domg472's profile - activity

2018-03-12 06:16:03 -0600 received badge  Good Answer (source)
2018-03-12 06:16:03 -0600 received badge  Nice Answer (source)
2016-09-06 07:02:52 -0600 received badge  Guru (source)
2016-09-06 07:02:52 -0600 received badge  Great Answer (source)
2015-04-01 14:39:24 -0600 received badge  Good Answer (source)
2014-04-18 06:16:58 -0600 received badge  Great Answer (source)
2014-04-18 06:16:58 -0600 received badge  Guru (source)
2014-03-30 21:07:05 -0600 received badge  Nice Answer (source)
2013-12-14 06:44:53 -0600 commented question xcf thumbnailer not working

Could also be an SELinux policy issue since I suspect it's covered by SELinux. Do the thumbnails generate in permissive mode? (e.g.) Reproduce thumbnail generation in permissive mode. If it works in permissive mode but not in enforcing mode then it is SELinux blocking. Let me know if that is the case so that I can provide further instructions

2013-12-05 10:38:40 -0600 commented answer selinux-policy-targeted update

It is not dangerous, no, but it is not a real solution either. Sooner or later you may want to update the policy configuration. I cannot think of any other reason why updating policy would take so long. Maybe there is not enough RAM available.

2013-11-25 13:46:06 -0600 answered a question selinux-policy-targeted update

No, see if in /etc/selinux/semanage.conf this is set: "expand-check=0"

If it's set to 1 or unset then things could take much longer

2013-11-25 13:31:42 -0600 answered a question User with uid lower than 1000 showing in GDM user list.

Set the login shell to /sbin/nologin so that gdm can determine that this is not a valid login user

2013-11-25 11:27:44 -0600 commented question ZFS Permission denied

Could be SELinux related.

Are there any AVC denials in your audit.log or dmesg when you boot up the system in permissive mode?

You can boot up in permissive mode by going into the grub menu, press e to edit the current kernel boot line, append "enforcing=0" then press F10 to boot

After you have booted, check dmesg for AVC denials: dmesg | grep -i denied, and check audit.log: "ausearch -m avc -ts today"

zfs is not that well supported by SELinux, and/or zfs does not support SELinux that well, yet

2013-11-25 11:27:44 -0600 received badge  Commentator
2013-11-22 07:55:14 -0600 commented answer SElinux sandbox without audio (no sound)

This is not an issue with sandbox types, I believe. It is an issue with how sandbox uses namespaces. I think it cannot get to the pulseaudio socket in your home directory or something

2013-11-22 07:45:04 -0600 commented question User with uid lower than 1000 showing in GDM user list.

I am not suggesting this as a solution, but if this is not a real user then also consider setting the login shell to /sbin/nologin. Maybe other attributes are also used to determine whether someone is a real user or a system user

2013-11-22 07:03:07 -0600 answered a question How to enable SELinux 'strict' or 'mls' policies on workstation?

The strict policy model no longer exists. These days the strict policy model is merged into the targeted policy model.

This means that the targeted policy model can be tuned to (roughly) the equivalent of the old strict policy model.

In a nutshell this can be done by associating your Linux identities with SELinux identities that are associated with roles that are associated with strict types (LOL)

After that you would disable both the unconfined, as well as the unconfineduser policy modules (in permissive mode), relabel the file system (restorecon -R -v -F /), and then reboot

As for the MLS policy model: I sincerely doubt that this policy model works on Fedora currently due to systemd. The security policy probably needs to be adjusted to the new system/session manager.

I do have some videos about MLS policy in RHEL6 (not so much on enabling it, but more on how to use it):

2013-11-14 02:06:55 -0600 received badge  Nice Answer (source)
2013-09-20 04:42:33 -0600 answered a question SElinux sandbox without audio (no sound)

As for the second part of your question:

I have just tested this: (sandbox -X -t sandbox_web_t gnome-mplayer test1.webm)

By default sound did not work due to the properties of sandbox technology.

However, I managed to get it going by going to the mplayer preferences menu and selecting the actual audio output device rather than leaving it on "Default"


2013-09-15 21:15:55 -0600 received badge  Nice Answer (source)
2013-08-30 16:16:34 -0600 answered a question SELinux: allow a process to create any file in a certain directory

The name of the file is insignificant

You need to enclose the AVC denial(s) (or, if you do not know what an AVC denial is and how to retrieve it, enclose the whole setroubleshoot report)

These "reports" have all the information we need to suggest an informed solution, rather than speculating

2013-08-17 11:03:32 -0600 answered a question How to create shortcut in launcher?

