MAL - Memória Auxiliar do Lutieri

terça-feira, janeiro 03, 2012

Studying for RHSCA and RHCE

My recent posts were about things that I was playing around and are related to topics that are covered in RHSCA and RHCE exams.

I'm preparing myself to take this exams in february/2012 and I need some place to store my notes. Here you will find small tips, tricks, common switches, commands, etc. This is all stuff that I need to know in order to succeed the exams. And it's also stuff that I know I have to play with and write down to help memory retain the information.

let the show begin....


  • Querying RPMs
rpm -qi xxx -> query info. same as yum info xxx
rpm -q --scripts xxx -> query scripts
rpm -ql xxx -> list of files inside the rpm.


any of the above can also have the -p switch. this will consider the xxx as a local rpm file. not an installed package

rom -qf /sbin/service -> will show which packege contains the /sbin/service file
rpm -qa -> query all installed packages


  • Extract files from rpm:
rpm2cpio xxx | cpio -idmv 

if you run rpm -qlp xxx and see the one file that you want you can extract it running the following:

rpm2cpio xxx | cpio -idmv ./etc/apt/sources.list.d/rpmforge-extras.list


Please don't forget the dot in front of the filename. otherwise no files will be extracted.

  • Querying installed packages

If you want to know if a package is installed use:

yum list "*http*"

It will list the Installed Packages and also the Available Packages. Yum list only search for the packages name. Yum search searches also in the description of the package.

  • Installing RPMs
yum localinstall xxx.rpm works just like rpm -ivh xxx.rpm but will also solve the dependencies if necessary.


  • Creating RPMs

yum install rpm-build make -y
mkdir -p /usr/src/lutieri/{BUILD,RPMS,SOURCES,SPECS,SRPMS,tmp}
cd /usr/src/lutieri/
mkdir sample
cd sample/
touch first_file second_file keys config_file
cd ..
tar -cf sample.tar.gz sample/
mv sample.tar.gz SOURCES/

create a spec file in SPECS: run vim foo.spec -> vim will load a template for you :-D

rpmbuild -v -bb SPECS/sample.spec
OR

rpmbuild -v -bb --sign SPECS/sample.spec

the former example works if you have the rpmmacros set correctly. then the package will be built and signed.

Instead of creating all those directories, create the .spec file and run with rpmbuild. it will create all the directory structure in ~/rpmbuild/. then move the .spec to ~/rpmbuild/SPECS and the tar to ~/rpmbuild/SOURCES and run rpmbuild again against the .spec.

OR

Install rpmdevtools and run rpmdev-setuptree. This will also create the folder structure in the home directory



in the SPEC file , under the sessino %files you should specify every file that this package is responsible for.
%files
%defattr(-,root,root,-)
%dir /root/package
%attr(755,root,root) /root/package/script.sh

Instead of use cp to copy files to a specific location, use install -D

  • Signing a package

gpg-agent --daemon
gpg2 --gen-keys
gpg2 --list-keys
gpg2 --export -a lutieri2 > RPM-GPG-KEY-lutieri2
su -
rpm --import /home/lutieri/RPM-GPG-KEY-lutieri2
exit
vim ~/.rpmmacros
%_signature gpg
%_gpg_name lutieri2
rpm --addsign rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm
rpm --resign rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm
rpm --checksig rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm

Run man rpm and search for macro.. this will show you what goes inside the .rpmmacros files.


all the keys imported into RPM DB are considered packages. take a look:
rpm -q gpg-pubkey --qf "%{name} - %{version} - %{release} -> %{summary}\n"
gpg-pubkey - c105b9de - 4e0fd3a3 -> gpg(CentOS-6 Key (CentOS 6 Official Signing Key) )
gpg-pubkey - 8cee003f - 4f03b71a -> gpg(lutieri )
gpg-pubkey - cf7fe955 - 4f03bacf -> gpg(lutieri2 )

rpm -qa gpg-pub*
gpg-pubkey-cf7fe955-4f03bacf
gpg-pubkey-8cee003f-4f03b71a
gpg-pubkey-c105b9de-4e0fd3a3

thus, to remove lutieri2 key. issue:


rpm -e gpg-pubkey-cf7fe955-4f03bacf





  • Create a repository:

yum install -y createrepo
mkdir /opt/myrepo
mv *.rpm /opt/myrepo
createrepo /opt/myrepo
vim /etc/yum.repos.d/lutieri.repo
[lutieri]
Baseurl=file:///opt/myrepo
name=lutierirepo
enabled=1

man yum.conf shows you the options that goes in the .repo files.

