Knowledge Base (Posts about selinux)https://bgstack15.ddns.net/blog/enContents © 2022 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Tue, 17 May 2022 12:45:35 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssGit hook post-receive run restoreconhttps://bgstack15.ddns.net/blog/posts/2022/05/17/git-hoook-post-receive-run-restorecon/bgstack15<p>I use <a href="https://git.zx2c4.com/cgit/about/">cgit</a> for myself, which is available at <a href="https://bgstack15.ddns.net/cgit/">/cgit</a>. I wrote about it previously about a year ago:</p> <ul> <li><a href="https://bgstack15.ddns.net/blog/posts/2021/04/21/cgit-solution-for-my-network/">2021/04/21/Cgit solution for my network</a></li> <li><a href="https://bgstack15.ddns.net/blog/posts/2021/04/25/populating-my-new-cgit-instance/">2021/04/25/Populating my new cgit instance</a></li> <li><a href="https://bgstack15.ddns.net/blog/posts/2021/04/29/adding-redirect-from-git-to-cgit-for-web-browsers/">2021/04/29/Adding redirect from /git to /cgit for web browsers</a></li> </ul> <p>And I have now improved my process with a post-receive hook. This task runs every time the server handles an upload. My hook does a few things:</p> <pre class="code literal-block"><span></span><code><span class="o">*</span><span class="w"> </span><span class="n">generates</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">store</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">most</span><span class="o">-</span><span class="n">recently</span><span class="o">-</span><span class="n">modified</span><span class="w"> </span><span class="kt">timestamp</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">repo</span><span class="p">,</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">sorting</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">cgit</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="k">view</span><span class="p">.</span><span class="w"></span> <span class="o">*</span><span class="w"> </span><span class="n">runs</span><span class="w"> </span><span class="n n-Quoted">`restorecon`</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">get</span><span class="w"> </span><span class="n">my</span><span class="w"> </span><span class="n">proper</span><span class="w"> </span><span class="k">context</span><span class="p">,</span><span class="w"> </span><span class="n">so</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">branches</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="k">visible</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">cgit</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="k">view</span><span class="p">.</span><span class="w"></span> </code></pre> <h3>Configure SELinux</h3> <p>Of course I use SELinux, so I need a custom policy for my git-hook to work. I used the standard mechanisms to troubleshoot SELinux.</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span><span class="w"> </span><span class="n">setenforce</span><span class="w"> </span><span class="mi">0</span><span class="w"></span> <span class="n">semodule</span><span class="w"> </span><span class="o">--</span><span class="n">disable_dontaudit</span><span class="w"> </span><span class="o">--</span><span class="n">build</span><span class="w"></span> <span class="n">echo</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">tee</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span><span class="w"> </span><span class="mi">1</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span><span class="w"></span> <span class="c1"># perform a large number of git and cgit operations</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">tail</span><span class="w"> </span><span class="o">-</span><span class="n">n15000</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">audit2allow</span><span class="w"> </span><span class="o">-</span><span class="n">M</span><span class="w"> </span><span class="n">foo</span><span class="w"></span> <span class="c1"># manually merge any new entries into cgitstackrpms.te</span><span class="w"></span> <span class="n">semodule</span><span class="w"> </span><span class="o">--</span><span class="n">build</span><span class="w"></span> <span class="n">_func</span><span class="p">()</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">checkmodule</span><span class="w"> </span><span class="o">-</span><span class="n">M</span><span class="w"> </span><span class="o">-</span><span class="n">m</span><span class="w"> </span><span class="o">-</span><span class="n">o</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">mod</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">te</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">semodule_package</span><span class="w"> </span><span class="o">-</span><span class="n">o</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">pp</span><span class="w"> </span><span class="o">-</span><span class="n">m</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">mod</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">semodule</span><span class="w"> </span><span class="o">-</span><span class="n">i</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="o">.</span><span class="n">pp</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">_func</span><span class="w"></span> </code></pre> <p>Final asset is <strong>cgitstackrpms.te</strong> which can be loaded and installed with the last line of the above command block. The most recent version includes the rules for the restorecon invocation from the post-receive git hook.</p> <pre class="code literal-block"><span></span><code><span class="n">module</span><span class="w"> </span><span class="n">cgitstackrpms</span><span class="w"> </span><span class="mf">1.2</span><span class="p">;</span><span class="w"></span> <span class="n">require</span><span class="w"> </span><span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">default_context_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">git_script_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_cache_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_sys_rw_content_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">httpd_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">initrc_var_run_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">selinux_config_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">shadow_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">sssd_conf_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">systemd_logind_sessions_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">systemd_logind_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">var_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">capability</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">audit_write</span><span class="w"> </span><span class="n">fowner</span><span class="w"> </span><span class="n">net_admin</span><span class="w"> </span><span class="n">sys_resource</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">dbus</span><span class="w"> </span><span class="n">send_msg</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">dir</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">relabelfrom</span><span class="w"> </span><span class="n">relabelto</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">search</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">fifo_file</span><span class="w"> </span><span class="n">write</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">map</span><span class="w"> </span><span class="n">lock</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">relabelfrom</span><span class="w"> </span><span class="n">relabelto</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">netlink_audit_socket</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">create</span><span class="w"> </span><span class="n">nlmsg_relay</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">write</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">setrlimit</span><span class="w"> </span><span class="n">noatsecure</span><span class="w"> </span><span class="n">rlimitinh</span><span class="w"> </span><span class="n">siginh</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="p">}</span><span class="w"></span> <span class="c1">#============= git_script_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">var_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="n">read</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">var_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">httpd_cache_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">search</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">httpd_cache_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">map</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">git_script_t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">search</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="c1">#============= httpd_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">git_script_t</span><span class="p">:</span><span class="n">process</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">noatsecure</span><span class="w"> </span><span class="n">rlimitinh</span><span class="w"> </span><span class="n">siginh</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">default_context_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="n">relabelto</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="n">relabelto</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_rw_content_t</span><span class="p">:</span><span class="n">dir</span><span class="w"> </span><span class="n">relabelfrom</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">httpd_sys_rw_content_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="n">relabelfrom</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">initrc_var_run_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">lock</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="bp">self</span><span class="p">:</span><span class="n">capability</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">net_admin</span><span class="w"> </span><span class="n">audit_write</span><span class="w"> </span><span class="n">fowner</span><span class="w"> </span><span class="n">sys_resource</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="bp">self</span><span class="p">:</span><span class="n">netlink_audit_socket</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">create</span><span class="w"> </span><span class="n">nlmsg_relay</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">write</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="bp">self</span><span class="p">:</span><span class="n">process</span><span class="w"> </span><span class="n">setrlimit</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">selinux_config_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">shadow_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">sssd_conf_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">systemd_logind_sessions_t</span><span class="p">:</span><span class="n">fifo_file</span><span class="w"> </span><span class="n">write</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">httpd_t</span><span class="w"> </span><span class="n">systemd_logind_t</span><span class="p">:</span><span class="n">dbus</span><span class="w"> </span><span class="n">send_msg</span><span class="p">;</span><span class="w"></span> <span class="c1">#============= systemd_logind_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">systemd_logind_t</span><span class="w"> </span><span class="n">httpd_t</span><span class="p">:</span><span class="n">dbus</span><span class="w"> </span><span class="n">send_msg</span><span class="p">;</span><span class="w"></span> </code></pre> <p>I already had a file context for my entire www directory.</p> <pre class="code literal-block"><span></span><code><span class="n">semanage</span><span class="w"> </span><span class="n">fcontext</span><span class="w"> </span><span class="o">-</span><span class="n">a</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="n">httpd_sys_content_t</span><span class="w"> </span><span class="s1">'/var/server1/shares/public/www(/.*)?'</span><span class="w"></span> </code></pre> <h5>Running restorecon after each push</h5> <p>The git hook for post-receive runs after every push to this cgit instance. Sometimes new files are buitl with incorrect selinux file contexts, but a restorecon will fix the contexts. Special permissions are needed, in the selinux policy above, and also for sudo.</p> <p>My environment uses FreeIPA, so I can make a rule in the domain for this. Even though of course <code>apache</code> is a local user, I want to make a domain user so I can make a sudoers rule for it. Sudo reads usernames from sudoers entries, and not uids, so this will work for a local user <code>apache</code> on the target host.</p> <pre class="code literal-block"><span></span><code><span class="c1"># gid 960600013 is my preexisting service-accounts group</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">user</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="o">--</span><span class="n">homedir</span><span class="o">=/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">httpd</span><span class="w"> </span><span class="o">--</span><span class="n">shell</span><span class="w"> </span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">nologin</span><span class="w"> </span><span class="n">apache</span><span class="w"> </span><span class="o">--</span><span class="n">first</span><span class="o">=</span><span class="n">apache</span><span class="w"> </span><span class="o">--</span><span class="n">last</span><span class="o">=</span><span class="s2">"domain user"</span><span class="w"> </span><span class="o">--</span><span class="n">gidnumber</span><span class="o">=</span><span class="mi">960600013</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">group</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">member</span><span class="w"> </span><span class="n">service</span><span class="o">-</span><span class="n">accounts</span><span class="w"> </span><span class="o">--</span><span class="n">users</span><span class="w"> </span><span class="n">apache</span><span class="w"> </span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudocmd</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="s1">'/sbin/restorecon -R /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudocmd</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rv /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudocmd</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rvn /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">host</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">hosts</span><span class="w"> </span><span class="n">server1</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="s1">'/sbin/restorecon -R /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rv /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">allow</span><span class="o">-</span><span class="n">command</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudocmds</span><span class="w"> </span><span class="s1">'/sbin/restorecon -Rvn /var/www/git'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">option</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudooption</span><span class="w"> </span><span class="s1">'!requiretty'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">option</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">sudooption</span><span class="w"> </span><span class="s1">'!authenticate'</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">add</span><span class="o">-</span><span class="n">user</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">users</span><span class="w"> </span><span class="n">apache</span><span class="w"></span> <span class="n">ipa</span><span class="w"> </span><span class="n">sudorule</span><span class="o">-</span><span class="n">mod</span><span class="w"> </span><span class="n">apache</span><span class="o">-</span><span class="n">restorecon</span><span class="o">-</span><span class="n">cgit</span><span class="w"> </span><span class="o">--</span><span class="n">desc</span><span class="o">=</span><span class="s2">"Apache can run restorecon /var/www/git on server1"</span><span class="w"></span> </code></pre> <p>If you are using plain sudo, use these contents.