is it possible to block an application from using the network? If yes, how? I read it's possible with iptables and with selinux... Also, what about creating a user who can't connect and run the application with that user?
View 7 Replies
When I'm logged into my account, I can't shut down the computer if someone else is also logged in unless I supply the root password. However, if I log out, I can shut down from GDM without being challenged, even though another person is logged in, which could cause problems if that person is in the middle of some work. Is there a way to password-protect the gdm shutdown function if people are logged in?
View 2 Replies View RelatedI went to print something and I get this message: Summary: SELinux is preventing access to files with the default label, default_t.
Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
This is the "alert" I've received from SElinux Alert Browser after closing "rythmbox" application that opened my CreativeZen mediaplayer:
Code:
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sys_ptrace capability
in dmesg it has:
[code]....
We are trying to define an appliance based on Suse for an application server and Web server Apache, so we would like to know configuration best practices for network and security, is there any paper/doc about best practices?
View 3 Replies View RelatedI have a problem as following: "using iptables to prevent IP spoofing".
View 4 Replies View RelatedI'd like to grant /usr/sbin/sendmail.sendmail "connectto" access to the unix_stream_socket /var/lib/imap/socket/lmtp.How do I do that?I want to eliminate error messages that keep appearing in my message log:
/var/log/messages:Jan 13 11:45:29 e setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from connectto access on the unix_stream_socket /var/lib/imap/socket/lmtp. For complete SELinux messages. run sealert -l 05df828f-4402-
[code]....
What methods exits to restrict which directories a user may browse on the filesystem. I want to prevent php scripts from being able to view system files. I've seen two solutions, but neither are satisfactory:Chrooting a directory that the script is in, but this requires that all the necessary php libraries/files are moved/copied into the right place relative to the chroot directory. I don't feel that I have the technical ability to achieve this.Putting php into safe mode and disabling *nasty* php functions. But this is ineffective if just one obscure *bad* php function is missed.
View 5 Replies View RelatedI'm trying to set up an unprivileged user on some field systems running 11.04 with the standard Gnome shell (rather than Unity), and ideally that user would not have access to the command line. The user can log in through GDM (but not the text consoles) with no password, so I need to provide the absolute minimum of privileges; basically the user should only be able to run one program.
I've already set the /desktop/gnome/lockdown/disable_command_line key with gconf-editor for that user, which successfully disabled the "Run Command" dialog. Unfortunately, even though the description of the key in gconf-editor says "prevents the user from accessing the terminal...", the terminal emulator is still accessible from the Applications menu, and I haven't been able to find a good way of disabling the terminal or removing it from the menu. The only thing that occurs to me is an ugly hack: replace the gnome-terminal binary with another that checks to make sure the user is not the unprivileged one and then starts gnome-terminal.
how the file is generated or what it contains is not important at this point.The important question is how to prevent the file from being downloaded and its contents from being displayed in the browser window?Since it is not recognized by the web browser so it is downloaded on the system. That way, what the script does is exposed to the outside world.Okay, I usually keep such scripts in../cgi-bin/. But for files (text files, in the example) which are being uploaded by a user should not be downloaded by another user.
View 10 Replies View RelatedI am trying to Setup citrix ICA client 9 on Ubuntu 9.04 Server. I installed it very easily and I am not getting any lib error also. But when I try to connect to the citrix server, it fails with a pop up saying "Error in Network Connection Network or Dialup connection may be preventing ......" This is driving me crazy from 3 days. My project is to check the feasiblity of a Linux desktop
View 1 Replies View RelatedDoes anyone know if it is possible to filter/block network traffic between internal hosts on a lan?
Eg. : Linux firewall/router ( 192.168.0.1) - LAN Default G/W - all internal > external traffic gets filtered.
How would you filter tcp/ICMP/UDP traffic from internal host a ( 192.168.0.2 ) to host b ( 192.168.0.3)
All the internal hosts have the linux f/w as the default gateway, and are all on the same /24 subnet.
I would like to know if I can filter traffic between internal hosts.
we're using Network Manager with vpnc plugin (cisco vpn).According to our IT policy, we'd like to prevent the users from saving the password.I've been trying to set the value via gconf as mandatory, but the setting is blatantly ignored:system/networking/connections/1/vpn/ipsec-secret-type...I set it on "ask" and mandatory.I'm quite sure that's the wrong key.
View 2 Replies View Relatedapplication to monitor application wise network usage?
View 3 Replies View RelatedHP 210 Mini
Fedora 14 xfce
2.6.35.11-83.fc14.x86_64
I have inserted my handy drive. However, when I right click and select unmount I get the following message:
An application is preventing the volume "New Volume" from being unmounted
So I try from the command line:
umount /dev/sdb1
And I get the following message:
umount: /media/New Volume: device is busy.
All I have done is copied some files to my handy drive. So I am not sure what process is keeping my handy drive busy.Is there any command that I can use to see what process of anything else is using the handy drive?
I have a laptop connected to the the net thru an adsl modem, when I switch off the laptop network interface,(thru system-config-network) the light of the laptop network card plugged in the router stays on ( green) where as in my pc, when i do the same thing , the light of my pc network card goes off in the modem
View 5 Replies View RelatedIs there a program that I can install that will display a visual/graphical representation of the local Network Topology?
