Re: firewalld this doesn't seem right....
by Ed Greshko
On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
> On 10/01/2012 07:34 PM, Ed Greshko wrote:
> > On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
> >> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko(a)greshko.com> wrote:
> >>> I just started playing around with firewalld and I found something that
> >>> doesn't seem right to me.
> >>>
> >>> If any user starts firewall-applet and then selects "Block all network
> >>> traffic" it will do as asked without any prompt for root's password or
> >>> any other authentication.
> >>>
> >>> This seems crazy to me.
> >> Does the opposite work? Can the person turn off the firewall?
> >>
>
> > I imagine that the on/off setting is what is labeled "Shields UP". Not
> > sure of their jargon. But, here is the "strange" thing.
>
> > When the applet is started the "Shields UP" is unchecked. But, for sure
> > the firewall is running.
>
> > If you check the box, you get an authentication dialog. If you hit
> > "cancel" I would expect the box to remain unchecked. However, it switches
> > to being checked....even though nothing is done.
>
> > Checking the box and providing the root password results in an error message
> > (iptables: Invalid argument) in the terminal where the applet was started
> > as well as an selinux AVC denial.
>
> > Uggh...
>
> What is the SELinux denial?
type=AVC msg=audit(1349049826.875:414): avc: denied { getattr } for pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1349049827.010:415): avc: denied { getattr } for pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
--
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rick Cook, The Wizardry Compiled
11 years, 6 months
Problems that sound to me really chinese
by Zoltan Hoppar
Hi
I have noticed lately as the new kernels are arriving, that randomly
freezing out my touchpad, and makes my laptop partially unusable. I
have checked the messages file in var/log and I have found some
interesting repeating problem in log. Please help me in feedback which
one can cause inside my machine problems... I have few suspects, so
let me list it here. The question is the same these are known bugs, or
not bugs, just I can't read and fix them?
1. suspect - How can I handle this, and set apic to 500? My CPU is AMD
MII-320, dual core.
[Firmware Bug]: cpu 1, try to use APIC500 (LVT offset 0) for vector
0x400, but the register is already in use for vector 0xf9 on another
cpu
kernel: [11175.283803] perf: IBS APIC setup failed on cpu #1
2. suspect - Upowerd
upowerd[884]: (upowerd:884): GLib-CRITICAL **: g_ascii_strcasecmp:
assertion `s1 != NULL' failed
3. suspect - systemd
TIFIER=systemd[1]: Reloading.
TIFIER=systemd[1]: Cannot create mount unit for API file system
/sys/kernel/security. Refusing.
4. suspect - udevd - this message fills the log file mostly.
udevd[3337]: specified group 'plugdev' unknown
Help....
Thanks,
Zoltan
--
PGP: 06853DF7
11 years, 6 months
Setting fonts for Xterm from Xresources
by Marco Guazzone
Hello,
I'm running Fedora 17 x86_64.
I have problems to set the font type to be used in XTerm from Xresources:
I edited my ~/.Xresources in order to set the font face (resource
"faceName") and size (resource "faceSize").
Here below is the output of "xrdb -query -all":
--- [out] ---
XTerm*background: #ffffff
XTerm*color0: #000000
XTerm*color1: #a31515
XTerm*color10: #fd9b43
XTerm*color11: #00af00
XTerm*color12: #335d85
XTerm*color14: #389fa0
XTerm*color15: #4daca3
XTerm*color2: #1c9075
XTerm*color3: #0000ff
XTerm*color4: #008000
XTerm*color5: #963c59
XTerm*color6: #2b91af
XTerm*color7: #00ff00
XTerm*color8: #ff0000
XTerm*color9: #d25f50
XTerm*faceName: "Inconsolata"
XTerm*faceSize: 12
XTerm*foreground: #000000
XTerm*geometry: 80x24
XTerm*loginShell: true
XTerm*renderFont: true
XTerm*saveLines: 2000
XTerm*scrollBar: false
XTerm*visualBell: true
XTerm.color13: #d53d7a
Xft.antialias: 1
Xft.dpi: 96
Xft.hinting: 1
Xft.hintstyle: hintmedium
Xft.rgba: none
--- [/out] ---
As you can see, I specified the "Inconsolata" font for the resource
"faceName". However, XTerm seems to ignore it (yes, the font has been
installed from Fedora repo). I have also tried with other fonts, but I
obtain the same result.