</p> <pre class="code literal-block"><span></span><code><span class="c1"># File /etc/sudoers.d/60_git-hook_post-receive_sudo</span><span class="w"></span> <span class="n">Defaults</span><span class="o">&gt;</span><span class="n">apache</span><span class="w"> </span><span class="o">!</span><span class="n">requiretty</span><span class="w"></span> <span class="n">apache</span><span class="w"> </span><span class="n">server1</span><span class="o">=</span><span class="p">(</span><span class="n">root</span><span class="p">)</span><span class="w"> </span><span class="n">NOPASSWD</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"> </span><span class="o">-</span><span class="n">R</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="p">,</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"> </span><span class="o">-</span><span class="n">Rv</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="p">,</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">restorecon</span><span class="w"> </span><span class="o">-</span><span class="n">Rvn</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="w"></span> </code></pre> <p>With all of these steps, the user apache can now run restorecon on that directory as part of the git-hook for <code>post-receive</code>.</p> <p>All of that, to explain one line in the following git hook file, <code>/usr/local/bin/git-hooks/post-receive</code>.</p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1"># File: post-receive</span> <span class="c1"># Project: cgit-Internal</span> <span class="c1"># Startdate: 2022-01-27</span> <span class="c1"># History:</span> <span class="c1"># 2022-05-11 added restorecon</span> <span class="c1"># Ripped directly from https://landchad.net/cgit</span> <span class="c1"># Dependencies:</span> <span class="c1"># sudoers rule in freeipa</span> <span class="c1">#exec 1&gt;&gt;/tmp/asdf2</span> <span class="c1">#exec 2&gt;&amp;1</span> <span class="c1">#exec 3&gt;&amp;1</span> <span class="nb">set</span> -x <span class="nv">agefile</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>git rev-parse --git-dir<span class="k">)</span><span class="s2">"</span>/info/web/last-modified date <span class="s2">"+%FT%T used post-receive"</span> &gt;&gt; /tmp/asdf2 mkdir -p <span class="s2">"</span><span class="k">$(</span>dirname <span class="s2">"</span><span class="nv">$agefile</span><span class="s2">"</span><span class="k">)</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> git <span class="k">for</span>-each-ref <span class="se">\</span> --sort<span class="o">=</span>-authordate --count<span class="o">=</span><span class="m">1</span> <span class="se">\</span> --format<span class="o">=</span><span class="s1">'%(authordate:iso8601)'</span> <span class="se">\</span> &gt;<span class="s2">"</span><span class="nv">$agefile</span><span class="s2">"</span> sudo --non-interactive /usr/sbin/restorecon -R /var/www/git <span class="m">1</span>&gt;/dev/null <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">&amp;</span> </code></pre> </td></tr></table> <p>This git hook can be established for all future git repositories established as part of my documented solution, by modifying the skeleton git hooks directory to store it:</p> <pre class="code literal-block"><span></span><code>sudo ln -sf /usr/local/bin/git-hooks/post-receive /usr/share/git-core/templates/hooks/post-receive </code></pre> <h2>Operations</h2> <p>An additional operation is available for the cgit-Internal solution.</p> <h4>Refreshing last-modified date for all repos</h4> <p>If for some reason the the repositories should get refreshed <code>info/web/last-modified</code> contents, you can run the hook manually. This command will switch to user apache so the permissions are preserved on the info/web/last-modified files.</p> <p>On server1:</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span><span class="w"> </span><span class="n">chown</span><span class="w"> </span><span class="o">-</span><span class="n">R</span><span class="w"> </span><span class="n">apache</span><span class="o">.</span><span class="n">admins</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span><span class="o">/</span><span class="p">{</span><span class="o">*</span><span class="p">,</span><span class="o">*/*</span><span class="p">}</span><span class="o">/</span><span class="n">info</span><span class="o">/</span><span class="n">web</span><span class="w"></span> <span class="n">su</span><span class="w"> </span><span class="n">apache</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">bash</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="s1">'cd /var/www/git ; for word in {*,*/*}/hooks/post-receive ; do ( cd "$( dirname "${word}" )" ; sh "./$( basename "${word}" )" ; ) ; done'</span><span class="w"></span> </code></pre>githookselinuxhttps://bgstack15.ddns.net/blog/posts/2022/05/17/git-hoook-post-receive-run-restorecon/Tue, 17 May 2022 12:36:48 GMTCgit solution for my networkhttps://bgstack15.ddns.net/blog/posts/2021/04/21/cgit-solution-for-my-network/bgstack15<h3>History</h3> <p>Experimentation using gitweb and cgit was carried out on d2-02a at some point before 2020-10. Cgit on Devuan (d2-02a) was examined after investigating a key <a href="https://stackoverflow.com/questions/26734933/how-to-set-up-git-over-http">Stackoverflow post</a> and determined to meet my needs.</p> <h3>Overview</h3> <p>Git-scm itself provides native mechanisms to allow operations through http, and basic Apache httpd configuration examples abound. Adding a decent web frontend with cgit is a small additional step. This setup also uses Apache httpd basic auth to limit read and write access to the true git projects, but not the cgit simple http clone operations.</p> <h3>Prerequisites</h3> <p>Apache httpd is installed. TLS certificate exists and is already in use.</p> <h3>Installing entire cgit solution</h3> <h4>Installing and configuring cgit</h4> <p>Install cgit from stackrpms repo for el8, which uses <a href="https://src.fedoraproject.org/fork/tmz/rpms/cgit">https://src.fedoraproject.org/fork/tmz/rpms/cgit</a> or <a href="https://src.fedoraproject.org/forks/tmz/rpms/cgit.git">https://src.fedoraproject.org/forks/tmz/rpms/cgit.git</a> to build the rpm. Tmz is the Fedora maintainer of this package, so his adaptation of it for el8 is trustworthy.</p> <pre class="code literal-block"><span></span><code>sudo dnf install cgit </code></pre> <p>Modify <code>/etc/cgitrc</code> with my own customizations. See internal file /mnt/public/Support/Programs/cgit/files/cgitrc for the original configuration. Install a few dependencies. Python3-markdown is also from stackrpms for el8, because I had to build it on my <a href="https://copr.fedorainfracloud.org/coprs/bgstack15/stackrpms/package/python-markdown/">copr</a>, also from its source <a href="https://src.fedoraproject.org/rpms/python-markdown">https://src.fedoraproject.org/rpms/python-markdown</a>.</p> <pre class="code literal-block"><span></span><code>sudo dnf install python3-pygments python3-markdown </code></pre> <p>These dependencies support displaying markdown (.md) files as the cgit and repo "about" pages. I tend to use markdown for these types of files. Copy in a logo file for myself to <code>/usr/share/cgit/bgstack15_64.png</code>. The top-level readme file is configured in the example cgitrc to <code>/var/www/git/readme.md</code></p> <h4>Configuring httpd</h4> <p>Set up file <code>/etc/git_access.conf</code> with snippets that will be included by the httpd config. This file will control access to the git repositories over git itself, not the cgit web presentation.</p> <pre class="code literal-block"><span></span><code># <span class="nv">File</span> <span class="o">/</span><span class="nv">etc</span><span class="o">/</span><span class="nv">git_access</span>.<span class="nv">conf</span> # <span class="nv">Part</span> <span class="nv">of</span> <span class="nv">cgit</span> <span class="nv">solution</span> <span class="k">for</span> <span class="nv">Mersey</span> <span class="nv">network</span>, <span class="mi">2021</span><span class="o">-</span><span class="mi">04</span><span class="o">-</span><span class="mi">15</span> # <span class="nv">The</span> <span class="nv">last</span> <span class="nv">phrase</span> <span class="nv">can</span> <span class="nv">be</span> <span class="s2">"</span><span class="s">all granted</span><span class="s2">"</span> <span class="nv">to</span> <span class="nv">allow</span> <span class="nv">anybody</span> <span class="nv">to</span> <span class="nv">read</span>. # <span class="nv">Use</span> <span class="nv">httpd</span> <span class="s2">"</span><span class="s">Require</span><span class="s2">"</span> <span class="nv">strings</span> <span class="k">for</span> <span class="nb">param2</span>, <span class="nb">param3</span>. <span class="nb">Param2</span> <span class="nv">grants</span> <span class="nv">read</span><span class="o">/</span><span class="nv">write</span> <span class="nv">permission</span>, <span class="nb">Param3</span> <span class="nv">is</span> <span class="nv">read</span><span class="o">-</span><span class="nv">only</span>. #<span class="nv">Use</span> <span class="nv">Project</span> <span class="k">dirname</span> <span class="s2">"</span><span class="s">user alice bob charlie</span><span class="s2">"</span> <span class="s2">"</span><span class="s">all granted</span><span class="s2">"</span> #<span class="nv">Use</span> <span class="nv">Project</span> <span class="k">dirname</span> <span class="s2">"</span><span class="s">user charlie</span><span class="s2">"</span> <span class="s2">"</span><span class="s">user bob alice</span><span class="s2">"</span> <span class="nv">Use</span> <span class="nv">Project</span> <span class="nv">certreq</span> <span class="s2">"</span><span class="s">user bgstack15</span><span class="s2">"</span> <span class="s2">"</span><span class="s">all granted</span><span class="s2">"</span> </code></pre> <p>In the above example, the "certreq" is a project name (directory name under /var/www/git). The second and third parameters, the "user bgstack15" and "all granted" will be passed to Apache "Require" directives. They represent "read- write access" and "read-only access" respectively. Apache interprets the example, resolved "Required all granted" as anonymous read access is allowed. One of the main operations described under the Operations heading below is adding new entries to this list of projects. Set up file <code>/etc/gitweb.conf</code> which is traditionally for gitweb, a different implementation of serving git repos over http, but can also be used here.</p> <pre class="code literal-block"><span></span><code><span class="nv">$export_auth_hook</span> <span class="o">=</span> <span class="k">sub</span> <span class="p">{</span> <span class="k">my</span> <span class="nv">$repo</span> <span class="o">=</span> <span class="nb">shift</span><span class="p">;</span> <span class="k">my</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nv">$cgi</span><span class="o">-&gt;</span><span class="n">remote_user</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="nv">$repo</span> <span class="o">=~</span> <span class="sr">s/\/var\/www\/git\///</span><span class="p">)</span> <span class="p">{</span> <span class="nb">open</span> <span class="n">FILE</span><span class="p">,</span> <span class="s">'/etc/git_access.conf'</span><span class="p">;</span> <span class="k">while</span><span class="p">(</span><span class="sr">&lt;FILE&gt;</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$_</span> <span class="o">=~</span> <span class="sr">m/Use Project $repo \"(.*)\" \"(.*)\"/</span><span class="p">)</span> <span class="p">{</span> <span class="k">my</span> <span class="nv">$users</span> <span class="o">=</span> <span class="nv">$1</span> <span class="o">.</span> <span class="s">' '</span> <span class="o">.</span> <span class="nv">$2</span><span class="p">;</span> <span class="nv">$users</span> <span class="o">=~</span> <span class="sr">s/all granted/$user/</span><span class="p">;</span> <span class="nv">$users</span> <span class="o">=~</span> <span class="sr">s/user//</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="nv">$users</span> <span class="o">=~</span> <span class="sr">m/$user/</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">};</span> </code></pre> <p>I do not understand this perl file: It came straight from <a href="https://stackoverflow.com/a/50317063/3569534">reference 2</a>. Set up file <code>/etc/git_access</code> with htpasswd(1).</p> <pre class="code literal-block"><span></span><code>sudo htpasswd -c /etc/git_access bgstack15 </code></pre> <p>Set up file <code>/etc/httpd/conf.d/cgit.conf</code> with modifications. This file is laid down by the cgit rpm, but might need some adjustments. The exact contents as of the time of this writing are the following.</p> <pre class="code literal-block"><span></span><code>Alias /cgit-data /usr/share/cgit ScriptAlias /cgit /var/www/cgi-bin/cgit RedirectMatch ^/cgit$ /git/ <span class="nt">&lt;Directory</span> <span class="err">"/usr/share/cgit/"</span><span class="nt">&gt;</span> AllowOverride None Require all granted <span class="nt">&lt;/Directory&gt;</span> </code></pre> <p>Set up the apache virtualhost. For server storage1, this means modifying extant file <code>/etc/httpd/conf.d/local_mirror.conf</code>. Inside the main VirtualHost definition (the port 80 one), add contents:</p> <pre class="code literal-block"><span></span><code># cgit + git. See /mnt/public/Support/Programs/cgit/cgit-README.md SetEnv GIT_PROJECT_ROOT /var/www/git SetEnv GIT_HTTP_EXPORT_ALL SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER SetEnv GITWEB_CONFIG /etc/gitweb.conf ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/ <span class="nt">&lt;Directory</span> <span class="err">"/usr/libexec/git-core*"</span><span class="nt">&gt;</span> Options +ExecCGI +Indexes Order allow,deny Allow from all Require all granted <span class="nt">&lt;/Directory&gt;</span> # a2enmod macro # for Devuan <span class="nt">&lt;Macro</span> <span class="err">Project</span> <span class="err">$repository</span> <span class="err">$rwstring</span> <span class="err">$rostring</span><span class="nt">&gt;</span> <span class="nt">&lt;LocationMatch</span> <span class="err">"^/git/$repository.*$"</span><span class="nt">&gt;</span> AuthType Basic AuthName "Git Access" AuthUserFile /etc/git_access Require $rwstring Require $rostring <span class="nt">&lt;/LocationMatch&gt;</span> <span class="nt">&lt;LocationMatch</span> <span class="err">"^/git/$repository/git-receive-pack$"</span><span class="nt">&gt;</span> AuthType Basic AuthName "Git Access" AuthUserFile /etc/git_access Require $rwstring <span class="nt">&lt;/LocationMatch&gt;</span> <span class="nt">&lt;/Macro&gt;</span> # Devuan apache2 works with IncludeOptional but EL8 httpd doesn't work with it. Include /etc/git_access.conf # https://ic3man5.wordpress.com/2013/01/26/installing-cgit-on-debian/ # depends on conf-enabled/cgit.conf (available as cgit.conf.devuan) <span class="nt">&lt;Directory</span> <span class="err">"/usr/share/cgit/"</span><span class="nt">&gt;</span> SetEnv CGIT_CONFIG /etc/cgitrc SetEnv GIT_URL cgit AllowOverride all Options +ExecCGI +FollowSymLinks +Indexes DirectoryIndex cgit.cgi AddHandler cgi-script .cgi RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule (.*) /cgit/cgit.cgi/$1 [END,QSA] <span class="nt">&lt;/Directory&gt;</span> </code></pre> <p>After making changes to these files, test (sudo httpd -t), and then reload or restart httpd.</p> <h3>Configure SELinux</h3> <p>I used the standard mechanisms to troubleshoot SELinux.