If later on you add new RPMs to the directory run the following to update de metadata:
createrepo -update /opt/myrepo 


--------------------------------------------------

Network

on ifcfg-* files, the option NM_CONTROLLED="NO" will not allow network manager to manage this interface

Bonding:
vim /etc/modprobe.d/bonding.conf
alias bond0 bonding

To find out what options are necessary in the master interface do the follwing
find /usr/share/doc/kernel-doc* -iname "bond*"

less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/bonding.txt

miimon is required as well as mode. Mode 1=rr, 2=active/passive 3=broadcast

Master:
vim /etc/sysconfig/network-scripts/ifcfg-bond0

TYPE=Ethernet
DEVICE=bond0
BOOTPROTO=none
IPADDR=1.1.1.1
NETMASK=255.255.255.0
USERCTL=yes
IPV6INIT=no
ONBOOT=yes
BONDING_OPTS="miimon=100 mode=0"




Slaves:
vim /etc/sysconfig/network-scripts/ifcfg-eth0

TYPE=Ethernet
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes




If you wanna see if the options in BONDING_OPTS were applied, take a look in
[root@zeus ~]# cat /sys/class/net/bond0/bonding/miimon
100
[root@zeus ~]# cat /sys/class/net/bond0/bonding/mode
balance-rr 0



--------------------------------------------------
File Systems

palimpsest

it's a graphic utility to manage disks.


TIP:

fdisk -cul /dev/?d?

it lists all disk devices.



LUKS - Linux Unified Key Setup
make sure you have the partition unmount

Format the partition to be encrypted:
cryptsetup luksFormat /dev/sdb1

Open the FS and give it a name:
cryptsetup luksOpen /dev/sdb1 hiddenData

Format it to use:
mkfs.ext4 /dev/mapper/hiddenData

Use it:
mkdir /mnt/hiddenData
mount /dev/mapper/hiddenData /mnt/hiddenData
touch /mnt/hiddenData/file1

Lock it after use:
umount /mnt/hiddenData
cryptsetup luksClose /dev/mapper/hiddenData

Make it the mounting persistent after reboot:
vim /etc/crypttab
hiddenData     /dev/sda2  none

none means you will have to type the password during boot. any other value is interpreted as a file that contains the password for the FS

vim /etc/fstab
/dev/mapper/hiddenData /mnt/hiddenData  ext4 defaults 0 0 


To avoid being prompted for a password you can create a key, save it in a file and use this key to open the device:

vim /etc/key
type anything in there

chmod 400 /etc/key
cryptsetup luksAddKey /dev/vda5 /etc/key
cryptsetup luksDump /dev/vda5


vim /etc/crypttab
hiddenData      /dev/sda2 /etc/key

------------------

iSCSI


doc under: /usr/share/doc/iscsi*/README

# yum install -y iscsi-initiator-utils


# iscsiadm -m discovery -t st -p 192.168.56.101
192.168.56.101:3260,1 iqn.2006-01.com.openfiler:tsn.cc35969be1c0

Login in the target

# iscsiadm -m node -T  iqn.2006-01.com.openfiler:tsn.cc35969be1c0  -p 192.168.56.101 -l
Logging in to [iface: default, target: iqn.2006-01.com.openfiler:tsn.cc35969be1c0, portal: 192.168.56.101,3260] (multiple)
Login to [iface: default, target: iqn.2006-01.com.openfiler:tsn.cc35969be1c0, portal: 192.168.56.101,3260] successful.

take a look in /var/log/messages and see what block devices appear OR run
# find /sys/devices/platform/host* -name "block*"
/sys/devices/platform/host4/session1/target4:0:0/4:0:0:0/block
# ls /sys/devices/platform/host4/session1/target4\:0\:0/4\:0\:0\:0/block/
sdc



service iscsi status

will also show you, in the very bottom line, what devices iscsi is attached to.


