Since the earliest days there has been a command named audit2allow that takes audit messages of operations that SE Linux denied and produces policy that will permit those operations. A lesser known option for this program is the “-R” option to use the interfaces from the Reference Policy (the newer version of the policy that was introduced a few years ago). I have updated my SE Linux repository for Lenny [1] with new packages of policy and python-sepolgen that fix some bugs that stopped this from being usable.
To use the -R option you have to install the selinux-policy-dev package and then run the command sepolgen-ifgen to generate the list of interfaces (for Squeeze I will probably make the postinst script of selinux-policy-dev do this). Doing this on Lenny requires selinux-policy-default version 0.0.20080702-20 or better and doing this on Debian/Unstable now requires selinux-policy-default version 0.2.20100524-2 (which is now in Testing) or better.
Would it be useful if I maintained my own repository of SE Linux packages from Debian/Unstable that can be used with Debian/Testing? You can use preferences to get a few packages from Unstable with the majority from Testing, but that’s inconvenient and anyone who wants to test the latest SE Linux stuff would need to include all SE Linux related packages to avoid missing an important update. If I was to use my own repository I would only include packages that provide a significant difference and let the trivial changes migrate through Testing in the normal way.
The new Lenny policy includes a back-port of the new Milter policy from Unstable, which makes it a lot easier to write policy for milters. Here is an example of the basic policy for two milters: it allows the milters (with domains foo_milter_t and bar_milter_t) to start, to receive connections from mail servers, and to create PID files and Unix domain sockets.

```
policy_module(localmilter,1.0.0)
milter_template(foo)
files_pid_filetrans(foo_milter_t, foo_milter_data_t, { sock_file file })
milter_template(bar)
files_pid_filetrans(bar_milter_t, bar_milter_data_t, { sock_file file })
allow bar_milter_t self:process signull;
type bar_milter_tmp_t;
files_tmp_file(bar_milter_tmp_t)
files_tmp_filetrans(bar_milter_t, bar_milter_tmp_t, file)
manage_files_pattern(bar_milter_t, tmp_t, bar_milter_tmp_t)
```
After generating that policy I ran a test system in permissive mode and sent a test message. I ran audit2allow on the resulting AVC messages from /var/log/audit/audit.log and got the following output:
```
#============= bar_milter_t ==============
allow bar_milter_t bin_t:dir search;
allow bar_milter_t bin_t:file getattr;
allow bar_milter_t home_root_t:dir search;
allow bar_milter_t ld_so_cache_t:file { read getattr };
allow bar_milter_t lib_t:file execute;
allow bar_milter_t mysqld_port_t:tcp_socket name_connect;
allow bar_milter_t net_conf_t:file { read getattr ioctl };
allow bar_milter_t self:process signal;
allow bar_milter_t self:tcp_socket { read write create connect setopt };
allow bar_milter_t unlabeled_t:association { recvfrom sendto };
allow bar_milter_t unlabeled_t:packet { recv send };
allow bar_milter_t urandom_device_t:chr_file read;
allow bar_milter_t usr_t:file { read getattr ioctl };
allow bar_milter_t usr_t:lnk_file read;
#============= foo_milter_t ==============
allow foo_milter_t ld_so_cache_t:file { read getattr };
allow foo_milter_t lib_t:file execute;
allow foo_milter_t mysqld_port_t:tcp_socket name_connect;
allow foo_milter_t net_conf_t:file { read getattr };
allow foo_milter_t self:capability { setuid setgid };
allow foo_milter_t self:tcp_socket { write setopt shutdown read create connect };
allow foo_milter_t unlabeled_t:association { recvfrom sendto };
allow foo_milter_t unlabeled_t:packet { recv send };
```
Running the audit2allow command with the “-R” option gives the following output; it includes the require section that is needed for generating policy modules:

```
require {
	type sshd_t;
	type ld_so_cache_t;
	type bar_milter_t;
	type foo_milter_t;
	class process signal;
	class tcp_socket { setopt read create write connect shutdown };
	class capability { setuid setgid };
	class fd use;
	class file { read getattr };
}
#============= bar_milter_t ==============
allow bar_milter_t ld_so_cache_t:file { read getattr };
allow bar_milter_t self:process signal;
allow bar_milter_t self:tcp_socket { read write create connect setopt };
corecmd_getattr_sbin_files(bar_milter_t)
corecmd_search_sbin(bar_milter_t)
corenet_sendrecv_unlabeled_packets(bar_milter_t)
corenet_tcp_connect_mysqld_port(bar_milter_t)
dev_read_urand(bar_milter_t)
files_read_usr_files(bar_milter_t)
files_read_usr_symlinks(bar_milter_t)
files_search_home(bar_milter_t)
kernel_sendrecv_unlabeled_association(bar_milter_t)
libs_exec_lib_files(bar_milter_t)
sysnet_read_config(bar_milter_t)
#============= foo_milter_t ==============
allow foo_milter_t ld_so_cache_t:file { read getattr };
allow foo_milter_t self:capability { setuid setgid };
allow foo_milter_t self:tcp_socket { write setopt shutdown read create connect };
corenet_sendrecv_unlabeled_packets(foo_milter_t)
corenet_tcp_connect_mysqld_port(foo_milter_t)
kernel_sendrecv_unlabeled_association(foo_milter_t)
libs_exec_lib_files(foo_milter_t)
sysnet_read_config(foo_milter_t)
```
To get this working I removed the require lines for foo_milter_t and bar_milter_t as it’s not permitted to both define a type and require it in the same module. Then I replaced the set of tcp_socket operations { write setopt shutdown read create connect } with create_socket_perms as it’s easiest to allow all the operations in that set and doesn’t give any security risks.
Finally I replaced the mysql lines such as corenet_tcp_connect_mysqld_port(foo_milter_t) with sections such as the following:
```
mysql_tcp_connect(foo_milter_t)
optional_policy(`
	mysql_stream_connect(foo_milter_t)
')
```
This gives it all the access it needs and additionally the optional policy will allow Unix domain socket connections for the case where the mysqld is running on localhost.
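The three hand edits described above (dropping require lines for types the module defines, collapsing the tcp_socket set into create_socket_perms, and swapping the mysqld port interface for the mysql module's interfaces) can be done mechanically. The following Python script is an added example, not part of the post or of the audit2allow/sepolgen tools; the sample input is a constructed excerpt modelled on the output above, and the member list of create_socket_perms is assumed from the Reference Policy's macro definition.

```python
import re

# Constructed sample input modelled on the audit2allow -R output above.
SAMPLE_OUTPUT = """require {
\ttype ld_so_cache_t;
\ttype foo_milter_t;
\tclass tcp_socket { setopt read create write connect shutdown };
\tclass file { read getattr };
}

#============= foo_milter_t ==============
allow foo_milter_t ld_so_cache_t:file { read getattr };
allow foo_milter_t self:tcp_socket { write setopt shutdown read create connect };
corenet_tcp_connect_mysqld_port(foo_milter_t)
libs_exec_lib_files(foo_milter_t)
"""

# Constructed module source, modelled on the localmilter module above.
SAMPLE_MODULE = """policy_module(localmilter,1.0.0)
milter_template(foo)
type bar_milter_tmp_t;
"""

# Assumption: the permission set named by refpolicy's create_socket_perms macro.
CREATE_SOCKET_PERMS = {"create", "ioctl", "read", "getattr", "write", "setattr",
                       "append", "bind", "connect", "getopt", "setopt", "shutdown"}


def declared_types(module_text):
    """Types a module defines itself: explicit 'type x;' lines plus the
    <name>_milter_t domain that milter_template(<name>) creates."""
    types = set(re.findall(r"^type (\w+);", module_text, re.M))
    names = re.findall(r"^milter_template\((\w+)\)", module_text, re.M)
    return types | {f"{n}_milter_t" for n in names}


def rewrite(output, local_types):
    """Apply the three edits to audit2allow -R output and return the new text."""
    result = []
    for line in output.splitlines():
        s = line.strip()
        # 1. A module may not both define a type and require it: drop those lines.
        m = re.match(r"type (\w+);$", s)
        if m and m.group(1) in local_types:
            continue
        # 2. Replace an explicit tcp_socket set with create_socket_perms, but only
        #    when every listed permission is inside that macro (never widen blindly).
        m = re.match(r"allow (\w+) self:tcp_socket \{([^}]*)\};$", s)
        if m and set(m.group(2).split()) <= CREATE_SOCKET_PERMS:
            result.append(f"allow {m.group(1)} self:tcp_socket create_socket_perms;")
            continue
        # 3. Use the mysql module's interfaces; the stream connect is optional so
        #    the module still builds when mysql policy is not loaded.
        m = re.match(r"corenet_tcp_connect_mysqld_port\((\w+)\)$", s)
        if m:
            d = m.group(1)
            result += [f"mysql_tcp_connect({d})", "optional_policy(`",
                       f"\tmysql_stream_connect({d})", "')"]
            continue
        result.append(line)
    return "\n".join(result) + "\n"


if __name__ == "__main__":
    print(rewrite(SAMPLE_OUTPUT, declared_types(SAMPLE_MODULE)), end="")
```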
I’ve just done some quick research on Digital Video Cameras for some relatives. It seems to me that the main feature that is necessary is Full HD (1920*1080) resolution as everyone seems to be getting 1920*1080 resolution monitors (getting smaller doesn’t save enough money to be worth-while). Resolutions higher than 1920*1080 will probably be available in affordable monitors in the next few years, so the ability of programs like mplayer to zoom videos will probably be required even for Full HD video soon. Saving maybe $300 on a video camera while getting a lower resolution doesn’t seem like a good idea.
The next feature is optical zoom, most cameras are advertised with features such as “advanced zoom” to try and trick customers, cameras which advertise 60* or better zoom often turn out to only have 20* zoom. I think that about 20* optical zoom should be considered the minimum, not that there is anything special about 20* zoom, it’s just that there is a good range of cameras with better zoom capacity.
Image stabilisation is a required feature: no-one can keep their hand perfectly steady and typically a DVC only gets hand-held use – most people who own them don’t even own a tripod! Digital image stabilisation is apparently not nearly as good as optical image stabilisation, and image stabilisation that involves moving the CCD is apparently somewhere in between.
Finally it’s good to have the ability to take quality photos as few people will want to carry a Digital Camera and a Digital Video Camera.
I did a search for DVCs on the web site of Ted’s Camera store (a chain of camera stores in Australia that generally provide good service at a competitive price – but not the cheapest price). The best of the Ted’s options seems to be the Panasonic SD60 HD Video [1] which does 25* optical zoom, 1920*1080i video, 5 megapixel still photography, and optical image stabilisation – it costs $750 from Ted’s.
The next best option seems to be the Sony Handycam HDR-CX110 HD [2] which does 25* optical zoom, 1920*1080i video, 3.1 megapixel 2048*1536 still photography, and digital image stabilisation. The Panasonic seems to be a better option due to having optical image stabilisation and a higher resolution for still photographs. It is also $750 from Ted’s.
Now there’s the issue of how well the cameras work on Linux. A quick Google search indicated that the Sony cameras present themselves as USB card readers and can be mounted on a Linux system, I couldn’t discover anything about the Panasonic. If I was going to buy one I would take my Netbook to the store and do a quick test.
I don’t have enough information to recommend either of those cameras, they may have some awful defects that are only apparent when you use them. But in terms of features they seem pretty good. The Panasonic SD60 HD Video should be a good benchmark when comparing cameras in the store. If nothing else the camera store staff seem to not be very helpful if asked generic questions such as “which camera is best”, but if asked questions such as “how is this other camera better than the one I’m looking at” they can usually give good answers.
If anyone has any other advice for purchasing a DVC then please let me know. Either generic advice or specific examples of Linux-friendly DVCs that have been purchased recently.
One of the access controls in SE Linux is for execmem – which is used to stop processes from creating memory regions that are writable and executable (as they make it easier to compromise programs and get them to execute supplied code). When the SE Linux audit log tells you that a program is attempting such access it’s sometimes difficult to discover where in the code such an access occurs, for example if you have a large code base and mmap() is called in many places it can be difficult to determine which one is the culprit. Especially if you have a source package that contains multiple binaries that use a common shared library and you don’t know which bits of library code are called by each executable.
To solve this problem in the case of freshclam, to provide extra information for Debian bug report #588599 [1], I wrote the following little shared object which can be compiled with “gcc -shared -g -fPIC mmap.c -o mmap.so” and used with “LD_PRELOAD=./mmap.so whatever”. Then when the program in question (or any non-SUID program it executes) calls mmap() with both PROT_EXEC and PROT_WRITE set the program will abort. If you run this through gdb then the program will break and you will get a back-trace of the function calls that led to the undesired mmap().
One thing to note is that this method only catches direct calls to a library function outside libc. When the libc code calls the library function (EG all the fwrite() etc code that calls mmap()) the LD_PRELOAD hack won’t catch it. Thanks to Keith Owens for pointing this out.
```c
#include <dlfcn.h>
#include <stdio.h>
#include <sys/mman.h>
#include <stdlib.h>
#undef NDEBUG          /* the assert() below must fire even in an optimised build */
#include <assert.h>

static void *libc6 = NULL;
static void *(*real_mmap)(void *, size_t, int, int, int, off_t);

/* Look up the real mmap() in libc so the wrapper can forward to it. */
static void do_init(void)
{
	libc6 = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
	if(!libc6)
	{
		fprintf(stderr, "Aieee: dlopen(libc.so.6) failed: %s\n", dlerror());
		exit(1);
	}
	real_mmap = (void * (*)(void *, size_t, int, int, int, off_t))dlsym(libc6, "mmap");
	if(!real_mmap)
	{
		fprintf(stderr, "Aieee: dlsym(mmap) failed: %s\n", dlerror());
		exit(1);
	}
}

/* Interposed mmap(): LD_PRELOAD makes this definition win over libc's. */
void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset)
{
	if(!real_mmap)
		do_init();
	/* A mapping that is both writable and executable is what execmem denies;
	 * abort here (SIGABRT) so gdb stops with a back-trace of the caller. */
	assert(!(prot & PROT_EXEC) || !(prot & PROT_WRITE));
	return real_mmap(addr, length, prot, flags, fd, offset);
}
```
My parents have just got a mobile phone with a Lebara pre-paid SIM [1]. Lebara advertise free calls to other Lebara phones but have a disclaimer that they charge a 25 cent flagfall and charge 15 cents per minute after the first 10 minutes – which is still cheaper than most mobile calls although not as good as some other mobile telcos such as Three that offer completely free calls to other phones with the same provider.
Lebara’s main selling point seems to be cheap international calls, half a cent per minute to Thailand, 1 cent per minute to Hong Kong, Indonesia and Singapore and 3 cents per minute to Bangladesh and China. Strangely calls to the US are 5 cents per minute and to Japan are 7 cents per minute, I would have expected that calling developed countries would have been cheaper due to better infrastructure and more competition. The trend of more developed countries having less expensive calls seems clear, some very undeveloped countries cost as much as $2 per minute! Note that all these rates are for calls to land-lines (calls to mobiles cost more) and are based on the new prices that apply after the 13th of July (it’s slightly cheaper for the next 8 days).
It seems really strange that calls to land-lines in Australia cost 15 cents per minute which is more than twice as much as calls to the US and Japan. In theory it would be possible to redirect calls to Australian land-lines via the US or Japan to save money. In practice it’s probably possible to do so by setting up a PBX in Thailand, Hong Kong, or Singapore.
But what I think is most noteworthy about Lebara is the fact that the call credit lasts for 90 days (this is in the FAQ). The cheapest top-up is $10 so therefore the minimum cost for mobile phone service is $40 per annum. Given the importance of owning a mobile phone to job seekers I think that with the current state of the economy there are a lot of people who could do with such a phone.
If anyone knows of Australian mobile phones that provide cheaper calls to other countries or a cheaper minimum annual fee then please let me know via the comments section.
For international readers, all prices are in Australian cents – which are worth about 85% as much as US cents.
Recently I have been doing a bit of work on libcsoap (the C library for making SOAP XML calls over http) and the libnanohttp library that it depends on. The most important part of my work on it was making it thread-safe with the technique I described in my post about finding thread unsafe code [1]. But I also did some work to make the code faster, reading data one byte at a time is very inefficient.
There has been no upstream release of this software for years, email to one of the maintainers bounced and the other one indicated that they are no longer involved in the project. So I’m thinking of taking over upstream development.
The previous Debian maintainer for the packages in question has recently resigned so I’ve taken over the packaging. But for this one I think I can do better work in an upstream capacity, so I’d like to get a co-maintainer for the Debian package and possibly someone who will help with upstream work. I would appreciate any offers of assistance with these things.
My SE Linux Play Machine [1] has been offline for almost a month (it went offline late May 30 and has just gone online again). It’s the sort of downtime that can happen when you use Debian/Unstable.
For a while I’ve been using a HP E-PC (a SFF desktop system with 256M of RAM and a P3-800 CPU) to run my SE Linux Play Machine. I run it under Xen to make it easier for me to watch what happens. I’ve had some problems with increased memory use in the Xen Dom0 in Squeeze [2]. The latest installment of the memory problems is when I discovered that I can’t run two copies of tcpdump (for tracing separate interfaces) at once on a Xen Dom0 that has ~110M of RAM – this seems unreasonable, I’m sure that back when a big server had 128M of RAM I could have done such things! So now I’m using a Thinkpad T20 with 512M of RAM for my new SE Linux Play Machine, it uses less power than most systems (probably even less than the HP E-PC) and is very quiet.
I was forced to install on a new system when I broke my GRUB configuration. GRUB-2 in Debian currently has no support for generating a configuration that will boot a Xen Dom0. You can manually edit the GRUB configuration to get this working, but if you get it wrong then you can make GRUB not even display a prompt and force a reinstall (as I did). As an aside it would be really handy if someone would create a CD or USB bootable image that does nothing but install GRUB. Such an image would ideally allow replacing the configuration of an existing GRUB, overwriting an existing GRUB installation (all files in /boot/grub get replaced), or formatting a spare partition (default swap space) and installing GRUB there.
My current solution to the GRUB problems is to use the old version of GRUB in the grub-legacy package. The old version of GRUB has always done everything I want so I don’t seem to be missing anything by not using the new version. I’m happy to refrain from using Ext4 for /boot and have no desire to have /boot on an LVM volume.
Most of the month of down-time for my Play Machine was caused by bugs in the SE Linux policy I’m developing for Squeeze, while they weren’t difficult bugs I haven’t had much time to work on them consistently. I’m still running the Play Machine on Lenny, but the Dom0 is running Unstable.
I have just uploaded refpolicy version 0.2.20100524-1 to Unstable. This policy is not well tested (a SE Linux policy package ending in “-1” is not something that tends to work well for all people) and in particular lacks testing for Desktop environments. But for servers it should work reasonably well.
I expect to have a better version uploaded before this one gets out of Unstable.
Note that the selinux-policy-default package in this release lacks support for roles, it’s a targeted policy only. I plan to fix this soon.
I was asked “Can you run SELinux on a XEN guest without any problem?”. In a generic sense the answer is of course YES, Xen allows you to run Linux kernels with all the usual range of features and SE Linux isn’t a particularly difficult feature to enable. I do most of my SE Linux development and testing on virtual machines and until recently I didn’t have any hardware suitable for running KVM, so in the last few years I’ve done more SE Linux testing on Xen than on non-virtual machines. My SE Linux Play Machine [1] (which will be online again tomorrow) is one SE Linux system running under Xen.
But the question was asked in the context of my blog post comparing the prices of virtual hosting providers [2], which changes things.
Both Linode and Slicehost (the two virtual hosting providers that my clients use) provide kernels without SE Linux support, the command “grep selinux /proc/filesystems” (which is the easiest way to test for SE Linux support) gives no output. I am not aware of any other virtual hosting company that provides SE Linux support.
If anyone knows of a virtual hosting company that runs Xen or KVM virtual machines with SE Linux support then please let me know, I’ll write a blog post comparing such companies if there are some.
For the people who work at ISPs: If your company supports SE Linux virtual machines then I would be happy to review your service, just give me a free DomU for a couple of weeks so I can test it out. If your company is considering offering such virtual machines then I would be happy to have a confidential discussion about the issues that you will face, while I am available for paid consulting work in this area I am more than happy to spend an hour or two helping a company that’s going to help support my favorite free software project without expecting to be paid. But I have to note that if a dozen hosting companies happen to want advice I won’t be able to provide two hours of free advice to each of them.
I think that there is an unsatisfied market demand for SE Linux virtual machines. I don’t expect all virtual hosting companies to support it in the near future, but this will make it more profitable for those that do. If for the sake of discussion we assume that 5% of sysadmins who are making purchasing decisions regarding virtual servers really want to have SE Linux support and if 5% of virtual hosting companies were to offer such support, then those hosting companies would almost double their market share as a result of supporting SE Linux. It’s the usual economic factors relating to small companies that profit from providing good support for the needs of a minority of customers.
Linode has just announced a significant increase in the amount of RAM in each of their plans [1].
The last time I compared virtual hosting prices in a serious manner was over two years ago [2], so it seems like a good time to compare the prices again.
Now there are some differences between these providers that make things difficult to compare. Gandi used to not include the OS in the disk allocation – presumably they did de-duplication, I’m not sure if they still do that. OpenVZ/Virtuozzo and Xen can’t be directly compared. OpenVZ is an Operating System Level Virtualisation that allows virtual machines to share resources to some extent which should allow better overall utilisation of the system but may allow someone to hog more resources than they deserve – I prefer virtual machines so tend to avoid that. Virtuozzo is a technology I’m not familiar with so with all things being equal I would choose Xen because I know it better.
Years ago Vpsland deleted one of my DomUs without good notification and without keeping a backup and I’m not about to forgive them. XenEurope and Gandi get good reviews, but I have no personal experience with them so in my personal ranking they are below Linode and Slicehost.
RapidXen offers native IPv6 – a very noteworthy feature. But they are quite expensive.
Note that I have only included providers that advertise in English. I could use Google translation to place an order on a non-English web site but I am not going to risk a situation where Google translation is needed for technical support.
In the price comparison tables I have used $US for price comparisons, where the price was advertised in another currency I put the $US price in brackets. For every provider that doesn’t advertise prices in $US I used XE.com to get a spot price. Note that if you convert between currencies you will not get that rate, I used the spot rate because most of my readers don’t use the $US as their native currency (either due to living in a country that uses it or having business interests based on the $US) – converting from $AU to $US has about the same overhead for me as converting to the Euro or pound.
The bandwidth is listed as either a number of Gigabytes per month that can be transferred or as a number of Megabits per second that the connection may use.
I have tried to roughly order the offerings based on how good they seem to be. But as there are so many factors to consider it’s quite obvious that no provider can be considered to be universally better than the others.
The biggest surprise for me was how well Xen Europe compares to the others. Last time I did the comparison they were not nearly as competitive.
Finally note that I am comparing the options for low-end servers. These are services that are useful for hobbyist use and low-end servers for commercial use. Some providers such as Xen Europe exclude themselves from consideration for serious commercial use by not offering big servers – Xen Europe only supports up to 1GB of RAM.
Prices of Xen virtual servers:
Prices of non-Xen virtualisation systems:
| ISP | Virtualisation | RAM | Disk | Bandwidth | Price |
| --- | --- | --- | --- | --- | --- |
| Quantact | OpenVZ | 256M | 15G | 300GB | $15 |
| Quantact | OpenVZ | 512M | 35G | 600GB | $35 |
| FreeVPS | VMWare | 256M | 10G | 100GB | £10 ($14.76) |
| FreeVPS | VMWare | 512M | 20G | 200GB | £15 ($22.14) |
| Vpsland | Virtuozzo | 512M | 10G | 250GB | $20 |
| Vpsland | Virtuozzo | 1024M | 20G | 500GB | $35 |
Update: Added RackVM to the listing, and removed the ambiguous part about Gandi disk allocation.
Three months ago I wrote about getting Carpal Tunnel Syndrome [1]. A few weeks after that I visited the specialist again and had my wrist brace adjusted to make it a little less uncomfortable. The specialist also gave me some quick ultra-sound treatment and then said that if it didn’t get better in a month or two then I should just get a referral to a surgeon!
I didn’t have a bad case, some people have their hand muscles atrophy. My hand strength was measured as 50Kg in my left hand (the one with CTS) and 52Kg in my right hand. The greater strength in my right hand is probably more due to the lack of left-handed tools and sporting equipment than any muscle atrophy. This is slightly better than the physical standards for the Victoria Police (just over 50Kg average for both hands) [2] and a lot better than the Australian Federal Police physical standards of 45Kg for the dominant hand and 40Kg for the non-dominant [3].
Really my hand strength should have been recorded as 490Newton and 510Newton respectively, medicine is the science of healing, in all aspects of science the Newton is the measure of force.
Over the past few months my hand seems to have recovered a lot while wearing the wrist-brace 24*7. I’ve just started going without the wrist-brace during the day and it seems to be OK. I’m currently planning to wear the wrist brace at night for a year or two as it’s the only way to ensure that my hand doesn’t end up on a bad angle when I’m asleep.
At this stage it seems that I’ve made as close to a full recovery from CTS as is possible!