Fix problem updating packages in Fedora/Korora due to broken SELinux update

Unfortunately an update to the SELinux policy package in Fedora 20 (and therefore Korora 20) caused RPM scriptlets to fail when updating packages.

This bug only affects systems that have SELinux mode set to enforcing (which is the default) and were updated to version 3.12.1-116 of the selinux-policy package. If you have seen the following sort of error when updating packages, then this bug may affect you:

warning: %post(libkcompactdisc-4.12.1-1.fc20.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package libkcompactdisc-4.12.1-1.fc20.x86_64

Below are the commands to resolve this issue (which has been fixed in an updated 3.12.1-117 version of selinux-policy).

sudo setenforce 0
sudo yum clean expire-cache
sudo yum update selinux-policy\*
sudo setenforce 1

The first command disables SELinux enforcement for the current session and the subsequent commands expire the yum cache and install the SELinux policy update which fixes this issue. The last command re-enables SELinux enforcement.

If you previously installed any packages which failed with scriptlet errors like above, you can reinstall them using the following command:

sudo yum reinstall <package>

You can find out what packages were installed after the broken update using a command like this:

sudo sed '1,/selinux-policy-3.12.1-116/d' /var/log/yum.log
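
To turn that log excerpt into the list of packages to reinstall, the following added example (not part of the original post) extracts package names from yum.log-style lines after the broken policy update. The sample log is constructed; only the libkcompactdisc name and the selinux-policy version numbers come from the text above.

```shell
#!/bin/sh
# Added example, not from the original post. The log lines are constructed;
# the .fc20.noarch suffixes and the example-* packages are illustrative.

sample_log() {
    cat <<'EOF'
Jan 17 20:01:10 Updated: example-lib-1.0-2.fc20.x86_64
Jan 18 09:14:02 Updated: selinux-policy-3.12.1-116.fc20.noarch
Jan 18 09:14:31 Updated: selinux-policy-targeted-3.12.1-116.fc20.noarch
Jan 19 08:30:12 Updated: libkcompactdisc-4.12.1-1.fc20.x86_64
Jan 19 08:30:15 Installed: example-tool-2.3-1.fc20.noarch
Jan 19 08:31:40 Erased: example-old
Jan 20 10:02:11 Updated: selinux-policy-3.12.1-117.fc20.noarch
Jan 20 10:05:00 Installed: libkcompactdisc-4.12.1-1.fc20.x86_64
EOF
}

# Print packages installed or updated after the first line containing the
# marker ($2) in a yum.log-style file ($1, or "-" for stdin), one per line
# and de-duplicated. Erased packages are ignored, and the selinux-policy
# packages are skipped because they are updated separately.
pkgs_after_marker() {
    awk -v marker="$2" '
        !seen_marker { if (index($0, marker)) seen_marker = 1; next }
        ($4 == "Installed:" || $4 == "Updated:") &&
            $5 !~ /^selinux-policy/ && !dup[$5]++ { print $5 }
    ' "$1"
}

# Demonstration on the constructed log. On a real system the list could be
# reviewed first and then passed to yum, for example:
#   sudo yum reinstall $(pkgs_after_marker /var/log/yum.log selinux-policy-3.12.1-116)
sample_log | pkgs_after_marker - selinux-policy-3.12.1-116
```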

If you require any assistance please don’t hesitate to ask for help using Engage or jump onto the #korora channel on the freenode.net IRC servers.

Add permanent rules to FirewallD

Someone at work wanted to know how to add rules permanently to FirewallD, Fedora’s dynamic firewall (iptables), so I’m posting it in case it’s useful to someone else.

Get the default zone, this is usually “public”:
firewall-cmd --get-active-zones

List services on that zone:
firewall-cmd --zone=public --list-all

Add required TCP ports (let’s do port 80):
firewall-cmd --permanent --zone=public --add-port=80/tcp

If you need a UDP port:
firewall-cmd --permanent --zone=public --add-port=123/udp

You could restart the firewall for them to take effect, or set the rules again without the --permanent option to add them dynamically.

Restart firewall:
systemctl restart firewalld.service

You can also specify services, rather than ports if you like.

sudo firewall-cmd --permanent --zone=public --add-service=http

You’re done!

Force rsync to use delta transfer to fix corrupt remote file

We host our Korora Project ISO images on SourceForge and I (naturally) use rsync to move them there (slowly, at 100kb/sec). Sometimes though the connection drops off and that’s OK because rsync picks up where it left off.

However occasionally the ISO ends up with the wrong checksum, so something went wrong in the transfer. No amount of re-rsyncing seems to fix this up because by default it uses file size and timestamps to check whether it should skip existing files.

Fortunately, I don’t need to re-send the whole file again as rsync can perform a delta transfer instead and only send the small difference. Yay!

The way I do this is by passing a combination of options to rsync, such as --checksum (to enable transfer of the file), --inplace (to transfer the file in place, as rsync normally writes a temporary file and then moves it) and --no-whole-file (which tells rsync to not copy the whole file, but use deltas instead).

This becomes something like:
rsync -Pa --checksum --inplace --no-whole-file local.file remote.server:

Here’s a real example:
chris@x220 ~ $ rsync -Pa --checksum --inplace --no-whole-file -e ssh korora-20-i386-cinnamon-live.iso csmart,kororaproject@frs.sourceforge.net:/home/frs/project/k/ko/kororaproject/20/
 
sending incremental file list
korora-20-i386-cinnamon-live.iso
  1,715,470,336 100% 220.87MB/s 0:00:07 (xfr#1, to-chk=0/1)

So rsync just saved me 4 hours of uploading the ISO again. Thanks rsync.

Enable and test TLS 1.2 in Firefox 26

Firefox has (unfortunately) lagged behind other browsers recently when it comes to implementing the more secure TLS 1.2 and it’s only now officially landing in the upcoming release 27. It can always use more testing though and if you’re running version 26 you can still enable it and test.

Browse to:
about:config

Set the following:
security.tls.version.max:3

This is the maximum supported protocol so it doesn’t mean that the sites you visit will now be using TLS 1.2. If you want to (try and) force it, there is a security.tls.version.min but be warned that probably most of your sites will fail.

You may also wish to disable this deprecated SSL3 algorithm:
security.ssl3.rsa_fips_des_ede3_sha:false

You can test this out by browsing to http://howsmyssl.com.

Calomel is a handy addon (BSD licence) to tell you what your secure connection negotiated to when you visit a site and gives it a score.

If you notice breakage, please report upstream.

Korora 20 (Peach) released

Today we released the final images for Korora Project (Fedora¹ Remix) version 20 with Cinnamon, GNOME, KDE, MATE and Xfce desktops (in 32 and 64 bit).

The release was a little delayed because we were waiting for a few bug fixes to land, as well as Christmas and New Year holidays which got in the way.

We have also been hard at work building our new open source web platform, which includes a replacement for our forums called Engage. Anyone who had an account with our old forums can log in to the new site; you will just get an email to activate your account first. Bug reports welcome!

¹ Korora is not provided or supported by the Fedora Project. Official, unmodified Fedora software is available through the Fedora Project website.

Permanently fixing permissions on a shared git repo

When creating a shared git repository (perhaps on a central server) it’s good to use the --shared option:
git init --bare --shared

If you don’t, then you may find that repository permissions get clobbered each time a different person commits and no amount of umasks, chmods and sticky bits seem to help long term.

For your next shared repo that’s fine, but if you have an existing repository you can still fix this (assuming git is your group for write access):

ssh server
chown -Rf root:git /path/to/bare/git/repo
cd /path/to/bare/git/repo
git config core.sharedRepository group
find /path/to/bare/git/repo -type f -exec chmod 664 {} +
find /path/to/bare/git/repo -type d -exec chmod 775 {} +
find /path/to/bare/git/repo -type d -exec chmod g+s {} +
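
A blanket chmod 664 also strips the execute bit from anything under hooks/, so any active hook stops running. The following added example (not from the original post) is a variant that keeps existing execute bits and then audits the result; the function names are hypothetical, and the chown and git config steps above still apply.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Grant the group read/write everywhere, group execute only on directories
# and on files that are already executable (capital X), and set the setgid
# bit on directories so new files inherit the repository's group.
fix_shared_perms() {
    chmod -R g+rwX "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Print every path that would still cause trouble for a group-shared repo.
# Empty output means the tree is consistent.
audit_shared_perms() {
    # Directories missing setgid or any of group rwx.
    find "$1" -type d ! -perm -2070 -print
    # Regular files the group cannot read and write.
    find "$1" -type f ! -perm -0060 -print
    # Anything world-writable (symlinks excluded): broader than intended.
    find "$1" ! -type l -perm -0002 -print
}

# When called with a repository path, fix it and report what is left over.
if [ $# -gt 0 ]; then
    fix_shared_perms "$1"
    audit_shared_perms "$1"
fi
```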

Enjoy some sanity!

Delete local and remote git branches

Just a quick one for reference..

Deleting one or more local branches is trivial:
git branch --delete branch branch2

However if you want to delete regardless of the merge state:
git branch -D branch branch2

To delete a remote branch you need to push the delete:
git push remote --delete branch

The --delete option is newish, so if your git is old you can use the original syntax:
git push remote :branch

That’s all.

PolicyKit Javascript rules with catchall

So the desktop is ruled by PolicyKit which is awesome. It includes sets of rules about who can run certain actions (such as mounting an internal drive).

The rules are read in lexical order from the /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d directories.

You can get a list of available actions with the command:
$ pkaction

There may come a time when you want to tweak those rules though, to make management of your system easier. For example, managing virt-manager without a password if you’re in the wheel group (the action is org.libvirt.unix.manage). If so, you can create one with a name like “10-my-policy.rules” in either directory above.

polkit.addRule(function(action, subject) {
    // Allow active sessions of wheel members to manage libvirt without a password.
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("wheel") && subject.active) {
        return polkit.Result.YES;
    }
});

Some related tasks have several actions, like configuring cups:
$ pkaction |grep cups
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings

Previously, before the new JavaScript format, one could match all those actions with:
org.opensuse.cupspkhelper.mechanism.*

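That doesn’t work with JavaScript rules though, so this is how you can do it:
polkit.addRule(function(action, subject) {
    // The trailing dot keeps the match inside this namespace, like the old
    // "mechanism.*" glob, rather than any action id that merely starts with it.
    if (action.id.indexOf("org.opensuse.cupspkhelper.mechanism.") == 0 &&
        subject.isInGroup("wheel") && subject.active) {
        return polkit.Result.YES;
    }
});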

Changes are picked up straight away, so just save the file and test!

Introducing Pharlap, our new driver manager replacement for Jockey

Previous versions of Korora have shipped with Ubuntu’s Jockey for installing drivers like NVIDIA and Catalyst but now we have Pharlap. Jockey has been deprecated upstream in favour of ubuntu-drivers-common, so we thought we’d see if we could make some use of that code base and create a version for Korora/Fedora+RPMFusion.

It seemed to work out well and so it’s included by default in the Korora 20 beta release, although Jockey is still available to install if you so desire. It’s much more lightweight and uses yum-daemon for package management. The packages are pharlap and pharlap-modaliases, both of which are available for Fedora 20 from the Korora repo (including source RPMs).

Pharlap, driver manager

We need lots of testing on Pharlap so if you’re keen to help, we would appreciate any feedback. Hopefully at some point we can get it into RPMFusion.

Where did the name come from?

Phar Lap, great racehorse

Well since we were replacing Jockey, we thought we’d go with a horse theme. Born in 1926, Phar Lap was a New Zealand foaled, Australian-trained thoroughbred racehorse, one of the greatest of all time. Although Phar Lap came last in his first ever race, towards the end of his career he won 32 of 35 races (coming second in two of the others he lost).

In 1932 Phar Lap raced in the Agua Caliente Handicap at Tijuana, Mexico, which was North America’s then richest race. It was his first time racing in America, his first race on dirt tracks and his first start from barrier stalls. He was last out of the gate and started ten lengths behind the leaders, but by the half-mile he was in front and then won the race by three lengths, setting a new track record.

Two weeks later Phar Lap was dead after someone poisoned him with arsenic.

So to honour this great horse, we’ve named the project Pharlap.

Korora 20 (Peach) beta released

The Korora Project is pleased to announce the first beta release of version 20 (codename “Peach”) which is now available for download.

Note: This beta release of Korora is derived from a beta release of Fedora¹ and as such there will likely be a larger number of bugs and many software updates.

For the first time we are introducing an Xfce desktop, which was made possible thanks to Maik Adamietz (AKA DarkEra) and others in the community. We would also like to thank Jeremiah Summers (AKA JMiahMan) for his assistance in updating the KDE version as well as Dan Marshall (AKA dan408) for his help with the MATE release. Thank you!

Features

GNOME 3.10

GNOME 3.10 will have a number of new applications and new features that will please GNOME-lovers. This release includes a new music application (gnome-music), a new maps application (gnome-maps), a revamp for the system status menu, and Zimbra support in Evolution. A preview of GNOME on Wayland compositor is also finally available. Refer to the GNOME 3.10 announcement for more details.

KDE Plasma Workspaces 4.11

A modern, stable desktop environment, this release includes faster Nepomuk indexing, improvements to Kontact, KScreen integration in KWin, Metalink/HTTP support for KGet, and much more. Refer to the KDE Plasma Workspaces 4.11 announcement for more details.

But wait, there’s more …

Derived from Fedora 20¹ beta, Korora benefits from Fedora’s long tradition of bringing the latest technologies to open source software users.

A complete list with details of each new inherited feature is available at the Fedora 20 Accepted Proposals List.

  • Application Installer brings a new interface for installing packages in GNOME.
  • NetworkManager should be able to configure bond master and bridge interfaces with commonly used options and recognise their existing configuration on startup without disrupting their operation.
  • Ruby on Rails 4.0, which is the latest version of the well-known web framework written in Ruby.
  • LVM has introduced thin provisioning technology, which provides greatly improved snapshot functionality in addition to thin provisioning capability. This change will make it possible to configure thin provisioning during OS installation.
  • Plasma-nm replaces the current network applet in KDE with a new one and brings the latest features in NetworkManager to KDE.
  • SSD Cache is updated thanks to the recent kernel to support (fast) SSD caching of (slow) ordinary hard disks.
  • VirtManager user interface for managing virtual machines has the ability to easily manage snapshots.

Contributing

We don’t build Korora inside a box. We need your help! Bug reports are especially helpful – if you encounter any issues, please report them!

Korora is a fantastic, friendly community, and we have many ways in which you can contribute. Please send us feedback in the forums or log a bug report if you have any issues. Of course you can find us on social media like Identi.ca, Twitter, Google+ and Facebook.

What is the Beta release?

The Beta release is the last important milestone before the release of Korora 20. Join us in making this a solid release by downloading, testing, and providing your valuable feedback.

Of course, this is a beta release, meaning that some problems may still be lurking. A list of the problems already known can be found at the Common F20 bugs page.

¹ Korora is not provided or supported by the Fedora Project. Official, unmodified Fedora software is available through the Fedora Project website.