type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm=”ethtool” path=”/dev/hpilo/d0ccb5″ dev=tmpfs ino=6784 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm=”ethtool” path=”socket:[22602]” dev=sockfs ino=22602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_route_socket

I don’t know what this is but I DON’T want to allow it and I don’t want to see this in the audit log anymore

First off 3 terms:

• SElinux – Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. (wikipedia)
• ProLiant Support Packs (PSP) represent operating system (OS) specific bundles of ProLiant optimized drivers, utilities, and management agents.
• RHEL (Red Hat Enterprise Linux) – CentOS (Community ENTerprise Operating System, RHEL Clone)

So basicly what I did to get rid of these messages is that I wrote a new module called pspignore to ignore, without allowing them. Here’s what I did:

Make a local directory for my modules

mkdir -p /etc/selinux/local

cd /etc/selinux/local

Download my custom module which include “dontaudit” for these conditions.

wget http://tommi.org/static/ignorepsp.te

Build the module and install it

checkmodule -M -m -o ignorepsp.mod ignorepsp.te

semodule_package -o ignorepsp.pp -m ignorepsp.mod

semodule -i ignorepsp.pp

That should be it. The main thing can be found at the bottom of ignorepsp.te:

dontaudit ifconfig_t device_t:chr_file { read write };
dontaudit ifconfig_t initrc_t:netlink_route_socket { read write };

Hope this is helpfull.

HighPoint RocketRaid 1740 is only supported on Red Hat / CentOS 5.2 so you have to install it first.

Download the driver from http://highpoint-tech.com/USA/bios_rr1740.htm

You can download the media for CentOS 5.2 at http://vault.centos.org/5.2/isos/

Now you need to go through the Install guide http://highpoint-tech.com/BIOS_Driver/rr1740/Linux/newformat/Install_RHEL_CentOS_RR174x.pdf

To shortly go over what you need to do:

• Untar the contents of the driver onto a USB flash drive
• Boot 5.2 with the boot params “linux nostorage”
• When the graphical X look is up and running, hit CTRL-ALT-F2
• Mount the USB flash drive
• copy the contents of the driver to /tmp/hptdd
• unmount the flash drive
• run sh /tmp/hptdd/rhel-install-step1.sh
• Go back to the install, CTRL-ALT-F6
• Setup the OS as usual all the way till all packages are installed, it says “Congratulations, the installation is complete.”
• Hit CTRL-ALT-F2 again
• cp -r /tmp/hptdd /mnt/sysimage/tmp/hptdd
• chroot /mnt/sysimage
• sh /tmp/hptdd/rhel-install-step2.sh
• exit
• Hit CTRL-ALT-F6 and hit Reboot
• Voila, the machine should boot normally

Kernel updates can also be problematic, so here’s how I do it

Download the latest Open Source driver version from http://highpoint-tech.com/USA/bios_rr1740.htm

I untar it into /usr/src and you need to modify the script below if you change the path

cd /usr/src

tar zxvf rr174x-linux-src-v2.4-091009-1434.tar.gz

Now, I have a special script to build for the latest kernel

So, if you haven’t already, do yum -y update

Download my build script from http://tommi.org/static/update-rr17xx.sh

cd /usr/local/bin

wget http://tommi.org/static/update-rr17xx.sh

chmod 750 /usr/local/bin/update-rr17xx.sh

/usr/local/bin/update-rr17xx.sh

If everything looked alright, you should be ready to boot into your new kernel

Nagios plugin as an added bonus

I decided to write up a Nagios plugin as an added bonus and you can get it at http://tommi.org/static/rr-state.pl

It should grab broken raid arrays and if the machine is rebuilding

OK, everything is great

Warning, Logical disk is rebuilding

Critical, Failed drive

Install packages:

oracle-instantclient11.1-basic-11.1.0.7.0-1.x86_64.rpm
oracle-instantclient11.1-devel-11.1.0.7.0-1.x86_64.rpm
oracle-instantclient11.1-sqlplus-11.1.0.7.0-1.x86_64.rpm

Put the relevant libraries into the textrel_shlib_t context:

semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64 /lib/libnnz11.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libsqlplus.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libociei.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libsqlplusic.so
restorecon -R -v /usr/lib/oracle/11.1/client64/lib/

Put the libraries into the path of the dynamic library loader

echo "export ORACLE_HOME=/usr/lib/oracle/11.1/client64" > /etc/profile.d/oracle.sh

Set the path to the tnsnames.ora, I like /etc/tnsnames.ora

echo “export TNS_ADMIN=/etc/tnsnames.ora” >> /etc/profile.d/oracle.sh

Of course you have to have a valid tnsnames.ora file available.

