DevHeads.net

Postings by Sean

Brasero/cdrecord/growisofs with selinux users confined to staff_u

Hello CentOS / RedHat / IBM folks!

I am wondering if I can get a communication channel opened with
someone who can effect changes in upstream RHEL? I don't have
support accounts with RHEL, and use CentOS almost exclusively. I did
have a direct email conversation with Mr. Daniel Walsh regarding these
problems, but his answer was to create custom policy to allow what's
being denied, as there is no risk to doing so by his analysis.

What is the proper place for GDM related dconf settings now?

Hello,

It seems that with CentOS 7.6 and Gnome 3.28, a clean install of a
Workstation package profile does not build the /etc/dconf/db/gdm.d/
directory tree. I have several desktops in operation which we
kickstart built with an older 7.3/4/5 version of CentOS as the base
install media. These all have a dconf directory for gdm, and I assume
a dconf profile directory for gdm as well (though I admit it always
worked so I never cared about looking for it).

Is it possible to simulate mod_ssl crl checks by hand?

Hi,

Question: How do I craft an `openssl verify` command to test
validating the client's ssl cert in a way that mimics what apache is
actually doing based on the configuration directives in use?

I have been looking through the source code, but it's been over 25
years since I studied Kernighan and Ritchie in college and I'm
struggling to follow it through.

My assumption has been that `SSLCARevocationCheck chain` is equivalent
to `openssl verify -crl_check_all` whereas `SSLCARevocationCheck leaf`
is equivalent to `openssl verify -crl_check`, but this seems to be
complicated by the SSLCARevocationPat

Re: [CentOS] SElinux AVC signull

Hi Leon,

I don't have access to a CentOS 6.10 system handy, but it looks like a
policy issue. If I take your ausearch output and pipe it to
audit2allow on my CentOS 7.6 system, I get the following:

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_script_t:process signull;

Noting that on my 7.6 system with selinux enforcing with selinux
policy packages at version 3.13.1-229, it notes that your denial would
not happen.

high kworker CPU usage in 3.10.0-957 w/ Xorg nouveau driver?

Hi all,

I have a number of Gnome/X desktop workstations with NVidia GeForce GT
1030 adapters, dual monitors, Core I7 3770 quad-core hyper-threaded
CPUs, with 32GB of RAM. Most (haven't checked them all yet) are
exhibiting problems that include significant sluggishness with mouse
movement and typing as well as screen rendering problems happening
since upgrading from kernel 3.10.0-862.14.4.el7.x86_64 to
3.10.0-957.1.3.el7.x86_64. The users have seen this behavior after
logging into Gnome, but without any additional applications running
(Chrome/Firefox/LibreOffice, etc.).

NetworkManager, multiple IPs, and selinux...

Hello,

I was wondering if anyone has seen issues with selinux name_bind denials
that result from having IP:PORT bindings for services to specific IP
addresses managed on an interface under NetworkManager's control?

I do realize that people will probably say stop using NetworkManager, and I
may, but the behavior is strange, and I'd like to have a better
understanding of what's going on.

The config is like so:

# nmcli c mod eth0 ipv4.addresses 192.168.1.10/24,192.168.1.11/24
# nmcli c down eth0
# nmcli c up eth0
# getenforce
Enforcing
# systemctl start httpd
<errors> permission denied bindi

Firefox 60.0.1.0 ESR Progress?

Is there a way to track CentOS's progress on RHSA-2018-2113?

https://access.redhat.com/errata/RHSA-2018:2113

Thanks!

Will RHSA-2018:0980 hit CentOS repos soon?

Hi all,

RH published the advisory 2 weeks ago, according to
https://access.redhat.com/errata/RHSA-2018:0980. The main repo does not
appear to have the packages noted yet -
http://mirror.centos.org/centos/7/updates/x86_64/Packages/

We've been waiting on a few of these bugs to be fixed for some time. I
don't mean to be impatient, just looking for an ETA.

Thanks for all the great work the team does!