Fedora Security :: Can't Add Any Module
Aug 18, 2009
I'm trying to add simple policy to system - Fedora 11 x86_64 updated. Where is my error? I can't add any module.
Module xselinux, which appeared in new versions of XServer, theoretically allows using SELinux in order to improve security. First of all I'm interested in examples of the use of this module (configuration files and what functions it performs). Also interesting to know whether some user's actions with XServer can be restricted via xselinux module (e.g. screenshot prohibition).
I use iptables firewall (v1.4.1) installed on FC8. I'm trying to limit the inflow traffic for the port 1723 to certain MAC addresses. To experiment with the mac option, I've written the following iptables rule:
Quote:
iptables -A INPUT -m -mac --mac-source 10:08:08:08:08:10 -j ACCEPT
It didn't work. It gave me this error message:
Quote:
iptables v1.4.1: Couldn't load match `-mac':/usr/local/libexec/xtables/libipt_-mac.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Does that mean the mac module wasn't installed/enabled?
I've configured squid proxy server in a P4 desktop. I've 50 users in my network. I installed RHEL 4.4 (2.6.9-42 kernel) and the iptables version is 1.2.11-3.1. I've 2 NICs installed in the system. eth0 (192.168.100.99) for local lan and eth1 (192.168.1.2) for outgoing to internet. I've connected DSL broadband modem to eth1 (default ip of DSL modem is 192.168.1.1). All the clients except a few have been forced to go through squid by user authentication to access internet. Those clients which were kept away from proxy are 192.168.100.253, 192.168.100.97, 192.168.100.95 and 192.168.100.165. Everything works fine but from last week I observed that one of some notorious users uses the direct IPs (192.168.100.97 or 192.168.100.95) in the absence of the owner of these IPs to gain access to internet as we applied download/upload restrictions in squid.
I want to filter the packets of source hosts using MAC address in PREROUTING chain. I read somewhere that IPT_MAC module must be installed to make this happen. So that those notorious users can not change their ips to gain direct access to internet.
Below are the contents of my iptables file (I've omitted a few entries for safety purposes).
# Generated by iptables-save v1.2.11 on Wed Nov 25 16:35:57 2009
*filter
:INPUT ACCEPT [14274:3846787]
:FORWARD ACCEPT [4460:1241297]
:OUTPUT ACCEPT [16825:4872475]
code....
I am using the "extend" function of snmpd to run a script in order to extend a monitoring platform. This script being run by snmpd needs to write to a file in /tmp for later parsing, but SELinux is stopping it from writing to the file under /tmp. The following two lines from my audit.log file show what is happening:
Code:
type=AVC msg=audit(1281516573.123:18422): avc: denied { write } for pid=6933 comm="test2.sh" name="tmp" dev=dm-0 ino=1474561 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
[Code]..
I'm trying to limit the number of the ICMP packets reaching my server, so I'm using the limit module of iptables, unfortunately it seems the limit I set is totally ignored as I can easily send tens of ICMP packets and get a reply in less than 0.3 second
Quote:
m3xican@m3xtop:~$ sudo ping -i0 -c20 x.x.x.x
20 packets transmitted, 20 received, 0% packet loss, time 230ms
rtt min/avg/max/mdev = 184.969/185.895/189.732/1.301 ms, pipe 16, ipg/ewma 12.138/186.232 ms
This is the rule I'm using to accept ICMP packets (default setting is DROP)
Code:
iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
And these are the kernel modules related to iptables
Code:
Module Size Used by
xt_limit 1382 0
[Code]...
So I installed pam-script
made this script:
Code:
#!/bin/bash
RFID_AUTH_SUCCESS=0
#Read the card
tag=`'/etc/rfid/RFID-login'`
code....
Code:
sudo test
It doesn't ask for my password and instantly authenticates as root!
If I run the above posted script manually (cd into the dir and execute it), it works fine and produces the result 1 if positive and 0 if negative.
Whenever I copy ELF or BIN files from the filesystem of linux I must get permission denied. For this case I have gone through the linux security module but didn't get much help regarding the permission denied only in case of copy of ELF and BIN files from filesystem. How can I proceed in this?
WORK DONE:
1. Downloaded linux-2.6.25.14
WORK NEEDS TO BE DONE:
1. compile the kernel with some modifications in linux security module to get the desired results but this time i am unaware of that.
My goal is this: Allow a user to connect to a server via SSH with any login name or password without checking to see if that account exists on that server. Their account would be captured by a universal account say, 'generic_user', and then they would be directed to one of my python scripts with the username and password they supplied for initial login. At this point my script would capture their SSHD process ID and allow/deny their existence based upon a MySQL/Subscription check.
