SELinux Survival Guide 
Wednesday, 10 October 2018, 12:56 - Linux Stuff, RedHat Stuff
Posted by Administrator
On SELinux-enabled systems (the default on CentOS/RHEL 6.x and higher), SELinux may deny access when system utilities are called from a daemon's domain, e.g. by an agent used for automation or monitoring purposes.

You will see deny messages (AVC records) in /var/log/audit/audit.log that indicate SELinux is blocking access.

So follow this procedure to allow, in a targeted way, only the things the SELinux policy denies to that daemon:

Build SELinux Policy


1. Set the domain concerned to permissive mode (denials are still logged in audit.log):
semanage permissive -a zabbix_agent_t
2. Also log accesses that the policy hides with dontaudit rules:
semodule -DB
3. Now let the programme or script do its intended job.

Important: If the programme does things that are not done on every run, such as caching (e.g. yum), clear the programme's cache before running it so you catch everything it may do!

4. Search the audit log for the denials and build a policy module and package out of them; the analysis starts from today (optionally with a time spec):
ausearch -r -m avc -ts today [HH:MM] | audit2allow -M zabbix_megacli

5. Import policy package:
semodule -i zabbix_megacli.pp

6. Disable permissive mode for the domain again:
semanage permissive -d zabbix_agent_t

7. Disable logging of rules defined as dontaudit:
semodule -B

8. Test whether the intended things work now!

Adjust policy


If you still see a few single denials in audit.log and quickly want to complete the policy with the rules seen, you may:

1. Edit zabbix_megacli.te and add the missing operations (write, lock, etc.) to the allow rules - put each operation into the allow rule for the source type, target type and class (tclass) shown in the denial, since an operation is only valid for the class it belongs to!

2. Compile the module file:
checkmodule -M -m -o zabbix_megacli.mod zabbix_megacli.te
3. (Re-)create the module package from the module file:
semodule_package -o zabbix_megacli.pp -m zabbix_megacli.mod
4. Import the policy package:
semodule -i zabbix_megacli.pp

For more info, see here:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html


Apply Policy to other hosts


1. Copy the policy package (<policy>.pp) to the host you want to apply the policy to

2. Run the following command on every such machine to load the package:
semodule -i zabbix_megacli.pp

Integrate new drivers into a RedHat Network Boot Disk  
Tuesday, 23 September 2003, 00:00 - Technology, Linux Stuff, RedHat Stuff
Posted by Administrator
It is possible that the hardware changes with new server models and you can no longer boot from the RedHat boot disk. Then you need to inspect your new hardware, see what new devices are built in, and get a driver for each of them.

For more convenience, I have written some simple scripts which do the most annoying tasks.

The drivers need to be changed in different locations:

Network drivers must be put on the boot disk, because all other packages, drivers, etc. are loaded from a network location.

Unzip bootnet.img.gz with:
        gunzip bootnet.img.gz 

Mount the Image as a loop filesystem on /mnt/bootimage:
        unpack_bootimage.sh bootnet.img 

Unpack and mount the initial ramdisk with the following script, giving the initrd file under /mnt/bootimage/ as the argument. The initial ramdisk will be mounted under /mnt/initrd:
        unpack_initrd.sh initrd.img 

Unpack the modules with the following script:
        unpack_modules.sh /mnt/initrd/modules/modules.cgz 

Now copy the new driver module(s) to the /var/tmp/modules/<kernel-version> directory.
Edit /mnt/initrd/modules/pcitable and add a new line with the vendor ID, product ID, driver name and description (see the example below):
        0x8086  0x1010  "e1000"         "Intel Corporation|PRO/1000"

Edit the file /mnt/initrd/modules/module-info and add an entry for the driver consisting of three lines: the driver name, its type and its description (see the following example):
        e1000
        eth
        "Intel EtherExpress Pro 1000"

Add a line for the new driver to the file /mnt/initrd/modules/modules.dep if the new driver module depends on other kernel modules. This is mostly not necessary for ethernet adapters.

Re-pack the modules into the archive; the kernel-version directory under /var/tmp/modules is the 1st argument, the cpio archive file the 2nd argument:
        pack_modules.sh 2.4.20-18.7BOOT /mnt/initrd/modules/modules.cgz 

"exit" from the initrd mount if you are still there; /mnt/initrd or a subdirectory of it mustn't be your current directory!

If you also need to update the boot kernel (when you use modules built for a kernel version other than the actual one), copy the new vmlinuz kernel image to /mnt/bootimage.
Unmount and pack the initial ramdisk, giving the initrd file under /mnt/bootimage that is to be updated as the argument:
        pack_initrd.sh initrd.img 

Now unmount the boot image and write it to a boot floppy with this script:
        pack_bootimage.sh bootnet.img 

Most other drivers, e.g. for SCSI controllers, are in the stage2 image.
Mount the stage 2 image (the part of the installation loaded over the network):
        mount -o loop /install/cdrom/RedHat/base/stage2.img /mnt/image 

Unpack the modules with the following script:
        unpack_modules.sh /mnt/image/modules/modules.cgz 

Now copy the new driver module(s) to the /var/tmp/modules/<kernel-version> directory (the same place the unpack script put the existing ones).

Important: If the new modules are built for a different kernel version than the one on the boot disk, the boot disk image must be updated with the corresponding kernel image. Furthermore, all modules need to be replaced by ones of the same kernel version as the kernel image!

Edit /mnt/image/modules/pcitable and add a new line with the vendor ID, product ID, driver name and description (see the example below):
        0x9005  0x801f  "aic79xx"       "Adaptec|AIC7902 Ultra 320 SCSI Adapter" 

Edit the file /mnt/image/modules/module-info and add an entry for the driver consisting of three lines: the driver name, its type and its description (see the following example):
        aic79xx
        scsi
        "Adaptec AIC79xx Ultra 320 SCSI Host Adapter"

Add a line for the new driver to the file /mnt/image/modules/modules.dep if the new driver module depends on other kernel modules. Example:

        aic79xx: scsi_mod 


Re-pack the modules into the archive; the kernel-version directory under /var/tmp/modules is the 1st argument, the cpio archive file the 2nd argument:
        pack_modules.sh <kernel-version> /mnt/image/modules/modules.cgz 

Leave the mountpoint of the image (/mnt/image or a subdirectory of it mustn't be your current directory!)

Unmount the image:
        umount /mnt/image 
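The table edits in both halves of the procedure (pcitable, module-info and modules.dep, for the initrd as well as for stage2) done by a script, added here as an example; it is not one of the author's scripts and not part of the original post. `missing_drivers` compares the output of `lspci -n` with the pcitable of an unpacked image and lists the devices that no driver line claims, which is the check to run before hunting for drivers. `register_driver` validates the IDs, appends the three entries and skips entries that already exist, so it can be re-run without duplicating lines. The module-info layout (type and description lines indented with a tab under the driver name), the sample pcitable line and the `lspci -n` lines are constructed for illustration; compare them with the files in your image before use.

```shell
#!/bin/sh
# Register a driver in the module tables of an unpacked boot/stage2 image and
# find PCI devices that have no pcitable entry yet.
# Example code written for this page; it is not one of the author's scripts.
# Usage: lspci -n | sh bootdisk-driver.sh missing /mnt/initrd/modules/pcitable
#        sh bootdisk-driver.sh register /mnt/initrd/modules 0x8086 0x1010 e1000 eth "Intel Corporation|PRO/1000"
#        sh bootdisk-driver.sh demo

# is_pci_id <id>: true if <id> looks like 0x8086 (0x followed by four hex digits)
is_pci_id() {
    case $1 in
        0x[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_drivers <pcitable>  (reads "lspci -n" output on stdin)
# Prints "<slot> <vendor:device>" for every device that no pcitable line claims.
missing_drivers() {
    awk -v table="$1" '
    BEGIN {
        while ((getline line < table) > 0) {
            if (line ~ /^0x/) {
                split(line, f)     # vendor and device IDs are the first two fields
                known[tolower(substr(f[1], 3) ":" substr(f[2], 3))] = 1
            }
        }
    }
    {
        for (i = 2; i <= NF; i++) {
            id = tolower($i)
            if (id ~ /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$/ && !(id in known))
                print $1, id
        }
    }' | sort -u
}

# register_driver <modules-dir> <vendor-id> <device-id> <driver> <type> <description> [dependency ...]
# Adds the driver to pcitable, module-info and (if dependencies are given) modules.dep.
register_driver() {
    dir=$1 vendor=$2 device=$3 driver=$4 type=$5 desc=$6
    shift 6
    is_pci_id "$vendor" && is_pci_id "$device" || {
        echo "register_driver: IDs must look like 0x8086, got '$vendor' '$device'" >&2; return 1; }
    for f in pcitable module-info modules.dep; do
        [ -f "$dir/$f" ] || { echo "register_driver: $dir/$f not found, is the image unpacked?" >&2; return 1; }
    done
    if ! grep -q "^$vendor[[:space:]][[:space:]]*$device[[:space:]]" "$dir/pcitable"; then
        printf '%s\t%s\t"%s"\t"%s"\n' "$vendor" "$device" "$driver" "$desc" >> "$dir/pcitable"
    fi
    if ! grep -qx "$driver" "$dir/module-info"; then
        printf '%s\n\t%s\n\t"%s"\n' "$driver" "$type" "$desc" >> "$dir/module-info"
    fi
    if [ $# -gt 0 ] && ! grep -q "^$driver:" "$dir/modules.dep"; then
        printf '%s: %s\n' "$driver" "$*" >> "$dir/modules.dep"
    fi
}

# make_sample_tree <dir>: constructed module tables for offline demonstration (not from a real image)
make_sample_tree() {
    mkdir -p "$1"
    printf '0x8086\t0x1229\t"eepro100"\t"Intel Corporation|82557/8/9 [Ethernet Pro 100]"\n' > "$1/pcitable"
    printf 'eepro100\n\teth\n\t"Intel EtherExpress Pro/100"\n' > "$1/module-info"
    : > "$1/modules.dep"
}
# Constructed "lspci -n" output: an ISA bridge, a PRO/1000 NIC and an AIC-7902 controller
SAMPLE_LSPCI='00:1f.0 Class 0601: 8086:24c0
02:01.0 Class 0200: 8086:1010
03:02.0 Class 0100: 9005:801f'

case "${1:-}" in
    missing)  missing_drivers "$2" ;;
    register) shift; register_driver "$@" ;;
    demo)
        d=$(mktemp -d)
        make_sample_tree "$d"
        echo "devices without a driver entry:"
        printf '%s\n' "$SAMPLE_LSPCI" | missing_drivers "$d/pcitable"
        register_driver "$d" 0x8086 0x1010 e1000 eth "Intel Corporation|PRO/1000"
        register_driver "$d" 0x9005 0x801f aic79xx scsi "Adaptec|AIC7902 Ultra 320 SCSI Adapter" scsi_mod
        echo "after registering e1000 and aic79xx:"
        printf '%s\n' "$SAMPLE_LSPCI" | missing_drivers "$d/pcitable"
        rm -rf "$d" ;;
    *) : ;;   # no argument: only define the functions
esac
```

The script only maintains the tables; the module object itself still has to be copied into the kernel-version directory and re-packed with the scripts above, and a device that stays in the `missing` list after that (the ISA bridge in the demo) simply has no driver on the disk, which is fine for devices the installer does not need.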


