On Fri, Jun 07, 2013 at 05:24:30PM -0400, Steve Grubb wrote:
> Hmm...sounds like kernel change. But in the meantime, most of the offenders I
> see seem to have something to do with loading icons:
Sounds like code that doesn't differentiate between files that are in
user-local directories and sy
On Fri, Jun 07, 2013 at 07:03:24PM -0600, Stephen John Smoogen wrote:
> On 7 June 2013 12:29, Matthew Garrett wrote:
> > So why not add a mechanism to permit applications to indicate that
> > certain accesses they make should be ignored by audit?
> >
> Just so people know, this is like one of the
On Fri, 2013-06-07 at 21:53 +0200, Michał Piotrowski wrote:
> That was simple...
>
> sudo systemctl enable mysqld.service
> ln -s '/usr/lib/systemd/system/mysqld.service'
> '/etc/systemd/system/multi-user.target.wants/mysqld.service'
>
>
> But why update removed this service from multi-user.targ
On Fri, Jun 07, 2013 at 06:55:46PM +0200, Lennart Poettering wrote:
> User "simo" creates /dev/shm/1000/ even though 1000 is the UID of user
> "lennart". Lennart can never start PA again, ever. And can't do anything
> about it, because "simo" is in control, and /dev/shm is sticky.
For /run we crea
On Friday, June 07, 2013 05:02:41 PM Colin Walters wrote:
> On Fri, 2013-06-07 at 22:14 +0200, Miloslav Trmač wrote:
> > On Fri, Jun 7, 2013 at 10:05 PM, Colin Walters wrote:
> > > On Fri, 2013-06-07 at 20:42 +0100, Matthew Garrett wrote:
> > >> Without further analysis, it doesn't tell us much. D
On Fri, Jun 07, 2013 at 04:06:30PM -0400, Steve Grubb wrote:
> Which is a bad pattern. O_NOATIME requires CAP_FOWNER
Documentation disagrees:
EPERM The O_NOATIME flag was specified, but the effective user ID of
the caller did not match the owner of the file and the caller
On Fri, 2013-06-07 at 22:14 +0200, Miloslav Trmač wrote:
> On Fri, Jun 7, 2013 at 10:05 PM, Colin Walters wrote:
> > On Fri, 2013-06-07 at 20:42 +0100, Matthew Garrett wrote:
> >
> >> Without further analysis, it doesn't tell us much. Does the code attempt
> >> to open a file O_NOATIME and then fa
On Fri, Jun 07, 2013 at 10:14:36PM +0200, Miloslav Trmač wrote:
> (IMHO only very special applications should use O_NOATIME; if it is
> not predictable which accesses do/don't update atime, the field
> completely loses its value.
It's already not especially predictable - we've been using relatime
On 6/7/13 3:06 PM, Steve Grubb wrote:
> On Friday, June 07, 2013 08:42:09 PM Matthew Garrett wrote:
>> On Fri, Jun 07, 2013 at 03:35:28PM -0400, Steve Grubb wrote:
>>> So far, the discussion has focused on pulseaudio. But what about the
>>> O_NOATIME issue?
>>
>> Without further analysis, it doesn'
On Fri, Jun 7, 2013 at 10:05 PM, Colin Walters wrote:
> On Fri, 2013-06-07 at 20:42 +0100, Matthew Garrett wrote:
>
>> Without further analysis, it doesn't tell us much. Does the code attempt
>> to open a file O_NOATIME and then fall back to trying it without?
>
> It's likely:
> https://bugzilla.g
On Friday, June 07, 2013 08:42:09 PM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 03:35:28PM -0400, Steve Grubb wrote:
> > So far, the discussion has focused on pulseaudio. But what about the
> > O_NOATIME issue?
>
> Without further analysis, it doesn't tell us much. Does the code attempt
> to
On Fri, 2013-06-07 at 20:42 +0100, Matthew Garrett wrote:
> Without further analysis, it doesn't tell us much. Does the code attempt
> to open a file O_NOATIME and then fall back to trying it without?
It's likely:
https://bugzilla.gnome.org/show_bug.cgi?id=680326
Code:
https://git.gnome.org/brow
On Fri, Jun 07, 2013 at 03:35:28PM -0400, Steve Grubb wrote:
> So far, the discussion has focused on pulseaudio. But what about the
> O_NOATIME issue?
Without further analysis, it doesn't tell us much. Does the code attempt
to open a file O_NOATIME and then fall back to trying it without?
