Uwe Hermann | A slightly paranoid Debian developer

For everybody who might be interested in this kind of stuff: the LinuxBIOS project's annual LinuxBIOS Symposium will take place October 1st-3rd, 2006 in the nice German city Hamburg.

In the light of the recent discussions about "sourceless firmware" and similar issues in Debian, some people might be interesting in helping with (or at least getting informed about) a practical project related to this - a free (GPL'd) BIOS replacement. It's quite likely that some OLPC people will be there, too, as the OLPC (One Laptop Per Child) project employs LinuxBIOS on their hardware...

Deadline for workshop and talk proposals is September 10th (if you should plan to give a talk), and a preliminary agenda is already available online. The registration process has also recently started (deadline is September 11th). See this post for the full announcement.

Now, if I manage to somehow gather a reasonably large amount of Euros, I'll probably be there.

Update 2006-09-11: I have decided to register for the conference, so I'll be there! Anyone else?

Update: "Testing stuff with QEMU"-articles published so far:

• Part 3: Debian GNU/kFreeBSD
• Part 2: MenuetOS, a tiny OS written in 100% assembly language
• Part 1: SELinux support in Debian unstable

Here's a quick HOWTO to get you started with the QEMU emulator, the Debian installer (etch beta 3), and SELinux. If you execute the following steps you'll be left with an SELinux-enabled Debian unstable QEMU image, but not with a complete working and perfectly configured SELinux system. A more detailed article about SELinux will probably follow...

Basic Debian unstable install in QEMU:

1. Install QEMU:
   apt-get install qemu
2. Download the latest Debian etch installer ISO image (etch beta 3, currently):
   wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/debian-testing-i386-binary-1.iso
3. Create a QEMU image which will hold the Debian installation:
   qemu-img create -f qcow /path/to/debian.img 5000M
4. Boot directly from the ISO image and install Debian into the QEMU image (I won't go into the details of the installation itself; Wolfang Lonien has nice HOWTOs for that: part 1, part 2, video):
   qemu -hda /path/to/debian.img -boot d -cdrom debian-testing-i386-binary-1.iso
5. After the installation is done, configure the system, tweak /etc/apt/sources.list if needed, and then dist-upgrade to the latest stuff:
   apt-get update && apt-get dist-upgrade
6. That's about it for the basic Debian install, you can now shutdown the OS and QEMU (type "halt" in the emulated Debian, wait for the shutdown to complete, press CTRL+ALT+2 to switch to the QEMU console, and type "quit").

Creating a QEMU overlay image:

QEMU has a nice feature called overlay images which allows you to "clone" an image, where the new (overlay) image will only store the "diffs" to the original one, thus saving lots of space. This also allows you to remove the overlay image at any time and restart from the original image (which is nice for testing stuff which may break).

1. Create an overlay image based on the previously installed Debian image:
   qemu-img create -b /path/to/debian.img -f qcow /path/to/debian_selinux_overlay.img
2. Now boot into the new overlay image:
   qemu -hda /path/to/debian_selinux_overlay.img

Basic SELinux setup:

1. SELinux wants to label all the files on your system (all inodes actually), so your filesystem(s) need the so-called extended attributes (xattr) and "security labels" (both are kernel options) which most modern file systems now support. For ext3 (for example) you need these config options:
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_SECURITY=y
Luckily the Debian kernels are xattr-enabled by default so we don't have to do anything at all here.

2. Install the basic SELinux packages and the source package of the SELinux reference policy:
   apt-get install checkpolicy policycoreutils selinux-policy-refpolicy-src
3. I noticed a bug in the current Debian packages (the setfiles utility is in the wrong place, see #384850), but there's a simple workaround:
   ln -s /sbin/setfiles /usr/sbin/setfiles
4. Now we can (re-)label the file system:
   cd /etc/selinux/refpolicy/src/policy
make relabel
   This will build the reference policy from source and relabel your file system (this will take a while).
   There might be some warnings (and maybe you'll notice further bugs), but they seem not to be critical.
5. We can now (almost) enable SELinux, but before we can reboot we need to work around another bug (#384852), otherwise SELinux will not be enabled when we reboot:
   ln -s /etc/selinux/refpolicy/src /etc/selinux/targeted
6. Now reboot the emulated Debian system, and at the GRUB console add the kernel option selinux=1 to enable SELinux in the kernel (press "e" to edit the boot options).
7. You'll get tons of SELinux log messages while the system boots, that's normal at this point, don't worry.
   Then you can type "sestatus", which should print some information on the running SELinux system. If it says "SELinux status: disabled" something went wrong.

Congratulations! You now have a QEMU image with minimal SELinux support and you can start playing with it, tweaking the policy, finding and reporting bugs, reading tons of documentation on how SELinux actually works etc. etc.

As SELinux is (half?) a release-goal for Debian etch, it would be nice if many people could test it before the release, and this is one method to do so without breaking your production systems.

Update 2006-08-28: You don't really need user_xattr support for SELinux, only xattr support (for security.selinux xattrs) for the filesystem you use, which is available per default in Debian kernels (thanks Russell Coker).

It's strange that the FSF/UNESCO Free Software Directory project has managed to remain hidden from my eye until today...

The Free Software Directory is a project of the Free Software Foundation (FSF) and United Nations Education, Scientific and Cultural Organization (UNESCO). We catalog useful free software that runs under free operating systems — particularly the GNU operating system and its GNU/Linux variants.

The main difference to similar software directories (Freshmeat, SourceForge, ...) is that "licenses are verified for each and every program listed in this directory", which is a good thing.

If you've got too much time on your hands, here's an idea how to get rid of it and at the same time help the Free Software community...

Note: This article is part of my OS Install Experiences series.

Long time no install, so here goes.

Install

1. First, I downloaded a Mandriva One CD image, burned it on a CD, and booted from that.
2. The (graphical) installer allows you to choose language and country, but there's no German(y). WTF? Maybe I just overlooked it, but I did look twice! When choosing the keyboard layout there is a German layout...
3. After choosing the timezone, a KDE 3.4 live system is started. If you want to install Mandriva, you click the "Install from live system" icon on the desktop. The installation is done in a wizard after that.
4. The partitioning tool is quite nice and has an "expert mode" you can enable to see more info and get more control. It performs all actions immediately, though, (AFAICS) which can lead to trouble.
5. You can choose between LILO or GRUB, and even edit the list of GRUB entries manually (which is nice; many other distributions don't allow that).
6. After a while there were no more windows or messages, so I thought the install was done and rebooted. Obviously I was wrong. GRUB wasn't installed (the old one was still there), so I had to manually boot into the Mandriva installation. From there, the installation continued...
7. After net config (even asked me for a zeroconf hostname), root password, user creation and all the usual stuff, you're dropped in a KDE session and the install is done.

Security

Continue reading here...

• Work on ext4 has begun. It'll be ext3-compatible at some point.
• Linux shall get full NTFS write support (German article) in ca. one year, and Apple pays for it, as they want the driver for Mac OS, too.
• DevFS is finally dead. It was removed from the Linux kernel, udev is used as replacement.

Enough spamming, back to work.