Snort a Sprocket

(So Little) Oil Just Out of Reach

2010-06-01T00:00:00-04:00

I’m really tired of people and pundits going on and on about how we have so much oil that just can’t be reached because the mean old government won’t let the oil companies drill for it. Remember “Drill, Baby, Drill”? ANWR? Yeah, that.

FOX Business News correspondent John Stossel is the latest to blame the government for keeping all those precious lands oil-rig free, all the while pushing the oil companies into dangerous deepwater exploration.

[Former Shell President John Hofmeister is] right. More than 50% of Western land is owned by the federal government. But 75% of that is off limits or restricted for private drilling. Land that the government estimates contains 20 billion barrels. If government would just step out of the way and let people drill, oil companies wouldn’t have to go so far offshore!

Well, the truth is that the oil companies were going to go deep-sea drilling at some point anyway, even if they could have gotten permission to drill on government land. They’re just there sooner, but the main reason they are there has less to do with the government than our insatiable demand for “Texas tea”.

20 billion barrels sure sounds like a lot until you put it in perspective up against what the United States consumes. According to the US Energy Information Adminstration’s summary page, we as a country consume 19.5 million barrels a day. At that rate, 20 billion barrels will give us an extra 2.8 years of oil.

So, even if the government “stepped out of the way”, it will cost a lot of money and time to get those oil wells online and producing, and there will be an environmental cost. And after all that, you’ll have a little less than three years of oil to show for it. Those consumption figures were current as of 2009; by the time we have those hypothetical rigs online, who knows where are consumption will be? Even if consumption were to stay flat or decrease, will the rest of the developing world curb their nascent appetites? (Mumble mumble China mumble.)

Is having an extra three years of oil worth spoiling precious natural resources? According to this chart, the entire Gulf of Mexico is estimated as having only 3.5 billion barrels total. That’s enough to last a paltry 177 days at the US’s current rate of consumption.

While we’re doing some number crunching, let’s think about those thousands of barrels of oil that are currently spewing into the Gulf of Mexico from the foundered Deepwater Horizion. The government estimates—conservatively—that the flow rate is 19,000 barrels of oil a day. At that rate, as of this writing, over 800,000 barrels have spilled in the Gulf of Mexico. It’s a spill so large it’s easily visible from space. It’s going to ruin coastal fishermen’s livelihoods, kill wildlife, and spoil the coastlines of several states. But had we been able to use the oil that’s been spilled, it would only equal the amount of oil that the entire US consumes in a single hour. ONE. LOUSY. HOUR.

The idea that somehow we could ever become energy independent on producing our own oil alone is a complete crock unless we learn to do with a lot less of the stuff and look for more sustainable resources. Oil is not the final answer, and if we act like it is, we’re going to be in a heap of trouble when the wells run dry and we have nothing to show for it.

o

2010-04-12T00:00:00-04:00

Meanwhile, Jonna Lee has deleted her accounts on Facebook and Twitter because

she is undergoing a radical metamorphosis, or
she’s sick of everyone assuming that she’s iamamiwhoami, or
sunspots.

Pick one. Whatever the reason, I’m loving this video and viral video series.

I Am... Mandragora Officinarum

2010-04-09T00:00:00-04:00

“To whom it may concern.”

I have really been enjoying watching the viral campaign for iamamiwhoami unfold since the beginning of this year. If you haven’t already seen the videos that have been released, you owe it to yourself to go and watch them in chronological order, especially if you like music described as “ethereal”, “odd”, “otherworldly”, and “dark”.

However, with a single release on iTunes for “b”, and a forthcoming single called “o” available on 11 April 2010 via Amazon MP3, it looks like the mystery is finally drawing to a close. I, along with most of the other folks following the evolution of the campaign, believe that she is the alter ego or side project of Swedish singer Jonna Lee. After all, Jonna’s picture in Wikipedia looks like this picture from iamamiwhoami’s Twitpic. Also, why would Jonna need an inflatable pool full of mud if not to romp around in like the pre-born version of iamamiwhoami?

Whatever the case, she promises to reveal herself to the world if she gets 10,000 followers on Twitter by the 15th of April. I’m looking forward to it.

