Category Archives: RHEL

SELinux and FreeNX

[Note added in August 2011: Be sure to read the comment by Dan Walsh. There is a simpler solution]

When you attempt to connect to a remote machine using freenx, you might encounter this message:

The NX service is not available or the NX access was disabled on host XXX.

This is likely due to SELinux blocking the connection. If you are using QtNX, it just hangs without any message.  Here is how to solve the issue.

(1) Disable auditd.

service auditd stop

(2) Rename /var/log/audit/audit.log or move it somewhere else.

(3) Enable auditd

service auditd start

(4) Try connection from the client. It will fail. This writes the audit.log file.

(5) Generate SELinux policy rules from the log file and install it.

cat /var/log/audit/audit.log | audit2allow -M freenx
semodule -i freenx.pp

(6) You can see the policy by reading the .te file.

cat freenx.te

module freenx 1.0;

require {
type nx_server_var_lib_t;
type sshd_t;
class file read;
}

#============= sshd_t ==============
allow sshd_t nx_server_var_lib_t:file read;

(7) Now, try connecting from the client again. It will fail again. Repeat the steps (1) to (5) using ‘freenx2’ instead of ‘freenx’.

(8) You will most likely need to repeat the process yet one more time until the connection finally succeeds. So, once again repeat the steps (1) to (5) but this time using ‘freenx3’ instead of ‘freenx’.

If you look at the policy files generated, you will find what was added by each action.

Go green with newer AMD processors

Not long ago, Steve, one of the founders of the ELRepo project, built new systems with the AMD II X4 Phenom processor. After hearing his positive comments, I replaced my old desktop with a new one equipped with a Phenom cpu.

Steve soon noticed that the machine consumed more power when it was running CentOS compared to when running Fedora. Turns out that, in CentOS, there is no per-core control — meaning when the system needs a higher processor power, all cores will shoot up to the maximum frequency. In Fedora, each core gets attenuated independently.

This issue was noted by a CentOS forum user, AlexAT, here. He not only reported it in the upstream bugzilla but came up with a fix later.

Using the patch provided by AlexAT, we built a kernel module kmod-powernow-k8 and released it through ELRepo. After installing kmod-powernow-k8, Steve saw that the system was now measured drawing ~110W at idle from the wall outlet, similar to the power consumption observed under Fedora 10 and under CentOS 4.7. So without kmod-powernow-k8 installed, the system was consuming ~40W (36%) more power at idle and the core temperature was running 8-10°C hotter than with kmod-powernow-k8 installed, making this a very environmentally friendly kmod.

So, if you have newer Opterons, the Phenoms or Phenoms II (or Kuma core Athlons X2), you should give this driver a try. Also, you would want a backported AMD K10 core temperature monitor driver module (kmod-k10temp) from ELRepo.

Let’s go green!

ELRepo project

It all started in the CentOS forums.

CentOS, being an Enterprise Class Linux distro, may not have support for new hardware, especially those found in desktops and laptops. CentOS forums get many postings from users who are looking for drivers that are needed for their network device, webcam, etc. In fact, googling for “driver” and “centos” yields much more hits from the forums than the mailing list as shown in my earlier blog.

Alan Bartlett who has been actively helping in the forum has strong background in the kernel and its modules and has been building, whenever possible, a driver module each time he sees a cry for help. In a fairly short period of time, quite an impressive number of such kernel modules were built this way and it was growing.

Because these drivers were designed to be independent of the kernel version (kABI-tracking, kABI = kernel application binary interface), they survive kernel updates. Also, they can be used in RHEL and all its rebuilds, not just CentOS. So, it was a good idea to make them available to wider communities. NedSlider proposed to establish a repository for that purpose. The ELRepo project was thus started by five members of the CentOS / Scientific Linux community.

A little more details of ELRepo can be found in the Ned’s recent blog.

yum — when all is not all

A while ago, I was talking with my buddies and the subject was about installing / updating a package using yum.  yum did not find the package that had just been added.  No problem, either yum clean metadata or yum clean all will do.  Err … it didn’t. 

As it turned out, it didn’t work because the repository in question was disabled by default.  The man page for yum clearly states:

Note that "all files" in the commands below means "all files in 
currently enabled repositories".   If you  want  to  also clean  any 
(temporarily)  disabled  repositories you need to use --enablerepo=’*’ 
option.

Getting rid of Suspend on a desktop machine

For some reason, my desktop gnome menu had a “Suspend” option.  It was right under the “Log out …” option in the System dropdown menu.  One day, when I meant to click on the “Log out” option, my mouse went too far and I ended up selecting this “Suspend” option.

After struggling for the next few minutes, I gave up and rebooted the machine to come out of the suspended state.

The Suspend option should not have been there to begin with.  Anyway, it was time to remove it.  Fortunately, that was as easy as typing [1]:

gconftool-2 --type boolean --set /apps/gnome-power-manager/can_suspend false

Likewise, if you want to get rid of the Hybernate option,

gconftool-2 --type boolean --set /apps/gnome-power-manager/can_hibernate false

[1] http://magazine.redhat.com/2008/05/30/tips-and-tricks-how-do-i-remove-the-suspendhibernate-entries-from-the-system-menu-in-the-gnome-panel/

Strip it – but not all of it

My first encounter with kernel modules was when my systems running Fedora Core 5 started crashing after the kernel update to 2.6.18.  Long story short, it was due to a bug in the cifs kernel module which was fixed after more than 100 e-mail exchanges with samba developers.  The problem was solved, but there was something I never understood; the patched cifs module I built was much larger than the distro’s.  This is always true.  A custom-built version can be more than 10-times larger than its counter part in the distro kernel.

