options snd-hda-intel index=1,0


Enable dmix with surround 5.1 support (no upmixing):


pcm.dmixer {
type dmix
ipc_key 1024
ipc_key_add_uid false # let multiple users share
ipc_perm 0666 # IPC permissions (octal, default 0600)
slave {
pcm "hw:0,0"
channels 6
# buffer_size 16384
}
}

pcm.!default {
type plug
slave.pcm dmixer
slave.channels 6
}


to /etc/asound.conf. Enable 6 channels in alsamixer, too.

Which means that radeon itself eats more than 16W of power (meausred with powertop). That’s more than whole notebook in integrated gpu mode. Nightmare!

Note that HD 3400 was driven by open source radeon driver which doesn’t have any power management support at this moment.

200904 update: ati driver in git contains updated power management and it’s eating ~16W here instead of ~28W now with DynamicPM turned on.

and verify that IPv6 works by doing for example:

mtr -6 www.pld-linux.org


This solution doesn’t require any configuration (well, there are some options that can be altered). It should work even if you are behind some NATs and other weird gateways thanks to Teredo.

Working setup causes new interface to appear, for example:

Of course there are other solutions for non-native IPv6 like 6to4 (pure rc-scripts are enough), ISATAP (see miredo-client-isatap package) or just typical SIT tunnel.

Mount it and copy contents of PLD RescueCD like x86 and x86_64 ISO image to that partition, to /rcd subdirectory.

Make MBR record:

ms-sys -s /dev/sdX

(where sdX is entire flash disk; ms-sys comes from ms-sys package)

Copy syslinux configuration for USB to root directory of your flash drive as syslinux.cfg. DOS/Windows image should be placed in /rcd/boot/dos.gz (compress it with gzip first).

Run:

syslinux -s /dev/sdXY

to load syslinux onto your flash drive.

Reboot your system and check if it boots correctly

Note that some systems have problems with booting from flash driver (especially big like 1G or 2G flash drives).

See screenshot:

What you need is a dhcp server, tftp server and PXE ready client machines (most of newer hardware has ability to boot from network over PXE).

Setting dhcp server.

Beside standard network settings in dhcpd.conf you will need:

allow booting ;
allow bootp ;
next-server 192.168.0.250 ;
filename “/pxelinux.0″ ;

Setting tftp server

Under PLD that means just installing atftpd package. If you built from sources then run something like:

atftpd -v5 –daemon /var/lib/tftp

pxelinux

You will also need syslinux package that comes with pxelinux. pxelinux will load multiple images for us depending on user choice. Use latest available version (3.31 at this moment) because older version miss important piece of functionality (menus).

/var/lib/tftp preparation

Structure I use is shown below. The most important thing is a pxelinux.0 file (symlink to real file in my case) that is whole pxelinux loader that comes with syslinux package. pxelinux uses configuration file from pxelinux.cfg directory. pxelinux tries to load various configuration files and stops at first found:

Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/01-00-a0-cc-da-d9-3c to 192.168.0.113:57089
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A80071 to 192.168.0.113:57090
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A8007 to 192.168.0.113:57091
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A800 to 192.168.0.113:57092
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A80 to 192.168.0.113:57093
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A8 to 192.168.0.113:57094
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A to 192.168.0.113:57095
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0 to 192.168.0.113:57096
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C to 192.168.0.113:57097
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/default to 192.168.0.113:57098

This means that we can have different configurations for different machines (based on MAC address of machine ehternet card). I’m using default configuration file which is always tried.

My entire /var/lib/tftp structure:

[root@arm /var/lib/tftp]# ls -alR
.:
total 1456
drwxr-xr-x 9 root root 4096 Jan 13 15:26 .
drwxr-xr-x 35 root root 4096 Jan 12 17:35 ..
-rw-r–r– 1 root root 5237 Jan 13 15:25 pxe-background.png
lrwxrwxrwx 1 root root 30 Jan 12 17:41 pxelinux.0 -> /usr/lib64/syslinux/pxelinux.0
drwxr-xr-x 2 root root 20 Jan 13 16:51 pxelinux.cfg
drwxr-xr-x 4 root root 47 Jan 12 09:47 rescue-x86-20060625
drwxr-xr-x 4 root root 47 Jan 12 11:39 rescue-x86-20070109
drwxr-xr-x 4 root root 47 Jan 12 09:47 rescue-x86_64-20060625
drwxr-xr-x 2 root root 31 Jan 12 10:37 suse-10.1
drwxr-xr-x 2 root root 60 Jan 12 10:06 suse-9.2
drwxr-xr-x 2 root root 60 Jan 12 10:05 suse-9.3
lrwxrwxrwx 1 root root 19 Jan 12 17:41 syslinux -> /usr/lib64/syslinux
-rw-r–r– 1 root root 1474560 Nov 18 1999 winb98se.img