</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span> <span class="n">setenforce</span> <span class="mi">0</span> <span class="n">semodule</span> <span class="o">--</span><span class="n">disable_dontaudit</span> <span class="o">--</span><span class="n">build</span> <span class="n">echo</span> <span class="s2">""</span> <span class="o">|</span> <span class="n">sudo</span> <span class="n">tee</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="mi">1</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span> <span class="c1"># perform a large number of git and cgit operations</span> <span class="n">sudo</span> <span class="n">tail</span> <span class="o">-</span><span class="n">n15000</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="o">|</span> <span class="n">audit2allow</span> <span class="o">-</span><span class="n">M</span> <span class="n">foo</span> <span class="c1"># manually merge any new entries into cgitmersey.te</span> <span class="n">semodule</span> <span class="o">--</span><span class="n">build</span> <span class="n">_func</span><span class="p">()</span> <span class="p">{</span><span class="n">sudo</span> <span class="n">checkmodule</span> <span class="o">-</span><span class="n">M</span> <span class="o">-</span><span class="n">m</span> <span class="o">-</span><span class="n">o</span> <span class="n">cgitmersey</span><span class="o">.</span><span class="n">mod</span> <span class="n">cgitmersey</span><span class="o">.</span><span class="n">te</span> <span class="o">&amp;&amp;</span> <span class="n">sudo</span> <span class="n">semodule_package</span> <span class="o">-</span><span class="n">o</span> <span class="n">cgitmersey</span><span class="o">.</span><span class="n">pp</span> <span class="o">-</span><span class="n">m</span> <span class="n">cgitmersey</span><span class="o">.</span><span class="n">mod</span> <span class="o">&amp;&amp;</span> <span class="n">sudo</span> <span class="n">semodule</span> <span class="o">-</span><span class="n">i</span> <span class="n">cgitmersey</span><span class="o">.</span><span class="n">pp</span> <span class="p">;</span> <span class="p">}</span> <span class="p">;</span> <span class="n">time</span> <span class="n">_func</span> </code></pre> <p>Final asset is <code>cgitmersey.te</code> which can be loaded and installed with the last line of the above command block.</p> <pre class="code literal-block"><span></span><code><span class="n">module</span> <span class="n">cgitmersey</span> <span class="mf">1.0</span><span class="p">;</span> <span class="n">require</span> <span class="p">{</span> <span class="n">type</span> <span class="n">git_script_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">httpd_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">httpd_cache_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">var_t</span><span class="p">;</span> <span class="k">class</span> <span class="n">process</span> <span class="p">{</span> <span class="n">noatsecure</span> <span class="n">rlimitinh</span> <span class="n">siginh</span> <span class="p">};</span> <span class="k">class</span> <span class="n">file</span> <span class="p">{</span> <span class="n">getattr</span> <span class="n">map</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="k">class</span> <span class="n">dir</span> <span class="p">{</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="n">search</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">#============= git_script_t ==============</span> <span class="n">allow</span> <span class="n">git_script_t</span> <span class="n">var_t</span><span class="p">:</span><span class="n">dir</span> <span class="n">read</span><span class="p">;</span> <span class="n">allow</span> <span class="n">git_script_t</span> <span class="n">var_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">read</span> <span class="n">getattr</span> <span class="n">open</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">git_script_t</span> <span class="n">httpd_cache_t</span><span class="p">:</span><span class="n">dir</span> <span class="p">{</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="n">search</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">git_script_t</span> <span class="n">httpd_cache_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">map</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="c1">#============= httpd_t ==============</span> <span class="n">allow</span> <span class="n">httpd_t</span> <span class="n">git_script_t</span><span class="p">:</span><span class="n">process</span> <span class="p">{</span> <span class="n">noatsecure</span> <span class="n">rlimitinh</span> <span class="n">siginh</span> <span class="p">};</span> </code></pre> <h3>Populating cgit with my content</h3> <p>See separate blog post <a href="https://bgstack15.ddns.net/blog/posts/2021/04/25/populating-my-new-cgit-instance/">Populating my New Cgit Instance</a> for this whole task.</p> <h3>Summary of associated files</h3> <ul> <li>/etc/gitweb.conf</li> <li>/usr/share/cgit/bgstack15_64.png</li> <li>/etc/git_access.conf</li> <li>/etc/git_access</li> <li> <p>/etc/cgitrc </p> <pre class="code literal-block"><span></span><code>cache-size=300 </code></pre> <p>clone-prefix=https://www.example.com/git css=/cgit-data/cgit.css</p> <h2>Disable owner on index page</h2> <p>enable-index-owner=0 enable-index-links=1</p> <h2>Allow http transport git clone</h2> <p>enable-http-clone=1</p> <h2>Show extra links for each repository on the index page</h2> <h2>enable-index-links=0</h2> <h2>Enable blame page and create links to it from tree page</h2> <h2>enable-blame=0</h2> <h2>Enable ASCII art commit history graph on the log pages</h2> <h2>enable-commit-graph=0</h2> <h2>Show number of affected files per commit on the log pages</h2> <h2>enable-log-filecount=0</h2> <h2>Show number of added/removed lines per commit on the log pages</h2> <h2>enable-log-linecount=0</h2> <h2>Sort branches by age or name</h2> <h2>branch-sort=name</h2> <h2>favicon=/favicon.ico</h2> <h2>Use a custom logo</h2> <p>logo=/cgit-data/bgstack15_64.png</p> <h2>Enable statistics per week, month, quarter, or year</h2> <h2>max-stats=</h2> <h2>Set the title and heading of the repository index page</h2> <p>root-title=Stackrpms git root-readme=/var/www/git/readme.md root-desc=Bgstack15 local repos</p> <h2>Allow download of tar.gz, tar.bz2 and zip-files</h2> <p>snapshots=tar.gz tar.bz2 zip mimetype.gif=image/gif mimetype.html=text/html mimetype.jpg=image/jpeg mimetype.jpeg=image/jpeg mimetype.pdf=application/pdf mimetype.png=image/png mimetype.svg=image/svg+xml</p> <h2>Enable syntax highlighting (requires the highlight package)</h2> <p>source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh</p> <h2>Format markdown, restructuredtext, manpages, text files, and html files</h2> <h2>through the right converters</h2> <p>about-filter=/usr/libexec/cgit/filters/about-formatting.sh readme=:README.md readme=:readme.md readme=:README.mkd readme=:readme.mkd readme=:README.rst readme=:readme.rst readme=:README.html readme=:readme.html readme=:README.htm readme=:readme.htm readme=:README.txt readme=:readme.txt readme=:README readme=:readme readme=:INSTALL.md readme=:install.md readme=:INSTALL.mkd readme=:install.mkd readme=:INSTALL.rst readme=:install.rst readme=:INSTALL.html readme=:install.html readme=:INSTALL.htm readme=:install.htm readme=:INSTALL.txt readme=:install.txt readme=:INSTALL readme=:install section-from-path=1 enable-subject-links=1 virtual-root=/cgit/ scan-path=/var/www/git/</p> </li> <li> <p>/etc/httpd/conf.d/cgit.conf</p> </li> <li>/var/www/git/readme.md</li> <li>/mnt/public/Support/Programs/cgit/cgitmersey.te</li> </ul> <h3>Operations</h3> <p>Some useful operations are described here.</p> <h4>Making a new project</h4> <p>To set up a new project that can receive pushes, you need to initialize a new git bare repo. Make the "newname" project in /var/www/git, and grant access to the apache user.</p> <pre class="code literal-block"><span></span><code><span class="n">cd</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">git</span> <span class="p">;</span> <span class="n">git</span> <span class="n">init</span> <span class="o">--</span><span class="n">bare</span> <span class="n">newname</span> <span class="p">;</span> <span class="n">sudo</span> <span class="n">chgrp</span> <span class="n">apache</span> <span class="o">-</span><span class="n">R</span> <span class="n">newname</span> </code></pre> <p>Set up permissions for the new project in <code>/etc/git_access.conf</code>. For example:</p> <pre class="code literal-block"><span></span><code>Use Project "newname" "user adminuser1 adminuser2 adminuser3" "user1 user2 user3" </code></pre> <p>After making changes, ensure httpd accepts the new config (because it loads /etc/git_access.conf as an included file), and then reload httpd.</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span> <span class="n">httpd</span> <span class="o">-</span><span class="n">t</span> <span class="n">sudo</span> <span class="n">systemctl</span> <span class="n">reload</span> <span class="n">httpd</span> </code></pre> <h4>Changing cgit-related attributes of a project</h4> <p>Cgit can be configured to read a file named <code>cgitrc</code> within a git repository. I tend to use just the top directory of these bare git repos, so for project certreq, use <code>/var/www/git/certreq/cgitrc</code>. See cgitrc(5) for more info, but a brief list of useful attributes (var=value) include: defbranch, desc, hide, homepage, ignore, logo, name, owner, readme, section, url. For the description of a repo that appears in the main index, use regular file in a git bare repo: <code>description</code>.</p> <h4>Adding a new user</h4> <p>Use regular htpasswd mechanism to add users or change passwords. See htpasswd(1).</p> <pre class="code literal-block"><span></span><code>htpasswd /etc/git_access bgstack15 </code></pre> <h4>Removing a project</h4> <p>Just delete the project directory.</p> <h4>Changing cgitrc values</h4> <p>Changing cgitrc values take effect immediately (when caching is set to 0); no httpd reload is necessary.</p> <h3>References</h3> <ol> <li><a href="https://stackoverflow.com/questions/26734933/how-to-set-up-git-over-http">https://stackoverflow.com/questions/26734933/how-to-set-up-git-over-http</a> git_access.conf</li> <li><a href="https://stackoverflow.com/a/50317063/3569534">https://stackoverflow.com/a/50317063/3569534</a> /etc/gitweb.conf and httpd.conf macro and other snippets</li> <li><a href="https://stackoverflow.com/questions/40924641/setting-up-git-http-backend-with-apache-2-4">https://stackoverflow.com/questions/40924641/setting-up-git-http-backend-with-apache-2-4</a></li> <li><a href="https://stackoverflow.com/a/2200662/3569534">https://stackoverflow.com/a/2200662/3569534</a> had to convert my sample project to a bare git one</li> </ol> <h4>Auxiliary reading</h4> <ol> <li><a href="https://ic3man5.wordpress.com/2013/01/26/installing-cgit-on-debian/">https://ic3man5.wordpress.com/2013/01/26/installing-cgit-on-debian/</a></li> </ol> <h4>Alternatives</h4> <h6>added 2022-01-18</h6> <ol> <li><a href="https://shreyasminocha.me/blog/replacing-gitea/">Shreyas Minocha's Replacing Gitea</a></li> </ol>cgitgithttpdselfhostingselinuxhttps://bgstack15.ddns.net/blog/posts/2021/04/21/cgit-solution-for-my-network/Wed, 21 Apr 2021 12:36:21 GMTWeb gallery solutionhttps://bgstack15.ddns.net/blog/posts/2021/02/02/web-gallery-solution/bgstack15<p>A while back, I was inspired by Thealaskalinuxuser's <a href="https://thealaskalinuxuser.wordpress.com/2019/07/23/home-photo-server-part-2-apache-phpalbum-and-piwigo/">article</a> about how he set up his photo sharing server at home. I experimented briefly with piwigo back when I read that, but ended up stopping that project. When I returned to this topic, I realized I just didn't want to deal with php. I applaud his stamina and commitment, but I want something with fewer dependencies. Here is my solution. So, here is my internal documentation that is my alternative to Google Photos.</p> <h2>Gallery solution for internal network</h2> <h3>Overview</h3> <p>As part of my goals to run self-hosted services for myself and my family, I intend to maintain a web gallery of photos and videos. This solution consists of several parts.</p> <ul> <li>Tools that create symlink forests to the original image files, in a specific location</li> <li>Static site generator <a href="http://sigal.saimon.org/">sigal</a></li> <li>Customized theme for sigal</li> <li>Customized sigal config for that theme</li> <li>Gallery id table</li> <li>SELinux rules</li> <li>CGI scripts for Apache httpd</li> </ul> <h3>Architecture</h3> <p>The solution runs on server1, the main file server for the internal network.</p> <h4>Tools that create symlink forests for the gallery source directories</h4> <p><a href="https://gitlab.com/bgstack15/gallery/-/blob/master/generate.sh">Generate.sh</a> is what I used for the proof of concept. This needs to be rewritten in python, and to handle files without exif data. My python implementation will show up on this blog at a later date.</p> <h4>Static site generator</h4> <p>The <a href="http://sigal.saimon.org/">sigal</a> site generator is installed with pip3, under local service account <code>sigal</code> on server1. A special script, <strong>/usr/local/bin/sigal.bin</strong> will generate the static pages for a site. To use this script, pass a parameter of the source directory where the sigal.conf.py exists.</p> <pre class="code literal-block"><span></span><code>/usr/local/bin/sigal.bin /mnt/public/www/example/images/.gallery </code></pre> <p>Sigal depends on <strong>ffmpeg</strong> for video thumbnailing and conversions. On CentOS 8, ffmpeg is in repository powertools. File <a href="https://gitlab.com/bgstack15/gallery/-/blob/master/sigal.bin">sigal.bin</a></p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span> <span class="normal">25</span> <span class="normal">26</span> <span class="normal">27</span> <span class="normal">28</span> <span class="normal">29</span> <span class="normal">30</span> <span class="normal">31</span> <span class="normal">32</span> <span class="normal">33</span> <span class="normal">34</span> <span class="normal">35</span> <span class="normal">36</span> <span class="normal">37</span> <span class="normal">38</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1"># File: /usr/local/bin/sigal.bin</span> <span class="c1"># Author: bgstack15@gmail.com</span> <span class="c1"># Startdate: 2021-01-24</span> <span class="c1"># Title: Run sigal static site generator</span> <span class="c1"># Purpose: run sigal static site generator for provided path</span> <span class="c1"># History:</span> <span class="c1"># Usage:</span> <span class="c1"># called by regen.cgi, or by hand</span> <span class="c1"># Dependencies:</span> <span class="c1"># 60_regen_gallery_sudo</span> <span class="c1"># gallery.te</span> <span class="c1"># service account "sigal" with `pip3 install --user sigal`</span> <span class="c1"># Reverse dependencies:</span> <span class="c1"># httpd conf </span> <span class="nv">sigal_home</span><span class="o">=</span>~sigal <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">GALLERY_ID</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">GALLERY_ID</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">1</span><span class="si">}</span><span class="s2">"</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">GALLERY_ID</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Pass to this script the gallery_id or directory path to a sigal.conf.py. Aborted."</span> <span class="m">1</span>&gt;<span class="p">&amp;</span><span class="m">2</span> <span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> <span class="p">;</span> <span class="o">}</span> <span class="k">if</span> <span class="nb">test</span> -d <span class="s2">"</span><span class="si">${</span><span class="nv">GALLERY_ID</span><span class="si">}</span><span class="s2">"</span> <span class="p">;</span> <span class="k">then</span> <span class="nb">cd</span> <span class="s2">"</span><span class="si">${</span><span class="nv">GALLERY_ID</span><span class="si">}</span><span class="s2">"</span> <span class="k">else</span> <span class="k">if</span> <span class="nb">test</span> -e /etc/gallery-cgi.conf <span class="p">;</span> <span class="k">then</span> . /etc/gallery-cgi.conf <span class="k">else</span> <span class="c1"># no gallery_id listing exists.