07 January 2010 @ 10:53 am
The article I wrote for LWN on writing ACPI drivers is now available for free.
 
 
06 January 2010 @ 04:01 pm
I have been personally accountable for the Fedora Project's budget for the past four years, and in that time I have tracked every penny that the Fedora Project has spent on community building worldwide, travel for contributors, marketing, etc.

After much consideration, I have determined what would be for me the optimal process for these matters.

(1) At the beginning of the quarter, the budget Red Hat gives me for that quarter is handed to me in the form of a check, which is deposited into a separate bank account used for nothing but Fedora.

(2) Cards that can draw from that account are created, and handed to trusted members of the community worldwide. We also have the ability to do direct bank transfers in order to pay bills, etc.

(3) We all work together to get people, goods, etc. in the right place at the right time, so that the Fedora Project can do everything that it needs to do.

(4) At the end of the quarter, I produce a pile of receipts. The total of those receipts, plus any unspent money, should equal the original amount given at the beginning of the quarter. I justify the manner in which the money was spent, and demonstrate how it all provides value back to the Fedora Project.

If everything is acceptable, goto (1). If there are issues, Red Hat fires me for malfeasance.

This would be so much more simple. Alas, life is not a pony farm.
 
 
Current Location: raleigh, nc
 
 
06 January 2010 @ 12:23 pm
I often get asked how many processes are confined with SELinux. 

In RHEL4 we estimated around 15.
In RHEL5 we estimated around 200.

Well, there is a cool tool called seinfo (setools package) that allows you to query the installed policy for attributes and types, as well as other policy features. In SELinux, every process type has an attribute associated with it called "domain".

A good estimate of the number of different confined processes is to count the number of types with the domain attribute.

seinfo -adomain -x | tail -n +2 | wc -l
513


Note: I am removing the first line because it lists the attribute name.

Not all domain types are confined. If we want to look at the number of unconfined domains, we can use the unconfined_domain_type attribute.

seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
52

Unconfined Domains
bootloader_t        devicekit_power_t           ldconfig_t            unconfined_cronjob_t  unconfined_sendmail_t
setfiles_mac_t      initrc_t                    ada_t                 fsadm_t               kudzu_t
lvm_t               mdadm_t                     mono_t                rpm_t                 wine_t
unconfined_mount_t  prelink_t                   anaconda_t            rpm_script_t          system_cronjob_t
tmpreaper_t         samba_unconfined_net_t      unconfined_notrans_t  unconfined_execmem_t  devicekit_disk_t
firstboot_t         samba_unconfined_script_t   unconfined_java_t     unconfined_mono_t     httpd_unconfined_script_t
depmod_t            insmod_t                    kernel_t              livecd_t              apmd_t
clvmd_t             crond_t                     inetd_t               init_t                udev_t  virtd_t
xend_t              nagios_unconfined_plugin_t  devicekit_t           remote_login_t        inetd_child_t
qemu_unconfined_t   unconfined_t                ricci_modcluster_t    useradd_t             xserver_t


If you disable the unconfined policy package, which I recommend, this leaves only user domains unconfined, along with some domains that do not make sense to confine (anaconda, firstboot, kernel, rpm).

# semodule -d unconfined
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
14

Unconfined User Domains
unconfined_sendmail_t  rpm_t                 unconfined_mount_t  anaconda_t         rpm_script_t
unconfined_notrans_t   unconfined_execmem_t  firstboot_t         unconfined_java_t  unconfined_mono_t
kernel_t               livecd_t              qemu_unconfined_t   unconfined_t


You can disable all unconfined domains by disabling the unconfineduser module.

# semodule -d unconfineduser


Note: You need to set up all your users as confined users before removing the unconfineduser module.
Disabling the unconfined and unconfineduser policy modules is the equivalent of what we used to call strict policy.

One other interesting category is permissive domains. Permissive domains can be listed with the --permissive qualifier.

# seinfo --permissive -x | tail -n +3 | wc -l
31

Permissive Domains
gitd_session_t             smoltclient_t             kdumpgui_t  sandbox_xserver_t       prelink_cron_system_t
abrt_helper_t              firewallgui_t             corosync_t  asterisk_t              dnsmasq_t
plymouth_t                 chrome_sandbox_t          nut_upsd_t  plymouthd_t             ksmtuned_t
nagios_checkdisk_plugin_t  nagios_services_plugin_t  abrt_t      clogd_t                 gitd_t
kdump_t                    tgtd_t                    tuned_t     nagios_system_plugin_t  nut_upsmon_t
rgmanager_t                certmonger_t              sectoolm_t  chronyd_t               nut_upsdrvctl_t
vhostmd_t

A couple of other interesting statistics.

Total number of file types.

seinfo -afile_type -x | tail -n +2  | wc -l
1630


In order to get the number of allow rules, you need to use sesearch

sesearch --allow | wc -l
225042


Dontaudit Rules

sesearch --dontaudit | wc -l
106021
 
 
05 January 2010 @ 04:01 pm
Every time I demonstrate sandbox to someone, they say, "That's great, but can it do X, Y and Z?"

I have taken those suggestions, along with some great patches from Josh Cogliati, and updated the sandbox tool.

New Features:

> man sandbox

SANDBOX(8)                       User Commands                      SANDBOX(8)

NAME
       sandbox - Run cmd under an SELinux sandbox

SYNOPSIS
       sandbox  [-l level ] [[-M | -X]  -H homedir -T tmpdir ] [-I includefile
       ] [[-i file ]...] [ -t type ] cmd
...
       -M     Create a Sandbox  with  temporary  files  for  $HOME  and  /tmp,
              defaults to sandbox_t

       -H homedir
              Use alternate homedir to mount.  Defaults to temporary. Requires
              -X or -M.

       -T tmpdir
              Use alternate tempdir to mount.  Defaults to temporary. Requires
              -X or -M.

...
       -l     Specify the MLS/MCS  Security  Level  to  run  the  sandbox  in.
              Defaults to random.
...

Several people asked for a permanent homedir and tmpdir, rather than blowing them away when you exit. We added -H and -T qualifiers to allow you to specify a homedir and/or tmpdir that sandbox will use and leave intact when it completes.

For example you can use

mkdir /tmp/myweb ~/myweb
sandbox -X -T /tmp/myweb -H ~/myweb -t sandbox_web_t firefox danwalsh.livejournal.com


Then you can download any content, setup bookmarks ... and the sandbox will not remove them when you are done.   If you later run a command with the same sandbox homedir and tmpdir, the content will be there. 

sandbox -X -T /tmp/myweb -H ~/myweb -t sandbox_web_t firefox danwalsh.livejournal.com

You could use similar sandbox commands for games: the sandbox would stop any rogue game from attacking your system, but you would still be able to save your levels.

Note: You would not be able to run two sandboxes at the same time with the same homedir.  Unless ....  Read on.

I met Stephen Smoogen at the Fedora Summit and he asked if we could use sandbox with MLS environments.
I added a -l option to sandbox which allows you to select the MCS/MLS level you wish to run at.

sandbox -X -l TopSecret ooffice ~/MySecrets.odf

This should work on an MLS X station. It would run an X session at TopSecret, running OpenOffice on a copy of MySecrets.odf.

If you combine this with selection of levels, you can start to do stuff like

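mkdir ~/homedir_TopSecret /tmp/tmp_TopSecret
# label both directories at the TopSecret level (-l sets the level; -t would set the type)
chcon -l TopSecret ~/homedir_TopSecret /tmp/tmp_TopSecret
# -H and -T mount them as the sandbox's homedir and tmpdir
sandbox -X -l TopSecret -H ~/homedir_TopSecret -T /tmp/tmp_TopSecret xterm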


And now you are running an xterm at TopSecret on permanent files that are TopSecret. I actually like this better than Xace, but that is for another blog.

Note:  Fedora 12 has not been certified for LSPP, but you should be able to run MLS policy on it.

MLS is not required; you can also specify an MCS domain and the tool will still work. This allows you to run two sandboxes at the same time with the same homedir/tmpdir.

Finally, we added the -M option, which allows non-X sandboxes to run with temporary or permanent storage.

Depending on the sandbox, you might have to add more privs to the SELinux types in order to get them to work. For example, I think we need a sandbox_games_t type. Anyone want to take a stab?

sandbox_x_domain_template(sandbox_games)

Will get you started.

Now if we could only get re-sizable Xephyr, or at least allow the user to specify the sandbox X window size.
 
 
04 January 2010 @ 07:16 pm
So I learned about SSHFP records at FUDCon and decided to implement them for some of our externally facing sites like cvs.fedoraproject.org, fedorapeople.org and git.fedorahosted.org (and others).

What is an SSHFP record? It's an SSH host key fingerprint in DNS, so you can verify that the key is correct. For example you can run:

$ dig SSHFP git.fedorahosted.org

Which will get you:

git.fedorahosted.org. 85975 IN SSHFP 2 1 DE382873ABE19B40AEFE714D686E15E16EAD5177
git.fedorahosted.org. 85975 IN SSHFP 1 1 A843ECED826C2F0075888150E89AE4567CD37D7F

So how can you use this information? Set VerifyHostKeyDNS to yes in your ssh_config (see man ssh_config for more info, but you'll probably want to place it in your ~/.ssh/config file).
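
The comparison behind that setting, as an added example that is not part of the original post: it parses the two records shown above and checks a server key against them, with fields read per RFC 4255 (algorithm 1 = RSA, 2 = DSA; fingerprint type 1 = SHA-1 of the public key blob). The function names and the stand-in key are assumptions made for illustration.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255), keyed by the type field of a public key line.
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2}
FP_SHA1 = 1  # fingerprint type 1 = SHA-1, the only type in the records above


def parse_sshfp(dig_output):
    """Return {(algorithm, fp_type): hex fingerprint} from dig answer lines."""
    records = {}
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[2] == "IN" and fields[3] == "SSHFP":
            # dig may split long fingerprints into groups; join them back.
            records[(int(fields[4]), int(fields[5]))] = "".join(fields[6:]).upper()
    return records


def fingerprint(pubkey_line):
    """SSHFP (algorithm, fp_type, hex digest) for a 'type base64 [comment]' line."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    return KEY_ALGORITHMS[key_type], FP_SHA1, hashlib.sha1(blob).hexdigest().upper()


def host_key_matches(dig_output, pubkey_line):
    """True only if DNS publishes a record for this key type and it matches."""
    alg, fp_type, digest = fingerprint(pubkey_line)
    published = parse_sshfp(dig_output).get((alg, fp_type))
    return published is not None and published == digest


# The two records shown above for git.fedorahosted.org.
PAGE_RECORDS = """\
git.fedorahosted.org. 85975 IN SSHFP 2 1 DE382873ABE19B40AEFE714D686E15E16EAD5177
git.fedorahosted.org. 85975 IN SSHFP 1 1 A843ECED826C2F0075888150E89AE4567CD37D7F
"""

# Constructed stand-in for a key offered by a server; NOT the real host key.
CONSTRUCTED_KEY = "ssh-rsa " + base64.b64encode(b"constructed key blob").decode()

if __name__ == "__main__":
    print(parse_sshfp(PAGE_RECORDS))
    # A key whose fingerprint is not the published one is rejected.
    print(host_key_matches(PAGE_RECORDS, CONSTRUCTED_KEY))
```

A match is only as trustworthy as the DNS answer itself: OpenSSH trusts a matching fingerprint implicitly only when the lookup is DNSSEC-validated, and otherwise handles it as if VerifyHostKeyDNS were set to ask.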
 
 
04 January 2010 @ 09:38 am
I have used some free time during the holidays to completely revamp my Fedora add-on repository available at http://fedora.danny.cz/danny/ that contains some packages already submitted for review in Fedora, new experimental versions of packages already existing in Fedora and also some packages I find useful. It used to be based on manual work - build packages with mock, place them in proper directories, run createrepo and finally sync to my hosting space. Now I have switched to a Koji based setup where Koji takes care of building the package for all release/arch combinations exploiting Koji's external repository feature, the resulting rpms are signed with my GPG key using the sign_unsigned.py script borrowed from Fedora infrastructure, mash is used to produce installable repositories and only the "sync to hosting" step is still the same :-)

The infrastructure plan for the next weeks is to start building packages also for RHEL/CentOS + EPEL. Also a switch from building from source rpms to building from SCM would be nice. And in the content I want to build newer versions of Tryton for releases that carry older versions - like versions 1.2 and 1.4 for EL and 1.4 for Fedora 12.

And finally how to use it - as user install the danny-release package from http://fedora.danny.cz/danny/. If you want to join me as packager write a comment here or send me an email (sharkcz at fedoraproject dot org).
 
 
31 December 2009 @ 09:44 pm
Finally vpost delivers the Fonera 2.0n I ordered online. Earlier this week, I was surprised to receive a letter (yes, paper mail) from SingPost that my Fon was being held at Singapore Customs pending approval to import from IDA. The letter had the names of the IDA folks to contact. I sent them an email and they came back promptly that they are OK with the device. I sent a PDFed copy of the letter to the IDA officer, who printed it out, stamped it saying that there are no objections, and PDFed it back. Thankfully I had cc'ed SingPost during all the correspondence, and voilà, I get an email from SingPost that the delivery will be sent to my house. Wow! All done by email, PDFs and with literally zero hassle. I do hope that SingPost would be able to check with IDA on these devices beforehand to see if there are any issues before going through the paces, but, as in any good story, the ending is happy.

Now I am a happy owner of a brand new Fonera 2.0n and I can now deploy at home. Welcome, 2010!
 
 
30 December 2009 @ 04:35 pm
Thanks to Xournal, you can now annotate any PDF and export it out to a new PDF. This is excellent for filling in forms, note taking, keeping a journal, writing using a stylus etc. I have just experimented with it on my newly minted Fedora 12 machine and it just worked wonderfully. My setup has a Genius G-Pen 340 pen tablet plugged in via a USB port and it just all worked seamlessly. Kudos to all who make this happen!
 
 
30 December 2009 @ 04:06 pm
I was disappointed that the Brother DCP-135C is not within the CUPS database. However, kudos to Brother, they do make drivers available on their website.

I have the USB version of the printer/scanner/fax machine and I had to download the drivers from DCP-135C. Pick the 32-bit or 64-bit rpms as needed.

What I did was to download the LPR, cupswrapper drivers, then went to scanner section and downloaded the brscan2 and scan-key-tool rpms.

With the 4 rpms downloaded, I switched to a terminal and:

yum install brscan2-0.2.5-1.i386.rpm brscan-skey-0.2.1-3.i386.rpm \
  dcp135ccupswrapper-1.0.1-1.i386.rpm dcp135clpr-1.0.1-1.i386.rpm --nogpgcheck


I hope Brother will set up a proper repo so that these can be done automatically!
 
 
28 December 2009 @ 12:30 am
Filed in BZ: https://bugzilla.redhat.com/show_bug.cgi?id=550651

Just updated Chromium via Spot's page using yum update for Fedora 12. SELinux permission issues on three libraries. Need to grant permission to SELinux to run the following:
#!/bin/sh
chcon -t textrel_shlib_t '/usr/lib/chromium-browser/libmedia.so' 
chcon -t textrel_shlib_t '/usr/lib/chromium-browser/libnacl.so' 
chcon -t textrel_shlib_t '/usr/lib/chromium-browser/libsandbox.so'
#to make the change permanent 
semanage fcontext -a -t textrel_shlib_t '/usr/lib/chromium-browser/libmedia.so' 
semanage fcontext -a -t textrel_shlib_t '/usr/lib/chromium-browser/libnacl.so' 
semanage fcontext -a -t textrel_shlib_t '/usr/lib/chromium-browser/libsandbox.so'
#

Put those 6 lines above in a script, run it and chromium should work thereafter.

BTW, Chromium was from:
[chromium]
name=Chromium Test Packages
baseurl=http://spot.fedorapeople.org/chromium/F$releasever/
enabled=1
gpgcheck=0
 
 
 
 