View 2 Replies View Relatedhow efficient and effective are these snort, argus, ossec etc etc for an organization having 3500 PC Network, connected through 700+ Cisco Devices (Layer 2 and Layer 3), and scattered on 130 different sites (geographically)? what should be the combination of products and what should be the architecture for an efficient forensics activity?
View 2 Replies View Relatedjust a quick question: I have an external HD with 2 partitions, one ext3 and one FAT32.When I plug in the HD both partitions get automatically mounted, but as I only use I use the FAT32 partition to transfer data from/to Windows machines (which does not happen so often) I would like only the ext3 partition to be mounted automatically.
View 2 Replies View RelatedI'm using the Fedora Eee kernel for Fedora 12 (it's an unofficial kernel for the Eee PC), and want to update my system (I just set it up today). How can I update via command line and prevent an update to the default kernel?
View 1 Replies View RelatedI have a virtualbox installation, and I need fairly high security separation between host and guest traffic. The university network the box hangs off uses statically-allocated ip addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched ip and MAC addresses).
VBox: 3.0.4
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated, IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G). So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source - and vv for G and IPG. There also don't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network, I have to reboot it to get networking working.
But I can't figure how to tell the host to _only_ use NIC H for anything else except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H? I've been reading route and arp manuals all day, but I can't seem to figure anything on this - mainly because arp and route don't know about host/guest processes, and I guess weren't designed with this in mind...
I'm running F13 with KDE 4.4.4 on my desktop PC. A few months ago I had occasion to run Kalarm (invoked via "Kickoff" app launcher). Ever since that time, the Kalarm icon appears in my KDE "system tray" after I login. I power down my PC when I'm finished using it for the day.In an effort to get rid of the Kalarm icon, I changed my KDE "session manager" (System settings -> Advanced -> Session Manager) settings to: "on login: start with an empty session". But the Kalarm icon still appears in my "system tray" after the next reboot/login.I've also tried right-clicking on the Kalarm icon and selecting "quit". The icon still re-appears after the next reboot/login.Why didn't the session manager setting: "on login: start with an empty session" get rid of the Kalarm icon?
View 2 Replies View RelatedI'm having trouble booting after a recent bunch of updates (haven't been able to boot F12 from hard disk for a couple of days). The boot process gets as far as "NetworkManager daemon [OK]", then just stops. I get this for all 3 kernels that I can choose from the grub menu (2.6.32.16-141, 2.6.32.14-127, 2.6.32.12-115)Mounting the hard drive with a liveUSB, a quick inspection of /var/log/messages reveals that things go smoothly until: etc. until I hit the power button.I ought to mention that I wireless card that requires the Realtek RTL8192SE driver, which requires
Code:
sudo su
make
[code]....
I have a 2 monitor configuration, with the second monitor uses exclusively for mythtv. When I'm not actually watching tv or a muvie or watching visualizations with music playing, I actually use the machine for more productive uses. As the result the second monitor is typically not turned on, might have something to do the the fact it's a crt design, consumes a fair bit of power and does a good job keeping the media room overly warm.
The question is, does Fedora 11 or newer have a means to prevent applications from opening on the second monitor? I've checked the obvious places and nothing jumps out .
btw: According to the nvidia x server settings control panel the second monitor is set up as in twinview mode. This mode was chosen to allow the gpu to do most of the video decoding tasks using vdupau or something as I recall.
I just downloaded Fedora 15 desktop to a USB device. I am able to boot to the device and load the desktop with errors.I receive the following:
SeLinus is preventing /usr/Libexec/colord from getting access on the blk_file /dev/dm-0
Plugin: catchall
Source Process: /usr/libexec/colord
Attempted: getattr
On this blk_file: /dev/dm-0
I also am not able to use my wireless network. This is being booted on a Dell Inspiron 1545 Vista Sp2 system with 4 gb or RAM.The wireless network connection works fine with Vista.
- Newly installed Fedora 14- Firefox 3.6.12- All latest Fedora updates installed- Denial occured after the installation of jre1.6.0_22 from here - Linux (self-extracting file) and creating symbolic links as follows;
Code:
[root@Freedom opt]# ln -s /opt/jre1.6.0_22/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/
Code:
[code]....
My Fedora box is giving me an SELinux security error:
Code: Summary:
SELinux is preventing the samba daemon from reading users' home directories.
Detailed Description:
SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals an intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)
Allowing Access: If you want samba to share home directories you need to turn on the
samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
Fix Command:
setsebool -P samba_enable_home_dirs=1
Additional Information:
Source Context system_u:system_r:smbd_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects /home/micah [ dir ]
Source smbd
[code]....
I am currently running a 64-bit Fedora 14 server which hosts a game server, a voice server, and remote desktop functionality, each on a distinct TCP port. I am currently using the built-in firewall to deny all traffic other than ICMP ping/pong and TCP traffic on those specific ports.I am looking for a graphical application which will let me monitor any connections being made to my server in order to keep an eye out for possible security concerns. To be more specific, I'd like to be able to see the source IP addresses, TCP/UDP ports, and individual bandwidth in use by external connections being made to the server, along with any other information that might be helpful in identifying a possible intrusion attempt.
View 3 Replies View RelatedI am getting no packages listed in Gnome application manager gpk-application 2.27.2. I have tried 'yum clean all' and get the following error messages.
View 3 Replies View RelatedTo avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
View 3 Replies View Related
