I love SELinux (part II)

June 25th, 2008

So yesterday’s post apparently got a little interest – mostly positive, insomuch as it’s realized that there are a few issues. But wait! There’s more! Call in the next 10 minutes and we’ll super extra double size your order!

Tonight, I decided to install a virtual machine containing a copy of the latest experimental Ubuntu (that’s known as “Ubuntu unstable”). To do this, I decided to install Hardy Heron via a CD image (bootstrap via ISO) and then perform an upgrade to the experimental release (dist-upgrade using apt). I downloaded a CD image from the MIT Media Lab using Firefox, then fed this into virt-manager. It failed, with a nice backtrace.

Now, this would seem to be the kind of activity that many people would want to undertake. Downloading images, booting them inside a virtual machine manager, and then using the resultant virtual machine image. But more than just that, what I wanted to do wasn’t exactly rocket science – skip the virtualization bit if that makes you think this is complex, I’m just talking about downloading a CD image and using it somehow.

The reason this activity failed was because of the SELinux configuration. The CD image Firefox had downloaded was in a temporary file download context, living in my Download directory, whereas virt-manager is not allowed to read from this kind of file until you’ve blessed it with a magical incantation of chcon. So, in this case, the “Microsoft Windows Vista” approach to security won out – get in the way so much that the user is quickly driven to distraction and inclined to turn it off. As I am, almost. After precisely one day of using SELinux in enforcing mode on a laptop (which has an encrypted disk and is only used by me) I’m about ready to throw it away…I’d hate to be an end user trying to manage this stuff.

No, this isn’t just like moving to UNIX permissions and groups. With the former, everything is well documented and widely understood already, but more importantly, there are nice tools to manage them. For example, right clicking on the file in the graphical file management application (nautilus) allows one to do many things, including viewing the SELinux context, but not actually changing this. I can’t find a nice pretty way for users to do this without having to grep through the policy files (to find out what the context should be) and then run other commands from the console. The point is, it’s a bit early in the game to have such complex policies with crazy numbers of contexts if users can’t easily manage this stuff. They need to be able to fix the problem too.

I tried to stop always blaming SELinux for everything by forcing myself to actually use it, but I’m beginning to regret this decision.

Jon.

On hitting cows, and credit card rental coverage

June 24th, 2008

So as you may know, I hit a cow back in May, on a remote back road in Arizona. Not exactly the plan du jour. Now comes the fallout, the dealing with credit card companies, rental car companies, and my auto insurance too.

I hit a cow. Big deal. It was big, bovine, and rather unhappy, but we were ok and so was the cow. The car, however, was not so happy. But the Sheriff’s deputy in Mohave County, Arizona was very helpful, we got on our way (the car was driveable), and Hertz were reasonably friendly about the situation. I called American Express immediately, as well as Hertz, and we had a nice little chat about getting the claims process in motion. All seemed to be well.

Fast forward a few weeks, I’m back in MA, it’s raining and I’m far away from the Best Coast. I’m also wondering what this unmarked check for $500 is when, a day or two later, a “final settlement letter” comes from AMEX. They’ve decided that, because I have auto insurance too, they’ll be super friendly and nice and only give me $500 towards the $2554.26 worth of damage. After all, I have auto insurance and why should they pay more than the deductible? I mean, this isn’t Europe (where trading standards would force them to more adequately disclose this fact), and I should be happy to take the $500 and call my auto insurance.

So I called my auto insurer just now and started the whole process again. Meanwhile I’m left wondering whether I should just have paid the out of pocket expense, vowed never to use the credit card coverage again, oh, and perhaps reminded readers of the following:

Credit card rental coverage only covers your deductible

There. Now, hopefully at least a few of you will suddenly wonder whether you’ve been misled and reconsider taking out the rental insurance next time they offer – do you really want your premium to get hit like a flying cow?

Jon.

I love SELinux

June 24th, 2008

So I just love SELinux these days. It’s so easy to use, clearly grandmothers everywhere should be using it to admin their systems.

I used to think SELinux was just a government inspired masturbatory exercise in protecting systems from themselves. Complex policies could be created (where, usually, only a minimal policy protecting actual likely attack vectors would suffice) and hours upon hours could be wasted figuring out the optimal number of possible context types to use on any given system.

Recently, I upgraded some machines to Fedora 9. And as part of that, I decided that I would, for once, run in enforcing mode by default. Rather than just be able to get on with whatever I wanted to do, I decided to protect myself from myself and my own actions. And this has already paid off. For example, tonight, I did the following:

*). Create a new filesystem.
*). Mount on /virt.
*). Just add KVM.

I ran virt-manager to create a new VM in /virt/Rawhide.img, which went ok until virt-manager repeatedly generated unpleasant backtraces. Why was it complaining that it couldn’t open the file it had just created? Then I noticed the AVC denials. My shiny new filesystem had no labels on it, which meant that files were being labelled with the default file_t, etc. A quick diversion into reading SELinux policy, brushing up on a half dozen tools, and it was obvious that all I was missing was the following:

sudo chcon -t virt_image_t /virt/Rawhide.img

All I had needed was a simple change of context to virt_image_t (because all virt images always obviously live in the same place, nobody could ever possibly want to do what I just did) and then a quick restart of virt-manager. I could also have helpfully followed the advice of the AVC tool, rebooted my system and instructed it to relabel. That’s not inconvenient advice at all, that’s just ease of use. Or so friends who’ve spent any time in Redmond, Washington might tell me.
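Both this post and the follow-up (the Download directory case) come down to the same triage: read the AVC denial, see which type the file actually carries, and relabel. As an added example that is not part of the original post, the shell script below parses a denial line, pulls out the source and target types, and prints the persistent fix (a file-context rule plus a relabel) rather than the one-off chcon from the post. The audit line is constructed for this example; the path /virt, the image name and the types file_t and virt_image_t come from the post, while the source type qemu_t and the process name qemu-kvm are assumptions. Nothing here executes chcon, semanage or restorecon, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: triage an SELinux AVC denial
# of the kind described above and print the persistent fix for it.
# Only parsing and printing happens here; no labels are changed.

# Constructed sample audit line (not a real log). The path /virt, the
# image name and the types file_t / virt_image_t come from the post;
# the source type qemu_t and comm="qemu-kvm" are assumptions.
SAMPLE_AVC='type=AVC msg=audit(1214358000.123:45): avc:  denied  { read write } for  pid=4321 comm="qemu-kvm" name="Rawhide.img" dev=dm-3 ino=12 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

# avc_field LINE KEY: value of the key=value pair named KEY, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE: the permissions listed between the braces after "denied".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix DIR WANT HAVE: print the persistent relabel for a directory
# of images whose files carry type HAVE instead of WANT.
# The post's one-off fix (chcon -t WANT FILE) does not survive a relabel;
# a semanage fcontext rule is what restorecon and a full relabel consult.
suggest_fix() {
    dir=$1; want=$2; have=$3
    if [ "$want" = "$have" ]; then
        echo "ok: $dir already labelled $have"
    else
        echo "semanage fcontext -a -t $want '$dir(/.*)?'"
        echo "restorecon -R -v '$dir'"
    fi
}

# triage_avc LINE DIR WANT: one-line summary of the denial, then the fix.
triage_avc() {
    line=$1; dir=$2; want=$3
    comm=$(avc_field "$line" comm)
    name=$(avc_field "$line" name)
    perms=$(avc_perms "$line")
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    echo "$comm ($stype) was denied { $perms } on $name, which is labelled $ttype"
    suggest_fix "$dir" "$want" "$ttype"
}

# Example run against the constructed denial:
triage_avc "$SAMPLE_AVC" /virt virt_image_t
```

On a real Fedora box the denial lines come from /var/log/audit/audit.log or from `ausearch -m avc`, and `ls -Z` shows the label a file currently carries. The point of printing a semanage rule instead of a chcon is that a freshly created filesystem like /virt has no policy entry at all, so any label set by hand is undone the next time the system relabels; recording the rule is what makes the fix stick.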

Ok. Even I can’t take my own sarcasm any more in this post. So, let me just cut to the chase and say it. SELinux annoys me every bit as much as it did when I first tried it about a decade ago, and I refute the notion that Linux distributions should be inflicting complex policy upon unsuspecting users. SELinux should instead be used to protect specific system services that are likely to be used by remote attackers – web services, file servers, and the like.

To me, distributions should save complex policy for optional spins and products targeted at the “security paranoid types”. But I shall leave it turned on for now, because I want to understand just how “misguided” I’ve been all these years turning it off the very first chance I get.

Jon.

non-Best Coast Surfing – Part Deux

June 15th, 2008

Photo: Jon Masters, living with East Coast waves.

So I went surfing again yesterday at Nauset Beach, on the Cape (Cod). It more or less worked, although the surf was hardly West Coast, but it was still fun nevertheless.

I advertised on Facebook in case anyone wanted to come along for the ride, and my friend Kara was interested, so we headed out around 9am. I had wanted to leave at 7:30, but was dragged to, shall we say “a venue” by some friends celebrating a bachelor party last night…and that went longer than planned. I didn’t drink (I’m not really drinking much alcohol at the moment), but I was tired first thing and didn’t want to be exhausted before I tried hitting the beach. In any case, we got the beach before lunch.

After dropping my friend off, I went over to Pump House to pick up a board for the afternoon. This time, I was able to simply stick it in the passenger seat, and strap the board in using a tie attached to the headrest. Thus I achieved my long-desired goal of driving around in my convertible with the top down, playing cheesy music, with a surf board sticking out of the passenger seat. As long as you don’t need the full range of the hand brake (US: park brake) – and goodness knows nobody here ever uses that anyway – and drive carefully, it’s safer than attaching it to the soft top, and less noisy. It also looks cool.

Once changed into my swim shorts and full winter-safe Atlantic rated wetsuit, I discovered the water to be much more pleasant than the last time. Not warm exactly, but not really cold either, and the sun was out too. It was a nice afternoon to be on the Cape. There were waves, few and far between, and not as powerful as one would like. But I was able to catch quite a few and just about stand a few times. I’ve concluded that bodyboarding is pretty easy, but full-scale surfing on the Cape is a skill that I’m going to really have to work on. Some people were able to make a lot more of the waves than I, however, so I know it’s possible.

Jon.

America: It’s “a saving” not “a savings”

June 15th, 2008

Dear America,

It is with regret that I must inform you that you have been using an incorrect spelling for some time now. The word is “saving”, not “savings”, “a savings” or other variances thereof.

People who know me know that I will generally defend Americanisms and Americani[sz]ation of the English language. After all, all languages undergo changes over time, and substituting a “z” for an “s” in every other word won’t actually result in the death of many kittens. But baby kittens do die every time someone talks about “a savings of 29.95”. It’s “a saving of” and “Daylight Saving Time”, not “a savings of” and never ever “Daylight Savings Time”. It is appropriate to use “a savings account” (since one has multiple savings in such a container), however, but don’t worry yourselves about that until you start persistently getting the first usage right in everyday situations.

I don’t expect the US to learn how to spell overnight, but if I see one more commercial today getting this wrong, I’m going to go nuts. The (commercial) TV has, therefore, been turned off for the evening.

Jon.

On being vegetarian – 6 weeks and counting

June 7th, 2008

So I’ve been completely vegetarian for a little over 6 weeks now (somewhat arbitrary since I hadn’t eaten any meat for years, and hadn’t had much seafood prior to making the big switchover). Anyway, after 6 weeks, here’s an update on my progress. Read on for some interesting statistics on meat and vegetable production, too.

I feel even more healthy than at any time in the past. Aside from having the flu this week (unrelated – I was hanging around with several others who came down with it), I generally feel that I have more energy and it’s positively benefiting my ongoing weight loss too (tantalizingly close to being permanently under 160lbs now). I’ve pretty much given up milk too (though that’s only when there’s a choice of soy – or whenever I can supply my own soymilk, or take my coffee home and add it here), I don’t eat much cheese in general (I can usually count the occurrences thereof), although I do still eat eggs from time to time, and haven’t killed dairy entirely.

Anyway, I’ve decided that I made the right judgement call. For a variety of (mostly animal welfare and ethical) reasons I decided I had to do this, even though I used to love the taste of lobster, salmon, and had a Legal Seafoods addiction. I don’t regret that and I’ve decided the vegetarian lifestyle is enticingly excitingly me. Once I’m done with the weight loss (at least another 10lbs, down to 150lbs), I’m really looking forward to experimenting with all kinds of recipes. For the moment, my daily food intake is carefully controlled – yesterday, I consumed:

* 2 small 97% fat free burritos, 500 kcal.
* 2 glasses of Orange Juice.
* 1 packet of Strawberries
* 1 packet of Blackberries
* 1 packet of Olives
* 3 Cups of Decaf Coffee, with soymilk.
* Several glasses of soymilk

That’s a pretty typical day at the moment. I try to eat less in the way of burritos and more in the way of fruit (some days I largely eat just fruit, and vegetables). I sometimes eat Olives, sometimes have a salad, sometimes have a craving for Red Kidney Beans at 11pm and go to Stop and Shop to buy a can. Other times I have an insatiable need to eat lots of corn (UK: sweet corn) late at night, which also results in an emergency trip to a store (usually on the way home from the gym – saves an otherwise excessive trip in the car). It’s not a cheap lifestyle, however, since it would be far cheaper to eat crap than having fresh fruit.

I get all the main food groups. I eat avocados, salad, fresh crunchy carrots, and various additional sources of protein, especially if I’m going to the gym. Though I’m trying to cut down on the powder shakes (haven’t had any in weeks) and those kcalorie-loaded $5 smoothies that they have in the gym. I discovered heymarket recently, and will also be looking into the CSA opportunities available – I’m not sure I want to commit just yet, while I’m on a very restricted diet, perhaps saving that until I’m down to 145-150lbs and feeling like being more adventurous.

Anyway, I promised some statistics. Tonight, I watched my first BBC America version of the popular British “Newsnight” show (UK: “programme”), which is a variant of the nightly UK version, recut for the US market (though with segments that use terminology many Americans won’t understand – not much is lost in the translation here though), and I guess is only a once-a-week affair. Tonight’s show had some interesting justifications for why the world might benefit if everyone were to go vegetarian – or at least follow more of a vegetarian diet – in terms of natural resources saved. I’m not advocating that everyone reading this rush out and make the switch, but I thought you might find these figures interesting.

It takes 8.9 square metres of land to produce 1kg of pork, 20.9 square metres of land to produce 1kg of beef, and only 0.3 square metres of land to produce 1kg of vegetables. At the same time, it will take 7kg of grain to produce 1kg of beef, and 10,000 litres of water for that same 1kg of beef. It will, however, only take 1,000 litres of water to produce the grain. That’s 10 times less water.

World consumption of meat has risen sharply over the past few decades. At the beginning of the 1980s, annual consumption was at 136 million tonnes. But by 4 years ago, consumption had risen to over 260 million tonnes. It hardly seems to be linear growth either, if you look at the charts. This means that we’ve doubled the resource burden placed on the world in order to produce all of these plastic packaged, regular geometrically-shaped meat-based products.

Jon.

non-Best Coast Surfing

June 2nd, 2008

So I went non-Best Coast (aka East Coast) surfing for the first time this weekend, at Nauset Beach, near Orleans, which is a few miles from Hyannis.

I got into surfing last year after my initial crash diet down from being fat Jon, as part of Brave New Jon. My ex-girlfriend happens to come from a quiet beach town filled with surfing types (San Buenaventura – more popularly known as “Ventura”), and so whenever I would go there to make myself miserable (rather a lot, as it happens), I’d try distraction in the form of surfing. I’m not a good surfer (I can barely do very much yet at all), but I understand the mechanics, have been a few times, and know enough to be dangerous on my own. And practice makes perfect.

Fast forward to this weekend. A mutual friend had decided to throw a random party down on the Cape, which conveniently coincided with me wanting to try proper non-Best Coast (East Coast) surfing for the first time, which is useful. I stayed over Friday night, hung out and drank the Raspberry wine that Andrew and Emilie had given me the week before, and then drove from Brewster over to the Pump House Surf Shop on 6A in time for 10am(ish).

Photo: Soft top rack

Pump House Surf Shop is actually pretty cool, if not a little annoying several miles from the actual beach. But they do great board rentals ($20 per day), and the guy who owns the shop is friendly enough. They also rented me a soft top rack for my MX5, which allowed me to strap a short board to the roof (I won’t really be able to use a long board and transport it with my car, but I can live with that), and drive down to the beach. I wouldn’t want to drive any further than that with a surf board strapped to the roof – one hears rumbling the whole time, and I’m not entirely convinced the soft top would enjoy the experience at 65mph.

Photo: Jon Masters, as “surfing dude”

Having proven that the concept is possible – driving from Cambridge down to the Cape, renting a board, physically attaching it to my car, and actually getting out into the ocean, the waves weren’t particularly great. But that’s ok, since I wasn’t expecting wonders this particular weekend. It was more about proof of concept, testing water temperature (you don’t want to go out into the Atlantic ocean without a 5mm wetsuit like mine, and be careful about getting cold – I managed a couple hours), this kind of thing. I shall endeavor to go more often this summer.

Jon.