Re: [CentOS] Unable to apply mysqld_db_t to mysql directory

2017-10-24 Thread Bernard Fay
James,

I read your email a couple of times.  There is so much to learn from it.

If I am right, the output of "semanage fcontext -l" is the content of the
SELinux database regarding the SELinux contexts.  Yet if I am right, when
we try to assign or verify what should be the contexts on files or
directories, a first look at the SELinux DB should be the first thing to
do. Right?

I have now a much better understanding of what is going on when I use
"semanage fcontext -a -t ..." then "restorecon -R".  "semanage fcontext -a"
adds the fcontext to the SELinux DB and restorecon applies the fcontext to the
files or directory as defined in the DB.

In the past I have been confused by chcon and came to the conclusion this
command was totally useless.  But if the command exists, it should have a
use.  What kind of situation could make chcon useful?

Regarding the equivalence, at first I understood it as "make this equal to
that". A bit like when using chmod --reference.  Wrong!!!

I didn't only have a slight misconception about labels; I honestly would say I
was lost, going by the new light you shed on it.

Thanks a lot for your time James! I really appreciate it.

Bernard



On Mon, Oct 23, 2017 at 5:13 PM, James Hogarth <james.hoga...@gmail.com>
wrote:

> On 23 October 2017 at 19:18, Bernard Fay <bernard@gmail.com> wrote:
> > Thanks, I managed to fix /var/lib/mysql
> >
> > # ls -ldZ /var/lib/mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql
> >
> > To fix it, I tried:
> > semanage fcontext -d -e /var/lib/mysql
> > this command returned:
> > KeyError: /var/lib/mysql
> > I tried restorecon anyway:
> > restorecon -Rv /var/lib/mysql
> > But not better:
> > ls -ldZ /var/lib/mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   /var/lib/mysql
> >
> > So I did the following:
> > semanage fcontext -d -t var_lib_t /var/lib/mysql
> > It started to look better:
> > ls -ldZ /var/lib/mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   /var/lib/mysql
> > Then I ran restorecon
> > restorecon -Rv /var/lib/mysql
> > I got a lot of :
> > restorecon reset /var/lib/mysql/...
> >
> > And then I got the proper context on /var/lib/mysql.
> >
> >
> > I think there are still many things I do not understand about SELinux.
> >
> > I thought the equivalence thing I did with the command below was going to
> > assign the context of /var/lib/mysql.old to /var/lib/mysql. Obviously
> not!
> > semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
> >
> >
>
> I think you have a slight misconception over how labels are determined.
>
> There's no relation between what is presently on the filesystem when
> you do ls -lZ and what the policy database thinks it ought to be.
>
> This is why you can chcon to change the label of something but a
> relabelling will change it back.
>
> When you run restorecon to relabel a path what happens is it takes the
> absolute (full) path and compares it against the regexes in the
> selinux policy database (see it with semanage fcontext -l for some,
> but not all, context matches) ...
>
> Then for the most specific match it will apply whatever label is in
> that database.
>
> When you do semanage fcontext -a -e /foo /bar to do an alias what you
> are telling selinux is that for every time that /bar is run through
> the regex replace bar with foo and check that instead.
>
> This is why when adding custom labelling you need to do a full regex
> path to match files under that directory too.
>
> When you moved /var/lib/mysql to /var/lib/mysql.old the labels moved
> with the files (this is the default unless you cross filesystems, you
> can force labelling as the destination with mv -Z).
>
> The selinux database still has /var/lib/mysql(/.*)? as being type
> mysqld_db_t even if that directory doesn't exist.
>
> When the directory is created and put in place then it will get what
> policy says is right for that path.
>
> The point of using equivalence is when you move a default location -
> such as /home to /data/home or /var/lib/mysql to /data/mysql
>
> In that situation the default selinux policy doesn't know anything
> about /data or the contents of it so it'll end up with a default_t
> label ... not very useful.
>
> Now you could semanage fcontext -a -t mysqld_db_t /data/mysql(/.*)?
> but quite often the 'story' of a directory tree isn't about just one
> label and it'd be tedious trying to match them all ...
>
> For the craziness that is $HOME for instance...
>
> CentOS7: cat /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> Fe
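
As an added illustration of the matching James describes (example code written for this page, not from the thread or from any SELinux tool), the Python below models how restorecon decides a label: the full path is first rewritten through any equivalence rule, then matched against the fcontext regexes, and the most specific match wins. The two /var/lib/mysql entries, both context strings and the equivalence rule mirror what the thread's "semanage fcontext -lC" output shows; the /var/lib and catch-all entries stand in for base policy and are assumptions, and "most specific" is simplified to the longest literal prefix, which is not libselinux's exact algorithm.

```python
import re

# Constructed, reduced fcontext database as (regex, context). The two /var/lib/mysql
# entries and both context strings are taken from the `semanage fcontext -lC` output
# quoted in the thread; the /var/lib and catch-all entries stand in for base policy
# and are an assumption.
FCONTEXTS = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/var/lib(/.*)?", "system_u:object_r:var_lib_t:s0"),
    (r"/var/lib/mysql(/.*)?", "system_u:object_r:mysqld_db_t:s0"),
]

# The equivalence that `semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql`
# records, stored as (source, target): a lookup at or under target is rewritten to
# source before any regex is consulted.
EQUIVALENCES = [("/var/lib/mysql.old", "/var/lib/mysql")]


def substitute(path, equivalences):
    """Rewrite `path` through the first equivalence whose target covers it."""
    for source, target in equivalences:
        if path == target or path.startswith(target + "/"):
            return source + path[len(target):]
    return path


def specificity(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    meta = re.search(r"[\\.^$*+?()\[\]{}|]", regex)
    return len(regex) if meta is None else meta.start()


def default_label(path, fcontexts=FCONTEXTS, equivalences=EQUIVALENCES):
    """The label restorecon would apply: substitute, match the full path against
    every regex, keep the most specific match (simplified to longest literal prefix)."""
    lookup = substitute(path, equivalences)
    best = None
    for regex, context in fcontexts:
        if re.fullmatch(regex, lookup) and (
            best is None or specificity(regex) > specificity(best[0])
        ):
            best = (regex, context)
    return None if best is None else best[1]


if __name__ == "__main__":
    for p in ["/var/lib/mysql", "/var/lib/mysql/ibdata1", "/data/mysql"]:
        print(f"{p:24} base policy only -> {default_label(p, equivalences=[])}")
        print(f"{p:24} with equivalence -> {default_label(p)}")
    # A custom rule for a relocated data directory, as James suggests for /data:
    custom = FCONTEXTS + [(r"/data/mysql(/.*)?", "system_u:object_r:mysqld_db_t:s0")]
    print("/data/mysql/db1 with custom rule ->", default_label("/data/mysql/db1", custom, []))
```

Running it shows why the leftover equivalence matters: with "/var/lib/mysql = /var/lib/mysql.old" in place, a lookup for /var/lib/mysql is really performed for /var/lib/mysql.old, which only the broad /var/lib(/.*)? rule matches, so the model yields var_lib_t, consistent with the label the thread reports; without the equivalence the same path gets mysqld_db_t, and /data/mysql falls to default_t until a custom rule covers it.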

Re: [CentOS] Unable to apply mysqld_db_t to mysql directory

2017-10-23 Thread Bernard Fay
Thanks, I managed to fix /var/lib/mysql

# ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql

To fix it, I tried:
semanage fcontext -d -e /var/lib/mysql
this command returned:
KeyError: /var/lib/mysql
I tried restorecon anyway:
restorecon -Rv /var/lib/mysql
But not better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   /var/lib/mysql

So I did the following:
semanage fcontext -d -t var_lib_t /var/lib/mysql
It started to look better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   /var/lib/mysql
Then I ran restorecon
restorecon -Rv /var/lib/mysql
I got a lot of :
restorecon reset /var/lib/mysql/...

And then I got the proper context on /var/lib/mysql.


I think there are still many things I do not understand about SELinux.

I thought the equivalence thing I did with the command below was going to
assign the context of /var/lib/mysql.old to /var/lib/mysql. Obviously not!
semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql


I still have the following equivalence:
# semanage fcontext -lC
SELinux fcontext                 type       Context

/home/users(/.*)?                all files  system_u:object_r:user_home_dir_t:s0
/var/lib/mysql                   all files  system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?             all files  system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
mysql = ./mysql.old


Should I be worried about those two equivalence?


Thanks,
Bernard


On Mon, Oct 23, 2017 at 1:41 PM, James Hogarth <james.hoga...@gmail.com>
wrote:

> On 23 Oct 2017 5:26 pm, "Bernard Fay" <bernard@gmail.com> wrote:
>
> Interesting to see the Equivalence. As a first thing, I tried:
>
> semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
> then
> restorecon -R /var/lib/mysql
>
>
> # semanage fcontext -lC
> SELinux fcontext                 type       Context
>
> /home/users(/.*)?                all files  system_u:object_r:user_home_dir_t:s0
> /var/lib/mysql                   all files  system_u:object_r:mysqld_db_t:s0
> /var/lib/mysql(/.*)?             all files  system_u:object_r:mysqld_db_t:s0
>
> SELinux Local fcontext Equivalence
>
> ./mysql = ./mysql.old
> /var/lib/mysql = /var/lib/mysql.old
> mysql = ./mysql.old
>
>
>
>
> On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hoga...@gmail.com>
> wrote:
>
> > On 23 October 2017 at 13:33, Bernard Fay <bernard@gmail.com> wrote:
> > > Hello,
> > >
> > > A server was configured in /var/lib/mysql in the root fs.  I added an LV
> > > specifically for mysql.  I stopped mysql and renamed /var/lib/mysql to
> > > /var/lib/mysql.old.  I created a new dir /var/lib/mysql and mounted the LV
> > > on /var/lib/mysql.  I then copied with "cp -prZ" all mysql files in
> > > /var/lib/mysql.old to /var/lib/mysql.
> > >
> > > But then I got a selinux problem:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > > I tried to change the context on mysql with the following commands:
> > >
> > > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > > # restorecon -R -v /var/lib/mysql
> > >
> > > But the /var/lib/mysql directory didn't take the change as you can see
> > > below:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > >
> > > How can I fix the wrong context on mysql directory?
> > > Thanks,
> > >
> >
> > /var/lib/mysql is already in default policy - no need to add anything
> there
> >
> > can you please provide the output of 'semanage fcontext -lC' so that
> > we can see any local selinux modifications made?
> >
> > From base policy with nothing added, for that directory, you *should*
> > be able to just restorecon -Rv /var/lib/mysql and have the correct
> > labelling.
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > https://lists.centos.org/mailman/listinfo/centos
> >
>
>
> Th

Re: [CentOS] Unable to apply mysqld_db_t to mysql directory

2017-10-23 Thread Bernard Fay
Interesting to see the Equivalence. As a first thing, I tried:

semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
then
restorecon -R /var/lib/mysql


# semanage fcontext -lC
SELinux fcontext                 type       Context

/home/users(/.*)?                all files  system_u:object_r:user_home_dir_t:s0
/var/lib/mysql                   all files  system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?             all files  system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
/var/lib/mysql = /var/lib/mysql.old
mysql = ./mysql.old




On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hoga...@gmail.com>
wrote:

> On 23 October 2017 at 13:33, Bernard Fay <bernard@gmail.com> wrote:
> > Hello,
> >
> > A server was configured in /var/lib/mysql in the root fs.  I added an LV
> > specifically for mysql.  I stopped mysql and renamed /var/lib/mysql to
> > /var/lib/mysql.old.  I created a new dir /var/lib/mysql and mounted the LV
> > on /var/lib/mysql.  I then copied with "cp -prZ" all mysql files in
> > /var/lib/mysql.old to /var/lib/mysql.
> >
> > But then I got a selinux problem:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> > I tried to change the context on mysql with the following commands:
> >
> > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > # restorecon -R -v /var/lib/mysql
> >
> > But the /var/lib/mysql directory didn't take the change as you can see
> > below:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> >
> > How can I fix the wrong context on mysql directory?
> > Thanks,
> >
>
> /var/lib/mysql is already in default policy - no need to add anything there
>
> can you please provide the output of 'semanage fcontext -lC' so that
> we can see any local selinux modifications made?
>
> From base policy with nothing added, for that directory, you *should*
> be able to just restorecon -Rv /var/lib/mysql and have the correct
> labelling.
>


[CentOS] Unable to apply mysqld_db_t to mysql directory

2017-10-23 Thread Bernard Fay
Hello,

A server was configured in /var/lib/mysql in the root fs.  I added an LV
specifically for mysql.  I stopped mysql and renamed /var/lib/mysql to
/var/lib/mysql.old.  I created a new dir /var/lib/mysql and mounted the LV
on /var/lib/mysql.  I then copied with "cp -prZ" all mysql files in
/var/lib/mysql.old to /var/lib/mysql.

But then I got a selinux problem:
# ls -ldZ mysql.old/ mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/

I tried to change the context on mysql with the following commands:

# semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
# restorecon -R -v /var/lib/mysql

But the /var/lib/mysql directory didn't take the change as you can see
below:
# ls -ldZ mysql.old/ mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/


How can I fix the wrong context on mysql directory?
Thanks,


Re: [CentOS] Fix for the CVE-2017-7494?

2017-05-26 Thread Bernard Fay
Thanks Mark and Christian,

I have two Samba servers running those two versions.  That reassures me!

Thanks,
Bernard


On Fri, May 26, 2017 at 12:08 PM, Paul Heinlein <heinl...@madboa.com> wrote:

> On Fri, 26 May 2017, Christian, Mark wrote:
>
> On Fri, 2017-05-26 at 11:19 -0400, Bernard Fay wrote:
>>
>>> Hi,
>>>
>>> Has a fix already been made in the CentOS RPM repositories for this
>>> Samba remote code execution vulnerability, CVE-2017-7494?
>>>
>> yes. samba-3.6.23-43.el6_9.x86_64.rpm
>>
>
> And samba-*-4.4.4-14.el7_3.x86_64
>
> --
> Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
>
>


[CentOS] Fix for the CVE-2017-7494?

2017-05-26 Thread Bernard Fay
Hi,

Has a fix already been made in the CentOS RPM repositories for this
Samba remote code execution vulnerability, CVE-2017-7494?

Thx,
Bernard


Re: [CentOS] users still member of LDAP group after being removed from group 5 days ago

2017-05-08 Thread Bernard Fay
Sometimes it is too obvious!  Users had the group in question as their
primary group.  I changed the primary group for those users and the problem
is fixed.

Sorry for the noise  :/


On Mon, May 8, 2017 at 12:06 PM, Bernard Fay <bernard@gmail.com> wrote:

> Hi,
>
> Last Thursday I removed users from an LDAP group and today the Linux
> command groups still shows those users as members of this group. I double
> checked in the LDAP to make sure the users are really removed and also not
> part of the local Linux group users on both the server hosting the LDAP
> service and the Linux clients.
>
> Could this be related to a cache somewhere? If not cache related what
> could be the problem?
>
> Thanks in advance for your help,
> Bernard
>
>
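
Illustrating the cause Bernard found (an example added for this page, not code from the thread), using constructed passwd and group records in the shape getent returns from any NSS source, LDAP included: a user's primary group comes from the gid field of the passwd record, not from the group's member list, so removing a user from the group's members changes nothing for a user whose primary group it is, and only changing the primary gid does.

```python
# Constructed passwd(5) and group(5) records, in the shape `getent passwd` and
# `getent group` return them (an LDAP-backed NSS source produces the same shape).
PASSWD = """\
alice:x:1001:1000:Alice:/home/alice:/bin/bash
bob:x:1002:2000:Bob:/home/bob:/bin/bash
"""
GROUP = """\
users:x:1000:
project:x:2000:alice
"""


def parse_passwd(text):
    """name -> primary gid"""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, _, _, gid, *_ = line.split(":")
            out[name] = int(gid)
    return out


def parse_group(text):
    """gid -> (group name, set of supplementary members)"""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, _, gid, members = line.split(":", 3)
            out[int(gid)] = (name, {m for m in members.split(",") if m})
    return out


def effective_groups(user, passwd_text=PASSWD, group_text=GROUP):
    """What `groups USER` prints: the primary group from passwd first, then every
    group whose member list names the user."""
    passwd, groups = parse_passwd(passwd_text), parse_group(group_text)
    primary_gid = passwd[user]
    result = [groups[primary_gid][0]]
    for gid, (name, members) in groups.items():
        if user in members and gid != primary_gid:
            result.append(name)
    return result


def remove_member(group_text, group_name, user):
    """Edit only the group record, which is all that removing a user from an
    LDAP group amounts to."""
    lines = []
    for line in group_text.splitlines():
        if line.startswith(group_name + ":"):
            name, pw, gid, members = line.split(":", 3)
            kept = [m for m in members.split(",") if m and m != user]
            line = ":".join([name, pw, gid, ",".join(kept)])
        lines.append(line)
    return "\n".join(lines) + "\n"


def set_primary_group(passwd_text, user, gid):
    """Change the user's primary gid in the passwd record."""
    lines = []
    for line in passwd_text.splitlines():
        if line.startswith(user + ":"):
            fields = line.split(":")
            fields[3] = str(gid)
            line = ":".join(fields)
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("bob before:", effective_groups("bob"))
    print("bob after removal from project:",
          effective_groups("bob", PASSWD, remove_member(GROUP, "project", "bob")))
    print("bob after primary group change:",
          effective_groups("bob", set_primary_group(PASSWD, "bob", 1000), GROUP))
```

bob is never listed in project's member field at all, because his membership comes from passwd, so the removal is a no-op for him while it works for alice; this is the check worth making before suspecting sssd or nscd caching.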


[CentOS] users still member of LDAP group after being removed from group 5 days ago

2017-05-08 Thread Bernard Fay
Hi,

Last Thursday I removed users from an LDAP group and today the Linux
command groups still shows those users as members of this group. I double
checked in the LDAP to make sure the users are really removed and also not
part of the local Linux group users on both the server hosting the LDAP
service and the Linux clients.

Could this be related to a cache somewhere? If not cache related what could
be the problem?

Thanks in advance for your help,
Bernard


Re: [CentOS] sshd Match Group directive problem

2017-02-28 Thread Bernard Fay
A detail I forgot...

The need is to have members of the groups wheel and users dropped to a
shell to administer the server, while members of only the group users have a
script started that restricts them to a few commands on the server.



On Tue, Feb 28, 2017 at 10:50 AM, Bernard Fay <bernard@gmail.com> wrote:

> I try to set up two "Match Group" directives in sshd_config.
>
> I have an LDAP server.  All users including admins are part of the LDAP
> group users. The admin users are also part of the LDAP group wheel. For
> example:
>
> [~]groups admin1
> admin1 : users wheel
> [~]groups users
> user1 : users
>
> On a client server to LDAP, I try to configure two "Match Group"
> directives in sshd_config as follows:
>
> Match Group wheel
> some keywords...
>
> Match Group users
> some keywords...
>
>
> The problem is that even if a user is a member of LDAP group wheel, the
> "Match Group wheel" directive is skipped in favor of the "Match Group
> users" directive.
>
> Is it possible to have two "Match Group" directives as I would like to do?
> If yes, what is wrong in my configuration?
>
> Thanks,
>
>


[CentOS] sshd Match Group directive problem

2017-02-28 Thread Bernard Fay
I try to set up two "Match Group" directives in sshd_config.

I have an LDAP server.  All users including admins are part of the LDAP
group users. The admin users are also part of the LDAP group wheel. For
example:

[~]groups admin1
admin1 : users wheel
[~]groups users
user1 : users

On a client server to LDAP, I try to configure two "Match Group" directives
in sshd_config as follows:

Match Group wheel
some keywords...

Match Group users
some keywords...


The problem is that even if a user is a member of LDAP group wheel, the
"Match Group wheel" directive is skipped in favor of the "Match Group
users" directive.

Is it possible to have two "Match Group" directives as I would like to do?  If
yes, what is wrong in my configuration?

Thanks,
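
For the sshd_config question, an added example (not from the thread, not OpenSSH code) that simulates the precedence rule documented in sshd_config(5): keywords in a satisfied Match block override the global section, and where a keyword appears in several satisfied blocks only the first instance is applied. The config fragment and the memberships are constructed, and the thread does not say what caused the reported behaviour; the simulation only shows what the documented rule yields for a user who is in both groups, in particular that any keyword the wheel block leaves unset still falls through to the users block.

```python
import fnmatch

# Constructed sshd_config fragment in the shape the thread describes (not the
# poster's file): a wheel block first, then a users block that forces a menu script.
SSHD_CONFIG = """\
PermitTTY yes
AllowTcpForwarding no

Match Group wheel
    AllowTcpForwarding yes

Match Group users
    ForceCommand /usr/local/bin/restricted-menu
    AllowTcpForwarding no
"""

# Constructed memberships mirroring the `groups` output quoted in the thread.
MEMBERSHIP = {"admin1": {"users", "wheel"}, "user1": {"users"}}


def parse_sshd_config(text):
    """Return (global_settings, blocks); blocks is an ordered list of (criteria, settings)."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, argument = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword.lower() == "match":
            tokens = argument.split()
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, argument)  # within one section the first instance wins
    return global_settings, blocks


def match_satisfied(criteria, user, groups):
    """Every criterion on a Match line must hold; each takes a comma-separated pattern list."""
    for crit, pattern_list in criteria.items():
        patterns = pattern_list.split(",")
        if crit == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in patterns)
        elif crit == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)
        else:
            raise ValueError(f"unsupported Match criterion in this model: {crit}")
        if not ok:
            return False
    return True


def effective_settings(text, user, groups):
    """sshd_config(5) rule: satisfied Match blocks override the global section, and
    when a keyword appears in several satisfied blocks only the first instance applies."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, settings in blocks:
        if match_satisfied(criteria, user, groups):
            for keyword, argument in settings.items():
                effective.setdefault(keyword, argument)
    for keyword, argument in global_settings.items():
        effective.setdefault(keyword, argument)
    return effective


if __name__ == "__main__":
    for user, groups in MEMBERSHIP.items():
        print(user, effective_settings(SSHD_CONFIG, user, groups))
```

admin1 gets AllowTcpForwarding yes from the wheel block, but because that block sets no ForceCommand the users block's ForceCommand still applies to him; under this rule the earlier block has to set every keyword that the later block must not supply. Whether the server resolves LDAP group membership at all is a separate question this model does not cover.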


Re: [CentOS] how to resize a partition of a disk define as a physical volume

2017-02-22 Thread Bernard Fay
I usually use the whole disk as a PV but this disk has the /boot partition
which cannot be LVM.

I decided to simply use the third partition as another PV and extended the
VG.

Thanks,



On Wed, Feb 22, 2017 at 8:52 AM, Gianluca Cecchi <gianluca.cec...@gmail.com>
wrote:

> On Wed, Feb 22, 2017 at 2:42 PM, Bernard Fay <bernard@gmail.com>
> wrote:
>
> > How do you resize the partition without losing data?
> >
> > gparted does not support LVM.
> >
> >
> It is preferable to create the PV on the whole disk, also to manage these kinds
> of situations.
> In case I have to manage with partitions, the requirement is that you can do it
> only if it is the last partition, and then you are OK.
> Normally I use fdisk and I first delete the last partition and then, without
> exiting the utility, I create it again using the same starting point and the
> new larger end.
> For this, take care to use the option to show sectors and not cylinders ("u"
> switches between the two options) and print your partition layout ("p"
> command), so that you can set exactly the same starting point of the new
> xvda2 partition; otherwise you will have destroyed it and the LVM layer would
> not be able to identify it (also the type, if now it is 8e for Linux LVM).
> Eventually you will have to run also the command
>
> partprobe /dev/xvda
>
> to align the OS with the new partition layout
>
> Take care and read well (also other sources on the internet, in case). Also
> back up your partition layout before making changes with
>
> sfdisk -d /dev/xvda > part_table.before
>
> and compare with what you have after.
>
> HIH,
> Gianluca
>


Re: [CentOS] how to resize a partition of a disk define as a physical volume

2017-02-22 Thread Bernard Fay
How do you resize the partition without losing data?

gparted does not support LVM.



On Wed, Feb 22, 2017 at 8:37 AM, SysAdmin <admin@s-s.network> wrote:

> Hi,
>
> you need to resize partition /dev/xvda2, afterwards resize pv.
>
> Regards,
> Holger
>
> > -Original Message-
> > From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Bernard
> > Fay
> > Sent: Wednesday, 22 February 2017 14:18
> > To: CentOS mailing list
> > Subject: Re: [CentOS] how to resize a partition of a disk define as a
> > physical volume
> >
> > I should have added the output of pvs:
> >
> > [root ~]# pvs
> >   PV VG  Fmt  Attr PSize PFree
> >   /dev/xvda2 cl_vm731611 lvm2 a--  9.00g0
> >
> > PFree still show 0. It should show 5g.
> >
> > Also:
> > [root ~]# pvdisplay /dev/xvda2
> >   --- Physical volume ---
> >   PV Name   /dev/xvda2
> >   VG Name   cl_vm731611
> >   PV Size   9.00 GiB / not usable 2.00 MiB
> >   Allocatable   yes (but full)
> >   PE Size   4.00 MiB
> >   Total PE  2303
> >   Free PE   0
> >   Allocated PE  2303
> >   PV UUID   RtXa0c-07RP-RJ0V-kSjC-Tuo0-5QQv-sQIKlr
> >
> >
> > With fdisk, we can see the additional space is there, as it shows
> > 16GB.
> > The original disk had 10GB.
> > [root ~]# fdisk  -l /dev/xvda
> >
> > Disk /dev/xvda: 16.1 GB, 16106127360 bytes, 31457280 sectors [snip]
> >
> > Device Boot  Start End  Blocks   Id  System
> > /dev/xvda1   *2048 2099199 1048576   83  Linux
> > /dev/xvda2 209920020971519 9436160   8e  Linux LVM
> >
> >
> > vgs also shows 0 Free PE:
> > [root@CTSSVN01 ~]# vgs
> >   VG  #PV #LV #SN Attr   VSize VFree
> >   cl_vm731611   1   2   0 wz--n- 9.00g0
> >
> >
> > Thanks,
> >
> >
> > On Wed, Feb 22, 2017 at 8:06 AM, Jon LaBadie <j...@labadie.us> wrote:
> >
> > > On Wed, Feb 22, 2017 at 07:44:33AM -0500, Bernard Fay wrote:
> > > > Hello,
> > > >
> > > > I have a CentOS VM with only one disk on a Xenserver.
> > > >
> > > > The disk has 2 partitions:
> > > >
> > > > /dev/xvda1 -> /boot
> > > > /dev/xvda2 -> a physical volume for LVM
> > > >
> > > >
> > > > I added 5GB to this disk via Xencenter to extend /dev/xvda2.
> > > > Usually I just have to do "pvresize /dev/xvda" to have the
> > > > additional space added
> > > to
> > > > the disk. But for some reason it does not work for this disk.
> > > >
> > > > [root ~]# pvresize /dev/xvda
> > > >   Failed to find physical volume "/dev/xvda".
> > > >   0 physical volume(s) resized / 0 physical volume(s) not resized
> > > >
> > > > [root ~]# pvresize /dev/xvda2
> > > >   Physical volume "/dev/xvda2" changed
> > > >   1 physical volume(s) resized / 0 physical volume(s) not resized
> > > >
> > > >
> > > > Has someone seen this problem before or could have an idea of
> > > > the problem?
> > >
> > > Looks like xvda2 was resized.  You should now have an added 5GB worth
> > > of unallocated extents in the vg
> > >
> > > --
> > > Jon H. LaBadie j...@jgcomp.com
> > >  11226 South Shore Rd.  (703) 787-0688 (H)
> > >  Reston, VA  20190  (703) 935-6720 (C)
> > >
>
>


Re: [CentOS] how to resize a partition of a disk define as a physical volume

2017-02-22 Thread Bernard Fay
I should have added the output of pvs:

[root ~]# pvs
  PV VG  Fmt  Attr PSize PFree
  /dev/xvda2 cl_vm731611 lvm2 a--  9.00g0

PFree still show 0. It should show 5g.

Also:
[root ~]# pvdisplay /dev/xvda2
  --- Physical volume ---
  PV Name   /dev/xvda2
  VG Name   cl_vm731611
  PV Size   9.00 GiB / not usable 2.00 MiB
  Allocatable   yes (but full)
  PE Size   4.00 MiB
  Total PE  2303
  Free PE   0
  Allocated PE  2303
  PV UUID   RtXa0c-07RP-RJ0V-kSjC-Tuo0-5QQv-sQIKlr


With fdisk, we can see the additional space is there, as it shows 16GB.
The original disk had 10GB.
[root ~]# fdisk  -l /dev/xvda

Disk /dev/xvda: 16.1 GB, 16106127360 bytes, 31457280 sectors
[snip]

Device Boot  Start End  Blocks   Id  System
/dev/xvda1   *2048 2099199 1048576   83  Linux
/dev/xvda2 209920020971519 9436160   8e  Linux LVM


vgs also shows 0 Free PE:
[root@CTSSVN01 ~]# vgs
  VG  #PV #LV #SN Attr   VSize VFree
  cl_vm731611   1   2   0 wz--n- 9.00g0


Thanks,


On Wed, Feb 22, 2017 at 8:06 AM, Jon LaBadie <j...@labadie.us> wrote:

> On Wed, Feb 22, 2017 at 07:44:33AM -0500, Bernard Fay wrote:
> > Hello,
> >
> > I have a CentOS VM with only one disk on a Xenserver.
> >
> > The disk has 2 partitions:
> >
> > /dev/xvda1 -> /boot
> > /dev/xvda2 -> a physical volume for LVM
> >
> >
> > I added 5GB to this disk via Xencenter to extend /dev/xvda2.  Usually I
> > just have to do "pvresize /dev/xvda" to have the additional space added
> to
> > the disk. But for some reason it does not work for this disk.
> >
> > [root ~]# pvresize /dev/xvda
> >   Failed to find physical volume "/dev/xvda".
> >   0 physical volume(s) resized / 0 physical volume(s) not resized
> >
> > [root ~]# pvresize /dev/xvda2
> >   Physical volume "/dev/xvda2" changed
> >   1 physical volume(s) resized / 0 physical volume(s) not resized
> >
> >
> > Has someone seen this problem before or could have an idea of the
> > problem?
>
> Looks like xvda2 was resized.  You should now have an added
> 5GB worth of unallocated extents in the vg
>
> --
> Jon H. LaBadie j...@jgcomp.com
>  11226 South Shore Rd.  (703) 787-0688 (H)
>  Reston, VA  20190  (703) 935-6720 (C)
>
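
As an added check for this situation (example code written for this page, not from the thread; it assumes a 512-byte sector size, which is not printed in the quoted output): parse the "fdisk -l /dev/xvda" lines Bernard posted, compute how much of the disk lies beyond the end of the last partition, which is exactly the space pvresize cannot see until the partition itself is grown, and confirm that the LVM partition is the last one, the precondition Gianluca gives for the delete-and-recreate approach.

```python
import re

# Lines copied from the `fdisk -l /dev/xvda` output in the thread, embedded as a literal.
FDISK_OUTPUT = """\
Disk /dev/xvda: 16.1 GB, 16106127360 bytes, 31457280 sectors

   Device Boot      Start         End      Blocks   Id  System
/dev/xvda1   *        2048     2099199     1048576   83  Linux
/dev/xvda2         2099200    20971519     9436160   8e  Linux LVM
"""

SECTOR_BYTES = 512      # assumed; the quoted output does not show the sector size
LINUX_LVM_ID = "8e"     # MBR partition type for Linux LVM, as shown in the Id column


def parse_fdisk(text):
    """Return (disk, total_sectors, partitions) from MBR-style `fdisk -l` output,
    where partitions is a list of (device, start, end, id) tuples."""
    disk = re.search(r"^Disk (\S+):.*?, (\d+) sectors", text, re.M)
    if disk is None:
        raise ValueError("no 'Disk ...: N sectors' line found")
    parts = []
    for line in text.splitlines():
        m = re.match(r"^(/dev/\S+)\s+\*?\s*(\d+)\s+(\d+)\s+\d+\s+([0-9a-f]+)\s", line, re.I)
        if m:
            parts.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4).lower()))
    return disk.group(1), int(disk.group(2)), parts


def diagnose(text):
    """How many sectors sit unpartitioned after the last partition (space no PV can
    see yet), and whether the LVM partition is the last one and so can be grown in
    place by recreating it with the same start sector and a larger end."""
    disk, total, parts = parse_fdisk(text)
    if not parts:
        raise ValueError("no partition lines parsed")
    last = max(parts, key=lambda p: p[2])
    lvm = [p for p in parts if p[3] == LINUX_LVM_ID]
    tail = total - (last[2] + 1)
    return {
        "disk": disk,
        "lvm_partition": lvm[0][0] if lvm else None,
        "lvm_is_last": bool(lvm) and lvm[0] == last,
        "tail_sectors": tail,
        "tail_gib": tail * SECTOR_BYTES / 2 ** 30,
    }


if __name__ == "__main__":
    report = diagnose(FDISK_OUTPUT)
    print(f"{report['disk']}: {report['tail_sectors']} sectors "
          f"({report['tail_gib']:.2f} GiB) beyond the last partition")
    print(f"LVM partition {report['lvm_partition']} is last: {report['lvm_is_last']}")
```

On the posted numbers the tail is 10485760 sectors, 5 GiB at 512 bytes per sector, which is the space added in XenCenter; pvresize reported success because it resized the PV to the partition, and the partition had not changed. Comparing this figure with pvs PFree before and after growing the partition is the quick confirmation that the change took.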


[CentOS] how to resize a partition of a disk define as a physical volume

2017-02-22 Thread Bernard Fay
Hello,

I have a CentOS VM with only one disk on a Xenserver.

The disk has 2 partitions:

/dev/xvda1 -> /boot
/dev/xvda2 -> a physical volume for LVM


I added 5GB to this disk via Xencenter to extend /dev/xvda2.  Usually I
just have to do "pvresize /dev/xvda" to have the additional space added to
the disk. But for some reason it does not work for this disk.

[root ~]# pvresize /dev/xvda
  Failed to find physical volume "/dev/xvda".
  0 physical volume(s) resized / 0 physical volume(s) not resized

[root ~]# pvresize /dev/xvda2
  Physical volume "/dev/xvda2" changed
  1 physical volume(s) resized / 0 physical volume(s) not resized


Has someone seen this problem before or could have an idea of the
problem?

Thanks,
Bernard


Re: [CentOS] Allow execution of commands via ssh but not to login

2017-01-11 Thread Bernard Fay
I made my search on Google way too complicated for nothing :(

Thanks John and Seb!  authorized_keys will do the job.


On Wed, Jan 11, 2017 at 10:40 AM, seb <sebast...@r2-info.fr> wrote:

> Hi,
>
> you can use the command option in your /home/user/.ssh/authorized_keys.
>
> for example :
>
> command="cd /some_where; other_command" ssh-rsa <key> <comment>
>
>
>
>
> On 11/01/2017 at 16:34, Bernard Fay wrote:
>
>> Hi,
>>
>> Is there a way to allow a user to execute commands via ssh, for example:
>> "ssh user@server ls",  but disallow the same user to login on this server
>> with "ssh user@server" ?
>>
>>
>> Thanks,
>> Bernard
>>
>
>
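
A parser for the authorized_keys option syntax seb refers to, added for this page (not from the thread and not OpenSSH's own code), of the kind one uses to audit which keys on a host are pinned to a forced command and which still grant an interactive login. The sample file is constructed with fake key material. It handles what breaks a naive split on commas: a quoted option value may itself contain commas, spaces and backslash-escaped quotes.

```python
# Constructed authorized_keys content with obviously fake key material.
SAMPLE_AUTHORIZED_KEYS = """\
# keys for the reporting account
ssh-ed25519 AAAAC3FAKEKEY0001 alice@laptop
command="/usr/local/bin/report-only",no-pty,no-port-forwarding ssh-ed25519 AAAAC3FAKEKEY0002 bob@laptop
command="cd /srv/data; ls -l \\"quoted, with comma\\"",no-agent-forwarding ssh-rsa AAAAB3FAKEKEY0003 carol@laptop
"""

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def split_options(line):
    """Split a line into (option text, remainder) at the first whitespace that is
    not inside a double-quoted option value; backslash escapes are honoured."""
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes:
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_options(opts):
    """Turn `a,b="x,y",c` into {"a": True, "b": "x,y", "c": True}."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in "=,":
            j += 1
        name = opts[i:j]
        if j < n and opts[j] == "=":
            if j + 1 >= n or opts[j + 1] != '"':
                raise ValueError(f"option {name!r} value must be double-quoted")
            k, buf = j + 2, []
            while k < n and opts[k] != '"':
                if opts[k] == "\\" and k + 1 < n:   # \" inside the value
                    k += 1
                buf.append(opts[k])
                k += 1
            if k >= n:
                raise ValueError(f"unterminated value for option {name!r}")
            result[name] = "".join(buf)
            i = k + 1                               # past the closing quote
            if i < n and opts[i] == ",":
                i += 1
        else:
            result[name] = True
            i = j + 1
    return result


def parse_line(line):
    """Parse one authorized_keys line; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = {}, line
    else:
        opt_text, rest = split_options(line)
        options = parse_options(opt_text)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def audit_forced_commands(text):
    """Map each key's comment to its forced command, or None when the key still
    grants an unrestricted login shell."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            report[entry["comment"]] = entry["options"].get("command")
    return report


if __name__ == "__main__":
    for comment, command in audit_forced_commands(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{comment:16} {'shell' if command is None else 'forced: ' + command}")
```

Note what the audit reports for alice: a key with no command option is exactly the "ssh user@server" interactive login the original question wants to prevent, so every key for such an account should show a forced command, and the no-pty and forwarding restrictions beside it matter too.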


[CentOS] Allow execution of commands via ssh but not to login

2017-01-11 Thread Bernard Fay
Hi,

Is there a way to allow a user to execute commands via ssh, for example:
"ssh user@server ls",  but disallow the same user to login on this server
with "ssh user@server" ?


Thanks,
Bernard


Re: [CentOS] How to start a script to complete configuration

2016-11-09 Thread Bernard Fay
To Bill,

The script solution is what I try to do.  I am close to it.  The problem I
am facing at the moment is that this script needs to be interactive to have
input from the sysadmin.

I tried to add the following lines to the service unit file to direct the
interaction of the script to tty1 but without success:
StandardInput=tty
TTYPath=/dev/tty1
TTYReset=yes
TTYVHangup=yes




On Wed, Nov 9, 2016 at 8:01 AM, Bill Howe <howe.b...@gmail.com> wrote:

> How you could do this with scripts:
>
> *CentOS 7*
>
> 1. Deploy a VM from your base CentOS 7 template
> 2. Copy your "my-firstboot.sh" script (or whatever it's called) to a
>    location such as /root/scripts/
>    1. This script's only job should be to mount an NFS location and
>       execute any post-install scripts you have stored there, and provide
>       a log file.
>    2. This script should disable the "my-firstboot.service" at the end
>       and then change permissions on itself to no-execute to ensure it
>       doesn't get run more than once.
>    3. It is also useful to have this script email the system admins when
>       it's done and reboot the VM (in the case of full system updates
>       that require a reboot to a new kernel)
> 3. Create your "my-firstboot.service" unit file at
>    /etc/systemd/system/my-firstboot.service and enable it. Example contents:
>
>    [Unit]
>    Description=Auto-execute my post install scripts
>    After=network.target
>
>    [Service]
>    ExecStart=/root/scripts/my-firstboot.sh
>
>    [Install]
>    WantedBy=multi-user.target
>
> *CentOS 6*
>
> 1. Same thing as above, except no service unit file. Instead simply
>    create a line in /etc/rc.local to execute the "my-firstboot.sh" script
>    like so:
>
>    echo "/root/scripts/my-firstboot.sh" >> /etc/rc.d/rc.local
>
> 2. And have the "my-firstboot.sh" script remove that same line above
>    from rc.local at the end of its execution so it's not run again on the
>    next reboot.
>
>
> Bill
>
>
> On Tue, Nov 8, 2016 at 3:44 PM, Oscar Osta Pueyo <oostap.lis...@gmail.com>
> wrote:
>
> > Hello,
> > I think you can use anaconda for this task, you can configure some
> actions
> > after the installation.
> >
> > Best regards,
> >
> > El dt, 8 nov 2016 a les 18:44 Leon Fauster <leonfaus...@googlemail.com>
> va
> > escriure:
> >
> > > Am 08.11.2016 um 16:47 schrieb cpol...@surewest.net:
> > > > On 2016-11-07 14:35, Bernard Fay wrote:
> > > >> Hi,
> > > >>
> > > >> We have a virtual environment based on XenServer. In this
> environment
> > I
> > > >> defined a template for CentOS 7 servers.
> > > >>
> > > >> I would like to start a script a boot time to complete the
> > > configuration of
> > > >> new VMs based on this template. How can I have a script started
> before
> > > any
> > > >> login prompt to ask question to the user to complete the
> configuration
> > > such
> > > >> as hostname, IP address, etc?
> > > >
> > > > Hi Bernard,
> > > >
> > > > My first impulse was "don't!", and that's probably the best
> > > > advice.  A popular model is that the "firstboot" package takes
> > > > care of this at the first user login, and *nix systems sort of
> > > > depend on this "logged in users do stuff" model.
> > > >
> > > > Even better, use ansible, cfengine, chef, or puppet to automate
> > > > the task of setting things up. This is the _best_ solution and
> > > > you will eventually come back to it.
> > > >
> > > > But, the darker, cynical part of my brain, the part that says
> > > > "what, you're cutting down on coffee?" part, said "sure you
> > > > can". Here's how it _could_ be done.
> > > >
> > > > DON'T DO THIS. TURN BACK NOW.
> > > >
> > > >Replace /sbin/init with a shell script that does what you want.
> > > >It will be the first userland process started, have the console
> > > >for I/O, and run as root. At completion, restore the original
> > > >/sbin/init and reboot. Leave no traces behind. Do not document
> > > >your awful hack, others will use your words against you.
> > >
> > >
> > >
> > > :-) ... kernel parameter init=/root/yourscript
> > >
> > > https://www.kernel.org/doc/Documentation/kernel-parameters.txt
> > >
> > > --
> > > LF
> > >
> > >
> >
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] How to start a script to complete configuration

2016-11-08 Thread Bernard Fay
It would be hard to use ansible, cfengine or whatever while there is no IP
address on the new VM.



On Tue, Nov 8, 2016 at 10:47 AM, <cpol...@surewest.net> wrote:

> On 2016-11-07 14:35, Bernard Fay wrote:
> > Hi,
> >
> > We have a virtual environment based on XenServer. In this environment I
> > defined a template for CentOS 7 servers.
> >
> > I would like to start a script at boot time to complete the configuration of
> > new VMs based on this template. How can I have a script started before any
> > login prompt to ask questions to the user to complete the configuration such
> > as hostname, IP address, etc?
>
> Hi Bernard,
>
> My first impulse was "don't!", and that's probably the best
> advice.  A popular model is that the "firstboot" package takes
> care of this at the first user login, and *nix systems sort of
> depend on this "logged in users do stuff" model.
>
> Even better, use ansible, cfengine, chef, or puppet to automate
> the task of setting things up. This is the _best_ solution and
> you will eventually come back to it.
>
> But, the darker, cynical part of my brain, the part that says
> "what, you're cutting down on coffee?" part, said "sure you
> can". Here's how it _could_ be done.
>
> DON'T DO THIS. TURN BACK NOW.
>
> Replace /sbin/init with a shell script that does what you want.
> It will be the first userland process started, have the console
> for I/O, and run as root. At completion, restore the original
> /sbin/init and reboot. Leave no traces behind. Do not document
> your awful hack, others will use your words against you.
>
> Best regards,
> --
> Chuck
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] How to start a script to complete configuration

2016-11-07 Thread Bernard Fay
Hi,

We have a virtual environment based on XenServer. In this environment I
defined a template for CentOS 7 servers.

I would like to start a script at boot time to complete the configuration of
new VMs based on this template. How can I have a script started before any
login prompt to ask questions to the user to complete the configuration such
as hostname, IP address, etc?

Thanks,
Bernard
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux context not applied

2016-10-17 Thread Bernard Fay
Our emails crossed on the line!  ;-)

Thanks anyway, Leonard.


On Mon, Oct 17, 2016 at 9:26 AM, Leonard den Ottolander <
leon...@den.ottolander.nl> wrote:

> Hello Bernard,
>
> On Mon, 2016-10-17 at 09:10 -0400, Bernard Fay wrote:
> > I tried to apply a security context on a directory with the following
> > commands:
> >
> > [root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "netdot(/.*)?"
> > [root@ local]# restorecon -R netdot/
>
> Try using absolute paths in your commands and see if that fixes your
> issue.
>
> Regards,
> Leonard.
>
> --
> mount -t life -o ro /dev/dna /genetic/research
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux context not applied

2016-10-17 Thread Bernard Fay
I used the full path and got it working:

[root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "/usr/local/netdot(/.*)?"
[root@ local]# restorecon -R /usr/local/netdot/
[root@ local]# ls -ldZ /usr/local/netdot/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 /usr/local/netdot/





On Mon, Oct 17, 2016 at 9:10 AM, Bernard Fay <bernard@gmail.com> wrote:

> Hi,
>
> I tried to apply a security context on a directory with the following
> commands:
>
> [root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "netdot(/.*)?"
> [root@ local]# restorecon -R netdot/
>
>
> When I list the contexts, it is part of the list
> [root@ local]# semanage fcontext -l | grep netdot
> ./netdot(/.*)?                                     all files          system_u:object_r:httpd_sys_rw_content_t:s0
>
>
> ... but does not appear on the directory itself:
> [root@ local]# ls -ldZ netdot/
> drwxr-xr-x. root root unconfined_u:object_r:*usr_t*:s0   netdot/
>
>
> I am expecting to see something like:
> drwxr-xr-x. root root unconfined_u:object_r:*httpd_sys_rw_content_t*:s0   netdot/
>
>
> What am I doing wrong or do not understand?
>
> Thanks,
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
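The absolute path works because of how file-context specs are matched. As an added illustration (not code from this thread or from the SELinux tools), the Python below applies the same anchored regular-expression matching that libselinux uses for file_contexts entries to the two specs seen in this thread; the function names spec_matches, check_spec and labels_for are assumed for the example.

```python
import re

# Constructed to mirror this thread: the spec the first attempt ended up
# registering (listed by "semanage fcontext -l" as "./netdot(/.*)?") and the
# absolute spec that worked.
RELATIVE_SPEC = "./netdot(/.*)?"
ABSOLUTE_SPEC = "/usr/local/netdot(/.*)?"


def spec_matches(spec, path):
    """Would a file-context regex label this path?

    libselinux anchors every file_contexts regex at both ends before matching
    it against the absolute path, so this is a full match, not a search: a
    spec that starts with "./" can never match a path that starts with "/".
    """
    return re.fullmatch(spec, path) is not None


def check_spec(spec):
    """Report the problems that make a spec silently never apply."""
    problems = []
    if not spec.startswith("/"):
        problems.append("not an absolute path: restorecon matches specs "
                        "against absolute paths, so this never applies")
    try:
        re.compile(spec)
    except re.error as exc:
        problems.append("not a valid regular expression: %s" % exc)
    return problems


def labels_for(spec, paths):
    """Map each candidate path to whether the spec would relabel it."""
    return {p: spec_matches(spec, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: the directory itself, a file below it, and a
    # sibling whose name merely starts with the same prefix.
    paths = ["/usr/local/netdot", "/usr/local/netdot/some/file", "/usr/local/netdotx"]
    for spec in (RELATIVE_SPEC, ABSOLUTE_SPEC):
        print(spec, check_spec(spec), labels_for(spec, paths))
```

The sibling path shows why the `(/.*)?` suffix matters: without it the spec would label only the directory entry itself, and with it the anchoring still keeps `/usr/local/netdotx` out.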


[CentOS] SELinux context not applied

2016-10-17 Thread Bernard Fay
Hi,

I tried to apply a security context on a directory with the following
commands:

[root@ local]# semanage fcontext -a -t httpd_sys_rw_content_t "netdot(/.*)?"
[root@ local]# restorecon -R netdot/


When I list the contexts, it is part of the list
[root@ local]# semanage fcontext -l | grep netdot
./netdot(/.*)?                                     all files          system_u:object_r:httpd_sys_rw_content_t:s0


... but does not appear on the directory itself:
[root@ local]# ls -ldZ netdot/
drwxr-xr-x. root root unconfined_u:object_r:*usr_t*:s0   netdot/


I am expecting to see something like:
drwxr-xr-x. root root unconfined_u:object_r:*httpd_sys_rw_content_t*:s0   netdot/


What am I doing wrong or do not understand?

Thanks,
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] Could not fetch domain SID

2016-09-28 Thread Bernard Fay
Hello,

I tried to set up a new test environment with Samba and LDAP on CentOS 7 but I
could not get my domain SID:

[root@ ~]# net getdomainsid
SID for local machine LDAP-TEST is: S-1-5-21-1044143993-2427131616-1047417663
Could not fetch domain SID


What am I doing wrong or forgetting to do?

Thanks,
Bernard
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Could not fetch domain SID

2016-09-28 Thread Bernard Fay
I see there is "net setdomainsid" to define the domain's SID.  I am rather
puzzled by this command.  Isn't there some kind of algorithm that defines
a SID?



On Wed, Sep 28, 2016 at 8:04 AM, Bernard Fay <bernard@gmail.com> wrote:

> Hello,
>
> I tried to set up a new test environment with Samba and LDAP on CentOS 7 but
> I could not get my domain SID:
>
> [root@ ~]# net getdomainsid
> SID for local machine LDAP-TEST is: S-1-5-21-1044143993-2427131616-1047417663
> Could not fetch domain SID
>
>
> What am I doing wrong or forgetting to do?
>
> Thanks,
> Bernard
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] smbldap-passwd does not update samba password

2016-09-23 Thread Bernard Fay
OK, fixed. I found some typos in my Samba configuration...



On Thu, Sep 22, 2016 at 3:39 PM, Gordon Messmer <gordon.mess...@gmail.com>
wrote:

> On 09/22/2016 12:18 PM, Bernard Fay wrote:
>
>> I have never heard of ACI before and I really do not know what it is.
>>
>
> ACIs are the rules in your directory server that govern what entries and
> attributes (such as the samba password) each DN (user) is allowed to edit.
> You should have an ACI that allows users to modify their own password and
> samba password.
>
>> On the other hand, what does this have to do with the passwords in Samba?
>>
>
>
> ?
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] smbldap-passwd does not update samba password

2016-09-22 Thread Bernard Fay
I have never heard of ACI before and I really do not know what it is.

On the other hand, what does this have to do with the passwords in Samba?

Obviously, there are many things I do not know about LDAP and Samba but I
have to manage it.



On Tue, Sep 20, 2016 at 10:16 AM, Gordon Messmer <gordon.mess...@gmail.com>
wrote:

> On 09/20/2016 04:05 AM, Bernard Fay wrote:
>
>> What do you mean by ACIs?
>>
>
>
> What ACIs govern access to attributes and entries, on your LDAP server?
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] smbldap-passwd does not update samba password

2016-09-20 Thread Bernard Fay
What do you mean by ACIs?


On Mon, Sep 19, 2016 at 3:56 PM, Gordon Messmer <gordon.mess...@gmail.com>
wrote:

> On 09/19/2016 10:18 AM, Bernard Fay wrote:
>
>> Any idea what can be wrong on my server?
>>
>
>
> What are your ACIs?
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] smbldap-passwd does not update samba password

2016-09-19 Thread Bernard Fay
Hi,

On CentOS 7, when I execute smbldap-passwd to change a password, it does
change the LDAP password but _NOT_ the Samba password.  This is true when running
smbldap-passwd either as a regular user or as root.

Any idea what can be wrong on my server?

Thanks,
Bernard
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux module

2016-09-16 Thread Bernard Fay
Thanks a lot Jonathan,

It was that simple!!!

Problem fixed!


On Fri, Sep 16, 2016 at 10:05 AM, Jonathan Billings <billi...@negate.org>
wrote:

> If you are using NFS homedirs, you should run:
>
> setsebool -P use_nfs_home_dirs 1
>
> --
> Jonathan Billings
>
> > On Sep 16, 2016, at 08:25, Bernard Fay <bernard@gmail.com> wrote:
> >
> > setsebool -P use_nfs_home_dirs 1
> >
> > *  Plugin catchall (11.6 confidence) suggests
> > **
> >
> > If you believe that mkhomedir should be allowed setattr access on the
> > .bash_logout file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux module

2016-09-16 Thread Bernard Fay
I do not want to disable SELinux at large but only for a directory and its
sub-directories.


On Fri, Sep 16, 2016 at 8:31 AM, Eddie G. O'Connor Jr. <eoconno...@gmail.com> wrote:

> Not sure about most others,  but I was always told that you never disable
> SELinux.  Of course that is in a business/corporate setting.  If it's just
> you at home with a few servers?  Then yeah I guess disabling it would be
> the "quickest" route around this problem.
>
> On Sep 16, 2016 8:25 AM, Bernard Fay <bernard@gmail.com> wrote:
> >
> > Hello everyone,
> >
> > I have a problem with oddjob_mkhomedir on a NFS mount point. The actual
> > context is nfs_t
> >
> > drwxr-xr-x. root root system_u:object_r:nfs_t:s0   users/
> >
> >
> > With this type, oddjob_mkhomedir cannot do its job of creating home user
> > directories.
> >
> > In the logs, I found out about creating a new module with audit2allow and
> > semodule:
> >
> > [root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
> > X11 connection rejected because of wrong authentication.
> > SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on
> > the file .bash_logout.
> >
> > *  Plugin catchall_boolean (89.3 confidence) suggests
> > **
> >
> > If you want to allow use to nfs home dirs
> > Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs'
> > boolean.
> > You can read 'None' man page for more details.
> > Do
> > setsebool -P use_nfs_home_dirs 1
> >
> > *  Plugin catchall (11.6 confidence) suggests
> > **
> >
> > If you believe that mkhomedir should be allowed setattr access on the
> > .bash_logout file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> >
> > Additional Information:
> > Source Context                system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:nfs_t:s0
> > Target Objects                .bash_logout [ file ]
> > Source                        mkhomedir
> > Source Path                   /usr/libexec/oddjob/mkhomedir
> > Port
> > Host
> > Source RPM Packages           oddjob-mkhomedir-0.31.5-4.el7.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name
> > Platform                      Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
> >                               Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
> > Alert Count                   1
> > First Seen                    2016-09-15 15:12:48 EDT
> > Last Seen                     2016-09-15 15:12:48 EDT
> > Local ID                      fe2d7f60-d3ff-405b-b518-38d0cf021598
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1473966768.233:9091): avc:  denied  { setattr } for
> > pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581
> > scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:nfs_t:s0 tclass=file
> >
> >
> > type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown
> > success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0
> > ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir
> > exe=/usr/libexec/oddjob/mkhomedir
> > subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)
> >
> > Hash: mkhomedir,oddjob_mkhomedir_t,nfs_t,file,setattr
> >
> >
> >
> > I then created the module and the te file says this:
> >
> > [root@ selinux]# cat mkhomedir_nfs.te
> >
> > module mkhomedir_nfs 1.0;
> >
> > require {
> > type oddjob_mkhomedir_t;
> > type nfs_t;
> > class file { write create open setattr };
> > class dir { write create add_name setattr };
> > }
> >
> > #= oddjob_mkhomedir_t ==
> >
> > # This avc is allowed in the current policy
> > allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr };

[CentOS] SELinux module

2016-09-16 Thread Bernard Fay
Hello everyone,

I have a problem with oddjob_mkhomedir on a NFS mount point. The actual
context is nfs_t

drwxr-xr-x. root root system_u:object_r:nfs_t:s0   users/


With this type, oddjob_mkhomedir cannot do its job of creating home user
directories.

In the logs, I found out about creating a new module with audit2allow and
semodule:

[root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
X11 connection rejected because of wrong authentication.
SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on
the file .bash_logout.

*  Plugin catchall_boolean (89.3 confidence) suggests
**

If you want to allow use to nfs home dirs
Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs'
boolean.
You can read 'None' man page for more details.
Do
setsebool -P use_nfs_home_dirs 1

*  Plugin catchall (11.6 confidence) suggests
**

If you believe that mkhomedir should be allowed setattr access on the
.bash_logout file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                .bash_logout [ file ]
Source                        mkhomedir
Source Path                   /usr/libexec/oddjob/mkhomedir
Port
Host
Source RPM Packages           oddjob-mkhomedir-0.31.5-4.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name
Platform                      Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
                              Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-15 15:12:48 EDT
Last Seen                     2016-09-15 15:12:48 EDT
Local ID                      fe2d7f60-d3ff-405b-b518-38d0cf021598

Raw Audit Messages
type=AVC msg=audit(1473966768.233:9091): avc:  denied  { setattr } for
pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581
scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nfs_t:s0 tclass=file


type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown
success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0
ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir
exe=/usr/libexec/oddjob/mkhomedir
subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)

Hash: mkhomedir,oddjob_mkhomedir_t,nfs_t,file,setattr



I then created the module and the te file says this:

[root@ selinux]# cat mkhomedir_nfs.te

module mkhomedir_nfs 1.0;

require {
type oddjob_mkhomedir_t;
type nfs_t;
class file { write create open setattr };
class dir { write create add_name setattr };
}

#= oddjob_mkhomedir_t ==

# This avc is allowed in the current policy
allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr };

# This avc is allowed in the current policy
allow oddjob_mkhomedir_t nfs_t:file { write create open setattr };


Reading this output, I thought I had to add the context oddjob_mkhomedir_t to
the users directory but I got another problem:

[root@ home]# semanage fcontext -a -t oddjob_mkhomedir_t "./users"
ValueError: Type oddjob_mkhomedir_t is invalid, must be a file or device type


What am I doing wrong?

On the other hand, is it possible to disable SELinux for a directory and all
its subdirectories?

Thanks,
Bernard
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
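The .te file above is what audit2allow distils out of AVC records like the one in the sealert output. The Python below is an added example, not code from this thread or from audit2allow: it parses such records and folds them into the minimal allow rules, in the same shape as the .te file shown above. The first audit line is the one quoted in the thread; the second is constructed to show how several denials for the same domain/type pair are merged; the names parse_avc, collect_denials and build_te are assumed. The thread's conclusion still applies: before loading a generated module, check whether an existing boolean (here use_nfs_home_dirs) already covers the access, because a local allow rule on nfs_t gives the domain that access to every file of that type, not only the home directories.

```python
import re
from collections import defaultdict

# Sample audit records. The first AVC line is the one quoted in this thread;
# the second AVC line is constructed for this example, and the SYSCALL line
# shows that non-AVC records are ignored.
AUDIT_LINES = [
    'type=AVC msg=audit(1473966768.233:9091): avc:  denied  { setattr } for '
    'pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581 '
    'scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file',
    # constructed: a second denial for the same domain/type pair, on a dir
    'type=AVC msg=audit(1473966770.001:9092): avc:  denied  { write create } for '
    'pid=28565 comm="mkhomedir" name="users" dev="0:40" ino=2 '
    'scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown '
    'success=yes exit=0 comm=mkhomedir exe=/usr/libexec/oddjob/mkhomedir',
]

# One AVC record: result, permission set, and the three fields that identify
# the (source domain, target type, object class) triple a TE rule is keyed on.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for "
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # A context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def collect_denials(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def build_te(lines, module="mypol"):
    """Render the denials as policy module source: a require block listing the
    types and classes used, then one allow rule per (domain, type, class)."""
    rules = collect_denials(lines)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = ["module %s 1.0;" % module, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms))))
    return "\n".join(out)


if __name__ == "__main__":
    print(build_te(AUDIT_LINES))
```

Run against a real audit.log the parser only needs the lines `grep mkhomedir /var/log/audit/audit.log` would produce; the point of keeping the grouping step separate is that the (domain, type, class) keys are exactly what to compare against `sesearch --allow` output and the relevant booleans before deciding that a module is needed at all.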


Re: [CentOS] Mysterious change in directory ownership and removal of the execute bit on directory

2016-07-22 Thread Bernard Fay
Dohhh...

-a implies -p, -o and -g which preserve permissions, owner and group.
Therefore I chose to use:  -r -l -t --devices --specials

For the benefit of everyone...


On Fri, Jul 22, 2016 at 12:06 PM, Bernard Fay <bernard@gmail.com> wrote:

> In the following sequence of commands, you can see directory /7.2.1511/
> will change ownership to another user and the execute bit is removed.
> This user, lbfay, is actually my own user but I am not logged on to the server
> while running rsync as root.
>
> [root@ctsrepocos ~]# who
> root tty1 2016-07-22 10:40
>
>
> [root@ctsrepocos ~]# ls -l /share/CentOS/
> total 476
> lrwxrwxrwx.  1 apache apache  9 Dec 15  2015 7 -> 7.2.1511/
> *drwxr-xr-x*. 13 *apache apache   *4096 May 18 12:48 7.2.1511
>
>
> [root@ctsrepocos ~]# /usr/bin/rsync -a -vvv --delete --delete-excluded --exclude "local" --exclude "isos" --exclude "*.iso" --exclude "xen4" --exclude "*.i686.*" --exclude "i386" --exclude "atomic" rsync://centos.mirror.iweb.ca/centos/7.2.1511 /share/CentOS
>
>
> [root@ctsrepocos ~]# ls -l /share/CentOS/
> total 476
> lrwxrwxrwx.  1 apache apache  9 Dec 15  2015 7 -> 7.2.1511/
> *drw-r--r--. *13 *lbfay  lbfay*4096 May 18 12:48 7.2.1511
>
>
>
> Does someone have an idea of what is going on?
>
> Thanks,
>
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] Mysterious change in directory ownership and removal of the execute bit on directory

2016-07-22 Thread Bernard Fay
In the following sequence of commands, you can see directory /7.2.1511/
will change ownership to another user and the execute bit is removed.
This user, lbfay, is actually my own user but I am not logged on to the server
while running rsync as root.

[root@ctsrepocos ~]# who
root tty1 2016-07-22 10:40


[root@ctsrepocos ~]# ls -l /share/CentOS/
total 476
lrwxrwxrwx.  1 apache apache  9 Dec 15  2015 7 -> 7.2.1511/
*drwxr-xr-x*. 13 *apache apache   *4096 May 18 12:48 7.2.1511


[root@ctsrepocos ~]# /usr/bin/rsync -a -vvv --delete --delete-excluded --exclude "local" --exclude "isos" --exclude "*.iso" --exclude "xen4" --exclude "*.i686.*" --exclude "i386" --exclude "atomic" rsync://centos.mirror.iweb.ca/centos/7.2.1511 /share/CentOS


[root@ctsrepocos ~]# ls -l /share/CentOS/
total 476
lrwxrwxrwx.  1 apache apache  9 Dec 15  2015 7 -> 7.2.1511/
*drw-r--r--. *13 *lbfay  lbfay*4096 May 18 12:48 7.2.1511



Does someone have an idea of what is going on?

Thanks,
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] How to have more than one SELinux context on a directory

2016-07-08 Thread Bernard Fay
Thanks Fabian,

That's what I need!  A bit more open than I wish but it is ok.

One more thing... I had some problems getting the man page for
tftpd_selinux.

[ ]$ yum search tftpd_selinux
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
Warning: No matches found for: tftpd_selinux
No matches found

[ ~]$ yum provides tftpd_selinux
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
No matches found

Of course, google came to the rescue. But is there another way, a Linux- or
yum-based solution, to find the proper packages when yum search or yum
provides don't find them?

Thanks again



On Thu, Jul 7, 2016 at 5:58 AM, Fabian Arrotin <arr...@centos.org> wrote:

> On 06/07/16 21:17, Bernard Fay wrote:
> > I can access /depot/tftp from a tftp client but unable to do it from a
> > Windows client as long as SELinux is enforced.  If SELinux is permissive I
> > can access it then I know Samba is properly configured.
> >
> > # getenforce
> > Enforcing
> > # ls -dZ /depot/tftp/
> > drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/
> >
> >
> > And if I do it the other way around, give the directory a type
> > samba_share_t then the tftp clients are unable to push files.
> >
> > # getenforce
> > Enforcing
> > [root@CTSFILESRV01 depot]# ls -ldZ tftp/
> > drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/
> >
> >
> > I would then have to either create my own type or add the missing access rules as you
> > suggest. Unfortunately, this will be when I have time, which I don't
> > have at the moment.
> >
> > Thanks for your help
> >
>
> Don't forget that it's about process type and context.
> If you need multiple processes/domain types accessing the same context
> files, you'd probably just need a common context/label.
>
> 
> man -k _selinux => will show you man pages for everything regarding
> selinux and domain/process/context
> 
>
> => man tftpd_selinux
> => search for samba and :
> 
> If you want to share files with multiple domains (Apache, FTP, rsync,
> Samba), you can set  a  file  context  of  public_content_t  and
> public_content_rw_t.   These context allow any of the above domains to
> read the content.
>  If you want a particular domain to write to the public_content_rw_t
> domain, you must set the appropriate  boolean.
> 
>
> But read the whole tftpd_selinux and samba_selinux man pages (and they
> share almost the same content for "Sharing files" stanzas :-)
>
> --
> Fabian Arrotin
> The CentOS Project | http://www.centos.org
> gpg key: 56BEC54E | twitter: @arrfab
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] How to have more than one SELinux context on a directory

2016-07-06 Thread Bernard Fay
I can access /depot/tftp from a tftp client but unable to do it from a
Windows client as long as SELinux is enforced.  If SELinux is permissive I
can access it then I know Samba is properly configured.

# getenforce
Enforcing
# ls -dZ /depot/tftp/
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/


And if I do it the other way around, give the directory a type
samba_share_t then the tftp clients are unable to push files.

# getenforce
Enforcing
[root@CTSFILESRV01 depot]# ls -ldZ tftp/
drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/


I would then have to either create my own type or add the missing access rules as you
suggest. Unfortunately, this will be when I have time, which I don't
have at the moment.

Thanks for your help


On Wed, Jul 6, 2016 at 11:07 AM, Александр Кириллов 
wrote:

>> If I understand well, I could add a type to another type?!?!?!
>
> No.
>
> The default targeted policy is mostly about Type Enforcement. Quote from
> the manual:
>
> "All files and processes are labeled with a type: types define a SELinux
> domain for processes and a SELinux type for files. SELinux policy rules
> define how types access each other, whether it be a domain accessing a
> type, or a domain accessing another domain. Access is only allowed if a
> specific SELinux policy rule exists that allows it."
>
> You could have added a new type (eg tftpdir_rw_and_samba_share_t) to label
> the files in your shared directory and defined necessary rules to allow
> access to these files by processes running in certain confined domains.
> These new rules would most likely include a subset of rules already defined
> in the default policy for samba_share_t and tftpdir_rw_t types.
>
> I've never added a new type myself and cannot really elaborate any further
> on the subject.
>
> An easier approach would be to add missing access rules for already
> existing file type (either samba_share_t or tftpdir_rw_t).
>
> BTW have you really tried to access files labelled with tftpdir_rw_t via
> samba or vice versa? There's already a number of rules in the default
> policy which allow ftp access to samba shares and smb/nmb access to files
> labelled with tftpdir_rw_t. Eg
>
> # sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
>    allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>    allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
>    allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
>    allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>    allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>
> Maybe the needed functionality is already there and all this discussion
> is the equivalent of shooting a gun on sparrows.
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] How to have more than one SELinux context on a directory

2016-07-06 Thread Bernard Fay
If I understand well, I could add a type to another type?!?!?!   If that is
the case, I did not know about it like many things in the SELinux
world. It is so complex and so badly documented.  :-(




On Tue, Jul 5, 2016 at 1:24 PM, Александр Кириллов 
wrote:

> Александр Кириллов wrote on 2016-07-05 19:58:
>
>>> I need to have the  tftpdir_rw_t  and  samba_share_t  SELinux context on
>>> the same directory.
>>>
>>> How can we do this? Is it feasible to have more than one SELinux context?
>>>
>>
>> I don't think it's possible/feasible.
>> You'd probably need to add a new type and necessary rules to your local
>> policy.
>> Or add missing allow rules to an existing type (tftpdir_rw_t or
>> samba_share_t).
>> Or use audit2allow to add necessary allow rules to an existing type.
>> Any of the above could be a major PITA.
>>
>
> Some links and commands which might be useful if you really need this done:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types
>
> # sesearch --help
> # sesearch --allow -t samba_share_t
> # sesearch --allow -t tftpdir_rw_t
>
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] How to have more than one SELinux context on a directory

2016-07-05 Thread Bernard Fay
Hello,

I need to have the  tftpdir_rw_t  and  samba_share_t  SELinux context on
the same directory.

How can we do this? Is it feasible to have more than one SELinux context?

Thanks,
Bernard
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] how to debug authconfig execution

2016-04-21 Thread Bernard Fay
Hello group,

Does anyone have an idea how to debug the execution of authconfig?

I try to make many changes with authconfig but no files are modified.  It
seems authconfig does not have a verbose mode or any other way to know what
is going wrong with it.

Does someone have an idea how to find out what is going on with authconfig?

Thanks,
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] yum in test mode and downgrade of a package

2011-05-17 Thread Bernard Fay
Is it possible to run yum in test mode?  Something similar to rpm --test ...


Also, is it possible to downgrade a package?  Say we install a package and
we find this new version creates problem for an application running on the
server and we need to go back to a previous version.

Thanks,


-- 
Bernard
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS 5.5 yum update with reference to 5.6

2011-04-14 Thread Bernard Fay
On Wed, Apr 13, 2011 at 3:15 PM, William Hooper <whooper...@gmail.com> wrote:

 On Wed, Apr 13, 2011 at 3:09 PM, Bernard Fay <bernard@enodegroup.com>
 wrote:
  Hello group,
 
  I have a CentOS 5.5 server freshly installed.
 
  When I do a yum update package_name, I see references to 5.6.  Why?

 CentOS point releases track the upstream Update x releases.  So
 CentOS 5.6 is upstream version 5 update 6.  The point releases are not
 a separate product, just a batch of updates to the base product.  As
 soon as you do a yum update to get all the new updates you will have
 a 5.6 install.

 https://www.centos.org/modules/smartfaq/faq.php?faqid=34

 --
 William Hooper



Oh ok!  I didn't know about this way of tracking versions in CentOS.  It is a
different paradigm from the other distros, at least the ones I know.

Thanks guys,
Bernard
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] CentOS 5.5 yum update with reference to 5.6

2011-04-13 Thread Bernard Fay
Hello group,

I have a CentOS 5.5 server freshly installed.

When I do a yum update package_name, I see references to 5.6.  Why?

Here is an example:

yum update vsftpd --changelog
Loaded plugins: changelog, fastestmirror, security
addons/other
|  192 B 00:00
base/other_db
|  11 MB 00:50
extras/other_db
| 442 kB 00:01
updates/other_db
| 2.8 MB 00:11
http://centos.arcticnetwork.ca/*5.6*/updates/x86_64/repodata/other.sqlite.bz2:
[Errno -1] Metadata file does not match checksum
Trying other mirror.
updates/other_db
| 2.7 MB 00:22
Loading mirror speeds from cached hostfile
 * addons: mirror.science.uottawa.ca
 * base: mirror.science.uottawa.ca
 * extras: mirror.science.uottawa.ca
 * updates: mirror.science.uottawa.ca
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package vsftpd.x86_64 0:2.0.5-16.el5_6.1 set to be updated
--> Finished Dependency Resolution

Changes in packages about to be updated:

vsftpd-2.0.5-16.el5_6.1.x86_64
* Fri Mar  4 17:00:00 2011 Jiri Skala <jsk...@redhat.com> - 2.0.5-16.el5_6.1
- Resolves: #681893 - CVE-2011-0762 vsftpd: remote DoS via crafted glob
pattern

* Thu Apr  8 18:00:00 2010 Jiri Skala jsk...@redhat.com - 2.0.5-16.el5_5.1
- Resolves: #580055 - vsftpd prematurely closes connection just before
processing of post-auth command
- Resolves: #580396 - vsftpd issues in RHEL5


Dependencies Resolved


 Package  Arch    Version           Repository  Size

Updating:
 vsftpd   x86_64  2.0.5-16.el5_6.1  updates     139 k

Transaction Summary

Install   0 Package(s)
Upgrade   1 Package(s)

Total download size: 139 k


The version installed is 5.5:

[root@future_qljnl51p yum.repos.d]# lsb_release -a
LSB Version: :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:CentOS
Description:CentOS release 5.5 (Final)
Release:5.5
Codename:Final



-- 
Bernard


Re: [CentOS] updates to package

2011-04-12 Thread Bernard Fay
Well, I would like to know what will be the changes before we apply the
updates.  I would like to generate a kind of a report showing what will be
the changes for all packages with available updates.

Is there a way to do it?

Thanks
Bernard


On Mon, Apr 11, 2011 at 3:01 PM, Christopher J. Buckley ch...@cjbuckley.net
 wrote:

 On Mon, Apr 11, 2011 at 19:54, Bernard Fay bernard@enodegroup.com
 wrote:
  Hi,
 
  I'd like to know where or how I can find changes in a package update.

 http://linux.die.net/man/1/yum-changelog
 rpm -qp --changelog foo.bar.rpm

 Cheers,

 --
 Kind Regards,
 Christopher J. Buckley




-- 
Bernard Fay
Conseiller
Groupe Enode inc.
www.groupe-enode.com

Tel:  418-614-7868, poste 122
Fax: 418-614-7544


[CentOS] updates to package

2011-04-11 Thread Bernard Fay
Hi,

I'd like to know where or how I can find changes in a package update.
Also, is there a way to find out which package updates are security updates?

thanks

-- 
Bernard
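Bernard asks twice in this thread for a pre-update report of changes and a way to spot security updates; the host shown above reports "Skipping security plugin, no data", so the changelog text is the only signal available there. The script below is an added example, not code from the thread or from yum: it assumes yum's three-column `check-update` layout ("name.arch version repo") and changelog text of the kind `rpm -q --changelog` or `yum update --changelog` prints, and it uses constructed sample inputs (the vsftpd entry is modelled on the one quoted in the thread, the tzdata entry is invented) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): list pending updates from
# `yum check-update` output and flag those whose changelog cites a CVE.

# Constructed sample of `yum check-update` output (not captured from a host).
SAMPLE_CHECK_UPDATE='Loaded plugins: changelog, fastestmirror

vsftpd.x86_64     2.0.5-16.el5_6.1     updates
tzdata.noarch     2011d-3.el5          updates'

# Constructed changelog fragments per package; on a real host replace the
# body with: rpm -q --changelog "$1"   (or the yum-changelog plugin).
changelog_for() {
  case "$1" in
    vsftpd) printf '%s\n' '- Resolves: #681893 - CVE-2011-0762 vsftpd: remote DoS via crafted glob pattern' ;;
    tzdata) printf '%s\n' '- Rebase to tzdata-2011d (invented filler entry)' ;;
    *)      printf '' ;;
  esac
}

# parse_updates: keep only "name.arch version repo" rows, dropping plugin
# chatter and blank lines; prints "name version repo" with the arch removed.
parse_updates() {
  printf '%s\n' "$1" | awk 'NF == 3 && $1 ~ /\.[a-z0-9_]+$/ && $1 !~ /^Loaded/ {
    sub(/\.[^.]*$/, "", $1); print $1, $2, $3 }'
}

# changelog_cves: unique CVE ids found in a changelog text, space-separated
# (empty string when the changelog mentions none).
changelog_cves() {
  printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# report: one line per pending update, marked SECURITY when a CVE is cited.
report() {
  parse_updates "$1" | while read -r name ver repo; do
    cves=$(changelog_cves "$(changelog_for "$name")")
    if [ -n "$cves" ]; then
      printf '%s %s %s SECURITY %s\n' "$name" "$ver" "$repo" "$cves"
    else
      printf '%s %s %s -\n' "$name" "$ver" "$repo"
    fi
  done
}

report "$SAMPLE_CHECK_UPDATE"
```

A changelog that names no CVE is not proof an update is harmless; the CVE match only ranks what to read first.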


Re: [CentOS] updates to package

2011-04-11 Thread Bernard Fay
Great! Thanks a lot!


On Mon, Apr 11, 2011 at 3:01 PM, Christopher J. Buckley ch...@cjbuckley.net
 wrote:

 On Mon, Apr 11, 2011 at 19:54, Bernard Fay bernard@enodegroup.com
 wrote:
  Hi,
 
  I'd like to know where or how I can find changes in a package update.

 http://linux.die.net/man/1/yum-changelog
 rpm -qp --changelog foo.bar.rpm

 Cheers,

 --
 Kind Regards,
 Christopher J. Buckley




-- 
Bernard