Open Source Software and Linux


November 20, 2008  12:28 AM

Take a break, read some Thanksgiving humor

John Little Profile: Xjlittle

Having had a tough couple of weeks at work, I came home tonight thinking “I need something funny in my so-called life”. At work it seems to be one thing after another, and it's not much better at home. In short, I'm tired, as many people who work in IT can become.

After thinking about it for a while the thought crossed my mind: “hey, it's almost Thanksgiving... there's got to be something funny out there about that”. So I went searching. I found many funny things about the Thanksgiving holiday, but I kept coming back to this one. I don't know why, maybe because it sounds a little like my family life. Anyway, here it is, and I hope that you enjoy it as much as I did.

Dining Without Martha Stewart

Martha Stewart will not be dining with us this Thanksgiving. I’m telling you in advance, so don’t act surprised. Since Ms. Stewart won’t be coming, I’ve made a few small changes:

1. Our sidewalk will not be lined with homemade, paper bag luminaries. After a trial run, it was decided that no matter how cleverly done, rows of flaming lunch sacks do not have the desired welcoming effect.

2. Once inside, our guests will note that the entry hall is not decorated with the swags of Indian corn and fall foliage I had planned to make. Instead, I’ve gotten the kids involved in the decorating by having them track in colorful autumn leaves from the front yard. The mud was their idea.

3. The dining table will not be covered with expensive linens, fancy china, or crystal goblets. If possible, we will use dishes that match and everyone will get a fork. Since this IS Thanksgiving, we will refrain from using the plastic Peter Rabbit plate and the Santa napkins from last Christmas.

4. Our centerpiece will not be the tower of fresh fruit and flowers that I promised. Instead we will be displaying a hedgehog-like decoration hand-crafted from the finest construction paper. The artist assures me it is a turkey.

5. We will be dining fashionably late. The children will entertain you while you wait. I’m sure they will be happy to share every choice comment I have made regarding Thanksgiving, pilgrims and the turkey hotline. Please remember that most of these comments were made at 5:00 a.m. upon discovering that the turkey was still hard enough to cut diamonds. As accompaniment to the children’s recital, I will play a recording of tribal drumming. If the children should mention that I don’t own a recording of tribal drumming, or that tribal drumming sounds suspiciously like a frozen turkey in a clothes dryer, ignore them. They are lying.

6. We toyed with the idea of ringing a dainty silver bell to announce the start of our feast. In the end, we chose to keep our traditional method. We’ve also decided against a formal seating arrangement. When the smoke alarm sounds, please gather around the table and sit where you like. In the spirit of harmony, we will ask the children to sit at a separate table … in a separate room … next door.

7. Now, I know you have all seen pictures of one person carving a turkey in front of a crowd of appreciative onlookers. This will not be happening at our dinner. For safety reasons, the turkey will be carved in a private ceremony. I stress “private” meaning: Do not, under any circumstances, enter the kitchen to laugh at me. Do not send small, unsuspecting children to check on my progress. I have an electric knife. The turkey is unarmed. It stands to reason that I will eventually win. When I do, we will eat.

8. I would like to take this opportunity to remind my young diners that “passing the rolls” is not a football play. Nor is it a request to bean your sister in the head with warm tasty bread.

9. Oh, and one reminder for the adults: For the duration of the meal, and especially while in the presence of young diners, we will refer to the giblet gravy by its lesser-known name: Cheese Sauce. If a young diner questions you regarding the origins or type of Cheese Sauce, plead ignorance. Cheese Sauce stains.

10. Before I forget, there is one last change. Instead of offering a choice among 12 different scrumptious desserts, we will be serving the traditional pumpkin pie, garnished with whipped cream and small fingerprints. You will still have a choice; take it or leave it.

Found at this website.
-j

November 17, 2008  6:32 PM

Setting up your firewall on domU with iptables

John Little Profile: Xjlittle

As discussed in an earlier post, you must first hide your NIC from dom0 to set up an iptables firewall on your domU. Once the NIC is successfully hidden from dom0, we can proceed to the domU firewall setup.

You must first decide which domU you are going to use as a firewall. Personally I prefer my firewall domU to have nothing on it but iptables. I can then use POSTROUTING and PREROUTING to NAT my outbound packets and redirect new inbound packets to their correct destinations. After you have your domU built and working properly, its configuration file should look like the following; the pci line is the new entry:

name = "fw0"
uuid = "203e2874-a08b-4065-7155-cdad1b5b7341"
maxmem = 256
memory = 256
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ "type=vnc,vncunused=1,keymap=en-us" ]
disk = [ "phy:/dev/linux-virtuals/secure,xvda,w" ]
vif = [ "mac=00:16:3e:36:73:82,bridge=xenbr0" ]
pci = [ '01:02.0' ]   # should be the same bus address you obtained from your lspci command

Now start your domU. You should see a second interface, eth1, show up when you run ifconfig. There is no need to build an ifcfg-eth1 file for it; the operating system takes care of that for you. This is the interface connected to your DSL/cable line to the internet. Make sure a cable is plugged into the physical interface that [ '01:02.0' ] represents, with the other end in your cable or DSL modem. You should see that it gets a publicly routable address, like this:

[root@fw0 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:36:73:82
inet addr:172.16.0.254 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe36:7382/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37856 errors:0 dropped:0 overruns:0 frame:0
TX packets:27763 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7935825 (7.5 MiB) TX bytes:11696196 (11.1 MiB)

eth1 Link encap:Ethernet HWaddr 00:0E:0C:80:22:B8
inet addr:76.252.xxx.xxx Bcast:76.252.xxx.xxx Mask:255.255.255.0 ===This is the routable IP
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28701 errors:0 dropped:0 overruns:0 frame:0
TX packets:28332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:11911130 (11.3 MiB) TX bytes:7313287 (6.9 MiB)
Base address:0xb400 Memory:fea40000-fea60000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:89159 (87.0 KiB) TX bytes:89159 (87.0 KiB)

[root@fw0 ~]#

The x's are placed in the last two octets for security reasons. You can see from the first two octets, however, that this is a publicly routable interface that got its address from my ISP.

Now, to get the machines on your LAN out to the internet, two things must happen. First, their default gateway must be set to the IP address of eth0 on your domU; in my case this is 172.16.0.254. This is quite simple if you are using DHCP: just make an entry like this in the dhcpd.conf file:

subnet 172.16.0.0 netmask 255.255.0.0 {
    range 172.16.0.111 172.16.0.150;
    option routers 172.16.0.254;    # set this option to your default gateway
    option broadcast-address 172.16.255.255;
    default-lease-time 259200;
    max-lease-time 604800;
    option domain-name-servers 172.16.0.205, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
}

If you're not using DHCP then you can make an entry in either /etc/sysconfig/network or /etc/sysconfig/network-scripts/ifcfg-eth*, where the * is replaced by your interface number:

GATEWAY=172.16.0.254

Once that is done, the second step is to set up masquerading so that our outbound packets are NATed and we can browse the internet. On the firewall machine issue the following commands:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
service iptables save
service iptables restart

There you have it. Your domU is now connected to the internet, firewalling your network and allowing the internal machines on your LAN to browse the internet. This setup was done on CentOS 5.2 with the virtualization that is built into it.

-j


November 16, 2008  10:12 PM

Set your hardware and system clocks with the date and hwclock commands

John Little Profile: Xjlittle

Today we’re looking at the date and hwclock commands to set your system and hardware clocks.

Have you ever put a server into production only to realize that you had not set the hardware clock to UTC or to any other time? Once the machine is in production it's pretty difficult to go to your manager and tell him that you need to shut it down to set the hardware clock. Using the date and hwclock commands lets you set both clocks without shutting down your machine.

Computer systems, administrators and users all rely on the correct date and time to function properly or to make their jobs go more smoothly. The system uses cron to execute programs at a certain time. As an administrator you need the correct time when checking logs and looking for problems. If the system clock is off, see how long it takes your users to start calling about incorrect dates and times on their documents. In short, things are not going to go smoothly if the date and time are wrong on the system.

The most likely scenario is that your system clock is off because it is relying on your hardware clock for the correct time. Here is how we correct this. First you need to set the correct time for the system with the date command. Type the date command to see the date and time format of the string:

[root@virtual-host ~]# date
Sun Nov 16 16:51:53 EST 2008
[root@virtual-host ~]#

We want to use this exact type of string to set our system clock:

date --set="Sat Nov 15 18:49:00 EST 2008"

Ok now we are going to set our hardware clock to this date:

hwclock --systohc --utc

That's it. Now your hardware clock is set, and your system clock can keep the correct time by referring to it. You can also set your system clock from your hardware clock with the following command:

hwclock --hctosys

Both of these can be particularly important if you are trying to point the ntp daemon at an internet time source and your system clock is off by more than 1000 seconds. The ntp daemon will not work under those conditions, so you must correct them first.

Hope this helps you keep your systems on time!

-j


November 14, 2008  3:26 PM

Application Whitelisting for Windows...or is it SELinux

John Little Profile: Xjlittle

I recently read an article in eWeek that talked extensively about Application Whitelisting. The more of the article I read, the more it seemed to be nothing more than SELinux on Windows.

The Windows people are looking to lock down their machines because of the horrendous numbers of viruses, trojans and other malware that attacks them. Apparently user education, anti-virus and anti-whatever just is not getting the job done.

Windows machines in the past have used the traditional methods for fighting malware. Anti-virus tracks and quarantines certain bits that are known malware problems. This is known as blacklisting. Whitelisting is the process whereby certain executables are approved to run on a certain machine.

Now let's have a look at SELinux, which was first implemented by Red Hat several years ago. While Linux in general does not have a problem with malware, an unprotected machine could get hacked and unwanted applications installed. Red Hat wanted a way to stop this type of intrusion. Let's look a little deeper at how this came about.

SELinux was originally a development project from the National Security Agency (NSA) and others. It is an implementation of the Flask operating system security architecture. The NSA integrated SELinux into the Linux kernel using the Linux Security Modules (LSM) framework. SELinux motivated the creation of LSM, at the suggestion of Linus Torvalds, who wanted a modular approach to security instead of just accepting SELinux into the kernel.

You can see the rest of the article here

So here we have a security application mostly developed by the NSA.

Much of the work to get the kernel ready for upstream, as well as subsequent SELinux development, has been a joint effort between the NSA, Red Hat, and the community of SELinux developers.

Now let's look at how SELinux runs under Red Hat and any other *nix that uses it. Red Hat uses what is called a targeted policy for SELinux. SELinux creates what are known as domains, and each daemon has its own domain. Every daemon on the system runs under the unconfined_t domain except for those that have specific targeted domains. Daemons that run under the unconfined_t domain fall back to standard Linux security. As an example, the http and ntp daemons run under the targeted policy by default and are therefore protected. If you haven't yet experienced what happens under this protection: when one of a daemon's binaries or configuration files is given the wrong context, the daemon will not start.

This should be starting to sound familiar from the definition of Application Whitelisting above. It will be interesting to see if the Windows shops buy into this method of protection. I also expect some announcement from Microsoft or some other big firm about how they have developed this new concept and are providing it as a tool to protect Windows applications. I wonder how much the licensing fee and yearly maintenance will be on that…

-j


November 12, 2008  9:39 PM

Which processors support hardware assisted virtualization?

John Little Profile: Xjlittle

Today as I was looking for a new workstation it occurred to me that I didn’t know which of them had the HVM or hardware assisted technology that I require. As an administrator I like to have this technology on my workstation so that I can test various builds, updates and so on before putting them into production. Since I run CentOS 5 with Xen on my workstation and have to occasionally test something with a Windows machine, I require the HVM technology.

And so began my hunt for what I knew would be a valid source of lists for the processors that have this technology. I could then pick my machine based on the processors in this list.

Finding this list was unbelievably difficult. Remember, I said that I wanted a valid list. I did all sorts of Google searches with every keyword that I could think of, all to no avail. After an hour or so of this I decided to have a look on Intel's site. About 30 minutes later I had what I wanted.

For the Intel processors you can go to this page. Here you will see two tabs. Click on the tab “View Processor Number Details”. On this tab you will see a table titled “Select Processor Brand”. After clicking on one of the processor brands another table will come up. Find the column that says Intel VT and Voila! you have found what you are looking for. If the processor listed has a check in this column then it is capable of hardware assisted virtualization.

Here is a screen shot of the last screen that I mentioned above.
Intel VT
As you can see from the top of the screen shot we are looking at the Intel Core 2 Extreme Processor. Now look across the columns until you see Intel VT. Any of the processors listed in the first column that have a checkmark in the Intel VT column will support HVM technology.

I spent some time on AMD’s website looking for the same thing. Unfortunately I did not find one. If I do I will post it here.

-j


November 12, 2008  3:08 AM

Finally, Virtualization testing for Xen, ESX, Hyper-V and more

John Little Profile: Xjlittle

Information Week has announced a test among several virtual machine vendors including Citrix, ESX, Microsoft’s Hyper-V, Parallels and Virtual Iron.

This comparison is what Information Week calls a rolling review. This is where, over a period of time, all of the products are pitted against one another.

The testing starts from bare metal and includes four VM Hosts. Two are on identical high end servers newly purchased and two on lesser powered servers that have been repurposed for virtual host use.

The evaluation will consist of each vendor’s ease of setup, configuration, data and network connectivity. Conversion tools supplied by each of the vendors will be used to migrate real world servers running Windows 2000, 2003, 2008, Windows XP, and Debian Linux.

The first reviews will begin with Citrix XenServer. Identical runs of Microsoft's Hyper-V and VMware's ESX server will follow. After these tests are completed, Information Week's Lab will provide a comprehensive overview of the smaller vendors. Following the testing, a comprehensive wrap-up detailing the features, performance, and price differences among the different virtualization vendors will be provided.

Follow the results of the rolling review here.

-j


November 11, 2008  2:59 AM

CentOS 5 and pciback aka hiding pci card from Xen DOM0

John Little Profile: Xjlittle

I just recently spent more hours than I care to think about getting a NIC in Xen Dom0 hidden and passed to a DomU via pciback in CentOS 5.

Lesson number 1: pciback or pciback.hide is now a module. Putting it on GRUB’s kernel line is no longer sufficient.

Lesson number 2: If your NIC module does not load until late in the boot process, either use another NIC or put the module in your initrd. Davicom cards are a good example of this. Use an Intel.

Lesson number 3: Much of the information that you find online about what to put in your /etc/modprobe.conf is incorrect.

So now that we’ve covered all of that here is what you need to do to use pciback in CentOS 5.

Step 1. Put the following and only the following in your /etc/modprobe.conf:

options pciback hide=(01:06.0)

The numbers that you see there are found by running lspci | grep -i ethernet (or whatever you want to hide, such as vga, usb, etc.):

[root@virtual-host xen]# lspci |grep -i ethernet
01:02.0 Ethernet controller: Davicom Semiconductor, Inc. 21x4x DEC-Tulip compatible 10/100 Ethernet (rev 31)
01:06.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)
[root@virtual-host xen]#

Now you need to create a new initrd image. Before doing so make a backup copy of the one that you are currently using. Then create a new initrd so that the pciback module is loaded early on.

mkinitrd -f --preload=pciback /boot/initrd-$(uname -r).img $(uname -r)

This will place the new initrd into your boot directory and overwrite the old one.

Moving on to the /etc/xen directory, we have a little work to do here. In the domU config file make two entries like the following:

pci = [ "01:06.0"]
vif = [ '' ]

Now open /etc/xen/xend-pci-permissive.sxp and make an entry like the following:

(unconstrained_dev_ids
    #('0123:4567:89AB:CDEF')
    ('8086:100e')   ## everything but this entry is already in the file as an example
)

You get the 8086:100e number from running lspci -n:

[root@virtual-host xen]# lspci -n
00:00.0 0600: 8086:254c (rev 01)
00:00.1 ff00: 8086:2541 (rev 01)
00:1d.0 0c03: 8086:2482 (rev 02)
00:1d.1 0c03: 8086:2484 (rev 02)
00:1e.0 0604: 8086:244e (rev 42)
00:1f.0 0601: 8086:2480 (rev 02)
00:1f.1 0101: 8086:248b (rev 02)
00:1f.3 0c05: 8086:2483 (rev 02)
01:02.0 0200: 1282:9102 (rev 31)
01:04.0 0300: 1002:4752 (rev 27)
01:06.0 0200: 8086:100e (rev 02)

As you can see, the 01:06.0 line carries 8086:100e, and 01:06.0 is the same bus address that we used in modprobe.conf and the domU config file.

Now if all has gone well you should see that your domU has direct access to the pci card and that dom0 no longer attempts to use it. This can be confirmed by grep'ing dmesg:

[root@virtual-host xen]# dmesg |grep pciback
pciback 0000:01:06.0: seizing device
pciback 0000:01:06.0: enabling permissive mode configuration space accesses!
pciback 0000:01:06.0: permissive mode is potentially unsafe!
pciback: vpci: 0000:01:06.0: assign to virtual slot 0
pciback: vpci: 0000:01:06.0: assign to virtual slot 0
[root@virtual-host xen]#

There you have the results of several hours of reading and trial and error. Don't forget that if you install a new xen kernel you will again have to make a new initrd.

One way around having to create a new initrd by hand is to create a file named pciback under /etc/sysconfig/mkinitrd. Put an entry into the pciback file that reads PREMODS="$PREMODS pciback". That should automatically include the pciback module when a new kernel creates its initrd.
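The three places that have to agree (the bus address in modprobe.conf and the domU config, the vendor:device pair in xend-pci-permissive.sxp, and what pciback reports in dmesg) are easy to get out of step, and the dmesg lines above show pciback itself warning that permissive mode is potentially unsafe: the guest gets write access to the device's configuration space, so only the one device you intend should ever be listed there. The script below is an added example, not part of the original post, that cross-checks those pieces from saved `lspci -n` and `dmesg` output. The sample text it works on is constructed for the example and copies what the post shows.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a PCI passthrough
# configured as in the post actually took effect and that permissive mode is
# enabled for no device other than the intended one.
# Sample outputs are constructed for this example from what the post shows.

LSPCI_N='01:02.0 0200: 1282:9102 (rev 31)
01:04.0 0300: 1002:4752 (rev 27)
01:06.0 0200: 8086:100e (rev 02)'

DMESG='pciback 0000:01:06.0: seizing device
pciback 0000:01:06.0: enabling permissive mode configuration space accesses!
pciback 0000:01:06.0: permissive mode is potentially unsafe!
pciback: vpci: 0000:01:06.0: assign to virtual slot 0'

# vendor:device pair for one bus address, from `lspci -n` text.
# Usage: vendor_device_for 01:06.0 "$(lspci -n)"
vendor_device_for() {
    printf '%s\n' "$2" | awk -v addr="$1" '$1 == addr { print $3; exit }'
}

# Bus addresses pciback took away from dom0, from dmesg text.
seized_devices() {
    printf '%s\n' "$1" | sed -n 's/^pciback 0000:\([0-9a-f:.]*\): seizing device$/\1/p'
}

# Bus addresses running in permissive mode. Anything listed here that is not
# the device you put into xend-pci-permissive.sxp deserves a second look.
permissive_devices() {
    printf '%s\n' "$1" | sed -n 's/^pciback 0000:\([0-9a-f:.]*\): permissive mode is potentially unsafe!$/\1/p'
}

# 0 when the device was seized by pciback AND its vendor:device pair matches the
# entry made in xend-pci-permissive.sxp.
# Usage: passthrough_ok 01:06.0 8086:100e "$(lspci -n)" "$(dmesg)"
passthrough_ok() {
    [ "$(vendor_device_for "$1" "$3")" = "$2" ] &&
    seized_devices "$4" | grep -qx "$1"
}

# Stand-alone run against the live machine:
#   passthrough_ok 01:06.0 8086:100e "$(lspci -n)" "$(dmesg)" && echo passthrough OK
```

On the live dom0 the two sample variables are replaced by `"$(lspci -n)"` and `"$(dmesg)"`; a mismatch between the address you hid and the pair you made permissive shows up as a failed `passthrough_ok` instead of a domU that silently keeps using dom0's driver.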

Hope this helps.

-j


November 10, 2008  6:02 PM

Russia and Cuba kick out Microsoft in favor of Open Source Software

John Little Profile: Xjlittle

In a recent article that I ran across the two Governments have decided that Open Source is what they should be using instead of Microsoft. They stated the normal reasons that we usually hear when a government makes this decision. Primarily it has to do with economics and the introduction of Open Source Software into their fiscal institutions, schools and government institutions.

To use their words, a move like this is:

Alexei Smirnov said that the distribution of free software as in Cuba, and Russia is a strategic priority related to the sovereignty of countries

Like I said this sounds like pretty much the same reasons that we hear from other governments making this move.

What really bothered me though were some of the comments that were made regarding this article and Russia’s and Cuba’s decision.

OMG and this is supposed to be a “good thing”, sure russia and cuba, socialist/communist regimes, uses assassinations, fear and extortion, and are very against the American way of life,

but because they are using linux, and supposedly against Microsoft, you know that company that employs thousands of Americans and western people all over the world.

that makes this kind of thing good.

So you would not mind if Linux was used in russian cruise missiles pointed at the US, as long as they accepted the GPLv2. ??

you guys are a freaking joke,

and

You’re absolutely right: torture, imprisonment without trial, illegal “disappearances” and a cynical disregard for international norms like the Geneva Convention are completely unacceptable, whatever the operating system.

Really now. How long has it been since Russia has been a serious threat to the US or any other country? From where I sit they get involved in the same political battles of right and wrong that we do. Their Nuclear Missiles have long been destroyed.

And speaking of supporting countries that have countless human rights violations, what about China and the Olympics? Did you watch them or boycott them in favor of your idealism?

IMHO Russia and other countries are beginning to grasp the realities and advantages of the freedom of people to think and do, and are starting to reap the benefits of it for their own countries. Russia even acknowledged Alexei Smirnov, CEO of ALT Linux, as a leader in bringing this movement to bear. If you didn't know, ALT Linux is developed in Russia.

The negative statements made above are from non thinking people who are going to find fault with anything and everything. That is their right as people living in a free country or countries. It is also the right of Russia, which is a country that is working towards freedom, to decide to build and deploy Open Source Software in their institutions and schools.

-j


November 8, 2008  2:59 PM

Help! root can’t login

John Little Profile: Xjlittle

I occasionally see the post Help! root can't login on some of the discussion boards around the net. Generally this is for one of two reasons: either the account has expired or the password has been forgotten.

The forgotten password is straightforward to fix. When booting the machine enter the grub menu. Your default kernel should already be highlighted. Press e which will bring you to a screen with the three lines for that kernel that are in the grub.conf. Highlight the one titled kernel and press e again.

This will open up that line for editing. Move to the end of the line and type s and then hit enter. Now type b for that kernel to boot. This will put you into single user mode.

Once the machine has booted into single user mode you may change root’s password using the normal passwd command.

Having root's account expired is a little more complicated but still straightforward. Once again, boot into single user mode as described above. We will use the chage command to fix root's account.

If you issue:

[root@centos5-lt ~]# chage --help
Usage: chage [options] user

Options:
-d, --lastday LAST_DAY set last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximim number of days before password
change to MAX_DAYS
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS

[root@centos5-lt ~]#

The two commands that we are interested in here are:

chage -l
chage -E

chage -l root will list root's account aging information so that we can confirm that it is expired. We want to set the account so that it will not expire; use chage -E -1 root to accomplish this.

chage -l root
Account expires : Nov 07, 2008 #The account expires line is what you want to check
chage -E -1 root
chage -l root
Account expires : never # Now we have solved our problem of the root account expiring

There you go. Now you should be able to fix root’s account if you accidentally make a mistake with it.
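The check that chage -l performs reads the aging fields of /etc/shadow, so the same check can be run over every account at once and catch an expiry before it locks root out and forces the single-user rescue described above (which, since it needs only console access, is also why the GRUB menu on such a box should carry a password). The script below is an added example, not part of the original post. The shadow lines it works on are constructed for the example with a placeholder in the hash field; "today" is passed in as days since 1970-01-01, the unit /etc/shadow itself uses, so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/shadow aging fields
# for accounts that are expired or whose password has lapsed, the two states
# that leave root unable to log in.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved (days since epoch).

# Constructed sample; hashes replaced by a placeholder. root expires on day 14190
# (Nov 07, 2008, as in the post's chage -l output).
SAMPLE_SHADOW='root:$1$PLACEHOLDER:14150:0:99999:7::14190:
bin:*:14000:0:99999:7:::
john:$1$PLACEHOLDER:14100:0:90:7:::
svc:$1$PLACEHOLDER:14000:0:30:7:10::'

# Today as days since the epoch, the number chage compares against.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Print "user reason" for each account that can no longer log in on day $2:
#   account-expired  : the expire date (field 8) has passed      -> chage -E -1 USER
#   password-expired : lastchg + max + inactive has passed       -> passwd USER
# Usage: expired_accounts "$(cat /etc/shadow)" "$(today_days)"
expired_accounts() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        NF < 8 { next }
        # field 8: absolute account expiry; empty means never
        $8 != "" && $8 < today { print $1, "account-expired"; next }
        # fields 3,5,7: password age limit plus inactivity grace; 99999 means never
        $5 != "" && $5 < 99999 && $3 != "" {
            grace = ($7 == "") ? 0 : $7
            if ($3 + $5 + grace < today) print $1, "password-expired"
        }'
}

# 0 when root in particular is still usable on day $2 (the case the post is about).
root_login_ok() {
    ! expired_accounts "$1" "$2" | grep -q '^root '
}

# Stand-alone run against the live system (needs root to read /etc/shadow):
#   expired_accounts "$(cat /etc/shadow)" "$(today_days)"
```

Run from cron with the live file, it turns the "Account expires" line you would otherwise read one account at a time into a list you can act on with chage -E -1 or passwd before anyone has to reboot into single user mode.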

-j


November 5, 2008  2:56 PM

Maintaining your sanity with SELinux

John Little Profile: Xjlittle

Yes, I know... everyone wants to turn off SELinux. The Notes Domino people even tell you to turn off SELinux before installing Domino. While that may be a good idea for their particular case, it is not such a good idea under normal circumstances. SELinux is another excellent layer of protection for your system, along with iptables and hosts.allow and hosts.deny. Keeping a few things in mind will help you maintain your sanity while using SELinux.

First up are /var/log/audit/audit.log, /var/log/secure and /var/log/messages. If SELinux is set to enforcing and you've just installed a new application or created a file or directory that is not allowing proper access, these three files are the place to go. Before you do this make sure the following packages are installed:
setroubleshoot.noarch
setroubleshoot-plugins.noarch
setroubleshoot-server.noarch

After installing these make sure that you start the setroubleshoot application and set it to start on reboot:

/etc/init.d/setroubleshoot start
Starting setroubleshootd: [ OK ]
chkconfig setroubleshoot on

Watch the logs in real time as you attempt to access the application, file or directory like this:

cd /var/log
tail -f secure audit/audit.log messages

After doing this hit enter three times to give you some white space between the old messages and the new ones that are generated. If selinux is giving you a problem you will see something like the following in the messages log:

Nov 5 08:18:44 centos5-dev setroubleshoot: SELinux is preventing access to files with the label, file_t. For complete SELinux messages. run sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37

To find out not only what is going on but how to fix it run the sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37 command described in the message.

[root@centos5-dev ~]# sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context system_u:system_r:hplip_t
Target Context system_u:object_r:file_t
Target Objects libc.so.6 [ lnk_file ]
Source hpssd.py
Source Path /bin/env
Port
Host centos5-dev.hendricks.org
Source RPM Packages coreutils-5.97-14.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name file
Host Name centos5-dev.hendricks.org
Platform Linux centos5-dev.hendricks.org
2.6.18-92.1.10.el5xen #1 SMP Tue Aug 5 08:46:32
EDT 2008 i686 athlon
Alert Count 3
First Seen Wed Nov 5 08:18:39 2008
Last Seen Wed Nov 5 08:18:39 2008
Local ID d102b5a4-ac6f-470f-aa34-55ac37dafa37
Line Numbers

Raw Audit Messages

host=centos5-dev.hendricks.org type=AVC msg=audit(1225891119.851:12): avc: denied { read } for pid=2634 comm="hpssd.py" name="libc.so.6" dev=dm-0 ino=1547246 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file

host=centos5-dev.hendricks.org type=SYSCALL msg=audit(1225891119.851:12): arch=40000003 syscall=5 success=no exit=-13 a0=b7fb2b4b a1=0 a2=bfd8a2b4 a3=8 items=0 ppid=2633 pid=2634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hpssd.py" exe="/bin/env" subj=system_u:system_r:hplip_t:s0 key=(null)
[root@centos5-dev ~]#

The part that we are interested in is under the above heading Allowing Access: You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Running this command fixes our problem. Note that these problems can range from accessing html pages to allowing a public web directory in your home directory.

Next up we have the command:

chcon --reference

Let's say you are using your localhost as your web server. You decide that you want to add some virtual hosts, so you add the virtual host directories outside of the normal /var/www/html directory. You build your virtual hosts, but now you can't access them. Watching your messages log you see that this is definitely an SELinux problem. Using the above command we can fix our problem like this:

chcon --reference=/var/www/html /srv/www/vhosts       # fixes the SELinux context on the root directory of the virtual hosts
chcon -R --reference=/var/www/html /srv/www/vhosts    # fixes the context on the files beneath it, in case they differ from the directory

This code references the contexts of the given files or directories and applies them to the new files and directories. Now every time that you add a file or directory under /srv/www/vhosts it will get the proper selinux context.

The last way that we are going to discuss is restorecon. Taking the above scenario, suppose that under either of the directories you find that some files or directories did not pick up the correct context, or maybe no context at all. Easy enough to fix:

restorecon -Rv /var/www/html /srv/www/vhosts

The reason this works is that restorecon looks at the contexts the other files and directories should have and applies that context to the ones with an incorrect context or no context at all.
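Two posts above describe the same mechanism from different ends: the whitelisting post explains that a daemon confined to a targeted domain such as hplip_t or httpd_t simply cannot touch files whose type the policy does not allow, and this post shows what that looks like in the audit log. The script below is an added example, not part of the original post, that pulls the fields an administrator reads first out of raw AVC denial lines (source domain, permission, object class, target type) and sorts each denial into the two cases covered here: an unlabeled target (file_t, fixed only by a relabel) and a mislabeled one (fixed with chcon or restorecon). The sample lines are constructed for this example; the first copies the denial shown above, the second is a made-up httpd denial for a vhost file carrying a home-directory type. One precision on restorecon for the lead-in only: it takes the correct label from the policy's file_contexts database rather than from neighbouring files, and `matchpathcon /srv/www/vhosts` prints the label it will choose for a path.

```shell
#!/bin/sh
# Added example (not from the original post): triage raw SELinux AVC denials
# from /var/log/audit/audit.log into "relabel everything" vs "fix this label".
# Sample audit lines are constructed for this example.

SAMPLE_AUDIT='type=AVC msg=audit(1225891119.851:12): avc: denied { read } for pid=2634 comm="hpssd.py" name="libc.so.6" dev=dm-0 ino=1547246 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
type=AVC msg=audit(1225891200.101:13): avc: denied { getattr } for pid=3001 comm="httpd" path="/srv/www/vhosts/index.html" dev=dm-0 ino=9981 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1225891200.101:13): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

# One key=value field from an audit line; quotes around the value are dropped.
# Usage: field "$line" tcontext
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Summarise each AVC line as: comm source_type perm tclass target_type verdict
# (only the first permission of a "{ read write }" set is reported).
summarize_avc() {
    printf '%s\n' "$1" | grep 'type=AVC' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed 's/.*denied { *\([^ }]*\) *}.*/\1/')
        comm=$(field "$line" comm)
        stype=$(field "$line" scontext | cut -d: -f3)   # user:role:TYPE:level
        ttype=$(field "$line" tcontext | cut -d: -f3)
        tclass=$(field "$line" tclass)
        case "$ttype" in
            # file_t means the object has no label at all: a per-file chcon is the
            # wrong tool, the filesystem needs relabeling (the sealert advice above)
            file_t) verdict="unlabeled: touch /.autorelabel; reboot" ;;
            # any other type means the object is labeled, just not as the source
            # domain is allowed to use; restore it from policy or copy a good one
            *)      verdict="mislabeled: restorecon -Rv <path> or chcon --reference" ;;
        esac
        printf '%s %s %s %s %s %s\n' "$comm" "$stype" "$perm" "$tclass" "$ttype" "$verdict"
    done
}

# Number of denials whose target is still unlabeled; anything above zero means a
# relabel is due no matter how many individual chcon fixes are applied.
count_unlabeled() {
    summarize_avc "$1" | grep -c ' file_t ' || true
}

# Stand-alone run against the live log (needs root):
#   summarize_avc "$(grep 'type=AVC' /var/log/audit/audit.log)"
```

Feeding it `grep type=AVC /var/log/audit/audit.log` gives one line per denial with the decision already made, which is quicker than opening sealert for each ID when a freshly installed application produces dozens of them at once.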

There you have it. Keep your sanity and still use SELinux.

-j