</span> <span class="nb">echo</span> <span class="s2">"No gallery_id table exists. Aborted."</span> <span class="m">1</span>&gt;<span class="p">&amp;</span><span class="m">2</span> <span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> <span class="k">fi</span> <span class="k">fi</span> <span class="k">if</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">GALLERY_ID</span><span class="si">}</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"init"</span> <span class="p">;</span> <span class="k">then</span> sudo su sigal -s /bin/bash -c <span class="s2">"</span><span class="si">${</span><span class="nv">sigal_home</span><span class="si">}</span><span class="s2">/.local/bin/sigal init"</span> <span class="k">else</span> <span class="nb">eval</span> <span class="nb">cd</span> <span class="se">\"\$</span><span class="o">{</span><span class="s2">"</span><span class="si">${</span><span class="nv">GALLERY_ID</span><span class="si">}</span><span class="s2">"</span><span class="o">}</span><span class="se">\"</span> sudo su sigal -s /bin/bash -c <span class="s2">"</span><span class="si">${</span><span class="nv">sigal_home</span><span class="si">}</span><span class="s2">/.local/bin/sigal build"</span> <span class="k">fi</span> </code></pre> </td></tr></table> <h4>Customized theme for sigal</h4> <p>Use theme <strong>bgstack15-gallery-theme</strong> , in any location. You just need to put its full path as the value of the theme in a sigal.conf.py for a gallery. This is a fork of the default, included <a href="https://github.com/saimn/sigal/tree/master/sigal/themes/colorbox">colorbox</a> theme. The full theme is available in this project directory, as well as a diff of it to the original as of sigal version 2.1.1. The main changes are adding extra metadata handlers and link logic for the custom links related to editing metadata.</p> <h4>Customized sigal config for that theme</h4> <p>When you <strong>run sigal init</strong> in a directory, it generates a default config you can modify. The example theme, and this whole solution, depends on adding a number of settings. A summary of the specific options is here, but the full example file is in this project directory.</p> <pre class="code literal-block"><span></span><code><span class="n">source</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'/var/www/gallery/.my2018'</span><span class="w"></span> <span class="n">destination</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'/var/www/gallery/my2018'</span><span class="w"></span> <span class="n">use_orig</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">True</span><span class="w"></span> <span class="n">edit_cgi_script</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"/cgi-bin/gallery/edit.cgi"</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="k">path</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">edit</span><span class="p">.</span><span class="n">cgi</span><span class="w"></span> <span class="n">edit_enabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">False</span><span class="w"></span> <span class="n">edit_password</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"makeupapassword"</span><span class="w"></span> <span class="n">edit_string</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'[edit]'</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nc">text</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">link</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="n">metadata</span><span class="w"></span> <span class="n">toggle_enable_string</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"Enable editing"</span><span class="w"></span> <span class="n">toggle_disable_string</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"Disable editing"</span><span class="w"></span> <span class="n">toggle_link</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"/cgi-bin/gallery/toggle-editing.cgi"</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="k">path</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">toggle</span><span class="o">-</span><span class="n">editing</span><span class="p">.</span><span class="n">cgi</span><span class="w"></span> <span class="n">toggle_editing</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">[</span><span class="n"></span> <span class="n"> (False, 'Enable editing'),</span> <span class="n"> (True, 'Disable editing')</span> <span class="n"> </span><span class="o">]</span><span class="w"></span> <span class="n">gallery_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">"example_images"</span><span class="w"></span> <span class="err">#</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">links</span><span class="w"> </span><span class="p">(</span><span class="n">tuples</span><span class="w"> </span><span class="p">(</span><span class="n">title</span><span class="p">,</span><span class="w"> </span><span class="n">URL</span><span class="p">))</span><span class="w"></span> <span class="err">#</span><span class="w"> </span><span class="n">links</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">[</span><span class="n">('Example link', 'http://example.org'),</span> <span class="n"># ('Another link', 'http://example.org')</span><span class="o">]</span><span class="w"></span> <span class="n">links</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">[</span><span class="n"></span> <span class="n"> ('Regenerate pages', '/cgi-bin/gallery/regen.cgi?id=' + gallery_id)</span> <span class="n"> </span><span class="o">]</span><span class="w"></span> </code></pre> <p>The <code>gallery_id</code> is very important, because the cgi scripts and theme rely on it.</p> <h4>Gallery id table</h4> <p>File <strong>/etc/gallery-cgi.conf</strong> contains a list of <strong>gallery_id</strong> translations to directories with sigal.conf.py rules.</p> <pre class="code literal-block"><span></span><code>example_images=/mnt/public/www/example/images/.gallery </code></pre> <h4>SELinux rules</h4> <p>The reference system, server1, runs SELinux. A custom selinux module is needed to allow all the operations that are a part of this gallery solution, which include the following. File <strong>gallery.te</strong> can be installed as an enabled selinux module.</p> <pre class="code literal-block"><span></span><code>sudo checkmodule -M -m -o gallery.mod gallery.te &amp;&amp; sudo semodule_package -o gallery.pp -m gallery.mod &amp;&amp; sudo semodule -i gallery.pp </code></pre> <p>File <a href="https://gitlab.com/bgstack15/gallery/-/blob/master/gallery.te">gallery.te</a>:</p> <pre class="code literal-block"><span></span><code><span class="c1"># Last modified 2021-01-30</span> <span class="n">module</span> <span class="n">gallery</span> <span class="mf">1.0</span><span class="p">;</span> <span class="n">require</span> <span class="p">{</span> <span class="n">type</span> <span class="n">faillog_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">security_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">httpd_config_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">init_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">sssd_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">mnt_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">lastlog_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">systemd_logind_sessions_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">initrc_var_run_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">tmpfs_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">gconf_home_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">chkpwd_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">systemd_logind_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">unconfined_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">shadow_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">httpd_sys_script_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">sssd_selinux_manager_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">sssd_conf_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">var_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">httpd_t</span><span class="p">;</span> <span class="k">class</span> <span class="n">capability</span> <span class="p">{</span> <span class="n">audit_write</span> <span class="n">dac_read_search</span> <span class="n">net_admin</span> <span class="n">setgid</span> <span class="n">setuid</span> <span class="n">sys_resource</span> <span class="p">};</span> <span class="k">class</span> <span class="n">process</span> <span class="p">{</span> <span class="n">noatsecure</span> <span class="n">rlimitinh</span> <span class="n">setrlimit</span> <span class="n">siginh</span> <span class="p">};</span> <span class="k">class</span> <span class="n">netlink_audit_socket</span> <span class="p">{</span> <span class="n">create</span> <span class="n">nlmsg_relay</span> <span class="n">read</span> <span class="n">write</span> <span class="p">};</span> <span class="k">class</span> <span class="n">netlink_selinux_socket</span> <span class="p">{</span> <span class="n">bind</span> <span class="n">create</span> <span class="p">};</span> <span class="k">class</span> <span class="n">passwd</span> <span class="n">rootok</span><span class="p">;</span> <span class="k">class</span> <span class="n">dir</span> <span class="p">{</span> <span class="n">add_name</span> <span class="n">read</span> <span class="n">remove_name</span> <span class="n">search</span> <span class="n">write</span> <span class="p">};</span> <span class="k">class</span> <span class="n">file</span> <span class="p">{</span> <span class="n">create</span> <span class="n">execute</span> <span class="n">execute_no_trans</span> <span class="n">setattr</span> <span class="n">getattr</span> <span class="n">link</span> <span class="n">lock</span> <span class="n">map</span> <span class="n">open</span> <span class="n">read</span> <span class="n">unlink</span> <span class="n">write</span> <span class="n">ioctl</span> <span class="p">};</span> <span class="k">class</span> <span class="n">dbus</span> <span class="n">send_msg</span><span class="p">;</span> <span class="k">class</span> <span class="n">fifo_file</span> <span class="n">write</span><span class="p">;</span> <span class="k">class</span> <span class="n">security</span> <span class="n">compute_av</span><span class="p">;</span> <span class="k">class</span> <span class="n">lnk_file</span> <span class="n">read</span><span class="p">;</span> <span class="k">class</span> <span class="n">filesystem</span> <span class="n">getattr</span><span class="p">;</span> <span class="k">class</span> <span class="n">process</span> <span class="n">setfscreate</span><span class="p">;</span> <span class="p">}</span> <span class="c1">#============= httpd_sys_script_t ==============</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">faillog_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">var_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">create</span> <span class="n">ioctl</span> <span class="n">setattr</span> <span class="n">unlink</span> <span class="n">write</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">var_t</span><span class="p">:</span><span class="n">dir</span> <span class="p">{</span> <span class="n">read</span> <span class="n">add_name</span> <span class="n">remove_name</span> <span class="n">write</span> <span class="p">};</span> <span class="c1">#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">gconf_home_t</span><span class="p">:</span><span class="n">file</span> <span class="n">map</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">gconf_home_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">execute</span> <span class="n">execute_no_trans</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">httpd_config_t</span><span class="p">:</span><span class="n">dir</span> <span class="n">search</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">initrc_var_run_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">lock</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">lastlog_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">open</span> <span class="n">read</span> <span class="n">write</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">mnt_t</span><span class="p">:</span><span class="n">lnk_file</span> <span class="n">read</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">security_t</span><span class="p">:</span><span class="n">dir</span> <span class="n">read</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">security_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="n">write</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">security_t</span><span class="p">:</span><span class="n">security</span> <span class="n">compute_av</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="bp">self</span><span class="p">:</span><span class="n">capability</span> <span class="p">{</span> <span class="n">audit_write</span> <span class="n">dac_read_search</span> <span class="n">net_admin</span> <span class="n">setgid</span> <span class="n">setuid</span> <span class="n">sys_resource</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="bp">self</span><span class="p">:</span><span class="n">netlink_audit_socket</span> <span class="p">{</span> <span class="n">create</span> <span class="n">nlmsg_relay</span> <span class="n">read</span> <span class="n">write</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="bp">self</span><span class="p">:</span><span class="n">netlink_selinux_socket</span> <span class="p">{</span> <span class="n">bind</span> <span class="n">create</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="bp">self</span><span class="p">:</span><span class="n">passwd</span> <span class="n">rootok</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="bp">self</span><span class="p">:</span><span class="n">process</span> <span class="n">setrlimit</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">shadow_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">sssd_conf_t</span><span class="p">:</span><span class="n">dir</span> <span class="n">search</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">sssd_conf_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">systemd_logind_sessions_t</span><span class="p">:</span><span class="n">fifo_file</span> <span class="n">write</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">systemd_logind_t</span><span class="p">:</span><span class="n">dbus</span> <span class="n">send_msg</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">tmpfs_t</span><span class="p">:</span><span class="n">dir</span> <span class="p">{</span> <span class="n">add_name</span> <span class="n">remove_name</span> <span class="n">write</span> <span class="p">};</span> <span class="c1">#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">tmpfs_t</span><span class="p">:</span><span class="n">file</span> <span class="n">map</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">tmpfs_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">create</span> <span class="n">getattr</span> <span class="n">link</span> <span class="n">open</span> <span class="n">read</span> <span class="n">unlink</span> <span class="n">write</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">tmpfs_t</span><span class="p">:</span><span class="n">filesystem</span> <span class="n">getattr</span><span class="p">;</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="bp">self</span><span class="p">:</span><span class="n">process</span> <span class="n">setfscreate</span><span class="p">;</span> <span class="c1">#============= init_t ==============</span> <span class="n">allow</span> <span class="n">init_t</span> <span class="n">chkpwd_t</span><span class="p">:</span><span class="n">process</span> <span class="n">siginh</span><span class="p">;</span> <span class="n">allow</span> <span class="n">init_t</span> <span class="n">unconfined_t</span><span class="p">:</span><span class="n">process</span> <span class="n">siginh</span><span class="p">;</span> <span class="c1">#============= sssd_t ==============</span> <span class="n">allow</span> <span class="n">sssd_t</span> <span class="n">sssd_selinux_manager_t</span><span class="p">:</span><span class="n">process</span> <span class="p">{</span> <span class="n">noatsecure</span> <span class="n">rlimitinh</span> <span class="n">siginh</span> <span class="p">};</span> <span class="c1">#============= systemd_logind_t ==============</span> <span class="n">allow</span> <span class="n">systemd_logind_t</span> <span class="n">httpd_sys_script_t</span><span class="p">:</span><span class="n">dbus</span> <span class="n">send_msg</span><span class="p">;</span> <span class="c1">#============= httpd_t ==============</span> <span class="n">allow</span> <span class="n">httpd_t</span> <span class="n">var_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">getattr</span> <span class="n">map</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> </code></pre> <h4>Sudo rules</h4> <p>For apache httpd to be able to run the sigal.bin, set up sudoers rules. File <strong>60_regen_gallery_sudo</strong> adds the permission necessary.