2016/02/29

Fraud alert

If Jonathan Night calls you, leaving a blurry message in an Indian accent claiming you have unethical or illegal activity on your tax return and need to phone him? Yeah, that's fraud.

A simple Google search of the phone number will reveal this.

2016/02/22

SELinux vs SphinxSE

It should be noted that SphinxSE wants to talk to searchd on port 9312. SELinux will prevent this. To enable it:

semanage port -a -t mysqld_port_t -p tcp 9312   # label 9312 as a mysqld port so the mysqld domain may connect to searchd there

2016/02/16

SELinux vs mysql

I'm a strange kind of fool. I maintain my own mysql packages, which makes installing them annoying because everything wants to pull in mysql-libs from the mainline.

I also sometimes want to install mysql in /home/mysql, not /var/lib/mysql as is standard on CentOS. SELinux is set up to prevent just this sort of thing. The short version is that everything in /home has the home_root_t security context, which mysqld and mysqld_safe aren't allowed to interact with.

The solution is the following:

# first we are setting up the directory
mkdir -p /home/mysql/{InnoDB,etc,log,data,tmp,bin,sbin}
mv /etc/my.cnf /home/mysql/etc
ln -s /home/mysql/etc/my.cnf /etc
for n in /usr/bin/my* ; do ln -s $n /home/mysql/bin ; done
for n in /usr/sbin/my* ; do ln -s $n /home/mysql/sbin ; done
chmod 1777 /home/mysql/tmp
chown mysql:mysql -R /home/mysql
joe /home/mysql/etc/my.cnf  # change datadir
joe /etc/init.d/mysql       # change datadir and basedir

# now comes the part where we fight with selinux
semanage fcontext -a -t mysqld_db_t "/home/mysql(/.*)?"
semanage fcontext -a -t etc_t "/home/mysql/etc(/.*)?"
semanage fcontext -a -t bin_t "/home/mysql/bin(/.*)?"
semanage fcontext -a -t bin_t "/home/mysql/sbin(/.*)?"
semanage fcontext -a -t mysqld_tmp_t "/home/mysql/tmp(/.*)?"
semanage fcontext -a -t mysqld_safe_exec_t "/home/mysql/bin/mysqld_safe"
restorecon -R -v /home/mysql
service mysql start

But it's still failing, because /home/mysql/bin/mysqld_safe is a symlink. To fix this, I did

grep mysqld /var/log/audit/audit.log | audit2allow -M "mysqlhome"   # writes mysqlhome.te and the compiled mysqlhome.pp
semodule -i mysqlhome.pp   # read mysqlhome.te first: it allows exactly what the logged AVCs denied, nothing narrower
service mysql start

Yay! Now it works.

2016/02/12

NT_STATUS_ACCESS_DENIED

So I'm setting up SAMBA on a new machine; I can connect correctly, but dir listings are failing. The problem is SELinux, because I tried setenforce 0 and it worked.

So I ask on IRC and find out I need to do the following:

semodule -BD   # rebuild the policy with dontaudit rules disabled, so the normally silenced AVCs get logged
# redo the directory listing in another window
semodule -B    # rebuild the policy with dontaudit rules back on
grep smb audit.log | audit2allow   # turn those AVCs into allow rules; its output follows
#============= smbd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_enable_home_dirs, samba_export_all_rw
allow smbd_t user_home_t:dir read;
setsebool -PV samba_enable_home_dirs 1   # flip the narrowest boolean that covers it rather than loading the raw allow rule
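Both the mysql and the samba entries above end up piping audit.log into audit2allow. As an added example (not part of these notes), here is a small POSIX shell function that tallies the denials first, by process, source type, target type, class and permission, so you can see what audit2allow would turn into allow rules and decide whether a boolean, a relabel, or a module is the right fix. The AVC lines in AVC_SAMPLE are constructed for the example, not real log output.

```shell
#!/bin/sh
# Summarise AVC denials before deciding on a fix: one line per distinct
# (process, source type, target type, class, permission) with a count.
# A boolean (setsebool), a relabel (semanage fcontext + restorecon) or a
# custom module (audit2allow -M) each fit different rows of this output.
# Reads audit.log lines on stdin:  avc_summary < /var/log/audit/audit.log

avc_summary() {
    grep 'avc: *denied' | awk '
    # the type is the third field of user:role:type:level
    function ctx_type(c,  a) { split(c, a, ":"); return a[3] }
    {
        perm = ""; src = ""; tgt = ""; cls = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # { read write } -> read+write
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : "+") $j
            }
            else if (index($i, "comm=") == 1)     comm = substr($i, 6)
            else if (index($i, "scontext=") == 1) src = ctx_type(substr($i, 10))
            else if (index($i, "tcontext=") == 1) tgt = ctx_type(substr($i, 10))
            else if (index($i, "tclass=") == 1)   cls = substr($i, 8)
        }
        gsub(/"/, "", comm)
        print comm, src, tgt, cls, perm
    }' | sort | uniq -c | sort -rn
}

# Constructed sample: the samba denial from the entry above, seen twice, plus a
# hypothetical denial from the mysql init script following a symlink in /home/mysql/bin.
AVC_SAMPLE='type=AVC msg=audit(1455321600.123:456): avc:  denied  { read } for  pid=1234 comm="smbd" name="alice" dev="dm-0" ino=1301 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1455321603.001:457): avc:  denied  { read } for  pid=1234 comm="smbd" name="alice" dev="dm-0" ino=1301 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1455840000.500:900): avc:  denied  { read } for  pid=2345 comm="mysql" name="mysqld_safe" dev="dm-0" ino=2207 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file'

printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

The first column is the count; a row whose target type is a home directory label points at a samba boolean, a row against a mislabelled path points at semanage fcontext, and only what is left over is a candidate for audit2allow -M.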