On Friday, June 07, 2013 07:29:56 PM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote:
> > The point is that we are simply throwing ideas off the wall as an aid in
> > finding a way to solve the issue for all.
>
> So why not add a mechanism to permit applications
Miloslav Trmač (m...@volny.cz) said:
> On Fri, Jun 7, 2013 at 8:39 PM, Bill Nottingham wrote:
> > Any reason we don't run with namespaced /dev/shm vis-a-vis private /tmp?
>
> Private /tmp is optional and not enabled for user sessions by
> default. For namespaced /dev/shm to impact pulseaudio,
On Fri, Jun 07, 2013 at 08:38:56PM +0200, Miloslav Trmač wrote:
> On Fri, Jun 7, 2013 at 8:29 PM, Matthew Garrett wrote:
> > So why not add a mechanism to permit applications to indicate that
> > certain accesses they make should be ignored by audit?
>
> Because it would be primarily useful to th
On Fri 07 Jun 2013 08:29:57 PM CEST, Björn Esser wrote:
>>
>> Are you also interested to review bugs in RPMFusion ? :)
>
> Why not? Sure :) Where to apply for packager-status in rpmfusion?
Great !
https://bugzilla.rpmfusion.org/show_bug.cgi?id=2531
I
On Fri, Jun 7, 2013 at 8:39 PM, Bill Nottingham wrote:
> Any reason we don't run with namespaced /dev/shm vis-a-vis private /tmp?
Private /tmp is optional and not enabled for user sessions by
default. For namespaced /dev/shm to impact pulseaudio, it would have
to be applied automatically to eve
Lennart Poettering (mzerq...@0pointer.de) said:
> Yes, it is.
>
> POSIX shared memory doesn't define any useful scheme for automatic
> removing of shared memory segments from /dev/shm after use. Hence, in
> order to make sure that left-over segments don't fill up /dev/shm
> forever PA will try to
On Fri, Jun 7, 2013 at 8:29 PM, Matthew Garrett wrote:
> So why not add a mechanism to permit applications to indicate that
> certain accesses they make should be ignored by audit?
Because it would be primarily useful to the attackers' applications.
Or am I missing something? (BTW, audit already
On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote:
> The point is that we are simply throwing ideas off the wall as an aid in
> finding a way to solve the issue for all.
So why not add a mechanism to permit applications to indicate that
certain accesses they make should be ignored by au
Summary of changes:
8272c4e... - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass (*)
6e82801... Update to 0.73 (*)
(*) This commit already existed in another branch; no separate mail sent
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing
On Fri, Jun 7, 2013 at 6:55 PM, Lennart Poettering wrote:
>
> Well, you know, this problem isn't new. Some SELinux AVCs can be set to
> ignored for precisely reasons like this one, because it is common that
> things like these happen: accesses which fail where that is
> expected.
Well, whether i
On Fri, 2013-06-07 at 18:55 +0200, Lennart Poettering wrote:
> On Fri, 07.06.13 12:42, Simo Sorce (s...@redhat.com) wrote:
>
> > On Fri, 2013-06-07 at 18:21 +0200, Lennart Poettering wrote:
> > > On Fri, 07.06.13 12:09, Steve Grubb (sgr...@redhat.com) wrote:
> > >
> > > > > > > POSIX shared memor
On Fri 07 Jun 2013 07:20:03 PM CEST, Björn Esser wrote:
> Hi there!
>
> Anybody interested in review swaps? I currently have two simple
> review-bugs open waiting to be reviewed:
>
> git-extras - Little git extras
> https://bugzilla.redhat.com/
On Friday, June 07, 2013 06:21:00 PM Lennart Poettering wrote:
> On Fri, 07.06.13 12:09, Steve Grubb (sgr...@redhat.com) wrote:
> > > > > POSIX shared memory doesn't define any useful scheme for automatic
> > > > > removing of shared memory segments from /dev/shm after use. Hence,
> > > > > in
> >
On Fri, 07.06.13 12:42, Simo Sorce (s...@redhat.com) wrote:
> On Fri, 2013-06-07 at 18:21 +0200, Lennart Poettering wrote:
> > On Fri, 07.06.13 12:09, Steve Grubb (sgr...@redhat.com) wrote:
> >
> > > > > > POSIX shared memory doesn't define any useful scheme for automatic
> > > > > > removing of
On Fri, 2013-06-07 at 18:21 +0200, Lennart Poettering wrote:
> On Fri, 07.06.13 12:09, Steve Grubb (sgr...@redhat.com) wrote:
>
> > > > > POSIX shared memory doesn't define any useful scheme for automatic
> > > > > removing of shared memory segments from /dev/shm after use. Hence, in
> > > > > ord
On Fri, 07.06.13 12:09, Steve Grubb (sgr...@redhat.com) wrote:
> > > > POSIX shared memory doesn't define any useful scheme for automatic
> > > > removing of shared memory segments from /dev/shm after use. Hence, in
> > > > order to make sure that left-over segments don't fill up /dev/shm
> > > >
On Friday, June 07, 2013 05:48:39 PM Lennart Poettering wrote:
> On Fri, 07.06.13 11:44, Steve Grubb (sgr...@redhat.com) wrote:
> > 88 times? Something changed. It didn't used to be this bad. It's doing this
> > over and over on the same file it was denied access on previously.
