DevHeads.net

Postings by Daniel J Walsh

pam_cgfs.so support for Fedora?

Has anyone looked at supporting pam_cgfs.so in Fedora?

This question was asked here.

https://github.com/containers/libpod/issues/1429

In the OpenShift Origin/CRI-O/Kubernetes effort we have a dilemma.

Users of OpenShift Origin require CRI-O 1.10 right now.  But Kubernetes
users want to try out the latest packages for Kubernetes 1.11, which
would require CRI-O 1.11.  Origin might not be ready to move to
Kubernetes 1.11 for a while.

Bottom line, we want to be able to ship CRI-O 1.10.* and CRI-O 1.11.*
releases in the same Fedora 28.

I believe this is what Modularity was designed to fix.

Can I do this with Modularity?  If I can how do I use fedpkg to make
this happen?

Dan

I would like to propose that we turn on XFS Reflink in Fedora 29 by default

We are adding some features to container projects for User Namespace
support that can take advantage of XFS Reflink.  I have talked to some
of the XFS Reflink kernel engineers in Red Hat and they have informed me
that they believe it is ready to be turned on by default.

I am not sure who in Red Hat I should talk to about this?

Wrote a new blog for OpenSource.Com on evolution of containers.

https://opensource.com/article/17/7/how-linux-containers-evolved

If you like it, please social media this message out.

Changing default "docker" storage to Overlay2 in Fedora 26

Upstream docker is moving to overlay2 by default for its storage. We
plan on following suit. There are some performance advantages of
overlay2 over devicemapper in memory sharing, which we would like to
take advantage of.

Modifying container storage for Fedora 26.

We would like to change the docker container storage to default to
Overlayfs2 in Fedora 26. But we have a problem on Atomic Host and
Fedora Server distributions.

Currently docker-storage-setup defaults to devicemapper and is hard
coded to setup a thinpool of 40% of remaining disk. Otherwise it sets
up loopback devices on the root file system. Devicemapper is nice
since it works with thinpools and can automatically expand the storage
if the disk space is getting used up.

Moving to Overlay, we can more easily use the root file system directly,
which would be fine for Fedora Workstation.

New Article on Future Docker Security.

http://opensource.com/business/15/3/docker-security-future

I want to make Ryan Hallisey a co-maintainer of policycoreutils.

He is not currently in the packager list. But he does not have a
package that needs to be added to Fedora. He is just making changes to
policycoreutils?

What is the procedure to get him on the packager list for this package?

Dan

Time to start blogging on all of the new Security features in Fedora 21

If you have one, please send it to me with some explanation of what it
is and why it is important.

Anyone know how to get rsyslog to not use journald but to listen on /dev/log again?

We need this for running rsyslog within a docker container where
systemd/journald might not be running.

https://bugzilla.redhat.com/show_bug.cgi?id=1139734

Docker problems with CentOS 6 image based on libselinux.

People are reporting problems in Fedora about using CentOS/RHEL6 images.

https://bugzilla.redhat.com/show_bug.cgi?id=1098120

The problem is the libselinux in the CentOS image is reporting that
SELinux is enabled to processes running within the container. Tools
like useradd and groupadd attempt to write to /proc/self/attr/* files
in order to set up proper labeling for SELinux. Since /proc is now
mounted read-only within the docker containers, the writes are denied
and useradd/groupadd fail.

I wrote the attached patch for RHEL6 libselinux to get RHEL6 images to
work properly.

We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen. Systemd then triggers a
require for udev and kmod, which docker containers do not need.

rpm -q --whatrequires systemd | wc -l
151

On rawhide I see 151 packages on my system which require systemd.

We have a couple of options. We could add a package called fakesystemd
which provides a /usr/bin/systemctl that does nothing and does a
"Provides: systemd" in the specfile.

I want to turn on a part of the kernel to make SELinux checking more stringent.

I wrote a systemd unit file to enable it, and to allow a user to disable the
feature if he wants.

# cat /usr/lib/systemd/system/selinux-checkreqprot.service
[Unit]
Description=SELinux check actual protection flags applied by kernel, rather than checking what application requested.

[Service]
Type=oneshot
RemainAfterExit=yes
# Default when /etc/selinux/config does not set CHECKREQPROT
Environment="CHECKREQPROT=0"
# Optional override file; the leading "-" means a missing file is not an error
EnvironmentFile=-/etc/selinux/config
ExecStart=/bin/sh -c '/bin/echo $CHECKREQPROT > /sys/fs/selinux/checkreqprot'

I would like to enable this service on the post install of an initial install
of libselinux.

There used to be a way to minimize the address section on Thunderbird

This seems to have gone away from Fedora 20/21 thunderbird.

rpm -q thunderbird
thunderbird-24.0-3.fc21.x86_64

Is this intended? Is this a bug? Is there a setting where I can turn this
back on?

Wasting this screen real estate on a small screen is painful.

I am thinking of adding compression to libselinux

Basically looking at compressing the policy file to shrink SELinux footprint
in the minimal install/cloud image.

Currently the policy modules (pp files) are shipped with bzip compression but
the actual policy file.

But the /etc/selinux/targeted/policy/policy.29 is not compressed. systemd and
load_policy use libselinux to read in the policy file and load it into the
kernel, so since systemd currently uses libxz, I figured this would be the
best solution to add libxz support to libselinux.

ls -l /etc/selinux/targeted/policy/policy.29*
- -rw-r--r--.

Anyone bought the Clover sunbook and made Fedora run on it?

I have dreamed for years of buying a laptop that I can actually use outside,
but I don't want to run Windows on it.

It is a little steep at 700 + 75 for ssd.

http://www.sunbook.us/?gclid=CPe1_ZPWqbcCFQdk7Aod9AMA0g

Does -devel package name only indicate "C" development packages?

https://bugzilla.redhat.com/show_bug.cgi?id=962081

I have a request to change the name of selinux-policy-devel to
selinux-policy-devel-support, since

"everywhere else in the distro -devel means just header files in c and not any
other development tools and we have several scripts that assume that's the case."

selinux-policy-devel contains interface files and tools required to build
selinux-policy.

Each Fedora release I do a series of blogs on New Security Features coming in the next Fedora.

I need ideas for what to write about in Fedora 19. Could people send some to me?

If you google "security features site:danwalsh.livejournal.com" you will see
a lot of the past blogs.

Things I have covered in the past in addition to SELinux advances, systemd
improvements, journald, kerberos moving the cache, FreeIPA integration with
ActiveDirectory, audit improvement, libvirt/containers ...

Thanks.

Orphaning libmatchbox

Since sandbox has moved over to use openbox (someday I dream of it using
gnome-shell), I no longer need libmatchbox, and since I believe sandbox was
the last app to require it, we could probably retire the package, unless
anyone else needs it.

Is there a reason we do not turn on the file system hardlink/symlink protection in Rawhide?

sysctl -a | grep protected
fs.protected_hardlinks = 0
fs.protected_symlinks = 0

Customizing Firefox Search.

Anyone know of a way to build a customized search into firefox? Basically I want
to set up a search pull down which is hard coded to a particular site.

For example, add a menu item called
MyBlog

And whatever I put into the search window ends up going to google as

$SEARCHTEXT site:danwalsh.livejournal.com

Anyone have any idea why apps are starting to search /proc/sys/vm?

https://bugzilla.redhat.com/show_bug.cgi?id=863258
https://bugzilla.redhat.com/show_bug.cgi?id=863257

As we develop SELinux we are adding new labels to homedir content

We have added file trans by name rules to policy to fix a lot of
files/directories being created with the correct label.

We have problems on Distribution updates (F16-F17) though, where there are
files/directories in the homedir that are mislabeled.

We have "restorecond -u" which we run in F15/F16 which examines the homedir
and fixes any files/directories it finds mislabeled in ~.

On F16 and F17 I am seeing lots of apps requiring access to /sys/devices/system/cpu/online

Anyone know what library is causing this?

type=AVC msg=audit(1322851411.945:2185): avc: denied { read } for
pid=1499 comm="dbus-daemon" name="online" dev=sysfs ino=34
scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=PATH msg=audit(1322851411.945:2185): item=0
name="/sys/devices/system/cpu/online" inode=34 dev=00:10 mode=0100444
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0
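To answer "which processes are hitting this object" from the raw audit records above, here is an added example (not from the original post) that parses AVC denial lines into fields and counts denials per (comm, scontext) for a given object name. The sample records are the two audit lines quoted on this page, each joined onto a single line; the type=PATH record is included to show that non-AVC records are skipped.

```python
"""Parse SELinux AVC denial records (audit.log format) and summarise
which processes were denied access to a named object."""
import re
from collections import Counter

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def denials_by_process(lines, target_name):
    """Count (comm, scontext) pairs that were denied access to objects named target_name."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("name") == target_name:
            counts[(rec["comm"], rec["scontext"])] += 1
    return counts


# Sample input: the audit records quoted in the posts on this page, one record per line.
SAMPLE = [
    'type=AVC msg=audit(1322851411.945:2185): avc: denied { read } for pid=1499 comm="dbus-daemon" '
    'name="online" dev=sysfs ino=34 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=PATH msg=audit(1322851411.945:2185): item=0 name="/sys/devices/system/cpu/online" inode=34 '
    'dev=00:10 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0',
    'type=1400 audit(1279559591.480:31): avc: denied { read } for pid=526 comm="udevd" name="/" '
    'dev=autofs ino=9519 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:autofs_t:s0 tclass=dir',
]

if __name__ == "__main__":
    for (comm, ctx), n in denials_by_process(SAMPLE, "online").items():
        print(f"{comm} ({ctx}) denied {n} time(s) on 'online'")
```

Run it against `grep avc /var/log/audit/log` output to see which domains need a policy decision for a given file.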

I am running a rather locked down environment

I do not allow services to run on my desktop to listen on networks,
using SELinux user staff_t in rawhide.

Proposing Fedora Feature for private /tmp and /var/tmp for all systemd services in Fedora 17.

It seems to be a weekly occurrence of a new CVE for some app that uses
/tmp insecurely.

I have been on a crusade for years to stop privileged services from
using /tmp and /var/tmp. These services can potentially be
interfered with by unprivileged users, potentially leading to privilege
escalation. The only server applications that need to use /tmp
should be for communicating with users.

Did gtkhtml2 package disappear?

policycoreutils has broken dependencies in the rawhide tree:
On x86_64:
policycoreutils-gui-2.1.5-2.fc17.x86_64 requires gtkhtml2
On i386:
policycoreutils-gui-2.1.5-2.fc17.i686 requires gtkhtml2
Please resolve this as soon as possible.

Could I get a proven tester to test these packages so I can release them to F16?

checkpolicy-2.1.3-1.fc16
policycoreutils-2.1.4-2.fc16
libsemanage-2.1.2-1.fc16
libselinux-2.1.4-2.fc16
libsepol-2.1.1-1.fc16

This is a little test program that will take

This program takes three inputs.

The executable that init will exec.
The directory where the executable would create the object. (fifo_file,
sock_file, file ...)
The "type" of the object to be created

In order to test this, you need to tell setsockcon the context to run as.

/var/run/avahi-daemon sock_file
/usr/sbin/avahi-daemon system_u:system_r:avahi_t:s0
system_u:object_r:avahi_var_run_t:s0

/var/run file
/usr/sbin/httpd system_u:system_r:httpd_t:s0
system_u:object_r:httpd_var_run_t:s0

Question on SELinux AVC messages with systemd.

I am noticing the following in F14

type=1400 audit(1279559591.480:31): avc: denied { read } for pid=526
comm="udevd" name="/" dev=autofs ino=9519
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=1400 audit(1279559595.968:35): avc: denied { read } for pid=880
comm="blkid" name="/" dev=autofs ino=9522
scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1279559629.289:59): avc: denied { read } for
pid=2013 comm="vgchange" name="/" dev=autofs ino=9522
scontext=system_u