The part I'm having trouble with is with PAM and allowing the user to login with any credentials and be successfully authenticated under the generic account. Beyond that, everything is great.
Internal system mail revealed an error. Part of the mail is the below:
Feb 25 00:00:01 mbdba crond[1025]: PAM (system-auth) illegal module type: ccount
Feb 25 00:00:01 mbdba crond[1027]: PAM (system-auth) illegal module type: ccount
Feb 25 00:01:01 mbdba crond[1122]: PAM (system-auth) illegal module type: ccount
Feb 25 00:02:01 mbdba crond[1152]: PAM (system-auth) illegal module type: ccount
Feb 25 00:04:01 mbdba crond[1275]: PAM (system-auth) illegal module type: ccount
Feb 25 00:06:01 mbdba crond[1397]: PAM (system-auth) illegal module type: ccount
I have checked /etc/pam.d/system-auth for the "ccount" entry, but it does not exist. "ccount" existed before in /etc/pam.d/system-auth but I managed to change it back to "account." I have grepped for the "ccount" string in all files under /etc/pam.d and I was not able to find it.
It seems that the system-auth is not able to take the now "account" string instead of "ccount" although I have restarted crond.
Here is my system-auth file on the affected server:
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
code....
Trying to install the Suhosin module with the php 5.2.9 c5-testing repo...it won't run with the php 5.2.9 testing build (there isn't an updated suhosin package against the 5.2.9 build)
PHP Warning: PHP Startup: suhosin: Unable to initialize module
Module compiled with module API=20050922, debug=0, thread-safety=0
PHP compiled with module API=20060613, debug=0, thread-safety=0
What's the best way to handle this from an admin best practices standpoint? I want to do everything possible to keep the suhosin module tracked by yum for future updating etc. Is it best to try to find a suhosin rpm that is built for 5.2.9 and install it with yum localinstall? If not, if I build the module myself, what's the best path to keeping yum/rpm in the loop on this install for future updating via yum?
When opening gedit as a user I get the following message
Gkt-message: Failed to load module "'pk-gtk-module"
If I try to open gedit as root I get the same message but with other messages. These are shown in the attached file. gtk.txt
This is on an upgraded machine using the preupgrade method. The same has happened on two machines upgraded from F14 to F15 the same way. 64 bit systems.
How to clean this up so the messages do not appear?
I am using Redhat linux 5 version 2.6.18-164.e15 with platform i686. I need to add ntfs module. I execute the following command
#modprobe ntfs
but it says FATAL: Module ntfs is not found.
How can I track IPsec module's operations? Can I find such a log file or entries in Linux?
We are trying to implement a firewall as kernel module through netfilter hooking (in C). In the following code we are allowing only TCP traffic. Source port number and destination port number are printed for every TCP packet. On execution, this code prints wrong port numbers. This is the first time we are using skb_transport_header function for accessing tcp headers.
We verified port numbers being printed by firewall through NFS traffic. On the same machine where firewall is running, we hosted an NFS server. An NFS client (from a different system) puts a file in exported mount. Firewall is able to capture packets for this file transfer but port numbers printed are wrong. It prints '69' for source portnumber (whereas ethereal capture shows it as 790) and prints '553231' for destination port (whereas for nfs version 4 it has to be 2049).
[Code]....
I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things. This is my iptables -L -n:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535
code....
In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.
Maybe this is not the best style for iptables rules, but I want to be absolutely sure to not accidentally lock myself out from SSH, so I chose not to configure a "block-everything rule".
Does this configuration not enable incoming packets from connections initiated from inside?
I've been unable to boot into x using the real-time kernel from CCRMA at home. I get the error "Failed to load module "nvidia" (module-specific error,0) no drivers available. I'm using the driver from Nvidia. I know that this is not an official Fedora kernel and I should be bothering CCRMA about this, but in the meantime could I edit the entry in grub.conf so that it will use the Nouveau driver for that kernel only? That way I could "dual-boot", and just use the rt kernel when I want to use audio software and don't need 3d graphics.
I get the following message in /var/log/secure: Nov 15 09:27:21 su: Deprecated pam_stack module called from service "su-l"
I have done some research and it seems I need to get rid of pam_stack.so in /etc/pam.d/su but I can't find out what to use in its place.
Below is a copy of my /etc/pam.d/su file:
Code:
From what I understand, I need to replace the line "auth required pam_stack.so service=system-auth" with "auth include system-auth"
My problem is how do I then go about limiting access to su based on group membership without pam_stack.so?
I am trying to install a Sunix 4018T dual parallel port card on a pc with Mandriva Linux 2010.1: Dealer told me that linux has driver for this card already so I inserted it and turned on my pc. Unfortunately when I try to install my Okidata ML320, cups is not showing any parallel ports. I try to update all the system with last patches and packages: I tested the card on a pc with windows xp, installed my printer and it works perfectly.
