[K12OSN] How to enable USB devices in K12LTSP

Alain Reguera Delgado alain.reguera at gmail.com
Sun Jan 4 21:30:11 UTC 2015 

On 1/3/15, Barry R Cisna <brcisna at eazylivin.net> wrote:
> You have tried 2 or 3 usb sticks on a client,correct?

That is correct. The usb sticks I am using for testing purposes work
in the server as expected. They also worked as expected on the thin
clients when the server had K12Linux (based on Fedora 10) installed.

> Also disable SeLinux and reboot server.

Done for testing purposes.

> You do have iptables turned off at boot correct?

No I didn't, but done now for testing purposes. To do this, I first
unplugged the external interface cable.

> Providing you have user al added(which it looks like al is in fuse
> group)  to the fuse group  usb sticks should show an icon on desktop
> when plugged in.

I really wish it does, but it doesn't.

> One other thing.
> You did have a group fuse without manually adding this group to the
> server,correct?

Yes. That is correct. The fuse group was there right after installing
the system. There is no fuse user, just a fuse group.

> Let us know your progress.

No USB icon in the desktop so far after plug a memory stick in a thin
client where I've successfully logged in with a username that is in
the fuse group. I've made the same tests in different clients (of
identical model) and nothing. So, I set SELinux to enforcing mode
again and enabled IPtables at boot time again. Then restarted the
server and plugged the external interface cable in to send this
message.

Beyond testing purposes, is there any particular reason to fully
disable SELinux (or even put it in permissive mode) when no denial
message is reported in the /etc/audit/audit.log file?

Beyond testing purposes, is there any particular reason to fully
disable IPtables when the internal interface is accepting everything
from the internal network, and thin clients boot up and allow users to
do login successfully on them?

As far as I know, the local devices' mount process takes place through
fuse, which is executed as the root user. If this is correct, and
SELinux doesn't report any issue, there must not be any user-related
permission issue, I guess. Some of the directories that might be
affected by any type of user/selinux-related permission issue could be
the following (or, could them be others?):

drwx------  al   al   system_u:object_r:user_home_dir_t /home/al
drwxr-xr-x  al   al   user_u:object_r:user_home_t      /home/al/Drives/
drwxr-xr-x  root root system_u:object_r:mnt_t          /media/

In the package filtering side of things, I've configured IPtables to
ACCEPT all the packages in the INPUT of the internal interface (eth0)
where the thin clients are connected to. However, I am DROPing all
packages in the INPUT of the external interface (eth1) except those
packages that have been generated from the host itself. In the case of
OUTPUT and FORWARD rules they are both ACCEPTed for internal and
external interfaces. See the output of iptables -L -n -v command
below:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
 1348 1733K ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0
 2281 1722K ACCEPT     all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
  144 30506 Internet_services  all  --  eth1   *       0.0.0.0/0
     0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
 1348 1733K ACCEPT     all  --  *      lo      0.0.0.0/0
0.0.0.0/0
 2438 2668K ACCEPT     all  --  *      eth0    0.0.0.0/0
0.0.0.0/0
   83 12176 ACCEPT     all  --  *      eth1    0.0.0.0/0
0.0.0.0/0

Chain Internet_services (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 255
   23 19604 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED
  121 10902 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           reject-with icmp-host-prohibited

Would it be in the /etc/exports file?

## LTSP-begin ##
#
# The lines between 'LTSP-begin' and 'LTSP-end' were added
# on: vie ene  2 15:18:15 2015, by the ltspcfg configuration tool.
# For more information, visit the LTSP homepage
# at http://www.LTSP.org
#

/opt/ltsp                 192.168.0.0/255.255.255.0(ro,no_root_squash,sync)
/var/opt/ltsp/swapfiles   192.168.0.0/255.255.255.0(rw,no_root_squash,async)

## LTSP-end ##

Would it be in the /opt/ltsp/i386/etc/ltsp.conf file (comments and
empty lines removed from output)?

[Default]
        SERVER             = 192.168.0.254
        XRAMPERC = 90
        XSERVER            = "auto"
        X4_MODULE_01 = glx
        X_MOUSE_PROTOCOL   = "auto"
        X_USBMOUSE_PROTOCOL = "auto"
        X_MOUSE_DEVICE     = "/dev/psaux"
        X_USBMOUSE_DEVICE   = "/dev/input/mice"
        X_MOUSE_RESOLUTION = 400
        X_USBMOUSE_RESOLUTION = 400
        X_MOUSE_BUTTONS    = 3
        X_USBMOUSE_BUTTONS   = 3
        USBEMULATE_3_BUTTONS = "off"
        XkbSymbols         = "us(pc101)"
        XkbModel           = "pc101"
        XkbLayout          = "us"
        USE_XFS            = N
        LOCAL_APPS         = N
        SCREEN_01          = startx
        LOCAL_STORAGE = Y
        LTSPFSD_OPTIONS=""
        HOTPLUG = Y
        SOUND              = Y
        SOUND_DAEMON       = "esd"
        VOLUME             = 75
[ws002]
     PRINTER_0_DEVICE = /dev/lp0
     PRINTER_0_PORT   = 9100

Somewhere else?

More information about the K12OSN mailing list