./pxelinux.cfg:
total 8
drwxr-xr-x 2 root root 20 Jan 13 16:51 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r–r– 1 root root 2152 Jan 13 15:24 default

./rescue-x86-20060625:
total 54340
drwxr-xr-x 4 root root 47 Jan 12 09:47 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
drwxr-xr-x 3 root root 104 Jun 25 2006 boot
drwxr-xr-x 2 root root 24 Jan 12 09:53 custom
-rw-r–r– 1 root root 55638528 Jun 25 2006 rescue.cpi

./rescue-x86-20060625/boot:
total 36
drwxr-xr-x 3 root root 104 Jun 25 2006 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r–r– 1 root root 17131 Jun 15 2006 ElTorito.img.gz
-rw-r–r– 1 root root 744 Jun 15 2006 README
-rw-r–r– 1 root root 83 Jun 15 2006 boot.bat
-rw-r–r– 1 root root 1475 Jun 15 2006 floppy.img.gz
drwxr-xr-x 2 root root 138 Jun 25 2006 isolinux
-rwxr-xr-x 1 root root 3695 Jun 25 2006 isomod

./rescue-x86-20060625/boot/isolinux:
total 1508
drwxr-xr-x 2 root root 138 Jun 25 2006 .
drwxr-xr-x 3 root root 104 Jun 25 2006 ..
-r–r–r– 1 root root 2048 Jun 25 2006 boot.catalog
-rw-r–r– 1 root root 1594 Jun 25 2006 boot.msg
-rw-r–r– 1 root root 1443 Jun 15 2006 help.msg
-rw-r–r– 1 root root 357528 Jun 25 2006 initrd.ide
-rw-r–r– 1 root root 10440 Jun 25 2006 isolinux.bin
-rw-r–r– 1 root root 1156 Jun 15 2006 isolinux.cfg
-rw-r–r– 1 root root 94760 Jun 15 2006 memtest
-rw-r–r– 1 root root 1056768 Jun 25 2006 vmlinuz

./rescue-x86-20060625/custom:
total 4
drwxr-xr-x 2 root root 24 Jan 12 09:53 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r–r– 1 root root 1024 Jun 25 2006 custom.cpio

./rescue-x86-20070109:
total 52768
drwxr-xr-x 4 root root 47 Jan 12 11:39 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
drwxr-xr-x 3 root root 104 Jan 9 01:10 boot
drwxr-xr-x 2 root root 24 Jan 9 01:10 custom
-rw-r–r– 1 root root 54028800 Jan 9 01:10 rescue.cpi

./rescue-x86-20070109/boot:
total 36
drwxr-xr-x 3 root root 104 Jan 9 01:10 .
drwxr-xr-x 4 root root 47 Jan 12 11:39 ..
-rw-r–r– 1 root root 17131 Jun 15 2006 ElTorito.img.gz
-rw-r–r– 1 root root 744 Jun 15 2006 README
-rw-r–r– 1 root root 83 Jun 15 2006 boot.bat
-rw-r–r– 1 root root 1475 Jun 15 2006 floppy.img.gz
drwxr-xr-x 2 root root 138 Jan 9 01:10 isolinux
-rwxr-xr-x 1 root root 3695 Jan 9 01:10 isomod

./rescue-x86-20070109/boot/isolinux:
total 1708
drwxr-xr-x 2 root root 138 Jan 9 01:10 .
drwxr-xr-x 3 root root 104 Jan 9 01:10 ..
-r–r–r– 1 root root 2048 Jan 9 01:10 boot.catalog
-rw-r–r– 1 root root 1594 Jan 8 21:33 boot.msg
-rw-r–r– 1 root root 1443 Jun 15 2006 help.msg
-rw-r–r– 1 root root 381123 Jan 9 01:10 initrd.ide
-rw-r–r– 1 root root 10440 Jan 9 01:10 isolinux.bin
-rw-r–r– 1 root root 1156 Jun 15 2006 isolinux.cfg
-rw-r–r– 1 root root 94760 Jun 15 2006 memtest
-rw-r–r– 1 root root 1234944 Jan 9 01:05 vmlinuz

