Good Morning Friends
02/12/2007
Using Squid Proxy to Block Multimedia Streaming
31/07/2007
Multimedia streaming is often unwelcome in an office environment: it eats up the network's bandwidth and slows everything else down. Streaming can be blocked with Squid ACLs that match on the URL path and on the request and reply Content-Type headers. Below is how I did it with Squid:
In /etc/squid/squid.conf:
<—–snipped—–>
# streaming download
# rep_mime_type ACLs match the reply's Content-Type and are only evaluated
# by http_reply_access; in http_access they never match.  A plain "mms"
# would match the same set as "^.*mms.*".
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
# urlpath_regex matches the URL path; the extension patterns are anchored
# to the end of the path.
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
# req_mime_type matches the request's Content-Type (uploads).  The
# unanchored application/octet-stream entries subsume their "^...$"
# twins and also catch every generic binary download or upload, not only
# media; narrow them if that is not what you want.
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access deny deny_rep_mime_shockwave
<—–snipped—–>
#streaming files
# The http_access lines only bite for the request-side ACLs (fails2,
# x-type); the reply-side ones (fails, x-type2) take effect in
# http_reply_access.  Both sets are kept so a request is refused as
# early as possible.
http_access deny fails
http_reply_access deny fails
http_access deny fails2
http_reply_access deny fails2
http_access deny x-type
http_reply_access deny x-type
http_access deny x-type2
http_reply_access deny x-type2
<—–snipped—–>
And of course, you have to force your users through your Squid proxy, for example by blocking direct outbound HTTP at the firewall; otherwise the filter is trivially bypassed.
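To see what this ruleset actually denies before deploying it, here is an added example (my own code, not from the post or from Squid) that models the three ACL types used above in Python and runs a few constructed requests through the deny rules in the post's order. The ACL semantics it assumes come from the Squid documentation: urlpath_regex is searched against the URL path, req_mime_type against the request Content-Type, and rep_mime_type against the reply Content-Type and only in http_reply_access. The sample paths and Content-Types are constructed, not captured traffic.

```python
"""Offline model of the streaming-block ACLs from the squid.conf above.

Added example, not code from the post or from Squid.  Assumed semantics
(from the Squid docs, not the post):
  urlpath_regex   regex search on the URL path
  req_mime_type   regex search on the request Content-Type header
  rep_mime_type   regex search on the reply Content-Type header; only
                  evaluated by http_reply_access, never by http_access
"""
import re
from typing import Dict, List, Optional, Tuple

# ACL definitions copied from the post.  The "^...$" twins of the
# unanchored application/* patterns are omitted: the unanchored form
# already matches everything the anchored one does.
ACL_CONF = r"""
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
"""

# The deny directives from the post, in the order Squid evaluates them.
HTTP_ACCESS_DENY = ["fails", "fails2", "x-type", "x-type2"]
HTTP_REPLY_ACCESS_DENY = ["deny_rep_mime_flashvideo", "deny_rep_mime_shockwave",
                          "fails", "fails2", "x-type", "x-type2"]

Entry = Tuple[str, "re.Pattern"]


def parse_acls(conf: str) -> Dict[str, List[Entry]]:
    """Return {acl name: [(acl type, compiled regex), ...]}."""
    acls: Dict[str, List[Entry]] = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl":
            continue
        name, acl_type, rest = parts[1], parts[2], parts[3:]
        flags = 0
        if rest[0] == "-i":                 # Squid's case-insensitive flag
            flags, rest = re.IGNORECASE, rest[1:]
        for pattern in rest:                # several patterns on a line are OR-ed
            acls.setdefault(name, []).append((acl_type, re.compile(pattern, flags)))
    return acls


def acl_matches(entries: List[Entry], phase: str, path: str,
                req_ct: Optional[str], rep_ct: Optional[str]) -> bool:
    """True if any entry of the ACL matches in this phase ("request"/"reply")."""
    for acl_type, rx in entries:
        if acl_type == "urlpath_regex":
            subject = path
        elif acl_type == "req_mime_type":
            subject = req_ct
        elif acl_type == "rep_mime_type":
            if phase != "reply":            # no reply yet: never matches in http_access
                continue
            subject = rep_ct
        else:
            continue                        # ACL types this model does not cover
        if subject is not None and rx.search(subject):
            return True
    return False


def decide(acls, path, req_ct=None, rep_ct=None) -> Optional[Tuple[str, str]]:
    """Return (phase, acl name) of the first deny that fires, or None if allowed."""
    for phase, names in (("request", HTTP_ACCESS_DENY), ("reply", HTTP_REPLY_ACCESS_DENY)):
        for name in names:
            if acl_matches(acls.get(name, []), phase, path, req_ct, rep_ct):
                return phase, name
    return None


def run_samples() -> Dict[str, Optional[Tuple[str, str]]]:
    """Constructed requests: (path, request Content-Type, reply Content-Type)."""
    acls = parse_acls(ACL_CONF)
    samples = {
        "flash video by extension": ("/video/clip.flv", None, "video/x-flv"),
        "asx playlist by reply type": ("/live/stream.asx", None, "video/x-ms-asf"),
        "html page": ("/index.html", None, "text/html"),
        # Collateral damage: any generic binary download trips x-type2.
        "firmware download": ("/firmware/router-1.2.bin", None, "application/octet-stream"),
        # req_mime_type also blocks uploads that POST a raw binary body.
        "binary upload": ("/upload", "application/octet-stream", "text/html"),
    }
    return {label: decide(acls, *args) for label, args in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        outcome = "allowed" if verdict is None else "denied by %s in %s" % (verdict[1], verdict[0])
        print(f"{label:28s} -> {outcome}")
```

Two of the verdicts are worth checking against your intent: a firmware download served as application/octet-stream is denied by x-type2, and a POST with an octet-stream body is denied by x-type, so these ACLs block far more than streaming. Tighten them, or put a whitelist ACL in front of them, if that collateral damage is not acceptable.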
SquirrelMail ~ Change Password Plugin Fails
13/07/2007
While working with SquirrelMail on the UMK mail server, I ran into one strange problem. After I installed the change_password plugin, it did not work: a user could not change his password even though the current password he entered was correct. Even worse, when I disabled $confirmNewPass and $confirmOldPass in the plugin's config.php, the same error kept haunting my users.
The plugin worked when run from a bash shell, but not from the website. Quite an interesting situation.
Further investigation showed that something goes wrong only when the script is run by the web server: SELinux is preventing the plugin's chpasswd helper from running correctly. The output of dmesg looks like this:
audit(1184206216.485:2): avc: denied { execute } for pid=3140 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1184206216.486:3): avc: denied { setuid } for pid=3140 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
audit(1184206228.873:4): avc: denied { execute } for pid=3142 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1184206228.874:5): avc: denied { setuid } for pid=3142 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
At first I was not sure what was going on, only that some security mechanism was involved. After some googling I realised that SELinux was the cause. The records say exactly what was refused: the web server's CGI domain (httpd_sys_script_t) is denied execute access on ld.so.cache, the dynamic loader's library cache, and the setuid capability (capability=7 is CAP_SETUID), which chpasswd needs to switch user before it can change a password. This is the SELinux status on the machine:
[root@mail ~]# getenforce
Enforcing
[root@mail change_passwd]# getsebool -a
allow_syslog_to_console –> inactive
allow_ypbind –> inactive
dhcpd_disable_trans –> inactive
httpd_builtin_scripting –> active
httpd_disable_trans –> inactive
httpd_enable_cgi –> active
httpd_enable_homedirs –> active
httpd_ssi_exec –> active
httpd_tty_comm –> inactive
httpd_unified –> active
mysqld_disable_trans –> inactive
named_disable_trans –> inactive
named_write_master_zones –> inactive
nscd_disable_trans –> inactive
ntpd_disable_trans –> inactive
pegasus_disable_trans –> inactive
portmap_disable_trans –> inactive
postgresql_disable_trans –> inactive
snmpd_disable_trans –> inactive
squid_disable_trans –> inactive
syslogd_disable_trans –> inactive
use_nfs_home_dirs –> inactive
use_samba_home_dirs –> inactive
use_syslogng –> inactive
winbind_disable_trans –> inactive
ypbind_disable_trans –> inactive
Now I have to flip the appropriate SELinux boolean. But… which is the correct one? Hmm… Well, I think it is better to just disable SELinux first and figure out the boolean later.
I disabled enforcement, putting SELinux into permissive mode (denials are still logged but no longer blocked), with this command:
[root@mail change_passwd]# setenforce 0
[root@mail change_passwd]# getenforce
Permissive
And wow… the plugin ran smoothly after that. Note that setenforce 0 lifts enforcement for the whole machine, not just for this plugin, and that it lasts only until the next reboot, when the mode in /etc/selinux/config applies again.
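Permissive mode gets the plugin working, but it also stops SELinux from confining everything else on the mail server. The AVC records above contain everything needed for the proper fix: a small policy module that allows only what chpasswd was denied, built with audit2allow -M and loaded with semodule -i, after which setenforce 1 restores Enforcing. As an added example (not from the post, and not audit2allow itself), the Python below parses those four records and emits the same type-enforcement rules audit2allow would; the type and class names come from the AVC lines, and the module name squirrelmail_chpasswd is an assumption.

```python
"""Derive the SELinux allow rules a policy module needs from AVC denials.

Added example, not from the post: a small stand-in for audit2allow that
turns the four "avc: denied" records above into the type-enforcement rules
a custom module would carry, so the plugin can run with SELinux kept in
Enforcing mode.  Type and class names come from the AVC records; the module
name "squirrelmail_chpasswd" is an assumption.
"""
import re
from typing import Dict, List, Set, Tuple

# The four denials from the post's dmesg output (quotes made plain).
AVC_LOG = """
audit(1184206216.485:2): avc: denied { execute } for pid=3140 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1184206216.486:3): avc: denied { setuid } for pid=3140 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
audit(1184206228.873:4): avc: denied { execute } for pid=3142 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1184206228.874:5): avc: denied { setuid } for pid=3142 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(log: str) -> List[dict]:
    """Pull source type, target type, object class and permissions out of each denial."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; only the type takes part in TE rules.
        records.append({
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return records


def allow_rules(records: List[dict]) -> List[str]:
    """Merge repeated denials into one allow rule per (source, target, class)."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        # A process acting on its own context is written as "self" in policy.
        target = "self" if r["ttype"] == r["stype"] else r["ttype"]
        merged.setdefault((r["stype"], target, r["tclass"]), set()).update(r["perms"])
    rules = []
    for (stype, target, tclass), perms in merged.items():
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def policy_module(records: List[dict], name: str = "squirrelmail_chpasswd") -> str:
    """Render the .te source that audit2allow -M <name> would produce."""
    types = sorted({r["stype"] for r in records} | {r["ttype"] for r in records})
    classes: Dict[str, Set[str]] = {}
    for r in records:
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    lines += ["}", ""] + allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Real workflow on the host (not run here):
    #   audit2allow -M squirrelmail_chpasswd < avc.log && semodule -i squirrelmail_chpasswd.pp
    #   setenforce 1
    print(policy_module(parse_avc(AVC_LOG)))
```

The second rule, allow httpd_sys_script_t self:capability setuid;, deserves a pause before loading: it grants every CGI script in the httpd_sys_script_t domain the right to change uid, not just this plugin. If that is too broad, the tighter design is a dedicated domain for the chpasswd helper that httpd_sys_script_t transitions into, so the capability is confined to that one binary.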

Posted by fadli 