Re: Add extra generated RPM requires - how?

2009-12-18 Thread Steve Grubb
0 -a $RPM -eq 1 ] ; then
	# Only use good results for rpms
	r="$r\n$tmp_r"
else
	r="$r\n$tgt"
fi
done
echo -e $r | sort | uniq
exit 0

-Steve
-- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list

Re: Local users get to play root?

2009-11-19 Thread Steve Grubb
On Wednesday 18 November 2009 04:45:05 pm James Antill wrote: > On Wed, 2009-11-18 at 16:04 -0500, Steve Grubb wrote: > > > The problem is the *Default* not the fact that you can consciously > > > allow users to update without a password. > > > > And I wonder wha

Re: Local users get to play root?

2009-11-18 Thread Steve Grubb
s to update without a password. And I wonder what the audit trail will show? Does it show which user installed these packages? -Steve

Re: Broken dependencies script at it again

2009-11-14 Thread Steve Traylen
here. > -- > Jes > -- Steve Traylen

Re: Broken dependencies script at it again

2009-11-14 Thread Steve Traylen
age basis. > > > > -- Steve Traylen

Re: rawhide report: 20091104 changes - excluding noarch packages

2009-11-04 Thread Steve Traylen
missing something here but if the architecture matters it's not a noarch package by definition. > -- Steve Traylen

Re: conflict between seedit <-> selinux-policy and qstat <-> torque-client

2009-11-04 Thread Steve Traylen
On Wed, Nov 4, 2009 at 4:43 PM, Rudolf Kastl wrote: > 2009/11/4 Steve Traylen : >> On Wed, Nov 4, 2009 at 4:33 PM, Rudolf Kastl wrote: >>> 2009/11/4 Steve Traylen : >>>> On Wed, Nov 4, 2009 at 4:11 PM, Rudolf Kastl wrote: >>>>> 2009/11/4 Jason L Tib

Re: conflict between seedit <-> selinux-policy and qstat <-> torque-client

2009-11-04 Thread Steve Traylen
On Wed, Nov 4, 2009 at 4:33 PM, Rudolf Kastl wrote: > 2009/11/4 Steve Traylen : >> On Wed, Nov 4, 2009 at 4:11 PM, Rudolf Kastl wrote: >>> 2009/11/4 Jason L Tibbitts III : >>>>>>>>> "ST" == Steve Traylen writes: >>>> >

Re: conflict between seedit <-> selinux-policy and qstat <-> torque-client

2009-11-04 Thread Steve Traylen
On Wed, Nov 4, 2009 at 4:11 PM, Rudolf Kastl wrote: > 2009/11/4 Jason L Tibbitts III : >>>>>>> "ST" == Steve Traylen writes: >> >> ST> Would be happy for an alternatives solution. I have yet another >> ST> /usr/bin/qstat for a POSIX inter

Re: conflict between seedit <-> selinux-policy and qstat <-> torque-client

2009-11-04 Thread Steve Traylen
urrent list of conflicting packages, proposing > solutions, and working with FESCo in the case that those solutions are > not applied. > >  - J<

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-11-03 Thread Steve Dickson
On 11/02/2009 03:02 PM, Jesse Keating wrote: > On Mon, 2009-11-02 at 14:23 -0500, Steve Dickson wrote: >> I'm not sure about this... Actually I like the fact we can define a >> pseudo root other than '/'... which means you really want a live exported >> directo

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-11-02 Thread Steve Dickson
On 10/26/2009 10:34 AM, Steve Dickson wrote: > [With the next nfs-utils rawhide build, I will be flipping the ] > [switch that will cause all NFS client mounts to try NFS v4 first ] > [At the bottom of this email has the workarounds if this change does ] > [indeed cause pain ] >

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-11-02 Thread Steve Dickson
On 11/02/2009 10:41 AM, Doug Ledford wrote: > On 10/29/2009 11:17 AM, Steve Dickson wrote: >> >> >> On 10/28/2009 03:05 PM, Roland McGrath wrote: >>> It sounds like you are saying that there is no way to export the same >>> host filesystems with the same