</p> <pre class="code literal-block"><span></span><code><span class="p">#</span> <span class="nl">file:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">sudoers</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="mh">60</span><span class="n">_regen_gallery_sudo</span> <span class="p">#</span> <span class="nl">Reference:</span> <span class="nl">server4:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">sudoers</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="mh">60</span><span class="n">_starbound_sudo</span> <span class="n">apache</span> <span class="n">ALL</span><span class="o">=</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="nl">NOPASSWD:</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">sigal</span><span class="p">.</span><span class="n">bin</span> <span class="o">*</span> </code></pre> <h4>CGI scripts for Apache httpd</h4> <p>The main focus of the gallery project is the ability to edit metadata from the web view. While sigal is great for developers, some users might only care about editing metadata from where they are actually viewing the media.</p> <ul> <li><a href="https://gitlab.com/bgstack15/gallery/-/blob/master/edit.cgi">edit.cgi</a> is called from the custom theme's "edit" links, and includes the form for making changes to media metadata.</li> <li><a href="https://gitlab.com/bgstack15/gallery/-/blob/master/apply.cgi">apply.cgi</a> actually makes the changes, and is called from the edit.cgi form.</li> <li><a href="https://gitlab.com/bgstack15/gallery/-/blob/master/regen.cgi">regen.cgi</a> invokes sigal.bin which re-runs sigal.</li> <li><a href="https://gitlab.com/bgstack15/gallery/-/blob/master/toggle-editing.cgi">toggle-editing.cgi</a> enables or disables editing. Enabling requires a password.</li> </ul> <p>These can be placed anywhere you have enabled CGI for httpd, but the canonical location is <strong>/var/www/cgi-bin/gallery/</strong>.</p> <h3>Operations</h3> <p>I anticipate that more work is needed on an ongoing basis. Here are some processes that can be used.</p> <h4>Make a new gallery</h4> <p>To establish a new gallery, change directory to the source directory for the gallery and run command</p> <pre class="code literal-block"><span></span><code>sigal.bin init </code></pre> <p>Which generates the basic sigal.conf.py. Add the pertinent variables, described in section "Customized sigal config for that theme" above.</p> <h4>Run sigal from command line</h4> <p>While the web links for "regen.cgi" are great for when you are viewing the web, you can also run the sigal.bin from the cli. You need to include a path to the directory that holds a sigal.conf.py, or else a <strong>gallery_id</strong> from /etc/gallery-cgi.conf.</p> <pre class="code literal-block"><span></span><code>sigal.bin example_images </code></pre> <h4>Make metadata changes directly on filesystem</h4> <p>You can of course, as designed by the author of sigal, go edit any <strong>${IMAGENAME%%.jpg}.md</strong> file with the relevant fields. See references 1 and 2 for the available fields. File index.md will be the metadata for the directory itself.</p> <h3>History</h3> <p>In 2020, I installed <a href="https://piwigo.org/">piwigo</a> on a dev system. I didn't want to deal with php, so I dropped it. In January 2021, I started listing various options for self-hosted galleries. Read heading [Related Files] for those. Criteria I assembled includes</p> <ul> <li>Metadata: description, date, comments</li> </ul> <h3>Related Files</h3> <p>These files are important to this gallery project. Check them all out at my <a href="https://gitlab.com/bgstack15/gallery">gitlab</a> space.</p> <ul> <li>/usr/local/bin/sigal.bin</li> <li>/var/www/cgi-bin/apply.cgi</li> <li>/var/www/cgi-bin/edit.cgi</li> <li>/var/www/cgi-bin/regen.cgi</li> <li>/var/www/cgi-bin/toggle-editing.cgi</li> <li>gallery.te</li> <li>/etc/sudoers.d/60_regen_gallery_sudo</li> <li>/etc/gallery-cgi.conf</li> <li>sigal.conf.py</li> <li>bgstack15-gallery-theme/</li> </ul> <h3>Alternatives</h3> <ul> <li><a href="https://piwigo.org/">Piwigo</a> uses PHP which I don't want to maintain.</li> <li><a href="https://github.com/awesome-selfhosted/awesome-selfhosted#photo-and-video-galleries">Awesome selfhosted#photo-and-video-galleries</a> is a whole list.</li> </ul> <p>Ones I considered without trying</p> <ul> <li><a href="http://mediagoblin.org/">mediagoblin</a></li> <li><a href="https://github.com/viktorstrate/photoview">photoview</a></li> <li><a href="https://bpatrik.github.io/pigallery2/">pigallery2</a></li> </ul> <p>Ones I listed as tolerable, but not focused on what I need.</p> <ul> <li><a href="https://lycheeorg.github.io/">lychee</a></li> <li><a href="https://github.com/trebonius0/Photato">photato</a></li> <li><a href="http://blog.zx2c4.com/567">PhotoFloat</a> written by the cgit author. He has a large body of good works.</li> </ul> <h3>References</h3> <h4>Weblinks</h4> <ol> <li><a href="http://sigal.saimon.org/en/latest/album_information.html">http://sigal.saimon.org/en/latest/album_information.html</a></li> <li><a href="http://sigal.saimon.org/en/latest/image_information.html">http://sigal.saimon.org/en/latest/image_information.html</a></li> <li><a href="https://thealaskalinuxuser.wordpress.com/2019/07/23/home-photo-server-part-2-apache-phpalbum-and-piwigo/">Home photo server, part 2: Apache, phpAlbum, and Piwigo | thealaskalinuxuser</a> Thealaskalinuxuser's guide to a home photo server with piwigo</li> </ol>gallerygeneratorpythonselinuxsigalstatichttps://bgstack15.ddns.net/blog/posts/2021/02/02/web-gallery-solution/Tue, 02 Feb 2021 13:43:54 GMTMy experience with certbot on CentOS 8https://bgstack15.ddns.net/blog/posts/2021/01/09/my-experience-with-certbot-on-centos-8/bgstack15<p>I finally bit the bullet and set up Let's Encrypt for myself. The certbot instructions say to use a snap, but that is a hard negative for my environment. Thankfully, CentOS 8 has the certbot package from epel! (And don't hate on me! I had installed CentOS 8 about 2 weeks before the <a href="https://lists.centos.org/pipermail/centos-announce/2020-December/048208.html">fateful news</a>.) So I installed certbot, which pulls in some python dependencies.</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">certbot</span> <span class="n">Dependencies</span> <span class="n">resolved</span><span class="o">.</span> <span class="o">======================================================================================================================</span> <span class="n">Package</span> <span class="n">Architecture</span> <span class="n">Version</span> <span class="n">Repository</span> <span class="n">Size</span> <span class="o">======================================================================================================================</span> <span class="n">Installing</span><span class="p">:</span> <span class="n">certbot</span> <span class="n">noarch</span> <span class="mf">1.10</span><span class="o">.</span><span class="mi">1</span><span class="o">-</span><span class="mf">1.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">49</span> <span class="n">k</span> <span class="n">Installing</span> <span class="n">dependencies</span><span class="p">:</span> <span class="n">python3</span><span class="o">-</span><span class="n">acme</span> <span class="n">noarch</span> <span class="mf">1.10</span><span class="o">.</span><span class="mi">1</span><span class="o">-</span><span class="mf">1.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">88</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">certbot</span> <span class="n">noarch</span> <span class="mf">1.10</span><span class="o">.</span><span class="mi">1</span><span class="o">-</span><span class="mf">1.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">387</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">configargparse</span> <span class="n">noarch</span> <span class="mf">0.14</span><span class="o">.</span><span class="mi">0</span><span class="o">-</span><span class="mf">6.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">36</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">josepy</span> <span class="n">noarch</span> <span class="mf">1.2</span><span class="o">.</span><span class="mi">0</span><span class="o">-</span><span class="mf">5.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">95</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">ndg_httpsclient</span> <span class="n">noarch</span> <span class="mf">0.5</span><span class="o">.</span><span class="mi">1</span><span class="o">-</span><span class="mf">4.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">53</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">parsedatetime</span> <span class="n">noarch</span> <span class="mf">2.5</span><span class="o">-</span><span class="mf">1.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">79</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">pyOpenSSL</span> <span class="n">noarch</span> <span class="mf">18.0</span><span class="o">.</span><span class="mi">0</span><span class="o">-</span><span class="mf">1.</span><span class="n">el8</span> <span class="n">appstream</span> <span class="mi">103</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">pyrfc3339</span> <span class="n">noarch</span> <span class="mf">1.1</span><span class="o">-</span><span class="mf">1.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">19</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">requests</span><span class="o">-</span><span class="n">toolbelt</span> <span class="n">noarch</span> <span class="mf">0.9</span><span class="o">.</span><span class="mi">1</span><span class="o">-</span><span class="mf">4.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">91</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">zope</span><span class="o">-</span><span class="n">component</span> <span class="n">noarch</span> <span class="mf">4.3</span><span class="o">.</span><span class="mi">0</span><span class="o">-</span><span class="mf">8.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">313</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">zope</span><span class="o">-</span><span class="n">event</span> <span class="n">noarch</span> <span class="mf">4.2</span><span class="o">.</span><span class="mi">0</span><span class="o">-</span><span class="mf">12.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">210</span> <span class="n">k</span> <span class="n">python3</span><span class="o">-</span><span class="n">zope</span><span class="o">-</span><span class="n">interface</span> <span class="n">x86_64</span> <span class="mf">4.6</span><span class="o">.</span><span class="mi">0</span><span class="o">-</span><span class="mf">1.</span><span class="n">el8</span> <span class="n">epel</span> <span class="mi">158</span> <span class="n">k</span> <span class="n">Transaction</span> <span class="n">Summary</span> <span class="o">======================================================================================================================</span> <span class="n">Install</span> <span class="mi">13</span> <span class="n">Packages</span> </code></pre> <p>I have experience with apache httpd configs, so I wasn't interested in letting certbot do anything to my configs. So I opted for the webroot challenge mechanism, which just adds the challenge files to underneath your <a href="https://httpd.apache.org/docs/2.4/mod/core.html#documentroot">webroot</a> location. Which, I learned, takes a small amount of manual work. Not a biggie, but worth knowing to simplify the process.</p> <pre class="code literal-block"><span></span><code><span class="n">cd</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span> <span class="n">mkdir</span> <span class="o">-</span><span class="n">p</span> <span class="o">.</span><span class="n">well</span><span class="o">-</span><span class="n">known</span><span class="o">/</span><span class="n">acme</span><span class="o">-</span><span class="n">challenge</span> <span class="n">restorecon</span> <span class="o">-</span><span class="n">Rvn</span> <span class="o">.</span><span class="n">well</span><span class="o">-</span><span class="n">known</span> </code></pre> <p>I suppose it might be a good that even with sudo, certbot does not make directories or restore SELinux contexts. But now I was ready to run for real:</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span> <span class="n">certbot</span> <span class="n">certonly</span> <span class="o">--</span><span class="n">webroot</span> <span class="o">-</span><span class="n">w</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">www</span> <span class="o">-</span><span class="n">d</span> <span class="n">www</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> </code></pre> <p>It was fun to watch my apache logs and see the various IP addresses check my acme-challenge responses. It only took 7 seconds before the process was complete and I was issued my certificate!</p> <pre class="code literal-block"><span></span><code> - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.example.com/privkey.pem </code></pre> <p>And now I can configure my httpd confs the way I want to, instead of letting somebody else fiddle with them. And all this because my friends don't know how to trust my root CA cert, let alone actually want to do that.</p> <h2>Operations</h2> <p>I set up my renewal with a shell script and cron.</p> <h2>References</h2> <p>Syntax of automatic command: https://community.letsencrypt.org/t/certonly- enter-a-webroot/27442 https://certbot.eff.org/lets-encrypt/centosrhel7-apache</p>apachecertbothttpdletsencryptselinuxhttps://bgstack15.ddns.net/blog/posts/2021/01/09/my-experience-with-certbot-on-centos-8/Sat, 09 Jan 2021 14:09:07 GMTPlex Activity Logging and Alerting Projecthttps://bgstack15.ddns.net/blog/posts/2020/08/21/plex-activity-logging-and-alerting-project/bgstack15<h3>Overview</h3> <p>Plex media server has the ability to send webhooks when used with a Plex Pass (premium) account. This project documents how to set up a webhook to log and alert on media activity. The design goals include logging all media playing activity (play, stop, pause, resume) on my Plex server, and sending email notifications. Technologies used: apache, shell, selinux, jq, mailx</p> <h3>Architecture</h3> <p>Plex can be configured to point to a webhook, e.g., <strong>http://plex.example.com/cgi-bin/plex-log.cgi</strong>. The webhook file is documented below. The webhook is a script that acts upon the data passed from Plex. The actions include copying important values to different log files, and invoking a separate script that sends an email to the admin.