Kostas' random thoughts

IcedTea on it’s way to Fedora 8

Kostas Georgiou — Sat, 25 Aug 2007 16:29:12 +0000

I wasn’t expecting to see IcedTea available so soon in Fedora but it looks like it’s going to be on Fedora 8 if everything goes well with the package review. Not sure how usable it is yet but I am building an rpm right now so I’ll find out soon I guess.

Xen to the rescue

Kostas Georgiou — Sat, 21 Jul 2007 11:33:17 +0000

The fan at my shuttle at home died last week so the temperature inside the case reached around 65C and the disk drive couldn’t cope with it. So I moved the disk on my desktop and now the machine is running as a domU in xen. Surprisingly no problems so far beyond mplayer stuttering every time munin runs in domU (every five minutes). Time to play with xen scheduling I guess or upgrade my cpu to a dual core one. I don’t think I’ll bother replacing the fan in the shuttle box with only a socket 775 cpu there isn’t much use for it really.

glexec or why changing suexec is a bad idea

Kostas Georgiou — Tue, 05 Jun 2007 10:23:07 +0000

I can not really believe that the LHC grid people want to use glexec in every batch system. The thought of thousands of machines running this really scares me.

The suexec sources+documentation say it clearly but I am going to repeat it one more time “Do not make any changes in the source code unless you really know what you are doing”. Just count the security holes introduced in glexec for an example on what not to do.

Ruby 1.8.5-p35 and puppet in FC6

Kostas Georgiou — Tue, 17 Apr 2007 01:01:45 +0000

I was looking todat at a puppet ticket and I found this little gem in ruby’s svn. No wonder poor puppet got upset. I guess I’ll have to build new ruby rpms with a fix for this for my fedora machines at home until there is a new fedora rpm :(

Creating selinux modules

Kostas Georgiou — Thu, 15 Mar 2007 00:37:28 +0000

Here is how to compile and install an selinux module since I’ll forget if I don’t save it somwehere (based on audit2allow -M mysaslauthd -i /var/log/audit/audit.log output).

# cat mysaslauthd.te
module mysaslauthd 1.0.8;

require {
class dir { search write add_name remove_name };
class file { getattr lock read write create rename unlink };
type krb5_keytab_t;
type saslauthd_t;
type tmp_t;
role system_r;
};

allow saslauthd_t krb5_keytab_t:file read;
allow saslauthd_t krb5_keytab_t:file lock;
allow saslauthd_t tmp_t:dir search;
allow saslauthd_t tmp_t:file { getattr read write create rename unlink };
allow saslauthd_t tmp_t:dir { search write add_name remove_name };

# checkmodule -M -m -o mysaslauthd.mod mysaslauthd.te
# semodule_package -o mysaslauthd.pp -m mysaslauthd.mod
# semodule -i mysaslauthd.pp

Now Reading

Kostas Georgiou — Sun, 04 Mar 2007 03:23:01 +0000

I installed the Now Reading plugin to the blog tonight. Now I need to find the time to add all my books in the db.

SPF problems

Kostas Georgiou — Sun, 04 Mar 2007 01:34:14 +0000

The people managing the mail relays at work decided to start rejecting emails based on SPF records without any warnings. Unfortunately this caused problems with the CERN mailing lists and forwards from some other domains that don’t rewrite the envelope. Of course after a few rejected emails we found out and screamed a bit but their only solution -after three days- was to stop rejecting emails to our mail server which solves half the problem since some of our student mailboxes are in the exchange server.

At least the users seem to be taking it relatively well so far.

WordPress upgrade

Kostas Georgiou — Sun, 04 Mar 2007 01:01:58 +0000

Upgraded to 2.1.2 today since 2.1.1 was tainted. There is nothing in the logs to suggest an exploit attempt and with SELinux in enforcing mode it is unlikely that it an attempt would have been succesful but I really need to audit the machine to make sure that everything is OK.

cyrus-imapd and GSSAPI authentication

Kostas Georgiou — Sat, 03 Mar 2007 21:36:12 +0000

This is driving me crazy, I found out why it wasn’t working with sasl_keytab: … (#200892) and rebuilding the cyrus-sasl rpm with the patch fixed this problem. Now after a reboot it stopped working!! I suspect that SELinux is somehow affecting the kerberos server but I can’t see anything related in the audit logs. Really strange.

Java6 rpms

Kostas Georgiou — Wed, 07 Feb 2007 13:16:35 +0000

No srpm for sun’s java 6 on jpackage.org yet, I guess I would have to look at the available patches in the maling list and and test them. Probably a good opportunity to merge the plugin related changes from the ibm spec file. The existing setup fails once firefox/mozilla/seamonkey gets updated and the users start screaming. Since there is still no java plugin for x86_64 users will complain anyway I guess as we move more desktops to x86_64.