
I wasn’t expecting to see IcedTea available so soon in Fedora but it looks like it’s going to be on Fedora 8 if everything goes well with the package review. Not sure how usable it is yet but I am building an rpm right now so I’ll find out soon I guess.

The fan at my shuttle at home died last week so the temperature inside the case reached around 65C and the disk drive couldn’t cope with it. So I moved the disk on my desktop and now the machine is running as a domU in xen. Surprisingly no problems so far beyond mplayer stuttering every time munin runs in domU (every five minutes). Time to play with xen scheduling I guess or upgrade my cpu to a dual core one. I don’t think I’ll bother replacing the fan in the shuttle box with only a socket 775 cpu there isn’t much use for it really.

I can not really believe that the LHC grid people want to use glexec in every batch system. The thought of thousands of machines running this really scares me.

The suexec sources+documentation say it clearly but I am going to repeat it one more time “Do not make any changes in the source code unless you really know what you are doing”. Just count the security holes introduced in glexec for an example on what not to do.

I was looking today at a puppet ticket and I found this little gem in ruby’s svn. No wonder poor puppet got upset. I guess I’ll have to build new ruby rpms with a fix for this for my fedora machines at home until there is a new fedora rpm :(

Here is how to compile and install an selinux module since I’ll forget if I don’t save it somewhere (based on audit2allow -M mysaslauthd -i /var/log/audit/audit.log output).

# cat mysaslauthd.te
module mysaslauthd 1.0.8;

require {
class dir { search write add_name remove_name };
class file { getattr lock read write create rename unlink };
type krb5_keytab_t;
type saslauthd_t;
type tmp_t;
role system_r;
};

allow saslauthd_t krb5_keytab_t:file read;
allow saslauthd_t krb5_keytab_t:file lock;
allow saslauthd_t tmp_t:dir search;
allow saslauthd_t tmp_t:file { getattr read write create rename unlink };
allow saslauthd_t tmp_t:dir { search write add_name remove_name };

# checkmodule -M -m -o mysaslauthd.mod mysaslauthd.te
# semodule_package -o mysaslauthd.pp -m mysaslauthd.mod
# semodule -i mysaslauthd.pp

Now Reading

I installed the Now Reading plugin to the blog tonight. Now I need to find the time to add all my books in the db.

SPF problems

The people managing the mail relays at work decided to start rejecting emails based on SPF records without any warnings. Unfortunately this caused problems with the CERN mailing lists and forwards from some other domains that don’t rewrite the envelope. Of course after a few rejected emails we found out and screamed a bit but their only solution -after three days- was to stop rejecting emails to our mail server which solves half the problem since some of our student mailboxes are in the exchange server.

At least the users seem to be taking it relatively well so far.
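
An added example, not part of the original post: a minimal SPF check (ip4/ip6 and all mechanisms only) showing why a forward that keeps the original envelope sender is rejected while a rewritten envelope passes. The domains, addresses and SPF records are constructed for illustration.

```python
import ipaddress

# Constructed sample records (documentation domains and address ranges).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "lists.example": "v=spf1 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Check the connecting IP against the SPF record of the envelope
    sender's domain. Only ip4, ip6 and all are handled (no DNS lookups)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism not handled in this example: " + name)
        network = ipaddress.ip_network(value, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def deliveries():
    """The same message as seen by the receiving relay on three paths."""
    return {
        # Sent straight from the sender's own outbound server.
        "direct": check_spf("192.0.2.10", "alice@sender.example"),
        # Relayed by a list server that leaves the envelope sender alone:
        # the list server's IP is not in sender.example's record.
        "forward_unrewritten": check_spf("198.51.100.25", "alice@sender.example"),
        # Same relay, envelope sender rewritten to the list's own domain.
        "forward_rewritten": check_spf("198.51.100.25", "bounces@lists.example"),
    }


if __name__ == "__main__":
    for path, result in deliveries().items():
        print(path, "->", result)
```

A relay that rejects on "fail" drops the second case even though the message is legitimate, which is the failure mode forwards and mailing lists run into.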

Upgraded to 2.1.2 today since 2.1.1 was tainted. There is nothing in the logs to suggest an exploit attempt and with SELinux in enforcing mode it is unlikely that an attempt would have been successful but I really need to audit the machine to make sure that everything is OK.

This is driving me crazy, I found out why it wasn’t working with sasl_keytab: … (#200892) and rebuilding the cyrus-sasl rpm with the patch fixed this problem. Now after a reboot it stopped working!! I suspect that SELinux is somehow affecting the kerberos server but I can’t see anything related in the audit logs. Really strange.

Java6 rpms

No srpm for sun’s java 6 on jpackage.org yet, I guess I would have to look at the available patches in the mailing list and test them. Probably a good opportunity to merge the plugin related changes from the ibm spec file. The existing setup fails once firefox/mozilla/seamonkey gets updated and the users start screaming. Since there is still no java plugin for x86_64 users will complain anyway I guess as we move more desktops to x86_64.