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-29 Thread Steve Dickson
On 10/29/2009 11:17 AM, Gregory Maxwell wrote: > On Mon, Oct 26, 2009 at 1:13 PM, Steve Dickson wrote: >> On a pre F-12 Server: >> 2) Added the '/ *(ro,fsid=0)' entry to the /etc/exports file and >> reset the exports with 'exportfs -arv' (see expor

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-29 Thread Steve Dickson
On 10/28/2009 03:05 PM, Roland McGrath wrote: > It sounds like you are saying that there is no way to export the same > host filesystems with the same client-perceived names under v4 as was > being done before under v[23]. Is that really true? With Pre-F12 servers... Yeah... The V4 protocol re

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-29 Thread Steve Dickson
On 10/28/2009 06:42 PM, Ray Van Dolson wrote: >>> If, for whatever reason, I need to export a file system that doesn't >>> live in /export, would I still be able to mount it? >> With the '/ *(ro,fsid=0)' entry, Yes, you would be able to mount other >> exported directories.. >> >> With the '/exp

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-28 Thread Steve Dickson
On 10/27/2009 05:06 PM, Jason L Tibbitts III wrote: >>>>>> "SD" == Steve Dickson writes: > > SD> On the server (Which is suggested): Add the following entry to the > SD> /etc/exports file: > > SD> / *(ro,fsid=0) > > SD> Note:

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-27 Thread Steve Dickson
On 10/26/2009 04:06 PM, Frank Ch. Eigler wrote: > Steve Dickson writes: > >> [...] >>> Unfortunately, this sounds like "only". Is it out of the question to >>> make the client look for this case (an upgraded client in an existing >>> unupgrade

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-27 Thread Steve Dickson
On 10/27/2009 02:33 PM, Roland McGrath wrote: >> But with older releases I don't messing with people configuration >> files since I would not want to break an existing configuration... > > Still never suggested that. > >> Note, there is a number of people who are currently running with

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-26 Thread Steve Dickson
On 10/26/2009 02:11 PM, Roland McGrath wrote: >> That is one of the valid options, but I would think it would better if >> the server owner did that tweak, than an nfs-utils update, no? > > I'm not suggesting that you do an update that just tweaks config files in > %post or anything like that.

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-26 Thread Steve Dickson
On 10/26/2009 01:40 PM, Roland McGrath wrote: > At the least, there ought to be an F-11 update of whatever server-side > stuff needs to change (in the minimal way not touching non-v4 uses) to > make v4 exports work without temporary configuration hacks. IMHO if you > can't do anything better, you

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-26 Thread Steve Dickson
On 10/26/2009 01:34 PM, Frank Ch. Eigler wrote: > Steve Dickson writes: > >> On 10/26/2009 12:06 PM, Frank Ch. Eigler wrote: >>> Is this really "first" or rather "only"? Was there a conclusion about >>> whether the nfs client code would be ch

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-26 Thread Steve Dickson
On 10/26/2009 12:39 PM, Tom Lane wrote: > Steve Dickson writes: >> Because the mount command will try NFS v4 first, mounts to older Linux >> servers >> will start failing like: > > What happens with a mount to a UDP-only server? (or actually /net > automount is wh

Re: Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-26 Thread Steve Dickson
On 10/26/2009 12:06 PM, Frank Ch. Eigler wrote: > Steve Dickson writes: > >> [With the next nfs-utils rawhide build, I will be flipping the ] >> [switch that will cause all NFS client mounts to try NFS v4 first ] >> [...] > > Is this really "first" o

Buyer Beware: A Major Change in NFS (in Rawhide) is about to happen

2009-10-26 Thread Steve Dickson
[With the next nfs-utils rawhide build, I will be flipping the ] [switch that will cause all NFS client mounts to try NFS v4 first ] [At the bottom of this email has the workarounds if this change does ] [indeed cause pain ] As part of the https://fedoraproject.org/wiki/Features/NFSv4Default featu

Re: Rawhide install nfs fails

2009-10-26 Thread Steve Dickson
On 10/24/2009 02:15 PM, Mike Chambers wrote: > I mirror rawhide on a F11 box, that I normally nfs mount from a rawhide > running system. Tried to do an nfs based install from rawhide 2 days > ago and it failed, but installing via http from outside source (I don't > have http setup on the box) work

Re: thunderbird upgrade - wtf?

