Amavisd and SELinux

A friend of mine recently ran into an issue with a CentOS 6 box when trying to start amavisd. He knew it was SELinux related because the audit log had the following message in it:

 

type=AVC msg=audit(1313917627.065:3081): avc:  denied  { name_bind } for  pid=28695 comm="amavisd" src=10026 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavisd_send_port_t:s0 tclass=tcp_socket

 

Usually SELinux issues boil down to a file or a port not having the correct security context (a labelling problem, fixed with restorecon or semanage). In this case that is not true.

 

If you look at the part of the message that starts scontext= you will see amavis_t: this is the type in the security context of the source, the process that generated the message.

 

If you look at the part of the message that starts tcontext= you will see amavisd_send_port_t. This is the type of the target, the port (src=10026 is the port number amavisd was trying to bind).

 

So both the process and the port already have the correct security contexts. This means that all that is missing is a policy rule saying "a process of type amavis_t may name_bind a tcp_socket to a port of type amavisd_send_port_t".

 

So let's walk through fixing it.

 

Grab the denial line from the audit log (/var/log/audit/audit.log) and save it in a file called avc.txt. Next run the following (-r adds the require block that a standalone module needs):

 

audit2allow -i avc.txt -r

 

This will generate the following output:

 

require {
        type amavis_t;
        type amavisd_send_port_t;
        class tcp_socket name_bind;
}

#============= amavis_t ==============
allow amavis_t amavisd_send_port_t:tcp_socket name_bind;

 

Let's put this into a file called amavisdlocal.te, with a module declaration as its first line (checkmodule expects a loadable module to start with one):

module amavisdlocal 1.0;

Let's compile our module:

 

checkmodule -M -m -o amavisdlocal.mod amavisdlocal.te

 

Next, package the compiled module with semodule_package:

 

semodule_package -o amavisdlocal.pp -m amavisdlocal.mod

 

Finally, let's insert our new module (this needs root):

semodule -i amavisdlocal.pp

Once this is inserted it is stored in the policy store, so it is loaded each time the machine boots. Restart amavisd and the AVC denial should be gone.
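As an added example (not code from the original post), the script below re-implements in plain sh what audit2allow -M does for a single AVC record: it pulls the source type, target type, object class and permission out of the denial and emits the module declaration, require block and allow rule that the steps above compile and load. The denial line is the one quoted in the post; the module name amavisdlocal and the 1.0 version are assumptions chosen to match the file names used above.

```sh
#!/bin/sh
# Added example, not part of the original post: a minimal sh equivalent of
# `audit2allow -M amavisdlocal` for one AVC record, so the mapping from the
# denial message to the generated policy is explicit.
# Assumptions: module name "amavisdlocal" and version 1.0 (to match the post);
# everything else is derived from the AVC line.

# Constructed input: the denial quoted in the post.
AVC='type=AVC msg=audit(1313917627.065:3081): avc:  denied  { name_bind } for  pid=28695 comm="amavisd" src=10026 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavisd_send_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of KEY=value in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permission list between "denied {" and "}",
# e.g. "name_bind" or "read write" (surrounding spaces stripped).
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level
# (field 3 even for MLS levels such as s0-s0:c0.c1023).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te NAME LINE: emit loadable-module source (.te) that allows exactly
# the denied access: module declaration, require block, allow rule.
# Permissions are always written in braces; audit2allow drops the braces
# for a single permission, which is equivalent.
avc_to_te() {
    name=$1
    line=$2
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    class=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\n' "$name"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$stype" "$ttype" "$class" "$perms"
    printf '#============= %s ==============\n' "$stype"
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$class" "$perms"
}

# Usage: write the policy source, then build and load it as in the post:
#   avc_to_te amavisdlocal "$AVC" > amavisdlocal.te
#   checkmodule -M -m -o amavisdlocal.mod amavisdlocal.te
#   semodule_package -o amavisdlocal.pp -m amavisdlocal.mod
#   semodule -i amavisdlocal.pp
avc_to_te amavisdlocal "$AVC"
```

The point of deriving the rule mechanically is that it stays as narrow as the denial itself: one source type, one target type, one class, one permission. Read the rule before loading it; if a denial mentions a broad type such as port_t or a permission like execmem, relabelling the object is usually the right fix rather than allowing the access.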

 

It's rare that you need to write a policy tweak; usually changing the security contexts is enough. Before allowing a denial, make sure the access is something the daemon legitimately needs (here, amavisd listening on its own port) rather than a symptom of mislabelling. Note also that audit2allow -M amavisdlocal -i avc.txt would generate the .te, run checkmodule and semodule_package for you, leaving only the semodule -i step. Hopefully this shows you that it's not actually so hard to write a policy module by hand.

 

Till next time

 

Ade

 

Veggie Dinners in Edinburgh

I'm working in Edinburgh next week so I thought I'd take a look and see what veggie restaurants are in the area. Seems I'm spoiled for choice.

 

Black Bo's

57–61 Blackfriars Street, Edinburgh, EH1 1NB

A blue neon sign draws you from the Royal Mile to this retro joint with its neighbouring bar. Inside, the harlequin chequered floor, mock columns and bentwood chairs are animated by flickering candles and amber light. An alcove where a small party can…

www.black-bos.com/

 

David Bann

56–58 St Mary's Street, Edinburgh, EH1 1SX

This reputable establishment is Edinburgh's long reigning king of vegetarian dining, with brilliantly executed dishes and carefully selected wine list. The minimalist décor is atmospheric and timeless, the claret and slate tones enhanced by subtle spot…

www.davidbann.com

 

Henderson's Bistro

25 Thistle Street, Edinburgh, EH2 1DX

The autumn colours, Moroccan-style lanterns and softly lit interior give the instant impression that this is a warm, intimate atmosphere where you'll enjoy eating, drinking and relaxing. Table service, and a special touch to the food, distinguish…

www.hendersonsofedinburgh.co.uk

 

Kalpna

2/3 St Patrick's Square, Edinburgh, EH8 9EZ

Kalpna is one of Edinburgh’s most established and award-winning vegetarian restaurants, specialising in South Indian cooking. An ornate mosaic adorns the walls of the cosy restaurant interior, in a location favoured by vegetarians and non-vegetarians…

www.kalpnarestaurant.com

 

Ann Purna

45 St Patrick's Square, Edinburgh, EH8 9ET

This is a very much spruced-up version of the Ann Purna of old, with black leather seats, dark wood tables and Indian paintings adorned with tassels on the walls. With inspiration from Gujarat and South India – regions where vegetarian dishes form the…

 

Steve Jobs hates Java now also, WTF?

So we all know that Apple have something against Flash, and while Flash is far from perfect, it's a little odd that Apple's iPhone and iPad won't work with Flash. I mean, if you were cynical you might think it was so that people wouldn't have access to all the Flash-based games on the internet and would be forced to buy them from Apple's very restricted App Store.

Now, however, Apple have announced another widely used technology that they are dropping support for: Java. I mean, WTF? Why do people continue to rave about this company, who arbitrarily decided that they won't support major internet technologies? Now, OK, the announcement is about Mac OS X, but the principle is the same here.

Finally, to add insult to injury, he (Steve) then goes and says that Android is not open!!!

Why do all banks have to be such utter wankers? Banking Rant

Please be aware: this is a rant.

Why do all banks have to be such utter wankers? "Hi, my name is <bleh> and I'm your new bank manager." If I had £10 for each time I've heard that, maybe I would need a Swiss bank account.

So last week I got the quarterly

Bank: "Hi, I'm your new bank account manager and I thought I'd call and"

Me (interrupting): "try and sell me something I neither want nor need?"

Bank: "Erm, the reason I'm calling is that I've reviewed the accounts you have with us and your <blah> account just had its interest rate cut, but we can offer you a <blah2> account with much better interest. I wondered if you would be interested in setting up an appointment to meet and discuss it."

Me: "No, I really wouldn't. Can you tell me something?"

Bank: "Sure."

Me: "Why did your bank just slash the interest on that type of account and then start another account with better interest? Was it to piss off your customers, or just to give you an excuse to try and drag them into the branch and sell them even more stuff???"

Why don't I move? Well, I have done, twice, in the past, but my current bank does reasonably good online banking.

Does anyone have a bank that they can recommend? I just want good online banking and no endless sales calls. A nice Android app would be lovely, but too much to hope for, I'm sure.

AB

Ubuntu One Music Store vs Amazon

I have to say I have been very underexcited by the news of the Ubuntu One Music Store. I'm not convinced we need another music store unless they are going to give us something that other stores don't, like FLAC support or something.

I've just been reading Popey's blog about how to use the Ubuntu One Music Store and I have to say, unless I'm missing something, what a massive faff!

For example, if I wanted to buy a new MP3 from Amazon, I would just:

Amazon

1 install the rpm/deb from here

2 download the track

But it seems that in order to do that with the new Ubuntu One Music Store, first of all you need to sign up for an Ubuntu One account. Here are the steps (taken from Popey's blog):

UBUNTU One Music Store

In order to buy stuff in the store you need an Ubuntu One account. You can connect to Ubuntu One using an Ubuntu single sign on account (confusingly).

 

Historically this was your Launchpad.net account, so if you already have one of those, you can use that. New users who have not previously signed up at Launchpad.net or login.ubuntu.com will need to create a new account.

Right now the process by which a new user to the Music Store is walked through the sign-up process is in flux. It could be a popup application which prompts for an email address, account name and password, or something embedded within Rhythmbox. Alternatively a browser could be spawned which sends the user to the sign-up process at login.ubuntu.com. Once Ubuntu Lucid releases in April, this process should be sorted out, but for now I’d recommend signing up to Ubuntu single sign on before using the Ubuntu One Music Store.

 

You need to confirm your email address by clicking the link in the mail.

 

Clicking the link takes you back to the Ubuntu One sign up process.

 

Click continue.

 

Enable File Sync

The second step which needs to be set up before the Music Store works is file syncing with Ubuntu One. Music purchased in the store is delivered directly to your Ubuntu One synchronised folders, so this has to be working or you'll never actually get the music you buy. Configuring Ubuntu One is detailed at one.ubuntu.com/support/installation although for Lucid there's very little to do other than activate, as the components are pre-installed. That documentation should be updated before Lucid is released.

 

In these screenshots I subscribed to the free 2G plan. The screens are slightly different if you choose the 50G paid plan.

 

Login using your Ubuntu One (or old migrated Launchpad.net) account.

 

Confirm you agree to the terms and conditions.

 

Now you’re signed up to Ubuntu One.

 

At this point there are no files in the ~/Ubuntu One/ folder; in fact it doesn't even exist yet.

Activate a Computer

To enable the file sync on this laptop I needed to add/authorise this computer. When Lucid releases there should be a graphical ‘control panel’ for Ubuntu One which allows you to press a button to connect a machine to your Ubuntu One account. You can of course connect multiple machines to one account in order to keep them all in sync. That tool doesn’t exist yet, so I had to run the following to trigger the process below.

u1sdtool -c

Once the system has been connected to Ubuntu One once, there is a ‘Connect’ icon in nautilus file browser, but in a typical chicken/egg problem, that ‘Connect’ button doesn’t appear until you have connected at least once.

 

Pretty soon after that the ~/Ubuntu One/ folder should appear.

 

Which is of course initially empty. There is another special folder in which stuff appears that has been shared with you by other people. It too is initially empty.

 

Testing File Sync

It’s a very good idea to test the file syncing service, because if it doesn’t work the music won’t download, no matter what else you do. It could save time during bug triage if users ensure this file sync works before filing bugs in the music store.

A simple test of the file sync is to create a folder or upload a file via the web interface and wait for them to appear in your ~/Ubuntu One/ folder on the local machine. Alternatively create files on your local PC in ~/Ubuntu One/ and go to the website to see if they appear.

Here I’ve created a file on my computer in the ~/Ubuntu One/ folder

 

If I then go to the Ubuntu One web interface I can see the file has arrived.

So at this point you’re ready to test the Ubuntu One Music Store.

 

Really?? What a pain in the arse!! Why would anyone prefer the latter?

Maybe it's just me, but am I missing something? Let me know, leave a comment.

Ade
