Re: [CentOS] Unable to apply mysqld_db_t to mysql directory
James, I read your email a couple of times. There is so much to learn from it.

If I am right, the output of "semanage fcontext -l" is the content of the SELinux database regarding the SELinux contexts. Yet if I am right, when we try to assign or verify what should be the contexts on files or directories, a first look at the SELinux DB should be the first thing to do. Right?

I have now a much better understanding of what is going on when I use "semanage fcontext -a -t ..." then "restorecon -R". "semanage fcontext -a" adds the fcontext to the SELinux DB and restorecon applies the fcontext to the files or directory as defined in the DB.

In the past I have been confused by chcon and came to the conclusion this command was totally useless. But if the command exists, it should have a use. What kind of situation could make chcon useful?

Regarding the equivalence, at first I understood it as "make this equal to that". A bit like when using chmod --reference. Wrong!!!

I didn't only have a slight misconception on labels, I honestly would say I was lost with the new light you shed on it.

Thanks a lot for your time James! I really appreciate it.

Bernard

On Mon, Oct 23, 2017 at 5:13 PM, James Hogarth <james.hoga...@gmail.com> wrote:
> On 23 October 2017 at 19:18, Bernard Fay <bernard@gmail.com> wrote:
> > Thanks, I managed to fix /var/lib/mysql
> >
> > # ls -ldZ /var/lib/mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql
> >
> > To fix it, I tried:
> > semanage fcontext -d -e /var/lib/mysql
> > this command returned:
> > KeyError: /var/lib/mysql
> > I tried restorecon anyway:
> > restorecon -Rv /var/lib/mysql
> > But not better:
> > ls -ldZ /var/lib/mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql
> >
> > So I did the following:
> > semanage fcontext -d -t var_lib_t /var/lib/mysql
> > It started to look better:
> > ls -ldZ /var/lib/mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql
> > Then I ran restorecon
> > restorecon -Rv /var/lib/mysql
> > I got a lot of :
> > restorecon reset /var/lib/mysql/...
> >
> > And then I got the proper context on /var/lib/mysql.
> >
> > I think there are still many things I do not understand about SELinux.
> >
> > I thought the equivalence thing I did with the command below was going to
> > assign the context of /var/lib/mysql.old to /var/lib/mysql. Obviously not!
> > semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
>
> I think you have a slight misconception over how labels are determined.
>
> There's no relation between what is presently on the filesystem when
> you do ls -lZ and what the policy database thinks it ought to be.
>
> This is why you can chcon to change the label of something but a
> relabelling will change it back.
>
> When you run restorecon to relabel a path what happens is it takes the
> absolute (full) path and compares it against the regexes in the
> selinux policy database (see it with semanage fcontext -l for some,
> but not all, context matches) ...
>
> Then for the most specific match it will apply whatever label is in
> that database.
>
> When you do semanage fcontext -a -e /foo /bar to do an alias what you
> are telling selinux is that every time /bar is run through
> the regex, replace bar with foo and check that instead.
>
> This is why when adding custom labelling you need to do a full regex
> path to match files under that directory too.
>
> When you moved /var/lib/mysql to /var/lib/mysql.old the labels moved
> with the files (this is the default unless you cross filesystems, you
> can force labelling as the destination with mv -Z).
>
> The selinux database still has /var/lib/mysql(/.*)? as being type
> mysqld_db_t even if that directory doesn't exist.
>
> When the directory is created and put in place then it will get what
> policy says is right for that path.
>
> The point of using equivalence is when you move a default location -
> such as /home to /data/home or /var/lib/mysql to /data/mysql
>
> In that situation the default selinux policy doesn't know anything
> about /data or the contents of it so it'll end up with a default_t
> label ... not very useful.
>
> Now you could semanage fcontext -a -t mysqld_db_t /data/mysql(/.*)?
> but quite often the 'story' of a directory tree isn't about just one
> label and it'd be tedious trying to match them all ...
>
> For the craziness that is $HOME for instance...
>
> CentOS7: cat /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> Fe
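The lookup James describes above, as an added example (it is a model written for this page, not libselinux and not code from the thread): restorecon ignores the label currently on disk, takes the absolute path, rewrites it through any equivalence entry, matches it against the anchored regexes in the policy database, and applies the most specific match. The policy entries are constructed for the example (the real database has thousands) and the tie-break is simplified to "longest literal prefix wins, then the later entry", which is how local customisations shadow base policy. It reproduces the thread: with the equivalence `/var/lib/mysql = /var/lib/mysql.old` in place a file under /var/lib/mysql is looked up as /var/lib/mysql.old/... and lands on var_lib_t, and a relative spec such as the `./netdot(/.*)?` from the "SELinux context not applied" thread further down this page can never match an absolute path.

```python
"""Model of the restorecon/matchpathcon lookup: added example, not libselinux.
Constructed policy entries and paths; simplified tie-breaking (see lead-in)."""
import re
from typing import Dict, List, Optional, Tuple

Spec = Tuple[str, str]   # (regex as shown by `semanage fcontext -l`, type)

# Constructed policy: catch-all, generic /var/lib rule, the stock mysqld_db_t
# rule, /usr, and the relative spec from the netdot thread.
SPECS: List[Spec] = [
    ("/.*", "default_t"),
    ("/var/lib(/.*)?", "var_lib_t"),
    ("/var/lib/mysql(/.*)?", "mysqld_db_t"),
    ("/usr(/.*)?", "usr_t"),
    ("./netdot(/.*)?", "httpd_sys_rw_content_t"),
]

_META = re.compile(r"[.^$?*+()\[\]{}|\\]")


def stem(regex: str) -> str:
    """Literal prefix before the first regex metacharacter."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]


def apply_equivalence(path: str, subs: Dict[str, str]) -> str:
    """`semanage fcontext -a -e SRC TGT` records TGT -> SRC: a path under TGT
    is looked up as if it lived under SRC. Longest matching TGT wins."""
    for tgt in sorted(subs, key=len, reverse=True):
        if path == tgt or path.startswith(tgt.rstrip("/") + "/"):
            return subs[tgt] + path[len(tgt):]
    return path


def lookup(path: str, specs: List[Spec],
           subs: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Type the policy says `path` should carry, or None if nothing matches."""
    if not path.startswith("/"):
        raise ValueError("lookup works on absolute paths, got %r" % path)
    path = apply_equivalence(path, subs or {})
    best = None   # ((stem length, position in the list), type)
    for pos, (regex, ctx) in enumerate(specs):
        if not regex.startswith("/"):
            continue   # a relative spec such as ./netdot(/.*)? never matches
        if re.fullmatch(regex, path):
            key = (len(stem(regex)), pos)
            if best is None or key > best[0]:
                best = (key, ctx)
    return None if best is None else best[1]


if __name__ == "__main__":
    bad_subs = {"/var/lib/mysql": "/var/lib/mysql.old"}   # the thread's mistake
    good_subs = {"/data/mysql": "/var/lib/mysql"}         # what -e is meant for
    for p, s in (("/var/lib/mysql/ibdata1", None),
                 ("/var/lib/mysql/ibdata1", bad_subs),
                 ("/data/mysql/ibdata1", None),
                 ("/data/mysql/ibdata1", good_subs),
                 ("/usr/local/netdot", None)):
        print("%-26s subs=%-44s -> %s" % (p, s, lookup(p, SPECS, s)))
```

On a real system the same question is answered by `matchpathcon /var/lib/mysql` or a dry run with `restorecon -nv`, which print what policy would apply without touching anything; if that output already disagrees with what you expect, fixing the database (or removing a stray equivalence with `semanage fcontext -d -e`) comes before any relabel.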
Re: [CentOS] Unable to apply mysqld_db_t to mysql directory
Thanks, I managed to fix /var/lib/mysql

# ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql

To fix it, I tried:
semanage fcontext -d -e /var/lib/mysql
this command returned:
KeyError: /var/lib/mysql
I tried restorecon anyway:
restorecon -Rv /var/lib/mysql
But not better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql

So I did the following:
semanage fcontext -d -t var_lib_t /var/lib/mysql
It started to look better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql
Then I ran restorecon
restorecon -Rv /var/lib/mysql
I got a lot of :
restorecon reset /var/lib/mysql/...

And then I got the proper context on /var/lib/mysql.

I think there are still many things I do not understand about SELinux.

I thought the equivalence thing I did with the command below was going to assign the context of /var/lib/mysql.old to /var/lib/mysql. Obviously not!
semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql

I still have the following equivalence:

# semanage fcontext -lC
SELinux fcontext          type        Context
/home/users(/.*)?         all files   system_u:object_r:user_home_dir_t:s0
/var/lib/mysql            all files   system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?      all files   system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence
./mysql = ./mysql.old
mysql = ./mysql.old

Should I be worried about those two equivalences?

Thanks,
Bernard

On Mon, Oct 23, 2017 at 1:41 PM, James Hogarth <james.hoga...@gmail.com> wrote:
> On 23 Oct 2017 5:26 pm, "Bernard Fay" <bernard@gmail.com> wrote:
>
> Interesting to see the Equivalence. As a first thing, I tried:
>
> semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
> then
> restorecon -R /var/lib/mysql
>
> # semanage fcontext -lC
> SELinux fcontext          type        Context
> /home/users(/.*)?         all files   system_u:object_r:user_home_dir_t:s0
> /var/lib/mysql            all files   system_u:object_r:mysqld_db_t:s0
> /var/lib/mysql(/.*)?      all files   system_u:object_r:mysqld_db_t:s0
>
> SELinux Local fcontext Equivalence
>
> ./mysql = ./mysql.old
> /var/lib/mysql = /var/lib/mysql.old
> mysql = ./mysql.old
>
> On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hoga...@gmail.com> wrote:
> > On 23 October 2017 at 13:33, Bernard Fay <bernard@gmail.com> wrote:
> > > Hello,
> > >
> > > A server was configured in /var/lib/mysql in the root fs. I added a LV
> > > specifically for mysql. I stopped mysql and renamed /var/lib/mysql to
> > > /var/lib/mysql.old. I created a new dir /var/lib/mysql and mounted the LV
> > > on /var/lib/mysql. I then copied with "cp -prZ" all mysql files in
> > > /var/lib/mysql.old to /var/lib/mysql.
> > >
> > > But then I got a selinux problem:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > > I tried to change the context on mysql with the following commands:
> > >
> > > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > > # restorecon -R -v /var/lib/mysql
> > >
> > > But the /var/lib/mysql directory didn't take the change as you can see
> > > below:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > > How can I fix the wrong context on mysql directory?
> > > Thanks,
> >
> > /var/lib/mysql is already in default policy - no need to add anything there
> >
> > can you please provide the output of 'semanage fcontext -lC' so that
> > we can see any local selinux modifications made?
> >
> > From base policy with nothing added, for that directory, you *should*
> > be able to just restorecon -Rv /var/lib/mysql and have the correct
> > labelling.
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > https://lists.centos.org/mailman/listinfo/centos
> Th
Re: [CentOS] Unable to apply mysqld_db_t to mysql directory
Interesting to see the Equivalence. As a first thing, I tried:

semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
then
restorecon -R /var/lib/mysql

# semanage fcontext -lC
SELinux fcontext          type        Context
/home/users(/.*)?         all files   system_u:object_r:user_home_dir_t:s0
/var/lib/mysql            all files   system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?      all files   system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence
./mysql = ./mysql.old
/var/lib/mysql = /var/lib/mysql.old
mysql = ./mysql.old

On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hoga...@gmail.com> wrote:
> On 23 October 2017 at 13:33, Bernard Fay <bernard@gmail.com> wrote:
> > Hello,
> >
> > A server was configured in /var/lib/mysql in the root fs. I added a LV
> > specifically for mysql. I stopped mysql and renamed /var/lib/mysql to
> > /var/lib/mysql.old. I created a new dir /var/lib/mysql and mounted the LV
> > on /var/lib/mysql. I then copied with "cp -prZ" all mysql files in
> > /var/lib/mysql.old to /var/lib/mysql.
> >
> > But then I got a selinux problem:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> > I tried to change the context on mysql with the following commands:
> >
> > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > # restorecon -R -v /var/lib/mysql
> >
> > But the /var/lib/mysql directory didn't take the change as you can see
> > below:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> > How can I fix the wrong context on mysql directory?
> > Thanks,
>
> /var/lib/mysql is already in default policy - no need to add anything there
>
> can you please provide the output of 'semanage fcontext -lC' so that
> we can see any local selinux modifications made?
>
> From base policy with nothing added, for that directory, you *should*
> be able to just restorecon -Rv /var/lib/mysql and have the correct
> labelling.
[CentOS] Unable to apply mysqld_db_t to mysql directory
Hello,

A server was configured in /var/lib/mysql in the root fs. I added a LV specifically for mysql. I stopped mysql and renamed /var/lib/mysql to /var/lib/mysql.old. I created a new dir /var/lib/mysql and mounted the LV on /var/lib/mysql. I then copied with "cp -prZ" all mysql files in /var/lib/mysql.old to /var/lib/mysql.

But then I got a selinux problem:
# ls -ldZ mysql.old/ mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/

I tried to change the context on mysql with the following commands:

# semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
# restorecon -R -v /var/lib/mysql

But the /var/lib/mysql directory didn't take the change as you can see below:
# ls -ldZ mysql.old/ mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/

How can I fix the wrong context on mysql directory?
Thanks,
Re: [CentOS] Fix for the CVE-2017-7494?
Thanks Mark and Christian, I have two Samba servers running those two versions. That reassures me!

Thanks,
Bernard

On Fri, May 26, 2017 at 12:08 PM, Paul Heinlein <heinl...@madboa.com> wrote:
> On Fri, 26 May 2017, Christian, Mark wrote:
> > On Fri, 2017-05-26 at 11:19 -0400, Bernard Fay wrote:
> > > Hi,
> > >
> > > Has a fix already been made in the CentOS RPM repositories for this
> > > Samba remote code execution vulnerability, CVE-2017-7494?
> > >
> > yes. samba-3.6.23-43.el6_9.x86_64.rpm
>
> And samba-*-4.4.4-14.el7_3.x86_64
>
> --
> Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
[CentOS] Fix for the CVE-2017-7494?
Hi,

Has a fix already been made in the CentOS RPM repositories for this Samba remote code execution vulnerability, CVE-2017-7494?

Thx,
Bernard
Re: [CentOS] users still member of LDAP group after being removed from group 5 days ago
Sometimes it is too obvious! Users had the group in question as their primary group. I changed the primary group for those users and problem fixed.

Sorry for the noise :/

On Mon, May 8, 2017 at 12:06 PM, Bernard Fay <bernard@gmail.com> wrote:
> Hi,
>
> Last Thursday I removed users from an LDAP group and today the Linux
> command groups still shows those users as members of this group. I double
> checked in the LDAP to make sure the users are really removed and also not
> part of the local Linux group users on both the server hosting the LDAP
> service and the Linux clients.
>
> Could this be related to a cache somewhere? If not cache related what
> could be the problem?
>
> Thanks in advance for your help,
> Bernard
[CentOS] users still member of LDAP group after being removed from group 5 days ago
Hi,

Last Thursday I removed users from an LDAP group and today the Linux command groups still shows those users as members of this group. I double checked in the LDAP to make sure the users are really removed and also not part of the local Linux group users on both the server hosting the LDAP service and the Linux clients.

Could this be related to a cache somewhere? If not cache related what could be the problem?

Thanks in advance for your help,
Bernard
Re: [CentOS] sshd Match Group directive problem
A detail I forgot... The need is to have members of the groups wheel and users being dropped to a shell and administer the server, while members of only the group users have a script started forcing them to a few commands on the server.

On Tue, Feb 28, 2017 at 10:50 AM, Bernard Fay <bernard@gmail.com> wrote:
> I try to set up two "Match Group" directives in sshd_config.
>
> I have an LDAP server. All users including admins are part of the LDAP
> group users. The admin users are also part of the LDAP group wheel. For
> example:
>
> [~]groups admin1
> admin1 : users wheel
> [~]groups users
> user1 : users
>
> On a client server to LDAP, I try to configure two "Match Group"
> directives in sshd_config as follows:
>
> Match Group wheel
>     some keywords...
>
> Match Group users
>     some keywords...
>
> The problem is that even if a user is a member of LDAP group wheel, the
> "Match Group wheel" directive is skipped in favor of the "Match Group
> users" directive.
>
> Is it possible to have two "Match Group" directives as I like to do it?
> If yes, what is wrong in my configuration?
>
> Thanks,
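The two-block layout the thread asks about, written out as an added example (this is not an answer given in the thread, and the script path and test values are assumptions). It relies on two documented sshd_config(5) rules: Match blocks are evaluated in order and, for every keyword, the first value obtained wins, so a later `Match Group users` block still supplies any keyword the wheel block left unset; and group patterns accept negation, so `users,!wheel` matches a member of users only if none of their groups is wheel. The admins' block therefore goes first and the restricted block excludes wheel explicitly, which holds even if someone later reorders the file.

```sshd_config
# /etc/ssh/sshd_config, Match section (added example; keywords chosen to
# illustrate the layout, restricted-menu.sh is an assumed local script)

# admins: members of wheel (who are also in users) get a normal shell
Match Group wheel
    PermitTTY yes
    AllowTcpForwarding yes

# everyone who is in users but not in wheel gets the forced menu script;
# without "!wheel" this block would also apply to admins for any keyword
# the block above did not set, because sshd keeps the first value obtained
Match Group users,!wheel
    ForceCommand /usr/local/bin/restricted-menu.sh
    PermitTTY yes
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
```

Check the effective configuration for a given account before reloading sshd, using the extended test mode: `sshd -T -C user=admin1,host=client.example.com,addr=192.0.2.10 | grep -i forcecommand` should print nothing for admin1 and the script path when run with `user=user1` (all three of user, host and addr must be supplied; the host name and address here are placeholders). `sshd -t` alone only checks syntax and does not evaluate Match blocks.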
[CentOS] sshd Match Group directive problem
I try to set up two "Match Group" directives in sshd_config.

I have an LDAP server. All users including admins are part of the LDAP group users. The admin users are also part of the LDAP group wheel. For example:

[~]groups admin1
admin1 : users wheel
[~]groups users
user1 : users

On a client server to LDAP, I try to configure two "Match Group" directives in sshd_config as follows:

Match Group wheel
    some keywords...

Match Group users
    some keywords...

The problem is that even if a user is a member of LDAP group wheel, the "Match Group wheel" directive is skipped in favor of the "Match Group users" directive.

Is it possible to have two "Match Group" directives as I like to do it? If yes, what is wrong in my configuration?

Thanks,
Re: [CentOS] how to resize a partition of a disk defined as a physical volume
I usually use the whole disk as a PV but this disk has the /boot partition which cannot be LVM. I decided to simply use the third partition as another PV and extended the VG.

Thanks,

On Wed, Feb 22, 2017 at 8:52 AM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
> On Wed, Feb 22, 2017 at 2:42 PM, Bernard Fay <bernard@gmail.com> wrote:
>
> > How do you resize the partition without losing data?
> >
> > gparted does not support LVM.
> >
>
> It is preferable to create the PV on the whole disk, also to manage these kinds
> of situations.
> In case I have to manage with partitions, the must is that you can do it
> only if it is the last partition, and you are ok.
> Normally I use fdisk and I first delete the last partition and then without
> exiting the utility I create it again using the same starting point and the
> new larger end.
> For this, take care of using the option to show sectors and not cylinders ("u"
> switches between the two options) and print your partition layout ("p"
> command), so that you can set exactly the same starting point of the new
> xvda2 partition, otherwise you will have destroyed it and the LVM layer would
> not be able to identify it (also the type, if now it is 8e for Linux LVM).
> Eventually you will have to run also the command
>
> partprobe /dev/xvda
>
> to align the OS with the new partition layout
>
> Take care and read well (also on other sources on the internet in case). Also
> backup your partition layout before making changes with
>
> sfdisk -d /dev/xvda > part_table.before
>
> and compare with what you have after.
>
> HIH,
> Gianluca
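The "compare with what you have after" step Gianluca recommends, turned into a check to run before `pvresize`, as an added example that is not from the thread. It parses two `sfdisk -d` dumps and refuses the new layout unless every partition kept its start sector and type, nothing shrank, only the last partition changed size, and nothing runs past the end of the disk. The dumps are constructed from the sector numbers posted in the thread (a 31457280-sector disk, /dev/xvda2 starting at sector 2099200); the "before" dump uses the older sfdisk format with `Id=`, the "after" dumps the newer one with `type=`, and both are parsed.

```python
"""Partition-layout comparison for the delete-and-recreate resize: added
example. Dumps below are constructed from the thread's numbers."""
import re
from typing import Dict, List, Tuple

Part = Tuple[int, int, str]   # (start sector, size in sectors, type id)

# from `fdisk -l` in the thread; on a real box: blockdev --getsz /dev/xvda
DISK_SECTORS = 31457280

BEFORE = """# partition table of /dev/xvda
unit: sectors

/dev/xvda1 : start=     2048, size=  2097152, Id=83, bootable
/dev/xvda2 : start=  2099200, size= 18872320, Id=8e
/dev/xvda3 : start=        0, size=        0, Id= 0
/dev/xvda4 : start=        0, size=        0, Id= 0
"""

# xvda2 recreated at the same start and extended to the end of the disk
AFTER_OK = """label: dos
device: /dev/xvda
unit: sectors

/dev/xvda1 : start=        2048, size=     2097152, type=83, bootable
/dev/xvda2 : start=     2099200, size=    29358080, type=8e
"""

# the classic mistake: start sector typed one off, LVM metadata now unreadable
AFTER_BAD = AFTER_OK.replace("start=     2099200", "start=     2099201")

_LINE = re.compile(
    r"^(?P<dev>\S+)\s*:\s*start=\s*(?P<start>\d+),\s*size=\s*(?P<size>\d+),"
    r"\s*(?:Id|type)=\s*(?P<type>[0-9A-Za-z-]+)")


def parse_sfdisk_dump(text: str) -> Dict[str, Part]:
    """Partitions from an `sfdisk -d` dump (old Id= and new type= formats)."""
    parts: Dict[str, Part] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                 # header lines: label:, unit:, comments
        size = int(m.group("size"))
        if size == 0:
            continue                 # old sfdisk prints unused slots with size 0
        parts[m.group("dev")] = (int(m.group("start")), size,
                                 m.group("type").lower())
    return parts


def check_resize(before: str, after: str, disk_sectors: int) -> List[str]:
    """Problems found in `after` relative to `before`; empty means safe."""
    b, a = parse_sfdisk_dump(before), parse_sfdisk_dump(after)
    problems: List[str] = []
    if set(b) != set(a):
        return ["partition set changed: %s -> %s" % (sorted(b), sorted(a))]
    last = max(b, key=lambda dev: b[dev][0])   # highest start = last on disk
    for dev in sorted(b):
        (b_start, b_size, b_type), (a_start, a_size, a_type) = b[dev], a[dev]
        if a_start != b_start:
            problems.append("%s start moved %d -> %d; its data is no longer "
                            "where the filesystem/LVM expects it"
                            % (dev, b_start, a_start))
        if a_type != b_type:
            problems.append("%s type changed %s -> %s" % (dev, b_type, a_type))
        if dev != last and a_size != b_size:
            problems.append("%s is not the last partition but its size changed"
                            % dev)
        if a_size < b_size:
            problems.append("%s shrank %d -> %d sectors" % (dev, b_size, a_size))
        if a_start + a_size > disk_sectors:
            problems.append("%s ends past the end of the disk (%d > %d)"
                            % (dev, a_start + a_size, disk_sectors))
    return problems


if __name__ == "__main__":
    for name, after in (("recreated correctly", AFTER_OK),
                        ("start off by one", AFTER_BAD)):
        print(name + ":", check_resize(BEFORE, after, DISK_SECTORS)
              or "layout safe, pvresize may proceed")
```

On a real machine the inputs are `sfdisk -d /dev/xvda > part_table.before` taken before the fdisk session, the same dump taken afterwards (after `partprobe /dev/xvda`), and the disk size from `blockdev --getsz /dev/xvda`; run `pvresize /dev/xvda2` only when the check returns no problems.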
Re: [CentOS] how to resize a partition of a disk defined as a physical volume
How do you resize the partition without losing data?

gparted does not support LVM.

On Wed, Feb 22, 2017 at 8:37 AM, SysAdmin <admin@s-s.network> wrote:
> Hi,
>
> you need to resize partition /dev/xvda2, afterwards resize the PV.
>
> Regards,
> Holger
>
> > -Original Message-
> > From: CentOS [mailto:centos-boun...@centos.org] On behalf of Bernard Fay
> > Sent: Wednesday, 22 February 2017 14:18
> > To: CentOS mailing list
> > Subject: Re: [CentOS] how to resize a partition of a disk defined as a
> > physical volume
> >
> > I should have added the output of pvs:
> >
> > [root ~]# pvs
> >   PV         VG          Fmt  Attr PSize PFree
> >   /dev/xvda2 cl_vm731611 lvm2 a--  9.00g    0
> >
> > PFree still shows 0. It should show 5g.
> >
> > Also:
> > [root ~]# pvdisplay /dev/xvda2
> >   --- Physical volume ---
> >   PV Name               /dev/xvda2
> >   VG Name               cl_vm731611
> >   PV Size               9.00 GiB / not usable 2.00 MiB
> >   Allocatable           yes (but full)
> >   PE Size               4.00 MiB
> >   Total PE              2303
> >   Free PE               0
> >   Allocated PE          2303
> >   PV UUID               RtXa0c-07RP-RJ0V-kSjC-Tuo0-5QQv-sQIKlr
> >
> > With fdisk, we can see the additional space is there as it shows 16GB.
> > The original disk had 10GB.
> > [root ~]# fdisk -l /dev/xvda
> >
> > Disk /dev/xvda: 16.1 GB, 16106127360 bytes, 31457280 sectors
> > [snip]
> >
> >     Device Boot    Start       End    Blocks  Id System
> > /dev/xvda1   *      2048   2099199   1048576  83 Linux
> > /dev/xvda2       2099200  20971519   9436160  8e Linux LVM
> >
> > vgs also shows 0 Free PE:
> > [root@CTSSVN01 ~]# vgs
> >   VG          #PV #LV #SN Attr   VSize VFree
> >   cl_vm731611   1   2   0 wz--n- 9.00g    0
> >
> > Thanks,
> >
> > On Wed, Feb 22, 2017 at 8:06 AM, Jon LaBadie <j...@labadie.us> wrote:
> > > On Wed, Feb 22, 2017 at 07:44:33AM -0500, Bernard Fay wrote:
> > > > Hello,
> > > >
> > > > I have a CentOS VM with only one disk on a Xenserver.
> > > >
> > > > The disk has 2 partitions:
> > > >
> > > > /dev/xvda1 -> /boot
> > > > /dev/xvda2 -> a physical volume for LVM
> > > >
> > > > I added 5GB to this disk via Xencenter to extend /dev/xvda2.
> > > > Usually I just have to do "pvresize /dev/xvda" to have the
> > > > additional space added to the disk. But for some reason it does not
> > > > work for this disk.
> > > >
> > > > [root ~]# pvresize /dev/xvda
> > > >   Failed to find physical volume "/dev/xvda".
> > > >   0 physical volume(s) resized / 0 physical volume(s) not resized
> > > >
> > > > [root ~]# pvresize /dev/xvda2
> > > >   Physical volume "/dev/xvda2" changed
> > > >   1 physical volume(s) resized / 0 physical volume(s) not resized
> > > >
> > > > Has someone seen this problem before or could have an idea of
> > > > the problem?
> > >
> > > Looks like xvda2 was resized. You should now have an added 5GB worth
> > > of unallocated extents in the vg
> > >
> > > --
> > > Jon H. LaBadie                  j...@jgcomp.com
> > > 11226 South Shore Rd.           (703) 787-0688 (H)
> > > Reston, VA 20190                (703) 935-6720 (C)
Re: [CentOS] how to resize a partition of a disk defined as a physical volume
I should have added the output of pvs:

[root ~]# pvs
  PV         VG          Fmt  Attr PSize PFree
  /dev/xvda2 cl_vm731611 lvm2 a--  9.00g    0

PFree still shows 0. It should show 5g.

Also:
[root ~]# pvdisplay /dev/xvda2
  --- Physical volume ---
  PV Name               /dev/xvda2
  VG Name               cl_vm731611
  PV Size               9.00 GiB / not usable 2.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              2303
  Free PE               0
  Allocated PE          2303
  PV UUID               RtXa0c-07RP-RJ0V-kSjC-Tuo0-5QQv-sQIKlr

With fdisk, we can see the additional space is there as it shows 16GB. The original disk had 10GB.
[root ~]# fdisk -l /dev/xvda

Disk /dev/xvda: 16.1 GB, 16106127360 bytes, 31457280 sectors
[snip]

    Device Boot    Start       End    Blocks  Id System
/dev/xvda1   *      2048   2099199   1048576  83 Linux
/dev/xvda2       2099200  20971519   9436160  8e Linux LVM

vgs also shows 0 Free PE:
[root@CTSSVN01 ~]# vgs
  VG          #PV #LV #SN Attr   VSize VFree
  cl_vm731611   1   2   0 wz--n- 9.00g    0

Thanks,

On Wed, Feb 22, 2017 at 8:06 AM, Jon LaBadie <j...@labadie.us> wrote:
> On Wed, Feb 22, 2017 at 07:44:33AM -0500, Bernard Fay wrote:
> > Hello,
> >
> > I have a CentOS VM with only one disk on a Xenserver.
> >
> > The disk has 2 partitions:
> >
> > /dev/xvda1 -> /boot
> > /dev/xvda2 -> a physical volume for LVM
> >
> > I added 5GB to this disk via Xencenter to extend /dev/xvda2. Usually I
> > just have to do "pvresize /dev/xvda" to have the additional space added to
> > the disk. But for some reason it does not work for this disk.
> >
> > [root ~]# pvresize /dev/xvda
> >   Failed to find physical volume "/dev/xvda".
> >   0 physical volume(s) resized / 0 physical volume(s) not resized
> >
> > [root ~]# pvresize /dev/xvda2
> >   Physical volume "/dev/xvda2" changed
> >   1 physical volume(s) resized / 0 physical volume(s) not resized
> >
> > Has someone seen this problem before or could have an idea of the
> > problem?
>
> Looks like xvda2 was resized. You should now have an added
> 5GB worth of unallocated extents in the vg
>
> --
> Jon H. LaBadie                  j...@jgcomp.com
> 11226 South Shore Rd.           (703) 787-0688 (H)
> Reston, VA 20190                (703) 935-6720 (C)
[CentOS] how to resize a partition of a disk defined as a physical volume
Hello,

I have a CentOS VM with only one disk on a Xenserver.

The disk has 2 partitions:

/dev/xvda1 -> /boot
/dev/xvda2 -> a physical volume for LVM

I added 5GB to this disk via Xencenter to extend /dev/xvda2. Usually I just have to do "pvresize /dev/xvda" to have the additional space added to the disk. But for some reason it does not work for this disk.

[root ~]# pvresize /dev/xvda
  Failed to find physical volume "/dev/xvda".
  0 physical volume(s) resized / 0 physical volume(s) not resized

[root ~]# pvresize /dev/xvda2
  Physical volume "/dev/xvda2" changed
  1 physical volume(s) resized / 0 physical volume(s) not resized

Has someone seen this problem before or could have an idea of the problem?

Thanks,
Bernard
Re: [CentOS] Allow execution of commands via ssh but not to login
I made my search on google way too complicated for nothing :(

Thanks John and Seb! authorized_keys will do the job.

On Wed, Jan 11, 2017 at 10:40 AM, seb <sebast...@r2-info.fr> wrote:
> Hi,
>
> you can use the option command in your /home/user/.ssh/authorized_keys .
>
> for example :
>
> command="cd /some_where; other command" ssh-rsa key ...
>
> On 11/01/2017 at 16:34, Bernard Fay wrote:
> > Hi,
> >
> > Is there a way to allow a user to execute commands via ssh, for example:
> > "ssh user@server ls", but disallow the same user to login on this server
> > with "ssh user@server" ?
> >
> > Thanks,
> > Bernard
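The `command=` option seb points at replaces whatever the client asked for with a fixed program, so on its own it does not give "ls allowed, interactive login refused": the fixed program has to make that decision itself, and sshd hands it the client's request in `$SSH_ORIGINAL_COMMAND` (unset when the user just ran `ssh user@server`). Below is such a gate as an added example, not seb's snippet and not from the thread; the install path, the allowlist and the extra key options are assumptions. It is meant to be referenced from the key line as `command="/usr/local/bin/ssh-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...`, and it execs the allowed program directly rather than through a shell, so `ls; cat /etc/shadow`, pipes and `$(...)` never reach a shell.

```python
#!/usr/bin/env python3
"""Forced-command gate for authorized_keys (added example, assumed path
/usr/local/bin/ssh-gate). Allows a fixed set of commands, refuses everything
else including an interactive login."""
import os
import shlex
import sys
from typing import List, Optional

# Exact argv allowlist (constructed for the example): program name mapped to
# the only argument vectors accepted for it. No free-form paths or flags.
ALLOWED = {
    "ls": {(), ("-l",), ("-la",)},
    "uptime": {()},
    "df": {("-h",)},
}


def decide(original: Optional[str]) -> Optional[List[str]]:
    """argv to exec for the client's request, or None to refuse.
    None or an empty string means 'ssh user@server' without a command,
    i.e. an interactive login, which is refused."""
    if not original or not original.strip():
        return None
    try:
        argv = shlex.split(original)
    except ValueError:          # unbalanced quotes and similar
        return None
    if not argv or argv[0] not in ALLOWED:
        return None             # 'ls;' or 'rm' are not allowed programs
    if tuple(argv[1:]) not in ALLOWED[argv[0]]:
        return None             # 'ls /etc/shadow', 'ls | wc', 'ls $(id)'
    return argv


def main() -> int:
    argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("interactive login or unlisted command refused\n")
        return 1
    os.execvp(argv[0], argv)    # replaces this process, no shell involved
    return 1                    # not reached


if __name__ == "__main__":
    sys.exit(main())
```

With this in place `ssh user@server ls -l` runs `ls -l` and `ssh user@server` prints the refusal and exits 1; the `no-pty` and forwarding options on the key line close the remaining ways to get an interactive session or a tunnel through the account, and `sshd` logs the original request when run with `LogLevel VERBOSE`.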
[CentOS] Allow execution of commands via ssh but not to login
Hi,

Is there a way to allow a user to execute commands via ssh, for example: "ssh user@server ls", but disallow the same user to login on this server with "ssh user@server" ?

Thanks,
Bernard
Re: [CentOS] How to start a script to complete configuration
To Bill,

The script solution is what I try to do. I am close to it. The problem I am facing at the moment is that this script needs to be interactive to have input from the sysadmin. I tried to add the following lines to the service unit file to direct the interaction of the script to tty1 but without success:

StandardInput=tty
TTYPath=/dev/tty1
TTYReset=yes
TTYVHangup=yes

On Wed, Nov 9, 2016 at 8:01 AM, Bill Howe <howe.b...@gmail.com> wrote:
> How you could do this with scripts:
>
> *CentOS 7*
>
> 1. Deploy a VM from your base CentOS 7 template
> 2. Copy your "my-firstboot.sh" script (or whatever it's called) to a
>    location such as /root/scripts/
>    1. This script's only job should be to mount a NFS location and
>       execute any post install scripts you have stored there, and provide
>       a log file.
>    2. This script should disable the "my-firstboot.service" at the end
>       and then change permissions of itself to no execute to ensure it
>       doesn't get run more than once.
>    3. It is also useful to have this script email the system admins when
>       it's done and reboot the VM (in the case of full system updates
>       that require a reboot to a new kernel)
> 3. Create your "my-firstboot.service" unit file at:
>    /etc/systemd/system/my-firstboot.service, enable it. example contents:
>    1. [Unit]
>       Description=Auto-execute my post install scripts
>       After=network.target
>
>       [Service]
>       ExecStart=/root/scripts/my-firstboot.sh
>
>       [Install]
>       WantedBy=multi-user.target
>
> *CentOS 6*
>
> 1. Same thing as above, except no service unit file. Instead simply
>    create a line in /etc/rc.local to execute the "my-firstboot.sh" script
>    like so:
>    1. echo "/root/scripts/my-firstboot.sh" >> /etc/rc.d/rc.local
> 2. And have the "my-firstboot.sh" script remove that same line above
>    from rc.local at the end of its execution so it's not run again on the
>    next reboot.
>
> Bill
>
> On Tue, Nov 8, 2016 at 3:44 PM, Oscar Osta Pueyo <oostap.lis...@gmail.com> wrote:
> > Hello,
> > I think you can use anaconda for this task, you can configure some actions
> > after the installation.
> >
> > Best regards,
> >
> > On Tue, 8 Nov 2016 at 18:44 Leon Fauster <leonfaus...@googlemail.com> wrote:
> > > On 08.11.2016 at 16:47, cpol...@surewest.net wrote:
> > > > On 2016-11-07 14:35, Bernard Fay wrote:
> > > > > Hi,
> > > > >
> > > > > We have a virtual environment based on XenServer. In this environment I
> > > > > defined a template for CentOS 7 servers.
> > > > >
> > > > > I would like to start a script at boot time to complete the configuration of
> > > > > new VMs based on this template. How can I have a script started before any
> > > > > login prompt to ask questions to the user to complete the configuration such
> > > > > as hostname, IP address, etc?
> > > >
> > > > Hi Bernard,
> > > >
> > > > My first impulse was "don't!", and that's probably the best
> > > > advice. A popular model is that the "firstboot" package takes
> > > > care of this at the first user login, and *nix systems sort of
> > > > depend on this "logged in users do stuff" model.
> > > >
> > > > Even better, use ansible, cfengine, chef, or puppet to automate
> > > > the task of setting things up. This is the _best_ solution and
> > > > you will eventually come back to it.
> > > >
> > > > But, the darker, cynical part of my brain, the part that says
> > > > "what, you're cutting down on coffee?" part, said "sure you
> > > > can". Here's how it _could_ be done.
> > > >
> > > > DON'T DO THIS. TURN BACK NOW.
> > > >
> > > >    Replace /sbin/init with a shell script that does what you want.
> > > >    It will be the first userland process started, have the console
> > > >    for I/O, and run as root. At completion, restore the original
> > > >    /sbin/init and reboot. Leave no traces behind. Do not document
> > > >    your awful hack, others will use your words against you.
> > >
> > > :-) ... kernel parameter init=/root/yourscript
> > >
> > > https://www.kernel.org/doc/Documentation/kernel-parameters.txt
> > >
> > > --
> > > LF
Re: [CentOS] How to start a script to complete configuration
It would be hard to use ansible, cfengine or whatever while there is no IP address on the new VM.

On Tue, Nov 8, 2016 at 10:47 AM, <cpol...@surewest.net> wrote:
> On 2016-11-07 14:35, Bernard Fay wrote:
> > Hi,
> >
> > We have a virtual environment based on XenServer. In this environment I
> > defined a template for CentOS 7 servers.
> >
> > I would like to start a script at boot time to complete the configuration of
> > new VMs based on this template. How can I have a script started before any
> > login prompt to ask questions to the user to complete the configuration such
> > as hostname, IP address, etc?
>
> Hi Bernard,
>
> My first impulse was "don't!", and that's probably the best
> advice. A popular model is that the "firstboot" package takes
> care of this at the first user login, and *nix systems sort of
> depend on this "logged in users do stuff" model.
>
> Even better, use ansible, cfengine, chef, or puppet to automate
> the task of setting things up. This is the _best_ solution and
> you will eventually come back to it.
>
> But, the darker, cynical part of my brain, the part that says
> "what, you're cutting down on coffee?" part, said "sure you
> can". Here's how it _could_ be done.
>
> DON'T DO THIS. TURN BACK NOW.
>
>    Replace /sbin/init with a shell script that does what you want.
>    It will be the first userland process started, have the console
>    for I/O, and run as root. At completion, restore the original
>    /sbin/init and reboot. Leave no traces behind. Do not document
>    your awful hack, others will use your words against you.
>
> Best regards,
> --
> Chuck
[CentOS] How to start a script to complete configuration
Hi,

We have a virtual environment based on XenServer. In this environment I defined a template for CentOS 7 servers.

I would like to start a script at boot time to complete the configuration of new VMs based on this template. How can I have a script started before any login prompt to ask questions to the user to complete the configuration such as hostname, IP address, etc?

Thanks,
Bernard
Re: [CentOS] SELinux context not applied
Our emails crossed on the line! ;-)

Thanks anyway Leonard,

On Mon, Oct 17, 2016 at 9:26 AM, Leonard den Ottolander <leon...@den.ottolander.nl> wrote:
> Hello Bernard,
>
> On Mon, 2016-10-17 at 09:10 -0400, Bernard Fay wrote:
> > I tried to apply a security context on a directory with the following
> > commands:
> >
> > [root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "netdot(/.*)?"
> > [root@ local]# restorecon -R netdot/
>
> Try using absolute paths in your commands and see if that fixes your
> issue.
>
> Regards,
> Leonard.
>
> --
> mount -t life -o ro /dev/dna /genetic/research
Re: [CentOS] SELinux context not applied
I used the full path and got it working:

[root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "/usr/local/netdot(/.*)?"
[root@ local]# restorecon -R /usr/local/netdot/
[root@ local]# ls -ldZ /usr/local/netdot/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 /usr/local/netdot/

On Mon, Oct 17, 2016 at 9:10 AM, Bernard Fay <bernard@gmail.com> wrote:
> Hi,
>
> I tried to apply a security context on a directory with the following
> commands:
>
> [root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "netdot(/.*)?"
> [root@ local]# restorecon -R netdot/
>
> When I list the contexts, it is part of the list
> [root@ local]# semanage fcontext -l | grep netdot
> ./netdot(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0
>
> ... but does not appear on the directory itself:
> [root@ local]# ls -ldZ netdot/
> drwxr-xr-x. root root unconfined_u:object_r:*usr_t*:s0 netdot/
>
> I am expecting to see something like:
> drwxr-xr-x. root root unconfined_u:object_r:*httpd_sys_rw_content_t*:s0 netdot/
>
> What am I doing wrong or do not understand?
>
> Thanks,
[CentOS] SELinux context not applied
Hi,

I tried to apply a security context on a directory with the following commands:

[root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "netdot(/.*)?"
[root@ local]# restorecon -R netdot/

When I list the contexts, it is part of the list
[root@ local]# semanage fcontext -l | grep netdot
./netdot(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0

... but does not appear on the directory itself:
[root@ local]# ls -ldZ netdot/
drwxr-xr-x. root root unconfined_u:object_r:*usr_t*:s0 netdot/

I am expecting to see something like:
drwxr-xr-x. root root unconfined_u:object_r:*httpd_sys_rw_content_t*:s0 netdot/

What am I doing wrong or do not understand?

Thanks,
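Why the relative rule "./netdot(/.*)?" is accepted by semanage yet never applied by restorecon is easier to see with a small model of the lookup. The block below is an added example written for this page (it is not code from the thread or from libselinux): it matches rule regexes against the full absolute path and lets the most specific matching rule win, approximating "most specific" as the longest metacharacter-free prefix (an assumption; libselinux uses a similar stem-length ordering but is not reproduced exactly). The rules are constructed from the labels seen in this thread plus an assumed catch-all.

```python
"""Model of how restorecon decides which label a path should get.

Added example written for this page (not code from the thread or from
libselinux).  It reproduces the two facts behind the "context not applied"
problem: rule regexes are matched against the full absolute path, and among
the matching rules the most specific one wins.  "Most specific" is
approximated as the longest metacharacter-free prefix (assumption).  The
rules are constructed from the labels seen on the page plus a catch-all.
"""
import re

METACHARS = set(".^$*+?()[]{}|\\")


def literal_prefix(pattern):
    """Leading part of a regex that contains no metacharacters (its 'stem')."""
    out = []
    for ch in pattern:
        if ch in METACHARS:
            break
        out.append(ch)
    return "".join(out)


class FileContexts:
    """A tiny file_contexts database: (regex, SELinux type) pairs."""

    def __init__(self):
        self.rules = []

    def add(self, pattern, setype):
        # Like semanage fcontext -a: the regex is anchored to the whole path.
        self.rules.append((pattern, re.compile("^(?:%s)$" % pattern), setype))

    def lookup(self, path):
        """Return (matching pattern, type) for an absolute path, or None."""
        if not path.startswith("/"):
            raise ValueError("file contexts are matched against absolute paths: %r" % path)
        best = None
        for pattern, rx, setype in self.rules:
            if rx.match(path):
                stem = len(literal_prefix(pattern))
                # Longer stem wins; on a tie the later-added rule wins.
                if best is None or stem >= best[0]:
                    best = (stem, pattern, setype)
        return None if best is None else (best[1], best[2])


def page_scenario():
    """Replay the thread: the relative rule never matches, the absolute one does."""
    fc = FileContexts()
    fc.add("/.*", "default_t")                          # assumed catch-all rule
    fc.add("/usr(/.*)?", "usr_t")                       # the usr_t label seen in the thread
    fc.add("./netdot(/.*)?", "httpd_sys_rw_content_t")  # rule exactly as semanage listed it
    before = fc.lookup("/usr/local/netdot")
    fc.add("/usr/local/netdot(/.*)?", "httpd_sys_rw_content_t")  # the working absolute rule
    after = fc.lookup("/usr/local/netdot")
    below = fc.lookup("/usr/local/netdot/htdocs/index.html")
    return before[1], after[1], below[1]


if __name__ == "__main__":
    print(page_scenario())  # ('usr_t', 'httpd_sys_rw_content_t', 'httpd_sys_rw_content_t')
```

The relative rule is stored ("semanage fcontext -l" shows it) but, anchored against "/usr/local/netdot", its leading "." consumes the slash and the rest cannot match, so the /usr rule stays the best candidate. On a real host the equivalent checks are `matchpathcon /usr/local/netdot` (what policy says the label should be) and `restorecon -nv /usr/local/netdot` (what a relabel would change, without changing it).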
[CentOS] Could not fetch domain SID
Hello,

I try to set up a new test environment with Samba and LDAP on CentOS 7 but I could not get my domain SID:

[root@ ~]# net getdomainsid
SID for local machine LDAP-TEST is: S-1-5-21-1044143993-2427131616-1047417663
Could not fetch domain SID

What am I doing wrong or forgetting to do?

Thanks,
Bernard
Re: [CentOS] Could not fetch domain SID
I see there is "net setdomainsid" to define the domain's SID. I am rather puzzled with this command. Isn't there some kind of algorithm that defines a SID?

On Wed, Sep 28, 2016 at 8:04 AM, Bernard Fay <bernard@gmail.com> wrote:
> Hello,
>
> I try to set up a new test environment with Samba and LDAP on CentOS 7 but
> I could not get my domain SID:
>
> [root@ ~]# net getdomainsid
> SID for local machine LDAP-TEST is: S-1-5-21-1044143993-2427131616-1047417663
> Could not fetch domain SID
>
> What am I doing wrong or forgetting to do?
>
> Thanks,
> Bernard
Re: [CentOS] smbldap-passwd does not update samba password
Ok, fixed: found some typos in my Samba configuration...

On Thu, Sep 22, 2016 at 3:39 PM, Gordon Messmer <gordon.mess...@gmail.com> wrote:
> On 09/22/2016 12:18 PM, Bernard Fay wrote:
> > I have never heard of ACI before and I really do not know what it is.
>
> ACIs are the rules in your directory server that govern what entries and
> attributes (such as the samba password) each DN (user) is allowed to edit.
> You should have an ACI that allows users to modify their own password and
> samba password.
>
> > On the other hand, what does this have to do with the passwords in Samba?
>
> ?
Re: [CentOS] smbldap-passwd does not update samba password
I have never heard of ACI before and I really do not know what it is.

On the other hand, what does this have to do with the passwords in Samba?

Obviously, there are many things I do not know about LDAP and Samba but I have to manage it.

On Tue, Sep 20, 2016 at 10:16 AM, Gordon Messmer <gordon.mess...@gmail.com> wrote:
> On 09/20/2016 04:05 AM, Bernard Fay wrote:
> > What do you mean by ACIs?
>
> What ACIs govern access to attributes and entries, on your LDAP server?
Re: [CentOS] smbldap-passwd does not update samba password
What do you mean by ACIs?

On Mon, Sep 19, 2016 at 3:56 PM, Gordon Messmer <gordon.mess...@gmail.com> wrote:
> On 09/19/2016 10:18 AM, Bernard Fay wrote:
> > Any idea what can be wrong on my server?
>
> What are your ACIs?
[CentOS] smbldap-passwd does not update samba password
Hi,

On CentOS 7, when I execute smbldap-passwd to change a password it does change the LDAP password but _NOT_ the Samba password. This is true while running smbldap-passwd either as a regular user or as root.

Any idea what can be wrong on my server?

Thanks,
Bernard
Re: [CentOS] SELinux module
Thanks a lot Jonathan,

It was that simple!!! Problem fixed!

On Fri, Sep 16, 2016 at 10:05 AM, Jonathan Billings <billi...@negate.org> wrote:
> If you are using NFS homedirs, you should run:
>
> setsebool -P use_nfs_home_dirs 1
>
> --
> Jonathan Billings
>
> > On Sep 16, 2016, at 08:25, Bernard Fay <bernard@gmail.com> wrote:
> >
> > setsebool -P use_nfs_home_dirs 1
> >
> > * Plugin catchall (11.6 confidence) suggests **
> >
> > If you believe that mkhomedir should be allowed setattr access on the
> > .bash_logout file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
Re: [CentOS] SELinux module
I do not want to disable SELinux at large but only for a directory and its sub-directories.

On Fri, Sep 16, 2016 at 8:31 AM, Eddie G. O'Connor Jr. <eoconno...@gmail.com> wrote:
> Not sure about most others, but I was always told that you never disable
> SELinux. Of course that is in a business/corporate setting. If it's just
> you at home with a few servers? Then yeah I guess disabling it would be
> the "quickest" route around this problem.
>
> On Sep 16, 2016 8:25 AM, Bernard Fay <bernard@gmail.com> wrote:
> > Hello everyone,
> >
> > I have a problem with oddjob_mkhomedir on a NFS mount point. The actual
> > context is nfs_t
> >
> > drwxr-xr-x. root root system_u:object_r:nfs_t:s0 users/
> >
> > With this type, oddjob_mkhomedir cannot do its job of creating home user
> > directories.
> >
> > In the logs, I found a note about creating a new module with audit2allow and
> > semodule:
> >
> > [root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
> > X11 connection rejected because of wrong authentication.
> > SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on
> > the file .bash_logout.
> >
> > * Plugin catchall_boolean (89.3 confidence) suggests **
> >
> > If you want to allow use to nfs home dirs
> > Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs'
> > boolean.
> > You can read 'None' man page for more details.
> > Do
> > setsebool -P use_nfs_home_dirs 1
> >
> > * Plugin catchall (11.6 confidence) suggests **
> >
> > If you believe that mkhomedir should be allowed setattr access on the
> > .bash_logout file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> > Additional Information:
> > Source Context                system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:nfs_t:s0
> > Target Objects                .bash_logout [ file ]
> > Source                        mkhomedir
> > Source Path                   /usr/libexec/oddjob/mkhomedir
> > Port
> > Host
> > Source RPM Packages           oddjob-mkhomedir-0.31.5-4.el7.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name
> > Platform                      Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
> >                               Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
> > Alert Count                   1
> > First Seen                    2016-09-15 15:12:48 EDT
> > Last Seen                     2016-09-15 15:12:48 EDT
> > Local ID                      fe2d7f60-d3ff-405b-b518-38d0cf021598
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1473966768.233:9091): avc: denied { setattr } for
> > pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581
> > scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:nfs_t:s0 tclass=file
> >
> > type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown
> > success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0
> > ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir
> > exe=/usr/libexec/oddjob/mkhomedir
> > subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)
> >
> > Hash: mkhomedir,oddjob_mkhomedir_t,nfs_t,file,setattr
> >
> > I then created the module and the te file says this:
> >
> > [root@ selinux]# cat mkhomedir_nfs.te
> >
> > module mkhomedir_nfs 1.0;
> >
> > require {
> >         type oddjob_mkhomedir_t;
> >         type nfs_t;
> >         class file { write create open setattr };
> >         class dir { write create add_name setattr };
> > }
> >
> > #============= oddjob_mkhomedir_t ==============
> >
> > # This avc is allowed in the current policy
> > allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr };
[CentOS] SELinux module
Hello everyone,

I have a problem with oddjob_mkhomedir on a NFS mount point. The actual context is nfs_t

drwxr-xr-x. root root system_u:object_r:nfs_t:s0 users/

With this type, oddjob_mkhomedir cannot do its job of creating home user directories.

In the logs, I found a note about creating a new module with audit2allow and semodule:

[root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
X11 connection rejected because of wrong authentication.
SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on the file .bash_logout.

* Plugin catchall_boolean (89.3 confidence) suggests **

If you want to allow use to nfs home dirs
Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean.
You can read 'None' man page for more details.
Do
setsebool -P use_nfs_home_dirs 1

* Plugin catchall (11.6 confidence) suggests **

If you believe that mkhomedir should be allowed setattr access on the .bash_logout file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                .bash_logout [ file ]
Source                        mkhomedir
Source Path                   /usr/libexec/oddjob/mkhomedir
Port
Host
Source RPM Packages           oddjob-mkhomedir-0.31.5-4.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name
Platform                      Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
                              Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-15 15:12:48 EDT
Last Seen                     2016-09-15 15:12:48 EDT
Local ID                      fe2d7f60-d3ff-405b-b518-38d0cf021598

Raw Audit Messages
type=AVC msg=audit(1473966768.233:9091): avc: denied { setattr } for pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581 scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0 ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir exe=/usr/libexec/oddjob/mkhomedir subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)

Hash: mkhomedir,oddjob_mkhomedir_t,nfs_t,file,setattr

I then created the module and the te file says this:

[root@ selinux]# cat mkhomedir_nfs.te

module mkhomedir_nfs 1.0;

require {
        type oddjob_mkhomedir_t;
        type nfs_t;
        class file { write create open setattr };
        class dir { write create add_name setattr };
}

#============= oddjob_mkhomedir_t ==============

# This avc is allowed in the current policy
allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr };

# This avc is allowed in the current policy
allow oddjob_mkhomedir_t nfs_t:file { write create open setattr };

Reading this output, I thought I had to add the context oddjob_mkhomedir_t to the users directory but I got another problem:

[root@ home]# semanage fcontext -a -t oddjob_mkhomedir_t "./users"
ValueError: Type oddjob_mkhomedir_t is invalid, must be a file or device type

What am I doing wrong? On the other hand, is it possible to disable SELinux for a directory and all its subdirectories?

Thanks,
Bernard
Re: [CentOS] Mysterious change in directory ownership and removal of the execute bit on directory
Dohhh...

-a implies -p, -o and -g which preserve permissions, owner and group.

Therefore I chose to use: -r -l -t --devices --specials

For the benefit of everyone...

On Fri, Jul 22, 2016 at 12:06 PM, Bernard Fay <bernard@gmail.com> wrote:
> In the following sequence of commands, you can see that directory /7.2.1511/
> changes ownership to another user and the execute bit is removed.
> This user, lbfay, is actually my own user but I am not logged on the server
> while running rsync with root.
>
> [root@ctsrepocos ~]# who
> root tty1 2016-07-22 10:40
>
> [root@ctsrepocos ~]# ls -l /share/CentOS/
> total 476
> lrwxrwxrwx. 1 apache apache 9 Dec 15 2015 7 -> 7.2.1511/
> *drwxr-xr-x*. 13 *apache apache* 4096 May 18 12:48 7.2.1511
>
> [root@ctsrepocos ~]# /usr/bin/rsync -a -vvv --delete --delete-excluded
> --exclude "local" --exclude "isos" --exclude "*.iso" --exclude "xen4"
> --exclude "*.i686.*" --exclude "i386" --exclude "atomic"
> rsync://centos.mirror.iweb.ca/centos/7.2.1511 /share/CentOS
>
> [root@ctsrepocos ~]# ls -l /share/CentOS/
> total 476
> lrwxrwxrwx. 1 apache apache 9 Dec 15 2015 7 -> 7.2.1511/
> *drw-r--r--.* 13 *lbfay lbfay* 4096 May 18 12:48 7.2.1511
>
> Does someone have an idea of what is going on?
>
> Thanks,
[CentOS] Mysterious change in directory ownership and removal of the execute bit on directory
In the following sequence of commands, you can see that directory /7.2.1511/ changes ownership to another user and the execute bit is removed. This user, lbfay, is actually my own user but I am not logged on the server while running rsync with root.

[root@ctsrepocos ~]# who
root tty1 2016-07-22 10:40

[root@ctsrepocos ~]# ls -l /share/CentOS/
total 476
lrwxrwxrwx. 1 apache apache 9 Dec 15 2015 7 -> 7.2.1511/
*drwxr-xr-x*. 13 *apache apache* 4096 May 18 12:48 7.2.1511

[root@ctsrepocos ~]# /usr/bin/rsync -a -vvv --delete --delete-excluded --exclude "local" --exclude "isos" --exclude "*.iso" --exclude "xen4" --exclude "*.i686.*" --exclude "i386" --exclude "atomic" rsync://centos.mirror.iweb.ca/centos/7.2.1511 /share/CentOS

[root@ctsrepocos ~]# ls -l /share/CentOS/
total 476
lrwxrwxrwx. 1 apache apache 9 Dec 15 2015 7 -> 7.2.1511/
*drw-r--r--.* 13 *lbfay lbfay* 4096 May 18 12:48 7.2.1511

Does someone have an idea of what is going on?

Thanks,
Re: [CentOS] How to have more than one SELinux context on a directory
Thanks Fabian,

That's what I need! A bit more open than I wish but it is ok.

One more thing... I had some problems getting the man page for tftpd_selinux.

[ ]$ yum search tftpd_selinux
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
Warning: No matches found for: tftpd_selinux
No matches found

[ ~]$ yum provides tftpd_selinux
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
No matches found

Of course, google came to the rescue. But is there another way, a Linux or yum based solution, to find the proper packages when yum search or yum provides don't get it?

Thanks again

On Thu, Jul 7, 2016 at 5:58 AM, Fabian Arrotin <arr...@centos.org> wrote:
> On 06/07/16 21:17, Bernard Fay wrote:
> > I can access /depot/tftp from a tftp client but unable to do it from a
> > Windows client as long as SELinux is enforced. If SELinux is permissive I
> > can access it then I know Samba is properly configured.
> >
> > # getenforce
> > Enforcing
> > # ls -dZ /depot/tftp/
> > drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/
> >
> > And if I do it the other way around, give the directory a type
> > samba_share_t then the tftp clients are unable to push files.
> >
> > # getenforce
> > Enforcing
> > [root@CTSFILESRV01 depot]# ls -ldZ tftp/
> > drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/
> >
> > I would then have to either create my own type or missing access rules as you
> > suggest. Unfortunately, this will be when I will have time which I don't
> > have at the moment.
> >
> > Thanks for your help
>
> Don't forget that it's about process type and context.
> If you need multiple processes/domain types accessing the same context
> files, you'd probably just need a common context/label.
>
> man -k _selinux => will show you man pages for everything regarding
> selinux and domain/process/context
>
> => man tftpd_selinux
> => search for samba and :
>
> If you want to share files with multiple domains (Apache, FTP, rsync,
> Samba), you can set a file context of public_content_t and
> public_content_rw_t. These context allow any of the above domains to
> read the content.
> If you want a particular domain to write to the public_content_rw_t
> domain, you must set the appropriate boolean.
>
> But read the whole tftpd_selinux and samba_selinux man pages (and they
> share almost the same content for "Sharing files" stanzas :-)
>
> --
> Fabian Arrotin
> The CentOS Project | http://www.centos.org
> gpg key: 56BEC54E | twitter: @arrfab
Re: [CentOS] How to have more than one SELinux context on a directory
I can access /depot/tftp from a tftp client but unable to do it from a Windows client as long as SELinux is enforced. If SELinux is permissive I can access it then I know Samba is properly configured.

# getenforce
Enforcing
# ls -dZ /depot/tftp/
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/

And if I do it the other way around, give the directory a type samba_share_t then the tftp clients are unable to push files.

# getenforce
Enforcing
[root@CTSFILESRV01 depot]# ls -ldZ tftp/
drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/

I would then have to either create my own type or missing access rules as you suggest. Unfortunately, this will be when I will have time which I don't have at the moment.

Thanks for your help

On Wed, Jul 6, 2016 at 11:07 AM, Александр Кириллов wrote:
> > If I understand well, I could add a type to another type?!?!?!
>
> No.
>
> The default targeted policy is mostly about Type Enforcement. Quote from
> the manual:
>
> "All files and processes are labeled with a type: types define a SELinux
> domain for processes and a SELinux type for files. SELinux policy rules
> define how types access each other, whether it be a domain accessing a
> type, or a domain accessing another domain. Access is only allowed if a
> specific SELinux policy rule exists that allows it."
>
> You could have added a new type (eg tftpdir_rw_and_samba_share_t) to label
> the files in your shared directory and defined necessary rules to allow
> access to these files by processes running in certain confined domains.
> These new rules would most likely include a subset of rules already defined
> in the default policy for samba_share_t and tftpdir_rw_t types.
>
> I've never added a new type myself and cannot really elaborate any further
> on the subject.
>
> An easier approach would be to add missing access rules for already
> existing file type (either samba_share_t or tftpdir_rw_t).
>
> BTW have you really tried to access files labelled with tftpdir_rw_t via
> samba or vice versa? There's already a number of rules in the default
> policy which allow ftp access to samba shares and smb/nmb access to files
> labelled with tftpdir_rw_t. Eg
>
> # sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
>    allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>    allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
>    allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
>    allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>    allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>
> Maybe the needed functionality is already there and all this discussion
> is the equivalent of shooting a gun on sparrows.
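The sesearch output quoted here and the audit2allow .te file in the "SELinux module" thread above are two sides of one question: is a denial already covered by a rule in the loaded policy, or is a new rule (or, more often, a boolean) needed? The block below is an added example written for this page; it is not code from either thread, from audit2allow or from setools. It parses raw AVC records in the form shown in that thread and "allow SRC TGT : CLASS { perms } ;" lines in the form sesearch prints, then reports which requested permissions no existing rule grants, rendered in the .te syntax audit2allow would emit. The sample audit records and sesearch lines are constructed from the threads' own output (the second AVC record is invented to show the "already allowed" case).

```python
"""Triage SELinux AVC denials against allow rules already loaded in policy.

Added example written for this page; not code from the mailing-list threads,
from audit2allow or from setools.  Two input formats that appear verbatim in
the threads are parsed:

  * raw "type=AVC ... avc: denied { perms } for ... scontext=... tcontext=...
    tclass=..." records from /var/log/audit/audit.log
  * "allow SRC TGT : CLASS { perms } ;" lines as printed by sesearch --allow
    (the same shape audit2allow writes into a .te file)

The sample data below is constructed from the threads' own output.
"""
import re
from collections import defaultdict

AVC_PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r"(\w+)=(\S+)")
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for non-AVC lines."""
    m = AVC_PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    # A context is user:role:type[:range]; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())


def parse_allow_rules(text):
    """Map (src, tgt, class) -> set of permissions from sesearch/.te style lines."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules[(src, tgt, cls)].update(perms.split())
    return rules


def uncovered(avc_lines, rules):
    """Denials whose permissions are not all granted by an existing allow rule.

    Returns a sorted list of (src, tgt, class, [missing perms])."""
    wanted = defaultdict(set)
    for line in avc_lines:
        parsed = parse_avc(line)
        if parsed:
            wanted[parsed[:3]].update(parsed[3])
    result = []
    for key in sorted(wanted):
        missing = wanted[key] - rules.get(key, set())
        if missing:
            result.append((key[0], key[1], key[2], sorted(missing)))
    return result


def te_rules(uncovered_list):
    """Render the gaps in the .te syntax audit2allow would emit (for review, not blind loading)."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p)) for s, t, c, p in uncovered_list]


# Constructed sample: the first record is the AVC from the "SELinux module"
# thread; the second is an invented dir denial from the same domain.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1473966768.233:9091): avc: denied { setattr } for '
    'pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581 '
    'scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file',
    'type=AVC msg=audit(1473966770.100:9092): avc: denied { write add_name } for '
    'pid=28565 comm="mkhomedir" name="users" '
    'scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
]

# Constructed sesearch output: the dir rule from that thread's .te plus one of
# the ftpd_t/samba_share_t lines quoted in this thread.
SAMPLE_SESEARCH = """\
   allow oddjob_mkhomedir_t nfs_t : dir { write create add_name setattr } ;
   allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
"""


def demo():
    """Which of the sample denials is not covered by the sample rules."""
    return uncovered(SAMPLE_AUDIT, parse_allow_rules(SAMPLE_SESEARCH))


if __name__ == "__main__":
    for rule in te_rules(demo()):
        print(rule)  # allow oddjob_mkhomedir_t nfs_t:file { setattr };
```

A gap reported here is a reason to look for a boolean before writing a module: a rule that exists in policy but is gated by a boolean does not help while that boolean is off, and in the "SELinux module" thread the working fix was `setsebool -P use_nfs_home_dirs 1`, not the custom .te that audit2allow proposed.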
Re: [CentOS] How to have more than one SELinux context on a directory
If I understand well, I could add a type to another type?!?!?!

If that is the case, I did not know about it, like many things in the SELinux world. It is so complex and so badly documented. :-(

On Tue, Jul 5, 2016 at 1:24 PM, Александр Кириллов wrote:
> Александр Кириллов wrote on 2016-07-05 19:58:
> > > I need to have the tftpdir_rw_t and samba_share_t SELinux context on
> > > the same directory.
> > >
> > > How can we do this? Is it feasible to have more than one SELinux context?
> >
> > I don't think it's possible/feasible.
> > You'd probably need to add a new type and necessary rules to your local
> > policy.
> > Or add missing allow rules to an existing type (tftpdir_rw_t or
> > samba_share_t).
> > Or use audit2allow to add necessary allow rules to an existing type.
> > Any of the above could be a major PITA.
>
> Some links and commands which might be useful if you really need this done:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types
>
> # sesearch --help
> # sesearch --allow -t samba_share_t
> # sesearch --allow -t tftpdir_rw_t
[CentOS] How to have more than one SELinux context on a directory
Hello,

I need to have the tftpdir_rw_t and samba_share_t SELinux context on the same directory.

How can we do this? Is it feasible to have more than one SELinux context?

Thanks,
Bernard
[CentOS] how to debug authconfig execution
Hello group,

Does anyone have an idea how to debug the execution of authconfig? I try to do many changes with authconfig but no files are modified. It seems authconfig does not have a verbose mode or any other way to know what is going wrong with it?

Does someone have an idea how to find out what is going on with authconfig?

Thanks,
[CentOS] yum in test mode and downgrade of a package
Is it possible to run yum in test mode? Something similar to rpm --test ...

Also, is it possible to downgrade a package? Say we install a package and we find this new version creates problems for an application running on the server and we need to go back to a previous version.

Thanks,
--
Bernard
Re: [CentOS] CentOS 5.5 yum update with reference to 5.6
On Wed, Apr 13, 2011 at 3:15 PM, William Hooper <whooper...@gmail.com> wrote:
> On Wed, Apr 13, 2011 at 3:09 PM, Bernard Fay <bernard@enodegroup.com> wrote:
> > Hello group,
> >
> > I have a CentOS 5.5 server freshly installed. When I do a yum update
> > package_name, I see references to 5.6. Why?
>
> CentOS point releases track the upstream Update x releases. So CentOS 5.6
> is upstream version 5 update 6. The point releases are not a separate
> product, just a batch of updates to the base product. As soon as you do a
> yum update to get all the new updates you will have a 5.6 install.
>
> https://www.centos.org/modules/smartfaq/faq.php?faqid=34
>
> --
> William Hooper

Oh ok! I didn't know about this way of tracking versions in CentOS. It is a different paradigm from the other distros, at least for the ones I know.

Thanks guys,
Bernard
[CentOS] CentOS 5.5 yum update with reference to 5.6
Hello group,

I have a CentOS 5.5 server freshly installed. When I do a yum update package_name, I see references to 5.6. Why?

Here is an example:

yum update vsftpd --changelog
Loaded plugins: changelog, fastestmirror, security
addons/other                                             | 192 B     00:00
base/other_db                                            |  11 MB    00:50
extras/other_db                                          | 442 kB    00:01
updates/other_db                                         | 2.8 MB    00:11
http://centos.arcticnetwork.ca/*5.6*/updates/x86_64/repodata/other.sqlite.bz2: [Errno -1] Metadata file does not match checksum
Trying other mirror.
updates/other_db                                         | 2.7 MB    00:22
Loading mirror speeds from cached hostfile
 * addons: mirror.science.uottawa.ca
 * base: mirror.science.uottawa.ca
 * extras: mirror.science.uottawa.ca
 * updates: mirror.science.uottawa.ca
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package vsftpd.x86_64 0:2.0.5-16.el5_6.1 set to be updated
--> Finished Dependency Resolution

Changes in packages about to be updated:

vsftpd-2.0.5-16.el5_6.1.x86_64
* Fri Mar 4 17:00:00 2011 Jiri Skala <jsk...@redhat.com> - 2.0.5-16.el5_6.1
- Resolves: #681893 - CVE-2011-0762 vsftpd: remote DoS via crafted glob pattern

* Thu Apr 8 18:00:00 2010 Jiri Skala <jsk...@redhat.com> - 2.0.5-16.el5_5.1
- Resolves: #580055 - vsftpd prematurely closes connection just before processing of post-auth command
- Resolves: #580396 - vsftpd issues in RHEL5

Dependencies Resolved

 Package      Arch       Version               Repository    Size
Updating:
 vsftpd       x86_64     2.0.5-16.el5_6.1      updates       139 k

Transaction Summary
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 139 k

The version installed is 5.5:

[root@future_qljnl51p yum.repos.d]# lsb_release -a
LSB Version:    :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description:    CentOS release 5.5 (Final)
Release:        5.5
Codename:       Final

--
Bernard
Re: [CentOS] updates to package
Well, I would like to know what will be the changes before we apply the updates. I would like to generate a kind of report showing what the changes will be for all packages with available updates. Is there a way to do it?

Thanks
Bernard

On Mon, Apr 11, 2011 at 3:01 PM, Christopher J. Buckley <ch...@cjbuckley.net> wrote:
> On Mon, Apr 11, 2011 at 19:54, Bernard Fay <bernard@enodegroup.com> wrote:
> > Hi,
> >
> > I'd like to know where or how I can find changes in a package update.
>
> http://linux.die.net/man/1/yum-changelog
>
> rpm -qa --changelog foo.bar.rpm
>
> Cheers,
> --
> Kind Regards,
> Christopher J. Buckley

--
Bernard Fay
Consultant
Groupe Enode inc.
www.groupe-enode.com
Tel: 418-614-7868, ext. 122
Fax: 418-614-7544
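The "yum update --changelog" output posted earlier in this thread already contains the material for the report asked about here; what is missing is something that reads it per package. The block below is an added example written for this page, not code from the yum-changelog plugin or from the thread. It reads the block the plugin prints between "Changes in packages about to be updated:" and "Dependencies Resolved" (both markers are in the posted output), groups changelog entries by package and pulls out any CVE ids mentioned. The sample input is constructed from the vsftpd output on this page.

```python
"""Per-package report from the changelog section of "yum update --changelog".

Added example written for this page; it is not code from the yum-changelog
plugin or from the thread.  It reads the block that the plugin prints between
"Changes in packages about to be updated:" and "Dependencies Resolved",
groups the changelog entries by package and pulls out any CVE ids.  The
sample input is constructed from the vsftpd output posted in this thread.
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
START_MARKER = "Changes in packages about to be updated:"
END_MARKER = "Dependencies Resolved"


def split_nvra(line):
    """'vsftpd-2.0.5-16.el5_6.1.x86_64' -> ('vsftpd', '2.0.5-16.el5_6.1', 'x86_64')."""
    nvr, arch = line.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, "%s-%s" % (version, release), arch


def parse_changelog_report(text):
    """Return {name: {"nvr": ..., "arch": ..., "entries": [...], "cves": [...]}}.

    Each entry is {"header": who/when, "version": evr from the header, "lines": [...]}.
    """
    report = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(START_MARKER):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith(END_MARKER):
            break
        if not line:
            continue
        if line.startswith("* "):            # entry header: "* <date> <author> - <evr>"
            if current is None:
                continue
            header, _, version = line[2:].rpartition(" - ")
            current["entries"].append({"header": header, "version": version, "lines": []})
        elif line.startswith("- "):          # entry body line
            if current is None or not current["entries"]:
                continue
            current["entries"][-1]["lines"].append(line[2:])
        else:                                # package line: name-version-release.arch
            name, nvr, arch = split_nvra(line)
            current = report.setdefault(name, {"nvr": nvr, "arch": arch, "entries": [], "cves": []})
    for pkg in report.values():
        body = " ".join(l for e in pkg["entries"] for l in e["lines"])
        pkg["cves"] = sorted(set(CVE_RE.findall(body)))
    return report


def security_summary(report):
    """[(name, nvr, [cves])] for packages whose pending changelog mentions a CVE."""
    return [(name, pkg["nvr"], pkg["cves"])
            for name, pkg in sorted(report.items()) if pkg["cves"]]


# Constructed sample, taken from the vsftpd output posted in this thread.
SAMPLE_YUM_OUTPUT = """\
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.0.5-16.el5_6.1 set to be updated
--> Finished Dependency Resolution

Changes in packages about to be updated:

vsftpd-2.0.5-16.el5_6.1.x86_64
* Fri Mar 4 17:00:00 2011 Jiri Skala <jsk...@redhat.com> - 2.0.5-16.el5_6.1
- Resolves: #681893 - CVE-2011-0762 vsftpd: remote DoS via crafted glob pattern

* Thu Apr 8 18:00:00 2010 Jiri Skala <jsk...@redhat.com> - 2.0.5-16.el5_5.1
- Resolves: #580055 - vsftpd prematurely closes connection just before processing of post-auth command
- Resolves: #580396 - vsftpd issues in RHEL5

Dependencies Resolved
"""


if __name__ == "__main__":
    for name, nvr, cves in security_summary(parse_changelog_report(SAMPLE_YUM_OUTPUT)):
        print("%s %s: %s" % (name, nvr, ", ".join(cves)))
```

Feeding it `yum update --changelog` run against all pending updates (the command the earlier message shows, without a package name) gives the whole-system report. The CVE grep is a heuristic over changelog text; where a repository publishes updateinfo metadata, `yum --security` from the security plugin is the authoritative answer, and the "Skipping security plugin, no data" lines in the posted output show that the CentOS 5 repositories did not publish it at the time.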
[CentOS] updates to package
Hi,

I'd like to know where or how I can find changes in a package update.

Also, is there a way to find out which package updates are security updates?

thanks
--
Bernard
Re: [CentOS] updates to package
Great! Thanks a lot!

On Mon, Apr 11, 2011 at 3:01 PM, Christopher J. Buckley <ch...@cjbuckley.net> wrote:
> On Mon, Apr 11, 2011 at 19:54, Bernard Fay <bernard@enodegroup.com> wrote:
> > Hi,
> >
> > I'd like to know where or how I can find changes in a package update.
>
> http://linux.die.net/man/1/yum-changelog
>
> rpm -qa --changelog foo.bar.rpm
>
> Cheers,
> --
> Kind Regards,
> Christopher J. Buckley

--
Bernard