I have in /etc/selinux/config:
Code:
SELINUX=enforcing
SELINUXTYPE=mls
Do I have MLS enabled? I can't use Selinux commands. I thought MLS is sort of package to Selinux. I fallowed this:
Code:
[code].....
FC12 with recent updates The bugzilla I reported is fixed in selinux 3.6.32-66 and I have 3.6.32-56. I refreshed the repositories and looked for 66 and it is not listed. Question - how often does the policy changes get posted to the repositories ? And are the repositories the normal place to get the latest and greatest ?
View 2 Replies View RelatedI need to change SELinux policy to permissive and then back to enforced for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration ->SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome Gui interface. Am I missing something, or should I use some sort of similar command line tool to do this?
View 2 Replies View RelatedTried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this happen by creating a permissive domain for sshd with this command:
Code:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Code:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
I am trying to configure my live install of fedora so a PC on the same intranet can access it by hostname instead of by IP address.After I installed bind, I realized the man pages recommended against bind and said instead to enable SELinux named. I tried to guess what variables to set after googling and studying the documentation and coming up empty. I used getsebool -a, and tried turning one and all on.I test using:nslookup myhostname on the linux box, since if that is working it isnt surprising that the windows box cant see it. what buttons to push to enable SELinux named, as described in fedora 13 man page for bin slight correction, the man page is for named. It says to remove the bind-chroot and use SElinux to enable named. I think I also have to create a new zone. This seems akin to proving fermats last theorem but less rewarding. anyone know what keys to push for either. I did get system-config-selinux running. I thought it was in an infinite loop but it does *eventually* load a gui. Also if you set a boolean it will grab all CPU for a couple of minutes. (used top in another terminal).
View 5 Replies View RelatedI just upgraded from 11 to 12 and then installed the Nvidia proprietary drivers from RPMFusion. Initially glxinfo wouldn't work because SELinux was stopping it from using an executable stack. Since the Nvidia drivers are proprietary and a fix may not be provided, I allowed this access to glxinfo with chcon -t execmem_exec_t '/usr/bin/glxinfo'
However it looks like every program using glx-utils also needs these permissions - so far I allowed Xorg, compiz and the Firefox video plugin to execstack. Can anyone suggest a fix for this - preferably one that avoids execstack for all those apps since its a security risk. If not how do I create an SELinux policy to automatically grant apps execstack while they use glxinfo or other nVidia libraries but not at other times.
My organisation is running squirrelmail on a redhat server. When users are created , at that time the admin sets a password. Thereafter the user can login to his account using the password. But he can't change it as is the case with gmail or yahoo mail. Also the password for any account is known to the admin in addition to the user himself - a weak security arrangement !So what I wish to do is provide a way for users to change his password anytime he wants and also during the first login - as is normally done in banking sites, etc
View 14 Replies View RelatedQuote:One of the new features in Firefox 4 that we are very excited about is Content Security Policy, which is a mechanism that works behind the scenes to prevent some of the more severe web-based attacks against users and websites.Firefox users don?t have to do anything in order to gain this protection. Simply install Firefox 4 and you will instantly receive all of the benefits that Content Security Policy has to offer. Easy!
I have just installed tripwire. I have created a baseline db using the default policy file. Then I checked the output of the db to see what I did not have on my filesystem that db was searching for (according to the default policy when tripwire was installed), I then changed my default clear text policy file accordingly and used twadmin to generate a new tw.pol file.
Next I come grinding to a halt after this (assuming the next thing is to update the policy in tripwire right? )
Code:
I have tripwire 2.4.1.2 running on one of our servers on a daily basis, and I was curious to know if it is good practice to periodically update the policy file. The reason for my asking that is while the daily reports that I get indicate there have been changes to files on a daily basis, there are also files that have not been modified for over a month. My thinking is an update of the policy file will establish an updated baseline, and those files that have not been changed for so long will not be reported on until they get changed again.
View 1 Replies View RelatedMy newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
View 11 Replies View RelatedWe have enabled DOT1x security (8021x) in our wired network for testing purpose. but to get enable that facility our account should be a domain account so that it will get certifiy from the certificate server through RADIUS server. But in Fedora We are unable to get certified from the certificate server how ever if we are loging in through Root user or any local user in fedora we are able to get IP and able to work in net as well as connected to domain. but after loging off we are unable to login to domain account. I need to login throuhg Domain Account by using DOT1X security.
View 1 Replies View Related1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am been asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want lock the encrypted partition again, but I don't know the command?! I umounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
Is it fair to say that connLimit and hashlimit are very similiar on Linux i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host? How in IPTables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? i.e. I do not want to allow more than 6000conn/minute for port range that is the sum of all connecting hosts?