If instead I specify the font from the command line (option "-fa"), it works.
Where am I wrong?
Thank you so much for your help.
Best,
-- Marco
11 years, 6 months
Choosing window manager for fc17
by Alex
Hi,
Some time ago I installed fc15 with gnome3 in fallback mode, I believe
it was called? Anyway, I'm working on migrating to fc17, and would
like to get an idea of other window managers that might now be
available, since from what I hear, gnome3 still sucks.
I'll probably install fc17 in a vm first to play around for a while,
so thought someone might know of a resource that describes the latest
window managers?
I have an ATI Radeon HD 5760, I believe. How well supported is that
now? I'm upgrading primarily because I can't get the HDMI output to
work on fc15, and really hope it's progressed since then.
I've searched for a window manager HOWTO, but haven't been able to
find much, so any pointers would be greatly appreciated.
Thanks,
Alex
11 years, 6 months
RE: att-uverse new, can't access internet
by Jackson Byers
what do you mean by stale DNS? how to tell
ping 8.8.8.8 fails...
56(84) bytes of data
from 192.168.2.8.....destination host unreachable
resolv.conf looks normal to me, been using it for a long time
generated by network manager
search pacbell.net
nameserver 206.13.31.12
nameserver 68.94.156.1
I don't have em1
not using wless on f16box
ifconfig eth0
eth0 linkcap erhernet ,, HWaddr: ....
inet addr… 192.168.2.8 bcast 192.168.2.255 mask 255.255.255.0
UP..
errors 0
interrupts 20
--------
the only new info:
the imac now is running internet access ethernet , prev was on airport wless''
so, as of now, the imac seems to have survived the switch to att-uverse
which suggests f16 should be able to do also
but I have no clue
f16box still no internet
att today gave a runaround:
one tech said their normal support cant help at all w linux,
but for a one time charge $49, they could get me to
a support specialist,
after much crap on telephone finally get to this specialist,
he said they can't deal with linux either.
He 'thinks' we can get our $49 back.
please excuse sloppy format,
very painful transcribing f16 responses to paper,
then going back to wife's office, manually typing in
Jack
11 years, 6 months
Medical software
by Junayeed Ahnaf
Hello, I'm searching for a medical management software which has some basic config:
1. Will store the data offline, using libreoffice database perhaps.
2. Will be able to assign a token number against X Ray, CT scan report.
3. Will be able to lookup from another connected PC.
4. Can store some template prescription which can be worked on using the software.
5. Has to be free.
Can anyone name one please?
Junayeed Ahnaf Nirjhor
11 years, 7 months
Change default app. -
by Bob Goodwin
How do I change the default application for playing a video file
received from an iPhone [.mov]?
Presently I have to save it and play with vlc which works perfectly.
Something called "Parole" is all that is offered and I have never
succeeded in playing anything using it, considering just removing
it. Google describes methods for setting the default but they don't
seem applicable to XFCE and F-17/64.
Thanks,
Bob
--
http://www.qrz.com/db/W2BOD
box9
11 years, 7 months
selinux blocking ganglia-web
by Kevin H. Hobbs
I just replaced the machine that runs ganglia.
httpd is being prevented from connecting to gmond.
