My Debian packages are now available at debian.ejohansson.se instead of eddie.ejohansson.se. Please update your /etc/apt/sources.list to point to the new location.
Site moved to Host Gator
I decided to move my site from my own server to Host Gator. So far I’m very pleased with them. I’ve been in contact with the support two times and I’m very pleased. It only took a few minutes to get in contact with a real person and a few minutes more to have my issue resolved. Excellent support so far!
I’m also liking the cPanel software that’s used to administer sites at Host Gator (and many other hosting companies). It is really useful and easy to use. I used it to set up this WordPress installation.
I’m currently in the process of moving content from the old site. The look is still that of a default WordPress installation, but I’ll probably get around to fixing that later.
Camillas Matuppror
This entry is different from what I usually write about, but I just wanted to point any Swedish reader to Camillas Matuppror.
I believe it is a human right that Swedish children, the sick and the elderly should get to eat their fill every day of good food, prepared with care and close to those who will eat it. It benefits both our health and the environment if together we can break the trend toward industrial food in institutional kitchens and in grocery stores.
(English summary: She wants Swedish children, sick, and elderly people to get good, locally produced food. I agree with her.)
Web security
LWN has an interesting article on web security. Linked from that article is another interesting blog entry: Hardened stateless session cookies by the guy that discovered the latest WordPress vulnerabilities.
Back to catching up on LWN issues…
SELinux and mail() in PHP
Since I upgraded my server and activated SELinux I haven’t gotten any emails from WordPress when people post comments on this blog (that’s why it has taken me so long to approve comments). Today I decided it was time to look into the problem.
It turned out that the problem was related to the following message that I’ve been seeing in my log:
avc: denied { execute_no_trans } for pid=972 comm="apache2"
name="bash" dev=hda1 ino=26110
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
The mail() function in PHP (which is what WordPress uses to send the notification mail) is implemented using popen(3). When you call mail(), PHP executes popen("sendmail …", "w"). This ends up with a call to "sh -c sendmail …", which explains the log message.
The solution was to allow execute_no_trans for httpd:
allow httpd_t shell_exec_t:file execute_no_trans;
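An added example, not code from the original post: a small Python parser that turns AVC denials like the one quoted above into candidate allow rules, merging permissions per source type, target type and class. The log lines are constructed (the first is the post's denial joined onto one line; the second, with the hypothetical comm="post-commit", mirrors the var_run_t rule in the mysvn.te module elsewhere on this page), and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the post's denial joined onto one line, a made-up
# second denial, and a "granted" record that must be ignored.
SAMPLE_LOG = (
    'avc: denied { execute_no_trans } for pid=972 comm="apache2" name="bash" '
    'dev=hda1 ino=26110 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file\n'
    'avc: denied { search } for pid=980 comm="post-commit" name="run" '
    'scontext=user_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=dir\n'
    'avc: granted { read } for pid=1 comm="init" '
    'scontext=a:b:init_t:s0 tcontext=a:b:etc_t:s0 tclass=file\n')

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\w+)")

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % context)
    return fields[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # "granted" records and non-AVC lines are skipped
            continue
        key = (context_type(m.group("scon")), context_type(m.group("tcon")),
               m.group("cls"))
        denials[key].update(m.group("perms").split())
    return dict(denials)

def allow_rules(denials):
    """One allow rule per (source, target, class), permissions merged."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ %s }" % " ".join(plist)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(collect_denials(SAMPLE_LOG))))
```

Treat the output as candidates to review rather than rules to load as-is: execute_no_trans means the shell is executed without a domain transition, so it keeps running in httpd_t with everything Apache is allowed to do.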
++git;
Like all the other cool kids, I’ve also started experimenting with git, the version control system used by many, most notably the Linux kernel developers.
As a test I converted my program that enables the volume knob on Dell USB keyboards. You can find it on my gitweb site.
There is also the SELinux policy module I blogged about in my previous post, and a new one that I had to write to get gitweb to work. Getting gitweb to work also required the git repositories to be properly labelled:
semanage fcontext -a -t httpd_sys_script_ro_t '/home/git(/.*)?'
restorecon -Rv /home/git
Some day I need to figure out the correct syntax for putting file contexts in the policy module.
SELinux, Subversion and mod_svn
After upgrading my server (from Debian Sarge to Debian Etch) I decided to enable SELinux. After reading some documentation (besides Debian’s basic setup documentation I can recommend Fedora’s SELinux wiki and especially this presentation) I got the basic setup working. Getting Subversion to fully work required a few extra steps. For your convenience and my memory I’ve listed them below.
1. Turn on httpd_builtin_scripting and httpd_enable_cgi. Turning on httpd_builtin_scripting gives httpd_t (i.e. apache) permission to read and write files marked httpd_sys_script_rw_t. This is needed for commits to work. Turning on httpd_enable_cgi gives httpd_t permission to execute scripts (marked httpd_sys_script_exec_t), something which is needed for hooks to work.
# setsebool -P httpd_builtin_scripting=1
# setsebool -P httpd_enable_cgi=1
2. Set the proper security context on the files in the repository. Assuming that all repositories are located under /home/svn, the following commands will do the job. Also make sure that the user apache is running as (e.g. www-data) has read access to the repository and write access to the directories dav and db (this is the script I use for that).
# semanage fcontext -a -t httpd_sys_content_t '/home/svn(/.*)?'
# semanage fcontext -a -t httpd_sys_script_rw_t '/home/svn/[^/]+/(dav|db)(/.*)?'
# semanage fcontext -a -t httpd_sys_script_exec_t '/home/svn/[^/]+/hooks(/.*)?'
# restorecon -Rv /home/svn
3. Make sure selinux-policy-refpolicy-dev is installed.
4. Create the directory mysvn. In that directory, create the file mysvn.te with the following contents:
policy_module(mysvn,0.0.1)

require {
    type httpd_t;
    type shell_exec_t;
    type httpd_sys_script_t;
    type var_run_t;
};

# If hooks are shell scripts, apache must be able to run a shell. The
# hooks will run in httpd_sys_script_t.
allow httpd_t shell_exec_t:file rx_file_perms;

# For some reason the scripts search /var/run
allow httpd_sys_script_t var_run_t:dir search;
5. Then run:
# make -f /usr/share/selinux/refpolicy-targeted/include/Makefile
# semodule -i mysvn.pp
The mysvn policy module is needed because hooks are normally shell scripts. For apache to be able to run them it must be able to run a shell. Once the scripts have started, they run in the httpd_sys_script_t domain.
Google apps (and gmail) gets IMAP support
It was somewhat expected that Google would do it sooner or later, and now they’ve done it! The only thing I was missing from the otherwise excellent service that I’m using for my email at ejohansson.se: IMAP. Thank you Google!
Licq 1.3.5 final
The final release of Licq 1.3.5 was just announced.
From the release notes:
- Save the “Send through server” option to disk.
- Fixed bugs that caused Licq to leak memory.
- Fixed a bug where Licq would crash on authorization requests from new users.
- Added code (disabled by default) to help find locking issues that could cause Licq to hang and fixed the bugs that were discovered.
- Made Licq buildable with GCC 4.3.
- Updated autotools and friends.
- Use gdb if it’s installed to generate a better backtrace if Licq crashes.
- Display a dialog informing the user how to report the bug in case Licq crashes.
- ICQ: Fixed sending capabilities.
- ICQ: Fixed setting security settings (Require authorization, Show web presence).
- Qt/KDE: New emoticons theme FeltTip4.
- Qt/KDE: New “Date format” option for customizing date and time in message and history windows.
- Qt/KDE: The local time of contacts can be displayed in contact list and popup information.
- Qt/KDE: Made the history layout configurable.
- Qt/KDE: New option to use double return instead of Ctrl+Return for sending and in input dialogs.
- Qt/KDE: Skins can now set a separate background color for group headings in the contact list (parameter colors.groupBack).
- Qt/KDE: Tabs in chatdialog can be closed by middle clicking on them.
- Qt/KDE: Removed all Qt2 support.
- Qt/KDE: Open links in a new tab when using Opera.
- Qt/KDE: Made the standard group names translatable.
- Qt/KDE: Added %M modifier to print number of pending messages (if any).
- Qt/KDE: Popup information shows if contact is not authorized yet.
- Qt/KDE: Floaties are now saved properly for non-ICQ contacts.
Download and enjoy!
Licq 1.3.5-rc1
The first release candidate is now available. See the announcement and read the release notes. And don’t forget to report all bugs you find.