Debian Squeeze power management and SELinux

Most of the work that’s gone into the Debian SELinux policy seems to have been done on servers. After taking a serious look at the AVCs on my laptop it seems that most of the power management stuff isn’t quite working. It was close though so the patch I had to whip up wasn’t too serious. It basically came down to:

  • get policykit started properly by dbus (I guess it used to be started by init)
  • differences between file paths on Fedora and Debian
  • allow upowerd to execute anacron properly (pm-utils script executing the anacron init script)
  • allow upowerd to talk to the unconfined users dbus session (started by X login scripts)

The Debian SELinux mailing list is pretty much defunct so I’ve been sending these patches directly to the package maintainer. We’ll see if he picks it up. The patch (against the current unstable package) is here if anyone is interested. Just copy the patch file to the root of the current policy from unstable (get it via apt-get source) and then apply it:

patch -p2 < 2011-01-26_devicekit.patch

Adding an Online Spare to p400i RAID Controller

I’ve had an HP DL360 hosting my blog, MySQL, SMTP and IMAP servers for a while now. The server’s been great and I’ve always intended to add an online spare (a.k.a. hot spare) for a little peace of mind. I’ve finally got around to it and it turns out that the syntax for using the CLI configuration tool from HP is a bit cryptic so this is a few notes on how I got the job done.

Tools & Documentation

Tracking down the tools for the job was a bit of a pain. To save you some time the documentation you want is here: Controller Reference Guide

HP actually supports the configuration tool (hpacucli) for Debian and they provide a package through the Proliant Support Pack apt repository. You can add the repository to your sources.list file with the following line:

deb http://downloads.linux.hp.com/SDR/downloads/ProLiantSupportPack/ lenny/current non-free

A Few Basic Commands

The general syntax for the hpacucli command is a target followed by a command, with parameters given as [parameter=value]. But to do something useful like dump out all of the disks on the controller (I’ve only got one on my server) you’ll do something like this:

flihp@server:~$ sudo hpacucli controller slot=0 physicaldrive all show

Smart Array P400i in Slot 0 (Embedded)

   array A

      physicaldrive 2I:1:5 (port 2I:box 1:bay 5, SATA, 32.0 GB, OK)

   array B

      physicaldrive 1I:1:1 (port 1I:box 1:bay 1, SAS, 72 GB, OK)
      physicaldrive 1I:1:2 (port 1I:box 1:bay 2, SAS, 72 GB, OK)
      physicaldrive 1I:1:3 (port 1I:box 1:bay 3, SAS, 72 GB, OK)
      physicaldrive 1I:1:4 (port 1I:box 1:bay 4, SAS, 72 GB, OK)

   unassigned

      physicaldrive 2I:1:6 (port 2I:box 1:bay 6, SAS, 72 GB, OK)

So there are 6 disks attached to the controller. For this task I’m concerned with those that make up array B and the unassigned disk. This disk is the one that I wish to add as an online spare to array B. But first let’s dump some info about array B:

flihp@server:~$ sudo hpacucli controller slot=0 array B show

Smart Array P400i in Slot 0 (Embedded)

   Array: B
      Interface Type: SAS
      Unused Space: 0 MB
      Status: OK

That’s not very helpful … Let’s try something else. The documentation says something about logical drives so let’s try that:

flihp@www:~$ sudo hpacucli controller slot=0 array B logicaldrive all show

Smart Array P400i in Slot 0 (Embedded)

   array B

      logicaldrive 2 (136.7 GB, RAID 1+0, OK)

That’s what I wanted to see: the logical drives that are on array B. As you can see this is 136.7 GB and configured as RAID 1+0. This makes sense since it is a RAID 1+0 made up of 4 x 72 GB SAS drives. I’ve only allocated one logical drive on this array because I’m using LVM to create logical volumes in software. This is just how I like to do things. It may very well be faster and just as convenient to allocate more logical drives at the controller level but that’s another debate for another time. For now let’s stay focused on adding the unallocated disk as an online spare to array B.

Assigning an Online Spare

The specific syntax is spelled out in the manual I linked above. We’ve gathered all the necessary data for the command above and it looks like this:

flihp@server:~$ sudo hpacucli controller slot=0 array B add spares=2I:1:6

The target is controller slot=0 array B. This is the identifier for the array discussed above. The command is add spares which is pretty self explanatory. The last part is the identifier for the physical device we’re adding as a spare. If you scroll a bit up you’ll see that I got this identifier by asking the controller to dump info on all attached physical drives. If you want to see which drive this is on your system you can actually make the drive light on it flash which I thought was pretty cool (see the manual for details).

Executing the above command produced no output so you can either assume everything went as planned or you can check up on the array that we just modified:

flihp@www:~$ sudo hpacucli controller slot=0 array B physicaldrive all show

Smart Array P400i in Slot 0 (Embedded)

   array B

      physicaldrive 1I:1:1 (port 1I:box 1:bay 1, SAS, 72 GB, OK)
      physicaldrive 1I:1:2 (port 1I:box 1:bay 2, SAS, 72 GB, OK)
      physicaldrive 1I:1:3 (port 1I:box 1:bay 3, SAS, 72 GB, OK)
      physicaldrive 1I:1:4 (port 1I:box 1:bay 4, SAS, 72 GB, OK)
      physicaldrive 2I:1:6 (port 2I:box 1:bay 6, SAS, 72 GB, OK, spare)

Sweet! Now that extra drive is lined up to be a fail-over if one of the other drives in the array fails.
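Since the add spares command prints nothing, the only way to know the array is protected is to read the physicaldrive listing back. The script below is an added example (not from the original post) that parses that listing and reports, per array, whether a spare is assigned and whether any drive reports a status other than OK, so it can run from cron and complain when a spare is missing or a drive starts to fail. The SAMPLE text is constructed to match the output format shown above; on a real host pipe the hpacucli output into check_spares instead.

```shell
#!/bin/sh
# Constructed sample of "hpacucli controller slot=0 physicaldrive all show".
# Array B deliberately carries a spare and one drive in "Predictive Failure".
SAMPLE='Smart Array P400i in Slot 0 (Embedded)

   array A

      physicaldrive 2I:1:5 (port 2I:box 1:bay 5, SATA, 32.0 GB, OK)

   array B

      physicaldrive 1I:1:1 (port 1I:box 1:bay 1, SAS, 72 GB, OK)
      physicaldrive 1I:1:2 (port 1I:box 1:bay 2, SAS, 72 GB, Predictive Failure)
      physicaldrive 2I:1:6 (port 2I:box 1:bay 6, SAS, 72 GB, OK, spare)

   unassigned

      physicaldrive 2I:1:7 (port 2I:box 1:bay 7, SAS, 72 GB, OK)
'

# check_spares: reads the physicaldrive listing on stdin and prints one line
# per array: "<array> drives=<n> spare=<yes|no> bad=<m>". Exit status is 1
# when any array lacks a spare or has a drive whose status is not OK.
check_spares() {
    awk '
    /^ *array [A-Z]+/ { arr = $2; order[++n] = arr; drives[arr] = 0; spare[arr] = 0; bad[arr] = 0; next }
    /^ *unassigned/   { arr = ""; next }     # unassigned disks belong to no array
    /^ *physicaldrive/ && arr != "" {
        drives[arr]++
        # the status is whatever follows the size field, e.g. "OK" or "OK, spare"
        status = $0
        sub(/^.*GB, /, "", status); sub(/\)$/, "", status)
        if (status ~ /spare/) spare[arr] = 1
        else if (status != "OK") bad[arr]++
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            a = order[i]
            printf "%s drives=%d spare=%s bad=%d\n", a, drives[a], (spare[a] ? "yes" : "no"), bad[a]
            if (!spare[a] || bad[a]) rc = 1
        }
        exit rc
    }'
}

# Run against the constructed sample; a non-zero status means attention needed.
printf '%s' "$SAMPLE" | check_spares || echo "controller needs attention (exit $?)"
```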

What does acpi_fakekeyd do?

In setting up SELinux on my Laptop running Squeeze I’m taking a pretty standard approach. First off I’m working off the packages provided in Sid maintained by Russell Coker so most of the hard work has been done. There are a few programs, mostly specific to a laptop that still aren’t in the right domains. We can see this by dumping out the running programs and their domains:

ps auxZ

Determining the “right domain” for a process is a bit harder but there’s a pretty obvious place to start. No daemons should be running in initrc_t!

initrc_t is the domain given to scripts run by the init daemon. That’s pretty much any script in /etc/init.d. If a daemon is running in this domain after startup it likely means that there was no transition rule in place to put it into a domain specific to the daemon. I figured I’d take these on alphabetically and started with acpi_fakekeyd 🙂
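A quick way to do that audit without eyeballing the whole process list, as an added example (not from the original post): parse ps auxZ output, take the type from each process's context and list every process still sitting in initrc_t. The SAMPLE is a constructed ps auxZ listing in the Squeeze column layout; on a real host run ps auxZ | initrc_daemons instead.

```shell
#!/bin/sh
# Constructed ps auxZ output: acpid already transitioned to apmd_t, while
# acpi_fakekeyd and anacron were left in initrc_t by their init scripts.
SAMPLE='LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t:s0     root         1  0.0  0.1   2028   680 ?        Ss   08:00   0:01 init [2]
system_u:system_r:apmd_t:s0     root      1402  0.0  0.1   2104   512 ?        Ss   08:00   0:00 /usr/sbin/acpid
system_u:system_r:initrc_t:s0   root      1455  0.0  0.0   1988   420 ?        Ss   08:00   0:00 /usr/sbin/acpi_fakekeyd
system_u:system_r:initrc_t:s0   root      1510  0.0  0.2   6540  1840 ?        S    08:00   0:00 /usr/sbin/anacron -s
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 flihp 2001 0.0 0.3 5120 2600 pts/0 Ss 08:05 0:00 -bash'

# initrc_daemons: reads ps auxZ on stdin and prints "PID EXECUTABLE" for each
# process whose SELinux type (third field of user:role:type[:level]) is
# initrc_t. Exit status is the number of such processes, so 0 means clean.
initrc_daemons() {
    awk '
    NR == 1 { next }                          # skip the ps header line
    {
        split($1, ctx, ":")
        if (ctx[3] == "initrc_t") { print $3, $12; found++ }
    }
    END { exit found + 0 }'
}

# domain_summary: one "type count" line per SELinux type, for a quick overview
# of where everything else landed.
domain_summary() {
    awk 'NR > 1 { split($1, ctx, ":"); n[ctx[3]]++ }
         END { for (t in n) print t, n[t] }' | sort
}

printf '%s\n' "$SAMPLE" | domain_summary
printf '%s\n' "$SAMPLE" | initrc_daemons || echo "$? daemon(s) still in initrc_t"
```

Each path the audit prints is a candidate for the relabel-or-new-module treatment described in the rest of this post.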

A policy for acpi_fakekeyd

All of the power management stuff like acpid runs in the apmd_t domain so the first thing I tried was running acpi_fakekeyd in this domain. You can go through the trouble of adding the path /usr/sbin/acpi_fakekeyd to the apmd_t policy module, rebuilding it and reloading it (which really isn’t that hard these days) or you can take a shortcut like so:

echo "system_u:system_r:apmd_exec_t:s0" | sudo attr -S -s selinux /usr/sbin/acpi_fakekeyd

This sets the label on the executable such that when init runs the start up script, the daemon will end up in the apmd_t domain.

Once the label is set you can restart the daemon using run_init, assuming your user is in a domain that can run init scripts (unconfined, admin etc). If all goes well the daemon will end up running in the right domain. I then did what I thought was exercising the domain to see if it would cause any AVCs. This required sending the daemon a few characters using the acpi_fakekey command directly as well as putting my laptop to sleep and into hibernation (see the /etc/acpi/sleep.sh script). There weren’t any AVCs so I concluded the apmd_t domain had all of the permissions that the fakekey daemon needed. I was wrong but we’ll get to that.

acpi_fakekeyd in its own domain

I was really expecting a few denial messages so I decided to put acpi_fakekeyd into its own domain with no privileges. The idea was to see some AVCs and to get a feeling for what exactly the daemon does.

The policy module I whipped up is super simple:

acpi_fakekeyd.te

policy_module(acpi_fakekeyd, 0.1)

########################################
#
# Declarations
#

# the process domain and the type for the daemon's executable
type acpi_fakekeyd_t;
type acpi_fakekeyd_exec_t;
# init transitions to acpi_fakekeyd_t when it executes a file labelled acpi_fakekeyd_exec_t;
# no other rules, so anything the daemon does should show up as an AVC
init_daemon_domain(acpi_fakekeyd_t, acpi_fakekeyd_exec_t)

acpi_fakekeyd.fc

/usr/sbin/acpi_fakekeyd --      gen_context(system_u:object_r:acpi_fakekeyd_exec_t,s0)

No interfaces yet so the acpi_fakekeyd.if file was empty.

After restarting the daemon, checking it’s in the right domain and exercising my ACPI system … there still weren’t any AVCs! Obviously I’m missing something so a bit of research turned up this bug report which explains pretty much everything.

acpi_fakekeyd deprecated

To save you a bunch of reading it turns out that toward the end of the discussion thread (about 8 months after the initial post) it’s identified that the functionality of acpi_fakekeyd is deprecated in kernels after 2.6.24. It seems that the functionality should instead be provided by an in-kernel driver which my laptop (ThinkPad x61s) has.

So why is this daemon installed and running? If I disable it my laptop ACPI still works fine. But the acpi_support package which is required to put my laptop to sleep depends on the acpi_fakekey package. This is likely because the scripts provided by acpi_support call the acpi_fakekey application for backwards compatibility on some systems. This doesn’t make much sense to me though since Squeeze ships with a 2.6.32 kernel.

The answer to the question I pose as the title of this post is: It doesn’t do anything on my system. I don’t even need to have it running so I just shut it off. Problem solved I guess, and from a security perspective this is an even better solution than running it in its own SELinux domain. If it’s not running, it can’t do any damage. I’d rather be able to remove the package completely though.

Does anyone out there have a laptop that requires this daemon? I’m tempted to file a bug against the package … Anyway on to the next daemon 🙂

SELinux on Squeeze Laptop

I’ve been meaning to play around with the SELinux packages in Squeeze for a while now. Over this past weekend I finally got started. Russell Coker maintains these packages and you can find them on his website under the SELinux tag.

The Debian package for the policy is quite nice. The post install script even enumerates the installed packages and attempts to load the necessary policy modules. This is, of course, limited by a mapping in the post-install script that manually maps SELinux policy packages to the packages installed through dpkg. This will likely be difficult to maintain over time and was the source of the first bug that I ran into.

I’ve written in the past about playing around with the racoon daemon so I’ve got the ipsec-tools and racoon packages on my laptop. The selinux-policy-default post install script however was missing the mapping between the ipsec policy package and the Debian packages. 10 minutes of reading the script was enough to whip up a one-line patch even though I’ve never written a line of perl in my life. Russell picked up the patch and … problem solved!

There’s probably lots of little bugs like this lurking in the policy package most of which won’t be discovered until it’s installed on lots of different systems and configurations (servers, desktops, laptops etc). The Debian community in general doesn’t seem very interested in SELinux so this is probably a very good place to make some contributions. More to come.

Barnes and Noble Customer Disservice

Even though I’ve got an ebook reader I’m still on the look-out for a new one since the technology is moving so fast and new features seem to hit the market regularly. There’s no way I’m buying a Kindle because they don’t support the ePub format and that’s what the local library is using. I ran into a friend at the bar the other day and she started showing off her Nook. She couldn’t say enough good things about it so I thought I’d go down to the local Barnes & Noble to see if the sales person could convince me to shell out $150 for one.

Requirements

The criteria I’m using in my eBook reader search are pretty simple:

  1. Lots of ebook format support. Specifically PDF, ePub and plain text (txt) are necessities.
  2. Display that isn’t back-lit. ePaper gets extra points but isn’t a requirement.
  3. MUST render some obscure PDF formats well. Specifically articles from scientific journals / conferences (like ACM and IEEE) are a must.

That’s a pretty short list. I don’t care if it’s got a 3G connection (frankly I’d rather it not). WiFi and a web browser would be nice but since these devices aren’t very powerful yet I’d rather it not have a browser than have a crappy one. The requirement that’s really hard to meet is that last item on the list. For the interested reader a good example of such a document would be a paper by Bryan Parno, Jonathan M. McCune, and Adrian Perrig titled “Bootstrapping Trust in Commodity Computers.” This was published by IEEE and is supplied in their required format.

I read tons of papers like this so having a reader that renders them well is essential. So I took a trip down to the Barnes & Noble on Erie Blvd in Syracuse to see if I could get the sales person to let me try a Nook out and load up a paper in this format. Everyone reading this probably knows how badly this was destined to turn out and so did I. But hell, I’m not going to shell out that kind of money without knowing whether or not it can render the documents I read daily.

The Shopping Experience

So I walk into B&N and walk up to the Nook display. There’s a bunch of floor models, both the black and white model and the color one. Since the color model is back-lit I took to the black and white one. The interface was very easy to figure out and in a minute or two I was searching the web for an IEEE formatted publication to download.

First big strike against the Nook was a web browser that can surf web pages but can’t download PDFs. WTF?!? Why would you put WiFi on a device if it can’t download content from the web? If it can download books from the B&N online store why can’t the browser download a PDF (other than for the reason of cutting into B&N’s bottom line)?

Ok I wasted 10 minutes playing with the browser to no end but at least I found this glaring shortcoming in the Nook. Not a deal breaker though so I got in line to talk to the one guy servicing customers at the Nook display. He was pretty frazzled because there were no less than 8 people waiting for him to help them. As we were standing around I learned that only myself and one other person were there to buy a Nook. A number of them had updated the firmware on the device and now couldn’t open books they’d previously purchased or had devices that were bricked outright.

After kicking around for a half hour the sales guy got some backup and there were 3 people working the line. Eventually I got to the guy behind the counter and described what I had tried on the display model. Obviously he knew that I wouldn’t be able to download the PDF directly and he instructed me to “side load” the document onto my Nook instead. It took me a few minutes to explain that I didn’t own a Nook YET but that I wanted to buy one after seeing how it rendered this specific PDF. “The books we sell on-line are PDFs so it renders them fine” he tells me but I’m insistent that I want to see it render an ACM or IEEE formatted publication because they’re a two column format with graphics integrated. He got a very skeptical look on his face like I was trying to trick him or something. This is a bad sign.

After a few moments of contemplation he proclaimed “I can’t help you”. I’m pretty sure the look on my face at this point was one of shock. He was standing next to a computer but he couldn’t load up a PDF for me to see it on the device. “Wait a minute” I say, “the ability to load PDFs on to the Nook is an advertised feature but you can’t show it doing this?”. I may have been pushing it but this seems like a reasonable request to me especially since I’m considering buying one of these things. His response seemed to me like a car salesman showing someone a car, starting it up but refusing to let the prospective buyer drive it.

I’m not quite giving up at this point but I can see where this is going. In a last ditch effort I point out the close proximity of the computer and the Nook (which he was holding at this point). All of the necessary parts are there if only he’d hook them up! He wasn’t budging though. Finally I ask if he really can’t help me or if he just won’t help me … and that marked the end of our conversation. Yeah I got testy with that last line but seriously, I’m not asking for anything too far out of the box am I?

Conclusion

Needless to say I didn’t buy a Nook even though I really wanted to. The Nook may actually render these documents perfectly but I wouldn’t know. As someone who’s pretty tech-savvy I’m having to face the reality that the questions I ask seem completely unreasonable to most sales people. Well thanks to Barnes & Noble and their unhelpful sales staff I’m getting the hint: buy your stuff online after doing the research yourself.

I guess in the case of B&N this isn’t surprising since their staff generally is accustomed to shelving books and helping people find the books that they just put on the shelf. They’re pretty much librarians … next time I’ll ask the kid working at the Starbucks they have in the B&N for help.

Update
I floated the same question to the Barnes & Noble Nook forum. The users there are much better than the B&N sales staff and in about 20 minutes I had a responder that was willing to download the USENIX sample paper and report back on how his Nook rendered it.

Sadly enough the paper crashed his Nook. Luckily he didn’t report any permanent damage. My Aluratek Libre gets confused by the two column format but only when there are graphics on the page that are full page width mixed in with the two column text. It doesn’t crash though it just scales the full page to fit the screen. The text is so small that it’s pretty much illegible though. Oh well, I guess I’m waiting for the next generation of ebook readers.

Thruxton 900 Ceramic Exhaust

It’s a new year. I’m not one for resolutions but something I always aim to do is put up more info on the mods I’ve made to my 2004 Thruxton 900. Last time I posted it was about the chrome T100 engine covers I picked up. In those photos the exhaust was off because it was away getting a ceramic coat from a local guy a buddy of mine recommended. As promised (if a bit late) here are the photos of his work:

The contrast between the two photos above is pretty dramatic. They look even better on the bike:

The exhaust clamp covers had some large blemishes when I picked them up. The guy at Affordable Powder Coating in Cato N.Y. was cool and fixed ’em up for me without any hassle.

I’m very happy with the way this turned out. It didn’t cost much and the pipes run super cool too. After running for nearly an hour I can stop and touch the tail of the muffler and it’s almost cool enough to hold on. I wish I had a dyno run from before and after so I could be sure of the horse power difference but I can really feel it.

So this isn’t much of a DIY post since removing and replacing the exhaust is just a few bolts and a little grease. Helps to have an extra set of hands to fit the pipes through the frame too. The photos sure are nice though … they’ve got me longing for riding weather in a bad way.