search for: enforce

...ems to do. > + *) > + let typ = read_selinux_config_key g "SELINUX" "disabled" in > + (* Do not attempt any relabelling if the SELinux is not "enforcing": > + * - in "permissive" mode SELinux is still running, however nothing is > + * enforced: this means labels can be wrong, and "it is fine" I don't think it's fine. As I showed here: https://www.redhat.com/archives/libguestfs/2020-June/msg00115.html in permissive mode labels are still being updated on disk. TBH I don't understand what you said here: https://...

...646:29332): avc: denied { getattr } for pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1398199187.646:29333): avc: denied { read write } for pid=23387 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp...

Hi, I would like to follow up on the previous thread[1], where there was a consensus to disallow merge commits in the llvm github repository, and start a discussion about how we should enforce this policy. Unfortunately, GitHub does not provide a convenient way to fully enforce this policy. We can enforce it for pull requests, but not for direct pushes to the master branch, so we will have to come up with our own solution if we want to completely prevent merge commits. I've spent s...

...*) > > + let typ = read_selinux_config_key g "SELINUX" "disabled" in > > + (* Do not attempt any relabelling if the SELinux is not "enforcing": > > + * - in "permissive" mode SELinux is still running, however nothing is > > + * enforced: this means labels can be wrong, and "it is fine" > > I don't think it's fine. As I showed here: > > https://www.redhat.com/archives/libguestfs/2020-June/msg00115.html > > in permissive mode labels are still being updated on disk. This is true for default l...

..., just like libselinux seems to do. + *) + let typ = read_selinux_config_key g "SELINUX" "disabled" in + (* Do not attempt any relabelling if the SELinux is not "enforcing": + * - in "permissive" mode SELinux is still running, however nothing is + * enforced: this means labels can be wrong, and "it is fine" + * - when "disabled" means SELinux is not running, so any relabelling + * is pointless (other than potentially fail due to an invalid + * SELINUXTYPE configuration) + *) + if typ <> "enforcing" then...

Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.

Hello, how could it be achieved to run e.g. shutdown -h now from a CGI script on a system where SELinux is set to ENFORCING? Thanks Walter

...me reason I can't seem to enable SELinux on this one host. Here's my SELinux config file: [root at beta-new:~] #cat /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted...

...ectory for our application. Passwords are stored in unicodePwd attribute, and our application resets passwords through LDAP (without the knowledge of the previous password, because it's an email-based reset). Unfortunately resetting it like this prevents the "password history" policy enforcement. This is a security problem that will come up on the first security audit. Microsoft recognised this is a problem and in Windows 2008 R2 SP1 introduced a supportedControl on RootDSE: LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later LDAP_SERVER_POLICY_HINTS_OID (1.2.840....

This is a pretty uncontroversial patch which just allows the selinux=? and enforcing=? flags on the kernel command line to be controlled. Currently libguestfs unconditionally passes selinux=0. By default this patch does the same thing, but allows programs to enable SELinux in the kernel and/or set it to enforcing mode. Rich. -- Richard Jones, Emerging Technologies, Red Hat

...k about it... > The longer you wait with changing these setups, the more problems you will hit in the future. > Not because im saying this.. Because > > Microsoft is enforcing more securitybut it's Microsoft that develop NetBIOS and LLMNR and if it's enforcing security should enforce these protocols or remove them from their OS isn't it? Any way I'll think about it. Thank you very much Piviul

...ists.llvm.org <mailto:lldb-dev at lists.llvm.org>> wrote: > > Hi, > > I would like to follow up on the previous thread[1], where there was a consensus > to disallow merge commits in the llvm github repository, and start a discussion > about how we should enforce this policy. > > Unfortunately, GitHub does not provide a convenient way to fully enforce this policy. > > > Why isn't this enforceable with a server-side pre-receive hook? GitHub[1] only supports pre-receive hooks in the 'Enterprise Server' plan, which is for se...

Hey All, I am testing PSO password policies and am having trouble getting the Maximum password age to be enforced. I have a test policy applied to a group and it does enforce complexity and Minimum password length but not the Maximum password age. Anyone using this setting for PSO's? Samba version 4.10.0-Ubuntu Password information for PSO 'TESTpolicy' Precedence (lowest is best): 10 Password...

...quota) as quota FROM virtual_mailbox WHERE username = '%u' I have set one of my users to have a quota of 1 (so one byte I believe) so it should be over the limit pretty much immediately. Looking at the logs I can see that the system is picking up on the quota limit but doesn't seem to enforce it. Apr 27 10:29:02 deliver(test at testdomain.com): Info: auth input: quota=maildir:storage=1 Apr 27 10:29:02 deliver(test at testdomain.com): Info: Quota root: name=storage=1 backend=maildir args= Any ideas? Am i missing something? -- View this message in context: http://old.nabble.com/Enforci...

My Samba v3.0.25b (in CentOS v5.1) has the smb.conf shown below. What I'm seeing is that "force create mode" is not enforced when accessed by a Linux CIFS client (Fedora 7). On the server, user steve has a home directory of /home/steve, and the public directory is /home/samba/public. The shares are mounted from the client fstab like this: //nemesis/steve /mnt/cifs/myhome cifs credentials=/etc/fstab.cifs 0 0...

...uxhint.com/git_merge_noff_option/ > > > > We've done both and I personally prefer the strict linear history by a > > lot. It's just much easier to understand a linear history. > > > > Agreed. Let's go with option #1. > > What is the practical plan to enforce the lack of merges? When we looked into this GitHub would not support this unless also forcing every change to go through a pull request (i.e. no pre-receive hooks on direct push to master were possible). Did this change? Are we hoping to get support from GitHub on this? We may write this rule in...

Hi, The Solaris password requirements like a. no empty password b. minimum 6 chars etc for a regualr user are not enforced when a password expired user is changing password at the SSH login prompt. The version of openSSH I am using is 3.8.1 and Solaris 8 is where the sshd is running. Is anybody aware of this problem? Is there some configuration option I can use to enforce these password requirements? If its a bug,...

...tly is the problem we're >> talking about, and how do we know it impacts ZFS? >> [Something more than a single one-liner in that bug report?] HFvs> Indeed, I only find that one line. I can try to find out. >> Is the extent of the issue that quotas won't work, while enforced from Samba >> against a ZFS volume? >> Can someone perhaps enlighten me? :) HFvs> The explaination is: I'll quote the whole thing, because it's useful. --- @JA That's because the concept of a btrfs "subvolume" completely breaks the POSIX idioms...

...ed on IRC whether this was possible, because I was unable to find this on the Wiki. It turns out there is a configuration switch called `disable_plaintext_auth', but looking at the description this only prevents people from using plain-text username/password authentication. It does not actually enforce TLS or SSL. My question: is there support to enforce TLS when people connect to non-SSL ports? If someone comes up with a solution, I'll add it to the SSL article on the Wiki. I'm using Dovecot 1.1.7, installed on a FreeBSD 6.4-STABLE system. Thanks! -- Ed Schouten <ed at 80386.nl&...

...gt; <cfe-dev at lists.llvm.org> wrote: > > > > Hi, > > > > I would like to follow up on the previous thread[1], where there was a > consensus > > to disallow merge commits in the llvm github repository, and start a > discussion > > about how we should enforce this policy. > > > > Unfortunately, GitHub does not provide a convenient way to fully enforce > this policy. > > We can enforce it for pull requests, but not for direct pushes to the > master branch, > > so we will have to come up with our own solution if we want to &g...