Monday, February 22, 2010


Can't find strptime in datetime because you're working in a Python 2.4 environment?

Python 2.4.3 (#1, Jul 27 2009, 17:56:30)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from datetime import datetime
>>> d = datetime.strptime("21-JAN-08", "%d-%b-%y")
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
AttributeError: type object 'datetime.datetime' has no attribute 'strptime'

strptime was added to datetime in 2.5. Prior to 2.5 you pull it from the typically lower-level library 'time'.

>>> import time
>>> time.strptime("21-JAN-08", "%d-%b-%y")
(2008, 1, 21, 0, 0, 0, 0, 21, -1)

Ah, there it is. Of course, you wanted a datetime, didn't you?

>>> t = time.strptime("21-JAN-08", "%d-%b-%y")
>>> datetime(*t[0:6])
datetime.datetime(2008, 1, 21, 0, 0)

Tuesday, February 09, 2010

mod_mono, Centos 5 64 bit, and SELinux Part 2

The trick to creating a SELinux policy is setting the mode to be permissive, which prevents nothing but logs all of the infractions to audit.log, and then using the log to generate the policy. After running my mod_mono based application for a bit in permissive mode, I used this command to generate a local policy.

egrep 'http|mono' /var/log/audit/audit.log | audit2allow -M myhttp

Here is the result:

module myhttp 1.0;

require {
type httpd_tmp_t;
type device_t;
type initrc_t;
type httpd_t;
type httpd_sys_script_t;
type http_port_t;
type port_t;
type inotifyfs_t;
class process { execstack execmem getsched ptrace };
class unix_stream_socket connectto;
class chr_file { read write ioctl };
class tcp_socket name_connect;
class file execute;
class sem { unix_read write unix_write associate read destroy };
class shm { unix_read read write unix_write associate };
class dir read;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
allow httpd_sys_script_t httpd_tmp_t:file execute;
allow httpd_sys_script_t inotifyfs_t:dir read;
allow httpd_sys_script_t self:process { execmem getsched ptrace };
allow httpd_sys_script_t self:sem { unix_read write unix_write associate read destroy };

#============= httpd_t ==============
allow httpd_t device_t:chr_file { read write ioctl };
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read read write unix_write associate };
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t self:process { execstack execmem };
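
One way to review the denials before handing them to audit2allow, as an added example that is not part of the original post: it merges AVC records into the allow rules they imply and marks the rules that grant memory-execution or ptrace permissions. The sample records, the REVIEW_PERMS set and the function names are constructed for illustration, and the code targets a current Python 3.

```python
import re
from collections import defaultdict

# Permissions that relax memory protection or process isolation.
REVIEW_PERMS = {"execstack", "execmem", "execheap", "execmod", "ptrace"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample records (not taken from the post's audit.log).
SAMPLE_LOG = [
    'type=AVC msg=audit(1265634212.101:51): avc:  denied  { execmem } for  pid=2301 comm="mono" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1265634212.102:52): avc:  denied  { execstack } for  pid=2301 comm="mono" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1265634215.310:57): avc:  denied  { read } for  pid=2301 comm="mono" name="inotify" dev=inotifyfs ino=1 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1265634219.007:63): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=8080 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1265634219.007:63): arch=c000003e syscall=42 success=yes exit=0 comm="httpd"',
]

def summarize(lines):
    """Merge AVC denials into {(source_type, target_type, class): perms}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no denial
        # A context is user:role:type[:level]; only the type matters here.
        src = m.group("scon").split(":")[2]
        tgt = m.group("tcon").split(":")[2]
        if tgt == src:
            tgt = "self"  # same spelling the generated policies use
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def render(rules):
    """Return (allow_rule, needs_review) pairs in a stable order."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rule = "allow %s %s:%s %s;" % (src, tgt, tclass, plist)
        out.append((rule, bool(perms & REVIEW_PERMS)))
    return out

if __name__ == "__main__":
    for rule, flagged in render(summarize(SAMPLE_LOG)):
        print(("REVIEW  " if flagged else "ok      ") + rule)
```

Run against the generated policies shown in these posts, the marked rules would be the ones granting execstack, execmem and ptrace.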

Monday, February 08, 2010

mod_mono, Centos 5 64 bit, and SELinux

Getting mod_mono up and running on Ubuntu 9.10 is relatively simple. Install the packages, drop in a test asmx file, browse to the URL and you are done.

apt-get install libapache2-mod-mono mono-apache-server2

My experience getting the same demo file with Centos 5 running SELinux was a bit more involved. First off, here's the complete simple web service. You should be able to drop it into your document root and browse to the appropriate URL, once mod_mono is properly installed.

<%@ WebService Language="c#" Codebehind="TestService.asmx.cs" Class="WebServiceTests.TestService" %>

using System;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace WebServiceTests
{
    public class TestService : System.Web.Services.WebService
    {
        // [WebMethod] exposes the method as a web service operation.
        [WebMethod]
        public string Echo (string a)
        {
            return a;
        }

        [WebMethod]
        public int Add (int a, int b)
        {
            return a + b;
        }
    }
}

On Centos 5, install these packages:

yum install mod_mono xsp mono-web

To enable mod_mono for Apache and run the xsp demo programs, add something like the following to the tail end of your httpd.conf file. Be sure to check that the paths used here are the same on your machine. (Note that I'm using a 64 bit Centos installation.)

AddType application/x-asp-net .aspx
AddType application/x-asp-net .asmx
AddType application/x-asp-net .ashx
AddType application/x-asp-net .asax
AddType application/x-asp-net .ascx
AddType application/x-asp-net .soap
AddType application/x-asp-net .rem
AddType application/x-asp-net .axd
AddType application/x-asp-net .cs
AddType application/x-asp-net .config
AddType application/x-asp-net .Config
AddType application/x-asp-net .dll
AddType application/x-asp-net .asp
DirectoryIndex index.aspx
DirectoryIndex Default.aspx
DirectoryIndex default.aspx

Alias /demo /usr/lib64/xsp/test
MonoApplications "/demo:/usr/lib64/xsp/test"
MonoServerPath /usr/bin/mod-mono-server

You are likely to run into myriad problems if using SELinux. Start by giving httpd permission to run mono.

chcon -t httpd_sys_content_t '/usr/bin/mono'

Each time you hit your URL you will likely encounter another SELinux error. You can repeat this process again and again until you come up with a final policy that will allow apache access to mono, its directories, and dependencies. My final policy looked like this.

module mymono 1.0;

require {
type lib_t;
type tmp_t;
type mono_exec_t;
type httpd_t;
type httpd_sys_script_t;
class process ptrace;
class sock_file { write create };
class sem create;
class file { read execute_no_trans };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:sem create;

#============= httpd_t ==============
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t mono_exec_t:file { read execute_no_trans };
allow httpd_t self:process ptrace;
allow httpd_t tmp_t:sock_file { write create };

Mono makes extensive use of a temp directory known as the wapi directory. You can specify your own temp directory in your httpd.conf file; otherwise the default, /tmp/.wapi, is used.

It took a while to discover that /tmp/.wapi needed different permissions. The best clue I could get from messages was:

Feb 8 08:43:32 carbon setroubleshoot: SELinux is preventing the mono from using potentially mislabeled files (mod_mono_server_global). For complete SELinux messages. run sealert -l a00a5946-cec1-4291-a410-e74c5f96edfd

This was corrected by running the command suggested by sealert:

restorecon -R -v /tmp/.wapi

Just as I thought I was finished, as the mono test application was finally working, I found additional errors in the /var/log/audit/audit.log. This policy was the fix:

module mynotify 1.0;

require {
type httpd_t;
type inotifyfs_t;
class dir read;
}

#============= httpd_t ==============
allow httpd_t inotifyfs_t:dir read;

Are we done yet? I sure hope so. I read elsewhere on the web that there is a plan to get the proper SELinux configuration into the mod_mono RPMs. Until that happens, I hope that this info will help you to get your mod_mono setup working.

Note: After rebooting, I had to relabel the temp and bin directory with these two commands:

restorecon -R -v /tmp/.wapi
chcon -t httpd_sys_content_t '/usr/bin/mono'

I'm currently looking for a better, permanent solution.