Hi,
I am having a problem and hope someone can help ...
All IPs are just examples.
I have a server (host) (IP: 1.2.3.4/24, GW 1.2.3.254) on which I use KVM
together with libvirt. So far everything is working ...
The physical interface 'eth0' is bound to 'br0'.
Now I have a VM which also has an 'official IP' (e.g. 5.6.7.8/32, GW:
1.2.3.254). The VM has an 'allowed' MAC for use in 'bridged' mode ...
So far everything works from outside: I am able to ping the VM (5.6.7.8)
from outside.
SuSEfirewall2 is active on the host, on the VM not yet ...
Finally, I am not able to ping the outside from the VM.
If the firewall on the host is OFF and I start pinging from the VM to the
outside, the ping works ... Even if I start the firewall on the host the
ping continues. But if I stop the ping and start it again, the ping does
not work anymore.
Sadly there are no DROPs in the log. It also does not matter whether
FW_FORWARD_ALLOW_BRIDGING is ON or OFF ...
I tried to experiment a bit (added new variables and a function):

FW_FORWARD_EXT_TO_BRIDGED_VM="yes"
FW_DEV_EXT_PHYS="eth0"      # physical uplink enslaved to br0
FW_DEV_VM_PHYS="fw0"        # bridge port (tap) of the VM on br0

# Accept bridged traffic between the uplink and the VM port in both
# directions, matched on the bridge ports via the physdev module.
allow_ext_to_bridge()
{
    local iptables
    case "${FW_FORWARD_EXT_TO_BRIDGED_VM}" in
        yes) ;;
        *)   return ;;   # "no" or unset: add nothing
    esac
    for iptables in "$IPTABLES" "$IP6TABLES"; do
        $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_EXT_PHYS}" \
            --physdev-out "${FW_DEV_VM_PHYS}" -j ACCEPT
        $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_VM_PHYS}" \
            --physdev-out "${FW_DEV_EXT_PHYS}" -j ACCEPT
    done
}
An iptables-save then shows my rules like the following:
---snip---
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
---snip---
Hopefully someone can push me in the right direction ...
Thank you
--
Christian
----------------------------------------------------
- Please do not 'CC' me on list mails.
Just reply to the list :)
----------------------------------------------------
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
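The rule set in the post above, worked through as an added example that is not part of the original mail: a small Python script that parses iptables-save output and replays the FORWARD chain for one bridged packet (the VM's outbound ping, identified by the bridge ports the physdev match sees), following jumps into user chains and falling back to the chain policy when nothing matches. It also flags rules that sit behind an unconditional ACCEPT/DROP and so can never fire. The sample dump is constructed from the snippet in the post; the chain policy lines, the single DROP in forward_ext and the packet description (interface names fw0, eth0, br0) are assumptions added so that the walk has an end.

```python
"""Replay an iptables-save FORWARD chain for one bridged-VM packet.

Added example, not code from the original post. Walks the chain the way
the kernel does (first matching terminal rule wins, jumps into user
chains are followed, chain policy applies when nothing matched) and
lists rules hidden behind an unconditional ACCEPT/DROP. Match options
outside the small set handled here (tcp flags, conntrack state,
addresses) make a rule "partial": it is reported, not guessed at.
"""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# option -> packet field it constrains (the subset this script evaluates)
KNOWN = {"-i": "in_iface", "-o": "out_iface", "-p": "proto",
         "--physdev-in": "physdev_in", "--physdev-out": "physdev_out"}

# Constructed from the snippet in the post. The ':' policy lines and the
# body of forward_ext are assumptions added so that the walk has an end.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
-A forward_ext -j DROP
COMMIT
"""
# ICMP echo leaving the VM: enters the bridge on port fw0, leaves on eth0
# (interface names as in the post; the packet itself is constructed).
VM_TO_OUTSIDE = {"physdev_in": "fw0", "physdev_out": "eth0", "bridged": True,
                 "in_iface": "br0", "out_iface": "br0", "proto": "icmp"}

def parse_match(tokens):
    """Return ({field: value}, partial); partial is True once an option
    outside KNOWN is hit, so the rule can be ruled out but not ruled in."""
    constraints, i = {}, 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-m":                        # module load, no constraint itself
            i += 2
        elif opt == "--physdev-is-bridged":
            constraints["bridged"] = True
            i += 1
        elif opt in KNOWN:
            constraints[KNOWN[opt]] = tokens[i + 1]
            i += 2
        else:                                  # --tcp-flags, --state, -s, "!", ...
            return constraints, True
    return constraints, False

def parse_iptables_save(text):
    """Return (chains, policies); chains maps chain name -> ordered rules."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):               # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = None if policy == "-" else policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            j = tok.index("-j") if "-j" in tok else len(tok)
            match, partial = parse_match(tok[2:j])
            chains.setdefault(tok[1], []).append({
                "raw": line, "match": match, "partial": partial,
                "target": tok[j + 1] if j + 1 < len(tok) else None})
    return chains, policies

def rule_matches(rule, pkt):
    """True, False, or None when a partial rule could not be ruled out."""
    if any(pkt.get(k) != v for k, v in rule["match"].items()):
        return False
    return None if rule["partial"] else True

def verdict(chains, policies, pkt, chain="FORWARD", skipped=None):
    """Walk `chain` for pkt -> (ACCEPT/DROP/REJECT or None, rule text).
    Partial rules that might have matched are appended to `skipped`."""
    skipped = [] if skipped is None else skipped
    for rule in chains.get(chain, []):
        m = rule_matches(rule, pkt)
        if m is None:
            skipped.append(rule["raw"])
        if not m:
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt, rule["raw"]
        if tgt == "RETURN":
            break
        if tgt in chains:                      # jump into a user-defined chain
            sub = verdict(chains, policies, pkt, tgt, skipped)
            if sub[0] is not None:
                return sub
        # LOG, TCPMSS and other non-terminal targets fall through
    pol = policies.get(chain)
    return (pol, "policy of %s" % chain) if pol else (None, None)

def shadowed_rules(chains):
    """Rules that follow an unconditional terminal rule in the same chain."""
    dead = []
    for rules in chains.values():
        blocked = False
        for rule in rules:
            if blocked:
                dead.append(rule["raw"])
            elif not rule["match"] and not rule["partial"] and rule["target"] in TERMINAL:
                blocked = True
    return dead

if __name__ == "__main__":
    chains, policies = parse_iptables_save(SAMPLE_DUMP)
    skipped = []
    print("verdict:", verdict(chains, policies, VM_TO_OUTSIDE, skipped=skipped))
    print("skipped:", skipped, "shadowed:", shadowed_rules(chains))
```

With the rules in the order shown in the post, the VM's ping is accepted by the second physdev rule. Feeding the script the same dump with the two physdev ACCEPT rules placed after the `-i br0 -j forward_ext` jump returns DROP from inside forward_ext instead: every bridged packet carries `-i br0`, so a user chain that ends in an unconditional DROP swallows it before the ACCEPT rules are reached, and nothing is logged unless a LOG rule precedes that DROP. The script only knows what is in the dump it is given, so the real forward_ext chain has to come from iptables-save on the host.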
Hello,
It is a nice thing that openSUSE includes AppArmor by default. I started to play with it on Leap 42.1.
However, I feel it is a little short in terms of profiles for the desktop (all profiles are server oriented).
In comparison, I retrieved the profiles in Ubuntu:
bzr co lp:apparmor-profiles
They have profiles for chromium, firefox, empathy, totem, thunderbird and evolution, among others. Some big candidates are still missing though, like Wireshark.
I feel such profiles are important, because these applications are rather exposed to modern threats.
Do you think it would be legally possible to include them more or less as-is in Leap 42.2 and all future releases?
Or at least, is there any plan to develop more profiles for the desktop?
Thank you in advance for your reply,
Best regards,
Jean-Christophe
> -----Original Message-----
> From: Marcus Meissner
> Sent: Fri. 03.06.2016 10:11
> To: stakanov(a)freenet.de
> Cc: opensuse-security(a)opensuse.org
> Subject: Re: [opensuse-security] Question about Seccheck showing kernel tainted (and then not)
>
> On Fri, Jun 03, 2016 at 09:15:48AM +0200, stakanov(a)freenet.de wrote:
>> Question about SecCheck:
>> Two days ago I did get a curious outcome, saying:
>>
>>
>> - kernel.tainted = 0
>> + kernel.tainted = 52
>>
>> And the day after:
>>
>>
>> - kernel.tainted = 512
>> + kernel.tainted = 0
>>
>>
>> So the question I have is: how can a kernel be marked "tainted" and the day after "untainted"?
>> Since I did not, AFAIK, install something that taints, is that provoked by a patch? Or do I maybe have a hardware problem (memory?)
>
> 52 is 0x34, which I think would be TAINT_CPU_OUT_OF_SPEC / TAINT_MACHINE_CHECK / TAINT_BAD_PAGE
> 512 is 0x200, which would be TAINT_WARN
>
> Is there something in "dmesg" ?
>
> Usually tainted would go down to 0 only on reboots, btw.
>
> Ciao, Marcus
>
> -----End of original message-----
Hello Marcus and thank you for the reply.
It is actually 512 both times (the "2" got lost in copy-paste, I guess; sorry for that).
The only warnings I find in dmesg are ACPI related:
[ 25.422233] ACPI Warning: SystemIO range 0x0000000000001028-0x000000000000102F conflicts with OpRegion 0x0000000000001000-0x000000000000107F (_SB_.PCI0.LPC_.PMIO) (20150410/utaddress-254)
[ 25.422245] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
[ 25.422249] ACPI Warning: SystemIO range 0x00000000000011C0-0x00000000000011CF conflicts with OpRegion 0x0000000000001180-0x00000000000011FF (_SB_.PCI0.LPC_.LPIO) (20150410/utaddress-254)
[ 25.422254] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
[ 25.422256] ACPI Warning: SystemIO range 0x00000000000011B0-0x00000000000011BF conflicts with OpRegion 0x0000000000001180-0x00000000000011FF (_SB_.PCI0.LPC_.LPIO) (20150410/utaddress-254)
[ 25.422261] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
[ 25.422263] ACPI Warning: SystemIO range 0x0000000000001180-0x00000000000011AF conflicts with OpRegion 0x0000000000001180-0x00000000000011FF (_SB_.PCI0.LPC_.LPIO) (20150410/utaddress-254)
[ 25.422267] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
[ 25.422268] lpc_ich: Resource conflict(s) found affecting gpio_ich
and
[ 0.000000] ACPI: RSDP 0x00000000000F68E0 000024 (v02 LENOVO)
[ 0.000000] ACPI: XSDT 0x00000000BB3F098C 000094 (v01 LENOVO TP-6Q 00001400 LTP 00000000)
[ 0.000000] ACPI: FACP 0x00000000BB3F0B00 0000F4 (v04 LENOVO TP-6Q 00001400 LNVO 00000001)
[ 0.000000] ACPI BIOS Warning (bug): 32/64X length mismatch in FADT/Pm1aControlBlock: 16/32 (20150410/tbfadt-623)
[ 0.000000] ACPI BIOS Warning (bug): Invalid length for FADT/Pm1aControlBlock: 32, using default 16 (20150410/tbfadt-704)
[ 0.000000] ACPI: DSDT 0x00000000BB3F0E6B 00DE88 (v01 LENOVO TP-6Q 00001400 MSFT 03000001)
[ 0.000000] ACPI: FACS 0x00000000BB2E7000 000040
[ 0.000000] ACPI: FACS 0x00000000BB2E7000 000040
[ 0.000000] ACPI: SSDT 0x00000000BB3F0CB4 0001B7 (v01 LENOVO TP-6Q 00001400 MSFT 03000001)
[ 0.000000] ACPI: ECDT 0x00000000BB3FECF3 000052 (v01 LENOVO TP-6Q 00001400 LNVO 00000001)
[ 0.000000] ACPI: APIC 0x00000000BB3FED45 000084 (v01 LENOVO TP-6Q 00001400 LNVO 00000001)
[ 0.000000] ACPI: MCFG 0x00000000BB3FEE01 00003C (v01 LENOVO TP-6Q 00001400 LNVO 00000001)
[ 0.000000] ACPI: HPET 0x00000000BB3FEE3D 000038 (v01 LENOVO TP-6Q 00001400 LNVO 00000001)
[ 0.000000] ACPI: ASF! 0x00000000BB3FEF34 0000A4 (v16 LENOVO TP-6Q 00001400 PTL 00000001)
[ 0.000000] ACPI: BOOT 0x00000000BB3FEFD8 000028 (v01 LENOVO TP-6Q 00001400 LTP 00000001)
[ 0.000000] ACPI: SSDT 0x00000000BB2E590A 00085B (v01 LENOVO TP-6Q 00001400 INTL 20050513)
[ 0.000000] ACPI: TCPA 0x00000000BB38B000 000032 (v02 PTL CRESTLN 06040000 00005A52)
[ 0.000000] ACPI: DMAR 0x00000000BB381000 0000B8 (v01 INTEL CP_DALE 00000001 INTL 00000001)
[ 0.000000] ACPI: SSDT 0x00000000BB379000 0009F1 (v01 PmRef CpuPm 00003000 INTL 20060912)
[ 0.000000] ACPI: SSDT 0x00000000BB378000 000259 (v01 PmRef Cpu0Tst 00003000 INTL 20060912)
[ 0.000000] ACPI: SSDT 0x00000000BB377000 00049F (v01 PmRef ApTst 00003000 INTL 20060912)
Related? I always see them; normally I do not get the kernel tainted output in seccheck though. The second one, about the FADT, I see for the first time though.
If so, should I simply ignore it (since, if I understand correctly, that is a bug in my BIOS)?
BTW, thank you for the reply.
PS.
I am searching for good documentation on seccheck. Do you have any source to share? Thanks in advance.
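The decoding Marcus does by hand in the quoted reply (52 = 0x34, 512 = 0x200), carried through as an added example that is not part of the original thread: a Python script that splits a kernel.tainted value into its bits, names them, and classifies the change between two seccheck runs. The bit table is the one documented in the kernel's tainted-kernels documentation; bits 16 and up only exist on kernels newer than the Leap 42.x one discussed here and are listed for completeness. The seccheck excerpt is constructed from the post, using the 512 value the follow-up corrects it to; the grouping of "hardware" bits is my own and is marked as such in the code.

```python
"""Decode kernel.tainted values as reported by seccheck.

Added example, not code from the original thread. Bit table after the
kernel's tainted-kernels documentation (bits 16+ are newer than the
Leap 42.x kernel discussed and only listed for completeness).
"""
import re

# bit -> (letter shown after "Tainted:" in an oops, symbolic name)
TAINT_BITS = {
    0: ("P", "TAINT_PROPRIETARY_MODULE"),
    1: ("F", "TAINT_FORCED_MODULE"),
    2: ("S", "TAINT_CPU_OUT_OF_SPEC"),
    3: ("R", "TAINT_FORCED_RMMOD"),
    4: ("M", "TAINT_MACHINE_CHECK"),
    5: ("B", "TAINT_BAD_PAGE"),
    6: ("U", "TAINT_USER"),
    7: ("D", "TAINT_DIE"),
    8: ("A", "TAINT_OVERRIDDEN_ACPI_TABLE"),
    9: ("W", "TAINT_WARN"),
    10: ("C", "TAINT_CRAP"),
    11: ("I", "TAINT_FIRMWARE_WORKAROUND"),
    12: ("O", "TAINT_OOT_MODULE"),
    13: ("E", "TAINT_UNSIGNED_MODULE"),
    14: ("L", "TAINT_SOFTLOCKUP"),
    15: ("K", "TAINT_LIVEPATCH"),
    16: ("X", "TAINT_AUX"),
    17: ("T", "TAINT_RANDSTRUCT"),
}
# Assumed grouping: bits the kernel sets because of something the hardware
# reported (out-of-spec CPU, machine-check exception, bad page) rather than
# because of a driver or a WARN() in software.
HARDWARE_BITS = {2, 4, 5}

# Constructed from the post (both runs reported 512, per the follow-up).
SAMPLE_SECCHECK = """\
- kernel.tainted = 0
+ kernel.tainted = 512
- kernel.tainted = 512
+ kernel.tainted = 0
"""

def set_bits(value):
    """Bit positions set in value, lowest first."""
    return [b for b in range(value.bit_length()) if value >> b & 1]

def decode_taint(value):
    """Symbolic names of all taint bits set in value."""
    return [TAINT_BITS.get(b, ("?", "TAINT_BIT_%d" % b))[1] for b in set_bits(value)]

def taint_letters(value):
    """The taint letters an oops would show (without the 'G' placeholder
    the kernel prints when no proprietary module is loaded)."""
    return "".join(TAINT_BITS.get(b, ("?", ""))[0] for b in set_bits(value))

def parse_seccheck(text):
    """Pair '- kernel.tainted = old' with the following '+ kernel.tainted = new'."""
    pairs, old = [], None
    for sign, num in re.findall(r"^([-+])\s*kernel\.tainted\s*=\s*(\d+)", text, re.M):
        if sign == "-":
            old = int(num)
        elif old is not None:
            pairs.append((old, int(num)))
    return pairs

def explain_transition(old, new):
    """What changed between two seccheck runs and what it implies.

    Taint bits are only added while a kernel runs; a bit that disappears
    therefore means the machine rebooted between the two runs."""
    added, removed = new & ~old, old & ~new
    hw_mask = sum(1 << b for b in HARDWARE_BITS)
    return {
        "set": decode_taint(added),
        "cleared": decode_taint(removed),
        "hardware": bool(added & hw_mask),
        "reboot_implied": removed != 0,
    }

if __name__ == "__main__":
    for old, new in parse_seccheck(SAMPLE_SECCHECK):
        print(old, "->", new, taint_letters(new) or "-", explain_transition(old, new))
```

Run against the excerpt it reports the first change as TAINT_WARN being set (a WARN() fired, which is a software event and should have a stack trace in dmesg), and the second as TAINT_WARN being cleared, which can only happen through a reboot. The same functions applied to 52 name the three bits Marcus lists, all of them in the hardware group, which is the case where a memory or CPU problem would be worth looking at.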
Question about SecCheck:
Two days ago I did get a curious outcome, saying:
- kernel.tainted = 0
+ kernel.tainted = 52
And the day after:
- kernel.tainted = 512
+ kernel.tainted = 0
So the question I have is: how can a kernel be marked "tainted" and the day after "untainted"?
Since I did not, AFAIK, install something that taints, is that provoked by a patch? Or do I maybe have a hardware problem (memory?)
Thank you