Logout and login to update your environment and voila, you should be able to run sqlplus, install perl-DBD-Oracle or php-oci8, python, whatever your flavor is..

Ohh, and merry christmas!

• Installed from the DVD install media
• Setup RPMFusion – rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
• Installed nvidia drivers,yum install xorg-x11-drv-nvidia
• Installed a few of my favorites, gnome-do, mplayer, networkmanager-vpnc, rdesktop, gnucash

A nice surprise was that rhythmbox now automaticly invites me to download and install the needed rpms for mp3 playback and others, finally!

Also, suspend and hibernate now works perfectly.

NetworkManager now works out of the box with my iwl3945 wifi card.

OpenOffice.org 3.0, now opens evil Microsoft Office 2007 files.

Conclusion, haven’t stumbled across a single annoying thing so I’m extremely happy with the quality of this release!

Just ran into quite a bit of trouble trying to get VMware Server 2.0 to run on Fedora 9. After quite a bit of digging I found that vmware-hostd calls PAM and unix_chkpwd seems to cause a problem in hostd. The error message from the VMware Management Web:

The server is not responding. Please check that the server is running and accepting connections.

And after looking through the proccess list I found the following:

root      9817  9741  0 17:26 ?        00:00:00 [unix_chkpwd] <defunct>

My fix was to turn off password authentication in PAM for VMware and hope for a fix from VMware soon. This fix was suggested in this post.

Turning off authentication:

# cat /etc/pam.d/vmware-authd

#%PAM-1.0

auth       required    pam_permit.so

account    required    pam_permit.so

After that I suggest closing out connections to the vmware ports using iptables if you have disabled the default firewall which should keep you safe. Addition to /etc/sysconfig/iptables follows:

-A INPUT -i ! lo -m tcp -p tcp -m multiport --dports 8009,8222,8308,8333 -j REJECT

Hope this helps..

See the AsteriskJA page.

In comes pam_abl which enables blacklisting on unsuccesfull password attempts. I’ve installed this on a few Red Hat Enterprise Linux machines, you can download rpm’s for RHEL at Dag Wieers site.

Download pam_abl

# wget http://dag.wieers.com/rpm/packages/pam_abl/pam_abl-0.2.3-1.el5.rf.x86_64.rpm

Install

# rpm -Uvh pam_abl-0.2.3-1.el5.rf.x86_64.rpm

Configure pam_abl in /etc/pam.d/system-auth

auth        required      pam_env.so
auth        required      pam_abl.so config=/etc/security/pam_abl.conf
auth        sufficient    pam_unix.so nullok try_first_pass

Configure /etc/security/pam_abl.conf according to your own paranoia.. Here’s mine:

# /etc/security/pam_abl.conf
# debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:4/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:4/1h,30/1d

You can check the state of pam_abl and manipulate it with the command pam_abl

# pam_abl
Failed users:
tommi (5)
Blocking users [!root]
Failed hosts:
evil.tommi.org (5)
Blocking users [*]

Now you have Auto Blacklisting for ftp, ssh, imap, pop, basicly anything that uses PAM for authentication. You can also just use it for one and one service for instance putting the pam line in /etc/pam.d/sshd instead of /etc/pam.d/system-auth.

I changed the xmltv id’s to reflect changes of names at 365. Sýn became Stöð 2 Sport, Sýn2 became Stöð 2 Sport 2, etc…

If you are using mythtv you need to update your xmltvid’s for channels and also the ~/.mythtv/FILENAME.xmltv. Run

tv_grab_is –list-channels

You can always get my newest version from my trac.

You will need to install the perl module XML::Simple until I rewrite the xml handling code but I’m too lazy right now, install methods:

yum install perl-XML-Simple

apt-get perl-XML-Simple

cpan perl-XML-SImple

This program makes programs and actions in them really easy. I have for instance installed the pidgin plugin for it, I hit “Windows button (super) – Space”, type the first few letters in a contacts email and voila, you have a open chat window with your friend.

I have a few icons to connect to various Windows terminal servers. I can hit Super-Space and then the first few letters of the hostname and whamm, I’m in. Same goes for ssh sessions, type for instance “root@mach”->Enter and I’m in.

This program is very similar to Quicksilver for MacOS X.

Here you can find some Gnome DO videos.

The Gnome DO webpage