Tuesday, January 27, 2009

SELinux is preventing npviewer.bin .. unconfined_t

I have to say that SELinux on Fedora 10 and media playback via Firefox is just a pain in the ass. At a minimum, SELinux will keep you from listening to audio from YouTube or Vimeo, and at most, it will completely lock you out from viewing videos on sites that use the Flash plugin.

In the setroubleshoot message browser, you'll see messages like this:
SELinux is preventing npviewer.bin (nsplugin_t) "destroy" unconfined_t.
SELinux is preventing npviewer.bin (nsplugin_t) "getattr" unconfined_t.
SELinux is preventing npviewer.bin (nsplugin_t) "read write" unconfined_t.
SELinux is preventing npviewer.bin (nsplugin_t) "unix_read unix_write" unconfined_t.


You can always solve this by disabling SELinux entirely. Of course, that's the easy way out, so I figured I'd be a good system administrator and investigate how to allow the Flash plugin to execute while keeping SELinux running. I consulted the Fedora project documentation to find out what the hell to do in order to allow Flash to work in Firefox:
http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385

What To Do
If you have this problem, you need to resolve it by allowing npviewer.bin to do its thing. Thus, you need to relax the SELinux policies for npviewer.bin. This boils down to a few steps:
1) pull out the most recent policy violations in /var/log/messages or /var/log/audit/audit.log
2) create a policy exclusion to allow npviewer.bin to run unimpeded by SELinux
3) compile the policy as a module
4) create a policy package
5) load the policy into the kernel

Detail
1 & 2) audit2allow both pulls the policy violation information out of your log file and formats it into a Type Enforcement (.te) file. The Type Enforcement file is the basis for policy exclusions.

As my audit log had the SELinux denials listed in it, I ran this command:
[sodo@ogre ~]$ sudo audit2allow -m local -l -i /var/log/audit/audit.log > local.te

The result of that command was the Type Enforcement file. The .te file looks like this:
module local 1.0;
require {
type unconfined_t;
type nsplugin_t;
class sem destroy;
class shm { write unix_read getattr unix_write associate read };
}
#============= nsplugin_t ==============
allow nsplugin_t unconfined_t:sem destroy;
allow nsplugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };


You can see the last few lines look suspiciously like the entries in the setroubleshoot browser, especially the verbs: write, unix_read, getattr, unix_write, associate, read, etc.

3) Compile the policy
The following command compiles the .te file:
[sodo@ogre ~]$ checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 8) to local.mod


4) Create a policy package
[sodo@ogre ~]$ semodule_package -o local.pp -m local.mod

5) Load the policy into the kernel
[sodo@ogre ~]$ semodule -i local.pp

If you try to load the policy as a non-privileged (not root) user, you get this error:
[sodo@ogre ~]$ semodule: SELinux policy is not managed or store cannot be accessed.
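To show what audit2allow is doing in steps 1 and 2, here is a small Python script I've added (not code from the post or from the audit2allow project): it reads AVC denial records from audit.log, groups the denied permissions by source type, target type and object class, and writes the same kind of .te file shown above. The audit lines are constructed samples in the kernel's record format; the rules_to_review helper is my own addition, listing rules that target unconfined_t so you can read them before loading the module.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (same domains/classes as the post's .te file).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1233084000.101:201): avc:  denied  { destroy } for  pid=4101 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=sem
type=AVC msg=audit(1233084000.102:202): avc:  denied  { getattr } for  pid=4101 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
type=AVC msg=audit(1233084000.103:203): avc:  denied  { read write } for  pid=4101 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
type=AVC msg=audit(1233084000.104:204): avc:  denied  { unix_read unix_write } for  pid=4101 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
type=AVC msg=audit(1233084000.105:205): avc:  denied  { associate } for  pid=4101 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
type=SYSCALL msg=audit(1233084000.105:205): arch=c000003e syscall=29 success=no exit=-13 comm="npviewer.bin"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
                    r"scontext=\w+:\w+:(?P<stype>\w+).*?"
                    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)")

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL, PATH and other record types carry no AVC verdict
            denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(denials)

def fmt(perms):
    perms = sorted(perms)  # single permission bare, several in braces
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(module_name, denials):
    """Emit a .te module in the shape audit2allow -m produces."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())] + ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(denials.items())]
    return "\n".join(out) + "\n"

def rules_to_review(denials):
    """Rules whose target is the unconfined domain widen what the confined
    plugin may touch in the user's session; read these before semodule -i."""
    return [key for key in sorted(denials) if key[1] == "unconfined_t"]

if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(render_te("local", found))
    print("review before loading:", rules_to_review(found))
```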

These steps should ensure that your Flash plugin will run unimpeded on your wonderful new Fedora 10 system!

Hooray!

Reference
Fedora Core 5 SELinux FAQ
SELinux: allowing AVC denials

Tuesday, January 20, 2009

sound via RDP

I was working today but wanted to listen to Obama's inauguration speech. I noticed my Remote Desktop (RDP) client session was configured to play sound:
Under Local Resources, Remote Computer Sound was set to "Bring to this computer."

But sound via the terminal services connection was not working. Reading up on this very nice Win2K3 tutorial site:
http://www.visualwin.com/Audio-Mapping/

I saw that I was missing the server side configuration. What you want to do is open up the Terminal Services Configuration applet (either under Control Panel -> Administration -> Terminal Services Configuration or Start -> Run -> tscc.msc) and select Properties on the RDP-Tcp connection.


Therein, select the Client Settings tab and, under the "Disable the following" section, uncheck Audio Mapping. In order for the new setting to take effect, once you uncheck this setting you'll have to log off and log back on to your remote server.


Et Voila! You'll have sound through your RDP session!

Go Obama!

Saturday, January 17, 2009

VMware clone and IIS 6.0 SSL problem

Yesterday, we cloned our first virtual machine running Win2K3 that uses IIS 6.0 and runs multiple websites via separate IP addresses. The clone process went smoothly: the new VM was assigned a new IP address and hostname and the IWAM and IUSR accounts and permissions migrated to that new machine name. However, during testing, we encountered a problem with the SecureBindings in the IIS metabase.

Because this VM had multiple websites in IIS configured, the SecureBindings setting in the IIS metabase (c:\windows\system32\inetsrv\metabase.xml) kept the old IP address information that was configured in the source VM. I'm not sure if this is caused by VMware or IIS, but the solution is to manually edit SecureBindings in IIS to point the website's SSL to the correct IP.

MS Article on Editing the Metabase