./rescue-x86-20070109/custom:
total 4
drwxr-xr-x 2 root root 24 Jan 9 01:10 .
drwxr-xr-x 4 root root 47 Jan 12 11:39 ..
-rw-r–r– 1 root root 1024 Jan 9 01:10 custom.cpio

./rescue-x86_64-20060625:
total 44900
drwxr-xr-x 4 root root 47 Jan 12 09:47 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
drwxr-xr-x 3 root root 104 Jun 25 2006 boot
drwxr-xr-x 2 root root 24 Jun 25 2006 custom
-rw-r–r– 1 root root 45970224 Jun 25 2006 rescue.cpi

./rescue-x86_64-20060625/boot:
total 36
drwxr-xr-x 3 root root 104 Jun 25 2006 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r–r– 1 root root 17131 Jun 15 2006 ElTorito.img.gz
-rw-r–r– 1 root root 744 Jun 15 2006 README
-rw-r–r– 1 root root 83 Jun 15 2006 boot.bat
-rw-r–r– 1 root root 1475 Jun 15 2006 floppy.img.gz
drwxr-xr-x 2 root root 138 Jun 25 2006 isolinux
-rwxr-xr-x 1 root root 3695 Jun 25 2006 isomod

./rescue-x86_64-20060625/boot/isolinux:
total 1776
drwxr-xr-x 2 root root 138 Jun 25 2006 .
drwxr-xr-x 3 root root 104 Jun 25 2006 ..
-r–r–r– 1 root root 2048 Jun 25 2006 boot.catalog
-rw-r–r– 1 root root 1530 Jun 25 2006 boot.msg
-rw-r–r– 1 root root 1197 Jun 18 2006 help.msg
-rw-r–r– 1 root root 364891 Jun 25 2006 initrd.ide
-rw-r–r– 1 root root 10440 Jun 25 2006 isolinux.bin
-rw-r–r– 1 root root 701 Jun 15 2006 isolinux.cfg
-rw-r–r– 1 root root 94760 Jun 15 2006 memtest
-rw-r–r– 1 root root 1321472 Jun 25 2006 vmlinuz

./rescue-x86_64-20060625/custom:
total 4
drwxr-xr-x 2 root root 24 Jun 25 2006 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r–r– 1 root root 1024 Jun 25 2006 custom.cpio

./suse-10.1:
total 9164
drwxr-xr-x 2 root root 31 Jan 12 10:37 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r–r– 1 root root 8137429 May 3 2006 initrd
-rw-r–r– 1 root root 1237785 May 3 2006 linux

./suse-9.2:
total 12972
drwxr-xr-x 2 root root 60 Jan 12 10:06 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r–r– 1 root root 5379369 Oct 21 2004 initrd
-rw-r–r– 1 root root 4730075 Oct 20 2004 initrd64
-rw-r–r– 1 root root 1555945 Oct 21 2004 linux
-rw-r–r– 1 root root 1608082 Oct 20 2004 linux64

./suse-9.3:
total 14932
drwxr-xr-x 2 root root 60 Jan 12 10:05 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r–r– 1 root root 6183757 Mar 24 2005 initrd
-rw-r–r– 1 root root 6048487 Mar 24 2005 initrd64
-rw-r–r– 1 root root 1424645 Mar 24 2005 linux
-rw-r–r– 1 root root 1625590 Mar 24 2005 linux64

rescue-* directories contain unmodified copy of PLD RescueCD ISO images content. suse-* contain kernel images and initrd file copied from SuSE installation cdrom/dvd. winb98se.img is a image of Windows 98 SE boot floppy disk.

pxelinux “default” configuration file

The configuration file is shown below. vesamenu.c32 allows do display menus in graphical mode with background jpg/png images. For pure text mode there is menu.c32. MENU LABEL allows to add text message shown in menu for single label part of configuration.

“^” is used to mark keyboard shortcut letter.

Windows floppy image uses special loader called memdisk which allows to boot legacy operating systems.

CPU identification case is interesting because it starts entire new “program” named cpuidtest.c32 which is the same kind of “program” as vesamenu.c32. That’s way of handling allows us to create multiple submenus which will read different configuration files specified in APPEND directive – example:

LABEL newmenu
MENU LABEL New Menu
KERNEL vesamenu.c32
APPEND something.conf newmenu.conf

I don’t use submenus in my setup though.