Make it persistent after reboots:
vim /etc/fstab
/dev/sdc1    /mnt/openfiler   ext4 _netdev 0 0



Cleaning the DBs:

Removing known portals:


[root@zeus ~]# iscsiadm -m discoverydb
192.168.56.102:3260 via sendtargets
192.168.56.101:3260 via sendtargets
[root@zeus ~]# iscsiadm -m discovery -o delete -p 192.168.56.102
[root@zeus ~]# iscsiadm -m discovery -o delete -p 192.168.56.101
[root@zeus ~]# iscsiadm -m discovery
[root@zeus ~]#





----------------------------------



After managing partitions you should reload the partition table partprobe used to be a good choice but seems to be deprecated right now. partx ou kpartx seems to be the new options.

partx -a /dev/sda
 will add new partitions to the system. double check running cat /proc/partitions


partx -d /dev/sda
will remove all inactive partitions from the system.


Please use fdisk -cu.. these switches will disable DOS-compatible mode and show sectors instead of cylinders



-------

LVM


  • Creating PVs


[root@zeus ~]# fdisk -l /dev/sdc
Disk /dev/sdc: 1073 MB, 1073741824 bytes
34 heads, 61 sectors/track, 1011 cylinders
Units = cylinders of 2074 * 512 = 1061888 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0000dfdc
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1          95       98484+  8e  Linux LVM
/dev/sdc2              96         426      343247   83  Linux
[root@zeus ~]# pvcreate /dev/sdc1
  Physical volume "/dev/sdc1" successfully created
[root@zeus ~]# pvcreate /dev/sdc2
  Physical volume "/dev/sdc2" successfully created
[root@zeus ~]#
The man page for pvcreate says a partition should be type 8e but it does not complain about /dev/sdc2 though. let's move on..


  • Creating a VG


[root@zeus ~]# vgcreate mp3 /dev/sdc1
  Volume group "mp3" successfully created
[root@zeus ~]# vgdisplay -v mp3
    Using volume group(s) on command line
    Finding volume group "mp3"
  --- Volume group ---
  VG Name               mp3
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  1
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               92.00 MiB
  PE Size               4.00 MiB
  Total PE              23
  Alloc PE / Size       0 / 0
  Free  PE / Size       23 / 92.00 MiB
  VG UUID               tc1JKq-TBBw-zYax-51ET-2A5t-hK0t-wsWXTO

  --- Physical volumes ---
  PV Name               /dev/sdc1
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI
  PV Status             allocatable
  Total PE / Free PE    23 / 23

Note that -v switch brings up the PV that are part of the VG.


  • Creating LVs

[root@zeus ~]# lvcreate -L 50M mp3 -n rock_and_roll
  Rounding up size to full physical extent 52.00 MiB
  Logical volume "rock_and_roll" created
[root@zeus ~]# lvcreate -L 10M mp3 -n soul
  Rounding up size to full physical extent 12.00 MiB
  Logical volume "soul" created
[root@zeus ~]# lvs
  LV            VG      Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  rock_and_roll mp3     -wi-a- 52.00m
  soul          mp3     -wi-a- 12.00m


  • Observing the VG

[root@zeus ~]# vgdisplay -v mp3
    Using volume group(s) on command line
    Finding volume group "mp3"
  --- Volume group ---
  VG Name               mp3
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  3
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               92.00 MiB
  PE Size               4.00 MiB
  Total PE              23
  Alloc PE / Size       16 / 64.00 MiB
  Free  PE / Size       7 / 28.00 MiB
  VG UUID               tc1JKq-TBBw-zYax-51ET-2A5t-hK0t-wsWXTO

  --- Logical volume ---
  LV Name                /dev/mp3/rock_and_roll
  VG Name                mp3
  LV UUID                EQ73g4-TFPw-6WTg-ufWp-RAXq-MVVU-fHSh9T
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                52.00 MiB
  Current LE             13
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2