>
> Actually all lib
I'm not directly using these right now, and am trying to focus on gcc
work, so I've orphaned the following:
* perl-Class-CSV
* python-numarray in EPEL5
* python-pefile
* python-sqlparse
* python-subprocess32
* python3-cherrypy
* python3-postgresql
--
devel mailing list
devel@lists.fedoraproject
On Fri, 07.06.13 11:44, Steve Grubb (sgr...@redhat.com) wrote:
> 88 times? Something changed. It didn't used to be this bad. It's doing this
> over and over on the same file it was denied access on previously.
Actually all libpulse clients do this.
> > POSIX shared memory doesn't define any usef
On Fri, 2013-06-07 at 17:14 +0200, Lennart Poettering wrote:
> On Fri, 07.06.13 09:50, Steve Grubb (sgr...@redhat.com) wrote:
>
> > Let's look at one of these pulse-shm events:
> > # ausearch --start today -k access -f pulse-shm -i --just-one
> >
> > type=PATH msg=audit(06/07/2013 07:13:46.377
https://fedorahosted.org/389/ticket/47383
https://fedorahosted.org/389/attachment/ticket/47383/0001-Ticket-47383-connections-attribute-in-cn-snmp-cn-mon.patch
--
Mark Reynolds
Red Hat, Inc
mreyno...@redhat.com
--
389-devel mailing list
389-de...@lists.fedoraproject.org
https://admin.fedoraproje
On Friday, June 07, 2013 05:14:30 PM Lennart Poettering wrote:
> On Fri, 07.06.13 09:50, Steve Grubb (sgr...@redhat.com) wrote:
> > Let's look at one of these pulse-shm events:
> > # ausearch --start today -k access -f pulse-shm -i --just-one
> >
> > type=PATH msg=audit(06/07/2013 07:13:46.377:
On Fri, 07.06.13 09:50, Steve Grubb (sgr...@redhat.com) wrote:
> Let's look at one of these pulse-shm events:
> # ausearch --start today -k access -f pulse-shm -i --just-one
>
> type=PATH msg=audit(06/07/2013 07:13:46.377:215) : item=0 name=/dev/shm/pulse-
> shm-3756395503 inode=25089 dev=00:1
Hello,
Every now and then I look at the distribution to see that from an auditing
perspective the OS is nicely behaving in the absence of intrusion. Meaning we
are not getting audit events unnecessarily. One of the typical rules required
by the DISA STIG is to watch for file access being denied
On Fri, Jun 7, 2013 at 2:06 AM, Troy Dawson wrote:
> Is there an official Fedora way for telling if something is hardened
> correctly?
> I'm working on hardening mongodb, and I think I have it right, but I'd
> really like to check.
>
> I was given a couple of scripts, which had dependencies not in
Compose started at Fri Jun 7 08:15:02 UTC 2013
Broken deps for x86_64
--
[bind10]
bind10-1.0.0-3.fc20.i686 requires liblog4cplus-1.1.so.5
bind10-1.0.0-3.fc20.x86_64 requires liblog4cplus-1.1.so.5()(64bit)
bind10-dhcp-
commit 980187ea2a038f8f945390cc0aa7e6e79d6a4815
Author: Petr Písař
Date: Fri Jun 7 11:19:38 2013 +0200
3.26 bump
.gitignore |1 +
perl-Locale-Codes.spec |5 -
sources|2 +-
3 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/.gitig
On Thu, 6 Jun 2013, Troy Dawson wrote:
> Is there an official Fedora way for telling if something is hardened
> correctly?
> I'm working on hardening mongodb, and I think I have it right, but I'd really
> like to check.
I use https://nohats.ca/checksec.sh
Paul
41 matches