2.20.2008

python: reference anonymous list created by list comprehension

When using a list comprehension, the list created under the hood can be referred to with locals()['_[1]']. In the case of nested elements, the elements are named _[2], _[3], etc, as you delve deeper into the nested items. The 'anonymous' list exists only while the list comprehension executes,ie. only during the work between '[' and ']'. It's sometimes handy to be able to refer to this list for in-line processing during the list comprehension. Here's an easy example. Let's say I wanted to join three lists together, removing any duplicate elements:

>>> L1 = [ 1,2,3 ]
>>> L2 = [ 2,3,4 ]
>>> L3 = [ 2,4,5 ]
>>> [ x for x in L1 + L2 + L3 if x not in locals()['_[1]'] ]
[1, 2, 3, 4, 5]

Now, the 'gotcha' is that locals()['_[n]'] is not just incremented for each nested list comprehension, it's incremented whenever a list comprehension is used in the local scope. So, if you've executed four list comprehensions previously in the run of the local scope, your next one is referenced as locals()['_[5]']. This is most evident within a loop:
>>> for x in [1,2,3]:
... [ x for x in l1 + l2 + l3 if x not in locals()['_[1]'] ] #this will work
... [ x for x in l1 + l2 + l3 if x not in locals()['_[1]'] ] #this key no longer exists
...
[1, 2, 3, 4, 5]
Traceback (most recent call last):
File "", line 3, in
KeyError: '_[1]'

>>> for x in [1,2]:
... [ x for x in l1 + l2 + l3 if x not in locals()['_[1]'] ]
... [ x for x in l1 + l2 + l3 if x not in locals()['_[2]'] ] #here's the increment
...
[1, 2, 3, 4, 5]
[1, 2, 3, 4, 5]
[1, 2, 3, 4, 5]
[1, 2, 3, 4, 5]




2.06.2008

Prettying up my ion3 desktop

Every once in a while, I get a wild hair to change up my desktop. Every time I've played with an xterm replacement that supports transparency, I generally get annoyed within hours, being too lazy to actually spend any time tweaking it. For whatever reason, today I bit the bullet, and took a couple of minutes set up aterm to be useable. There was actually no excuse for my earlier laziness - all my 'problems' were settled with just a few entries to ~/.Xdefaults:

! For aterms:
Aterm*loginShell: true
Aterm*saveLines: 2000
Aterm*foreground: DeepSkyBlue
Aterm*transparent: true
Aterm*font: fixed
Aterm*scrollBar: false
Aterm*backspacekey: ^H
Aterm*borderless: true
Aterm*internalBorder: 0
Aterm*termName: xterm
Aterm*fading: 80
Aterm*shading: 50
These take care of the annoyances (such as the character mapping for my backspace key changing within a vi session).
Then, enabling transparency in empty frames for ion3 brings back the old school behavior (well ion2 old school =]):

In your styles look_.lua:

de.defstyle("frame", {
background_colour = "#000000",
--transparent_background = false,
transparent_background = true,
})

Then, what the heck, I dl'd some darker gtk-2 themes, so that pidgin, gqview, firefox, etc would be happy.

That brought me to this place, and nothing annoys me yet. No guarantees about next week. =]










1.24.2008

create SELinux policy from audit2allow - RHEL5

To create a policy using messages from avc:
RHEL5 has a few handy tools to help with allowing specific exceptions to the canned selinux policy, by creating
policy modules to import as needed.

Use audit2allow, which transforms audit messages from alerts to loadable modules

So, this /var/log/messages alert:
Aug 7 07:22:19 testbox setroubleshoot: SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "write" to cricket (mail_spool_t). For complete SELinux messages. run sealert -l 1afcc5f6-d4a8-47e6-b546-b2ec3b427f18

Shows this in sealert:
[07:25:12 testbox ] tmp $ sealert -l 1afcc5f6-d4a8-47e6-b546-b2ec3b427f18
Summary
SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "write"
to cricket (mail_spool_t).