Yes, you can create a ".desktop" file in "~/.local/share/applications", then the specified "Icon" should show up in the Gnome Shell menu (you may, or may not, need to reload the shell: "alt-F2, r <enter>")

This is for example my "Unreal Tournament 2004" launcher:

$ cat ~/.local/share/applications/ut2004.desktop
[Desktop Entry]
Name=Unreal Tournament 2004
Comment=Unreal Tournament 2004

Or my "Armory" Launcher:

$ cat ~/.local/share/applications/armory.desktop
[Desktop Entry]
Name=Bitcoin Armory
Comment=Bitcoin Armory
Exec=python /home/joe/Git/BitcoinArmory/

etcetera etcetera

2013-08-16 14:34:20 -0600 answered a question Dual video card multiseat on Fedora 19. Any pointer?

Multi-Seat on Linux

It has been a while since I last played with Multi Seat (GDM was not playing very nice then), but this article should cover the basics

2013-08-15 10:37:44 -0600 commented answer mp-bios bug: 8254 not connected

Nope, the kernel package post-install script takes care of that, I think

2013-08-14 08:09:40 -0600 answered a question mp-bios bug: 8254 not connected

You mean: "noapic inside the quotes in the GRUB_CMDLINE", in /etc/default/grub?

If true, then you are additionally required to commit the changes with the grub2-mkconfig utility

For example, on my non-EFI system, I would:

grub2-mkconfig -o /boot/grub2/grub.cfg

You might want to back up the existing grub.cfg first, just in case anything goes wrong

2013-08-14 06:09:37 -0600 answered a question Openvpn and selinux issues

The problem is that you are trying to overwrite the existing openvpn policy module by naming your policy module the same, and trying to install it.

Good thing it fails ;)

The issue in more detail is the following:

You require type openvpn_t in your openvpn policy module.

Your module uses the same name "openvpn" as the existing openvpn policy module.

So you are effectively trying to overwrite the openvpn module with a module that actually depends on a type declared in that module by trying to install it

So semodule fails and says the type used in this module is not available (and that's true because you are trying to overwrite the module that has it declared)

The solution is to use a unique name for your module, for example:


echo 'avc:  denied  { relabelfrom } for pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket' | audit2allow -M myopenvpn; sudo semodule -i myopenvpn.pp

2013-08-07 07:09:20 -0600 received badge  Nice Answer (source)
2013-04-17 07:50:34 -0600 answered a question HDMI problem audio AMD FirePro M5950, Fedora 18

See here if your card supports HD Audio:

If it does, then append: "" to the kernel command line in grub by editing the /etc/default/grub file. Here is how mine looks:

GRUB_CMDLINE_LINUX=" $([ -x /usr/sbin/rhcrashkernel-param ] && /usr/sbin/rhcrashkernel-param || :) rd.luks=0 vconsole.keymap=us rhgb quiet enablemodulesig=1 intel_iommu=on kvm-intel.nested=1"

Then use grub2-mkconfig (grub2-mkconfig -o /boot/grub2/grub.cfg) to commit the changes to the grub.cfg config file

note: This example is for non-uefi systems, see:

2013-02-20 08:38:33 -0600 received badge  Good Answer (source)
2013-02-20 08:38:33 -0600 received badge  Nice Answer (source)
2013-02-16 07:55:14 -0600 answered a question KVM- Device 'pci-assign' could not be initialized

There is a bug in there (which should be fixed soon, I've been told)

Until then one is required to change the following options in /etc/libvirt/qemu.conf:

# The user ID for QEMU processes run by the system instance.
user = "root"

# The group ID for QEMU processes run by the system instance.
group = "root"


# If clear_emulator_capabilities is enabled, libvirt will drop all
# privileged capabilities of the QEmu/KVM emulator. This is enabled by
# default.
# Warning: Disabling this option means that a compromised guest can
# exploit the privileges and possibly do damage to the host.
clear_emulator_capabilities = 0

Note: This will make your guest run as root with all its capabilities (insecure)

2013-02-01 04:47:48 -0600 commented question Streaming radios stop in Fedora18

What is your distribution's architecture? x86_64 or i686? You seem to have been making a little mess by installing both i686 packages as well as x86_64 packages

2013-01-20 10:27:42 -0600 answered a question How to disable password quality check in Fedora 18

The authentication program, which can be found in "Activities" -> "Show applications" -> "authentication", allows one to change some settings with regard to password requirements in the "Password options" tab.

However, I was not able to find any settings with regard to dictionary passwords.