Archive for the ‘Open Source’ Category

SELinux and ProLiant Support Pack (PSP) on RHEL or CentOS 5

Monday, January 4th, 2010

I’ve been getting these annoying messages in the audit log, /var/log/audit/audit.log, after installing the ProLiant Support Pack on RHEL5.

type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm="ethtool" path="/dev/hpilo/d0ccb5" dev=tmpfs ino=6784 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm="ethtool" path="socket:[22602]" dev=sockfs ino=22602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_route_socket

I don’t know what this is, but I DON’T want to allow it and I don’t want to see this in the audit log anymore.

First off 3 terms:

So basically, what I did to get rid of these messages was to write a new module called pspignore to ignore them, without allowing them. Here’s what I did:

Make a local directory for my modules

mkdir -p /etc/selinux/local

cd /etc/selinux/local

Download my custom module, which includes “dontaudit” rules for these conditions.

wget http://tommi.org/static/ignorepsp.te

Build the module and install it

checkmodule -M -m -o ignorepsp.mod ignorepsp.te

semodule_package -o ignorepsp.pp -m ignorepsp.mod

semodule -i ignorepsp.pp

That should be it. The main thing can be found at the bottom of ignorepsp.te:

dontaudit ifconfig_t device_t:chr_file { read write };
dontaudit ifconfig_t initrc_t:netlink_route_socket { read write };

Hope this is helpful.
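The two dontaudit rules follow directly from the scontext, tcontext and tclass fields of the denials quoted at the top of the post. The Python below is an added example, not the author's ignorepsp.te: it derives the rules from those log lines and wraps them in a module source that checkmodule can compile. The module version 1.0 and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in the post, with plain quotes.
SAMPLE_LOG = '''\
type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm="ethtool" path="/dev/hpilo/d0ccb5" dev=tmpfs ino=6784 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm="ethtool" path="socket:[22602]" dev=sockfs ino=22602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_route_socket
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)  # lines that are not AVC denials do not match
        if m:
            key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
            denials[key].update(m['perms'].split())
    return dict(denials)

def dontaudit_rules(denials):
    """One dontaudit rule per (source, target, class), permissions merged."""
    return ['dontaudit %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(denials.items())]

def build_module(name, version, denials):
    """Module source: header, require block for every type/class used, rules."""
    types = sorted({x for s, t, _ in denials for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, c), perms in denials.items():
        classes[c] |= perms
    lines = ['module %s %s;' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ['}', ''] + dontaudit_rules(denials)
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(build_module('ignorepsp', '1.0', parse_denials(SAMPLE_LOG)))
```

These rules are keyed on types, not paths, so the first one silences read/write denials for ifconfig_t on any character device labeled device_t, not only the one under /dev/hpilo.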


RocketRaid on Red Hat / CentOS 5

Monday, November 23rd, 2009

Been dabbling with getting RocketRaid 1740 to work on CentOS 5. It was not as easy as I had hoped but below you can view the steps needed for the implementation.

HighPoint RocketRaid 1740 is only supported on Red Hat / CentOS 5.2 so you have to install it first.

Download the driver from http://highpoint-tech.com/USA/bios_rr1740.htm

You can download the media for CentOS 5.2 at http://vault.centos.org/5.2/isos/

Now you need to go through the Install guide http://highpoint-tech.com/BIOS_Driver/rr1740/Linux/newformat/Install_RHEL_CentOS_RR174x.pdf

To go over briefly what you need to do:

  • Untar the contents of the driver onto a USB flash drive
  • Boot 5.2 with the boot params “linux nostorage”
  • When the graphical X look is up and running, hit CTRL-ALT-F2
  • Mount the USB flash drive
  • Copy the contents of the driver to /tmp/hptdd
  • Unmount the flash drive
  • Run sh /tmp/hptdd/rhel-install-step1.sh
  • Go back to the install, CTRL-ALT-F6
  • Set up the OS as usual, all the way until all packages are installed and it says “Congratulations, the installation is complete.”
  • Hit CTRL-ALT-F2 again
  • cp -r /tmp/hptdd /mnt/sysimage/tmp/hptdd
  • chroot /mnt/sysimage
  • sh /tmp/hptdd/rhel-install-step2.sh
  • exit
  • Hit CTRL-ALT-F6 and hit Reboot
  • Voila, the machine should boot normally

Kernel updates can also be problematic, so here’s how I do it:

Download the latest Open Source driver version from http://highpoint-tech.com/USA/bios_rr1740.htm

I untar it into /usr/src and you need to modify the script below if you change the path

cd /usr/src
tar zxvf rr174x-linux-src-v2.4-091009-1434.tar.gz

Now, I have a special script to build for the latest kernel

So, if you haven’t already, do yum -y update

Download my build script from http://tommi.org/static/update-rr17xx.sh

cd /usr/local/bin
wget http://tommi.org/static/update-rr17xx.sh
chmod 750 /usr/local/bin/update-rr17xx.sh
/usr/local/bin/update-rr17xx.sh

If everything looked alright, you should be ready to boot into your new kernel

Nagios plugin as an added bonus

I decided to write up a Nagios plugin as an added bonus and you can get it at http://tommi.org/static/rr-state.pl

It should catch broken RAID arrays and whether the machine is rebuilding:

OK, everything is great

Warning, Logical disk is rebuilding

Critical, Failed drive
