Thursday, November 29, 2018

Add additional context to SELinux

In this post we look at how to add an SELinux file context for our Orthanc binary storage directory.
$ sudo semanage fcontext -a -t etc_t -s system_u /opt/localdrive/orthancstorage

$ sudo restorecon -R -v /opt/localdrive/orthancstorage

Now we confirm it with the command below:
$ cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/opt/localdrive/postgres(/.*)?    system_u:object_r:postgresql_db_t:s0
/opt/localdrive/orthancstorage    system_u:object_r:etc_t:s0


Confirm the updated labels on the directory:
$ ls -laZ /opt/localdrive/orthancstorage
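
Added example (not part of the original post): file context patterns are matched against the whole path, so the two entries above do not cover the same things. This Python sketch, whose function names and sample paths are hypothetical and whose precedence handling is simplified, shows which paths each local entry labels.

```python
import re

# Constructed sample: the two entries from file_contexts.local shown above.
FILE_CONTEXTS_LOCAL = """\
# This file is auto-generated by libsemanage
# Do not edit directly.

/opt/localdrive/postgres(/.*)?    system_u:object_r:postgresql_db_t:s0
/opt/localdrive/orthancstorage    system_u:object_r:etc_t:s0
"""

def parse_entries(text):
    """Return (pattern, context) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # A spec is "pattern context" or "pattern file-type context".
        if len(fields) in (2, 3):
            entries.append((fields[0], fields[-1]))
    return entries

def local_label(path, entries):
    """Context a local entry assigns to path, or None if no entry matches.

    Patterns are matched against the whole path, hence fullmatch().
    Simplification: the last matching entry wins and file types are ignored.
    """
    label = None
    for pattern, context in entries:
        if re.fullmatch(pattern, path):
            label = context
    return label

def uncovered(paths, entries):
    """Paths that no local entry labels; they fall back to the base policy."""
    return [p for p in paths if local_label(p, entries) is None]

ENTRIES = parse_entries(FILE_CONTEXTS_LOCAL)
SAMPLE_PATHS = [                      # hypothetical paths under both trees
    "/opt/localdrive/postgres",
    "/opt/localdrive/postgres/base/16386/PG_VERSION",
    "/opt/localdrive/orthancstorage",
    "/opt/localdrive/orthancstorage/ab/cd/abcd1234",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", local_label(p, ENTRIES))
```

Giving the storage entry the same (/.*)? suffix as the Postgres entry would make it cover the files below the directory too.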

Wednesday, November 28, 2018

Fixing SELinux Warnings for Postgres after changing the data directory

We moved the postgres data directory from its default location /var/lib/pgsql/data to /opt/localdrive/postgres.

This started to produce lots of warnings in the SELinux audit logs. The Postgres service kept running because SELinux was in permissive mode, but it logged verbose warnings like the ones below.

$ sudo tail -f /var/log/audit/audit.log
type=AVC msg=audit(1543413248.637:5277): avc:  denied  { getattr } for  pid=5285 comm="postgres" path="/opt/localdrive/postgres/base/16386/PG_VERSION" dev="sdb1" ino=1725 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543413248.637:5277): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffef5d9e1f0 a2=7ffef5d9e1f0 a3=1 items=0 ppid=1314 pid=5285 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm="postgres" exe="/usr/bin/postgres" subj=system_u:system_r:postgresql_t:s0 key=(null)
type=PROCTITLE msg=audit(1543413248.637:5277): proctitle=706F7374677265733A206175746F76616375756D20776F726B65722070726F63657373202020
type=AVC msg=audit(1543413248.638:5278): avc:  denied  { write } for  pid=5285 comm="postgres" name="12730" dev="sdb1" ino=1263 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543413248.638:5278): arch=c000003e syscall=2 success=yes exit=5 a0=2947210 a1=2 a2=180 a3=50 items=0 ppid=1314 pid=5285 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm="postgres" exe="/usr/bin/postgres" subj=system_u:system_r:postgresql_t:s0 key=(null)
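
Added example (not part of the original post): a Python sketch that groups the AVC denials above by source type, target type and class, and joins each one to its SYSCALL record by event serial. The sample records are abbreviated from the excerpt above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: records abbreviated from the audit.log excerpt above.
AUDIT_LOG = """\
type=AVC msg=audit(1543413248.637:5277): avc:  denied  { getattr } for  pid=5285 comm="postgres" path="/opt/localdrive/postgres/base/16386/PG_VERSION" dev="sdb1" ino=1725 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543413248.637:5277): arch=c000003e syscall=5 success=yes exit=0 pid=5285 comm="postgres" exe="/usr/bin/postgres"
type=AVC msg=audit(1543413248.638:5278): avc:  denied  { write } for  pid=5285 comm="postgres" name="12730" dev="sdb1" ino=1263 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543413248.638:5278): arch=c000003e syscall=2 success=yes exit=5 pid=5285 comm="postgres" exe="/usr/bin/postgres"
"""

REC_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def kv(text):
    """Parse key=value and key="value" pairs into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse(log_text):
    """Return AVC denials, each joined to its SYSCALL record by event serial."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        if rtype == "SYSCALL":
            syscalls[serial] = kv(body)
        elif rtype == "AVC":
            d = AVC_RE.match(body)
            if d:
                rec = kv(d.group(2))
                rec.update(serial=serial, perms=d.group(1).split())
                avcs.append(rec)
    for rec in avcs:
        # success=yes on a denied access suggests the denial was only logged
        # (permissive mode, as in the post); None means no SYSCALL record.
        success = syscalls.get(rec["serial"], {}).get("success")
        rec["blocked"] = {"yes": False, "no": True}.get(success)
    return avcs

def summarize(log_text):
    """Map (source type, target type, class) -> sorted permissions denied."""
    groups = defaultdict(set)
    for rec in parse(log_text):
        stype, ttype = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
        groups[(stype, ttype, rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}
```

A target type of unlabeled_t on every denial points to missing file labels on the new data directory rather than a missing policy rule, which is what the relabel in the next step addresses.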


To fix this, we had to perform a number of steps:

Add an SELinux file context for the new Postgres data directory and relabel it:
$ sudo semanage fcontext -a -t postgresql_db_t "/opt/localdrive/postgres(/.*)?"

$ sudo restorecon -R -v /opt/localdrive/postgres


Restart the Postgres service:
$ sudo service postgresql restart


Now the audit "denied" logs are gone!

Tuesday, October 23, 2018

Installing Standalone Viewer of OHIF


You can install an OHIF Simple Viewer by following the steps below:

1) Install Meteor
$ curl https://install.meteor.com/ | sh


2) Clone the Viewers repository
$ git clone https://github.com/OHIF/Viewers.git

 
3) Go to the SimpleViewer directory
$ cd Viewers/StandaloneViewer/StandaloneViewer/


4) Run the Standalone viewer
$ METEOR_PACKAGE_DIRS="../../Packages" meteor --settings ../../config/dcm4cheeDIMSE.json

Make sure that your JSON file consisting of the URLs of DICOM images (i.e., series instances) is placed inside the directory Viewers/StandaloneViewer/StandaloneViewer/public
as in
Viewers/StandaloneViewer/StandaloneViewer/public/big.json
 
5) Access the viewer from the browser.
You may access it at localhost:3000, followed by the URL of a JSON file listing the DICOM images.
http://localhost:3000/?url=https://raw.githubusercontent.com/OHIF/Viewers/master/StandaloneViewer/StandaloneViewer/private/testData/PTCTStudy.json
or access your local JSON files listing the DICOM instances, as in,
http://localhost:3000/?url=big.json

Wednesday, September 26, 2018

Restaurant Scams in Atlanta

This weekend we had dinner at an Indian restaurant. My bill came as 37$ for the food we consumed for 29$ (11+ 15 + 3). The additional 8$ includes the sales tax and 20% service charge. (We were a group - but asked for individual bills). Since there was already a 20% service charge, I put 0$ on the tip. I clearly also indicated 37$ as the total in the bill (37 + 0.00 = 37).


Initially, my bank showed 37$ as pending. Now it shows 43$ as the completed amount. Mistakenly, or intentionally, the restaurant charged 6$ as the tip. I have a hard time believing this is an honest mistake, since I also wrote down the total amount as 37$, after putting 0$ under the tip.


Also, a 20% service charge for a lousy service was not something I was planning to do. The food was below average too - and overpriced. Of course, from the menu, it looked 29$ for two, and with sales tax and 20% mandatory service charge, it came to 37$. Add the 20% service charge, why would I pay another 6$ to make a 40% tip in total for this below-average experience? Seriously?!


I have disputed this additional 6$ charge with my bank. The bank said, generally, they charge for the disputes, though they can make it free for me this time since this is my first dispute. However, they recommended that I contact the restaurant and resolve this dispute with them.


So I called them. Judging from the voice, the first guy to answer the call was the waiter who served us (the second one). I explained to him my situation. He insisted I visit the restaurant with the bill to get a refund. He pretended that he could not find their copy of the receipt, while I was waiting for him searching through the records. He also verified what I had, where we sat down, and how much each cost, etc. Like security questions. :P I told him "I am busy to come to the restaurant to get the refund." when he repeated as if that is the only way. He said, "come on, you have time to call for 6$, and you tell me you are busy?" sarcastically. His intention was to shame me and make me give up. Now I realized he was the one who intentionally made the 0 to 6$ to get the 6$ for himself. I told him that I have already disputed this with the bank. Then he said, "Ok, give me your name and phone number. We will call you back if we find out what you say is correct". Then he also asked me to spell my name! Come on. :D He was also very unapologetic.


Within a few minutes, they called back. This time it must be a senior or a manager. He was polite and apologetic, and he accepted that it was their mistake. He said, "Your zero gave the one who entered to put a 6" (not sure what he meant. Did he mean the employee was a fraud or was it an honest mistake? It was unclear). He said they would send me a cheque for the 6$.

Update: I received a cheque from the restaurant on the 28th/Friday, 3 days from the 25th/Tuesday since I complained. This issue is resolved!


Anyway, lesson learned. Next time, I would not put 0.00 $ and write the same amount down, if I choose not to tip. I always tip. But not when a 20% service charge is already added to my bill. I would make sure just to cut the section standing for "tip" if I were to give no tip!

Luckily I paid attention. I am not sure how many customers lost their money to this scam.


Summary
1. Keep your receipts safe, especially when the waiter takes your card away from your view, and especially when there is a potential for them to seek a tip from your card.

2. Check your bank accounts online every day, and keep track of the balance, to make sure there are no weird transactions.

3. Report to the bank instantly if you find something weird.

4. Be extra vigilant if you are a tourist. You cannot spend time and money making international calls, and your bank may have limited control over a foreign transaction. Also, if your transaction is in a different currency, it will make the things even more complicated. If I were not living in Atlanta, even if they send me a cheque, I won't be able to receive it anyway - giving me no choice other than to give up.

Monday, September 17, 2018

Configuring Orthanc with Postgres backend with a network data directory

So we have configured Orthanc with a Postgres backend. To support a large-scale data store, we mapped a network directory as the data directory of Postgres. Then we configured Orthanc to have Postgres as its backend data store, instead of its default SQLite backend, using the Postgres plugin. There is also an option for a MySQL/MariaDB backend, which we found to be unstable with MySQL in a network directory.

However, since we have configured Postgres in a network directory, we have to make sure everything is running fine. Unfortunately, when we reboot, the network directory often does not mount on its own. Therefore, despite our configuration to start Postgres and Orthanc at boot time, they both fail.

Data directory inaccessible → Postgres fails to start. Postgres fails to start → Orthanc fails to start.

We have to configure the services below in CentOS, in this order.

1) Postgresql
$ sudo systemctl start postgresql

$ sudo systemctl enable postgresql

$ sudo systemctl status postgresql

● postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-09-17 14:46:41 EDT; 11min ago
 Main PID: 2655 (postgres)
   CGroup: /system.slice/postgresql.service
           ├─2655 /usr/bin/postgres -D /opt/pacs/postgres -p 5432
           ├─2657 postgres: logger process
           ├─2701 postgres: checkpointer process
           ├─2702 postgres: writer process
           ├─2703 postgres: wal writer process
           ├─2704 postgres: autovacuum launcher process
           ├─2705 postgres: stats collector process
           ├─2754 postgres: postgres orthanc ::1(48534) idle
           └─2755 postgres: postgres orthanc ::1(48536) idle

Sep 17 14:45:59 HOST.NAME systemd[1]: Starting PostgreSQL database server...
Sep 17 14:45:59 HOST.NAME pg_ctl[2652]: pg_ctl: another server might be running; trying to start server anyway
Sep 17 14:46:41 HOST.NAME systemd[1]: Started PostgreSQL database server.


2) Orthanc
$ sudo systemctl start orthanc

$ sudo systemctl enable orthanc

$ sudo systemctl status orthanc

● orthanc.service - Orthanc DICOM server
   Loaded: loaded (/usr/lib/systemd/system/orthanc.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-09-17 14:47:14 EDT; 8min ago
     Docs: man:Orthanc(1)
           http://www.orthanc-server.com/
 Main PID: 2753 (Orthanc)
   CGroup: /system.slice/orthanc.service
           └─2753 /usr/sbin/Orthanc /etc/orthanc/orthanc.json

Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.399045 ServerContext.cpp:167] Reloading the jobs from the last execution of Orthanc
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.399776 JobsEngine.cpp:281] The jobs engine has started with 2 threads
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.400023 ServerContext.cpp:293] Disk compression is disabled
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.400050 ServerIndex.cpp:1437] No limit on the number of stored patients
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.400490 ServerIndex.cpp:1454] No limit on the size of the storage area
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.400995 LuaContext.cpp:103] Lua says: Lua toolbox installed
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.403966 main.cpp:848] DICOM server listening with AET BMIPACS on port: 4242
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.404382 MongooseServer.cpp:1087] HTTP compression is enabled
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.405872 MongooseServer.cpp:1001] HTTP server listening on port: 8042 (HTTPS encryption is disabled, remote access is allowed)
Sep 17 14:47:15 HOST.NAME Orthanc[2753]: W0917 14:47:15.405915 main.cpp:667] Orthanc has started






To clean the data from Orthanc entirely

The easy way is to drop the Orthanc database.

First connect to the postgres client:
$ psql -U postgres
Password for user postgres:
psql (9.2.24)
Type "help" for help.


postgres-# \l
                                 List of databases
   Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges
-----------+----------+----------+------------+------------+-----------------------
 dcm4chee  | dcm4chee | UTF8     | en_US.utf8 | en_US.utf8 |
 mytest    | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 orthanc   | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 postgres  | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 template0 | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
           |          |          |            |            | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
           |          |          |            |            | postgres=CTc/postgres
 testtest  | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
(7 rows)

Then connect to a different database, so that the Orthanc database can be dropped:
orthanc=# \c mytest
You are now connected to database "mytest" as user "postgres".

mytest=# drop database orthanc;
ERROR:  database "orthanc" is being accessed by other users
DETAIL:  There are 2 other sessions using the database.

Yes, first we need to stop Orthanc!

[root@researchpacs postgres]# systemctl stop orthanc

Now drop the database. 
mytest=# drop database orthanc;
DROP DATABASE
mytest=#

Create the database again.

mytest=# create database orthanc;
CREATE DATABASE

Now you may start Orthanc again!

[root@researchpacs postgres]# systemctl start orthanc



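You can also access your data via a browser, using the HTTP port. As the startup log above shows, HTTPS encryption is disabled and remote access is allowed on this port: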

http://HOST.NAME:8042/app/explorer.html