PaulHowarth/Blog/2006-04

Paul's Blog Entries for April 2006

Sunday 2nd April 2006

Fedora Core 5

Time to do the upgrade on the last of my machines, the firewall/router/DNS/mail/web/ftp server. Naturally I leave this one to last so that I can figure out the new distro's quirks and gotchas before doing it. Upgrade seemed to go smoothly, but the machine hung at Starting udev: . Well, actually it didn't hang but went extremely slowly. Machine is currently up but running in crippled mode. This will not do.

Football

Woeful performance from the boys in blue against the bogey side, Middlesbrough. We clearly seem to have declared our total for the season. Stu was furious, and it'll be interesting to see the reaction his reaction gets next time out.

Monday 3rd April 2006

Firewall Box

Borrowed a disk from a work machine and did a fresh install of Fedora Core 5 on it. Installed the disk in the firewall box and it booted just fine. So the old system has some configuration issue that was causing the problem. Unfortunately I can't tell what it was and I can't spare the time to diagnose it. So instead I've migrated most of the old applications across to what is effectively a new box. This would have been much easier had I not accidentally deleted most of /home whilst moving the data across.

Anyway, issues that cropped up:

  • bacula seems to have forgotten about most of the files in the last full dump I did at the start of September last year, and hence didn't restore them. That's my own fault for assuming it works like Legato NetWorker and wouldn't prune data from the database until there was fresh data. I'll be doing a full dump every three months or so to prevent a recurrence of this. I recovered the data using bextract instead.

  • openldap has a new Berkeley DB version built in, and won't read the old one. Didn't see that in the release notes. Got the data back by copying /var/lib/ldap back to a spare FC4 box and using slapcat to extract it into an LDIF file, which I could then import back into FC5.

Tuesday 4th April 2006

Local Packages

  • Updated perl-Term-ReadLine-Gnu to 1.16

Wednesday 5th April 2006

curl and SELinux

The log messages generated by every invocation of curl are beginning to irritate me:

Apr  5 12:20:11 goalkeeper kernel: audit(1144236011.710:2884): avc:  granted  { execstack } for  pid=30759 comm="curl" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  5 12:20:11 goalkeeper kernel: audit(1144236011.710:2885): avc:  granted  { execmem } for  pid=30759 comm="curl" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process

I've raised Bug #188006 accordingly.

Update: It was entirely my own fault; my local libidn package (built on Red Hat Linux 9) was the culprit as it didn't define a separate stack segment. I shall have to build an FC5-specific version of this package in future :o
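The two audit lines above are ordinary AVC messages; the interesting bits for a sysadmin are the verdict (granted or denied), the permission set in braces, the program name and the source/target types. The following parser is an added example written for this page, not something from the original post: it pulls those fields out of syslog-style kernel AVC lines and groups the memory-execution permissions (execmem, execstack, execheap, execmod) by program, which is how a badly built library like the old libidn package shows up. The first two sample lines are the ones quoted above; the third (a mono execheap denial) and the fourth (a non-AVC line) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: lines 1-2 are copied from the post, line 3 is a made-up
# denial in the same format, line 4 is a non-AVC kernel message that must be ignored.
SAMPLE_LOG = """\
Apr  5 12:20:11 goalkeeper kernel: audit(1144236011.710:2884): avc:  granted  { execstack } for  pid=30759 comm="curl" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  5 12:20:11 goalkeeper kernel: audit(1144236011.710:2885): avc:  granted  { execmem } for  pid=30759 comm="curl" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  5 12:21:03 goalkeeper kernel: audit(1144236063.001:2886): avc:  denied  { execheap } for  pid=30801 comm="mono" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  5 12:21:04 goalkeeper kernel: some unrelated kernel message
"""

# audit(<epoch.millis>:<serial>): avc:  <verdict>  { <perms> } for  <key=value fields>
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>granted|denied)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm="curl") or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that mean "execute from writable/modified memory"; worth watching
# because they defeat the usual W^X protection for the process concerned.
MEMORY_EXEC_PERMS = {"execmem", "execstack", "execheap", "execmod"}


def _type_of(context):
    """Third field of user:role:type[:level] is the type; None if absent."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Return a dict describing one AVC line, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["stype"] = _type_of(rec.get("scontext"))
    rec["ttype"] = _type_of(rec.get("tcontext"))
    return rec


def summarise(log_text):
    """Group memory-execution permissions by program name (comm).

    Returns {comm: {"granted": [perms...], "denied": [perms...]}} for every
    process-class AVC that used one of MEMORY_EXEC_PERMS.
    """
    by_comm = defaultdict(lambda: {"granted": set(), "denied": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "process":
            continue
        hit = MEMORY_EXEC_PERMS.intersection(rec["perms"])
        if hit:
            by_comm[rec.get("comm", "?")][rec["verdict"]].update(hit)
    return {comm: {k: sorted(v) for k, v in d.items()} for comm, d in by_comm.items()}


if __name__ == "__main__":
    for comm, verdicts in sorted(summarise(SAMPLE_LOG).items()):
        print("%-8s granted=%-22s denied=%s" % (comm, verdicts["granted"], verdicts["denied"]))
```

Run against a real /var/log/messages the same way (feed the file contents to summarise); a program that keeps turning up with execstack granted is the one whose build, or whose libraries' build, lacks a proper non-executable stack marking.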

Thursday 6th April 2006

Local Packages

  • updated getmail to 4.6.0

  • rewrote the spec file for libidn in my own style (I was just tweaking the upstream Fedora spec previously) and built a separate package for FC5 to address Bug #188006

Fedora Extras

  • updated spamass-milter to 0.3.1

Friday 7th April 2006

Local Packages

  • Updated perl-HTTP-Size to 0.93

Saturday 8th April 2006

Backups

Having updated all my boxes to Fedora Core 5, it was time to do some full backups. Using bacula, I dumped my 3 machines and the data from Bingning's Windows box onto 5 DVDs.

Sunday 9th April 2006

Fedora Extras

Took over perl-Convert-BinHex, perl-IO-stringy, perl-MailTools, and perl-MIME-tools, orphaned by Ville Skyttä. They could all do with a bit of tidying up, and perl-MIME-tools is due an upgrade to 5.420. Should get round to that later this week.

Monday 10th April 2006

Local Packages

  • Updated perl-HTTP-Size to 0.94

Wiki

Tuesday 11th April 2006

Local Packages

  • Updated perl-ConfigReader-Simple to 1.23

Wednesday 12th April 2006

Wiki

JonBurgess becomes the first guest editor.

Monday 17th April 2006

Local Packages

  • Updated moin to 1.5.3

Wiki

The new version of moin seems to make it difficult to log in. The UserPreferences page refers to a login button that doesn't exist. There's a login action, which works, but you have to know it's there. Need to think about what to do about this.

Tuesday 18th April 2006

PPTP Client Project

Moved pptpconfig dependency packages php4-pcntl and php4-pcntl-gtk into the pptp-stable repository and released the packages (plus the updated pptpconfig package that uses them) to sourceforge.net. Updated CVS too. The web site will need updating to refer to the new packages.

Fedora Extras

  • Made changes to perl-Math-Pari (Bug #175198) and perl-Crypt-RSA (Bug #183888) following review comments

  • Imported perl-Crypt-Random, perl-Crypt-Primes, and perl-Math-Pari into CVS and built them

  • Mailed upstream bittorrent about Bug #189072

Local Packages

  • Updated perl-Jcode to 2.04

Wednesday 19th April 2006

Fedora Extras

  • Imported perl-Crypt-RSA and perl-Net-SSH-Perl into CVS and built them

  • Updated perl-MIME-tools to 5.420 (my first update since taking over the package from Ville Skyttä)

  • Mailed upstream bittorrent about Bug #189295

SELinux

Made a policy module for mock that allows builds for legacy distros like Red Hat Linux 7.3 on a Fedora Core 5 host. Without the module, execmod AVCs occur because the old DSOs that need to be loaded aren't labelled textrel_shlib_t in the mock root.

mock.if:

########################################
## <summary>
##      Create objects in the /var/lib/mock directory
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="file_type">
##      <summary>
##      The type of the object to be created
##      </summary>
## </param>
## <param name="object_class">
##      <summary>
##      The object class.
##      </summary>
## </param>
#
interface(`files_var_lib_mock_filetrans',`
        gen_require(`
                type var_t, var_lib_t, mock_var_lib_t;
        ')

        allow $1 var_t:dir search_dir_perms;
        allow $1 var_lib_t:dir search_dir_perms;
        allow $1 mock_var_lib_t:dir rw_dir_perms;
        type_transition $1 mock_var_lib_t:$3 $2;
')

mock.fc:

/var/lib/mock(/[^/]*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.* gen_context(system_u:object_r:mock_root_t,s0)

mock.te:

policy_module(mock, 0.5)

require {
        type unconfined_t;
};

# New types for mock, used for files
type mock_root_t;
files_type(mock_root_t)
type mock_var_lib_t;
files_type(mock_var_lib_t)

# Type transition needed to ensure roots get created as mock_root_t
files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })

# Old libraries may need execmod permission
allow unconfined_t mock_root_t:file execmod;

Building and installing is easy. Copy the three files into an empty directory and do:

# make -f /usr/share/selinux/devel/Makefile
Compliling targeted mock module
/usr/bin/checkmodule:  loading policy configuration from tmp/mock.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 5) to tmp/mock.mod
Creating targeted mock.pp policy package
rm tmp/mock.mod.fc tmp/mock.mod
# semodule -i mock.pp

/!\ The selinux-policy and checkpolicy packages are required

This all seems to work very nicely, provided the module is loaded before mock is installed so that /var/lib/mock gets created as mock_var_lib_t.

Otherwise, a restorecon is needed.

Thursday 20th April 2006

Fedora Extras

  • Built perl-Math-Pari, perl-Crypt-Random, perl-Crypt-Primes, perl-Crypt-RSA, and perl-Net-SSH-Perl for FC4 and FC5

SELinux

Rewrote the SELinux policy module for mock that I did yesterday. Whilst it handled the execmod issue for old distro libraries fairly cleanly, it wasn't able to handle the problem I'd been having building mono applications. It took me a surprisingly long time to twig that this was an SELinux issue. Mono apps normally run in their own domain, mono_t, and have execmem and execheap privileges. This particular problem was caused by running mono in the unconfined_t domain and not being allowed execheap privilege. Domain transitions don't happen in mock because it makes child processes think that SELinux is disabled, so even getting /usr/bin/mono in the buildroot set to mono_exec_t wouldn't help. This left me with two options as far as I could see:

  1. Allow unconfined_t execheap privilege (equivalent to turning on the allow_execheap boolean)

  2. Run the entire mock process in its own domain, and grant that domain execheap privilege

Clearly the second option made more sense as it only enabled execheap for mock rather than for virtually every process run by a user. I also took the opportunity to remove mock_root_t as there didn't seem to be much point in differentiating between mock_var_lib_t and mock_root_t.

So here's the new mock policy module, mostly cribbed from the mono policy:

mock.if:

## <summary>Build packages in a chroot environment.</summary>

########################################
## <summary>
##      Execute the mock program in the mock domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`mock_domtrans',`
        gen_require(`
                type mock_t, mock_exec_t;
        ')

        corecmd_search_bin($1)
        domain_auto_trans($1, mock_exec_t, mock_t)

        allow $1 mock_t:fd use;
        allow mock_t $1:fd use;
        allow mock_t $1:fifo_file rw_file_perms;
        allow mock_t $1:process sigchld;
')

########################################
## <summary>
##      Create objects in the /var/lib/mock directory
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="file_type">
##      <summary>
##      The type of the object to be created
##      </summary>
## </param>
## <param name="object_class">
##      <summary>
##      The object class.
##      </summary>
## </param>
#
interface(`files_var_lib_mock_filetrans',`
        gen_require(`
                type var_t, var_lib_t, mock_var_lib_t;
        ')

        allow $1 var_t:dir search_dir_perms;
        allow $1 var_lib_t:dir search_dir_perms;
        allow $1 mock_var_lib_t:dir rw_dir_perms;
        type_transition $1 mock_var_lib_t:$3 $2;
')

mock.fc:

/usr/bin/mock                   --      gen_context(system_u:object_r:mock_exec_t,s0)

/var/lib/mock(/.*)?                     gen_context(system_u:object_r:mock_var_lib_t,s0)

mock.te:

policy_module(mock, 0.7.1)

########################################
#
# Declarations
#

type mock_t;
domain_type(mock_t)

type mock_exec_t;
domain_entry_file(mock_t,mock_exec_t)

type mock_var_lib_t;
files_type(mock_var_lib_t)

########################################
#
# Local policy
#

ifdef(`targeted_policy',`

        # unconfined_t is declared by another module, so it has to be
        # required here before mock_domtrans() refers to it below
        gen_require(`
                type unconfined_t;
        ')

        # execheap & execmem are needed to run mono under mock
        # where no transition to mono_t will happen
        allow mock_t self:process { execheap execmem };
        unconfined_domain_noaudit(mock_t)
        role system_r types mock_t;

        # Old libraries may need execmod permission
        allow mock_t mock_var_lib_t:file execmod;

        # Transition to mock_t from unconfined_t
        mock_domtrans(unconfined_t)

')

Building and installing is easy. Copy the three files into an empty directory and do:

# make -f /usr/share/selinux/devel/Makefile
Compliling targeted mock module
/usr/bin/checkmodule:  loading policy configuration from tmp/mock.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 5) to tmp/mock.mod
Creating targeted mock.pp policy package
rm tmp/mock.mod.fc tmp/mock.mod
# semodule -i mock.pp

/!\ The selinux-policy and checkpolicy packages are required

This all seems to work very nicely, provided the module is loaded before mock is installed so that /var/lib/mock gets created as mock_var_lib_t and /usr/bin/mock gets created as mock_exec_t.

Otherwise, a restorecon is needed.

{i} This policy would probably work for mach as well, just by adding these lines to mock.fc:

/usr/bin/mach                   --      gen_context(system_u:object_r:mock_exec_t,s0)
/var/lib/mach(/.*)?                     gen_context(system_u:object_r:mock_var_lib_t,s0)
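Whether a given path ends up as mock_var_lib_t, mock_root_t or mock_exec_t comes down to how the file_contexts entries in mock.fc are matched, and that is exactly what determines whether the restorecon mentioned above is needed. The script below is an added example for this page, not code from the post or from mock: it parses file_contexts lines in the gen_context() form used by both versions of mock.fc above (plus the suggested mach lines) and resolves paths against them the way matchpathcon does, anchoring each regex to the whole path, honouring the file-type flag (`--` means regular files only) and letting the last matching entry win. The paths fed to it are constructed for the example.

```python
import re

# Entries copied from the first mock.fc on this page (with mock_root_t)
FC_V1 = """\
/var/lib/mock(/[^/]*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.* gen_context(system_u:object_r:mock_root_t,s0)
"""

# Entries copied from the rewritten mock.fc plus the suggested mach lines
FC_V2 = """\
/usr/bin/mock                   --      gen_context(system_u:object_r:mock_exec_t,s0)
/var/lib/mock(/.*)?                     gen_context(system_u:object_r:mock_var_lib_t,s0)
/usr/bin/mach                   --      gen_context(system_u:object_r:mock_exec_t,s0)
/var/lib/mach(/.*)?                     gen_context(system_u:object_r:mock_var_lib_t,s0)
"""

# <regex> [<file-type flag>] gen_context(<user:role:type>,<mls>)
ENTRY_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
    r"gen_context\((?P<ctx>[^,)]+),(?P<mls>[^)]+)\)\s*$"
)

# file_contexts type flag -> one-letter file type used by match_context()
FTYPE_CODES = {"--": "f", "-d": "d", "-l": "l", "-b": "b", "-c": "c", "-p": "p", "-s": "s"}


def parse_file_contexts(text):
    """Parse gen_context()-style file_contexts text into a list of entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsable file_contexts line: %r" % line)
        entries.append({
            # libselinux anchors every regex to the whole path
            "pattern": re.compile("^" + m.group("regex") + "$"),
            # None means the entry applies to any file type
            "ftype": FTYPE_CODES.get(m.group("ftype")),
            "context": m.group("ctx") + ":" + m.group("mls"),
        })
    return entries


def match_context(entries, path, ftype="f"):
    """Return the context for path (ftype: f=regular file, d=directory, ...).

    As with matchpathcon, when several entries match, the last one in the
    (specificity-sorted) file wins; None means no entry applies.
    """
    result = None
    for e in entries:
        if e["ftype"] is not None and e["ftype"] != ftype:
            continue
        if e["pattern"].match(path):
            result = e["context"]
    return result


def type_of(context):
    """Extract the type from user:role:type:level, or None."""
    return context.split(":")[2] if context else None


def label_report(entries, paths):
    """Map each (path, ftype) pair to the type it would be labelled with."""
    return {path: type_of(match_context(entries, path, ftype)) for path, ftype in paths}


if __name__ == "__main__":
    # Constructed paths resembling a mock buildroot and the mock binary itself
    sample = [
        ("/var/lib/mock", "d"),
        ("/var/lib/mock/fedora-5-i386-core", "d"),
        ("/var/lib/mock/fedora-5-i386-core/root/usr/lib/libfoo.so", "f"),
        ("/usr/bin/mock", "f"),
    ]
    for name, text in (("first mock.fc", FC_V1), ("rewritten mock.fc", FC_V2)):
        print(name)
        for path, label in label_report(parse_file_contexts(text), sample).items():
            print("  %-60s %s" % (path, label))
```

The report makes the simplification in the second module visible: under the first mock.fc the chroot contents are mock_root_t while the top-level directories are mock_var_lib_t, whereas under the rewritten one everything beneath /var/lib/mock is mock_var_lib_t and only /usr/bin/mock (as a regular file, because of the `--` flag) is mock_exec_t.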

Friday 21st April 2006

Birthday

Forty-one today! Got a box of chocolates (Thornton's Classic Selection 335g) courtesy of Sainsbury's, which was nice.

Many happy returns to the Queen too.

Local Packages

  • Updated proftpd to 1.3.0

  • Updated perl-Sub-Uplevel to 0.10

Fedora Extras

Monday 24th April 2006

Local Packages

  • Updated gotmail to 0.8.9

  • Updated nmap to 4.03

Leaky Tap Connector

Had to return home at lunchtime because we had a water leak. A tap connector in the bathroom has a sharp edge somewhere inside it that wears through the fibre washer every year or so, causing a slow drip. It's easy enough to replace the washer and not sufficiently annoying to make it worth the time, trouble, and expense of a "real" fix.

Tuesday 25th April 2006

Fedora Extras

Had a look at the review requests for fuse-emulator-utils, compat-gtkhtml36, libnetfilter_conntrack, and libnfnetlink. Commented on all but none were ready for a full review.

Football

A win at last! Why is it that people seem to do disproportionately well against their old clubs (thanks Darius!)?

Wednesday 26th April 2006

Fedora Extras

Micra Windows

The driver's side window pane has become detached from the winding mechanism - again. Grrrr.

Thursday 27th April 2006

Fedora Extras