Incidentally, I’ve enjoyed discovering Jonna Lee (as herself). I really dig her song “Lake Chermain” from her most recent album This is Jonna Lee, as well as “I Wrote This Song” her début 10 pieces, 10 bruises. Finally: check out her haunting, sparse cover of “Violent Playground” by Nitzer Ebb.

UPDATE: I should note that synth Goddess Tara Busch of AnalogSuicide.com has made a remix of “b”.

Hell

2010-04-06T00:00:00-04:00

LAUNCELOT: Nay, indeed, if you had your eyes, you might fail of the knowing me: it is a wise father that knows his own child. Well, old man, I will tell you news of your son: give me your blessing: truth will come to light; murder cannot be hid long; a man’s son may, but at the length truth will out.

— Shakespeare
The Merchant of Venice
Act II, Scene 2

I was ordered to go in there and destroy the enemy. That was my job that day. That was the mission I was given. I did not sit down and think in terms of men, women and children. They were all classified as the same, and that’s the classification that we dealt with over there, just as the enemy. I felt then and I still do that I acted as I was directed, and I carried out the order that I was given and I do not feel wrong in doing so.

— 2nd Lt. William Calley
spoken during his murder trial
for his role in the My Lai Massacre

There is no question that coalition forces were clearly engaged in combat operations against a hostile force.

— Lt. Col. Scott Bleichwehl
Spokesman for the multinational forces in Baghdad
13 July 2007, one day after the engagement

Well it’s their fault for bringing their kids into a battle.

— Unknown US soldier
regarding children who were wounded during an engagement on 12 July 2007

During this engagement, US Soldiers killed over a dozen civilians including two journalists for Reuters. The civilians were believed to be hostile forces armed with RPG launchers. Over the past two and a half years, Reuters’ requests for the footage of the incident under the Freedom of Information Act had not been granted by US Military, who said as recently as last week that they were still processing the request.

On 5 April 2010, WikiLeaks released the footage obtained by military whistleblowers. It’s as horrifying as you’d expect.

This is the inevitable consequence of war. To those of you who advocated for it in 2002 and continue to do so today, I have to ask: how do you sleep at night?

Sadly, Not an April Fool's Joke

2010-04-01T00:00:00-04:00

Behold: Teabonics.

219-212

2010-03-22T00:00:00-04:00

I think I fell in love with America… all over again.

Meanwhile, a cursory glance at FreeRepublic, RedState and GOP.com will shows that we haven’t even hit peak butthurt yet.

Also: it’s too bad he wasn’t here to see it.

Finally, I’d be remiss to not have fun with this:

If weâ€™re able to stop Obama on [Health Care Reform] it will be his Waterloo. It will break him.

Rep. Jim DeMint (R-SC), July 2009

Jim, this is for you.

Passenger Phusion (aka mod_rails) and SELinux

2010-03-17T00:00:00-04:00

Unfortunately SELinux is so incredibly complex that few people understand it. If anybody can contribute proper SELinux support or tell me what Phusion Passenger is supposed to do to make it play nice with the default policies, then that would be greatly appreciated.

Hongli Lai, principal author of Phusion Passenger, in a mailing list post

At my day job, I’ve been tasked with deploying an application based on the Sinatra framework on one of our production webservers. Because we are a CentOS shop, and Apache is the path of least resistance, I chose to deploy the application using Passenger Phusion, also known as mod_rails.

A colleague of mine set Passenger up pretty easily on our test/QA server, and, after mutually flogging the Apache configuration, got the Sinatra app up and running. We ran the application through QA, and after a week or two, decided that we’d like to beta test this on our actual production server.

We repeated the same steps to get Passenger installed, but this time, nothing worked at all. Trying to hit the web application returned 403 Forbidden. Weird.

Then I remember a salient difference between our test environment and production: SELinux was enabled and enforced on our production system, but not on our QA server. Uh oh. Sure, we could have just disabled SELinux (an easy fix), but then we wouldn’t benefit from SELinux itself. Plus, everything else was running just fine with SELinux enabled, so why shouldn’t Passenger?