  --- Logical volume ---
  LV Name                /dev/mp3/soul
  VG Name                mp3
  LV UUID                nchsYN-2eSX-Z3Bw-WV5w-2xxV-5oQM-8Vh8xj
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                12.00 MiB
  Current LE             3
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3

  --- Physical volumes ---
  PV Name               /dev/sdc1
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI
  PV Status             allocatable
  Total PE / Free PE    23 / 7



  • Rename a LV:
[root@zeus ~]# lvcreate -L 10M mp3
  Rounding up size to full physical extent 12.00 MiB
  Logical volume "lvol0" created
[root@zeus ~]# lvs
  LV            VG      Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  lvol0         mp3     -wi-a- 12.00m
  rock_and_roll mp3     -wi-a- 52.00m
  soul          mp3     -wi-a- 12.00m
[root@zeus ~]# lvrename /dev/mp3/lvol0 /dev/mp3/celtic
  Renamed "lvol0" to "celtic" in volume group "mp3"
[root@zeus ~]# lvs
  LV            VG      Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  celtic        mp3     -wi-a- 12.00m
  rock_and_roll mp3     -wi-a- 52.00m
  soul          mp3     -wi-a- 12.00m


  • Resizing LVs


[root@zeus ~]# lvresize -L 15M /dev/mp3/celtic
4  Rounding up size to full physical extent 16.00 MiB
  Extending logical volume celtic to 16.00 MiB
  Logical volume celtic successfully resized
[root@zeus ~]# lvresize -L 12M /dev/mp3/celtic
  WARNING: Reducing active logical volume to 12.00 MiB
  THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce celtic? [y/n]: y
  Reducing logical volume celtic to 12.00 MiB
  Logical volume celtic successfully resized

Extending/Reducing VGs
[root@zeus ~]# vgs
  VG      #PV #LV #SN Attr   VSize  VFree
  mp3       1   3   0 wz--n- 92.00m 16.00m
  vg_zeus   1   2   0 wz--n-  7.51g     0
[root@zeus ~]# vgextend mp3 /dev/sdc2
  Volume group "mp3" successfully extended
[root@zeus ~]# vgs
  VG      #PV #LV #SN Attr   VSize   VFree
  mp3       2   3   0 wz--n- 424.00m 348.00m
[root@zeus ~]# vgreduce mp3 /dev/sdc2
  Removed "/dev/sdc2" from volume group "mp3"
[root@zeus ~]#

Moving extents from one disk to another

Make sure you VG has more than one disk. In this case I have sdc1 and sdc2 and will move the extents from sdc1 to sdc2
[root@zeus ~]# pvmove /dev/sdc1 /dev/sdc2
  /dev/sdc1: Moved: 0.0%
  /dev/sdc1: Moved: 21.1%
  /dev/sdc1: Moved: 31.6%
  /dev/sdc1: Moved: 47.4%
  /dev/sdc1: Moved: 57.9%
  /dev/sdc1: Moved: 68.4%
  /dev/sdc1: Moved: 78.9%
  /dev/sdc1: Moved: 84.2%
  /dev/sdc1: Moved: 100.0%

If now you take a look at sdc1 no extents are found in this partition (disc)
[root@zeus ~]# pvdisplay -v /dev/sdc1
    Using physical volume(s) on command line
  --- Physical volume ---
  PV Name               /dev/sdc1
  VG Name               mp3
  PV Size               96.18 MiB / not usable 4.18 MiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              23
  Free PE               23
  Allocated PE          0
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI


Taking Snapshots

lvcreate -s -L50M -n rock_snapshot /dev/mp3/rock_and_roll
mount the snapshot, copy the frozen data and delete it.
lvremove /dev/mp3/rock_snapshot



-------------------------------------------------------------

FileSystems

ACLs:

dumpe2fs /dev/xxx | grep Defaults will show which are the default mouting options. acl, user_xattr must be listed to have acl support in first place.

tune2fs -o acl,user_xattr /dev/xxx
can be issued to set the defaults mounting options.

tune2fs -o ^acl,^user_xattr /dev/xxx
can be issued to clear the defaults mounting options.

These options are overwritten by /etc/fstab or options in the mount command line.
BTW, if you set the defaults mount options and mount the volume you won't be able to see the acl option listed in the output of mount. This can cause some confusion but acl will be enabled anyway.