All that is displayed is:
There was an error collecting ganglia data (127.0.0.1:8652): fsockopen
error: Permission denied
There's a message in /var/log/messages that blames selinux every time I
load the page.
and sealert says that I could change the behavior by setting
allow_ypbind or httpd_can_network_connect
allow httpd_t unreserved_port_t:tcp_socket name_connect;
I can see how letting httpd make arbitrary connections is bad, so how
can I punch a hole in the rule just for ganglia?
11 years, 7 months
Can't read Dovecot inbox!
by Arthur Dent
Hello,
I have just run yum update on my F17 server and it updated amongst other
things selinux and dovecot (and a new kernel).
I have rebooted, yet I cannot now ssh into it from outside my network, I
can't get mail from outside my network (accessing the dovecot IMAP
server running on the box) and from within my network I can access using
(for example) my Evolution client, all the folders which are held under
~/mail (and into which procmail filters stuff), but I CANNOT access the
INBOX (/var/spool/mail/mark).
In Evolution, I can see the mail that was there, but if I click on any
of the emails it refuses to display the email.
There were some of these in /var/log/dovecot:
========================================8<=============================
Sep 30 14:25:37 imap-login: Warning: Auth process not responding, delayed sending greeting: user=<>, rip=192.168.2.4, lip=192.168.2.2, TLS, session=<PbZ2OevKiADAqAIE>
Sep 30 14:25:57 imap-login: Error: Timeout waiting for handshake from auth server. my pid=1405, input bytes=0
Sep 30 14:25:57 imap-login: Info: Disconnected: Auth process broken (disconnected before greeting, waited 30 secs): user=<>, rip=192.168.2.4, lip=192.168.2.2, TLS, session=<BIJ2OevKhwDAqAIE>
Sep 30 14:25:57 imap-login: Error: Timeout waiting for handshake from auth server. my pid=1406, input bytes=0
Sep 30 14:25:57 imap-login: Info: Disconnected: Auth process broken (disconnected before greeting, waited 30 secs): user=<>, rip=192.168.2.4, lip=192.168.2.2, TLS, session=<PbZ2OevKiADAqAIE>
========================================8<=============================
But the most recent attempt to login with Evolution simply produced
this:
========================================8<=============================
Sep 30 14:57:34 imap-login: Info: Login: user=<helena>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.2, mpid=2264, TLS, session=<C2XAq+vKlgDAqAIE>
Sep 30 14:57:34 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.2, mpid=2265, TLS, session=<WnHAq+vKlQDAqAIE>
========================================8<=============================
Which seems OK
doveconf -n shows:
========================================8<=============================
# doveconf -n
# 2.1.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.5.4-2.fc17.i686.PAE i686 Fedora release 17 (Beefy Miracle)
disable_plaintext_auth = no
log_path = /var/log/dovecot
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
========================================8<=============================
Help! What do I do - I need to be able to access my mail!
Thanks in advance
Mark
11 years, 7 months
Re: A note on youtube-dl
by Marko Vojinovic
On Monday, 1. October 2012. 8.50.53 Reindl Harald wrote:
> On 01.10.2012 03:11, Marko Vojinovic wrote:
> > Ok, folks, look, the file-in-/tmp method doesn't work for some time now,
> > since the flash plugin used to delete the file as soon as it was created
> > (and before any data has been copied into it). The way to go then is to
> > grep the output of ps to find the PID of the flash plugin, then go into
> > the /proc/PID/fd, dig out the file descriptor of the deleted file
> > containing the video, then copy it somewhere else. That's what the script
> > does, or at least used to do.
> what the hell - why should youtube-dl touch flash or a webbrowser?
> how would this work without X11 in a terminal?
> hint: it would not
>
> youtube-dl is a STANDALONE script and that is why it needs
> to get updated after changes in the way youtube works
Yes, you are right, sorry, the script isn't doing what I described, it's more
involved.
But my point was that manually copying the file from /tmp doesn't work either,
and one needs to dig deep in order to steal the file from the flash plugin.
Best, :-)
Marko
11 years, 7 months