Down the RabbitRat Hole

The Passenger “documentation for Apache” notes that you have to set the context of the Passenger codebase
to httpd_sys_content_t. I followed the directions, and things still didn’t work. No problem, I thought, I’ll just turn SELinux down to permissive mode so I can get the audit messages and use audit2allow to make a policy for Passenger! Sensing I had a slam dunk idea, I did just that, generated my own Passenger policy, and … nothing. For some stupid reason, the Passenger backend process kept dying, leading to messages in /var/log/httpd/error_log like these:

[Wed Mar 17 15:39:54 2010] [error] * Passenger could not be initialized because of this error: Could not connect to the ApplicationPool server: Connection reset by peer (104)

Googling on that error message led me to some lame comments, so I decided to dig into SELinux itself. Lo and behold, the Fedora Project have an excellent FAQ on SELinux, which included something that I suspected might be happening:

Q: I get a specific permission denial only when SELinux is in enforcing mode, but I don’t see any audit messages in /var/log/messages (or /var/log/audit/audit.log if using the audit daemon). How can I identify the cause of these silent denials?

A: The most common reason for a silent denial is when the policy contains an explicit dontaudit rule to suppress audit messages. The dontaudit rule is often used this way when a benign denial is filling the audit logs.

To look for your particular denial, enable auditing of all dontaudit rules:

semodule -b /usr/share/selinux/targeted/enableaudit.pp

Well, it turns out that one of the dontaudit rules governed the reading from and writing to UNIX stream sockets that Passenger uses to talk to its backend. It also seemed to screw up the backend’s ability to set its own signal handlers.

Anyways, after one last run of audit2allow, I had a working policy.

tl;dr – The Phusion Passenger SELinux Policy

Here it is.

module passenger 1.0;
require {
        type httpd_tmp_t;
        type devpts_t;
        type httpd_sys_script_t;
        type security_t;
        type httpd_t;
        type unconfined_t;
        type selinux_config_t;
        type hi_reserved_port_t;
        type httpd_sys_content_t;
        type var_t;
        type cert_t;
        class file { getattr read create append };
        class process { siginh signal noatsecure rlimitinh };
        class unix_stream_socket { read write shutdown };
        class chr_file { read write };
        class capability { setuid dac_override chown fsetid setgid fowner };
        class fifo_file { setattr create getattr unlink };
        class sock_file { write getattr setattr create unlink };
        class lnk_file { read getattr };
        class udp_socket name_bind;
        class dir { write read search add_name };
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t cert_t:dir search;
allow httpd_sys_script_t cert_t:file { read getattr };
allow httpd_sys_script_t cert_t:lnk_file read;
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_sys_content_t:fifo_file setattr;
allow httpd_sys_script_t httpd_sys_content_t:sock_file { create unlink setattr };
allow httpd_sys_script_t httpd_t:unix_stream_socket { read write };
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
allow httpd_sys_script_t httpd_tmp_t:sock_file { write create unlink setattr };
allow httpd_sys_script_t self:capability { setuid chown fsetid setgid fowner dac_override };
allow httpd_sys_script_t unconfined_t:process signal;
allow httpd_sys_script_t var_t:dir { write read add_name };
allow httpd_sys_script_t var_t:file { read getattr create append };
#============= httpd_t ==============
allow httpd_t hi_reserved_port_t:udp_socket name_bind;
allow httpd_t httpd_sys_content_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_sys_content_t:sock_file { getattr unlink setattr };
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };
allow httpd_t httpd_sys_script_t:unix_stream_socket { read write shutdown };
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { getattr unlink setattr };
allow httpd_t security_t:dir search;
allow httpd_t self:capability { fowner fsetid };
allow httpd_t selinux_config_t:dir search;
allow httpd_t var_t:file { read getattr };
allow httpd_t var_t:lnk_file { read getattr };

To install this policy on your SELinux enabled box:

Copy and paste the above policy into a file called passenger.te.
Run checkmodule -M -m -o passenger.mod passenger.te.
Run semodule_package -o passenger.pp -m passenger.mod.
Finally, to install the policy, run semodule -i passenger.pp.