----------------

Authentication

To enable LDAP authentication run

authconfig-tui

or

vi /etc/openldap/ldap.conf OR vi /etc/ldap.conf
URI ldap://127.0.0.1/
BASE dc=lutierigabriel
vim /etc/nsswitch.conf
add ldap to group, shadow, passwd
or

system-config-authentication


-------------------

kickstart

some options:

zerombr
clearpart --all

always use /root/anaconda-ks.cfg as a template.
-------------------

NFS

Firewall

TCP/2049
UDP/111,32769
TCP/32803,892
 All ports but 111 and 2049 has to be specified in /etc/sysconfig/nfs

yum install -y nfs-utils  nfs4-acl-tools
chkconfig nfs on; chkconfig nfslock on; chkconfig rpcbind on
vim /etc/exports
/mnt    *(ro,sync)

exportfs -avr -> reexport all directories

Adjusting SELinux ( this will allow directories to be exported as RO and RW:


getsebool -a | grep nfs
setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1



  • mounting a NFS share:

mount localhost:/mnt /nfs

  • Verifying the exported directories on the server side:


# cat /var/lib/nfs/etab
/mnt    *(ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)


  • Verifying the mount NFS share on the cliente side:


nfsstat -m


  • Persistent NFS mounts:


vim /etc/fstab
rhel01:/opt/company_data     /opt/company_data     nfs4   rw,sync  0 0


Client side mounting option

soft -> means that if a timeout occurs the process will give up and try again later. the device will become unavailable meanwhile
hard -> in the same situation as state above, the process will never give up on mounting/accessing the device. it will hang there 'til it gets mounted.
intr -> usually used along the hard option. means the besides hard it can be interrupted. usually better have hard, intr than soft.

-------------------------------

automount

how to automount home directories:

/etc/auto.master
/home/guests     /etc/auto.guests


/etec/auto.guests
*   -rw,soft,intr   instructor.example.com:/home/guests/&


service autofs reload

ls /home/guests/user1 -> will mount the user1 folder from the instructor box

 -----------

SetUID and SetGID

setuid allows users to execute a file with privileges of the file's owner

chmod u+s file
chmod 4755 file
find / -perm -4000

SetGID
chmod g+s file
chmod 2755 file
find / -perm -2000

Sticky bit (set on directories, only owner and root can delete contentes in the dir)
chmod +t sticky/
chmod 1755 sticky/
find / -perm -1000


-------

Virtualization (only available in 64 bits OS)


yum install qemu-kvm qemu-img

virsh list
virshlist --all

virsh shutdown X
virsh start NAME
virt-viewer X

virsh autostart --disable X
 virsh autostart X

virt-viewer X

Create a guess VM:

virt-install –-name Client03 –-ram 512 –-disk path=/var/lib/libvirt/images/client03.img,size=8 –-network network=default –-cdrom /dev/cdrom


it's recommended to use /var/lib/libvirt/images to hold the virtual disks. to use other directory you should configure SELinux to allow it.



Can also create via GUI with virt-manager.

Useful commands


virsh connect localhost
virsh start guest1-rhel6-64
virsh stop guest1-rhel6-64
virsh list -all
virsh console
virsh autostart  X

virsh net-list
virsh net-start X
------------------

SELinux

Make sure you have setroubleshoot-server so you will get nicer SELinux messages.


Check how SELinux is running:
[root@zeus ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted [root@zeus ~]# getenforce Enforcing [root@zeus ~]# setenforce permissive [root@zeus ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: enforcing Policy version: 24 Policy from config file: targeted [root@zeus ~]# setenforce enforcing [root@zeus ~]# getenforce Enforcing
you can also edit /etc/selinux/config. Regardless of the method you should reboot the system. When you change the mode the files must be relabed (their contexts will change) this is done on the boot process.