</p> <h3>Involved files</h3> <p>Multiple files are a part of this project.</p> <ul> <li>/var/server1/shares/public/www/cgi-bin/plex-log.cgi</li> <li>/var/server1/shares/public/Support/Systems/server1/var/log/plex-webhook/activity.log</li> <li>/var/server1/shares/public/Support/Systems/server1/var/log/plex-webhook/short.log</li> <li>/usr/local/bin/send-plex-alert.sh</li> <li>/usr/src/selinux/plexlog.te</li> </ul> <h4>Webhook script</h4> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span> <span class="normal">25</span> <span class="normal">26</span> <span class="normal">27</span> <span class="normal">28</span> <span class="normal">29</span> <span class="normal">30</span> <span class="normal">31</span> <span class="normal">32</span> <span class="normal">33</span> <span class="normal">34</span> <span class="normal">35</span> <span class="normal">36</span> <span class="normal">37</span> <span class="normal">38</span> <span class="normal">39</span> <span class="normal">40</span> <span class="normal">41</span> <span class="normal">42</span> <span class="normal">43</span> <span class="normal">44</span> <span class="normal">45</span> <span class="normal">46</span> <span class="normal">47</span> <span class="normal">48</span> <span class="normal">49</span> <span class="normal">50</span> <span class="normal">51</span> <span class="normal">52</span> <span class="normal">53</span> <span class="normal">54</span> <span class="normal">55</span> <span class="normal">56</span> <span class="normal">57</span> <span class="normal">58</span> <span class="normal">59</span> <span class="normal">60</span> <span class="normal">61</span> <span class="normal">62</span> <span class="normal">63</span> <span class="normal">64</span> <span class="normal">65</span> <span class="normal">66</span> <span class="normal">67</span> <span class="normal">68</span> <span class="normal">69</span> <span class="normal">70</span> <span class="normal">71</span> <span class="normal">72</span> <span class="normal">73</span> <span class="normal">74</span> <span class="normal">75</span> <span class="normal">76</span> <span class="normal">77</span> <span class="normal">78</span> <span class="normal">79</span> <span class="normal">80</span> <span class="normal">81</span> <span class="normal">82</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1"># File: server1:/var/server1/shares/public/www/cgi-bin/plex-log.cgi</span> <span class="c1"># License: CC-BY-SA 4.0</span> <span class="c1"># Author: bgstack15</span> <span class="c1"># Startdate: 2020-08-06 07:55</span> <span class="c1"># Title: Logging Webhook for Plex</span> <span class="c1"># Project: Plex Activity Logging and Alerting Project</span> <span class="c1"># History:</span> <span class="c1"># References:</span> <span class="c1"># send from bgscripts</span> <span class="c1"># /posts/2017/08/05/send-authenticated-gmail-from-cli-with-mailx/</span> <span class="c1"># Not sure which mail I have https://unix.stackexchange.com/questions/15405/how-do-i-send-html-email-using-linux-mail-command/15463#15463</span> <span class="c1"># Related files:</span> <span class="c1"># /usr/local/bin/send-plex-alert.sh</span> <span class="c1"># Improve:</span> <span class="c1"># Dependencies:</span> <span class="c1"># /usr/local/bin/send-plex-alert.sh</span> <span class="c1"># Webhook functionality of Plex with a Plex Pass account</span> <span class="c1"># apache cgi capability</span> <span class="c1"># Documentation:</span> <span class="c1"># /mnt/public/Support/Programs/Plex/webhooks/palap-readme.md</span> <span class="nv">LOGFILE</span><span class="o">=</span>/var/server1/shares/public/Support/Systems/server1/var/log/plex-webhook/activity.log <span class="nv">LOGFILESHORT</span><span class="o">=</span>/var/server1/shares/public/Support/Systems/server1/var/log/plex-webhook/short.log <span class="nv">VERBOSE</span><span class="o">=</span><span class="m">0</span> <span class="c1"># set to anything to display extra things</span> <span class="nv">ALERT_ON_EVENTS</span><span class="o">=</span><span class="s2">"play:stop:pause:resume"</span> <span class="c1"># options include play stop resume pause, colon separated</span> <span class="nv">NOW</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> date -u <span class="s2">"+%FT%TZ"</span> <span class="k">)</span><span class="s2">"</span> <span class="nv">TMPFILE1</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> mktemp <span class="k">)</span><span class="s2">"</span> <span class="nv">TMPFILE2</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> mktemp <span class="k">)</span><span class="s2">"</span> <span class="nv">TMPFILE3</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> mktemp <span class="k">)</span><span class="s2">"</span> <span class="nb">printf</span> <span class="s2">"%s\n\n"</span> <span class="s2">"Content-type: text/html"</span> <span class="nb">echo</span> <span class="s2">"&lt;html&gt;&lt;head&gt;&lt;title&gt;Plex webhook&lt;/title&gt;"</span> <span class="nb">echo</span> <span class="s2">"&lt;/head&gt;&lt;body&gt;"</span> <span class="nb">echo</span> <span class="s2">"&lt;pre&gt;"</span> cat &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE1</span><span class="si">}</span><span class="s2">"</span> <span class="nv">boundary</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">${</span><span class="nv">CONTENT_TYPE</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> awk <span class="s1">'{print $2}'</span> <span class="p">|</span> awk -F<span class="s1">'='</span> <span class="s1">'{print $2}'</span> <span class="k">)</span><span class="s2">"</span> <span class="o">{</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">VERBOSE</span><span class="si">}</span><span class="s2">"</span> -gt <span class="m">0</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">printf</span> <span class="s2">"%s\n"</span> <span class="s2">""</span> &gt;&gt; <span class="s2">"</span><span class="si">${</span><span class="nv">LOGFILE</span><span class="si">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"REQUEST-START: </span><span class="si">${</span><span class="nv">NOW</span><span class="si">}</span><span class="s2">"</span> env <span class="nb">set</span> <span class="nb">echo</span> <span class="s2">"BEGIN RAW"</span> <span class="o">}</span> sed -r -e <span class="s2">"s/-*</span><span class="si">${</span><span class="nv">boundary</span><span class="si">}</span><span class="s2">-*/\n/g;"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE1</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> tee <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE2</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> <span class="se">\</span> <span class="o">{</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">VERBOSE</span><span class="si">}</span><span class="s2">"</span> -gt <span class="m">0</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> cat <span class="p">;</span> <span class="o">}</span> <span class="o">||</span> <span class="o">{</span> cat &gt;/dev/null <span class="p">;</span> <span class="o">}</span> <span class="o">}</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">VERBOSE</span><span class="si">}</span><span class="s2">"</span> -gt <span class="m">0</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"END RAW"</span> <span class="nb">echo</span> <span class="s2">"BEGIN JQ"</span> <span class="o">}</span> <span class="nv">json</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> grep -aE <span class="s2">"^.{0,4}\"event\""</span> <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE2</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> jq -c <span class="s2">". += {timestamp: \"</span><span class="si">${</span><span class="nv">NOW</span><span class="si">}</span><span class="s2">\", useragent: \"</span><span class="si">${</span><span class="nv">HTTP_USER_AGENT</span><span class="si">}</span><span class="s2">\" }"</span> <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="k">)</span><span class="s2">"</span> <span class="c1"># full json for log</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">${</span><span class="nv">json</span><span class="si">}</span><span class="s2">"</span> <span class="c1"># send truncated json to mail account for alerts</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">${</span><span class="nv">json</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> jq <span class="s1">'{timestamp: .timestamp, event: .event, user: .Account.title, player: .Player.title, ipAddress: .Player.publicAddress, file: {type: .Metadata.type, title: .Metadata.title, parentTitle: .Metadata.parentTitle, grandparentTitle: .Metadata.grandparentTitle } }'</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE3</span><span class="si">}</span><span class="s2">"</span> <span class="c1"># log to short log and send email only if it has contents</span> <span class="nb">printf</span> <span class="s2">"%s"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">json</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> grep -qE <span class="s1">'.'</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> cat <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE3</span><span class="si">}</span><span class="s2">"</span> &gt;&gt; <span class="s2">"</span><span class="si">${</span><span class="nv">LOGFILESHORT</span><span class="si">}</span><span class="s2">"</span> <span class="c1"># only alert if it matches. This syntax relies on the event syntax from Plex to be "media.play" or "media.stop" et al.</span> <span class="nv">alert_regex</span><span class="o">=</span><span class="s2">"(media\.)</span><span class="k">$(</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">${</span><span class="nv">ALERT_ON_EVENTS</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> sed -r -e <span class="s1">'s/^://g;'</span> -e <span class="s1">'s/:$//g;'</span> -e <span class="s1">'s/:+/|/g;'</span> <span class="k">)</span><span class="s2">"</span> <span class="k">if</span> grep -qE <span class="s2">"</span><span class="si">${</span><span class="nv">alert_regex</span><span class="si">}</span><span class="s2">"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE3</span><span class="si">}</span><span class="s2">"</span> <span class="p">;</span> <span class="k">then</span> <span class="c1"># magic to get fixed-width font in gmail by using html pre tags</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"&lt;html&gt;&lt;body&gt;&lt;pre&gt;"</span> <span class="p">;</span> cat <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE3</span><span class="si">}</span><span class="s2">"</span> <span class="p">;</span> <span class="nb">echo</span> <span class="s2">"&lt;/pre&gt;&lt;/html&gt;&lt;/body&gt;"</span> <span class="p">;</span> <span class="o">}</span> <span class="p">|</span> <span class="nv">mailsubject</span><span class="o">=</span><span class="s2">"Media activity</span> <span class="s2">Content-Type: text/html"</span> /usr/local/bin/send-plex-alert.sh STDIN <span class="k">else</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">VERBOSE</span><span class="si">}</span><span class="s2">"</span> -gt <span class="m">0</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"SKIPPING EMAIL because event does not match </span><span class="si">${</span><span class="nv">ALERT_ON_EVENTS</span><span class="si">}</span><span class="s2">"</span> <span class="o">}</span> <span class="k">fi</span> <span class="o">}</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">VERBOSE</span><span class="si">}</span><span class="s2">"</span> -gt <span class="m">0</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"END JQ"</span> <span class="nb">echo</span> <span class="s2">"REQUEST-STOP: </span><span class="si">${</span><span class="nv">NOW</span><span class="si">}</span><span class="s2">"</span> <span class="o">}</span> <span class="o">}</span> <span class="p">|</span> tee -a <span class="s2">"</span><span class="si">${</span><span class="nv">LOGFILE</span><span class="si">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"&lt;/pre&gt;"</span> <span class="nb">echo</span> <span class="s2">"&lt;/body&gt;&lt;/html&gt;"</span> <span class="c1"># clean up</span> rm -f <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE1</span><span class="si">}</span><span class="s2">"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE2</span><span class="si">}</span><span class="s2">"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">TMPFILE3</span><span class="si">}</span><span class="s2">"</span> </code></pre> </td></tr></table> <p>The above webhook script contains its own comments. The <strong>VERBOSE</strong> attribute can be set to a non-zero amount (usually <strong>1</strong> ) to log much more information useful for debugging. Attribute <strong>ALERT_ON_EVENTS</strong> is a colon-separated list of event types passed from Plex that should trigger an email to the admin. This syntax depends on Plex's syntax not changing. The two log files are configured in the main webhook script. The LOGFILE contains the verbose logging (if enabled) and the full json object from Plex. The LOGFILESHORT contains the trimmed contents that will be used for the email.</p> <h4>Email script</h4> <p>A separate script holds the logic to send the email, file <strong>/usr/local/bin/send-plex-alert.sh</strong>.</p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span> <span class="normal">25</span> <span class="normal">26</span> <span class="normal">27</span> <span class="normal">28</span> <span class="normal">29</span> <span class="normal">30</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1"># File: send-plex-alert.sh</span> <span class="c1"># Project: Plex Activity Logging and Alerting Project</span> <span class="c1"># startdate: 2020-08-07 17:21</span> <span class="c1"># Documentation:</span> <span class="c1"># this one worked, but took a while, probably due to ISP smtp relay delay. echo "echo juliet oscar 10" | mailx -S 'from="bgstack15@ipa.example.com"' -S "Subject line" bgstack15@gmail.com ; echo $?