NoMachine NX, Fedora 9 and SELinux

I upgraded from Fedora 7 to Fedora 9 using [preupgrade](http://fedoraproject.org/wiki/PreUpgrade), and then I couldn’t connect to the [NoMachine NX Server](http://www.nomachine.com/). It’s due to SELinux, again (I [wrote about this earlier](http://jaredrobinson.com/blog/?p=89)). The approach to solve it is still the same, although the policy is different:

Here’s what my audit.log messages looked like:

May 30 07:48:03 localhost kernel: type=1400 audit(1212155283.470:7): avc: denied { getattr } for pid=876 \
comm=”sshd” path=”/usr/NX/home/nx/.ssh/authorized_keys2″ dev=sda2 ino=70976 \
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file \
May 30 08:22:35 localhost kernel: type=1400 audit(1212157355.873:9): avc: denied { read } for pid=872 \
comm=”sshd” name=”authorized_keys2″ dev=sda2 ino=70976 \
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

Here’s how I created and inserted the policy:

cd /etc/selinux
cat /var/log/audit/audit.log | audit2allow -M nx
semodule -i nx.pp

And here’s the nx.te file:

module nx 1.0;
require {
type sshd_t;
type usr_t;
class file { read getattr };
}
#============= sshd_t ==============
allow sshd_t usr_t:file { read getattr };

Open Source Security report from Coverity

[Coverity](http://www.coverity.com) has published it’s [Open Source Scan Report 2008](http://coverity.com/library/pdf/Coverity-Scan_Open_Source_Report_2008.pdf), which details the security status of several open source projects. Here’s my summary:

* The overall security of open source projects is improving.
* There’s a linear relationship between the amount of code and the amount of bugs.
* Surprisingly, there’s no relation between function length and defect density.

Projects with exceptionally low defect density include Amanda, NTP, OpenPAM, OpenVPN, Perl, PHP, Python, TCL, Postfix, Samba, curl, libvorbis and vim.

The top two security defects are

1. NULL pointer dereference
2. Resource leak

I got to preview [Coverity Prevent](http://www.coverity.com/html/prod_prevent.html) at a previous job, and it rocks at finding real bugs in code, with a very low rate of false positives.

Attempt to patent a mental process

David A. Wheeler says, “The US Court of Appeals for the Federal Circuit in Washington, DC just heard arguments in the Bilski case, where the appellant (Bilski) is arguing that a completely mental process should get a patent. The fact that this was even entertained demonstrates why the patent system has truly descended into new levels of madness. At least the PTO rejected the application.”

Wheeler goes on to explain why [patents on information is lunacy](http://www.dwheeler.com/blog/2008/05/09#bilski-information-is-physical)