2009-10-14 Thread Steve Dickson
On 10/13/2009 09:56 AM, Christopher Aillon wrote: > > Not everyone had issues with the indexing so that seemed to slip past > testing. It was a change, but didn't seem to disrupt things, so we let > it slide. Not to pile on, believe me I know painful change is... 8-) but... This new indexing is

Re: FESCo meeting summary for 2009-10-02

2009-10-08 Thread Steve Grubb
On Wednesday 07 October 2009 06:16:50 pm Matthias Clasen wrote: > On Wed, 2009-10-07 at 17:11 -0400, Steve Grubb wrote: > > On Friday 02 October 2009 01:56:21 pm Jon Stanley wrote: > > > Meeting summary > > > --- > > > * incomplete features (jds20

Re: FESCo meeting summary for 2009-10-02

2009-10-07 Thread Steve Grubb
-devel and apply the attached patch. Thanks, -Steve

Re: Bug reporting URL field in packages

2009-10-06 Thread steve
st} = http://bugzilla.redhat.com/ package%{name} = bacula --> %{bugreporthost}/%{name} --> http://bugzilla.redhat.com/bacula +1 on this. cheers, - steve -- random non tech spiel: http://lonetwin.blogspot.com/ tech randomness: http://lonehacks.blogspot.com/ what i'm

PolicyKitOne or consolehelper for command line tool ?

2009-10-06 Thread steve
much about the PolicyKit framework itself, but little that i know, had me believing that PolicyKit is more of a Gnome (or rather a freedesktop thing). In any case, an introduction/doc of the /current/ state of PolicyKit too would help. cheers, - steve [1] http://www.draisberghof.de/usb_

Re: NFS and slow boot

2009-10-02 Thread Steve Dickson
On 10/02/2009 02:13 PM, Valent Turkovic wrote: > Hi, > I'm building custom Fedora remix with some packages from RPMFusion and > updated Fedora packages. Last Live USB image I created booted really slow > (over 5 minutes). I tracked down the issue to nfs service. Even when this > ISO image is used

Re: Switching to Native Upstart Scripts?

2009-10-02 Thread Steve Grubb
ked, they still have not specified an audit facility. They have one for syslog, but not audit. And yes this matters. -Steve

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-10-01 Thread Steve Dickson
On 10/01/2009 05:34 AM, Matej Cepl wrote: > Steve Dickson, Wed, 30 Sep 2009 15:41:51 -0400: >> Maybe removing the "Final Development" part and replace it with >> something like "Beta Freeze (Bug Fixes ONLY)" might have helped. > > Well my problem with

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 03:18 PM, Bill Nottingham wrote: > Steve Dickson (ste...@redhat.com) said: >> Right or wrong.. I took "Final Feature Freeze" as the last chance >> of getting a feature into F12.. And I will be the first to admit I >> do not read all the rule and re

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 01:47 PM, Paul W. Frields wrote: > On Wed, Sep 30, 2009 at 01:11:56PM -0400, Steve Dickson wrote: >> After further review... by a number of people, it's been decided >> the /etc/nfsmount.conf file will be installed with the default >> protocol version set to v

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
After further review... by a number of people, it's been decided the /etc/nfsmount.conf file will be installed with the default protocol version set to v3. This will stop the mount failures with older Linux servers but make it very easy to make v4 the default version. A nice compromise, IMHO...