[root@arm /var/lib/tftp]# cat pxelinux.cfg/default
DEFAULT syslinux/vesamenu.c32
MENU BACKGROUND pxe-background.png
PROMPT 0

MENU TITLE Remote Boot Services

label rescue-x86
MENU LABEL ^1. PLD Rescue 20060625 x86
kernel rescue-x86-20060625/boot/isolinux/vmlinuz
append initrd=rescue-x86-20060625/rescue.cpi,rescue-x86-20060625/custom/custom.cpio root=/dev/ram0 CONF=”`/dev/fd0:/rescue`;;;;;;;;;;;”
ipappend 1

label rescue-x86
MENU LABEL ^2. PLD Rescue 20070109 x86
kernel rescue-x86-20070109/boot/isolinux/vmlinuz
append initrd=rescue-x86-20070109/rescue.cpi,rescue-x86-20070109/custom/custom.cpio root=/dev/ram0 CONF=”`/dev/fd0:/rescue`;;;;;;;;;;;”
ipappend 1

label rescue-x86_64
MENU LABEL ^3. PLD Rescue 20060625 x86_64
kernel rescue-x86_64-20060625/boot/isolinux/vmlinuz
append initrd=rescue-x86_64-20060625/rescue.cpi,rescue-x86_64-20060625/custom/custom.cpio root=/dev/ram0 CONF=”`/dev/fd0:/rescue`;;;;;;;;;;;”

label suse-install-9.2-x86
MENU LABEL ^4. SuSE Linux Install 9.2 x86
kernel suse-9.2/linux
append initrd=suse-9.2/initrd splash=silent showopts install=ftp://192.168.1.250/SUSE/9.2

label suse-install-9.2-x86_64
MENU LABEL ^5. SuSE Linux Install 9.2 x86_64
kernel suse-9.2/linux64
append initrd=suse-9.2/initrd64 splash=silent showopts install=ftp://192.168.1.250/SUSE/9.2

label suse-install-9.3-x86
MENU LABEL ^6. SuSE Linux Install 9.3 x86
kernel suse-9.3/linux
append initrd=suse-9.3/initrd splash=silent showopts install=ftp://192.168.1.250/SUSE/9.3

label suse-install-9.3-x86_64
MENU LABEL ^7. SuSE Linux Install 9.3 x86_64
kernel suse-9.3/linux64
append initrd=suse-9.3/initrd64 splash=silent showopts install=ftp://192.168.1.250/SUSE/9.3

label suse-install-10.1-x86
MENU LABEL ^8. SuSE Linux Install 10.1 x86
kernel suse-10.1/linux
append initrd=suse-10.1/initrd splash=silent showopts install=ftp://192.168.1.250/SUSE/10.1

label win98se
MENU LABEL ^9. Windows 98 SE Boot Disk
kernel syslinux/memdisk
append initrd=winb98se.img

LABEL cpuid
MENU LABEL ^A. Identify Processor
KERNEL syslinux/cpuidtest.c32

Screenphotos

(click images to see in full size))

Text boot using menu.c32 (or when vesamenu.c32 gets wrong options, files like background image in wrong size (needs to be 640×480)).

Graphical boot with PLD-style background image.

You can change boot options just like in grub.

PLD RescueCD boots…

Windows 98 SE image already started.

Example of CPU Identification that comes with syslinux package.

Background image used in screenshots

There are some ways to protect your files:

• FastCGI (mainly for PHP; allows to run php scripts under different privileges)
• CGI (running PHP and other scripts through suexec)
• nonstandard apache MPMs like peruser, metuxmpm (allow to run parts of httpd with different UID/GID; unfortunately very alpha quality)

The primary problem with all above is that performance drops dramaticly.

That’s where AppArmor comes to a rescue.
AppArmor is kind of SuSE response to SELinux. SELinux is preety good
when it comes to creating fine grained policy rules but tends to be quite complicated when it comes to writting policies for programs.
The AppArmor on the other hand is much simpler but also quite limited. AppArmor can be used to restrict file and capabilities(7)
access only. That’s enough for us - we want exactly that - limit access to parts of filesystem. 
The primary reason why we choose AppArmor over SELinux here is the ,,change hat” functionality.
It allows to define subpolicies for a program and the program is able to switch between subpolicies.
apache-mod_apparmor allows to switch subpolicy on per virtual host, directory and location basis!

How to do that?

First you need to patch you kernel with apparmor patches (these are very small and non-intrusive);
most of AppArmor lives in separate directory in kernel tree: security/apparmor so it’s not conflicting
even with grsecurity patches. You will also need to download and build apparmor-parser, apparmor-profiles
and apparmor-utils packages. All these available on AppArmor Home Page.