</span> <span class="c1"># worked immediately: echo "hotel whiskey zulu 14" | mailx -v -S "Another thread here" -S smtp-use-starttls -S ssl-verify=ignore -S smtp-auth=login -S smtp=smtp://smtp.gmail.com:587 -S from="B Stack &lt;bgstack15@gmail.com&gt;" -S smtp-auth-user="bgstack15@gmail.com" -S smtp-auth-password='FIXME' -S nss-config-dir=/etc/pki/nssdb/ bgstack15@gmail.com</span> <span class="c1"># Improve:</span> <span class="c1"># learn how to use a custom MAILRC env var which holds the "set smtp-user-password=" contents</span> <span class="c1"># Dependencies:</span> <span class="c1"># mailx (mailx-12.5-19.el7.x86_64 @base)</span> <span class="c1"># Google account security set to allow "insecure apps" or similar https://support.google.com/accounts/answer/6010255?authuser=2&amp;p=lsa_blocked&amp;hl=en&amp;authuser=2&amp;visit_id=637324418441299012-2559162990&amp;rd=1</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">mailmessage</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">mailmessage</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">1</span><span class="si">}</span><span class="s2">"</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">mailmessage</span><span class="si">}</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"STDIN"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">mailmessage</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span> cat <span class="m">2</span>&gt;/dev/null <span class="k">)</span><span class="s2">"</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">mailuser</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">mailuser</span><span class="o">=</span><span class="s2">"bgstack15@gmail.com"</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">mailpassword</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">mailpassword</span><span class="o">=</span><span class="s1">'SUPERSAFESTRING;'</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">mailfrom</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">mailfrom</span><span class="o">=</span><span class="s2">"Plex activity &lt;bgstack15@gmail.com&gt;"</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">mailsubject</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">mailsubject</span><span class="o">=</span><span class="s2">"Media activity"</span> <span class="nb">test</span> -z <span class="s2">"</span><span class="si">${</span><span class="nv">mailto</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">export</span> <span class="nv">mailto</span><span class="o">=</span>bgstack15@gmail.com <span class="nb">printf</span> <span class="s2">"%s\n"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">mailmessage</span><span class="si">}</span><span class="s2">"</span> <span class="p">|</span> mailx -s <span class="s2">"</span><span class="si">${</span><span class="nv">mailsubject</span><span class="si">}</span><span class="s2">"</span> <span class="se">\</span> -S smtp-use-starttls <span class="se">\</span> -S ssl-verify<span class="o">=</span>ignore <span class="se">\</span> -S <span class="nv">smtp</span><span class="o">=</span>smtp://smtp.gmail.com:587 <span class="se">\</span> -S smtp-auth<span class="o">=</span>login <span class="se">\</span> -S <span class="nv">from</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">mailfrom</span><span class="si">}</span><span class="s2">"</span> <span class="se">\</span> -S smtp-auth-user<span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">mailuser</span><span class="si">}</span><span class="s2">"</span> <span class="se">\</span> -S smtp-auth-password<span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">mailpassword</span><span class="si">}</span><span class="s2">"</span> <span class="se">\</span> -S nss-config-dir<span class="o">=</span>/etc/pki/nssdb <span class="se">\</span> <span class="s2">"</span><span class="si">${</span><span class="nv">mailto</span><span class="si">}</span><span class="s2">"</span> </code></pre> </td></tr></table> <h4>SELinux policy</h4> <p>To use the webhook script and mail script with SELinux enforcing, you need to add a custom policy. File /usr/src/selinux/plexlog.te contains the uncompiled policy.</p> <pre class="code literal-block"><span></span><code><span class="c1"># File: /usr/src/selinux/plexlog.te</span> <span class="c1"># Startdate: 2020-08-07 20:45</span> <span class="c1"># Title: SELinux policy to allow webhook to send email</span> <span class="c1"># Project: Plex Activity Logging and Alerting Project</span> <span class="n">module</span> <span class="n">plexlog</span> <span class="mf">1.0</span><span class="p">;</span> <span class="n">require</span> <span class="p">{</span> <span class="n">type</span> <span class="n">httpd_sys_script_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">init_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">httpd_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">smtp_port_t</span><span class="p">;</span> <span class="n">type</span> <span class="n">var_t</span><span class="p">;</span> <span class="k">class</span> <span class="n">process</span> <span class="p">{</span> <span class="n">noatsecure</span> <span class="n">rlimitinh</span> <span class="n">siginh</span> <span class="p">};</span> <span class="k">class</span> <span class="n">unix_stream_socket</span> <span class="p">{</span> <span class="n">read</span> <span class="n">write</span> <span class="p">};</span> <span class="k">class</span> <span class="n">capability</span> <span class="n">net_admin</span><span class="p">;</span> <span class="k">class</span> <span class="n">file</span> <span class="p">{</span> <span class="n">append</span> <span class="n">execute</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="k">class</span> <span class="n">tcp_socket</span> <span class="n">name_connect</span><span class="p">;</span> <span class="p">}</span> <span class="c1">#============= httpd_sys_script_t ==============</span> <span class="c1">#!!!! WARNING: 'var_t' is a base type.</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">var_t</span><span class="p">:</span><span class="n">file</span> <span class="p">{</span> <span class="n">append</span> <span class="n">execute</span> <span class="n">getattr</span> <span class="n">open</span> <span class="n">read</span> <span class="p">};</span> <span class="c1">#!!!! This avc can be allowed using one of the these booleans:</span> <span class="c1"># httpd_can_network_connect, nis_enabled</span> <span class="n">allow</span> <span class="n">httpd_sys_script_t</span> <span class="n">smtp_port_t</span><span class="p">:</span><span class="n">tcp_socket</span> <span class="n">name_connect</span><span class="p">;</span> <span class="c1">#============= httpd_t ==============</span> <span class="n">allow</span> <span class="n">httpd_t</span> <span class="n">httpd_sys_script_t</span><span class="p">:</span><span class="n">process</span> <span class="p">{</span> <span class="n">noatsecure</span> <span class="n">rlimitinh</span> <span class="n">siginh</span> <span class="p">};</span> <span class="n">allow</span> <span class="n">httpd_t</span> <span class="bp">self</span><span class="p">:</span><span class="n">capability</span> <span class="n">net_admin</span><span class="p">;</span> </code></pre> <p>To use this policy, you need to compile and install it.</p> <pre class="code literal-block"><span></span><code>sudo checkmodule -M -m -o plexlog.mod plexlog.te &amp;&amp; sudo semodule_package -o plexlog.pp -m plexlog.mod &amp;&amp; sudo semodule -i plexlog.pp </code></pre> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="https://bgstack15.ddns.net/blog/posts/2020/08/05/running-starbound-server-on-centos-7/">Running Starbound server on CentOS 7</a></li> <li><a href="https://ozsoyler.blogspot.com/2018/10/how-to-setupconfigureuse-mailx-for.html">Technical Notes: How to setup/configure/use mailx for Office365 account?</a></li> </ol>logmailplexselinuxhttps://bgstack15.ddns.net/blog/posts/2020/08/21/plex-activity-logging-and-alerting-project/Fri, 21 Aug 2020 12:51:02 GMTRun init script as SELinux type other than initrc_thttps://bgstack15.ddns.net/blog/posts/2019/10/03/run-init-script-as-selinux-type-other-than-initrc_t/bgstack15<p>To run a custom init script as SELinux context other than initrc_t, you can use an SELinux policy that adds a new type for you to use.</p> <pre class="code literal-block"><span></span><code><span class="c1"># Filename: general-local.te</span><span class="w"></span> <span class="c1"># License: CC-BY-SA 4.0</span><span class="w"></span> <span class="c1"># Author: bgstack15</span><span class="w"></span> <span class="c1"># Startdate: 2019-09-19 16:45</span><span class="w"></span> <span class="c1"># Title: SELinux Policy for Custom Process Types from Init Scripts</span><span class="w"></span> <span class="c1"># Purpose: SELinux policy to allow an init script to run a process as a selinux type other than initrc_t</span><span class="w"></span> <span class="c1"># History:</span><span class="w"></span> <span class="c1"># Usage:</span><span class="w"></span> <span class="c1"># When installed, you can run the following command to have the daemon process transition to type unconfined_t:</span><span class="w"></span> <span class="c1"># chcon -t 'local_initrc_exec_t' /etc/init.d/myscript</span><span class="w"></span> <span class="c1"># Reference:</span><span class="w"></span> <span class="c1"># liberal use of tail -n45000 /var/log/audit/audit.log | audit2allow</span><span class="w"></span> <span class="c1"># https://selinuxproject.org/page/ObjectClassesPerms#filesystem</span><span class="w"></span> <span class="c1"># http://www.cse.psu.edu/~trj1/cse543-f07/slides/03-PolicyConcepts.pdf</span><span class="w"></span> <span class="c1"># http://www.billauer.co.il/selinux-policy-module-howto.html</span><span class="w"></span> <span class="c1"># https://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types</span><span class="w"></span> <span class="c1"># https://wiki.centos.org/HowTos/SELinux</span><span class="w"></span> <span class="c1"># /posts/2018/02/13/logrotate-audit-log-selinux-cron-and-ansible/</span><span class="w"></span> <span class="c1"># Improve:</span><span class="w"></span> <span class="c1"># Documentation:</span><span class="w"></span> <span class="c1"># Change an init script to context local_initrc_exec_t and then the process will transition to unconfined_t which of course is insecure, but it satisfies the scan that is looking for daemons running as initrc_t.</span><span class="w"></span> <span class="n">module</span><span class="w"> </span><span class="n">general</span><span class="o">-</span><span class="n">local</span><span class="w"> </span><span class="mf">1.0</span><span class="p">;</span><span class="w"></span> <span class="n">require</span><span class="w"> </span><span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">fs_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">initrc_exec_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">init_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">unconfined_t</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">append</span><span class="w"> </span><span class="n">create</span><span class="w"> </span><span class="n">entrypoint</span><span class="w"> </span><span class="n">execmod</span><span class="w"> </span><span class="n">execute</span><span class="w"> </span><span class="n">execute_no_trans</span><span class="w"> </span><span class="n">getattr</span><span class="w"> </span><span class="n">ioctl</span><span class="w"> </span><span class="n">link</span><span class="w"> </span><span class="n">lock</span><span class="w"> </span><span class="n">mounton</span><span class="w"> </span><span class="n">open</span><span class="w"> </span><span class="n">quotaon</span><span class="w"> </span><span class="n">read</span><span class="w"> </span><span class="n">relabelfrom</span><span class="w"> </span><span class="n">relabelto</span><span class="w"> </span><span class="n">rename</span><span class="w"> </span><span class="n">setattr</span><span class="w"> </span><span class="n">swapon</span><span class="w"> </span><span class="n">unlink</span><span class="w"> </span><span class="n">write</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">filesystem</span><span class="w"> </span><span class="n">associate</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">unconfined</span><span class="w"> </span><span class="n">transition</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">start</span><span class="w"> </span><span class="n">status</span><span class="w"> </span><span class="p">};</span><span class="w"></span> <span class="p">}</span><span class="w"></span> <span class="n">type</span><span class="w"> </span><span class="n">local_initrc_exec_t</span><span class="p">;</span><span class="w"></span> <span class="n">type_transition</span><span class="w"> </span><span class="n">init_t</span><span class="w"> </span><span class="n">local_initrc_exec_t</span><span class="p">:</span><span class="n">process</span><span class="w"> </span><span class="n">unconfined_t</span><span class="w"> </span><span class="p">;</span><span class="w"></span> <span class="c1">#============= init_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">init_t</span><span class="w"> </span><span class="n">local_initrc_exec_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="o">*</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">init_t</span><span class="w"> </span><span class="n">unconfined_t</span><span class="p">:</span><span class="n">process</span><span class="w"> </span><span class="n">transition</span><span class="p">;</span><span class="w"></span> <span class="c1">#============= local_initrc_exec_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">local_initrc_exec_t</span><span class="w"> </span><span class="n">fs_t</span><span class="p">:</span><span class="n">filesystem</span><span class="w"> </span><span class="n">associate</span><span class="p">;</span><span class="w"></span> <span class="c1">#============= unconfined_t ==============</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">unconfined_t</span><span class="w"> </span><span class="n">local_initrc_exec_t</span><span class="p">:</span><span class="n">file</span><span class="w"> </span><span class="o">*</span><span class="p">;</span><span class="w"></span> <span class="n">allow</span><span class="w"> </span><span class="n">unconfined_t</span><span class="w"> </span><span class="n">local_initrc_exec_t</span><span class="p">:</span><span class="n">service</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">start</span><span class="w"> </span><span class="n">status</span><span class="w"> </span><span class="p">};</span><span class="w"></span> </code></pre> <p>To compile and install this module, you can run the following oneliner.</p> <pre class="code literal-block"><span></span><code>checkmodule -M -m -o general_local.mod general_local.te &amp;&amp; semodule_package -m general_local.mod -o general_local.pp &amp;&amp; semodule -v -i general_local.pp </code></pre> <p>Should you run daemons as unconfined_t? Of course not. But it's different than running it as initrc_t.</p> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="https://selinuxproject.org/page/ObjectClassesPerms#filesystem">ObjectClassesPerms - SELinux Wiki</a></li> <li><a href="http://www.cse.psu.edu/~trj1/cse543-f07/slides/03-PolicyConcepts.pdf">SELinux Policy Concepts and Overview: Security Policy Development Primer for Security Enhanced Linux</a></li> <li><a href="http://www.billauer.co.il/selinux-policy-module-howto.html">Writing a targeted policy module for SELinux (howto tutorial slides)</a></li> <li><a href="https://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types">PackagingDrafts/SELinux - Fedora Project Wiki#Creating_new_types</a></li> <li><a href="https://wiki.centos.org/HowTos/SELinux">HowTos/SELinux - CentOS Wiki</a></li> <li><a href="https://bgstack15.ddns.net/blog/posts/2018/02/13/logrotate-audit-log-selinux-cron-and-ansible/">Logrotate, audit.log, selinux, cron, and ansible | Knowledge Base</a></li> </ol>hackinitonelinerselinuxhttps://bgstack15.ddns.net/blog/posts/2019/10/03/run-init-script-as-selinux-type-other-than-initrc_t/Thu, 03 Oct 2019 12:45:46 GMTLogrotate, audit.log, selinux, cron, and ansiblehttps://bgstack15.ddns.net/blog/posts/2018/02/13/logrotate-audit-log-selinux-cron-and-ansible/bgstack15<h2>The story</h2> <p>The disk space for /var/log/audit/audit.log tends to get filled up. The <a href="https://linux.die.net/man/8/auditd">audit daemon</a> has an ability to rotate its own logs. See the man page for <a href="https://linux.die.net/man/8/auditd.conf">auditd.conf</a>.</p> <pre class="code literal-block"><span></span><code>max_log_file = 100 max_log_file_action = rotate </code></pre> <p>That's swell and all, until you realize that auditd cannot compress its rotated logs. On a small /var/log/audit mount point, you'll fill it up with uncompressed logs.</p> <pre class="code literal-block"><span></span><code><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">mapper</span><span class="o">/</span><span class="n">os</span><span class="o">-</span><span class="n">var_log_audit</span> <span class="mi">2490</span><span class="n">M</span> <span class="mi">2136</span><span class="n">M</span> <span class="mi">355</span><span class="n">M</span> <span class="mi">86</span><span class="o">%</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span> </code></pre> <p>So on a RHEL7 system with logrotate, you can adjust logrotate to handle the audit.log file. Now, logrotate is a finicky application. It has caused me many hours of grief in the past. You would want to set auditd.conf a certain way:</p> <pre class="code literal-block"><span></span><code>max_log_file = 0 max_log_file_action = ignore </code></pre> <p>And set /etc/logrotate.d/audit:</p> <pre class="code literal-block"><span></span><code><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/*.