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 11:07 AM, Howard Wilkinson wrote: With version 4 there is this concept of a pseudo root. Which means one can define, through exports, what the root of an export can be. Which is a good idea because you can define /export as the root, and nothing above /export ca

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 09:59 AM, Gregory Maxwell wrote: > On Tue, Sep 29, 2009 at 9:42 PM, Chris Adams wrote: >> Once upon a time, Steve Dickson said: >>> On the server (Which is suggested): >>>* Add the following entry to the /etc/exports file: >>> / *(ro,fs

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 07:05 AM, Andrew Haley wrote: >>> I can't see how it would cause a mount storm: all you'd be doing is >>> issuing a mount request twice, once in each protocol. >> Times 1000 every 5 seconds... > > So 2000 every 5 seconds as opposed to 1000 every 5 seconds. This is > surely better

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 07:22 AM, Howard Wilkinson wrote: > Steve, > > just for clarity what you are actually saying is that. > On Tue, 2009-09-29 at 22:45 -0400, Steve Dickson wrote: >> On 09/29/2009 09:42 PM, Chris Adams wrote: >>> Once upon a time, Steve Dickson said:

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 06:18 AM, Andrew Haley wrote: > Steve Dickson wrote: >> >> On 09/30/2009 04:53 AM, Andrew Haley wrote: >>> Steve Dickson wrote: >>>> On 09/29/2009 10:10 PM, Jeremy Katz wrote: >>>>> On Tue, Sep 29, 2009 at 8:15 PM, Steve Dickso

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-30 Thread Steve Dickson
On 09/30/2009 04:53 AM, Andrew Haley wrote: > Steve Dickson wrote: >> On 09/29/2009 10:10 PM, Jeremy Katz wrote: >>> On Tue, Sep 29, 2009 at 8:15 PM, Steve Dickson wrote: >>>>> My main concern is with installer, installing from NFS shares from older >>>

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 10:10 PM, Jeremy Katz wrote: > On Tue, Sep 29, 2009 at 8:15 PM, Steve Dickson wrote: >>> My main concern is with installer, installing from NFS shares from older >>> servers, say RHEL5. How will anaconda handle mounting? Will there be >>> odd error

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 09:21 PM, Toshio Kuratomi wrote: > One thing I think is unclear this cycle is the usage of the word "Beta". > It's been said many times that beta is not really beta but actually > final freeze. For instance: "If all goes as planned the Beta > (previously known as "Final Development"

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 09:42 PM, Chris Adams wrote: > Once upon a time, Steve Dickson said: >> On the server (Which is suggested): >>* Add the following entry to the /etc/exports file: >> / *(ro,fsid=0) Note: 'fsid=0' is explained in the exports(5) man pages. >

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 08:17 PM, John Poelstra wrote: >>> [...snip...] >>> >>> I want to be perfectly clear that I'm not sounding an "all clear" on >>> this by any means. If your answer here means that this change hasn't >>> been thoroughly tested, you're going to have a hard time convincing >>> anyone tha

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 07:52 PM, Mike McGrath wrote: >> By no means did I interpret that at all... but here lies the >> problem... I had no idea I would have to convince *anybody* >> of *anything* because I thought I made the deadline... again all >> following was the schedule in: >> >> http:/

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 07:29 PM, Jesse Keating wrote: > On Tue, 2009-09-29 at 19:16 -0400, Paul W. Frields wrote: >>>> I think that what we need, Steve, is some sort of information >> about >>>> what testing has happened up to this point that satisfies FESCo >>

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 07:16 PM, Paul W. Frields wrote: > On Tue, Sep 29, 2009 at 07:12:03PM -0400, Steve Dickson wrote: >> On 09/29/2009 06:55 PM, Paul W. Frields wrote: >>> On Tue, Sep 29, 2009 at 06:21:35PM -0400, Steve Dickson wrote: >>>> >>>> >>>>

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 06:55 PM, Paul W. Frields wrote: > On Tue, Sep 29, 2009 at 06:21:35PM -0400, Steve Dickson wrote: >> >> >> On 09/29/2009 06:13 PM, Jesse Keating wrote: >>> On Tue, 2009-09-29 at 17:52 -0400, Steve Dickson wrote: >>>> I thought today was t

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 06:13 PM, Jesse Keating wrote: > On Tue, 2009-09-29 at 17:52 -0400, Steve Dickson wrote: >> I thought today was the deadline... >> >> http://www.linux-archive.org/fedora-development/372823-all-features-need-100-beta-freeze-2009-09-29-a.html >> >