AppArmor keeps policy files in /etc/apparmor.d/. These are simple text files, for example /etc/apparmor.d/usr.sbin.httpd.prefork policy:

# vim:syntax=apparmor
# Last Modified: Tue Dec 12 02:37:27 2006
#include <tunables/global>
/usr/sbin/httpd.prefork flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
/usr/sbin/httpd.prefork mr,
capability setuid,
capability setgid,
capability kill,
capability dac_override,
capability dac_read_search,

/etc/httpd/apache.conf r,
/etc/httpd/conf.d r,
/etc/httpd/conf.d/* r,
/etc/httpd/ssl/* r,
/usr/lib{,64}/apache/*.so mr,
/etc/httpd/webapps.d r,
/etc/gai.conf r,
/etc/httpd/magic r,
/etc/mime.types r,
/usr/share/file/magic* r,
/etc/openssl/** r,

/var/log/httpd/** w,
/var/log/archive/httpd/* w,

/etc/php4/** r,
/usr/lib{,64}/php4/*.so mr,
/etc/php/** r,
/usr/lib{,64}/php/*.so mr,

/var/run/httpd.pid rw,
/var/run/httpd/** rw,

/proc/[0-9]*/attr/current rw,
/etc/snmp/** r,
/usr/share/snmp/** r,

/usr/share/perl5/** r,
/usr/lib{,64}/perl5/** r,
/usr/lib{,64}/perl5/**.so* mr,

/usr/X11R6/lib{,64}/lib*.so* mr,

^HANDLING_UNTRUSTED_INPUT flags=(complain) {
/home/services/httpd/** r,
/var/log/httpd/** w,
/var/log/archive/httpd/* w,
/home/users/**/.htaccess r,
}

^HAT_no_access flags=(complain) {
/home/services/httpd/** r,
/var/log/httpd/** w,
/var/log/archive/httpd/* w,
}

#include <abstractions/httpd-users>
}

r – read, w – write, ix – inherited policy on execution, * – simple globbing, ** – glob that also matches slash character (there is more of these of course – see man apparmor.d(5) for details).

HANDLING_UNTRUSTED_INPUT and HAT_no_access are HATs configuration (HAT is previously mentioned subpolicy). By default mod_apparmor runs in HANDLING_UNTRUSTED_INPUT hat. That hat can be changed from configuration file for example:

AADefaultHatName HAT_no_access

<VirtualHost vhost.domain.org>
AADefaultHatName HAT_domain_org
[...]
</VirtualHost>

<VirtualHost vhost.other-domain.com>
AADefaultHatName HAT_other_domain_com
[...]
</VirtualHost>

will cause that mod_apparmor sets appropriate hat on per virtual host basis (as mentioned earlier we can use AADefaultHatName in Location and Directory directives, too).

Now we need to sets policies for these new vhost hats, but first we will put common rules into single abstraction/httpd-hat file that later will be used in HAT policies:

#include <abstractions/base>

capability setuid,
capability setgid,

/proc/[0-9]*/mounts r,
/proc/filesystems r,

/home/services/httpd/** r,
/var/log/httpd/** w,
/var/log/archive/httpd/* w,

/usr/lib{,64}/perl5/** r,
/usr/lib{,64}/perl5/**.so* mr,

/etc/mysql/mysql-client.conf r,
/etc/services r,
/etc/protocols r,
/etc/nsswitch.conf r,
/etc/hosts r,
/etc/host.conf r,
/etc/resolv.conf r,
/etc/mtab r,
/etc/fstab r,
/etc/xml/* r,
/etc/fonts/** r,

/usr/share/** r,

/var/cache/fontconfig/* r,
/var/run/php r,
/var/run/php/** rw,
/var/run/nscd/socket rw,
/tmp r,
/tmp/** rwl,

/bin/* ixr,
/usr/bin/* ixr,

/usr/lib{,64}/lib*.so* mr,
/usr/X11R6/lib{,64}/lib*.so* mr,

/usr/lib{,64}/ImageMagick-** r,
/usr/lib{,64}/ImageMagick-**.so* mr,

and finally HAT policies in abstractions/httpd-users:

^HAT_domain_org {
#include <abstractions/httpd-hat>
/home/users/web-pages/domain_org rw,
/home/users/web-pages/domain_org/** rw,
/home/users/web-pages/domain_org/cgi-bin/** ixrw,
}

^HAT_other_domain_com {
#include <abstractions/httpd-hat>
/home/users/web-pages/other_domain_com rw,
/home/users/web-pages/other_domain_com/** rw,
/home/users/web-pages/other_domain_com/cgi-bin/** ixrw,
}

