Booting PLD/DOS from USB pendrive

Create a partition on your flash drive (using fdisk or cfdisk). Mark one of the partitions bootable in fdisk/cfdisk. Format that partition with a FAT/FAT32 filesystem:

mkfs.vfat -F 32 /dev/sdXY

where sdXY is your partition.

Mount it and copy the contents of a PLD RescueCD ISO image (x86 or x86_64) to that partition, into the /rcd subdirectory.

Write the MBR record:

ms-sys -s /dev/sdX

(where sdX is the entire flash disk; ms-sys comes from the ms-sys package)

Copy the syslinux configuration for USB to the root directory of your flash drive as syslinux.cfg. The DOS/Windows image should be placed in /rcd/boot/dos.gz (compress it with gzip first).

Run:

syslinux -s /dev/sdXY

to install syslinux onto your flash drive.

Reboot your system and check if it boots correctly 🙂

Note that some systems have problems booting from flash drives (especially big ones like 1G or 2G flash drives).

Booting PLD RescueCD from LILO

Copy the files from the RescueCD ISO image and add a section similar to this one to lilo.conf:

image=/boot/rescuecd-20070617/boot/isolinux/vmlinuz
label=rcd
root=/dev/ram0
initrd=/boot/rescuecd-20070617/rescue.cpi
append=" console=tty0 console=ttyS1,38400n81 panic=60"

lftp and editing remote files

lftp is a very nice piece of software (for people who like the text console).

How to edit remote files? Take a look!


[arekm@tarm ~]$ cat .lftp/rc
alias edit source -e ~/.lftp/edit.sh
[arekm@tarm ~]$ cat .lftp/edit.sh
#!/bin/sh
tempid=$$
echo get $1 -o /tmp/$tempid$1
echo shell vim /tmp/$tempid$1
echo put -E /tmp/$tempid$1 -o $1
[arekm@tarm ~]$ lftp -u arm ftp.somewhere.pl
Password:
lftp arm@ftp.somewhere.pl:~> ls
drwxr-xr-x 2 0 0 4096 Jan 29 20:35 .
drwxr-xr-x 2 0 0 4096 Jan 29 20:35 ..
lftp arm@ftp.somewhere.pl:~> edit test.txt
get: Access failed: 550 Can't open test.txt: No such file or directory

[HERE vim is opened; after saving]

9 bytes transferred
lftp arm@ftp.somewhere.pl:~> rels
drwx---r-x 3 10089 999 50 Jun 15 18:35 .
drwxr-xr-x 2 0 0 4096 Jan 29 20:35 ..
-rw-r--r-- 1 10089 nogroup 9 Jun 15 18:35 test.txt
lftp arm@ftp.somewhere.pl:~> cat test.txt
El test.
10 bytes transferred
lftp arm@ftp.somewhere.pl:~> edit test.txt
9 bytes transferred

[HERE again vim is opened; after saving]

23 bytes transferred
lftp arm@ftp.somewhere.pl:~> cat test.txt
El test.
Small change.
25 bytes transferred
lftp arm@ftp.somewhere.pl:~>

Don’t we all love lftp?

201504 EDIT: lftp 4.6.1 will have edit command built in!

PXE remote boot for your home/work lab

PXE is well known and widely used in some environments. I'm quite often playing with some servers: testing, installing various things, reflashing firmware etc. Usually that was done with PLD RescueCD on a CD-RW medium, (Free)DOS images/ISOs etc. Unfortunately burning different stuff over and over is annoying. How to do something nice and usable?

What you need is a DHCP server, a TFTP server and PXE-ready client machines (most newer hardware is able to boot from the network over PXE).

Setting up the DHCP server

Beside standard network settings in dhcpd.conf you will need:

allow booting ;
allow bootp ;
next-server 192.168.0.250 ;
filename "/pxelinux.0" ;

Setting up the TFTP server

Under PLD that means just installing the atftpd package. If you built from sources then run something like:

atftpd -v5 --daemon /var/lib/tftp

Note that atftpd cannot serve images bigger than 64MB (due to lack of block number rollover support). Fortunately tftpd-hpa supports this.

pxelinux

You will also need the syslinux package, which comes with pxelinux. pxelinux will load different images for us depending on the user's choice. Use the latest available version (3.31 at this moment) because older versions miss an important piece of functionality (menus).

/var/lib/tftp preparation

The structure I use is shown below. The most important thing is the pxelinux.0 file (a symlink to the real file in my case), which is the whole pxelinux loader that comes with the syslinux package. pxelinux reads its configuration from the pxelinux.cfg directory. It tries to load various configuration files and stops at the first one found:

Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/01-00-a0-cc-da-d9-3c to 192.168.0.113:57089
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A80071 to 192.168.0.113:57090
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A8007 to 192.168.0.113:57091
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A800 to 192.168.0.113:57092
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A80 to 192.168.0.113:57093
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A8 to 192.168.0.113:57094
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0A to 192.168.0.113:57095
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C0 to 192.168.0.113:57096
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/C to 192.168.0.113:57097
Jan 13 15:29:12 arm atftpd[5234]: Serving /pxelinux.cfg/default to 192.168.0.113:57098

This means that we can have different configurations for different machines (based on the MAC address of the machine's ethernet card). I'm using the default configuration file, which is always tried.
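To see which file a given client ends up with, here is the lookup order as a small Python function (an added example, not code from this post or from syslinux); fed the MAC and IP from the log lines above it reproduces the same sequence of requests:

```python
"""pxelinux configuration-file search order (added example, not code from
the post or from syslinux).  Given a client's MAC and IPv4 address it returns
the names pxelinux requests from pxelinux.cfg/, in order, matching the
atftpd log above."""
import ipaddress


def pxelinux_config_candidates(mac, ip):
    """Return the pxelinux.cfg/ file names a client asks for, in order.

    pxelinux first tries 01-<mac> (01 = Ethernet hardware type, MAC bytes in
    lowercase hex joined by '-'), then the IPv4 address as eight uppercase
    hex digits, dropping one trailing digit per attempt, and finally
    'default'.
    """
    mac_bytes = mac.replace("-", ":").lower().split(":")
    if len(mac_bytes) != 6 or any(len(b) != 2 for b in mac_bytes):
        raise ValueError("expected a 6-byte MAC such as 00:a0:cc:da:d9:3c")
    candidates = ["01-" + "-".join(mac_bytes)]
    ip_hex = "%08X" % int(ipaddress.IPv4Address(ip))
    for n in range(8, 0, -1):
        candidates.append(ip_hex[:n])
    candidates.append("default")
    return candidates


def first_served(candidates, available):
    """Return the first candidate present in `available` (the set of names
    that actually exist in pxelinux.cfg/), or None if nothing matches."""
    for name in candidates:
        if name in available:
            return name
    return None


if __name__ == "__main__":
    # Client from the log lines above: 00:a0:cc:da:d9:3c at 192.168.0.113
    names = pxelinux_config_candidates("00:a0:cc:da:d9:3c", "192.168.0.113")
    for name in names:
        print("pxelinux.cfg/" + name)
    # With only 'default' on the server, that is what the client gets.
    print("served:", first_served(names, {"default"}))
```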

My entire /var/lib/tftp structure:

[root@arm /var/lib/tftp]# ls -alR
.:
total 1456
drwxr-xr-x 9 root root 4096 Jan 13 15:26 .
drwxr-xr-x 35 root root 4096 Jan 12 17:35 ..
-rw-r--r-- 1 root root 5237 Jan 13 15:25 pxe-background.png
lrwxrwxrwx 1 root root 30 Jan 12 17:41 pxelinux.0 -> /usr/lib64/syslinux/pxelinux.0
drwxr-xr-x 2 root root 20 Jan 13 16:51 pxelinux.cfg
drwxr-xr-x 4 root root 47 Jan 12 09:47 rescue-x86-20060625
drwxr-xr-x 4 root root 47 Jan 12 11:39 rescue-x86-20070109
drwxr-xr-x 4 root root 47 Jan 12 09:47 rescue-x86_64-20060625
drwxr-xr-x 2 root root 31 Jan 12 10:37 suse-10.1
drwxr-xr-x 2 root root 60 Jan 12 10:06 suse-9.2
drwxr-xr-x 2 root root 60 Jan 12 10:05 suse-9.3
lrwxrwxrwx 1 root root 19 Jan 12 17:41 syslinux -> /usr/lib64/syslinux
-rw-r--r-- 1 root root 1474560 Nov 18 1999 winb98se.img

./pxelinux.cfg:
total 8
drwxr-xr-x 2 root root 20 Jan 13 16:51 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r--r-- 1 root root 2152 Jan 13 15:24 default

./rescue-x86-20060625:
total 54340
drwxr-xr-x 4 root root 47 Jan 12 09:47 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
drwxr-xr-x 3 root root 104 Jun 25 2006 boot
drwxr-xr-x 2 root root 24 Jan 12 09:53 custom
-rw-r--r-- 1 root root 55638528 Jun 25 2006 rescue.cpi

./rescue-x86-20060625/boot:
total 36
drwxr-xr-x 3 root root 104 Jun 25 2006 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r--r-- 1 root root 17131 Jun 15 2006 ElTorito.img.gz
-rw-r--r-- 1 root root 744 Jun 15 2006 README
-rw-r--r-- 1 root root 83 Jun 15 2006 boot.bat
-rw-r--r-- 1 root root 1475 Jun 15 2006 floppy.img.gz
drwxr-xr-x 2 root root 138 Jun 25 2006 isolinux
-rwxr-xr-x 1 root root 3695 Jun 25 2006 isomod

./rescue-x86-20060625/boot/isolinux:
total 1508
drwxr-xr-x 2 root root 138 Jun 25 2006 .
drwxr-xr-x 3 root root 104 Jun 25 2006 ..
-r--r--r-- 1 root root 2048 Jun 25 2006 boot.catalog
-rw-r--r-- 1 root root 1594 Jun 25 2006 boot.msg
-rw-r--r-- 1 root root 1443 Jun 15 2006 help.msg
-rw-r--r-- 1 root root 357528 Jun 25 2006 initrd.ide
-rw-r--r-- 1 root root 10440 Jun 25 2006 isolinux.bin
-rw-r--r-- 1 root root 1156 Jun 15 2006 isolinux.cfg
-rw-r--r-- 1 root root 94760 Jun 15 2006 memtest
-rw-r--r-- 1 root root 1056768 Jun 25 2006 vmlinuz

./rescue-x86-20060625/custom:
total 4
drwxr-xr-x 2 root root 24 Jan 12 09:53 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r--r-- 1 root root 1024 Jun 25 2006 custom.cpio

./rescue-x86-20070109:
total 52768
drwxr-xr-x 4 root root 47 Jan 12 11:39 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
drwxr-xr-x 3 root root 104 Jan 9 01:10 boot
drwxr-xr-x 2 root root 24 Jan 9 01:10 custom
-rw-r--r-- 1 root root 54028800 Jan 9 01:10 rescue.cpi

./rescue-x86-20070109/boot:
total 36
drwxr-xr-x 3 root root 104 Jan 9 01:10 .
drwxr-xr-x 4 root root 47 Jan 12 11:39 ..
-rw-r--r-- 1 root root 17131 Jun 15 2006 ElTorito.img.gz
-rw-r--r-- 1 root root 744 Jun 15 2006 README
-rw-r--r-- 1 root root 83 Jun 15 2006 boot.bat
-rw-r--r-- 1 root root 1475 Jun 15 2006 floppy.img.gz
drwxr-xr-x 2 root root 138 Jan 9 01:10 isolinux
-rwxr-xr-x 1 root root 3695 Jan 9 01:10 isomod

./rescue-x86-20070109/boot/isolinux:
total 1708
drwxr-xr-x 2 root root 138 Jan 9 01:10 .
drwxr-xr-x 3 root root 104 Jan 9 01:10 ..
-r--r--r-- 1 root root 2048 Jan 9 01:10 boot.catalog
-rw-r--r-- 1 root root 1594 Jan 8 21:33 boot.msg
-rw-r--r-- 1 root root 1443 Jun 15 2006 help.msg
-rw-r--r-- 1 root root 381123 Jan 9 01:10 initrd.ide
-rw-r--r-- 1 root root 10440 Jan 9 01:10 isolinux.bin
-rw-r--r-- 1 root root 1156 Jun 15 2006 isolinux.cfg
-rw-r--r-- 1 root root 94760 Jun 15 2006 memtest
-rw-r--r-- 1 root root 1234944 Jan 9 01:05 vmlinuz

./rescue-x86-20070109/custom:
total 4
drwxr-xr-x 2 root root 24 Jan 9 01:10 .
drwxr-xr-x 4 root root 47 Jan 12 11:39 ..
-rw-r--r-- 1 root root 1024 Jan 9 01:10 custom.cpio

./rescue-x86_64-20060625:
total 44900
drwxr-xr-x 4 root root 47 Jan 12 09:47 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
drwxr-xr-x 3 root root 104 Jun 25 2006 boot
drwxr-xr-x 2 root root 24 Jun 25 2006 custom
-rw-r--r-- 1 root root 45970224 Jun 25 2006 rescue.cpi

./rescue-x86_64-20060625/boot:
total 36
drwxr-xr-x 3 root root 104 Jun 25 2006 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r--r-- 1 root root 17131 Jun 15 2006 ElTorito.img.gz
-rw-r--r-- 1 root root 744 Jun 15 2006 README
-rw-r--r-- 1 root root 83 Jun 15 2006 boot.bat
-rw-r--r-- 1 root root 1475 Jun 15 2006 floppy.img.gz
drwxr-xr-x 2 root root 138 Jun 25 2006 isolinux
-rwxr-xr-x 1 root root 3695 Jun 25 2006 isomod

./rescue-x86_64-20060625/boot/isolinux:
total 1776
drwxr-xr-x 2 root root 138 Jun 25 2006 .
drwxr-xr-x 3 root root 104 Jun 25 2006 ..
-r--r--r-- 1 root root 2048 Jun 25 2006 boot.catalog
-rw-r--r-- 1 root root 1530 Jun 25 2006 boot.msg
-rw-r--r-- 1 root root 1197 Jun 18 2006 help.msg
-rw-r--r-- 1 root root 364891 Jun 25 2006 initrd.ide
-rw-r--r-- 1 root root 10440 Jun 25 2006 isolinux.bin
-rw-r--r-- 1 root root 701 Jun 15 2006 isolinux.cfg
-rw-r--r-- 1 root root 94760 Jun 15 2006 memtest
-rw-r--r-- 1 root root 1321472 Jun 25 2006 vmlinuz

./rescue-x86_64-20060625/custom:
total 4
drwxr-xr-x 2 root root 24 Jun 25 2006 .
drwxr-xr-x 4 root root 47 Jan 12 09:47 ..
-rw-r--r-- 1 root root 1024 Jun 25 2006 custom.cpio

./suse-10.1:
total 9164
drwxr-xr-x 2 root root 31 Jan 12 10:37 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r--r-- 1 root root 8137429 May 3 2006 initrd
-rw-r--r-- 1 root root 1237785 May 3 2006 linux

./suse-9.2:
total 12972
drwxr-xr-x 2 root root 60 Jan 12 10:06 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r--r-- 1 root root 5379369 Oct 21 2004 initrd
-rw-r--r-- 1 root root 4730075 Oct 20 2004 initrd64
-rw-r--r-- 1 root root 1555945 Oct 21 2004 linux
-rw-r--r-- 1 root root 1608082 Oct 20 2004 linux64

./suse-9.3:
total 14932
drwxr-xr-x 2 root root 60 Jan 12 10:05 .
drwxr-xr-x 9 root root 4096 Jan 13 15:26 ..
-rw-r--r-- 1 root root 6183757 Mar 24 2005 initrd
-rw-r--r-- 1 root root 6048487 Mar 24 2005 initrd64
-rw-r--r-- 1 root root 1424645 Mar 24 2005 linux
-rw-r--r-- 1 root root 1625590 Mar 24 2005 linux64

The rescue-* directories contain an unmodified copy of the PLD RescueCD ISO image contents. The suse-* directories contain the kernel images and initrd files copied from the SuSE installation CD-ROM/DVD. winb98se.img is an image of a Windows 98 SE boot floppy disk.

pxelinux "default" configuration file

The configuration file is shown below. vesamenu.c32 allows displaying menus in graphical mode with a background JPG/PNG image. For pure text mode there is menu.c32. MENU LABEL adds the text shown in the menu for a single label section of the configuration.

"^" marks the keyboard shortcut letter.

The Windows floppy image uses a special loader called memdisk, which allows booting legacy operating systems.

The CPU identification entry is interesting because it starts an entirely new "program" named cpuidtest.c32, which is the same kind of "program" as vesamenu.c32. This way of handling things allows us to create multiple submenus which read different configuration files specified in the APPEND directive; for example:

LABEL newmenu
MENU LABEL New Menu
KERNEL vesamenu.c32
APPEND something.conf newmenu.conf

I don’t use submenus in my setup though.

[root@arm /var/lib/tftp]# cat pxelinux.cfg/default
DEFAULT syslinux/vesamenu.c32
MENU BACKGROUND pxe-background.png
PROMPT 0

MENU TITLE Remote Boot Services

label rescue-x86
MENU LABEL ^1. PLD Rescue 20060625 x86
kernel rescue-x86-20060625/boot/isolinux/vmlinuz
append initrd=rescue-x86-20060625/rescue.cpi,rescue-x86-20060625/custom/custom.cpio root=/dev/ram0 CONF="`/dev/fd0:/rescue`;;;;;;;;;;;"
ipappend 1

label rescue-x86
MENU LABEL ^2. PLD Rescue 20070109 x86
kernel rescue-x86-20070109/boot/isolinux/vmlinuz
append initrd=rescue-x86-20070109/rescue.cpi,rescue-x86-20070109/custom/custom.cpio root=/dev/ram0 CONF="`/dev/fd0:/rescue`;;;;;;;;;;;"
ipappend 1

label rescue-x86_64
MENU LABEL ^3. PLD Rescue 20060625 x86_64
kernel rescue-x86_64-20060625/boot/isolinux/vmlinuz
append initrd=rescue-x86_64-20060625/rescue.cpi,rescue-x86_64-20060625/custom/custom.cpio root=/dev/ram0 CONF="`/dev/fd0:/rescue`;;;;;;;;;;;"

label suse-install-9.2-x86
MENU LABEL ^4. SuSE Linux Install 9.2 x86
kernel suse-9.2/linux
append initrd=suse-9.2/initrd splash=silent showopts install=ftp://192.168.1.250/SUSE/9.2

label suse-install-9.2-x86_64
MENU LABEL ^5. SuSE Linux Install 9.2 x86_64
kernel suse-9.2/linux64
append initrd=suse-9.2/initrd64 splash=silent showopts install=ftp://192.168.1.250/SUSE/9.2

label suse-install-9.3-x86
MENU LABEL ^6. SuSE Linux Install 9.3 x86
kernel suse-9.3/linux
append initrd=suse-9.3/initrd splash=silent showopts install=ftp://192.168.1.250/SUSE/9.3

label suse-install-9.3-x86_64
MENU LABEL ^7. SuSE Linux Install 9.3 x86_64
kernel suse-9.3/linux64
append initrd=suse-9.3/initrd64 splash=silent showopts install=ftp://192.168.1.250/SUSE/9.3

label suse-install-10.1-x86
MENU LABEL ^8. SuSE Linux Install 10.1 x86
kernel suse-10.1/linux
append initrd=suse-10.1/initrd splash=silent showopts install=ftp://192.168.1.250/SUSE/10.1

label win98se
MENU LABEL ^9. Windows 98 SE Boot Disk
kernel syslinux/memdisk
append initrd=winb98se.img

LABEL cpuid
MENU LABEL ^A. Identify Processor
KERNEL syslinux/cpuidtest.c32
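A small checker for a configuration like the one above (an added example, not code from this post or from syslinux): it parses the label entries, reports labels that are defined twice (note the two "rescue-x86" entries above) and KERNEL/initrd paths that do not exist below the TFTP root. The embedded sample config is a shortened, constructed copy of the file above.

```python
"""Sanity-check a pxelinux configuration against the TFTP root (added
example, not from the post or from syslinux): reports labels defined twice
and KERNEL/initrd paths missing below the TFTP root."""

# Constructed sample: a shortened copy of the pxelinux.cfg/default above.
SAMPLE_CFG = """\
DEFAULT syslinux/vesamenu.c32
PROMPT 0

label rescue-x86
MENU LABEL ^1. PLD Rescue 20060625 x86
kernel rescue-x86-20060625/boot/isolinux/vmlinuz
append initrd=rescue-x86-20060625/rescue.cpi,rescue-x86-20060625/custom/custom.cpio root=/dev/ram0

label rescue-x86
MENU LABEL ^2. PLD Rescue 20070109 x86
kernel rescue-x86-20070109/boot/isolinux/vmlinuz
append initrd=rescue-x86-20070109/rescue.cpi root=/dev/ram0

label win98se
MENU LABEL ^9. Windows 98 SE Boot Disk
kernel syslinux/memdisk
append initrd=winb98se.img
"""


def parse_pxelinux_cfg(text):
    """Return one {label, kernel, initrds} dict per LABEL entry.

    Directives are case-insensitive (the post mixes 'label' and 'LABEL');
    only KERNEL and the initrd= part of APPEND are examined.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "label":
            current = {"label": value, "kernel": None, "initrds": []}
            entries.append(current)
        elif current is None:
            continue  # global directives such as DEFAULT, PROMPT, MENU TITLE
        elif keyword == "kernel":
            current["kernel"] = value
        elif keyword == "append":
            for word in value.split():
                if word.startswith("initrd="):
                    # initrd= may list several images separated by commas
                    current["initrds"].extend(word[len("initrd="):].split(","))
    return entries


def check_entries(entries, exists):
    """Return problem strings; exists(relpath) tells whether a file is
    present below the TFTP root (for a real tree pass a wrapper around
    os.path.exists)."""
    problems, seen = [], set()
    for e in entries:
        if e["label"] in seen:
            problems.append("duplicate label %s" % e["label"])
        seen.add(e["label"])
        if e["kernel"] is None:
            problems.append("%s: no KERNEL line" % e["label"])
        for path in [e["kernel"]] + e["initrds"]:
            if path and not exists(path):
                problems.append("%s: missing %s" % (e["label"], path))
    return problems


if __name__ == "__main__":
    # Pretend only the rescue images exist, so the win98se image is reported.
    present = {"rescue-x86-20060625/boot/isolinux/vmlinuz",
               "rescue-x86-20060625/rescue.cpi", "rescue-x86-20060625/custom/custom.cpio",
               "rescue-x86-20070109/boot/isolinux/vmlinuz", "rescue-x86-20070109/rescue.cpi",
               "syslinux/memdisk"}
    for problem in check_entries(parse_pxelinux_cfg(SAMPLE_CFG), lambda p: p in present):
        print(problem)
```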

Screenphotos

(click images to see them in full size)

Text boot using menu.c32 (this is also what you get when vesamenu.c32 receives wrong options, such as a background image of the wrong size; it needs to be 640×480).

Text boot

Graphical boot with PLD-style background image.

Graphical boot

You can change boot options just like in grub.

Graphical boot with editing parameters for single boot entry

PLD RescueCD boots…

Booting PLD RescueCD

Windows 98 SE image already started.

Booting Windows 98 SE floppy image

Example of CPU Identification that comes with syslinux package.

CPU Identification example

Background image used in screenshots

PLD Background

AppArmor protection for your Apache (including mod_php, mod_python and others)

The biggest weakness of the Apache httpd web server is its lack of isolation in a multiuser environment. All httpd processes run under the same UID and GID, which means that user JOE can write a simple PHP script which, when run via httpd, is able to open and read other users' web files (so the database passwords that other users hide somewhere in their web configuration files are not protected).

There are some ways to protect your files:

  • FastCGI (mainly for PHP; allows running PHP scripts under different privileges)
  • CGI (running PHP and other scripts through suexec)
  • nonstandard Apache MPMs like peruser and metuxmpm (allow running parts of httpd with a different UID/GID; unfortunately of very alpha quality)

The primary problem with all of the above is that performance drops dramatically.

That's where AppArmor comes to the rescue. AppArmor is a kind of SuSE response to SELinux. SELinux is pretty good when it comes to creating fine-grained policy rules but tends to be quite complicated when it comes to writing policies for programs. AppArmor on the other hand is much simpler but also quite limited: it can be used to restrict file and capabilities(7) access only. That's enough for us, since that is exactly what we want: to limit access to parts of the filesystem. The primary reason why we choose AppArmor over SELinux here is the "change hat" functionality. It allows defining subpolicies for a program, and the program is able to switch between those subpolicies. apache-mod_apparmor allows switching the subpolicy on a per virtual host, directory and location basis!

How to do that?

First you need to patch your kernel with the AppArmor patches (these are very small and non-intrusive); most of AppArmor lives in a separate directory in the kernel tree, security/apparmor, so it does not conflict even with grsecurity patches. You will also need to download and build the apparmor-parser, apparmor-profiles and apparmor-utils packages. All of these are available on the AppArmor Home Page.

AppArmor keeps policy files in /etc/apparmor.d/. These are simple text files, for example the /etc/apparmor.d/usr.sbin.httpd.prefork policy:

# vim:syntax=apparmor
# Last Modified: Tue Dec 12 02:37:27 2006
#include
/usr/sbin/httpd.prefork flags=(complain) {
#include
#include
/usr/sbin/httpd.prefork mr,
capability setuid,
capability setgid,
capability kill,
capability dac_override,
capability dac_read_search,

/etc/httpd/apache.conf r,
/etc/httpd/conf.d r,
/etc/httpd/conf.d/* r,
/etc/httpd/ssl/* r,
/usr/lib{,64}/apache/*.so mr,
/etc/httpd/webapps.d r,
/etc/gai.conf r,
/etc/httpd/magic r,
/etc/mime.types r,
/usr/share/file/magic* r,
/etc/openssl/** r,

/var/log/httpd/** w,
/var/log/archive/httpd/* w,

/etc/php4/** r,
/usr/lib{,64}/php4/*.so mr,
/etc/php/** r,
/usr/lib{,64}/php/*.so mr,

/var/run/httpd.pid rw,
/var/run/httpd/** rw,

/proc/[0-9]*/attr/current rw,
/etc/snmp/** r,
/usr/share/snmp/** r,

/usr/share/perl5/** r,
/usr/lib{,64}/perl5/** r,
/usr/lib{,64}/perl5/**.so* mr,

/usr/X11R6/lib{,64}/lib*.so* mr,

^HANDLING_UNTRUSTED_INPUT flags=(complain) {
/home/services/httpd/** r,
/var/log/httpd/** w,
/var/log/archive/httpd/* w,
/home/users/**/.htaccess r,
}

^HAT_no_access flags=(complain) {
/home/services/httpd/** r,
/var/log/httpd/** w,
/var/log/archive/httpd/* w,
}

# hats for the individual vhosts are defined in abstractions/httpd-users (see below)
#include <abstractions/httpd-users>
}

r = read, w = write, ix = execute inheriting the current policy, * = simple globbing, ** = glob that also matches the slash character (there are more of these of course; see apparmor.d(5) for details).

HANDLING_UNTRUSTED_INPUT and HAT_no_access are hat definitions (a hat is the subpolicy mentioned earlier). By default mod_apparmor runs in the HANDLING_UNTRUSTED_INPUT hat. The hat can be changed from the Apache configuration file, for example:

AADefaultHatName HAT_no_access


AADefaultHatName HAT_domain_org
[…]


AADefaultHatName HAT_other_domain_com
[…]

will make mod_apparmor set the appropriate hat on a per virtual host basis (as mentioned earlier, AADefaultHatName can be used in Location and Directory directives, too).

Now we need to set policies for these new vhost hats, but first we will put the common rules into a single abstractions/httpd-hat file that will later be used by the HAT policies:

#include

capability setuid,
capability setgid,

/proc/[0-9]*/mounts r,
/proc/filesystems r,

/home/services/httpd/** r,
/var/log/httpd/** w,
/var/log/archive/httpd/* w,

/usr/lib{,64}/perl5/** r,
/usr/lib{,64}/perl5/**.so* mr,

/etc/mysql/mysql-client.conf r,
/etc/services r,
/etc/protocols r,
/etc/nsswitch.conf r,
/etc/hosts r,
/etc/host.conf r,
/etc/resolv.conf r,
/etc/mtab r,
/etc/fstab r,
/etc/xml/* r,
/etc/fonts/** r,

/usr/share/** r,

/var/cache/fontconfig/* r,
/var/run/php r,
/var/run/php/** rw,
/var/run/nscd/socket rw,
/tmp r,
/tmp/** rwl,

/bin/* ixr,
/usr/bin/* ixr,

/usr/lib{,64}/lib*.so* mr,
/usr/X11R6/lib{,64}/lib*.so* mr,

/usr/lib{,64}/ImageMagick-** r,
/usr/lib{,64}/ImageMagick-**.so* mr,

and finally the HAT policies in abstractions/httpd-users:

^HAT_domain_org {
#include <abstractions/httpd-hat>
/home/users/web-pages/domain_org rw,
/home/users/web-pages/domain_org/** rw,
/home/users/web-pages/domain_org/cgi-bin/** ixrw,
}

^HAT_other_domain_com {
#include <abstractions/httpd-hat>
/home/users/web-pages/other_domain_com rw,
/home/users/web-pages/other_domain_com/** rw,
/home/users/web-pages/other_domain_com/cgi-bin/** ixrw,
}

That's all. We load the policy using the rcapparmor init script (/etc/rc.d/init.d/apparmor in PLD/Linux). A profile can be put into complain mode (everything is logged but no restriction is in effect) or into enforce mode (AppArmor enforces the profile and logs rejects). Example /var/log/audit/audit.log:

type=UNKNOWN[1500] msg=audit(1166014976.862:130983): REJECTING r access to /var/cache/fontconfig/2ee5dd3f6641dbe23533346fa3fce51a-x86-64.cache-2 (convert(13663) profile /usr/sbin/httpd.prefork active HAT_domain_org)
type=UNKNOWN[1500] msg=audit(1166015781.907:130984): REJECTING r access to /etc/fonts/conf.avail/20-fix-globaladvance.conf (convert(17219) profile /usr/sbin/httpd.prefork active HAT_domain_org)
type=UNKNOWN[1500] msg=audit(1166015781.907:130985): REJECTING r access to /etc/fonts/conf.avail/20-lohit-gujarati.conf (convert(17219) profile /usr/sbin/httpd.prefork active HAT_domain_org)
[…]
type=UNKNOWN[1500] msg=audit(1166016116.536:131037): REJECTING r access to /var/cache/fontconfig/2ee5dd3f6641dbe23533346fa3fce51a-x86-64.cache-2 (convert(17596) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)
type=UNKNOWN[1500] msg=audit(1166016139.393:131038): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)
type=UNKNOWN[1500] msg=audit(1166016139.405:131039): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)
type=UNKNOWN[1500] msg=audit(1166016139.429:131040): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)

This log file is very useful when creating a policy (of course AppArmor provides some tools that will create the policy for you by parsing the log file, but I was doing everything manually, with vim in one hand and tail in the other).
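The same bookkeeping done in code, as an added Python example (not from this post and not one of AppArmor's own tools): it parses REJECTING lines of the shape shown above, groups the denied paths by the active hat and renders candidate rules. The sample lines are copied from the excerpt above plus one unrelated line.

```python
"""Turn AppArmor REJECTING audit lines into candidate profile rules, one
block per hat (added example, not from the post or from AppArmor's own
tools).  It does what the author did with vim and tail: collect each denied
path and mode, grouped by the hat that was active."""
import re
from collections import defaultdict

# Shape of the audit lines shown above (old "type=UNKNOWN[1500]" format):
# denied mode, path, program(pid), profile and the active hat.
REJECT_RE = re.compile(
    r"REJECTING (?P<mode>\w+) access to (?P<path>\S+) "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) "
    r"active (?P<hat>\S+)\)"
)

# Constructed sample: lines copied from the audit.log excerpt above, plus one
# unrelated line to show that non-matching lines are skipped.
SAMPLE_LOG = """\
type=UNKNOWN[1500] msg=audit(1166014976.862:130983): REJECTING r access to /var/cache/fontconfig/2ee5dd3f6641dbe23533346fa3fce51a-x86-64.cache-2 (convert(13663) profile /usr/sbin/httpd.prefork active HAT_domain_org)
type=UNKNOWN[1500] msg=audit(1166015781.907:130984): REJECTING r access to /etc/fonts/conf.avail/20-fix-globaladvance.conf (convert(17219) profile /usr/sbin/httpd.prefork active HAT_domain_org)
[...]
type=UNKNOWN[1500] msg=audit(1166016139.393:131038): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)
type=UNKNOWN[1500] msg=audit(1166016139.405:131039): REJECTING r access to /var/tmp (httpd.prefork(7442) profile /usr/sbin/httpd.prefork active HAT_other_domain_com)
"""


def parse_rejects(log_text):
    """Return one dict (mode, path, comm, pid, profile, hat) per REJECTING line."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append(m.groupdict())
    return rejects


def suggest_rules(rejects):
    """Group denied accesses by hat and merge modes per path.

    Returns {hat: ["/path modes,", ...]} with paths sorted; a path denied
    several times (or for 'r' and 'w' separately) yields a single rule.
    """
    modes = defaultdict(lambda: defaultdict(set))
    for r in rejects:
        modes[r["hat"]][r["path"]].add(r["mode"])
    return {hat: ["%s %s," % (path, "".join(sorted(ms)))
                  for path, ms in sorted(per_path.items())]
            for hat, per_path in modes.items()}


def render_hat(hat, rules):
    """Format the rules as a hat block in apparmor.d(5) syntax."""
    return "^%s {\n%s\n}" % (hat, "\n".join("  " + r for r in rules))


if __name__ == "__main__":
    for hat, rules in sorted(suggest_rules(parse_rejects(SAMPLE_LOG)).items()):
        print(render_hat(hat, rules))
```

The output lists exact paths; in the post the author generalized such rejects into glob rules like /etc/fonts/** r, in abstractions/httpd-hat, which is the sensible next step once a pattern is visible.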

Note that .htaccess checking is done at the HANDLING_UNTRUSTED_INPUT level, before the vhost HAT is applied.

PS: you will probably need to pass capability.disable=1 selinux=off when booting the kernel. Otherwise AppArmor won't even load.

CB radio: Uniden PRO 520 XL

Lately a very popular radio in this country... and now the opinion of RS39 (if you don't know who that is -> google) on the subject: "the u520 has no selectivity, the receiver is not properly aligned for minimum distortion on receive, the audio-frequency receive path is very noisy, there is no decent AM modulation ...". We'll thank Uniden for that, especially in the context of the official actions of UKE. There is still no radio on the market (new; available to buy in a shop) that has won users' favour at a reasonable price. Most people recommend (well-performing, but still) old gear...

Jabra BT-500 Bluetooth Headset and Linux

The BT500 works quite well when paired with Linux. To get the thing working you will need the BlueZ stack (already in recent kernels), the utilities (bluez-utils.spec) and the ALSA Bluetooth driver, snd-bt-sco. There is one issue with the BT500 (where you hear no sound, just a single beep at the start and end of the audio stream), which is handled by the sco-mtu patch.

After putting the headset in pairing mode, issue:

[root@tarm ~]# hcitool inq
Inquiring …
00:07:A4:BE:95:EE clock offset: 0x51ed class: 0x200404

Then pair with the BT500:

[root@tarm ~]# hcitool cc 00:07:A4:BE:95:EE
[root@tarm ~]#

You will be asked for the PIN code (enter: 0000).

[root@tarm ~]# btsco -v 00:07:A4:BE:95:EE
btsco v0.41
Device is 1:0
Voice setting: 0x0060
RFCOMM channel 1 connected
recieved AT*GNMK

From now on there should be a second ALSA card available:

[root@tarm ~]# cat /proc/asound/cards
0 [Intel ]: HDA-Intel - HDA Intel
HDA Intel at 0xb0000000 irq 169
1 [Headset ]: Bluetooth SCO - BT Headset
BT Headset 1

Run your favorite application (twinkle perhaps, a very nice SIP phone with G.711 support, ideal for connecting to an Asterisk PBX) and choose BT Headset in its sound setup (also available through OSS emulation as /dev/dsp1 in my case).

You can view the settings using alsamixer or amixer with the -c 1 switch:

[root@tarm ~]# amixer -c 1
Simple mixer control 'Master',0
Capabilities: volume volume-joined
Playback channels: Mono
Capture channels: Mono
Limits: 0 - 15
Mono: 0 [0%]
Simple mixer control 'Mic',0
Capabilities: volume volume-joined
Playback channels: Mono
Capture channels: Mono
Limits: 0 - 15
Mono: 0 [0%]
Simple mixer control 'AGC',0
Capabilities: pswitch pswitch-joined
Playback channels: Mono
Mono: Playback [off]
Simple mixer control 'Loopback',0
Capabilities: pswitch pswitch-joined
Playback channels: Mono
Mono: Playback [off]

When pressing buttons on the headset, the commands are sent to the Bluetooth dongle and are visible to the btsco program. You can put your own script in .btscorc, which will be executed when commands arrive. This way you can, for example, connect the hang-up button on the headset to Skype's disconnect button (through the Skype DBUS API).

Suspend to RAM on IBM ThinkPad Z60m with SATA drive

Suspend on this laptop works quite well except for one important thing: the SATA driver (ata_piix). It doesn't resume properly: the SCSI subsystem times out, the filesystem reports errors and the whole fs is remounted read-only.

Recently Hugh Dickins found a way to make resume reliable:
http://lkml.org/lkml/2006/4/21/303

Apply it to the latest kernel (2.6.17rc2 in my case) and use the suspend userspace tool s2ram.

It isn't the best way (the patch violates layers in the libata driver) but that's all there is. It's usable until a clean solution is found.