.162 -p tcp -j DNAT --to 192.168.1.73
-A PREROUTING --dst 193.x.y.163 -p tcp -j DNAT --to 192.168.1.200
-A OUTPUT --dst 193.x.y.163 -p tcp -j DNAT --to 192.168.1.200
-A POSTROUTING -s 192.168.1.0/24 -p tcp --dst 192.168.1.73 --dport 22 -j SNAT --to 192.168.1.1
-A POSTROUTING -s 192.168.1.0/24 -o p5p1 -j SNAT --to-source 193.x.y.130
-A POSTROUTING -s 172.16.0.0/16 -o p5p1 -j SNAT --to-source 193.x.y.130
COMMIT

With F19 install (no updates) it is the same with NM or with network
service.

The problems:
1) Why "route" shows iface=p4p1, p5p1 instead enp4s0, enp5s0 ?
2) Why "ifconfig" does show only the IPADDR0 without aliases?
3) All is working as expected when 192.168.1.73 is on-line. If ...73 not
on-line, the address 193.x.y.162 is assigned to the server, it
responds to "ping 193.x.y.162" but it should be unreachable (or
something equivalent) because 192.168.1.73 is off.
Similar for 193.x.y.163 .

After updating aujour:

The external network is not reachable anymore but the internal network
is ok if NM is enabled and working.
This setup does not work with network service anymore.
Any advice how to fix (not downgrade-ing?)?

https://bugzilla.redhat.com/show_bug.cgi?id=980785

C. Sava





Wrong rpm name kde-plasma-networkmanagement-openconnect-0.9.0.8-3.fc19.x86_64.r ?

2013-06-25 Thread Cristian Sava
What is

kde-plasma-networkmanagement-openconnect-0.9.0.8-3.fc19.x86_64.r

in Fedora-19-x86_64-DVD.iso (.../Packages)?
My download does not seem wrong?

C. Sava



Re: Fail2ban denied again by selinux

2013-06-19 Thread Cristian Sava
On Tue, 2013-06-18 at 23:01 -0700, Adam Williamson wrote:
> On Wed, 2013-06-19 at 08:51 +0300, Cristian Sava wrote:
> > After recent updates fail2ban was broken again.
> 
> For this kind of thing, the appropriate thing to do is file a bug
> report. It doesn't make much sense to post it to the mailing list: you
> cause noise for the 99% of people who don't use fail2ban, but your
> report is not easily findable by anyone who does use fail2ban after a
> few days - a bug report against fail2ban is going to be much easier to
> find later.

Done
https://bugzilla.redhat.com/show_bug.cgi?id=975695
You're right. sorry for the noise.

C. Sava



Fail2ban denied again by selinux

2013-06-18 Thread Cristian Sava
After recent updates fail2ban was broken again.

*  Plugin catchall (100. confidence) suggests
***

If you believe that python2.7 should be allowed write access on the
fail2ban directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_client_t:s0
Target Context                system_u:object_r:fail2ban_var_run_t:s0
Target Objects                fail2ban [ dir ]
Source                        fail2ban-client
Source Path                   /usr/bin/python2.7
Port
Host                          s198.xx.yy.ro
Source RPM Packages           python-2.7.5-1.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-52.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     s198.xx.yy.ro
Platform                      Linux s198.xx.yy.ro 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   35
First Seen                    2013-06-17 14:04:13 EEST
Last Seen                     2013-06-19 08:28:22 EEST
Local ID                      9d6fd1b8-250e-4425-b3e3-7590dc3bc1f1

Raw Audit Messages
type=AVC msg=audit(1371619702.236:67): avc:  denied  { write } for
pid=871 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=11022
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1371619702.236:67): arch=x86_64 syscall=access
success=no exit=EACCES a0=1ab48c0 a1=3 a2=32adbbbf88 a3=0 items=0 ppid=1
pid=871 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=4294967295 tty=(none) comm=fail2ban-client
exe=/usr/bin/python2.7 subj=system_u:system_r:fail2ban_client_t:s0
key=(null)

Hash: fail2ban-client,fail2ban_client_t,fail2ban_var_run_t,dir,write

** Fixing  **

[cristi@s198 ~]$ systemctl status fail2ban.service
fail2ban.service - Fail2ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
   Active: failed (Result: start-limit) since Wed 2013-06-19 08:28:22
EEST; 1min 45s ago
  Process: 871 ExecStart=/usr/bin/fail2ban-client -x start (code=exited,
status=255)

Jun 19 08:28:21 s198.xx.yy.ro systemd[1]: fail2ban.service holdoff
tim
Jun 19 08:28:21 s198.xx.yy.ro systemd[1]: Stopping Fail2ban Service...
Jun 19 08:28:21 s198.xx.yy.ro systemd[1]: Starting Fail2ban Service...
Jun 19 08:28:22 s198.xx.yy.ro systemd[1]: fail2ban.service: control
pr...5
Jun 19 08:28:22 s198.xx.yy.ro systemd[1]: Failed to start Fail2ban
Ser
Jun 19 08:28:22 s198.xx.yy.ro systemd[1]: Unit fail2ban.service
entere
Jun 19 08:28:22 s198.xx.yy.ro systemd[1]: fail2ban.service holdoff
tim
Jun 19 08:28:22 s198.xx.yy.ro systemd[1]: Stopping Fail2ban Service...
Jun 19 08:28:22 s198.xx.yy.ro systemd[1]: Starting Fail2ban Service...
Jun 19 08:28:22 s198.xx.yy.ro systemd[1]: fail2ban.service: control
pr...5
[cristi@s198 ~]$ sudo grep fail2ban-client /var/log/audit/audit.log |
audit2allow -M myfail2ban_client
[sudo] password for cristi: 
 IMPORTANT ***
To make this policy package active, execute:

semodule -i myfail2ban_client.pp

[cristi@s198 ~]$ sudo semodule -i myfail2ban_client.pp
[cristi@s198 ~]$ sudo systemctl restart fail2ban.service
[cristi@s198 ~]$ systemctl status fail2ban.service
fail2ban.service - Fail2ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
   Active: active (running) since Wed 2013-06-19 08:33:09 EEST; 7s ago
  Process: 2083 ExecStart=/usr/bin/fail2ban-client -x start
(code=exited, status=0/SUCCESS)
 Main PID: 2086 (fail2ban-server)
   CGroup: name=systemd:/system/fail2ban.service
   └─2086 /usr/bin/python /usr/bin/fail2ban-server -b
-s /var/run/fai...

Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.server : ...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.jail   : ...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.jail   : ...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.jail   : ...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.filter : ...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.filter : ...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.filter : ...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban.actions[2086]: INFO   Set
banTim...
Jun 19 08:33:09 s198.xx.yy.ro fail2ban-server[2086]:
fail2ban.jail   : ...
Jun 19 08:33:09 s198.xx.yy.ro systemd[1]: Started Fail2ban Service.

Cristian Sava




SELinux is preventing accounts-daemon from read access on the directory /var/log

2013-06-14 Thread Cristian Sava
On any F19 x64 Gnome we get:

SELinux is preventing accounts-daemon from read access on the
directory /var/log.

*  Plugin catchall (100. confidence) suggests
***

If you believe that accounts-daemon should be allowed read access on the
log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port
Host                          s198.central.ucv.ro
Source RPM Packages           accountsservice-0.6.34-1.fc19.x86_64
Target RPM Packages           filesystem-3.2-10.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     s198.central.ucv.ro
Platform                      Linux s198.central.ucv.ro 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   9303
First Seen                    2013-06-14 07:41:29 EEST
Last Seen                     2013-06-14 18:10:33 EEST
Local ID                      0f10e959-1983-410a-80b4-9eb06538e467

Raw Audit Messages
type=AVC msg=audit(1371222633.229:4335): avc:  denied  { read } for
pid=432 comm="accounts-daemon" name="log" dev="dm-1" ino=1179686
scontext=system_u:system_r:accountsd_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1371222633.229:4335): arch=x86_64
syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7f00d27c5d10
a2=1002fce a3=0 items=0 ppid=1 pid=432 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none)
comm=accounts-daemon exe=/usr/libexec/accounts-daemon
subj=system_u:system_r:accountsd_t:s0 key=(null)

Hash: accounts-daemon,accountsd_t,var_log_t,dir,read

Cristian Sava
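
Both SELinux reports on this page (the fail2ban one and the accounts-daemon one above) suggest piping audit.log through `audit2allow -M` and loading the result with `semodule -i`. The following is an added example, not part of the original posts and not audit2allow's own code: it parses the raw AVC records shown in those reports, reproduces the `Hash:` line of each report, and lists the allow rules a local module built from them would contain, so the grant can be reviewed before it is loaded. The record layout is assumed from the records quoted on the page.

```python
import re
from collections import defaultdict

# AVC records from the two reports on this page, rejoined onto single lines
# as they appear in /var/log/audit/audit.log. The second fail2ban record
# (new serial and pid) and the shortened SYSCALL record are constructed.
AUDIT_LINES = [
    'type=AVC msg=audit(1371619702.236:67): avc:  denied  { write } for '
    'pid=871 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=11022 '
    'scontext=system_u:system_r:fail2ban_client_t:s0 '
    'tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1371619703.100:68): avc:  denied  { write } for '
    'pid=872 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=11022 '
    'scontext=system_u:system_r:fail2ban_client_t:s0 '
    'tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1371619702.236:67): arch=x86_64 syscall=access '
    'success=no exit=EACCES',
    'type=AVC msg=audit(1371222633.229:4335): avc:  denied  { read } for '
    'pid=432 comm="accounts-daemon" name="log" dev="dm-1" ino=1179686 '
    'scontext=system_u:system_r:accountsd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    try:
        # A context is user:role:type:level; the type is what policy rules name.
        return {
            "comm": fields["comm"],
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "perms": match.group(1).split(),
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def hash_key(denial):
    """Same field order as the 'Hash:' line in the reports on this page."""
    return ",".join([denial["comm"], denial["source_type"],
                     denial["target_type"], denial["tclass"], *denial["perms"]])


def summarize(lines):
    """Group denials by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for denial in filter(None, map(parse_avc, lines)):
        key = (denial["source_type"], denial["target_type"], denial["tclass"])
        summary[key]["perms"].update(denial["perms"])
        summary[key]["comms"].add(denial["comm"])
        summary[key]["count"] += 1
    return dict(summary)


def allow_rules(summary):
    """Type-enforcement rules that would permit every denial in the summary."""
    rules = []
    for (source, target, tclass), info in sorted(summary.items()):
        perms = sorted(info["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    grouped = summarize(AUDIT_LINES)
    for key, info in sorted(grouped.items()):
        print(info["count"], "denial(s) from", ", ".join(sorted(info["comms"])))
    for rule in allow_rules(grouped):
        print(rule)
```

The rule list is the part to read before running `semodule -i`: each line is a permanent grant to every process running in that source type, not only to the command that triggered the denial.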



Re: F19-TC3-x64 does not install on VirtualBox

2013-06-13 Thread Cristian Sava
On Thu, 2013-06-13 at 14:48 +0300, Cristian Sava wrote:
> Trying to install F19-tc3-x64 on VirtualBox-4.2.12 on Win7_x64 with
> success. Sssd trouble on anaconda.
> I succeeded to install TC2 on VBox on F18-x64.
Typo error, I want to say "no success"

C. Sava



F19-TC3-x64 does not install on VirtualBox

2013-06-13 Thread Cristian Sava
Trying to install F19-tc3-x64 on VirtualBox-4.2.12 on Win7_x64 with
success. Sssd trouble on anaconda.
I succeeded to install TC2 on VBox on F18-x64.

Cristian Sava



Re: F19-mailserver & selinux complains

2013-06-12 Thread Cristian Sava
On Thu, 2013-06-06 at 12:58 -0400, Daniel J Walsh wrote:
> > 
> Please send me the te files that you created, or the original avc messages.
> 
> 
After the last selinux related updates all is working as expected.
No need of custom modules.
Thanks Daniel and to all of you.
Congrats for the new Fedora!

Cristian Sava



Re: F19 - network instead NM is working now, but I have a question

2013-06-11 Thread Cristian Sava
On Tue, 2013-06-11 at 06:22 -0400, fla...@dailybrood.com wrote:

> If you're using vlan would this work? "ip link add link eth0 name 
> eth0.10 type vlan id 10 (Creates a new vlan device eth0.10 on device 
> eth0)." 
> http://rpm.pbone.net/index.php3/stat/45/idpl/20307932/numer/8/nazwa/ip-link

It should do.
Anyway you will have to make ifcfg-... by hand and do things
accordingly.
ip link ... is for use in rc.local.

Cristian Sava



Re: F19 - network instead NM is working now - alias interfaces are working!!!

2013-06-11 Thread Cristian Sava
I can also confirm that something like DEVICE=p2p1:0 in ifcfg-enp0s3:0 is now
working with both NetworkManager or network!!!
Congrats! Great work done!

Cristian Sava



Re: F19 - network instead NM is working now, but I have a question

2013-06-11 Thread Cristian Sava
On Tue, 2013-06-11 at 10:59 +0300, Cristian Sava wrote:
> I am testing F19-TC2 LXDE in a VirtualBox.
> Now "network" instead NM is working as expected.
> 
> We do not have the "device" mentioned in 
> /etc/sysconfig/network-scripts/ifcfg-enp0s3
> 
> How is advised to add an alias interface?
> Do we have to get the interface name from "route" or whatever and add it
> in ifcfg-enp0s3:0 as DEVICE=p2p1:0 ?
> Do we still need to use /etc/rc.d/rc.local for that?
> I did not find any obvious hint on the net, so an advice is welcome.
I can confirm that something like DEVICE=p2p1:0 in ifcfg-enp0s3:0 is now
working!!!
Congrats! Good work done!

[root@localhost network-scripts]# cat ifcfg-enp0s3
PEERROUTES="yes"
IPV6INIT="yes"
UUID="e4e1bc69-70c3-49d2-a991-68a8e7533485"
IPV6_PEERDNS="yes"
DEFROUTE="yes"
PEERDNS="yes"
IPV4_FAILURE_FATAL="no"
HWADDR="08:00:27:88:5C:09"
BOOTPROTO="dhcp"
IPV6_DEFROUTE="yes"
IPV6_AUTOCONF="yes"
IPV6_FAILURE_FATAL="no"
IPV6_PEERROUTES="yes"
TYPE="Ethernet"
ONBOOT="yes"
NAME="enp0s3"

[root@localhost network-scripts]# cat ifcfg-enp0s3:0
DEVICE="p2p1:0"
PEERROUTES="yes"
IPV6INIT="yes"
UUID="e4e1bc69-70c3-49d2-a991-68a8e7533485"
IPV6_PEERDNS="yes"
DEFROUTE="yes"
PEERDNS="yes"
IPV4_FAILURE_FATAL="no"
HWADDR="08:00:27:88:5C:09"
#BOOTPROTO="dhcp"
BOOTPROTO="none"
IPADDR=10.0.2.246
NETMASK=255.255.255.0
IPV6_DEFROUTE="yes"
IPV6_AUTOCONF="yes"
IPV6_FAILURE_FATAL="no"
IPV6_PEERROUTES="yes"
TYPE="Ethernet"
ONBOOT="yes"
NAME="enp0s3:0"

[root@localhost network-scripts]# ifup ifcfg-enp0s3:0
[root@localhost network-scripts]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         10.0.2.2        0.0.0.0         UG    0      0   0   p2p1
10.0.2.0        *               255.255.255.0   U     0      0   0   p2p1
link-local      *               255.255.0.0     U     1002   0   0   p2p1

[root@localhost network-scripts]# ifconfig
lo: flags=73  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0
inet6 ::1  prefixlen 128  scopeid 0x10
loop  txqueuelen 0  (Local Loopback)
RX packets 12  bytes 720 (720.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 12  bytes 720 (720.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p2p1: flags=4163  mtu 1500
inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe88:5c09  prefixlen 64  scopeid 0x20
ether 08:00:27:88:5c:09  txqueuelen 1000  (Ethernet)
RX packets 65  bytes 8826 (8.6 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 110  bytes 12346 (12.0 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p2p1:0: flags=4163  mtu 1500
inet 10.0.2.246  netmask 255.255.255.0  broadcast 10.0.2.255
ether 08:00:27:88:5c:09  txqueuelen 1000  (Ethernet)

[root@localhost network-scripts]# 

Cristian Sava



F19 - network instead NM is working now, but I have a question

2013-06-11 Thread Cristian Sava
I am testing F19-TC2 LXDE in a VirtualBox.
Now "network" instead NM is working as expected.

We do not have the "device" mentioned in 
/etc/sysconfig/network-scripts/ifcfg-enp0s3

How is advised to add an alias interface?
Do we have to get the interface name from "route" or whatever and add it
in ifcfg-enp0s3:0 as DEVICE=p2p1:0 ?
Do we still need to use /etc/rc.d/rc.local for that?
I did not find any obvious hint on the net, so an advice is welcome.


[cristi@localhost network-scripts]$ sudo systemctl disable NetworkManager.service
[sudo] password for cristi: 
rm '/etc/systemd/system/multi-user.target.wants/NetworkManager.service'
rm '/etc/systemd/system/dbus-org.freedesktop.NetworkManager.service'
[cristi@localhost network-scripts]$ sudo systemctl stop NetworkManager.service
[cristi@localhost network-scripts]$ sudo systemctl enable network.service
network.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig network on
[cristi@localhost network-scripts]$ sudo systemctl start network.service
[cristi@localhost network-scripts]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         10.0.2.2        0.0.0.0         UG    0      0   0   p2p1
10.0.2.0        *               255.255.255.0   U     1      0   0   p2p1
link-local      *               255.255.0.0     U     1002   0   0   p2p1
[cristi@localhost network-scripts]$ ping fw.xx.yy.ro
PING fw.xx.yy.ro (193.x.y.253) 56(84) bytes of data.
64 bytes from fw.xx.yy.ro (193.x.y.253): icmp_seq=1 ttl=63 time=2.06 ms
64 bytes from fw.xx.yy.ro (193.x.y.253): icmp_seq=2 ttl=63 time=0.801 ms
64 bytes from fw.xx.yy.ro (193.x.y.253): icmp_seq=3 ttl=63 time=0.808 ms
^C
--- fw.xx.yy.ro ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.801/1.223/2.061/0.593 ms
[cristi@localhost network-scripts]$ cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
PEERROUTES="yes"
IPV6INIT="yes"
UUID="e4e1bc69-70c3-49d2-a991-68a8e7533485"
IPV6_PEERDNS="yes"
DEFROUTE="yes"
PEERDNS="yes"
IPV4_FAILURE_FATAL="no"
HWADDR="08:00:27:88:5C:09"
BOOTPROTO="dhcp"
IPV6_DEFROUTE="yes"
IPV6_AUTOCONF="yes"
IPV6_FAILURE_FATAL="no"
IPV6_PEERROUTES="yes"
TYPE="Ethernet"
ONBOOT="yes"
NAME="enp0s3"
[cristi@localhost network-scripts]$ 

Cristian Sava



Re: vlan doesn't work?

2013-06-10 Thread Cristian Sava
On Mon, 2013-06-10 at 18:04 +0200, Louis Lagendijk wrote:
> On Sat, 2013-06-08 at 10:39 -0400, Tom Horsley wrote:
> > I disabled NetworkManager, I enabled network, I copied in all my
> > /etc/sysconfig/network-scripts/ifcfg-* files, but I don't get
> > any networking on my fedora 19 install.
> > 
> > I've got this box connected to a dd-wrt router doing
> > tagged packets for vlan support, so the network setup
> > is a tad complex :-). You can see the scripts here:
> > 
> > http://home.comcast.net/~tomhorsley/game/isolate.html
> > 
> > An ifconfig -a command doesn't show anything but lo
> > and p6p1, none of my bridges or p6p1.1 and p6p1.3
> > vlans.
> > 
> > Anyone know what might be missing that prevents this
> > stuff from working?
> VLAN=yes is missing in your ifcfg scripts
> I am not sure whether you need it in both the main and vlan ifcfg files.
> You may have to try to add it in both, but at least the vlan files need
> it
There are some related bugs already reported
(https://bugzilla.redhat.com/show_bug.cgi?id=964139)

Cristian Sava



Re: F19 Final criteria revamp

2013-06-10 Thread Cristian Sava
On Mon, 2013-06-10 at 15:58 +, "Jóhann B. Guðmundsson" wrote:

> And what I'm saying is we should not be blocking the release for that.
> 
> We are first and foremost shipping our distribution to be used as 
> primary OS on our users' HW just like any other OS does.
> 
NO, you do not have valid reasons to avoid "the requirement for sane
multiboot behavior (sane being, it's possible and does no harm to the
existing system)" as Chris Murphy stated.
Fedora has to just install, work and do no harm.
And NO, IT IS NOT A GOOD IDEA. The user has to be able to choose what
and how to install on his PC.

Cristian Sava




Re: F19 Final criteria revamp

2013-06-10 Thread Cristian Sava
On Mon, 2013-06-10 at 11:05 -0400, Chris Murphy wrote:
> It absolutely should block the release as there's no way to fix it after the 
> fact. Dropping the requirement for sane multiboot behavior isn't a good idea. 
> (Sane being, it's possible and does no harm to the existing system.)
> 
+1
Cristian Sava



Re: How does grub2 know what to boot?

2013-06-10 Thread Cristian Sava
On Mon, 2013-06-10 at 10:25 -0400, Tom Horsley wrote:
> I just installed f19 beta, and it overwrote my MBR with
> grub2ness (as expected).
> 
> But now I'm wondering - the actual installation of
> f19 is entirely on /dev/sda2 (including the /boot
> directory which is just a subdirectory of /, not
> a separate partition).
> 
> My old f18 /dev/sda3 partition is the only one marked
> as "boot".
> 
> So how the heck is grub2 locating and booting the
> /dev/sda2 /boot stuff? Is there a pointer stashed in
> the MBR telling it where to look?
> 
> Just curious :-).
Some time back I had a similar problem and I discovered that my old grub
install (other partition) was used. Would you mind checking?

Cristian Sava


Re: F19 Final criteria revamp

2013-06-10 Thread Cristian Sava
On Mon, 2013-06-10 at 08:38 -0400, Chris Murphy wrote:
> On Jun 10, 2013, at 3:51 AM, Adam Williamson  wrote:
> > Could you take a look and see if it's better now, or
> > still needs improving?
> 
> Criterion reads: The installer must be able to install into free space 
> alongside an existing clean Windows installation and install a bootloader 
> which can boot into both Windows and Fedora.
> 
There was a debate regarding dual boot (here is explained how to install
the bootloader into the first sector of the partition)
https://lists.fedoraproject.org/pipermail/users/2013-January/429440.html
After all, why get rid of this way of dual booting for non-UEFI
systems, for non-encrypted dual boot?
What is the big advantage of not having that?

Cristian Sava





Re: F19-mailserver & selinux complains

2013-06-09 Thread Cristian Sava
On Sat, 2013-06-08 at 22:34 +0200, Lars Seipel wrote:
> It took me a while to figure out you're not talking about Fedora
> packages but RPMs/specfiles provided by some 3rd party. Please make this
> a bit clearer next time.
Well, our server is somehow similar to
http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-fedora-18-x86_64
but we have a slightly different goal:
The goal is to have completely virtual users and domains. We want
minimum work to add/delete/invalidate users. This mail server does not
care of /etc/passwd (no alias needed for every local user) and
jim...@domain1.com != jim...@domain2.com != jim...@localws.mydomain.com
This means creating a separate namespace for each domain, mail users
stored in a database, mail addressed to the machine (even for users that
do not exist!) may be managed, etc.
We did this for F17, F18 and now F19. All these servers are working well
(without selinux) but we want a simpler way to enable selinux for such
installs. We want selinux=enabled because it is a valuable thing to
have.
It's not comfortable to build many dedicated modules (sometimes not even
possible - is any dedicated directory advised to store them? /opt ? - no
one wants to be a selinux guru just for that) so we asked help on this
list.

C. Sava



Re: F19-mailserver & selinux complains

2013-06-06 Thread Cristian Sava
> > Anyways Cristian, I have added the allow rules to the base policy to allow
> > this.  You can do this for now  by executing
> > 
> > # grep courier /var/log/audit/audit.log | audit2allow -M mycourier
> > # semodule -i mycourier.pp

Well, I tested as you advised but there is much more to do.

I did for courier-amavis-postfix:
# grep courier /var/log/audit/audit.log | audit2allow -M mycourier
# semodule -i mycourier.pp

and also

# grep /usr/sbin/amavi /var/log/audit/audit.log | audit2allow -M myamavis
# semodule -i myamavis.pp
# grep virtual /var/log/audit/audit.log | audit2allow -M myvirtual
# semodule -i myvirtual.pp

And now the mail server is working.
But I use (as many others) fail2ban and this is not working until we do:

# grep pidof /var/log/audit/audit.log | audit2allow -M mypidof
# semodule -i mypidof.pp

Now, with such/these modules in place, many tutorials from
www.howtoforge.com are working with selinux enabled and many people are
happy and fedora's users base is growing.
The problem is that not many users want to or can debug and solve such
things. It's simple but not for them.
That's why I ask on this list to relax a little bit the rules and accept
some little changes to default and let people use their desired
software. Sometimes a very simple option can make miracles.

And now a very very good thing:
Fedora 19 seems to me a rock solid distribution!
Congrats to all of you!

Cristian Sava



Re: F19-mailserver & selinux complains

2013-06-06 Thread Cristian Sava
On Wed, 2013-06-05 at 07:57 -0500, Bruno Wolff III wrote:
> On Wed, Jun 05, 2013 at 09:18:51 +0300,
>Cristian Sava  wrote:
> >I will consider your suggestion but this may take time and testing. It
> >is not for today or tomorrow and not all the people will agree with us.
> >Courier is a robust and well working piece in a mail server so it's a
> >much simpler solution to disable or even uninstall selinux (why don't we
> >have an install time option do it).
> >I like very much selinux (when there is a simple way to configure it)
> >but I will not abandon courier just for that and many will agree with
> >me.
> 
> It might not even be a general Courier issue, but rather how it is 
> packaged for Fedora.
wget https://sourceforge.net/projects/courier/files/authlib/0.65.0/courier-authlib-0.65.0.tar.bz2
wget https://sourceforge.net/projects/courier/files/imap/4.13/courier-imap-4.13.tar.bz2

and "rpmbuild -ta courier-authlib-0.65.0.tar.bz2" ... so the spec is the one provided.
Check the vast majority of tutorials and you'll find that all begin with SELINUX=disabled
and they rpmbuild courier in the same way.
Courier must match the same scheme with postfix, amavisd-new, clamav, spamassassin
(and all is working ok if selinux is disabled)
so it's expected to not be so easy to rethink all these spec files to work with selinux.
Do you know someone who did?

Cristian Sava




Re: F19-mailserver & selinux complains

2013-06-06 Thread Cristian Sava
On Wed, 2013-06-05 at 09:41 -0400, Daniel J Walsh wrote:
> On 06/05/2013 01:59 AM, Cristian Sava wrote:
> > On Tue, 2013-06-04 at 11:40 -0400, Daniel J Walsh wrote:
> >> On 06/04/2013 05:06 AM, Cristian Sava wrote:
> >>> I am trying to activate selinux for my mailserver. It is F19 
> >>> postfix_courier_amavisd-new_clamav_squirrelmail install in a virtual 
> >>> environment. All needed is stock or was packaged on F19 (rpmbuild -ta
> >>> ... / rpmbuild -ba ...) and all is working fine (selinux disabled). No
> >>> tar.gz directly installed. I am trying to fix things one by one. Any
> >>> advice is welcome. When receiving a message selinux complain
> >>> (permissive):
> >>> 
> >>> SELinux is preventing /usr/sbin/courierlogger from getattr access on
> >>> the file /var/spool/authdaemon/pid.
> >>> 
> >>> *  Plugin catchall (100. confidence) suggests 
> >>> ***
> >>> 
> >>> If you believe that courierlogger should be allowed getattr access on
> >>> the pid file by default. Then you should report this as a bug. You can
> >>> generate a local policy module to allow this access. Do allow this
> >>> access for now by executing: # grep courierlogger
> >>> /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
> >>> 
> >>> Additional Information: Source Context 
> >>> system_u:system_r:courier_authdaemon_t:s0 Target Context 
> >>> system_u:object_r:courier_spool_t:s0 Target Objects 
> >>> /var/spool/authdaemon/pid [ file ] Source courierlogger Source Path
> >>> /usr/sbin/courierlogger Port  Host
> >>> s198.domain.xx Source RPM Packages courier-authlib-0.65.0-1.fc19.x86_64
> >>> Target RPM Packages courier-authlib-0.65.0-1.fc19.x86_64 Policy RPM 
> >>> selinux-policy-3.12.1-47.fc19.noarch Selinux Enabled   True
> >>>  Policy Type   targeted Enforcing Mode Permissive Host
> >>> Name s198.domain.xx Platform Linux s198.domain.xx
> >>> 3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06 UTC 2013 x86_64 x86_64
> >>> Alert Count   7 First Seen 2013-05-30 16:35:05 EEST
> >>> Last Seen 2013-06-04 11:30:02 EEST Local ID
> >>> 469bd394-ddfb-454b-89e0-5ea40c2cf36b
> >>> 
> >>> Raw Audit Messages type=AVC msg=audit(1370334602.277:26): avc:  denied
> >>> { getattr } for pid=461 comm="courierlogger"
> >>> path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281
> >>> scontext=system_u:system_r:courier_authdaemon_t:s0 
> >>> tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
> >>> 
> >>> 
> >>> type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat 
> >>> success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0
> >>> ppid=1 pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> >>> sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=courierlogger 
> >>> exe=/usr/sbin/courierlogger
> >>> subj=system_u:system_r:courier_authdaemon_t:s0 key=(null)
> >>> 
> >>> Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr
> >>> 
> >>> [cristi@s198 ~]$ getsebool -a | grep " on" auditadm_exec_content --> on
> >>>  domain_fd_use --> on fips_mode --> on global_ssp --> on 
> >>> gluster_export_all_rw --> on gssd_read_tmp --> on guest_exec_content
> >>> --> on httpd_builtin_scripting --> on httpd_can_network_connect --> on
> >>>  httpd_can_network_connect_db --> on httpd_enable_cgi --> on 
> >>> httpd_enable_homedirs --> on httpd_graceful_shutdown --> on 
> >>> httpd_mod_auth_pam --> on httpd_sys_script_anon_write --> on
> >>> httpd_use_gpg --> on kerberos_enabled --> on
> >>> logging_syslogd_can_sendmail --> on login_console_enabled --> on
> >>> mcelog_exec_scripts --> on mount_anyfile --> on nfs_export_all_ro -->
> >>> on nfs_export_all_rw --> on nscd_use_shm --> on openvpn_enable_homedirs
> >>> --> on postfix_local_write_mail_spool --> on 
> >>> postgresql_selinux_unconfined_dbadm --> on postgresql_selinux_users_ddl
> >>> --> on privoxy_connect_any --> on saslauthd_read_shadow --> on 
> >>> secadm_exec_content --> on selinuxuser_direct_

Re: F19-mailserver & selinux complains

2013-06-05 Thread Cristian Sava
On Wed, 2013-06-05 at 00:23 -0700, Adam Williamson wrote:
> On Wed, 2013-06-05 at 09:18 +0300, Cristian Sava wrote:
> > On Tue, 2013-06-04 at 08:08 -0700, Adam Williamson wrote:
> > > On Tue, 2013-06-04 at 12:06 +0300, Cristian Sava wrote:
> > > > I am trying to activate selinux for my mailserver.
> > > > It is F19 postfix_courier_amavisd-new_clamav_squirrelmail install in a
> > > > virtual environment. All needed is stock or was packaged on F19
> > > > (rpmbuild -ta ... / rpmbuild -ba ...) and all is working fine (selinux
> > > > disabled). No tar.gz directly installed.
> > > > I am trying to fix things one by one. Any advice is welcome. When
> > > > receiving a message selinux complain (permissive):
> > > > 
> > > > SELinux is preventing /usr/sbin/courierlogger from getattr access on the
> > > > file /var/spool/authdaemon/pid.
> > > > 
> > > > *  Plugin catchall (100. confidence) suggests
> > > > ***
> > > > 
> > > > If you believe that courierlogger should be allowed getattr access on
> > > > the pid file by default.
> > > > Then you should report this as a bug.
> > > 
> > > If I were you, I'd do that.
> > > 
> > > Well no, that's a lie. If I were you I'd stop using Courier and start
> > > using Dovecot, because it's better. From what I've seen, most people who
> > > run IMAP servers made that switch already, which may explain why Courier
> > > has apparently grown an SELinux issue you'd think would have been fixed
> > > already.
> > I will consider your suggestion but this may take time and testing. It
> > is not for today or tomorrow and not all the people will agree with us.
> > Courier is a robust and well working piece in a mail server so it's a
> > much simpler solution to disable or even uninstall selinux (why don't we
> > have an install time option do it).
> > I like very much selinux (when there is a simple way to configure it)
> > but I will not abandon courier just for that and many will agree with
> > me.
> 
> Sure, I didn't mean it that way, I just meant that it's probably worth
> looking at other servers in general. I used Courier for years but
> switched away a couple of years back; dovecot does quite a lot of things
> better.
Yes, you and Daniel are perfectly right but it's a future solution not
the one for now.
Avoiding courier if selinux is enabled is not always an option nor a
complicated setting scheme for selinux. Maybe that's why so many people
advise to disable selinux (not a good thing in my view, selinux is a
must in many situations).
Thank you for your answers.

C. Sava



Re: F19-mailserver & selinux complains

2013-06-04 Thread Cristian Sava
On Tue, 2013-06-04 at 08:08 -0700, Adam Williamson wrote:
> On Tue, 2013-06-04 at 12:06 +0300, Cristian Sava wrote:
> > I am trying to activate selinux for my mailserver.
> > It is F19 postfix_courier_amavisd-new_clamav_squirrelmail install in a
> > virtual environment. All needed is stock or was packaged on F19
> > (rpmbuild -ta ... / rpmbuild -ba ...) and all is working fine (selinux
> > disabled). No tar.gz directly installed.
> > I am trying to fix things one by one. Any advice is welcome. When
> > receiving a message selinux complain (permissive):
> > 
> > SELinux is preventing /usr/sbin/courierlogger from getattr access on the
> > file /var/spool/authdaemon/pid.
> > 
> > *  Plugin catchall (100. confidence) suggests
> > ***
> > 
> > If you believe that courierlogger should be allowed getattr access on
> > the pid file by default.
> > Then you should report this as a bug.
> 
> If I were you, I'd do that.
> 
> Well no, that's a lie. If I were you I'd stop using Courier and start
> using Dovecot, because it's better. From what I've seen, most people who
> run IMAP servers made that switch already, which may explain why Courier
> has apparently grown an SELinux issue you'd think would have been fixed
> already.
I will consider your suggestion but this may take time and testing. It
is not for today or tomorrow and not all the people will agree with us.
Courier is a robust and well working piece in a mail server so it's a
much simpler solution to disable or even uninstall selinux (why don't we
have an install time option do it).
I like very much selinux (when there is a simple way to configure it)
but I will not abandon courier just for that and many will agree with
me.

C. Sava




Re: F19-mailserver & selinux complains

2013-06-04 Thread Cristian Sava
On Tue, 2013-06-04 at 11:40 -0400, Daniel J Walsh wrote:
> On 06/04/2013 05:06 AM, Cristian Sava wrote:
> > I am trying to activate selinux for my mailserver. It is F19
> > postfix_courier_amavisd-new_clamav_squirrelmail install in a virtual
> > environment. All needed is stock or was packaged on F19 (rpmbuild -ta ... /
> > rpmbuild -ba ...) and all is working fine (selinux disabled). No tar.gz
> > directly installed. I am trying to fix things one by one. Any advice is
> > welcome. When receiving a message selinux complain (permissive):
> > 
> > SELinux is preventing /usr/sbin/courierlogger from getattr access on the 
> > file /var/spool/authdaemon/pid.
> > 
> > *  Plugin catchall (100. confidence) suggests 
> > ***
> > 
> > If you believe that courierlogger should be allowed getattr access on the
> > pid file by default. Then you should report this as a bug. You can generate
> > a local policy module to allow this access. Do allow this access for now by
> > executing: # grep courierlogger /var/log/audit/audit.log | audit2allow -M
> > mypol # semodule -i mypol.pp
> > 
> > Additional Information: Source Context
> > system_u:system_r:courier_authdaemon_t:s0 Target Context
> > system_u:object_r:courier_spool_t:s0 Target Objects
> > /var/spool/authdaemon/pid [ file ] Source
> > courierlogger Source Path   /usr/sbin/courierlogger Port
> >  Host  s198.domain.xx Source RPM Packages
> > courier-authlib-0.65.0-1.fc19.x86_64 Target RPM Packages
> > courier-authlib-0.65.0-1.fc19.x86_64 Policy RPM
> > selinux-policy-3.12.1-47.fc19.noarch Selinux Enabled   True 
> > Policy Type   targeted Enforcing Mode
> > Permissive Host Name s198.domain.xx Platform
> > Linux s198.domain.xx 3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06 UTC
> > 2013 x86_64 x86_64 Alert Count   7 First Seen
> > 2013-05-30 16:35:05 EEST Last Seen 2013-06-04 11:30:02
> > EEST Local ID  469bd394-ddfb-454b-89e0-5ea40c2cf36b
> > 
> > Raw Audit Messages type=AVC msg=audit(1370334602.277:26): avc:  denied  {
> > getattr } for pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid"
> > dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 
> > tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
> > 
> > 
> > type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat 
> > success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0 ppid=1
> > pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 ses=4294967295 tty=(none) comm=courierlogger 
> > exe=/usr/sbin/courierlogger subj=system_u:system_r:courier_authdaemon_t:s0
> > key=(null)
> > 
> > Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr
> > 
> > [cristi@s198 ~]$ getsebool -a | grep " on" auditadm_exec_content --> on 
> > domain_fd_use --> on fips_mode --> on global_ssp --> on 
> > gluster_export_all_rw --> on gssd_read_tmp --> on guest_exec_content -->
> > on httpd_builtin_scripting --> on httpd_can_network_connect --> on 
> > httpd_can_network_connect_db --> on httpd_enable_cgi --> on 
> > httpd_enable_homedirs --> on httpd_graceful_shutdown --> on 
> > httpd_mod_auth_pam --> on httpd_sys_script_anon_write --> on httpd_use_gpg
> > --> on kerberos_enabled --> on logging_syslogd_can_sendmail --> on 
> > login_console_enabled --> on mcelog_exec_scripts --> on mount_anyfile -->
> > on nfs_export_all_ro --> on nfs_export_all_rw --> on nscd_use_shm --> on 
> > openvpn_enable_homedirs --> on postfix_local_write_mail_spool --> on 
> > postgresql_selinux_unconfined_dbadm --> on postgresql_selinux_users_ddl -->
> > on privoxy_connect_any --> on saslauthd_read_shadow --> on 
> > secadm_exec_content --> on selinuxuser_direct_dri_enabled --> on 
> > selinuxuser_execmod --> on selinuxuser_execstack --> on 
> > selinuxuser_mysql_connect_enabled --> on selinuxuser_ping --> on 
> > selinuxuser_rw_noexattrfile --> on selinuxuser_tcp_server --> on 
> > spamassassin_can_network --> on spamd_enable_home_dirs --> on 
> > squid_connect_any --> on staff_exec_content --> on sysadm_exec_content -->
> > on telepathy_tcp_connect_generic_network_ports --> on 
> > unconfined_chrome_sandbox_transition --> on unconfined_login --> on 
> > unconfined_mozilla_plugi

F19-mailserver & selinux complains

2013-06-04 Thread Cristian Sava
I am trying to activate selinux for my mailserver.
It is F19 postfix_courier_amavisd-new_clamav_squirrelmail install in a
virtual environment. All needed is stock or was packaged on F19
(rpmbuild -ta ... / rpmbuild -ba ...) and all is working fine (selinux
disabled). No tar.gz directly installed.
I am trying to fix things one by one. Any advice is welcome. When
receiving a message selinux complain (permissive):

SELinux is preventing /usr/sbin/courierlogger from getattr access on the
file /var/spool/authdaemon/pid.

*  Plugin catchall (100. confidence) suggests
***

If you believe that courierlogger should be allowed getattr access on
the pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep courierlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:courier_authdaemon_t:s0
Target Context                system_u:object_r:courier_spool_t:s0
Target Objects                /var/spool/authdaemon/pid [ file ]
Source                        courierlogger
Source Path                   /usr/sbin/courierlogger
Port
Host                          s198.domain.xx
Source RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
Target RPM Packages           courier-authlib-0.65.0-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-47.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     s198.domain.xx
Platform                      Linux s198.domain.xx 3.9.4-300.fc19.x86_64 #1
                              SMP Fri May 24 22:17:06 UTC 2013 x86_64 x86_64
Alert Count                   7
First Seen                    2013-05-30 16:35:05 EEST
Last Seen                     2013-06-04 11:30:02 EEST
Local ID                      469bd394-ddfb-454b-89e0-5ea40c2cf36b

Raw Audit Messages
type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for
pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1"
ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0
tcontext=system_u:object_r:courier_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat
success=yes exit=0 a0=3 a1=7fffc612b9d0 a2=7fffc612b9d0 a3=4 items=0
ppid=1 pid=461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=courierlogger
exe=/usr/sbin/courierlogger
subj=system_u:system_r:courier_authdaemon_t:s0 key=(null)

Hash: courierlogger,courier_authdaemon_t,courier_spool_t,file,getattr

[cristi@s198 ~]$ getsebool -a | grep " on"
auditadm_exec_content --> on
domain_fd_use --> on
fips_mode --> on
global_ssp --> on
gluster_export_all_rw --> on
gssd_read_tmp --> on
guest_exec_content --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_graceful_shutdown --> on
httpd_mod_auth_pam --> on
httpd_sys_script_anon_write --> on
httpd_use_gpg --> on
kerberos_enabled --> on
logging_syslogd_can_sendmail --> on
login_console_enabled --> on
mcelog_exec_scripts --> on
mount_anyfile --> on
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nscd_use_shm --> on
openvpn_enable_homedirs --> on
postfix_local_write_mail_spool --> on
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
privoxy_connect_any --> on
saslauthd_read_shadow --> on
secadm_exec_content --> on
selinuxuser_direct_dri_enabled --> on
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> on
selinuxuser_ping --> on
selinuxuser_rw_noexattrfile --> on
selinuxuser_tcp_server --> on
spamassassin_can_network --> on
spamd_enable_home_dirs --> on
squid_connect_any --> on
staff_exec_content --> on
sysadm_exec_content --> on
telepathy_tcp_connect_generic_network_ports --> on
unconfined_chrome_sandbox_transition --> on
unconfined_login --> on
unconfined_mozilla_plugin_transition --> on
user_exec_content --> on
virt_use_usb --> on
xend_run_blktap --> on
xend_run_qemu --> on
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
[cristi@s198 ~]$ 

Do I miss something obvious?

C. Sava
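
An added example, not part of the thread and not audit2allow's own code: a small reviewer for the `grep <keyword> audit.log | audit2allow -M <name>` workflow used in this thread, showing which allow rules a keyword match would produce and which source domains fall outside the service you meant to fix. The log is constructed: the first record is the AVC quoted above joined onto one line, the other records and all function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log. Record 1 is the AVC denial quoted in the message
# above (joined onto one line); records 2 and 3 are invented for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1370334602.277:26): avc:  denied  { getattr } for pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1370334602.300:27): avc:  denied  { read open } for pid=461 comm="courierlogger" path="/var/spool/authdaemon/pid" dev="dm-1" ino=1193281 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1370334700.100:31): avc:  denied  { read } for pid=990 comm="logrotate" path="/var/log/courier.log" dev="dm-1" ino=2001 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1370334602.277:26): arch=x86_64 syscall=fstat success=yes exit=0 comm=courierlogger exe=/usr/sbin/courierlogger
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    if not re.search(r"\btype=AVC\b", line):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "source": selinux_type(m.group("scontext")),
        "target": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def collect_rules(log_text, keyword):
    """Mimic `grep keyword`: keep lines containing the substring, then merge
    the denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if keyword not in line:
            continue
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_rules(rules):
    """Render merged denials as type-enforcement allow statements."""
    out = []
    for (source, target, tclass), perms in sorted(rules.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {source} {target}:{tclass} {body};")
    return out


def sources_outside(rules, expected_prefix):
    """Source domains pulled in by the keyword that are not the intended service."""
    return sorted({s for (s, _, _) in rules if not s.startswith(expected_prefix)})


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG, "courier")
    for rule in render_rules(rules):
        print(rule)
    print("review before installing:", sources_outside(rules, "courier_"))
```

The third record matches `courier` only through its file path, so a module built from that grep would also widen `logrotate_t`; reading the generated `.te` file before `semodule -i` catches this.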



Re: F19 - server, no graphics - time problem - the complete solution

2013-05-28 Thread Cristian Sava
On Tue, 2013-05-28 at 10:57 -0700, Adam Williamson wrote:
> I don't recall seeing reports of anything in particular being changed in
> this area. Are you sure this behaviour differs from previous releases?
> -- 

I am saying that something similar to
  # cd /var/spool/postfix
  # mkdir etc
  # cd etc
  # cp /usr/share/zoneinfo/Europe/Bucharest localtime
should be done as install part of postfix and also for 
   date.timezone = "Europe/Bucharest"
regardless of how much time was actually.
That way we will avoid time zone problems on mail servers.

C. Sava



Re: F19 - server, no graphics - time problem - the complete solution

2013-05-28 Thread Cristian Sava
On Tue, 2013-05-28 at 12:33 +0300, Cristian Sava wrote:
> Partial solution found:
> 
> # cd /var/spool/postfix
> # mkdir etc
> # cd etc
> # cp /usr/share/zoneinfo/Europe/Bucharest localtime
> # postfix check
> # postfix reload
> 
We also need to edit php.ini and set 
  date.timezone = "Europe/Bucharest"
and
# systemctl restart httpd.service

Now all is working fine.
F19 is still prerelease and such bugs are expected and that's why I
report them. Hope this helps to fix for the final release.

C.Sava



Re: F19 - server, no graphics - time problem - partial solution found

2013-05-28 Thread Cristian Sava
Partial solution found:

# cd /var/spool/postfix
# mkdir etc
# cd etc
# cp /usr/share/zoneinfo/Europe/Bucharest localtime
# postfix check
# postfix reload

and the mail headers are now ok:

Return-Path: 
X-Original-To: ph_mailad...@physics.xxx.yy
Delivered-To: ph_mailad...@physics.xxx.yy
Received: from localhost (unknown [127.0.0.1])
by physics.xxx.yy (Postfix) with ESMTP id 11C581E0095
for ; Tue, 28 May 2013 11:56:59 +0300
(EEST)
X-Virus-Scanned: amavisd-new at localhost
Received: from physics.xxx.yy ([127.0.0.1])
by localhost (physics.xxx.yy [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id AgDscSLn8TMG for ;
Tue, 28 May 2013 11:56:53 +0300 (EEST)
Received: from ns.central.xxx.yy (g129.central.xxx.yy [193.www.zzz.129])
by physics.xxx.yy (Postfix) with ESMTPS id 1593A1E0094
for ; Tue, 28 May 2013 11:56:53 +0300
(EEST)
Received: from [193.www.zzz.194] (s194.central.xxx.yy [193.www.zzz.194])
by ns.central.xxx.yy (8.13.8/8.13.8) with ESMTP id r4S8mOLs011307
for ; Tue, 28 May 2013 11:48:24 +0300
Message-ID: <1369731412.11701.0.ca...@s194.central.xxx.yy>
Subject: [Fwd: Re: F19 - server, no graphics - time problem]
From: Cristian Sava 
To: ph_mailad...@physics.xxx.yy
Date: Tue, 28 May 2013 11:56:52 +0300
Content-Type: multipart/mixed; boundary="=-XX34RGoQ0rDub4EPs5g1"
X-Mailer: Evolution 3.6.4 (3.6.4-3.fc18) 
Mime-Version: 1.0

[root@physics ~]# timedatectl
      Local time: Tue 2013-05-28 11:27:37 EEST
  Universal time: Tue 2013-05-28 08:27:37 UTC
        RTC time: Tue 2013-05-28 08:27:37
        Timezone: Europe/Bucharest (EEST, +0300)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: yes
 Last DST change: DST began at
                  Sun 2013-03-31 02:59:59 EET
                  Sun 2013-03-31 04:00:00 EEST
 Next DST change: DST ends (the clock jumps one hour backwards) at
                  Sun 2013-10-27 03:59:59 EEST
                  Sun 2013-10-27 03:00:00 EET
[root@physics ~]# systemctl status chronyd.service
chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
   Active: active (running) since Mon 2013-05-27 18:43:22 EEST; 16h ago
 Main PID: 362 (chronyd)
   CGroup: name=systemd:/system/chronyd.service
   └─362 /usr/sbin/chronyd -u chrony

May 27 18:43:22 physics.xxx.yy chronyd[362]: chronyd version 1.27 starting
May 27 18:43:22 physics.xxx.yy chronyd[362]: Linux kernel major=3 minor=9 patch=4
May 27 18:43:22 physics.xxx.yy chronyd[362]: hz=100 shift_hz=7 freq_scale=1. nominal_tick=1 ...ll=2
May 27 18:43:22 physics.xxx.yy chronyd[362]: Frequency -3.964 +/- 3.425 ppm read from /var/lib/chrony/drift
May 27 18:43:22 physics.xxx.yy systemd[1]: Started NTP client/server.
May 27 18:43:35 physics.xxx.yy chronyd[362]: Selected source 89.36.197.2
May 27 18:44:41 physics.xxx.yy chronyd[362]: Selected source 91.207.120.6
May 27 18:46:51 physics.xxx.yy chronyd[362]: Selected source 93.190.144.19

Some problems still persist:
1) Squirrelmail still is displaying the wrong time (UTC instead of
EEST).
2) The shown fix is not necessary if the graphical platform exists, so
it's a bug somewhere.

Already tried (as if chrooted)

# cd /var/www
# mkdir etc
# cp /etc/localtime localtime
# systemctl restart httpd.service

but has no positive results.
Any good idea?

C.Sava


Re: F19 - server, no graphics - time problem

2013-05-27 Thread Cristian Sava
On Tue, 2013-05-28 at 05:16 +0800, Ed Greshko wrote:
> On 05/28/13 00:09, Cristian Sava wrote:
> > My F19 mail server shows messages with wrong time (UTC instead of EEST),
> > ntpd is enabled and is working. The date command is showing the correct
> > time. Is it a bug somewhere or am I missing something?
> > Any advice how to fix?
> 
> I have not configured sendmail (assuming you're using that and not postfix) 
> but maybe you need to add the confTIME_ZONE directive to your sendmail.mc 
> file and recreate sendmail.cf?
> 
Thank you for your suggestion but I use postfix+courier-imap+amavisd-new
+clamav+spamassassin and no graphics installed on this box
(I3-2120-8GB-ASRock_H67M-GE).
Note that this identical configuration perfectly works on a virtual
kvm-qemu with gnome interface (no bugs there, no problems at all).
That is why I suspect a bug somewhere in amavisd-new clamav spamassassin
chain in the absence of the graphical interface or I need to configure
something that I don't know of.

C. Sava



F19 - server, no graphics - time problem

2013-05-27 Thread Cristian Sava
Hi all,

My F19 mail server shows messages with wrong time (UTC instead of EEST),
ntpd is enabled and is working. The date command is showing the correct
time. Is it a bug somewhere or am I missing something?
Any advice how to fix?
See the sample headers for a message:

Return-Path: 
X-Original-To: ph_mailad...@physics.xxx.yy
Delivered-To: ph_mailad...@physics.xxx.yy
Received: from localhost (unknown [127.0.0.1])
 by physics.xxx.yy (Postfix) with ESMTP id 21D741E0085
 for ; Mon, 27 May 2013 15:49:16 +
(UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from physics.xxx.yy ([127.0.0.1])
 by localhost (physics.xxx.yy [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id NdKnk0LrHZYW for ;
 Mon, 27 May 2013 18:49:10 +0300 (EEST)
Received: from ns.central.xxx.yy (g129.central.xxx.yy [zzz.www.vvv.129])
 by physics.xxx.yy (Postfix) with ESMTPS id 942A41E0068
 for ; Mon, 27 May 2013 18:49:10 +0300
(EEST)
Received: from [zzz.www.vvv.194] (s194.central.xxx.yy [zzz.www.vvv.194])
 by ns.central.xxx.yy (8.13.8/8.13.8) with ESMTP id r4RFeo7I024887
 for ; Mon, 27 May 2013 18:40:50 +0300
Message-ID: <1369669750.3121.1.ca...@s194.central.xxx.yy>
Subject: [Fwd: Corectii privind adresa privind solicitarea de
informatii.]
From: Cristian Sava 
To: ph_mailad...@physics.xxx.yy
Date: Mon, 27 May 2013 18:49:10 +0300
Content-Type: multipart/mixed; boundary="=-nHKsl4yHLYYkAaTvg3ls"
X-Mailer: Evolution 3.6.4 (3.6.4-3.fc18)
Mime-Version: 1.0

C. Sava



Re: F19 - How to use alias network interface? how to add static routes? - How I solved this

2013-05-22 Thread Cristian Sava
On Tue, 2013-05-21 at 12:20 +0300, Cristian Sava wrote:
> On Tue, 2013-05-21 at 09:21 +0300, Cristian Sava wrote:
> > Hi all,
> > I need to have alias network interfaces.
> > What is the desired way to do this in F19?
> > 
> > My actual setup (without alias):
> > [root@physics sysconfig]# ls network-scripts/ifcfg-*
> > network-scripts/ifcfg-enp4s0  network-scripts/ifcfg-enp5s0
> > network-scripts/ifcfg-lo
> > [root@physics sysconfig]# cat network-scripts/ifcfg-enp4s0
> > TYPE=Ethernet
> > #BOOTPROTO=dhcp
> > BOOTPROTO=none
> > DEFROUTE=yes
> > IPV4_FAILURE_FATAL=no
> > IPV6INIT=yes
> > IPV6_AUTOCONF=yes
> > IPV6_DEFROUTE=yes
> > IPV6_PEERDNS=yes
> > IPV6_PEERROUTES=yes
> > IPV6_FAILURE_FATAL=no
> > NAME=enp4s0
> > UUID=4fd3476d-2423-4c26-99f9-28b5f6d18b05
> > ONBOOT=yes
> > HWADDR=00:08:54:41:46:01
> > PEERDNS=yes
> > PEERROUTES=yes
> > IPADDR=172.16.0.1
> > PREFIX=16
> > [root@physics sysconfig]# cat network-scripts/ifcfg-enp5s0
> > DOMAIN="central.ucv.ro"
> > IPV6_PEERDNS="yes"
> > IPV6INIT="yes"
> > UUID="df0a5629-9f3f-4c85-a5c0-ad72e8f6"
> > IPADDR0="193.x.y.130"
> > DNS1="193.x.y.254"
> > PREFIX0="26"
> > DEFROUTE="yes"
> > IPV4_FAILURE_FATAL="yes"
> > HWADDR="00:25:22:F9:71:3D"
> > BOOTPROTO="none"
> > IPV6_DEFROUTE="yes"
> > GATEWAY0="193.x.y.129"
> > IPV6_AUTOCONF="yes"
> > IPV6_FAILURE_FATAL="no"
> > IPV6_PEERROUTES="yes"
> > TYPE="Ethernet"
> > ONBOOT="yes"
> > NAME="enp5s0"
> > [root@physics sysconfig]# cat iptables
> > # Custom file edited on 15-May-2013
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 25 -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 110 -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 143 -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
> > #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 465 -j ACCEPT
> > #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 587 -j ACCEPT
> > #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 993 -j ACCEPT
> > #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 995 -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 2307 -j ACCEPT
> > -A INPUT -p udp --dport 6277 -j ACCEPT
> > -A INPUT -p udp --dport 24441 -j ACCEPT
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -j ACCEPT
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > # Completed on 2013-05-20 15:23
> > *nat
> > :PREROUTING ACCEPT [0:0]
> > :POSTROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A POSTROUTING -s 172.16.0.0/16 -o p5p1 -j SNAT --to-source 193.231.40.130
> > COMMIT
> > [root@physics sysconfig]# route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > default         g129.xxx.yyy    0.0.0.0         UG    0      0        0 p5p1
> > 193.x.y.128     *               255.255.255.192 U     0      0        0 p5p1
> > 172.16.0.0      *               255.255.0.0     U     0      0        0 p4p1
> > [root@physics sysconfig]# 
> > 
> > I need some addresses from local to be accessible from outside, so alias
> > interface is needed. Not any local device knows other than basic
> > routing. That is why I need another subnet, so alias.
> > Let's say 193.x.y.162 from (placed) local visible from outside. 
> > (I can do it with F18/Centos, etc.)
> > What is the desired/proposed way in F19?
> > Using network instead NM failed (no name resolution) in my testing. Do I
> > miss something? May I hope/wait for a fix in F19?
> > Why the interface name is p5p1 and p4p1, different from ifcfg-enp5s0
> > etc.? Is anywhere explained this?
> > In F18 docs there was a promise to have to choose between firewalld and
> > iptables, not implemented until now (can be manually done but it is not
> > trivial for a

Re: F19 - How to use alias network interface? how to add static routes?

2013-05-21 Thread Cristian Sava
On Tue, 2013-05-21 at 09:21 +0300, Cristian Sava wrote:
> Hi all,
> I need to have alias network interfaces.
> What is the desired way to do this in F19?
> 
> My actual setup (without alias):
> [root@physics sysconfig]# ls network-scripts/ifcfg-*
> network-scripts/ifcfg-enp4s0  network-scripts/ifcfg-enp5s0
> network-scripts/ifcfg-lo
> [root@physics sysconfig]# cat network-scripts/ifcfg-enp4s0
> TYPE=Ethernet
> #BOOTPROTO=dhcp
> BOOTPROTO=none
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=no
> IPV6INIT=yes
> IPV6_AUTOCONF=yes
> IPV6_DEFROUTE=yes
> IPV6_PEERDNS=yes
> IPV6_PEERROUTES=yes
> IPV6_FAILURE_FATAL=no
> NAME=enp4s0
> UUID=4fd3476d-2423-4c26-99f9-28b5f6d18b05
> ONBOOT=yes
> HWADDR=00:08:54:41:46:01
> PEERDNS=yes
> PEERROUTES=yes
> IPADDR=172.16.0.1
> PREFIX=16
> [root@physics sysconfig]# cat network-scripts/ifcfg-enp5s0
> DOMAIN="central.ucv.ro"
> IPV6_PEERDNS="yes"
> IPV6INIT="yes"
> UUID="df0a5629-9f3f-4c85-a5c0-ad72e8f6"
> IPADDR0="193.x.y.130"
> DNS1="193.x.y.254"
> PREFIX0="26"
> DEFROUTE="yes"
> IPV4_FAILURE_FATAL="yes"
> HWADDR="00:25:22:F9:71:3D"
> BOOTPROTO="none"
> IPV6_DEFROUTE="yes"
> GATEWAY0="193.x.y.129"
> IPV6_AUTOCONF="yes"
> IPV6_FAILURE_FATAL="no"
> IPV6_PEERROUTES="yes"
> TYPE="Ethernet"
> ONBOOT="yes"
> NAME="enp5s0"
> [root@physics sysconfig]# cat iptables
> # Custom file edited on 15-May-2013
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 110 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 143 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
> #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 465 -j ACCEPT
> #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 587 -j ACCEPT
> #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 993 -j ACCEPT
> #-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 995 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 2307 -j ACCEPT
> -A INPUT -p udp --dport 6277 -j ACCEPT
> -A INPUT -p udp --dport 24441 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on 2013-05-20 15:23
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 172.16.0.0/16 -o p5p1 -j SNAT --to-source 193.231.40.130
> COMMIT
> [root@physics sysconfig]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         g129.xxx.yyy    0.0.0.0         UG    0      0        0 p5p1
> 193.x.y.128     *               255.255.255.192 U     0      0        0 p5p1
> 172.16.0.0      *               255.255.0.0     U     0      0        0 p4p1
> [root@physics sysconfig]# 
> 
> I need some addresses from local to be accessible from outside, so alias
> interface is needed. Not any local device knows other than basic
> routing. That is why I need another subnet, so alias.
> Let's say 193.x.y.162 from (placed) local visible from outside. 
> (I can do it with F18/Centos, etc.)
> What is the desired/proposed way in F19?
> Using network instead NM failed (no name resolution) in my testing. Do I
> miss something? May I hope/wait for a fix in F19?
> Why the interface name is p5p1 and p4p1, different from ifcfg-enp5s0
> etc.? Is anywhere explained this?
> In F18 docs there was a promise to have to choose between firewalld and
> iptables, not implemented until now (can be manually done but it is not
> trivial for anyone).
> 
> C. Sava

Using this working setup, without graphical environment:
How do I add routes (without alias)? 

[root@physics network-scripts]# cat route-enp4s0
193.x.y.142/32 dev p4p1
193.x.y.143/32 dev p4p1

It is not working, nor renaming to route-p4p1
I want these addresses just behind p4p1 interface, no gateway between.
Equivalent to:

route add -host 193.x.y.142 dev p4p1

that is working ok on F19.
Back to rc.local?
What if I want bridging (but do not expect me to setup a kvm-qemu
virtual machine with F18/Centos to workaround this alias problem)?
Is this how F19-beta will be?

C. Sava


F19 - How to use alias network interface?

2013-05-20 Thread Cristian Sava
Hi all,
I need to have alias network interfaces.
What is the desired way to do this in F19?

My actual setup (without alias):
[root@physics sysconfig]# ls network-scripts/ifcfg-*
network-scripts/ifcfg-enp4s0  network-scripts/ifcfg-enp5s0
network-scripts/ifcfg-lo
[root@physics sysconfig]# cat network-scripts/ifcfg-enp4s0
TYPE=Ethernet
#BOOTPROTO=dhcp
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=enp4s0
UUID=4fd3476d-2423-4c26-99f9-28b5f6d18b05
ONBOOT=yes
HWADDR=00:08:54:41:46:01
PEERDNS=yes
PEERROUTES=yes
IPADDR=172.16.0.1
PREFIX=16
[root@physics sysconfig]# cat network-scripts/ifcfg-enp5s0
DOMAIN="central.ucv.ro"
IPV6_PEERDNS="yes"
IPV6INIT="yes"
UUID="df0a5629-9f3f-4c85-a5c0-ad72e8f6"
IPADDR0="193.x.y.130"
DNS1="193.x.y.254"
PREFIX0="26"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="yes"
HWADDR="00:25:22:F9:71:3D"
BOOTPROTO="none"
IPV6_DEFROUTE="yes"
GATEWAY0="193.x.y.129"
IPV6_AUTOCONF="yes"
IPV6_FAILURE_FATAL="no"
IPV6_PEERROUTES="yes"
TYPE="Ethernet"
ONBOOT="yes"
NAME="enp5s0"
[root@physics sysconfig]# cat iptables
# Custom file edited on 15-May-2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 465 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 587 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 993 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 2307 -j ACCEPT
-A INPUT -p udp --dport 6277 -j ACCEPT
-A INPUT -p udp --dport 24441 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on 2013-05-20 15:23
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/16 -o p5p1 -j SNAT --to-source 193.231.40.130
COMMIT
[root@physics sysconfig]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         g129.xxx.yyy    0.0.0.0         UG    0      0        0 p5p1
193.x.y.128     *               255.255.255.192 U     0      0        0 p5p1
172.16.0.0      *               255.255.0.0     U     0      0        0 p4p1
[root@physics sysconfig]# 

I need some addresses from local to be accessible from outside, so alias
interface is needed. Not any local device knows other than basic
routing. That is why I need another subnet, so alias.
Let's say 193.x.y.162 from (placed) local visible from outside. 
(I can do it with F18/Centos, etc.)
What is the desired/proposed way in F19?
Using network instead NM failed (no name resolution) in my testing. Do I
miss something? May I hope/wait for a fix in F19?
Why the interface name is p5p1 and p4p1, different from ifcfg-enp5s0
etc.? Is anywhere explained this?
In F18 docs there was a promise to have to choose between firewalld and
iptables, not implemented until now (can be manually done but it is not
trivial for anyone).

C. Sava





Re: F19 (au jour) - Missing /etc/sysconfig/network still causes problems

2013-05-20 Thread Cristian Sava
On Mon, 2013-05-20 at 17:07 +0300, Cristian Sava wrote:
> Hi, all
> 
> I reported here
> http://lists.fedoraproject.org/pipermail/test/2013-May/115379.html
> the missing /etc/sysconfig/network causing problems to amavis (solved in
> amavis).
> Now NetworkManager ignores ip_forward and I switched to network
> (NM_CONTROLLED=no).
> No network after "systemctl restart network.service" due to ifcfg-ipv6
> bug in line 56.
> This line is ". /etc/sysconfig/network" (and maybe other places are
> similar).
> I lost the network and again I had to fix this by hand
> I had to change the interface name from enp4s0 (NM) to p4p1 (network)
> and enp5s0 to p5p1. WHY THIS???
> Fixing this gave me back the network, relaying is ok, but still not
> having DNS.
> Still debugging.
> Any clever advice?
Giving up. Reverting all to NM and all is ok, with IP FORWARDING
(/proc/sys/net/ip_forward = 1).
I do not understand why initially it did not work (I only copied back
the configuration files, nothing more - those saved as not working)
Now I have a full functional F19 mail server, antivirus & antispam, web
interface, dhcpd. F19 seems to be ok.
Still /etc/sysconfig/network bug remains here and there - may cause
future problems.

C. Sava



F19 (au jour) - Missing /etc/sysconfig/network still causes problems

2013-05-20 Thread Cristian Sava
Hi, all

I reported here
http://lists.fedoraproject.org/pipermail/test/2013-May/115379.html
the missing /etc/sysconfig/network causing problems to amavis (solved in
amavis).
Now NetworkManager ignores ip_forward and I switched to network
(NM_CONTROLLED=no).
No network after "systemctl restart network.service" due to ifcfg-ipv6
bug in line 56.
This line is ". /etc/sysconfig/network" (and maybe other places are
similar).
I lost the network and again I had to fix this by hand
I had to change the interface name from enp4s0 (NM) to p4p1 (network)
and enp5s0 to p5p1. WHY THIS???
Fixing this gave me back the network, relaying is ok, but still not
having DNS.
Still debugging.
Any clever advice?

C. Sava




Re: F19 missing "clamupdate" user/group warnings ... future problems - and a fix

2013-05-18 Thread Cristian Sava
> and I do not see the reason why UID=992 GID=989 for clamupdate
> On the other install, real box without graphics install, such thing
> fail, so my hand fix with UID=992 and GID=992.
> Hope this helps.
> 
Sorry for this mistake.
On the working install (F19 alpha & updates) we have
[root@s198 ~]# cat /etc/group | grep 992
ccache:x:992:

So was used GID=989 but now (F19 beta1 TC4 & updates, without graphics)
we have:

[root@physics ~]# cat /etc/group | grep ccache
ccache:x:996:
[root@physics ~]# 

so GID=989 is not necessary anymore.
The group clamupdate must be created before the user clamupdate.
This seems to fail.

C. Sava





Re: F19 missing "clamupdate" user/group warnings ... future problems - and a fix

2013-05-18 Thread Cristian Sava
On Fri, 2013-05-17 at 21:36 +0100, Sérgio Basto wrote:
> On Sex, 2013-05-17 at 17:03 +0300, Cristian Sava wrote: 
> > On Fri, 2013-05-17 at 15:59 +0300, Cristian Sava wrote:
> > > Installing F19 mail server ... "clamupdate" user/group problem:
> > > 
> > > [root@physics ~]# yum install amavisd-new spamassassin clamav
> > > clamav-data clamav-server clamav-server-sysvinit clamav-update unzip
> > > bzip2 pax
> > > 
> > > ...
> > > Running transaction check
> > > Running transaction test
> > > Transaction test succeeded
> > > Running transaction
> > >   Installing : perl-Sys-Syslog-0.32-1.fc19.x86_64   1/114
> > >   Installing : perl-LWP-MediaTypes-6.02-2.fc19.noarch   2/114
> > >   Installing : perl-NetAddr-IP-4.068-1.fc19.x86_64   3/114
> > >   Installing : perl-XML-SAX-Base-1.08-7.fc19.noarch   4/114
> > > Usage: groupadd [options] GROUP
> > > 
> > > Options:
> > >   -f, --force                   exit successfully if the group already exists,
> > >                                 and cancel -g if the GID is already used
> > >   -g, --gid GID                 use GID for the new group
> > >   -h, --help                    display this help message and exit
> > >   -K, --key KEY=VALUE           override /etc/login.defs defaults
> > >   -o, --non-unique              allow to create groups with duplicate
> > >                                 (non-unique) GID
> > >   -p, --password PASSWORD       use this encrypted password for the new group
> > >   -r, --system                  create a system account
> > >   -R, --root CHROOT_DIR         directory to chroot into
> > > 
> > > useradd: group 'clamupdate' does not exist
> > >   Installing : clamav-filesystem-0.97.8-1.fc19.noarch   5/114
> > > warning: user clamupdate does not exist - using root
> > > warning: group clamupdate does not exist - using root
> > >   Installing : clamav-data-0.97.8-1.fc19.noarch   6/114
> > > warning: user clamupdate does not exist - using root
> > > warning: group clamupdate does not exist - using root
> > > warning: user clamupdate does not exist - using root
> > > warning: group clamupdate does not exist - using root
> > >   Installing : clamav-lib-0.97.8-1.fc19.x86_64   7/114
> > >   Installing : clamav-server-0.97.8-1.fc19.x86_64   8/114
> > >   Installing : perl-Module-Runtime-0.013-4.fc19.noarch   9/114
> > >   Installing : perl-Try-Tiny-0.12-2.fc19.noarch   10/114
> > >   Installing : perl-Module-Implementation-0.06-6.fc19.noarch   11/114
> > >   Installing : perl-Params-Validate-1.07-2.fc19.x86_64   12/114
> > > ...
> > >   Installing : amavisd-new-2.8.0-5.fc19.noarch   110/114
> > >   Installing : clamav-server-sysvinit-0.97.8-1.fc19.noarch   111/114
> > >   Installing : clamav-0.97.8-1.fc19.x86_64   112/114
> > >   Installing : clamav-update-0.97.8-1.fc19.x86_64   113/114
> > > /usr/bin/chown: invalid group: ‘root:clamupdate’
> > >   Installing : pax-3.4-15.fc19.x86_64   114/114
> > > ..
> > > Complete!
> > > [root@physics ~]# 
> > > 
> > > And:
> > > 
> > > [root@physics ~]# /usr/bin/freshclam
> > > WARNING: Can't get information about user clamupdate.
> > > 
> > > freshclam does not update the virus list but the server is still
> > > working.
> > > Until now we had:
> > > 
> > > [cristi@s198 ~]$ sudo cat /etc/passwd | grep clamupdate
> > > clamupdate:x:992:989:Clamav database update
> > > user:/var/lib/clamav:/sbin/nologin
> > > [cristi@s198 ~]$ 
> > > 
> > 
> > [root@physics etc]# groupadd clamupdate -g 992
> > [root@physics etc]# useradd clamupdate -u 992 -g 992 -s /sbin/nologin -c
> > "Clamav database update user" -M -d /var/lib/clamav
> > [root@physics lib]# ls -l | grep clam
> > drwxr-xr-x  2 root       root       4096 May 17 14:14 clamav
> > [root@physics lib]# chown clamupdate:clamupdate clamav
> > [root@physics lib]# ls -l | grep clam
> > drwxr-xr-x  2 clamupdate clamupdate 4096 May 17 14:14 clamav
> > [root@physics lib]# 
> > 
> > [root@physics clamav]# /usr/bin/freshclam
> > ClamAV update process started at Fri May 17 16:55:08 2013
> > 

Re: F19 missing "clamupdate" user/group warnings ... future problems - and a fix

2013-05-17 Thread Cristian Sava
On Fri, 2013-05-17 at 15:59 +0300, Cristian Sava wrote:
> Installing F19 mail server ... "clamupdate" user/group problem:
> 
> [root@physics ~]# yum install amavisd-new spamassassin clamav
> clamav-data clamav-server clamav-server-sysvinit clamav-update unzip
> bzip2 pax
> 
> ...
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
>   Installing : perl-Sys-Syslog-0.32-1.fc19.x86_64   1/114
>   Installing : perl-LWP-MediaTypes-6.02-2.fc19.noarch   2/114
>   Installing : perl-NetAddr-IP-4.068-1.fc19.x86_64   3/114
>   Installing : perl-XML-SAX-Base-1.08-7.fc19.noarch   4/114
> Usage: groupadd [options] GROUP
> 
> Options:
>   -f, --force                   exit successfully if the group already exists,
>                                 and cancel -g if the GID is already used
>   -g, --gid GID                 use GID for the new group
>   -h, --help                    display this help message and exit
>   -K, --key KEY=VALUE           override /etc/login.defs defaults
>   -o, --non-unique              allow to create groups with duplicate
>                                 (non-unique) GID
>   -p, --password PASSWORD       use this encrypted password for the new group
>   -r, --system                  create a system account
>   -R, --root CHROOT_DIR         directory to chroot into
> 
> useradd: group 'clamupdate' does not exist
>   Installing : clamav-filesystem-0.97.8-1.fc19.noarch   5/114
> warning: user clamupdate does not exist - using root
> warning: group clamupdate does not exist - using root
>   Installing : clamav-data-0.97.8-1.fc19.noarch   6/114
> warning: user clamupdate does not exist - using root
> warning: group clamupdate does not exist - using root
> warning: user clamupdate does not exist - using root
> warning: group clamupdate does not exist - using root
>   Installing : clamav-lib-0.97.8-1.fc19.x86_64   7/114
>   Installing : clamav-server-0.97.8-1.fc19.x86_64   8/114
>   Installing : perl-Module-Runtime-0.013-4.fc19.noarch   9/114
>   Installing : perl-Try-Tiny-0.12-2.fc19.noarch   10/114
>   Installing : perl-Module-Implementation-0.06-6.fc19.noarch   11/114
>   Installing : perl-Params-Validate-1.07-2.fc19.x86_64   12/114
> ...
>   Installing : amavisd-new-2.8.0-5.fc19.noarch   110/114
>   Installing : clamav-server-sysvinit-0.97.8-1.fc19.noarch   111/114
>   Installing : clamav-0.97.8-1.fc19.x86_64   112/114
>   Installing : clamav-update-0.97.8-1.fc19.x86_64   113/114
> /usr/bin/chown: invalid group: ‘root:clamupdate’
>   Installing : pax-3.4-15.fc19.x86_64   114/114
> ..
> Complete!
> [root@physics ~]# 
> 
> And:
> 
> [root@physics ~]# /usr/bin/freshclam
> WARNING: Can't get information about user clamupdate.
> 
> freshclam does not update the virus list but the server is still
> working.
> Until now we had:
> 
> [cristi@s198 ~]$ sudo cat /etc/passwd | grep clamupdate
> clamupdate:x:992:989:Clamav database update
> user:/var/lib/clamav:/sbin/nologin
> [cristi@s198 ~]$ 
> 

[root@physics etc]# groupadd clamupdate -g 992
[root@physics etc]# useradd clamupdate -u 992 -g 992 -s /sbin/nologin -c
"Clamav database update user" -M -d /var/lib/clamav
[root@physics lib]# ls -l | grep clam
drwxr-xr-x  2 root       root       4096 May 17 14:14 clamav
[root@physics lib]# chown clamupdate:clamupdate clamav
[root@physics lib]# ls -l | grep clam
drwxr-xr-x  2 clamupdate clamupdate 4096 May 17 14:14 clamav
[root@physics lib]# 

[root@physics clamav]# /usr/bin/freshclam
ClamAV update process started at Fri May 17 16:55:08 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60,
builder: sven)
Downloading daily-17145.cdiff [100%]
..
Downloading daily-17229.cdiff [100%]
daily.cld updated (version: 17229, sigs: 1272216, f-level: 63, builder:
neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 214, sigs: 41, f-level: 63, builder: neo)
Database updated (2316644 signatures) from database.clamav.net (IP:
195.30.97.3)
[root@physics clamav]# ls -l
total 108224
-rw-r--r-- 1 clamupdate clamupdate    60125 May 17 16:56 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate 79996928 May 17 16:55 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 30750647 Jun 16  2012 main.cvd
-rw------- 1 clamupdate clamupdate       52 May 17 16:56 mirrors.dat
[root@physics clamav]# 

The server is working ok.
I used uid:gid = 992:992 instead of 992:989 (989 seems wrong to me).
Someone else with a better fix?

C. Sava



F19 missing "clamupdate" user/group warnings ... future problems?

2013-05-17 Thread Cristian Sava
Installing F19 mail server ... "clamupdate" user/group problem:

[root@physics ~]# yum install amavisd-new spamassassin clamav
clamav-data clamav-server clamav-server-sysvinit clamav-update unzip
bzip2 pax

...
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : perl-Sys-Syslog-0.32-1.fc19.x86_64   1/114
  Installing : perl-LWP-MediaTypes-6.02-2.fc19.noarch   2/114
  Installing : perl-NetAddr-IP-4.068-1.fc19.x86_64   3/114
  Installing : perl-XML-SAX-Base-1.08-7.fc19.noarch   4/114
Usage: groupadd [options] GROUP

Options:
  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 use GID for the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate
                                (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into

useradd: group 'clamupdate' does not exist
  Installing : clamav-filesystem-0.97.8-1.fc19.noarch   5/114
warning: user clamupdate does not exist - using root
warning: group clamupdate does not exist - using root
  Installing : clamav-data-0.97.8-1.fc19.noarch   6/114
warning: user clamupdate does not exist - using root
warning: group clamupdate does not exist - using root
warning: user clamupdate does not exist - using root
warning: group clamupdate does not exist - using root
  Installing : clamav-lib-0.97.8-1.fc19.x86_64   7/114
  Installing : clamav-server-0.97.8-1.fc19.x86_64   8/114
  Installing : perl-Module-Runtime-0.013-4.fc19.noarch   9/114
  Installing : perl-Try-Tiny-0.12-2.fc19.noarch   10/114
  Installing : perl-Module-Implementation-0.06-6.fc19.noarch   11/114
  Installing : perl-Params-Validate-1.07-2.fc19.x86_64   12/114
...
  Installing : amavisd-new-2.8.0-5.fc19.noarch   110/114
  Installing : clamav-server-sysvinit-0.97.8-1.fc19.noarch   111/114
  Installing : clamav-0.97.8-1.fc19.x86_64   112/114
  Installing : clamav-update-0.97.8-1.fc19.x86_64   113/114
/usr/bin/chown: invalid group: ‘root:clamupdate’
  Installing : pax-3.4-15.fc19.x86_64   114/114
..
Complete!
[root@physics ~]# 

And:

[root@physics ~]# /usr/bin/freshclam
WARNING: Can't get information about user clamupdate.

freshclam does not update the virus list but the server is still
working.
Until now we had:

[cristi@s198 ~]$ sudo cat /etc/passwd | grep clamupdate
clamupdate:x:992:989:Clamav database update
user:/var/lib/clamav:/sbin/nologin
[cristi@s198 ~]$ 

C. Sava



Re: F19 amavis not starting

2013-05-11 Thread Cristian Sava
On Fri, 2013-05-10 at 10:35 -0700, Adam Williamson wrote:
> On Fri, 2013-05-10 at 09:44 -0700, Adam Williamson wrote:
> > On Fri, 2013-05-10 at 13:28 +0300, Cristian Sava wrote:
> > > Hi all,
> > > 
> > > Amavis does not start because it does not find /etc/sysconfig/network
> > > # yum install amavis
> > > # systemctl start amavis.service
> > > ...
> > > # journalctl -xn
> > > ...
> > > /etc/rc.d/init.d/amavisd: line 16: /etc/sysconfig/network: No such file
> > > or directory
> > > 
> > > I am testing a postfix based mailserver on F19 updated. All is working
> > > well until I add amavis. Any advice?
> > 
> > Well, let's take a look:
> > 
> > # Source networking configuration.
> > . /etc/sysconfig/network
> > 
> > OK...but why does it want to do that? Hmm. All I see is:
> > 
> > ## Check that networking is up.
> > #[ ${NETWORKING} = "no" ] && exit 0
> > 
> > But that's commented out upstream. So...why bother
> > sourcing /etc/sysconfig/network at all?
> > 
> > I think fixing this is as simple as commenting that line out of the init
> > script, and we should do that in the package and send it upstream.
> 
> https://admin.fedoraproject.org/updates/amavisd-new-2.8.0-5.fc19
> -- 
> Adam Williamson
> Fedora QA Community Monkey
> IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
> http://www.happyassassin.net
> 
Thank you very much for your help.

I tested and it is working as expected. Congrats!
Great work for Fedora developers team!

C. Sava



Re: F19 amavis not starting

2013-05-10 Thread Cristian Sava
On Fri, 2013-05-10 at 13:28 +0300, Cristian Sava wrote:
> Hi all,
> 
> Amavis does not start because it does not find /etc/sysconfig/network
> # yum install amavis
> # systemctl start amavisd.service
> ...
> # journalctl -xn
> ...
> /etc/rc.d/init.d/amavisd: line 16: /etc/sysconfig/network: No such file
> or directory
> 
> I am testing a postfix based mailserver on F19 updated. All is working
> well until I add amavis. Any advice?

I ask for something else than

# echo "NETWORKING=yes" > /etc/sysconfig/network

(this trivial fix is working)

Thank you,
C. Sava



F19 amavis not starting

2013-05-10 Thread Cristian Sava
Hi all,

Amavis does not start because it does not find /etc/sysconfig/network
# yum install amavis
# systemctl start amavis.service
...
# journalctl -xn
...
/etc/rc.d/init.d/amavisd: line 16: /etc/sysconfig/network: No such file
or directory

I am testing a postfix based mailserver on F19 updated. All is working
well until I add amavis. Any advice?

Thank you,
C. Sava






Re: F18, F19 webalizer problem?

2013-04-26 Thread Cristian Sava
On Fri, 2013-04-26 at 08:30 -0500, Chris Adams wrote:
> Once upon a time, Jonathan Kamens  said:
> > This, however, is fine:
> > 
> > [ "$WEBALIZER_CRON" != yes ]
> > 
> > because the quotes ensure that the statement will be evaluated with an 
> > expression to the left of the != even if the expression is just an empty 
> > string.
> > 
> > This is fine too:
> > 
> > [ z$WEBALIZER_CRON != zyes ]
> > 
> > because if the variable is empty, the expression to the left will be "z" 
> > rather than an empty string.
> 
> The reason some use a combination of quotes and a leading character is
> for testing user-provided input.  It shouldn't matter in this case, but
> it is just a little bit more defensive programming.
> 
> The problem if you are testing a user-provided variable is that they
> could give input that starts with a dash, a close bracket, etc., and
> that would screw up the test.  Putting a character at the start protects
> against that.
> 
> Also, always quoting the variable is good programming practice; it could
> have whitespace in it, in which case the non-quoted version would expand
> to multiple tokens (and again break).
> 
> So, still today, the best defensive way is:
> 
>     [ "z$WEBALIZER_CRON" != zyes ]
> 
> -- 
> Chris Adams 
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
Good to know. Thank you very much,
C.Sava



Re: F18, F19 webalizer problem?

2013-04-26 Thread Cristian Sava
On Fri, 2013-04-26 at 09:09 -0400, Jonathan Kamens wrote:
> On 04/26/2013 08:58 AM, Cristian Sava wrote:
> > Webalizer is enabled via /etc/sysconfig/webalizer but I don't understand
> > why /etc/cron.daily/00webalizer has this line:
> > 
> > [ "z$WEBALIZER_CRON" != "zyes" ] && exit 0
> > 
> > which I think should be (and it is working this way)
> > 
> > [ "$WEBALIZER_CRON" != "yes" ] && exit 0
> > 
> > What is the mystery?
> > 
> The two versions you quoted are functionally equivalent on Linux. If
> there's a z before the variable expansion and a z before the word
> "yes", then the two z's cancel out and don't affect the string
> comparison.
> 
> As for why they are there, it's an old shell programmers' trick to
> avoid causing syntax errors when doing string comparisons to empty
> strings. Let me explain...
> 
> If you do this:
> 
> [ $WEBALIZER_CRON != yes ]
> 
> and the variable WEBALIZER_CRON is empty, then the command above will
> result in an error, because when it's evaluated, it will look to the
> shell as if there is nothing to the left of the '!=' and therefore
> there's a missing expression in the statement.
> 
> This, however, is fine:
> 
> [ "$WEBALIZER_CRON" != yes ]
> 
> because the quotes ensure that the statement will be evaluated with an
> expression to the left of the != even if the expression is just an
> empty string.
> 
> This is fine too:
> 
> [ z$WEBALIZER_CRON != zyes ]
> 
> because if the variable is empty, the expression to the left will be
> "z" rather than an empty string.
> 
> It's unnecessary to use both the quotes and the extra character on
> both sides of the expression. I'm not sure, but I think it may have
> been necessary to use both at some point in the past, because I think
> the middle example above, with just the quotes, might actually have
> been buggy in some old versions of the "test" program that evaluates
> such expressions. This caused shell programmers to get into the habit
> of using both the quotes and the extra character. I doubt it's been
> necessary to do that for many years, though for all I know webalizer
> may support some UNIX versions that are so old that they still have
> problems in this area. Given that possibility, there's certainly no
> harm in writing the test the way it's written in the file you looked
> at.
> 
>   jik
> 
Thank you very much for your explanation,
C.Sava
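
The four spellings of the guard compared in this thread, run against constructed values, as an added example that is not part of any message on the list. It shows the practical consequence for a line of the form `[ ... ] && exit 0`: when the test cannot be parsed it returns an error status, so `exit 0` is not taken and the job carries on instead of being skipped. The function names `guard_status` and `job_runs` are hypothetical.

```shell
#!/bin/sh
# Added example. WEBALIZER_CRON values below are constructed test inputs.
# guard_status FORM VALUE prints the exit status of one spelling of the test:
#   0  = "not yes": the guard's `&& exit 0` fires and the job is skipped
#   1  = value is "yes": the job runs, as intended
#   >1 = the test could not be parsed: `&& exit 0` does not fire either
guard_status() {
    WEBALIZER_CRON=$2
    case $1 in
        bare)   [ $WEBALIZER_CRON != yes ] 2>/dev/null && s=0 || s=$? ;;
        quoted) [ "$WEBALIZER_CRON" != yes ] 2>/dev/null && s=0 || s=$? ;;
        prefix) [ z$WEBALIZER_CRON != zyes ] 2>/dev/null && s=0 || s=$? ;;
        both)   [ "z$WEBALIZER_CRON" != zyes ] 2>/dev/null && s=0 || s=$? ;;
        *)      s=usage ;;
    esac
    echo "$s"
}

# job_runs FORM VALUE succeeds when a script starting with
# `[ ... ] && exit 0` would carry on past that line.
job_runs() {
    [ "$(guard_status "$1" "$2")" != 0 ]
}

# Print every form against an empty value, the two expected values,
# and a value containing whitespace.
for value in "" yes no "no thanks"; do
    for form in bare quoted prefix both; do
        if job_runs "$form" "$value"; then
            verdict="job runs"
        else
            verdict="job skipped"
        fi
        printf '%-6s WEBALIZER_CRON=%-12s status=%s  %s\n' \
            "$form" "'$value'" "$(guard_status "$form" "$value")" "$verdict"
    done
done
```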



F18, F19 webalizer problem?

2013-04-26 Thread Cristian Sava

Hi all,

Webalizer is enabled via /etc/sysconfig/webalizer but I don't understand
why /etc/cron.daily/00webalizer has this line:

[ "z$WEBALIZER_CRON" != "zyes" ] && exit 0

which I think should be (and it is working this way)

[ "$WEBALIZER_CRON" != "yes" ] && exit 0

What is the mystery?

C.Sava




F16 = very good!

2011-11-02 Thread Cristian Sava
Hi all,

I tried to see how an F15_x32 to F16_x64_RC4 upgrade would go. I expected
it to fail, but it would be nice for the average user to see a warning, an
explanation.
He does not know why it has failed. Warn him: x32 cannot be upgraded to
x64.

All was OK when testing F16_x64_RC4 on a virtual machine (qemu) and on Intel
I5 760 and AMD 3500+ (old sk939).

Congratulations to all of you. Very well done!

C. Sava