It is possible to disable enforcing mode, will only audit:

setenforcing 0

Check the boolean values or getsebool -a | grep http:
 sestatus -b | grep http
allow_httpd_anon_write                      off
allow_httpd_mod_auth_ntlm_winbind           off
allow_httpd_mod_auth_pam                    off
allow_httpd_sys_script_anon_write           off
httpd_builtin_scripting                     on
httpd_can_check_spam                        off
httpd_can_network_connect                   off
httpd_can_network_connect_cobbler           off
httpd_can_network_connect_db                off
httpd_can_network_memcache                  off
httpd_can_network_relay                     off
httpd_can_sendmail                          off
httpd_dbus_avahi                            on
httpd_enable_cgi                            on
httpd_enable_ftp_server                     off
httpd_enable_homedirs                       off


While I was reading about SELinux I found something very useful that I didn't know until now. Well, during the reading the author says to issue a commando called semanage that will explain each of the boolean options. However, I don't have semanage on my system and don't know which package provides it. So, the following command told me what package I should install to have semanage.

yum whatprovides *bin/semanage

Here we go, from the output it's clear to me that policycoreutils-python-2.0.83-19.1.el6.i686 has the binary that I was looking for.

Ok. moving on... so, to see what each boolean value does, issue:

[root@zeus ~]# semanage boolean -l | grep http
httpd_can_network_relay        -> off   Allow httpd to act as a relay
httpd_can_network_connect_db   -> off   Allow HTTPD scripts and modules to connect to databases over the network.
httpd_use_gpg                  -> off   Allow httpd to run gpg in gpg-web domain
httpd_enable_cgi               -> on    Allow httpd cgi support
allow_httpd_mod_auth_pam       -> off   Allow Apache to use mod_auth_pam


Changing boolean values:

setsebool -P httpd_enable_homedirs=1




Context is formed of:
User :  role  :  domain

Users are usually one of these:

unconfined_u: Unprotected user
system_u: System user
user_u: Normal user

Roles are usually one of these:
object_r: File 
system_r: Users and processes 

Domains (AKA type) are usually one of these:
unconfined_r: Unprotected file or process 

httpd_t: used for httpd process.
....


Roles do NOT have influence under files so object_r is used as a generic role for any file.

Checking files' context:
# ls -Z
-rw-------. root  root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rwxr-xr-x. root  root unconfined_u:object_r:admin_home_t:s0 a.out

Checking processes' context:
 ps -eZ |  grep httpd
unconfined_u:system_r:httpd_t:s0 14784 ?       00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14786 ?       00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14787 ?       00:00:00 httpd





Changing contexts (domains) http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-Targeted_policy-Unconfined_processes.html



[root@zeus ~]# touch myfile
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 myfile
[root@zeus ~]# chcon -vu system_u myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 myfile
[root@zeus ~]# chcon -vt etc_t myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:etc_t:s0       myfile
[root@zeus ~]# chcon -vr system_r myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:system_r:etc_t:s0       myfile
[root@zeus ~]# touch myfile2
[root@zeus ~]# ls -Z myfile2
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 myfile2
[root@zeus ~]# chcon --reference myfile myfile2
[root@zeus ~]# ls -Z myfile2
-rw-r--r--. root root system_u:system_r:etc_t:s0       myfile2

[root@zeus ~]# restorecon myfile
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 myfile



Changing ports for services:
[root@zeus ~]# semanage port -l | grep http
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

[root@zeus ~]# semanage port -a -t http_port_t -p tcp 81

[root@zeus ~]# semanage port -l | grep http
http_port_t                    tcp      81, 80, 443, 488, 8008, 8009, 8443


Every time you change a context it will be restored in the next file system relabel (next reboot).
To make changes permanentely run:

semanage fcontext -a -t httpd_sys_content_t file1

TIP:
some daemons have man pages talking about the contexts and booleans used by them. take a look:

[root@zeus ~]# apropos _selinux
ftpd_selinux         (8)  - Security-Enhanced Linux policy for ftp daemons
httpd_selinux        (8)  - Security Enhanced Linux Policy for the httpd daemon
init_selinuxmnt      (3)  - initialize the global variable selinux_mnt
is_selinux_enabled   (3)  - check whether SELinux is enabled
kerberos_selinux     (8)  - Security Enhanced Linux Policy for Kerberos
named_selinux        (8)  - Security Enhanced Linux Policy for the Internet Name server (named) daemon
nfs_selinux          (8)  - Security Enhanced Linux Policy for NFS
pam_selinux          (8)  - PAM module to set the default security context
rsync_selinux        (8)  - Security Enhanced Linux Policy for the rsync daemon
samba_selinux        (8)  - Security Enhanced Linux Policy for Samba
ypbind_selinux       (8)  - Security Enhanced Linux Policy for NIS

semanage fcontext -a -t httpd_sys_content_t "/newweb(/.*)?"
restorecon -R -v /newweb

