FC12 with recent updates The bugzilla I reported is fixed in selinux 3.6.32-66 and I have 3.6.32-56. I refreshed the repositories and looked for 66 and it is not listed. Question - how often does the policy changes get posted to the repositories ? And are the repositories the normal place to get the latest and greatest ?
I need to change SELinux policy to permissive and then back to enforced for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration ->SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome Gui interface. Am I missing something, or should I use some sort of similar command line tool to do this?
Tried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this happen by creating a permissive domain for sshd with this command:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
I am trying to configure my live install of fedora so a PC on the same intranet can access it by hostname instead of by IP address.After I installed bind, I realized the man pages recommended against bind and said instead to enable SELinux named. I tried to guess what variables to set after googling and studying the documentation and coming up empty. I used getsebool -a, and tried turning one and all on.I test using:nslookup myhostname on the linux box, since if that is working it isnt surprising that the windows box cant see it. what buttons to push to enable SELinux named, as described in fedora 13 man page for bin slight correction, the man page is for named. It says to remove the bind-chroot and use SElinux to enable named. I think I also have to create a new zone. This seems akin to proving fermats last theorem but less rewarding. anyone know what keys to push for either. I did get system-config-selinux running. I thought it was in an infinite loop but it does *eventually* load a gui. Also if you set a boolean it will grab all CPU for a couple of minutes. (used top in another terminal).
I just upgraded from 11 to 12 and then installed the Nvidia proprietary drivers from RPMFusion. Initially glxinfo wouldn't work because SELinux was stopping it from using an executable stack. Since the Nvidia drivers are proprietary and a fix may not be provided, I allowed this access to glxinfo with chcon -t execmem_exec_t '/usr/bin/glxinfo'
However it looks like every program using glx-utils also needs these permissions - so far I allowed Xorg, compiz and the Firefox video plugin to execstack. Can anyone suggest a fix for this - preferably one that avoids execstack for all those apps since its a security risk. If not how do I create an SELinux policy to automatically grant apps execstack while they use glxinfo or other nVidia libraries but not at other times.
My organisation is running squirrelmail on a redhat server. When users are created , at that time the admin sets a password. Thereafter the user can login to his account using the password. But he can't change it as is the case with gmail or yahoo mail. Also the password for any account is known to the admin in addition to the user himself - a weak security arrangement !So what I wish to do is provide a way for users to change his password anytime he wants and also during the first login - as is normally done in banking sites, etc
Quote:One of the new features in Firefox 4 that we are very excited about is Content Security Policy, which is a mechanism that works behind the scenes to prevent some of the more severe web-based attacks against users and websites.Firefox users don?t have to do anything in order to gain this protection. Simply install Firefox 4 and you will instantly receive all of the benefits that Content Security Policy has to offer. Easy!
I have just installed tripwire. I have created a baseline db using the default policy file. Then I checked the output of the db to see what I did not have on my filesystem that db was searching for (according to the default policy when tripwire was installed), I then changed my default clear text policy file accordingly and used twadmin to generate a new tw.pol file.
Next I come grinding to a halt after this (assuming the next thing is to update the policy in tripwire right? )
I have tripwire 184.108.40.206 running on one of our servers on a daily basis, and I was curious to know if it is good practice to periodically update the policy file. The reason for my asking that is while the daily reports that I get indicate there have been changes to files on a daily basis, there are also files that have not been modified for over a month. My thinking is an update of the policy file will establish an updated baseline, and those files that have not been changed for so long will not be reported on until they get changed again.
My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
We have enabled DOT1x security (8021x) in our wired network for testing purpose. but to get enable that facility our account should be a domain account so that it will get certifiy from the certificate server through RADIUS server. But in Fedora We are unable to get certified from the certificate server how ever if we are loging in through Root user or any local user in fedora we are able to get IP and able to work in net as well as connected to domain. but after loging off we are unable to login to domain account. I need to login throuhg Domain Account by using DOT1X security.
1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am been asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want lock the encrypted partition again, but I don't know the command?! I umounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
Is it fair to say that connLimit and hashlimit are very similiar on Linux i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host? How in IPTables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? i.e. I do not want to allow more than 6000conn/minute for port range that is the sum of all connecting hosts?
It took me a while to get VNC going. It was easier with FC8-10. Once I got finished and was actually able to log in and see my remote desktop I tried to add some software... virtualbox.When I double click on the RPM I get popup that states."The action could not be completed. Failed to install file. You do not have the necessary privileges to perform this action" When I close that dialogue another one pops up that states" "The action could not be completed." When I click on more details the dialogue states. "Policykit authorization failure" How can I make this work?
How can I enable passphrase along with the password for login via ssh ? In that whenever I login from server A to server B via ssh, it should ask me for a password and then passphrase to allow me access. OR Can we have multiple passwords to login via ssh ?My basic need is to have 2 levels of password.
I recently installed Deluge 1.2.0 from the following PPA:[URL]I using this on two different Linux computers. One is running Linux Mint 8 and the other is running Ubuntu Netbook Remix 9.10. The first time on either computer when I enable WebUI in the Deluge GUI it works fine. However if I ever disable it in plugins section I am subsequently unable to re-enable it (doesn't appear in the side panel again). Rebooting or reinstalling Deluge seems to have no effect.Is this a bug or am I doing something wrong?
I need to allow ICMP ping for one host only. I found out how to enable it to all hosts (ICMP Filtering, check ping) but I would like to reduce the scope to one host. I know I can add rules in the user_post script but I can't find the correct iptables command ...
Anyone can tell me how to enable and config auditd in linux kernel 2.6.9-5.EL. I have only found command auditd and auditctl in server that run kernel 2.6.9-5.EL. I ran auditd & and can saw auditd ran in my server. But I couldn't do anything with auditctl, no status, no rules, nothing :| . I tried to find audit.rules or auditd.conf but that nothing I can find.
Recently I installed vncserver (tigervnc) on my desktop. Ever since my computer refuses to shutdown normally. At shutdown the following message pops up: Quote: System policy prevents stopping the system when other users are logged in Then I have to enter the root password to shutdown. If I stop vncserver before, the computer shuts down normally.
I was wondering how to activate encryption on my home folder, like sugested when creating the first user? in 10.04Also, is it any good to use?It's a work computer with sometimes private documents (cv, docs, etc) and i would like to be sure no one can access it, even as root.
I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things.This is my iptables -L -n :
Code: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535 code....
In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.
Maybe this is not the best style for iptables rules, but I want to be absolutely sure to not accidently lock myself out from SSH, so I chose not to configure a "block-everything rule".
Does this configuration not enable incoming packets from connections initiated from inside?