similar to: Selinux policy for puppet

Displaying 20 results from an estimated 4000 matches similar to: "Selinux policy for puppet"

2008 Apr 17
4
looking for a way to remove module interdependencies
Hello List, I'm running into an issue with puppet where I don't know how to solve correctly. We're managing applications and our monitoring (nagios) using puppet using the following schema: class nagios { // ensure nrpe is installed // export a host definition nagios::check { 'ping': } nagios::check { 'load': } ...
2008 Apr 11
7
problem with package function and removing rpms
I have a recipe that I'm ensuring that I remove rpms that may be installed by CentOS/RHEL before I install the MySQL.com rpms. the recipe and logs are listed below. For testing I have mysql-* rpms already installed. Is there a method to force specific order to run the recipe? What am I doing wrong? # install mysql rpms (not CentOS/RHEL versions) # PROCESS: # - removes any CentOS/RHEL
2008 Apr 11
2
Fake FQDN for puppetmaster (and ca) in faked environment?
Hi there, We have a fake environment in which we test software and config before rolling it out to prod. Here, we have a fake puppetmasterd running, serving the new config under test. But we're having trouble with certificates. Is it possible to specify via config what fqdn the puppet ca should use for itself? We need this to be a different (faked) fqdn than the real name of the
2009 Jul 27
2
postfix keeping mail in queue on delivery error
Hello, Our mail server is running CentOS 5.3. I configured postfix with maildrop as the MDA. I had to deal with a strange issue : a user sent an email to an alias, which resolves into several internal addresses. One of these addresses had its mbox filled up (reached the mailbox_size_limit); so maildrop reported a 0x19 error code to postfix, who kept the mail in its queue, and repeatedly resent
2009 Jan 29
32
Facter - the future - your input needed
Hi all We're currently looking at the next release of Facter and the future direction of the tool. I'd like to try and prompt some discussions on facter and what people want from it. As a starter here's some (although not all) of the ideas we'll be working through: 1. Namespaces - add a namespace or tiered
2008 Apr 10
4
New Feature Request
Hi puppet masters, while working on my site I came across a requirement that might be helpful for others as well.... With the aim of confining human errors as much as possible, I thought that it would be nice to have yum repositories disabled so that specific repositories could be enabled for certain packages. This is easily implementable via command-line, but I found that the
2018 Jul 05
2
shellinabox
hi guys, shellinabox, do you use it? I in pretty vanilla setup get selinux denials and cannot login. Selinux says: #============= unconfined_service_t ============== #!!!! The file '/usr/bin/bash' is mislabeled on your system. #!!!! Fix with $ restorecon -R -v /usr/bin/bash allow unconfined_service_t unconfined_t:process transition; but that does not seem right to me, to allow such a
2012 Aug 01
1
SELinux : please explain ...
Hello, This is somehow off-topic, since the problem appears on a modified CentOS-6.2 (turned into a xen-4.1 host) : I get SELinux errors, and I'm not able to understand them. From audit2why : type=AVC msg=audit(1343724164.898:298772): avc: denied { mac_admin } for pid=12399 comm="restore" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2009 Jul 29
2
postfix and mail origin checks
hi, What's the 'robust' way to make sure email to a specific destination is only accepted if it came over the localhost:25 or /usr/sbin/sendmail route ? anything else should get a 5xx error. Emails to other destinations should remain unaffected. Using postfix/c4. Had a look around, and header_checks might be one way to go. -- Karanbir Singh : http://www.karan.org/ : 2522219 at icq
2011 Mar 04
1
Images for CentOS Documentation
I'm currently porting the public and free parts of Red Hat Documentation to CentOS. Being unable to do anything graphics-related, I need someone to provide the following images: logo.svg 300x140 CentOS Logo image_left.png 124x39 CentOS Logo image_right.png 120x41 CentOS Documentation Logo (to be designed) Thank you! Regards, Andreas -- Solvention Ltd. & Co. KG Egermannstr. 6-8 53359
2009 Feb 18
7
question on hwclock
I am trying to hwclock to set the time. (hwclock -w) this is what I get on standard 5.2 x86_64. hwclock --debug hwclock from util-linux-2.13-pre7 hwclock: Open of /dev/rtc failed, errno=19: No such device. No usable clock interface found. Cannot access the Hardware Clock via any known method. [root at devcentos5x64 src]# ls -l /dev/rtc crw------- 1 root root 10, 135 Feb 6 13:32 /dev/rtc Any
2008 Apr 07
2
CentOS, Postgres init and puppet
Me again! I have a recipe that looks like: class postgresql { file { pg_hba_conf: name => "/var/lib/pgsql/data/pg_hba.conf", source => "puppet://puppetmaster/files/workstations/common/var/lib/pgsql/data/pg_hba.conf", owner => postgres, group => postgres, mode => 600, subscribe => [ Package[postgresql] ],
2014 Jan 13
1
Re: Livecd-creator is disabling selinux
[Moving this to the libguestfs mailing list] On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/13/2014 11:49 AM, Richard W.M. Jones wrote: > > On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote: > >> Secondly we prevent even unconfined_t from putting down labels on the > >>
2013 Nov 05
3
echo 0> /selinux/enforce
When does echo 0 > /selinux/inforce need to be used? I.e., where is selinux enforcing itself on the system to protect it? When I do yum install of some package, it seems to work (not being blocked). When would doing something not work because selinux is watching it (or whatever that process is doing)? Thanks, -wes
2009 Aug 12
1
[PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context
These commands let you set and get the SELinux context of the daemon and all operations in the API and processes run from the daemon: $ ./fish/guestfish --ro -a /dev/mapper/vg_trick-F11x64 \ selinux 1 : \ run : \ mount /dev/vg_f11x64/lv_root / : \ sh "/usr/sbin/load_policy" : \ getcon : \ setcon "system_u:system_r:unconfined_t:s0" : \ getcon
2011 Jun 02
2
How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)
Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy: #============= httpd_t ============== allow httpd_t unconfined_t:shm { unix_read unix_write }; which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is
2006 Jan 23
4
su, context(selinux?) 2nd prompt
With a recent update of CentOS4, su's behavior has changed, in that after prompting for password, also prompts for (selinux?) context. I'm seeing something like: $ su Password: Your default context is root:system_r:unconfined_t. Do you want to choose a different one? [n] kde's kdesu barfs on this second prompt. Any way to disable this second prompt? -- Rex
2006 Jan 19
2
error in centos 4.2
hi i just installed my system then shut it down. after booting it up i can't login to root so i did a linux rescue with the CD and when i tried to type passwd this error message appear? "user_u:system_r:unconfined_t is not authorized to change the password of root" -- Regards, Mark Quitoriano, CCNA Fan the flame... http://www.spreadfirefox.com/?q=user/register&r=19441
2011 Mar 22
25
RFC: Splitting up the file{} type functionality.
The file{} type can do all of the following: * manage single files * manage directories * manage symlinks * manage recursive file copies The intersection of all these bits of functionality makes it difficult to understand exactly what is going on when you're new to Puppet, and even experienced users often don't know how combining symlinks/content management is going to work.
2009 Aug 11
1
selinux question and answer
This is continuing/summarising a rather long discussion that happened on IRC ... We talked to some SELinux experts about what was required to make SELinux work with libguestfs, and it seems reasonably simple to load the policy from the guest filesystem. All that needs to be done is to mount the guest disks up and then run: sh "/usr/sbin/load_policy -i" That command also mounts up