View 3 Replies View RelatedIt took me a while to get VNC going. It was easier with FC8-10. Once I got finished and was actually able to log in and see my remote desktop I tried to add some software... virtualbox.When I double click on the RPM I get popup that states."The action could not be completed. Failed to install file. You do not have the necessary privileges to perform this action" When I close that dialogue another one pops up that states" "The action could not be completed." When I click on more details the dialogue states. "Policykit authorization failure" How can I make this work?
View 1 Replies View RelatedI just updated my system via yum and got an odd output after selinux-policy-targeted package finished updating.
Code:
Updating : selinux-policy-3.6.32-89.fc12.noarch 14/80
Updating : selinux-policy-targeted-3.6.32-89.fc12.noarch 15/80
/etc/mock/koji* /etc/rc.d/init.d/dirsrv* /srv/git* /usr/autodesk/maya2010-x64/lib /usr/lib{64,}/nagios/plugins/check_mailq /usr/sbin/ns-slapd /usr/share/e16/misc* /usr/share/shorewall/compiler.pl /var/cache/cgit* /var/lib/git* /var/lib/koji* /var/www/git/gitweb.cgi /var/www/git/gitweb.cgi
Does anyone knows what that means?
How to recompile squid under fedora 13 to insert this arguments ---> --enable-storeio=diskd,coss
View 2 Replies View RelatedI am using RHEL 5, how to enable ACl in /etc/fstab
View 2 Replies View RelatedHow can I enable passphrase along with the password for login via ssh ? In that whenever I login from server A to server B via ssh, it should ask me for a password and then passphrase to allow me access.
OR
Can we have multiple passwords to login via ssh ?My basic need is to have 2 levels of password.
I recently installed Deluge 1.2.0 from the following PPA:[URL]I using this on two different Linux computers. One is running Linux Mint 8 and the other is running Ubuntu Netbook Remix 9.10. The first time on either computer when I enable WebUI in the Deluge GUI it works fine. However if I ever disable it in plugins section I am subsequently unable to re-enable it (doesn't appear in the side panel again). Rebooting or reinstalling Deluge seems to have no effect.Is this a bug or am I doing something wrong?
View 3 Replies View RelatedHow to enable ipv6 in snort. I read that it must compilate with --enable-ipv6 but still don't know how?
View 2 Replies View Relatedhow to enable direct login of root via ssh?I find and info that i just need to update /etc/ssh/sshd_config, but i couldn't see that file in the location.
View 14 Replies View RelatedI need to allow ICMP ping for one host only. I found out how to enable it to all hosts (ICMP Filtering, check ping) but I would like to reduce the scope to one host. I know I can add rules in the user_post script but I can't find the correct iptables command ...
View 4 Replies View RelatedI am trying to learn how a buffer overflow works, but I need to have an executable stack for it to work. How do i enable this for an individual program? I am using Arch linux and X86_64 btw
View 3 Replies View RelatedAnyone can tell me how to enable and config auditd in linux kernel 2.6.9-5.EL. I have only found command auditd and auditctl in server that run kernel 2.6.9-5.EL. I ran auditd & and can saw auditd ran in my server. But I couldn't do anything with auditctl, no status, no rules, nothing :| . I tried to find audit.rules or auditd.conf but that nothing I can find.
View 1 Replies View RelatedI am using Fedora 14. By default Security Enhanced Linux is enabled in Fedora 14. Now is there any way to disable it by command line and then again enable it through command line.
View 3 Replies View RelatedRecently I installed vncserver (tigervnc) on my desktop. Ever since my computer refuses to shutdown normally. At shutdown the following message pops up: Quote: System policy prevents stopping the system when other users are logged in Then I have to enter the root password to shutdown. If I stop vncserver before, the computer shuts down normally.
[Code]....
I was wondering how to activate encryption on my home folder, like sugested when creating the first user? in 10.04Also, is it any good to use?It's a work computer with sometimes private documents (cv, docs, etc) and i would like to be sure no one can access it, even as root.
View 3 Replies View RelatedI have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things.This is my iptables -L -n :
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535
code....
In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.
Maybe this is not the best style for iptables rules, but I want to be absolutely sure to not accidently lock myself out from SSH, so I chose not to configure a "block-everything rule".
Does this configuration not enable incoming packets from connections initiated from inside?
I'm using Debian Squeeze.
When I invoke apt-cache policy , for example , apt-cache policy zlib1g.
I get the output like:
Code:
And below the line "Version table:" , there is installed package version. I assume 1:1.2.3.4.dfsg-3 is version("epoch"+"upstream version"+"debian revision"), but what does the next "0" means?