That’s all. We load policy using rcapparmor init script (/etc/rc.d/init.d/apparmor in PLD/Linux). We can put profile into complain mode (everything is logged but no restriction is in effect) or in enforce mode (apparmor will enforce profile and log rejects). Example /var/log/audit/audit.log:

type=UNKNOWN[1500] msg=audit(1166014976.862:130983): REJECTING r access to /var/cache/fontconfig/2ee5dd3f6641dbe23533346fa3fce51a-x86-64.cache-2 (convert(13663) pro
file /usr/sbin/httpd.prefork active HAT_domain_org)
type=UNKNOWN[1500] msg=audit(1166015781.907:130984): REJECTING r access to /etc/fonts/conf.avail/20-fix-globaladvance.conf (convert(17219) profile /usr/sbin/httpd.p
refork active HAT_domain_org)
type=UNKNOWN[1500] msg=audit(1166015781.907:130985): REJECTING r access to /etc/fonts/conf.avail/20-lohit-gujarati.conf (convert(17219) profile /usr/sbin/httpd.pref
ork active HAT_domain_org)
[...]
type=UNKNOWN[1500] msg=audit(1166016116.536:131037): REJECTING r access to /var/cache/fontconfig/2ee5dd3f6641dbe23533346fa3fce51a-x86-64.cache-2 (convert(17596) pro
file /usr/sbin/httpd.prefork active HAT_other_domain_com)
type=UNKNOWN[1500] msg=audit(1166016139.393:131038): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)
type=UNKNOWN[1500] msg=audit(1166016139.405:131039): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)
type=UNKNOWN[1500] msg=audit(1166016139.429:131040): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)

This log file is very usefull when creating policy (of course apparmor provides some tools that will create policy for you by parsing log file but I was doing everything manually with vim in one hand and tail in second).

Note that .htaccess checking is done at HANDLING_UNTRUSTED_INPUT level, before vhost HAT is applied.

ps. you will probably need to pass capability.disable=1 selinux=off when booting kernel. Otherwise apparmor won’t even load.

After setting headset in paring mode issue:

[root@tarm ~]# hcitool inq
Inquiring …
00:07:A4:BE:95:EE clock offset: 0x51ed class: 0×200404

Then pair with bt500:

[root@tarm ~]# hcitool cc 00:07:A4:BE:95:EE
[root@tarm ~]#

you will be asked for PIN code (enter: 0000).

[root@tarm ~]# btsco -v 00:07:A4:BE:95:EE
btsco v0.41
Device is 1:0
Voice setting: 0×0060
RFCOMM channel 1 connected
recieved AT*GNMK

From now one there should be second ALSA card available:

[root@tarm ~]# cat /proc/asound/cards
0 [Intel ]: HDA-Intel – HDA Intel
HDA Intel at 0xb0000000 irq 169
1 [Headset ]: Bluetooth SCO – BT Headset
BT Headset 1

Run your favorite application (twinkle perhaps – very nice SIP phone with G.711 support, ideal for connecting to Asterisk PBX) and choose BT Headset in sound setup (available also trough OSS emulation as /dev/dsp1 in my case).

You can view setting using alsamixer or amixer using -c 1 switch:

[root@tarm ~]# amixer -c 1
Simple mixer control ‘Master’,0
Capabilities: volume volume-joined
Playback channels: Mono
Capture channels: Mono
Limits: 0 – 15
Mono: 0 [0%]
Simple mixer control ‘Mic’,0
Capabilities: volume volume-joined
Playback channels: Mono
Capture channels: Mono
Limits: 0 – 15
Mono: 0 [0%]
Simple mixer control ‘AGC’,0
Capabilities: pswitch pswitch-joined
Playback channels: Mono
Mono: Playback [off]
Simple mixer control ‘Loopback’,0
Capabilities: pswitch pswitch-joined
Playback channels: Mono
Mono: Playback [off]

When pressing buttons on headset the commands are sent to Bluetooth dongle and are visible by btsco program. You can put your own script in .btscorc which will be executed when commands arrive. By this method you can for example connect hang up button on headset with skype disconnect button (through skype DBUS API).

Recently Hugh Dickins found a way to make resume reliable:
http://lkml.org/lkml/2006/4/21/303

Apply it to latest kernel (2.6.17rc2 in my case) and use suspend userspace tool s2ram.

It isn’t best way (patch violates layers in libata driver) but that’s all. It’s usable until clean solution is found.