PaulHowarth/Blog/2007-11-08

Thursday 8th November 2007

Local Packages

Completed populating the Fedora 8 repository with builds of city-fan.org-release, perl-HTTP-Size, weblint, and weblint++

Fedora 8 and VMware Server

Upgraded my work desktop to Fedora 8 in the morning, and found I needed a few extra steps to get VMware Server up and running:

# rpm -Uvh VMware-server-1.0.4-56528.i386.rpm

Before configuring VMware Server, it's necessary to install a few additional packages, patch the kernel modules, and make an SELinux tweak. VMware defaults to using a reserved port (902) for the server; it's easier to make it play nice with SELinux by using an unreserved port such as 4800 and labelling that port as inetd_child_port_t with semanage, as below. Note that the vmware-any-any-update tarball is an unofficial third-party patch, fetched over plain HTTP and run as root, so check that the copy you have is the one you expect before running runme.pl.

# yum install gcc-c++ kernel-devel xinetd 'perl(ExtUtils::MakeMaker)'
# cd
# wget http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update114.tar.gz
# semanage port -a -t inetd_child_port_t -p tcp 4800
# tar xf vmware-any-any-update114.tar.gz
# cd vmware-any-any-update114
# ./runme.pl
# restorecon -v /etc/services

/!\ If you have a firewall enabled, you'll also need to poke a hole in it to allow connections to port 4800, or whatever your chosen port is.

SELinux in Fedora 8

Came across a new (to me) type of SELinux denial whilst trying to get a crontab entry like this one to work in Fedora 8:

45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth

Even after adding all of the rules suggested by audit2allow -R in a local policy module, I was still getting Permission denied errors with SELinux in enforcing mode, but it was working in permissive mode.

In /var/log/audit/audit.log, I found this:

type=SELINUX_ERR msg=audit(1194609955.230:176): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process

After querying this on fedora-selinux-list, I found that audit2allow doesn't currently cope with this sort of denial (which is not an AVC denial), and what I needed to add was:

role unconfined_r types system_mail_t;

So the policy module I ended up with to allow my mail from cron was this:

policy_module(localmisc, 0.0.8)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
role unconfined_r types system_mail_t;
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)
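As an added example (not from the original post): audit2allow only turns AVC records into allow rules, so a SELINUX_ERR record from security_compute_sid, which says that the role in the proposed context is not authorised for the new type, has to be handled by hand. The shell helper below pulls the role and type out of such a record and emits the "role R types T;" statement that was missing from the module above. The function names, the log-scanning wrapper and the second sample record (an ordinary AVC denial that must be ignored) are my own; the SELINUX_ERR record is the one quoted above.

```shell
#!/bin/sh
# Added example, not part of the original post.
# audit2allow only handles AVC records; a SELINUX_ERR "invalid context" record
# from security_compute_sid means the role in the new context is not authorised
# for the new type, which is fixed with a "role R types T;" statement in the
# local policy module. This helper derives that statement from such a record.

# Constructed sample records: the first is the one quoted in the post, the
# second is an ordinary AVC denial that the helper must ignore.
SAMPLE_ERR='type=SELINUX_ERR msg=audit(1194609955.230:176): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process'
SAMPLE_AVC='type=AVC msg=audit(1194609955.231:177): avc:  denied  { read } for  pid=4321 comm="sendmail" name="tmp" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:system_mail_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# Print "role R types T;" for one SELINUX_ERR invalid-context record.
# Returns 1 and prints nothing for any other kind of record.
role_rule_from_selinux_err() {
    rec=$1
    case "$rec" in
        *"type=SELINUX_ERR"*"invalid context "*) ;;
        *) return 1 ;;
    esac
    # The rejected context is the word that follows "invalid context "
    ctx=${rec#*"invalid context "}
    ctx=${ctx%% *}
    # Context layout is user:role:type[:level]; we want fields 2 and 3
    role=$(printf '%s\n' "$ctx" | cut -d: -f2)
    ty=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ -n "$role" ] && [ -n "$ty" ] || return 1
    printf 'role %s types %s;\n' "$role" "$ty"
}

# Scan a whole audit log (e.g. /var/log/audit/audit.log) and print each
# distinct role statement once. Lines that are not SELINUX_ERR records,
# including the AVC denials audit2allow already deals with, are skipped.
role_rules_from_log() {
    while IFS= read -r line; do
        role_rule_from_selinux_err "$line" || true
    done < "$1" | sort -u
}

# Write the constructed sample records to the given file, so the scanner can
# be exercised without a real audit log (the ERR record appears twice to show
# the de-duplication).
write_sample_log() {
    printf '%s\n' "$SAMPLE_AVC" "$SAMPLE_ERR" "$SAMPLE_ERR" > "$1"
}

# Stand-alone run: build a sample log and print the statements to append to
# the local policy .te file.
log=$(mktemp)
write_sample_log "$log"
role_rules_from_log "$log"     # prints: role unconfined_r types system_mail_t;
rm -f "$log"
```

Once the statement is in localmisc.te alongside the rules audit2allow produced, the module is built and loaded with the reference policy Makefile from selinux-policy-devel: make -f /usr/share/selinux/devel/Makefile localmisc.pp && semodule -i localmisc.pp.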
