SE Linux is a feature of the Linux kernel that provides mandatory access control. This policy based access control system grants far greater control over the resources on a machine than standard Linux access controls such as permissions.
Many modern Linux distributions are shipping with SELinux enabled by default, Fedora 14 and Rhel 6 both install with it enabled.
When you run Recital Web on a SELinux enabled machine and navigate to the default.rsp page you will see something similar to the screen shot below.
If you launch the SELinux troubleshooter you will see the following problem.
SELinux is blocking the apache server from accessing the Recital server running on port 8001.
To manage you SELinux policy you must have the policycoreutils package group installed. The policycoreutils contains the policy core utilities that are required for basic operation of a SELinux system.
If you wish to use a GUI tool, you must install the policycoreutils-gui package.
At the command prompt execute the following:
As root
$ yum install policycoreutils
$ semanage port -a -t http_port_t -p tcp 8001
$ service recital restart
$ service httpd restart
We use the semanage command here to allow the http server access to port 8001. Once you have completed the steps detailed above you can go and navigate back to the default.rsp page in your borwser, where you will find the permission denied message is now replaced by the default.rsp page.
SELinux does a great job of restricting services and daemons so rather than simply disabling it, why not work with it!
When it comes to security, every little bit helps...
Ext3 commits writes to disk within approximately 5 seconds - Ext4 can take from 40-150 seconds. In addition, if a system is using Ext3 and crashes before the commit takes place you will still have the previous contents of a file where under Ext4 the file will be empty. Theodore Tso feels that this is a failure at the application level and that the file system is behaving as designed and as specified by the POSIX spec (which apparently does not specify what is supposed to happen when a system is not shut down cleanly). His solution to the issue is to suggest proper use of fsync() and lists various scenarios/examples in post 54 of the bug report (linked above). In addition he wrote a patch that recognize the rename() situation mentioned in his post 54 yet retains the normal Ext4 behaviors and performance in the majority of cases. Also a more "proper" solution has been provided which allows the behavior of Ext3 to be retained under Ext4 by mounting it with alloc_on_commit.
A somewhat related topic is the use of on-board caching by hard drives. This behavior can be modified on most drives by using hdparm.
Many motherboards nowadays have integrated gigabit ethernet that use the Realtek NIC chipset.
The Realtek r8168B network card does not work out of the box in Redhat/Centos 5.3: instead of loading the r8168 driver, modprobe loads the r8169 driver, which is broken as can be seen with ifconfig which shows large amounts of dropped packets. A solution is to download the r8168 driver from the Realtek website and install it using the following steps:
Check whether the built-in driver, r8169.ko (or r8169.o for kernel 2.4.x), is installed.
# lsmod | grep r8169
If it is installed remove it.
# rmmod r8169
Download the R8168B linux driver from here into /root.
Unpack the tarball :
# cd /root
# tar vjxf r8168-8.012.00.tar.bz2
Change to the directory:
# cd r8168-8.012.00
If you are running the target kernel, then you should be able to do :
# make clean modules
# make install
# depmod -a
# insmod ./src/r8168.ko (or r8168.o in linux kernel 2.4.x)
make sure modprobe knows not to use r8169, and that depmod doesn’t find the r8169 module.
# echo "blacklist r8169" >> /etc/modprobe.d/blacklist
# mv /lib/modules/`uname -r`/kernel/drivers/net/r8169.ko \ /lib/modules/`uname -r`/kernel/drivers/net/r8169.ko.bak
You can check whether the driver is loaded by using the following commands.
# lsmod | grep r8168
# ifconfig -a
If there is a device name, ethX, shown on the monitor, the linux driver is loaded. Then, you can use the following command to activate it.
# ifconfig ethX up
After this you should not see any more dropped packets reported.
To insert code samples into your articles in joomla, you use the pre tag like this:
<pre xml:lang="xxx"> your code goes here </pre>
You can use any of the following languages for colorizing your code in articles.
recital, abap, dos, lotusscript, rails, actionscript3, dot, lscript, reg, actionscript, d, lua, robots, ada, eiffel, m68k, ruby, apache, email, make, sas, applescript, fortran, matlab, scala, apt_sources, freebasic, mirc, scheme, asm, genero, mpasm, scilab, asp, gettext, mxml, sdlbasic, autoit, glsl, mysql, smalltalk, avisynth, gml, nsis, smarty, bash, gnuplot, objc, sql, basic4gl, groovy,
ocaml-brieftcl, bf, haskell, ocaml, teraterm, blitzbasic, hq9plus, oobas, text, bnf, html4strict, oracle11, thinbasic, boo, idl, oracle8, tsql, caddcl, index.html, pascal, typoscript, cadlisp, ini, perl, vbnet, cfdg, inno, per, vb, cfm, intercal, php-brief, verilog, cil, io, php, vhdl, c_mac, java5, pic16, vim, cobol, java, pixelbender, visualfoxpro, c, javascript, plsql, visualprolog, cpp, kixtart, povray, whitespace, cpp-qt, klonec, powershell, winbatch, csharp, klonecpp, progress, xml, css, latex, prolog, xorg_conf, delphi, lisp, providex, xpp, diff, lolcode, python, z80, div, lotusformulas, qbasic
DirectoryIndex default.rsp index.html
Here's how to set up field validation based on dynamic values from another table.
Using the products.dbf table from the southwind sample database, validation can be added to the categoryid field to ensure it matches an existing categoryid from the categories.dbf table.
open database southwindThe rlookup() function checks whether an expression exists in the index (master or specified) of the specified table . An attempt to update categoryid with a value not in the list will give an error: Validation on field 'CATEGORYID' failed.
alter table products add constraint;
(categoryid set check rlookup(products.categoryid,categories))
If you have access to the Recital Workbench, you can use the modify structure worksurface to add and alter your dictionary entries, including a customized error message if required.
Another useful article on IBM developerworks shows how to build PHP extensions using SWIG. You can find the article here.
iptables -I INPUT -j ACCEPT -p tcp --destination-port 8001 -i lo
iptables -A INPUT -j DROP -p tcp --destination-port 8001 -i eth0
Some options of hdparm are dangerous and are generally listed as such in the man page.
Hdparm is available from SourceForge and there is even a version for Windows.
When installing nomachine on redhat 5.3 64-bit be sure to:
- Make sure you have installed the 64-bit packages as the 32-bit ones will not work.
- add the hostname to /etc/hosts
- Check "Disable encryption of all traffic" (in configuration / advanced tab)
- add the hostname to /etc/hosts
- make sure the host IP is not specified as 127.0.0.1 line
- Uncheck "Disable encryption of all traffic" (in configuration / advanced tab)