Re: Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
On 09/29/2009 05:43 PM, Jesse Keating wrote: > On Tue, 2009-09-29 at 17:33 -0400, Steve Dickson wrote: >> Buyer Beware: A Major Change in NFS is about to happen > > Which means you're about a month too late in making it for Fedora 12. > Please reconsider making this

Buyer Beware: A Major Change in NFS is about to happen

2009-09-29 Thread Steve Dickson
Hello, As part of the https://fedoraproject.org/wiki/Features/NFSv4Default feature I am one commit away from changing the default protocol version NFS will be using (or at least trying to use). What does this mean to you? Hopefully nothing! In theory this should be a very seamless transition b

Re: Xinetd resurrection

2009-09-20 Thread Steve Grubb
On Saturday 19 September 2009 07:25:13 pm Matej Cepl wrote: > Steve Grubb, Fri, 18 Sep 2009 08:24:18 -0400: > > I also think that the reason xinetd came into existence in the first > > place has long since passed. > > Do you think that Fedora should humbly return with a cap i

Re: selinux hasn't been running for over a week

2009-09-18 Thread Steve Grubb
On Friday 18 September 2009 12:39:57 pm Tomasz Torcz wrote: > On Fri, Sep 18, 2009 at 12:03:05PM -0400, Steve Grubb wrote: > > On Thursday 17 September 2009 05:29:02 pm Steve Grubb wrote: > > > If selinux is not disabled and it does not become permissive or > > > enfor

Re: selinux hasn't been running for over a week

2009-09-18 Thread Steve Grubb
On Thursday 17 September 2009 05:29:02 pm Steve Grubb wrote: > If selinux is not disabled and it does not become permissive or enforcing, > it has to get logged and optionally shutdown the system. > > Aside from no logging, any ideas why selinux no longer works? A few minutes ago,

Re: selinux hasn't been running for over a week

2009-09-18 Thread Steve Grubb
> permissive mode. > > > > And if chroot fails, we need to handle it. > > This will probably crash anyways In the code I looked at, only if it returned 3... -Steve

Re: selinux hasn't been running for over a week

2009-09-18 Thread Steve Grubb
so it can be debugged. > Load_policy will exit with 0 on success or 2 on failure and SELinux in > permissive mode. And if chroot fails, we need to handle it. -Steve

Re: Xinetd resurrection

2009-09-18 Thread Steve Grubb
On Friday 18 September 2009 08:34:03 am Ralf Ertzinger wrote: > Hi. > > On Fri, 18 Sep 2009 08:24:18 -0400, Steve Grubb wrote: > > I also think that the reason xinetd came into existence in the first > > place has long since passed. The original intent was to save memory >

Re: Xinetd resurrection

2009-09-18 Thread Steve Grubb
reduced. They want a smaller, leaner xinetd. Good Luck... -Steve

Re: selinux hasn't been running for over a week

2009-09-18 Thread Steve Grubb
gain. relabeling is totally different than the system not having it enabled at all when it's supposed to. -Steve

Re: selinux hasn't been running for over a week

2009-09-17 Thread Steve Grubb
et = 3. What if the return code was 1 indicating a failure? How do you look at what's supposed to be in the initrd to see if something is wrong inside it? I opened a bz 524113 for this. But I'm surprised this wasn't mentioned on the list before. :) -Steve

selinux hasn't been running for over a week

2009-09-17 Thread Steve Grubb
s not become permissive or enforcing, it has to get logged and optionally shutdown the system. Aside from no logging, any ideas why selinux no longer works? Thanks, -Steve

Re: what features are required in Fedora kernel

2009-09-04 Thread Steve Grubb
running as root. Iptables is needed to block this access. -Steve

Re: clang static analyzer: use it!

