sshd vs selinux

If you're like me and want to use autossh, you'll ideally want to use ~sshd/.ssh/authorized_keys. This doesn't work out of the box on CentOS 7 at least. SELinux prevents sshd from reading its own authorized_keys. The following fixes it.

semanage fcontext --add -t ssh_home_t '/var/empty/sshd/.ssh(/.*)?'
restorecon -vFR .ssh/

Example error message:

setroubleshoot[58151]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 5a9832e8-d7c0-4e5d-af15-a977db1232e9
SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall_labels (83.8 confidence) suggests   *******************#012#012If you want to allow sshd to have read access on the authorized_keys file#012Then you need to change the label on authorized_keys#012Do#012# semanage fcontext -a -t FILE_TYPE 'authorized_keys'#012where FILE_TYPE is one of the following: [huge list goes here]

Automatic backups in Windows

The following powershell script copies all .docx files from $global:SRC to $global:DEST with a timestamp.

Save this file to something like "StartClone.ps1". Then launch it with "[right click] > Run with PowerShell." Minimize the resulting window.

### Configuration - CUSTOMIZE THESE
$global:SRC = "C:\Users\fil\test"
$global:DEST = "C:\Users\fil\backup"
$global:LOGFILE = "C:\Users\fil\log.txt"


### SET FOLDER TO WATCH + FILES TO WATCH + SUBFOLDERS YES/NO
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $global:SRC
$watcher.Filter = "*.docx"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true  

$rv=Test-Path "$global:DEST"
if ($rv -eq $False) {
    New-Item -ItemType "directory" -Path "$global:DEST"
}

function global:logging ($text) {
    $logline = "$(Get-Date -uformat "%Y/%m/%d %H:%M:%S") - $text"
    Add-content $global:LOGFILE -value $logline
}

### DEFINE ACTIONS AFTER AN EVENT IS DETECTED
$action = { 
    $path = $Event.SourceEventArgs.FullPath
    $changeType = $Event.SourceEventArgs.ChangeType
    global:logging "$changeType $path"    
    $file = Split-Path $path -leaf
    $now = "$(Get-Date -uformat "%Y-%m-%d %H.%M.%S")"
    $dest = "$global:DEST\$now $file"
    # global:logging "file=$file now=$now dest=$dest"
    copy-item "$path" "$dest"
}    
### DECIDE WHICH EVENTS SHOULD BE WATCHED 
echo "Hello world $global:LOGFILE"
Register-ObjectEvent $watcher "Created" -Action $action
Register-ObjectEvent $watcher "Changed" -Action $action
# Register-ObjectEvent $watcher "Deleted" -Action $action
# Register-ObjectEvent $watcher "Renamed" -Action $action
global:logging Started
while ($true) {sleep 60}

Laser printer vs UPS

As an extra wrinkle to the previous post, the new Lexmark is on an UPS. Yes, I can hear you screaming "NEVER PUT A LASER PRINTER ON AN UPS" but I'm a professional, I know what I'm doing. Specifically, I over-engineered my solution.

The problem with a laser printer on a UPS is you might be tempted to print something during a black out. And your UPSes battery will never supply the current your fuser needs. My solution is to build a plug with relays connected to an arduino connected to a computer connected to the UPS. When power goes out, apcupsd on the computer runs a small script that sends a command to the arduino via USB to turn off the relays. The arduino also has a momentary switch. When I push the switch, the arduino turns the relays on. I also have small script that sends the command to turn the relays on.

I probably could have avoided the arduino and used a transistor latch. Power off turns the latch and relays off. Only a button press turns the latch and relays on. But then I couldn't do the following.

One annoying """feature""" of the Lexmark is that it has AirPrint and Wi-fi. I have yet to find out how to turn these off. So the printer spends most of its time turned off. So I wrote a CUPS backend that checks if the printer is on, sends the arduino the "turn on" command if it isn't, then chains to the normal socket backend to actually send the data to the printer.

