
Debian builds Exim against GnuTLS because OpenSSL used to use a license with an advertising clause, making it incompatible with the GPLd Exim.

Since OpenSSL 3 is now available under a GPL-compatible license, I think it's long past time to switch. But judging by the sorry state of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446036 I don't think it's going to happen any time soon.


Ask the CA/Browser forum what they will insist upon


FYI RHEL's SELinux policy blocks AF_ALG socket creation for confined services out of the box. But disabling via RestrictAddressFamilies= unit option, or initcall_blacklist= kernel parameter, seems to be a good mitigation for unconfined services, users and containers.


They've bumped the severity and 8/9/10 are now 'affected'. Hope a patch comes soon!


Have you got any info about this? 'seinfo -c' shows there is an alg_socket class. I presume this permission is required to be able to create an AF_ALG socket:

    $ sesearch -A -c alg_socket -p create
    allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
    allow container_device_plugin_init_t container_device_plugin_init_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_device_plugin_t container_device_plugin_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_device_t container_device_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_engine_t container_engine_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_init_t container_init_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_kvm_t container_kvm_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_logreader_t container_logreader_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_logwriter_t container_logwriter_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_userns_t container_userns_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow openshift_app_t openshift_app_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow openshift_t openshift_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow spc_t unlabeled_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow staff_t staff_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
    allow sysadm_t sysadm_t:alg_socket { accept append bind connect create getopt ioctl listen lock read setattr setopt shutdown write };
    allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
    allow user_t user_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
... that's a lot of domains, including container_t and user_t; and obviously anything unconfined_t can't be expected to be restricted.

(Maybe you & others are specifically thinking of Android's policy?)
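Added example (not code from any comment in this thread): a small Python script covering the two checks discussed above. It parses `sesearch -A` allow rules to list which source domains hold `create` on `alg_socket`, handling both the braced multi-permission form shown in the listing and the unbraced single-permission form sesearch emits for one-permission rules, and it probes at runtime whether the current security context can actually open and bind an AF_ALG socket, separating an LSM refusal (EACCES/EPERM, what an SELinux alg_socket create denial produces) from EAFNOSUPPORT (what systemd's RestrictAddressFamilies= filter returns, and what socket() returns when the family was never registered, e.g. with af_alg on initcall_blacklist=). The sample rules are a constructed subset copied from the sesearch listing above plus one hypothetical single-permission rule; the `hash`/`sha256` transform used for the bind is an assumption that any kernel with algif_hash available resolves it.

```python
import errno
import re
import socket

# Constructed sample: rows copied from the `sesearch -A -c alg_socket -p create`
# listing above, plus one hypothetical rule (example_reader_t) in the unbraced
# form sesearch uses when a rule grants exactly one permission.
SESEARCH_OUTPUT = """\
allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow spc_t unlabeled_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow staff_t staff_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow user_t user_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
allow example_reader_t example_reader_t:alg_socket read;
"""

# "allow SRC TGT:CLASS { p1 p2 ... };" or "allow SRC TGT:CLASS p1;"
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;{]+))\s*;"
)


def parse_allow_rules(text):
    """Parse sesearch allow rules into (source, target, class, permissions) tuples."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines or non-allow rules: skip
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        rules.append((m["src"], m["tgt"], m["cls"], frozenset(perms)))
    return rules


def domains_that_can_create(rules, cls="alg_socket"):
    """Source domains holding `create` on the given socket class, sorted."""
    return sorted({src for src, _tgt, c, perms in rules if c == cls and "create" in perms})


def _classify(exc, bind=False):
    """Map the errno of a failed socket()/bind() to a short verdict."""
    if exc.errno in (errno.EACCES, errno.EPERM):
        return "denied"          # LSM hook refused (e.g. SELinux alg_socket create)
    if exc.errno == errno.EAFNOSUPPORT:
        return "unsupported"     # family not registered or seccomp-filtered
    if bind and exc.errno == errno.ENOENT:
        return "no_transform"    # socket() worked; the named algorithm is not available
    return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def probe_af_alg(alg_type="hash", alg_name="sha256"):
    """Try to open and bind an AF_ALG socket in the current security context.

    Returns "allowed", "denied", "unsupported", "no_transform", "not_linux",
    or "error:<ERRNO_NAME>" for anything else.
    """
    af_alg = getattr(socket, "AF_ALG", None)  # only present on Linux builds
    if af_alg is None:
        return "not_linux"
    try:
        sock = socket.socket(af_alg, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        return _classify(e)
    try:
        # bind() selects the transform; the kernel resolves it and may autoload a module.
        sock.bind((alg_type, alg_name))
    except OSError as e:
        return _classify(e, bind=True)
    finally:
        sock.close()
    return "allowed"


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    print("domains with create on alg_socket:", ", ".join(domains_that_can_create(rules)))
    print("AF_ALG probe in this context:", probe_af_alg())
```

Run the probe from inside the context you care about (a confined service, an unprivileged user, a container) rather than from a root shell, since unconfined_t gets everything; a "denied" or "unsupported" result there is what confirms the policy or unit hardening actually bites.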


Sorry, yeah, I saw "not exploitable on Android" and thought most SELinux would be ok. Not super sure on this case what the surface is.


... and that is why all 'modern' software is incredibly memory and CPU intensive...


But when things go wrong, you can usually find some random json file and adjust it :)


Take it from someone who saw it when it first aired on standard definition analogue TV: it doesn't really matter all that much. The performance of the actors and the story is what's important!


That’s fair but from what I understand, inaccurate ratios could hide a lot of crucial detail

https://www.insidehook.com/television/seinfeld-netflix-aspec...


A _real_ web site!

When I first returned to it rewatching B5 a couple of years ago, I actually found it difficult to navigate. It took me a while to realise that my brain was parsing the block of navigation buttons at the centre top of the screen as a banner ad and filtering it out!


The "TKO" 'A' plot is silly but it has one of the most moving and memorable 'B' plots of the series!


Agreed! In fact it is kind of annoying. Every set of orderable elements has a worst element, therefore every show has some bad episodes. You want to tell new viewers to just skip those episodes if they want, but it's practically impossible with B5. If you skip TKO because part of it is cliche then you also miss the essential key to understanding Ivanova.


Both were pretty meh IMO.


This is the same company that, back in the day, warned users to not click links in Internet Explorer. A web browser.


Funny that since the IE engine was plastered all over the place. Only 98lite could avoid it.