2009-09-04 Thread Steve Grubb
t the build instructions for clang, it seems like it would naturally fit as a subpackage for llvm. So, getting it into Fedora should not be too much to do since llvm is already approved. -Steve

Re: Orphaning packages

2009-08-21 Thread Steve Grubb
On Friday 21 August 2009 04:34:24 pm Aurelien Bompard wrote: > - ulogd -- The userspace logging daemon for netfilter I'm taking this one. Thanks, -Steve

Re: soname number bump for audit-libs

2009-08-19 Thread Steve Grubb
On Monday 10 August 2009 12:32:10 pm Steve Grubb wrote: > I wanted to let everyone know that I will be pushing audit-2.0 into rawhide > in the next day or two. It will change the version number of libaudit. The > following packages are known to have dependencies on audit-libs: Jus

Re: rawhide report: 20090819 changes

2009-08-19 Thread Steve Grubb
On Wednesday 19 August 2009 08:40:52 am Rawhide Report wrote: > Compose started at Wed Aug 19 06:15:07 UTC 2009 > > New package Does this large list mean that the Alpha freeze is lifted? -Steve

Re: Lower Process Capabilities

2009-08-14 Thread Steve Grubb
On Friday 14 August 2009 06:05:06 pm Serge E. Hallyn wrote: > Quoting Steve Grubb (sgr...@redhat.com): > > On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote: > > A sample srpm can be found here for anyone wanting to try it out before > > alpha is unfrozen. > >

Re: Lower Process Capabilities

2009-08-13 Thread Steve Grubb
uction in scope - other than what I have time to actually work on. If I can fix dhcp, that is a major win. That is the item that stands out as the biggest problem when running netcap. -Steve

Re: Lower Process Capabilities

2009-08-13 Thread Steve Grubb
On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote: > What can be done is that we program the application to drop some of the > capabilities so that it's not all powerful. There's just one flaw in this > plan. The directory for /bin is 0755 root root. So, even if we drop all >

Re: soname number bump for audit-libs

2009-08-10 Thread Steve Grubb
On Monday 10 August 2009 02:02:47 pm Jason L Tibbitts III wrote: > >>>>> "SG" == Steve Grubb writes: > > SG> It would have been in before feature freeze if sc-audit hadn't > SG> gotten stuck in package review. > > A couple of points here, sin

Re: soname number bump for audit-libs

2009-08-10 Thread Steve Grubb
se the _data equivalent function and use the audit_rule_data structure to hold your rules. The gain is that we want to clean up/deprecate the old kernel API somewhere around 2.6.36 and need user space to quit using it asap. -Steve

Re: soname number bump for audit-libs

2009-08-10 Thread Steve Grubb
es this a very real > possibility. OK, fine. I'll wait until after the Alpha freeze is over. -Steve

soname number bump for audit-libs

2009-08-10 Thread Steve Grubb
rather me not touch your package, just let me know. Thanks, -Steve

Re: openssh-blacklist - careless waste of space.

2009-07-31 Thread Steve Grubb
package. I think the definitions could be created by a script, but will take some time to generate. Maybe adding a generator for people not connected would let them recreate the content? But a 800Mb package is bigger than the livecd. -Steve

Re: Lower Process Capabilities

2009-07-29 Thread Steve Grubb
> > allowed to do. > > This has little to do with what Steve is trying to do. Right. All I am doing at this point is going over the daemons running as root and patching them to lower their capabilities. With libcap-ng, it's generally 2-3 lines of code. As for directory perms...I

Re: Lower Process Capabilities

2009-07-29 Thread Steve Grubb
ch processes (sshd, login, ...) would fail. There is also the argument that what we've been teaching people for years is that SE Linux strips away privileges and doesn't grant them. Changing the model would be somewhat confusing. -Steve

Re: Lower Process Capabilities

2009-07-27 Thread Steve Grubb
On Monday 27 July 2009 09:11:33 am Serge E. Hallyn wrote: > Quoting Steve Grubb (sgr...@redhat.com): > > On Sunday 26 July 2009 08:54:26 pm Steve Grubb wrote: > > > > I trust you meant to write 0555? > > > > > > No, I really mean 005 so that root daemons are

Re: Lower Process Capabilities

2009-07-26 Thread Steve Grubb
On Sunday 26 July 2009 09:01:14 pm Tom Lane wrote: > 0005 is certainly not meaningfully more secure than 0555. There are some secrets in files that semi-trusted root apps should not have access to. -Steve