I never pursued this issue until the other day when wolfy and Ned started a conversation on IRC about this size difference.  It is not due to stripping because the distro version is “not stripped” and, in fact, if you strip it the module no longer loads.

Then later, Alan asked in his clever voice, “have you checked the options to strip?  It might be that a total strip is verboten but a selective strip works?”

That was it! 🙂

I tried a strip --strip-unneeded command and that reduced the size of my module file to something close to the distro’s AND the file remained “not stripped“.  Soon after, Ned found the --strip-debug option does the trick, too.  This is probably what is used when the kernel is built and modules compiled.

Mystery solved.

Clean that Inbox

Like many other people, I use Linux as a backup server.  The other day, I noticed that daily incremental backup of one of the Windows machines was well over 1 GB even on the day the user was mostly idle.  The only thing the user was doing was … e-mailing.  Aha! (heard the bell?)  It must be that inflated Inbox.

Mozilla-based mail clients like Thunderbird and Seamonkey mail do not physically remove messages that user deletes.  Instead they are only tagged “deleted”.  This is true even after the Trash folder is emptied.  The [supposedly] deleted mails get [really] deleted when Inbox (or any folder for that matter) is compacted.

I went to the blasted machine and did just that and the Inbox went from > 1 GB to a fraction of its original size.

Of course, this is not just Windows.  Huge mail folders can potentially cause trouble and also degrade the performance of the client.  The best strategy to prevent this is to set up an automatic clean up.  In Thunderbird, go to Edit -> Preferences -> Advanced -> Network & Disk Space and then enable the “Compact folders when it will save over…KB” option.

Getting kino to work on CentOS-5

One of the many things I use Linux for at work is to edit movies.  No, not that kind of movies you are thinking about … this is strictly for science work.  Anyway, the first step is to transfer video from a camcorder connected through a firewire port using kino.  I am doing this on a machine running Fedora Core 6.  I attempted to do the work on a CentOS-5 box.  However, going to the capture mode on kino produces an error:

*raw1394 kernel module not loaded or failure to read/write .....

Long story short, this is a known issue, and the kino web site offers a couple of workarounds. I am going to summarize a CentOS version of these workarounds.

Method 1 — requires a kernel from the centosplus repository

(1) Edit /etc/modprobe.d/blacklist-firewire and comment out blacklist firewire-ohci
(2) Reboot
(or run modprobe firewire-ohci to achieve the same without reboot)
(3) Connect the camcorder
(4) Step (3) creates /dev/fw? (? = 0, 1, etc). Change the owner to the logged-in user.
(5) Start kino and go to Capture. Press the Capture button.

Method 2 — Use if Method 1 does not work

(1) Install ieee1394 from the ATrpms repository. Refer to the CentOS Wiki Repository article for the instruction.
(2) Download the kmod-ieee1394 package frpm the ELRepo repository and install it using the rpm -Uvh command. There is no need to reinstall this kernel module upon kernel update.
(3) Download packages libraw1394_8 and libraw1394 from my collection and install them as in (2).
(4) Edit /etc/modprobe.d/blacklist and add these lines:
blacklist firewire_core
blacklist firewire_ohci
(5) Reboot
(6) Chenge the ownership of /dev/raw1394 to the logged in user.

More about colors – thunderbird

While we are talking about colors …

As you know, thunderbird has gobs of options you can play with. I usually do not care much about how it looks and just use the default settings. The only thing I have done was to change the background color of sub-windows.

Thunderbird in color

Thunderbird in color

This was easily done by editing the userChrome.css file in ~/.thunderbird/xxxxxx/chrome/ .

#folderPaneHeader,
#folderTree treecol,
#folderTree
{background-color: #ccf !important;}

#acctCentralGrid
{background-color: #cfc !important;}

#threadTree treecol,
#threadTree
{background-color: #fcc !important;}

#msgHeaderView,
#attachmentList
{background-color: #cfc !important;}

#folderpane_splitter,
#threadpane-splitter,
#attachment-splitter
{background-color: #00d !important;}

Socks proxy with auto-config

OpenSSH has built-in support to act as a SOCKS proxy. In my case, there are web sites I can access only from work computers and I need to get to them from home. So, I issue the command from my home computer:

ssh -D 1080 my work IP

However, I do not want to redirect all traffic through work.  Fortunately, you can redirect only selected URLs fairly easily by using a proxy auto-config file.

In firefox, Go to Edit -> Preferences -> Advanced -> Network -> Settings

In the Connection Settings box, select “Automatic proxy configuration URL:” and enter:
file:///path/to/proxylist.pac
The proxylist.pac file may look like this:

function FindProxyForURL(url, host)
{
// Proxy direct connections to these hosts
if (
shExpMatch(url, "http://www.jbc.com/*") ||
shExpMatch(url, "*.sgmjournals.org/*") ||
shExpMatch(url, "http://www.ncbi.nih.gov/*")
) {
return "SOCKS localhost:1080; DIRECT";
}
// Otherwise go directly
else return "DIRECT";
}

For more details on the pac file and auto config, see
http://en.wikipedia.org/wiki/Proxy_auto-config