When I try to load the Realtek 8187 modules to kernel using the ./wlan1up command, I get the following error:
[root@localhost rtl8187_linux_26.1025.0328.2007]# ./wlan1up
insmod: error inserting 'ieee80211_crypt-rtl.ko': -1 File exists
[code]...
Can someone tell me how to correct the "Invalid module format"? I hope that correcting the "Invalid module format" error, I will not have the "Unknown symbol in module" error.
Note: I am using wlan1 for this module as I previously am online with the wlan0 network. The same error occurs if I use ./wlan0up.
I'm trying to enable the rewrite module in apache. To enable the module I followed the last entry in the first page of this thread: [URL]... When I restart apache all works fine, so I suppose it's enabled.
Now I create .htaccess in my apache folder (/home/user/apache), and I write this:
Code:
RewriteEngine On
RewriteRule ^link([^/]*).html$ test.php?link=$1 [L]
And I try to execute this: ./.htaccess, I have these mistakes:
Code:
./.htaccess: 1: RewriteEngine: not found
./.htaccess: 2: Syntax error: "(" unexpected
What am I doing wrong?
Code:
nits@nits-desktop:/mnt/Storage/Tors/Incomp$ btdownloadcurses --check_hashes 1 filename.torrent
/usr/lib/python2.6/dist-packages/BitTorrent/Storage.py:4: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
from sha import sha
These errors occurred during execution:
[09:37:48] IOError - [Errno 5] Input/output error
Got this error when I tried hash checking, was downloading the file using rtorrent when there was a sudden powercut and my system shutdown abruptly, tried restarting the torrent and kept encountering problems while restarting.
I want to add some code in existing linux2.6.33.2 to enhance kernel. I want to know how to start and where to add code.
I need to install module u32 into the netfilter module for kernel 2.6.27.
I did not see the source code in the kernel version I have. where can I find the code for U32 module.
I have checked "netfilter.org" and looks like POM is discontinued. Is the u32 module committed to kernel version 2.6.27 or need to patch it. If yes, where can I find the patch?
I am building the kernel for a MIPS processor.
OK. Trying a fresh install of gnome openSuse, and I have certainly screwed something up again and hope I don't have to reinstall again, arghhhh! Tomboy won't open, even after reinstallation, and below is the error, but first, as well I can't open my .odt file with openoffice writer!
Now the error...
#tomboy
Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
Gtk-Message: Failed to load module "gnomebreakpad": libgnomebreakpad.so: cannot open shared object file: No such file or directory
...and lots more
I am interested in using fortran and an external library called matio used to save arrays to matlab .mat files. I have installed the matio and matio-dev packages from synaptics but I cannot compile a code, receiving an error:
Code:
christos@christos-laptop:~/Desktop$ gfortran -o test test.f90 -lmatio -lz
test.f90:2.13:
USE MATIO
1
Fatal Error: Can't open module file 'matio.mod' for reading at (1): No such file or directory
How can I load a module in order to use it in fortran through the GCC compiler?
I installed firefox 4 and removed the old 3.X version. Did a general update that my computer showed me was available, then I noticed the first problem. Firefox 4 would not launch when I clicked it, it would only launch when I clicked the gnome 3 applications button and then clicked and dragged the firefox logo to the desktop, then it opened. The second problem I am now having, which at the moment is more bothersome, is that after I closed the lid to my laptop and opened it up again after a while and logged back in, I noticed that the ENTIRE gnome 3 environment was gone. No panel, no menu, nothing, just the desktop and a few desktop icons. I tried the command "yum install gnome-shell" but it just said that gnome 2.31.5-7 .fc14.i686 was already installed so it wasn't gonna do anything, then I tried the "gnome-shell --replace" command and it just said
failed to load "canberra-gtk-module": libcanberra-gtk-module no such file or directory.
I've installed openSuse 11.4 server-mode (text only) on my desktop, and I'm trying to configure IceWM so I'll eventually have it set up so it always boots into text only mode, but I could be able to quickly start icewm via the command line. Using Yast, I installed the Xorg server, and icewm. When I type X, the screen goes black and it just doesn't seem to do anything. I found if I hit ctrl+alt+f1 it kinda puts me back into text only mode, but I can't put in commands anymore. The last thing it says on the screen is:
Failed to load module "fglrx" (module does not exist, 0)
I've googled that error message and the discussions that popped up around it made no sense to me at all. I've never configured X from scratch before, can someone point me towards a tutorial or something?
love security/pentest tools. This script adds ALL the tools from the Security Spin, plus Metasploit. Feel free to modify it if need be.
This is the alert I got:
Code:
Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load a kernel module.
Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....