Re: Lower Process Capabilities

2009-07-26 Thread Steve Grubb
On Sunday 26 July 2009 08:54:26 pm Steve Grubb wrote: > > I trust you meant to write 0555? > > No, I really mean 005 so that root daemons are using public permissions. > Admins of course have DAC_OVERRIDE and can do anything. Try the script in a > VM and tell me if there are an

Re: Lower Process Capabilities

2009-07-26 Thread Steve Grubb
On Sunday 26 July 2009 08:38:45 pm Tom Lane wrote: > Steve Grubb writes: > > The directory for /bin is 0755 root root. So, even if we drop all > > capabilities, the root acct can still trojan a system. > > > > If we change the bin directory to 005, then root cannot

Lower Process Capabilities

2009-07-26 Thread Steve Grubb
ve on a VM before posting so that you can assure yourself that everything still works. :) Thanks, -Steve

Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)

2009-07-24 Thread Steve Grubb
n't think I explained it well. I was thinking what if you had this rule: -A INPUT -Z cups_t -j ACCEPT and then cups was compromised and started listening on port 80. Since the above rule has no port restrictions and cups is allowed to accept connections, would cups now be able to start serving web pages? -Steve

Re: RFE: FireKit

2009-07-24 Thread Steve Grubb
ose ports and allow traffic. > 2- Monitors as new daemons/applications that listen on non lo interfaces > are started, checks if iptables is currently blocking them, and if so, > warns the user that application X is currently blocked by the firewall This part I like. -Steve

Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)

2009-07-24 Thread Steve Grubb
need to log AVCs. I would recommend leaving IPTables as is. It's working great at what it's designed to do. -Steve

Re: prelink: is it worth it?

2009-07-09 Thread Steve Grubb
f There are more examples like this. -Steve

Re: unable to include capability.h

2009-06-13 Thread Steve Grubb
found here: http://people.redhat.com/sgrubb/libcap-ng/ I'll be setting up a Fedora 12 project in the next few days to drop privs everywhere. -Steve

Re: Maintainer Responsibilities

2009-06-04 Thread Steve Grubb
On Wednesday 03 June 2009 04:57:32 pm Kevin Kofler wrote: > Steve Grubb wrote: > > And then should the bug be closed hoping that one day you pull in a > > package that solves the user's problem? > > If the bug is fixed upstream, the Fedora report can be reopened with a

Re: Maintainer Responsibilities

2009-06-03 Thread Steve Grubb
ed that the fix is in Fedora? If the bug is severe enough, shouldn't the upstream commit be applied to Fedora's package and the package pushed out for testing? Is all this going to happen if the bug is closed? -Steve

Re: Maintainer Responsibilities

2009-06-03 Thread Steve Grubb
On Tuesday 02 June 2009 11:09:49 pm Ralf Corsepius wrote: > Kevin Kofler wrote: > > Steve Grubb wrote: > >> I don't want to start a long thread, but just to ask a couple questions > >> for my own clarification. Does a maintainer's responsibilities end with

Re: Maintainer Responsibilities

2009-06-03 Thread Steve Grubb
On Tuesday 02 June 2009 07:34:17 pm Kevin Kofler wrote: > Steve Grubb wrote: > > I don't want to start a long thread, but just to ask a couple questions > > for my own clarification. Does a maintainer's responsibilities end with > > packaging bugs? IOW, if there is a

Maintainer Responsibilities

2009-06-02 Thread Steve Grubb
ptable for them to close the bug and say talk to upstream? Do we want those bugs open to track when the bug is fixed in the distro? I'll accept whatever the answer is, I'm just curious. Thanks, -Steve

Re: rawhide e2fsprogs & yum

2006-03-13 Thread Steve G
-qf does show that /lib/libcom_err.so.2 is owned by e2fsprogs-1.38-1.i386. -Steve

rawhide e2fsprogs & yum

2006-03-13 Thread Steve G
i386 >libcom_err.so.2 is needed by (installed) cyrus-sasl-2.1.21-10.i386 >libcom_err.so.2 is needed by (installed) cyrus-sasl-gssapi-2.1.21-10.i386 >libcom_err.so.2 is needed by (installed) pam_krb5-2.2.6-2.2.i386 >libuuid.so.1 is needed by (instal