Final Thoughts

Having a working policy is great if you want to make things go, but it begs the following questions:

Is the policy for Passenger that I’ve generated insecure? How can it be improved?
Are there any ways that Passenger Phusion could be improved to fit into the RHEL/Fedora/CentOS base SELinux policy without having to go through such gymnastics, or is this the norm for applications built on Apache?

As Rails and Ruby have been slowly moving into “enterprisey” shops, it would seem that getting it to play nice with the largest commercial Linux distribution would be a priority for, well, someone. Unfortunately, Ruby has had a history of being being second-class at RedHat; after all, RHEL is still using 1.8.5, which was originally released in 2006, and many things—one being Rails—recommend if not require at least 1.8.7.

RedHatters and SELinux gurus: the ball is in your court, now.

"About" to "Antikythera"

2010-02-26T00:00:00-05:00

Ten songs listened to this morning by yours truly, in alphabetical order.

“About to Happen”, Siouxsie
“Adnan’s”, Orbital
“Adventures in Solitude”, The New Pornographers
“Again Today / Hiding My Heart”, Brandi Carlile
“All That I’m Good For”, Hem
“All That Makes Us Human Continues”, BT
“All the Old Showstoppers”, The New Pornographers
“All of the Things That Go to Make Heaven and Earth”, The New Pornographers
“Ambassador”, Noe Veneble
“The Antikythera Mechanism”, BT

This idea was gleefully stolen from Slacktivist, which itself is an alternate version of a the “it’s-Friday-Morning-so-post-the-next-ten-random-songs-played-on-your-iPod” meme.

Yes, Let's Talk About the Individual Mandate

2010-02-15T00:00:00-05:00

Did you know that the same individual mandate that Senate Republicans have been recently attacking in the proposed health care reform legislation was initially proposed by Republican lawmakers as a part of an alternate bill during Clinton’s failed health care reform initiative in 1993? Neither did I.

Digging around on this, I found an article from the American Prospect by Paul Starr that was written just after the collapse of that initiative. He notes that

The collapse of health care reform in the first two years of the Clinton administration will go down as one of the great lost political opportunities in American history. It is a story of compromises that never happened, of deals that were never closed, of Republicans, moderate Democrats, and key interest groups that backpedaled from proposals they themselves had earlier co-sponsored or endorsed.

It is also a story of strategic miscalculation on the part of the president and those of us who advised him. In 1993, 23 Republican senators, including then-Minority Leader Robert Dole, cosponsored a bill introduced by Senator John Chafee that sought to achieve universal coverage through a mandate that is, a mandate on individuals to buy insurance. Nearly every major health care interest group had endorsed substantial reforms—grandiose ones, in fact. The American Medical Association (AMA) and Health Insurance Association of America (HIAA), the two great, historic bastions of opposition to compulsory health insurance, both went on record in support of an employer mandate and universal coverage. Even the U.S. Chamber of Commerce endorsed an employer mandate, as did many large corporations. Other groups came out variously for reform options that ran along a spectrum from Canadian-style, single-payer programs on the left to managed competition and medical savings accounts and radical changes in tax policy on the right. Under the circumstances, it was easy to believe the country was ready for substantial reform and that a market-oriented, consumer-choice approach to universal coverage, positioned in the center, could become a platform for consensus.

It was easy to believe, but it turned out to be wrong.

Read the whole thing if for no other reason then to be reminded that the seeds of political nihilism were sown far earlier than you may want to imagine.

WTF, Whole Foods?

2010-02-05T00:00:00-05:00

Making Light:

[F]amously-crackpot Whole Foods CEO John Mackey has now made himself sufficiently repellent that I very much doubt Iâ€™ll ever feel like spending a dime in one of his stores again. Not content with peddling rich-guy â€œlibertarianâ€ attacks on health-care reform, asserting that climate change is a fraud designed to â€œraise taxes and increase regulation, and in turn lower our standard of living and lead to an increase in poverty,â€ comparing unionization to herpes, and getting caught playing sockpuppet games on financial message boards, Mackey is nowâ€¦charging his employees more for food if they fail to meet his arbitrarily-chosen cholesterol, blood pressure, and body-mass index criteria.

The original article at Jezebel dryly observes:

Because if public health research has taught us anything, it’s that reducing people’s buying power totally makes them healthier. Stay classy, Whole Foods.