From dmitry at athabascau.ca Mon Nov 7 20:58:40 2011
From: dmitry at athabascau.ca (Dmitry Makovey)
Date: Mon, 07 Nov 2011 13:58:40 -0700
Subject: RPM to include SELinux information?
Message-ID: <201111071358.43513.dmitry@athabascau.ca>

Hi,

I'm trying to build RPM that deploys application into SELinux environment,
for it to work I need to label $application_dir with httpd_sys_content_t so
that httpd can read it.

What is the best approach to this? Adding

    %postinst
    chcon -t httpd_sys_content_t $application_dir

seems kind of hacky, are there any macros (like %attr) that could help?

So far quick look at fedora and RH documents yielded no results, I may have
missed something though so please let me know if I did.

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330

From lists at alderfamily.org Mon Nov 7 22:18:39 2011
From: lists at alderfamily.org (lists at alderfamily.org)
Date: Mon, 7 Nov 2011 17:18:39 -0500
Subject: RPM to include SELinux information?
In-Reply-To: <201111071358.43513.dmitry@athabascau.ca>
References: <201111071358.43513.dmitry@athabascau.ca>
Message-ID: <002201cc9d9b$34c773c0$9e565b40$@alderfamily.org>

I know this doesn't answer your question regarding spec file contents; and
I see your issue. But you might want to check out the "semanage" command.
"chcon" isn't going to persist if selinux does a relabel (which happens
regularly in some environments).

You might want to check out the section "5.7.2 Persistent Changes: semanage
fcontext" here.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Beta-Security-Enhanced_Linux-en-US.pdf

Steve Alder - RHCE

From dmitry at athabascau.ca Mon Nov 7 23:10:53 2011
From: dmitry at athabascau.ca (Dmitry Makovey)
Date: Mon, 07 Nov 2011 16:10:53 -0700
Subject: RPM to include SELinux information?
In-Reply-To: <002201cc9d9b$34c773c0$9e565b40$@alderfamily.org>
References: <201111071358.43513.dmitry@athabascau.ca>
 <002201cc9d9b$34c773c0$9e565b40$@alderfamily.org>
Message-ID: <201111071610.57115.dmitry@athabascau.ca>

On Monday, November 07, 2011, lists at alderfamily.org wrote:
> I know this doesn't answer your question regarding spec file contents; and
> I see your issue. But you might want to check out the "semanage" command.
> "chcon" isn't going to persist if selinux does a relabel (which happens
> regularly in some environments).
>
> You might want to check out the section "5.7.2 Persistent Changes: semanage
> fcontext" here.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Beta-Security-Enhanced_Linux-en-US.pdf

thanks Steve!

after a bit of browsing around I have compiled a list of resources (in case
others are looking):

* Fedora SELinux documentation
* Fedora SELinux FAQ
* Fedora's Adding SELinux support to your package
* RedHat EL6 SELinux Guide
* Daniel J Walsh Managing RedHat Enterprise Linux

and what I get is that indeed, as you suggested "semanage fcontext" needs to
be worked into the %post and %postun scriptlets but it looks... not natural?
After being able to do:

    %attr(755,user,group) /blah/foo

adding "semanage fcontext" commands into %post* scriptlets is virtually equal
to replacement of %attr invocations with explicit chmod and chown in %post*
sections :(

Reading changelogs for rpm itself
( http://rpm.org/wiki/Releases/4.9.0#SELinuxpolicies ), it sounds like 4.9.0
introduces "...%sepolicy section" while deprecating "%policy". EL6 comes with
rpm-4.8.x. A bit of poking shows:

http://selinuxproject.org/page/RPM#.25policy_section

Does it mean it's applicable in EL6? SELinux Wiki is referencing Git repo but
fails to mention what would be the corresponding version. Is it even
advisable to use %[se]policy at all (if they are implemented) or should we
use "crutches" in %post* sections?

We're starting to switch over to SELinux enforcement so we've got quite a few
packages to go through and would rather do it "right" and "portable" the
first time. Offloading policy management to RPM rather than scripting things
ourselves is something that would definitely help in the long run.
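The approach discussed in the SELinux thread above, as an added example that is not from any of the posters: a spec fragment that registers the label persistently with "semanage fcontext" in %post, applies it with restorecon, and drops the rule in %postun only on final erase. The /opt/myapp path and the app_dir macro are hypothetical, and the file dependencies assume the EL6 locations of semanage and restorecon.

```spec
# Added example; /opt/myapp and app_dir are hypothetical names.
%global app_dir /opt/myapp

# Pull in the tools the scriptlets call, by their EL6 paths (assumption).
Requires(post):   /usr/sbin/semanage, /sbin/restorecon
Requires(postun): /usr/sbin/semanage

%post
# Record a persistent file-context rule in the local policy store, so the
# label survives a full relabel (a bare chcon does not). On upgrade the
# rule already exists and the add fails harmlessly, hence "|| :".
semanage fcontext -a -t httpd_sys_content_t '%{app_dir}(/.*)?' 2>/dev/null || :
# Apply the recorded rule to the files that were just installed.
restorecon -R %{app_dir} || :

%postun
# $1 is 0 only on final erase; on upgrade the rule has to stay in place.
if [ $1 -eq 0 ]; then
    semanage fcontext -d -t httpd_sys_content_t '%{app_dir}(/.*)?' 2>/dev/null || :
fi

%files
%defattr(-,root,root,-)
%{app_dir}
```

After installing such a package, "ls -Zd /opt/myapp" shows the applied label and "semanage fcontext -l" lists the recorded rule.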

From dmitry at athabascau.ca Fri Nov 18 21:12:53 2011
From: dmitry at athabascau.ca (Dmitry Makovey)
Date: Fri, 18 Nov 2011 14:12:53 -0700
Subject: RHEL6 as a NAS?
Message-ID: <201111181412.56323.dmitry@athabascau.ca>

Hi everybody,

we're building our mini-NAS in-house appliance based on RHEL6. Its main
purpose is to provide storage to test/devel servers/VMs. After attending
LinuxCon in Vancouver it sounds like most places are using NFS as a
"quick-fix". What I dislike about NFS idea so far is implementation of NFS4
hinges on kerberos availability (and I'd rather not poke there). We were
considering iSCSI as well, but it sounded like it's not "prime-time ready"
(?).

Any other alternatives that are available on RH platform out-of-the-box
without having to purchase separate license for clustering platform etc.?
FCoE? Considering it's the test systems we're not too concerned at the moment
about selection, but realistically we'd like to expand that experiment over
into production one day so working with something fairly stable and
expandable from start would be a bonus.

P.S.
Saw that RH purchased Gluster. Does it mean we may get gluster as part of
RHEL subscription?

From root at nachtmaus.us Sat Nov 19 05:32:33 2011
From: root at nachtmaus.us (david klein)
Date: Fri, 18 Nov 2011 23:32:33 -0600
Subject: RHEL6 as a NAS?
In-Reply-To: <201111181412.56323.dmitry@athabascau.ca>
References: <201111181412.56323.dmitry@athabascau.ca>
Message-ID:

You may find that FreeIPA in RHEL 6,2 is a pretty painless way to setup
Kerberos, LDAP and NFSv4, and integrates them nicely. This would allow you
to have the benefits of central authentication and secure filesystem export.

The big difference between NFS and ISCSI is that NFS exports a filesystem,
while ISCSI exports a raw disk slice or the virtual equivalent thereof.
Both are ready for prime-time, though NFS has had a much longer history, so
it is very mature.

While NFS does not require Kerberos, it benefits *A* *LOT* from a
centralized identity/authentication/authorization.

-DTK

-- 
david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

From dmitry at athabascau.ca Wed Nov 23 17:28:47 2011
From: dmitry at athabascau.ca (Dmitry Makovey)
Date: Wed, 23 Nov 2011 10:28:47 -0700
Subject: RHEL6 as a NAS?
In-Reply-To:
References: <201111181412.56323.dmitry@athabascau.ca>
Message-ID: <201111231028.51009.dmitry@athabascau.ca>

On Friday, November 18, 2011, david klein wrote:
> You may find that FreeIPA in RHEL 6,2 is a pretty painless way to setup
> Kerberos, LDAP and NFSv4, and integrates them nicely. This would allow you
> to have the benefits of central authentication and secure filesystem
> export.
>
> The big difference between NFS and ISCSI is that NFS exports a filesystem,
> while ISCSI exports a raw disk slice or the virtual equivalent thereof.
> Both are ready for prime-time, though NFS has had a much longer history, so
> it is very mature.
>
> While NFS does not require Kerberos, it benefits *A* *LOT* from a
> centralized identity/authentication/authorization.

considering we have no user accounts on machines and that space will mostly
be used by services - central auth is no priority. What we're really shooting
for is speed and some level of security (encryption?).

From grants at al.com.au Fri Nov 25 05:30:54 2011
From: grants at al.com.au (Grant Street)
Date: Fri, 25 Nov 2011 16:30:54 +1100
Subject: RHEL6 as a NAS?
In-Reply-To: <201111231028.51009.dmitry@athabascau.ca>
References: <201111181412.56323.dmitry@athabascau.ca>
 <201111231028.51009.dmitry@athabascau.ca>
Message-ID: <4ECF280E.5000409@al.com.au>

On 11/24/2011 04:28 AM, Dmitry Makovey wrote:
> On Friday, November 18, 2011, david klein wrote:
>> You may find that FreeIPA in RHEL 6,2 is a pretty painless way to setup
>> Kerberos, LDAP and NFSv4, and integrates them nicely. This would allow you
>> to have the benefits of central authentication and secure filesystem
>> export.
>>
>> The big difference between NFS and ISCSI is that NFS exports a filesystem,
>> while ISCSI exports a raw disk slice or the virtual equivalent thereof.
>> Both are ready for prime-time, though NFS has had a much longer history, so
>> it is very mature.
>>
>> While NFS does not require Kerberos, it benefits *A* *LOT* from a
>> centralized identity/authentication/authorization.
>
> considering we have no user accounts on machines and that space will mostly be
> used by services - central auth is no priority. What we're really shooting for
> is speed and some level of security (encryption?).
>

For VM's, have you thought of putting the Disk files (vmdk's) on NFS?
In a virtualisation standpoint it makes a lot of sense.

* benefit from host's file cache
* vmdk's are stored on a FS that can be managed remotely if needed
* Can be used as a simple "clustered" storage compatible for migrating vm's
  from one host to another.
* VM's can be easily moved from one host/cluster to another
* don't need to bother about LUN's, WWN, etc etc
* NFS is tolerant of brief network pauses because it uses TCP. We are able
  to keep VM's running while our core switch reboots and the VM's just pause
  their IO.

HTH