-------------


Firewall

 iptables -p icmp -h
show all the possible icmp types :-)

POSTROUTING -> SNAT --to-source x.x.x.x OR MASQUERADE

----------
Rsyslog

/etc/rsyslog.conf

forwarding message to other host:

 Remote machine
       There are three ways to forward message: the traditional UDP transport, which is extremely lossy but standard, the plain TCP based trans-
       port which loses messages only during certain situations but is widely available and the RELP transport which does not lose messages  but
       is currently available only as part of rsyslogd 3.15.0 and above.

       To  forward  messages  to another host via UDP, prepend the hostname with the at sign ("@").  To forward it via plain tcp, prepend two at
       signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of the hostname.

       Example:
              *.* @192.168.0.1

------

Apache

Test/Parse the config file:

service httpd configteste
VirtualHost

NameVirtualHost 192.168.56.200:80


<VirtualHost 192.168.56.200:80>
serverName site1.asdf.com
DocumentRoot "/var/www/site1"
</VirtualHost>


<VirtualHost 192.168.56.200:80>
Servername site2.asdf.com
DocumentRoot "/var/www/site2"
</VirtualHost>

Password protected


<Directory "/var/www/html/protected">
        AuthType        basic
        AuthName "You are out"
        AuthUserFile    "/var/www/html/protected/.users"
        Require user lutieri
        Options Indexes

        Order deny,allow
</Directory>


CGI Scripts


ScriptAlias /bin "/var/www/site1/bin"

OR

<Directory "/var/www/site1/bin/">
options ExecCGI Indexes
</Directory>

Addhandler cgi-script .lgb

The script will need to produce HTML output. Usually means that the first line in your script needs to print out which mime type the script will produce. I.E:


#!/bin/bash

echo "Content-type: text/html\n\n";
echo "Hello, World.";


Except that I found out that printing a blank line instead of content-type... also works great.



----------


Postfix


alternatives --config mta

-----------

Bind


[root@zeus ~]# cat /var/named/dynamic/asdf.com
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
site1   A       192.168.56.201
site2   A       192.168.56.202


Master zone


[root@zeus ~]# cat /etc/named.conf
---SNIP---

zone "asdf.com"  IN {
        type master;
        file "dynamic/asdf.com";
};
---SNIP---

Forward zone:

the directive Forwarders can also be used in the global context.

zone "asdf.com"  IN {
        type forward;
        forwarders {  66.33.206.206; };
};


--------------

Samba

If you create a directory and would like to share it, run:

 chcon -t samba_share_t /path
Allowing home directories to be shared:

[root@zeus ~]# setsebool -P samba_enable_home_dirs on
[root@zeus ~]# getsebool samba_enable_home_dirs
samba_enable_home_dirs --> on
[root@zeus ~]# semanage boolean -l | grep  samba_enable_home_dirs
samba_enable_home_dirs         -> on    Allow samba to share users home directories.

-P make the change to the boolean persistent across reboots.

OR

 semanage boolean -m --on  samba_enable_home_dirs


-----------


Vsftpd

Allow anonymoys upload
setsebool ftp_home_dir 1
chcon  -t public_content_rw_t /var/ftp/pub
setsebool allow_ftpd_anon_write 1
chgrp -R ftp: /var/ftp/dropbox
chmod g=wx /var/ftp/dropbox


cat /etc/vsftpd/vstfpd.conf
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES

asdf

VNC


server side:
/etc/sysconfig/vncservers

client side:
vncviewer -via server9 localhost:2

this will make a ssh tunnel to server9 and tunnel the vnc connection.

0 Comentários:

Postar um comentário

<< Home



Chat with Lutieri G. B.

Subscribe in a reader