Detailed Description
SELinux denied access requested by /usr/libexec/postfix/local. It is not
expected that this access is required by /usr/libexec/postfix/local and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for cricket, restorecon -v cricket
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context user_u:system_r:postfix_local_t
Target Context system_u:object_r:mail_spool_t
Target Objects cricket [ file ]
Affected RPM Packages postfix-2.3.3-2 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name testbox
Platform Linux testbox 2.6.18-8.1.6.el5 #1 SMP Fri Jun 1
18:52:13 EDT 2007 x86_64 x86_64
Alert Count 7676
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="local" dev=dm-1 egid=650 euid=650
exe="/usr/libexec/postfix/local" exit=-13 fsgid=650 fsuid=650 gid=0 items=0
name="cricket" pid=25939 scontext=user_u:system_r:postfix_local_t:s0 sgid=0
subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0
Basically, postfix can't write to /var/spool/mail/cricket
[07:26:30 testbox ] tmp $ ls -alZ /var/spool/mail/
drwxrwxr-x root mail system_u:object_r:mail_spool_t .
drwxr-xr-x root root system_u:object_r:var_spool_t ..
-rw------- cricket mail system_u:object_r:mail_spool_t cricket
So run audit2allow, and generate a te file:
[07:36:29 testbox ] tmp $ sudo audit2allow -a -m postfixlocal > postfixlocal.te
[07:37:22
testbox ] tmp $ cat postfixlocal.te
module postfixlocal 1.0;
require {
class file write;
type mail_spool_t;
type postfix_local_t;
role system_r;
};

allow postfix_local_t mail_spool_t:file write;
And compile it:
[07:37:25 testbox tmp ] $ sudo checkmodule -M -m -o postfixlocal.mod postfixlocal.te
checkmodule: loading policy configuration from postfixlocal.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to postfixlocal.mod
And create a policy package:
[07:37:47 testbox ] tmp $ semodule_package -o postfixlocal.pp -m postfixlocal.mod
Now we have the ingredients:
[07:38:39 testbox ] tmp $ file postfixlo*
postfixlocal.mod: data
postfixlocal.pp: data
postfixlocal.te: ASCII C++ program text
Load the policy to the kernel:
[07:38:46 testbox] tmp $ sudo semodule -i postfixlocal.pp

[07:44:14 testbox] / $ sudo semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
postfixlocal 1.0 <------------ module loaded =]
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0
Also, we can load the module to another server:
[07:47:50 testbox] tmp $ scp postfixlocal.pp testbox2:/var/tmp
stewpid@testbox2's password:
postfixlocal.pp 100% 1017 1.0KB/s 00:00

[07:48:37 testbox2] tmp $ sudo semodule -i postfixlocal.pp

[07:49:02 testbox2] tmp $ sudo semodule -l |grep postfixlocal
postfixlocal 1.0
From audit2allow man page:
[Note] Important
In order to load this newly created policy package into the kernel, you are required to
execute semodule -i local.pp
Note that if you later install another module called local, it will replace this module.
If you want to keep these rules around, then you either need to append future customizations
to this local.te, or give future customizations a different name.
So, it's best to either maintain a single policy (named local or whatever you'll remember), or separate
policy names for each access you'd like to allow/maintain. I prefer the modular approach, easy to load/unload.


iozone for filesystem I/O testing

iozone (http://www.iozone.org/) is a filesystem benchmark tool, I found it particularly useful to benchmark and test throughput when we were experiencing slowness over NFS to our NetApp filer.

Here's some common options:
-c Include close in the timing calculations
-e Include flush (fsync,fflush) in the timing calculations
-s # file size in Kb
or -s #m .. size in Mb
or -s #g .. size in Gb
-r # record size in Kb
or -r #m .. size in Mb
or -r #g .. size in Gb
-i # Test to run (0=write/rewrite, 1=read/re-read, 2=random-read/write
3=Read-backwards, 4=Re-write-record, 5=stride-read, 6=fwrite/re-fwrite
7=fread/Re-fread, 8=random_mix, 9=pwrite/Re-pwrite, 10=pread/Re-pread
11=pwritev/Re-pwritev, 12=preadv/Re-preadv)
-+n No retests selected.
-f filename to use
-w Do not unlink temporary file # good to keep files for read tests =]
And, here's some examples:
### Write speed test:
# iozone -c -s 1g -r 32k -i0 -+n -w -f ./single_thread_write_test.out

### Read test (unmount/remount the file system to clear cache, or you'll be getting the
throughput from RAM):
# iozone -c -s 1g -r 32k -i1 -+n -w -f ./single_thread_write_test.out

### Multiple thread write test:
iozone -T -c -s 1g -r 32k -i0 -u6 -l6 -+n -w -F ./rac3_mt1.out ./rac3_mt2.out ./rac3_mt3.out ./rac3_mt4.out ./rac3_mt5.out ./rac3_mt6.out