#!/bin/bash

HWEL=10.0.0.68
LOG=/tmp/hwel-driver.log

if [[ $# == 1 ]] ; then
    exec /usr/lib/cups/backend/socket "$@"
fi

function aping () {
    local host=$1
    if ping -c 1 -q $host >/dev/null ; then
        return 0
    fi
    return 1
}

function ping_wait () {
    local host=$1
    while true ; do
        if ping -c 1 -q $host >/dev/null ; then
            return
        fi
        sleep 2
    done
}


status=$(/sbin/apcaccess status localhost:3552 | grep STATUS | cut -d: -f 2)
if [[ $status =~ ONLINE ]] ; then
    echo "INFO: hwel battery status=$status" | tee -a $LOG >&2
else
    echo "ERROR: hwel battery status=$status" | tee -a $LOG >&2
    exit 17
fi

aping $HWEL || sudo /home/fil/bin/hwel-on
ping_wait $HWEL

export DEVICE_URI=socket://$HWEL:9100
exec /usr/lib/cups/backend/socket "$@"

I put this script in /usr/lib/cups/backend/hwel and tell CUPS to use a new URL.

lpadmin -p hwelraw -v hwel://hwel.localdomain:9100

Yes, my printer is called Hwel. Yes, I name all my printers after Discworld dwarfs.

Windows 10 vs Lexmark

So I have a new Lexmark MB2236adw laser printer. For some reason beyond my ken, Windows 10 keeps saying it's offline, when clearly it isn't. Printer works fine from Linux, so I decided that Windows is going to print via CUPS.

First, create a raw printer on your CUPS host:

lpadmin -p hwelraw -v socket://hwel.localdomain:9100 -E \
     -D "Lexmark on UPS (raw)" -L "Philip's Office" -o raw

Then add the following to cups.conf to allow printing via the network:

<Location /printers>
    Order allow,deny
    Allow localhost
    Allow 10.0.0.*
</Location>

Remember to restart CUPS

service cups reload

Open up the port 631 in iptables.

Now on the windows computer, install the Lexmark drivers.

Then you have to turn on IPP : Control Panel > Programs > Turn Windows Features On or Off > Print and Document Services > Internet Printing Client must be checked.

Now it's time to Add a printer, using the The printer that I want isn’t listed button. You are going to be using an http URL, that will look like http://scott/pritners/hwelraw. Replace scott with your Linux computer's name and hwelraw with the CUPS queue name. Select the printer driver installed previously, print your test page and bask in the glory of getting a computer to do your bidding.

As a bonus step, print a 2 page document to make sure Windows can print double sided because my new printer does cool things like that.

selinux vs searchd

If, like me, you use searchd and mysql then selinux will provoke the following message:

ERROR 1429 (HY000): Unable to connect to foreign data source: failed to connect to searchd (host=127.0.0.1, errno=13, port=931

The solution is simple:

semanage port -a -t mysqld_port_t -p tcp 9312

daemontools vs selinux

While CentOS ships with a policy module for daemontools, it expects you to install things in /admin and /supervised. I don't, I put things in /var/daemontools/admin and /var/daemontools/supervised. So I spent far to much time trying to make a policy module that would work with my setup. My initial attempt worked and gave me hope :

cp /usr/share/selinux/devel/include/contrib/daemontools.{if,te,cf} .
joe daemontools.cf # changed all the dirs to /var/daemontools
make -f /usr/share/selinux/devel/include/Makefile
semodule -i daemontoos.pp

However, this replaced the default daemontools module and might mess with other systems. I'm probably the last person to care about daemontools outside of qmail. Also, I wanted to learn some selinux.

My next thought was that I could create a daemontools_quaero policy module that gave the executables an fcontext from daemontools module. This didn't work and I don't know why.

After turning to IRC and much messing around and back and forth, grift led me to the following solution:

cat - > daemontools_quaero.cil <<'CIL'
(filecon "/var/daemontools/admin/daemontools-0.76/command/envdir" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/envuidgid" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/fghack" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/multilog" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/pgrphack" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/setlock" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/setuidgid" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/softlimit" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svc" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svok" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svscan" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svscanboot" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/supervise" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/prog-log" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/prog-user" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/sudo-user" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/.+/env" dir (system_u object_r svc_conf_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/.+/run" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/.+/log/env" dir (system_u object_r svc_conf_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/.+/log/run" file (system_u object_r bin_t ((s0)(s0))))
CIL
sudo semodule -i daemontools_quaero.cil
sudo restorecon -RvF /var/daemontools/admin/daemontools-0.76/command /var/daemontools/supervised/

And there was much rejoicing.

Along the way, I discovered semodule -E, matchpathcon and the policy language as well as sesearch, seinfo, ps auxZ, ls -lZ.