</span><span class="n">log</span> <span class="p">{</span> <span class="n">weekly</span> <span class="n">missingok</span> <span class="n">compress</span> <span class="c1">#copytruncate</span> <span class="n">rotate</span> <span class="mi">30</span> <span class="n">minsize</span> <span class="mi">100</span><span class="n">k</span> <span class="n">maxsize</span> <span class="mi">200</span><span class="n">M</span> <span class="n">postrotate</span> <span class="n">touch</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="o">||</span><span class="p">:</span> <span class="n">chmod</span> <span class="mi">0600</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="o">||</span><span class="p">:</span> <span class="n">service</span> <span class="n">auditd</span> <span class="n">restart</span> <span class="n">endscript</span> <span class="p">}</span> </code></pre> <p>And ensure you've got a /etc/cron.weekly/logrotate:</p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span> <span class="normal">2</span> <span class="normal">3</span> <span class="normal">4</span> <span class="normal">5</span> <span class="normal">6</span> <span class="normal">7</span> <span class="normal">8</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> /usr/sbin/logrotate /etc/logrotate.conf <span class="nv">EXITVALUE</span><span class="o">=</span><span class="nv">$?</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$EXITVALUE</span> !<span class="o">=</span> <span class="m">0</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> /usr/bin/logger -t logrotate <span class="s2">"ALERT exited abnormally with [</span><span class="nv">$EXITVALUE</span><span class="s2">]"</span> <span class="k">fi</span> <span class="nb">exit</span> <span class="m">0</span> </code></pre> </td></tr></table> <p>After a few days, I learned that my logs were getting filled up so fast, the weekly rotation wasn't good enough. So I had to place it in my cron.hourly. And then I learned that it wasn't running every hour. I spent a few days investigating, and eventually learned that some systems use a specific status file for logrotate. I remember in the past logrotate needs an execution with a -f flag to force the rotation the first time and add a new file to the status file. So if a new file was never force-rotated, it won't be added to the status file. My manual logrotate -f command was indeed adding my audit.log log file to the status file, but to the wrong one! Some of my systems use -s /var/lib/logrotate/logrotate.status but the default is /var/lib/logrotate.status. So I had to reflect that in my ansible playbook. Actually, I had to write some logic to find the one used by the cronjob and then use that status file. So I got the correct logrotate status file set up in the ansible playbook. I spent the next week figuring out that logrotate simply couldn't rotate the file when called from cron. I piped the utility to tee, and also included the -v flag on logrotate. I saw a permission denied. With the permission issue, I had no choices left by selinux. I had to use the audit.log file to determine that the audit.log file is not readable by logrotate when called by cron. I finally set captured all the actions performed by logrotate by setting the selinux process context to be permissive:</p> <pre class="code literal-block"><span></span><code><span class="n">semanage</span> <span class="n">permissive</span> <span class="o">-</span><span class="n">a</span> <span class="n">logrotate_t</span> <span class="n">I</span> <span class="n">let</span> <span class="n">it</span> <span class="n">run</span><span class="p">,</span> <span class="ow">and</span> <span class="n">then</span> <span class="n">had</span> <span class="n">to</span> <span class="n">collect</span> <span class="n">all</span> <span class="n">the</span> <span class="n">actions</span> <span class="n">it</span> <span class="n">performed</span><span class="p">,</span> <span class="ow">and</span> <span class="n">saw</span> <span class="n">what</span> <span class="n">had</span> <span class="n">happened</span><span class="o">.</span> <span class="p">{</span> <span class="n">grep</span> <span class="n">logrotate</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="p">;</span> <span class="n">zgrep</span> <span class="n">logrotate</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="mf">1.</span><span class="n">gz</span> <span class="p">;</span> <span class="p">}</span> <span class="o">|</span> <span class="n">audit2why</span> </code></pre> <p>So I used audit2allow to convert it to an selinux policy.</p> <pre class="code literal-block"><span></span><code><span class="p">{</span> <span class="n">grep</span> <span class="n">logrotate</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="p">;</span> <span class="n">zgrep</span> <span class="n">logrotate</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="mf">1.</span><span class="n">gz</span> <span class="p">;</span> <span class="p">}</span> <span class="o">|</span> <span class="n">audit2allow</span> <span class="o">-</span><span class="n">M</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span> </code></pre> <p>And then after some searching online, I learned how I can keep the text definition file, and compile the policy from it when I need to:</p> <pre class="code literal-block"><span></span><code><span class="n">grep</span> <span class="n">logrotate</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="o">|</span> <span class="n">audit2allow</span> <span class="o">-</span><span class="n">m</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span> <span class="c1"># saves to logrotate-audit.te</span> <span class="n">checkmodule</span> <span class="o">-</span><span class="n">M</span> <span class="o">-</span><span class="n">m</span> <span class="o">-</span><span class="n">o</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span><span class="o">.</span><span class="n">mod</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span><span class="o">.</span><span class="n">te</span> <span class="c1"># intermediate step</span> <span class="n">semodule_package</span> <span class="o">-</span><span class="n">o</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span><span class="o">.</span><span class="n">pp</span> <span class="o">-</span><span class="n">m</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span><span class="o">.</span><span class="n">mod</span> <span class="c1"># compiled policy</span> <span class="n">semodule</span> <span class="o">-</span><span class="n">i</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span><span class="o">.</span><span class="n">pp</span> </code></pre> <p>The text definition of logrotate-audit policy:</p> <pre class="code literal-block"><span></span><code><span class="p">#</span><span class="nn">semodule</span> <span class="nt">-i</span> <span class="nt">logrotate-audit</span><span class="p">.</span><span class="nc">pp</span> <span class="nt">module</span> <span class="nt">logrotate-audit</span> <span class="nt">1</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span> <span class="nt">require</span> <span class="p">{</span> <span class="err">type</span> <span class="err">auditd_etc_t</span><span class="p">;</span> <span class="err">type</span> <span class="err">logrotate_t</span><span class="p">;</span> <span class="err">type</span> <span class="err">auditd_log_t</span><span class="p">;</span> <span class="err">class</span> <span class="err">file</span> <span class="err">{</span> <span class="err">create</span> <span class="err">getattr</span> <span class="err">ioctl</span> <span class="err">open</span> <span class="err">read</span> <span class="err">rename</span> <span class="err">setattr</span> <span class="err">unlink</span> <span class="err">write</span> <span class="p">}</span><span class="o">;</span> <span class="nt">class</span> <span class="nt">dir</span> <span class="p">{</span> <span class="err">add_name</span> <span class="err">read</span> <span class="err">remove_name</span> <span class="err">write</span> <span class="p">}</span><span class="o">;</span> <span class="err">}</span> <span class="err">#</span><span class="o">=============</span> <span class="nt">logrotate_t</span> <span class="o">==============</span> <span class="nt">allow</span> <span class="nt">logrotate_t</span> <span class="nt">auditd_etc_t</span><span class="p">:</span><span class="nd">file</span> <span class="nt">getattr</span><span class="o">;</span> <span class="nt">allow</span> <span class="nt">logrotate_t</span> <span class="nt">auditd_log_t</span><span class="p">:</span><span class="nd">dir</span> <span class="p">{</span> <span class="err">read</span> <span class="err">write</span> <span class="err">add_name</span> <span class="err">remove_name</span> <span class="p">}</span><span class="o">;</span> <span class="nt">allow</span> <span class="nt">logrotate_t</span> <span class="nt">auditd_log_t</span><span class="p">:</span><span class="nd">file</span> <span class="p">{</span> <span class="err">create</span> <span class="err">ioctl</span> <span class="err">open</span> <span class="err">read</span> <span class="err">rename</span> <span class="err">getattr</span> <span class="err">setattr</span> <span class="err">unlink</span> <span class="err">write</span> <span class="p">}</span><span class="o">;</span> </code></pre> <p>Now, I wrote a master ansible playbook that performs this whole operation, from loading the .te file and compiling it and installing it, to setting logrotate to watch the audit file, and telling auditd to ignore rotating it. <strong>Note</strong> : It is outside the scope of this task to ensure that the selinux tools are in place on each server. My environment already ensures package libselinux-python is present on each system, which should bring in all the dependencies of this ansible playbook.</p> <pre class="code literal-block"><span></span><code><span class="o">---</span> <span class="c1"># File: /etc/ansible/books/fix_var-log-audit.yml</span> <span class="c1"># Author: bgstack15</span> <span class="c1"># Startdate: 2018-01-24</span> <span class="c1"># Title: Playbook that Fixes the /var/log/audit Space Issue</span> <span class="c1"># Purpose: Logical Disk Free Space is too low</span> <span class="c1"># History:</span> <span class="c1"># Usage:</span> <span class="c1"># ansible-playbook -i /etc/ansible/inv/hosts /etc/ansible/configuration/fix_var-log-audit.yml -l hostwithproblem201</span> <span class="c1"># Use the -l host1,host2 parameter.</span> <span class="c1"># Reference:</span> <span class="c1"># roles/general_conf/tasks/04_selinux.yml</span> <span class="c1"># roles/general_conf/tasks/05_auditd.yml</span> <span class="c1"># Improve:</span> <span class="c1"># Documentation:</span> <span class="c1"># The intention with auditd is to minimize the disk usage of the logs</span> <span class="o">-</span> <span class="n">hosts</span><span class="p">:</span> <span class="n">all</span> <span class="n">remote_user</span><span class="p">:</span> <span class="n">ansible_user</span> <span class="n">become</span><span class="p">:</span> <span class="n">yes</span> <span class="n">vars</span><span class="p">:</span> <span class="n">auditd_conf</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">auditd</span><span class="o">.</span><span class="n">conf</span> <span class="n">auditd_log_cleanup_regex</span><span class="p">:</span> <span class="s1">'.*audit\.log\.[0-9]+'</span> <span class="n">auditd_log_dir</span><span class="p">:</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span> <span class="n">auditd_logrotate_conf</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">logrotate</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">audit</span> <span class="n">tasks</span><span class="p">:</span> <span class="c1"># To make it possible to just drop in files to the files directory and have this module read them automatically, use these two.</span> <span class="c1"># - name: learn full list of semodules available to install, modular list version</span> <span class="c1"># shell: warn=no find /etc/ansible/roles/general_conf/files/selinux/ -regex '.*.te' -printf '%f\n' | sed -r -e 's/\.te$//;'</span> <span class="c1"># register: semodules_list</span> <span class="c1"># changed_when: false</span> <span class="c1"># delegate_to: localhost</span> <span class="c1"># ignore_errors: yes</span> <span class="c1"># - name: learn semodule versions to install, modular list version</span> <span class="c1"># shell: warn=no grep -E '^\s*module\s+{{ item }}\s+[0-9\.]+;\s*$' /etc/ansible/roles/general_conf/files/selinux/{{ item }}.te | awk '{print $3*1000;}'</span> <span class="c1"># register: selinux_pol_versions_target</span> <span class="c1"># changed_when: false</span> <span class="c1"># delegate_to: localhost</span> <span class="c1"># with_items:</span> <span class="c1"># - "{{ semodules_list.stdout_lines }}"</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">learn</span> <span class="n">semodule</span> <span class="n">versions</span> <span class="n">to</span> <span class="n">install</span><span class="p">,</span> <span class="k">static</span> <span class="n">version</span> <span class="n">shell</span><span class="p">:</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s1">'^\s*module\s+{{ item }}\s+[0-9\.]+;\s*$'</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ansible</span><span class="o">/</span><span class="n">templates</span><span class="o">/</span><span class="p">{{</span> <span class="n">item</span> <span class="p">}}</span><span class="o">.</span><span class="n">te</span> <span class="o">|</span> <span class="n">awk</span> <span class="s1">'{print $3*1000;}'</span> <span class="n">register</span><span class="p">:</span> <span class="n">selinux_pol_versions_target</span> <span class="n">changed_when</span><span class="p">:</span> <span class="bp">false</span> <span class="n">delegate_to</span><span class="p">:</span> <span class="n">localhost</span> <span class="n">with_items</span><span class="p">:</span> <span class="o">-</span> <span class="n">logrotate</span><span class="o">-</span><span class="n">audit</span> <span class="c1">#- debug:</span> <span class="c1"># msg: "{{ item.item }} should be {{ item.stdout }}"</span> <span class="c1"># with_items:</span> <span class="c1"># - "{{ selinux_pol_versions_target.results }}"</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">learn</span> <span class="n">current</span> <span class="n">semodule</span> <span class="n">versions</span> <span class="n">shell</span><span class="p">:</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="n">semodule</span> <span class="o">--</span><span class="n">list</span> <span class="o">|</span> <span class="n">awk</span> <span class="s1">'$1=="{{ item.item }}" {print $2*1000} END {print "0";}'</span> <span class="o">|</span> <span class="n">head</span> <span class="o">-</span><span class="n">n1</span> <span class="n">register</span><span class="p">:</span> <span class="n">selinux_pol_versions_current</span> <span class="n">changed_when</span><span class="p">:</span> <span class="bp">false</span> <span class="n">with_items</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"{{ selinux_pol_versions_target.results }}"</span> <span class="o">-</span> <span class="n">debug</span><span class="p">:</span> <span class="n">msg</span><span class="p">:</span> <span class="s2">"{{ item.item.item }} is currently {{ item.stdout }} and should be {{ item.item.stdout }}"</span> <span class="n">with_items</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"{{ selinux_pol_versions_current.results }}"</span> <span class="c1">#- pause:</span> <span class="c1"># prompt: "Does the above look good?........................"</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">download</span> <span class="n">selinux</span> <span class="n">modules</span> <span class="n">that</span> <span class="n">need</span> <span class="n">to</span> <span class="n">be</span> <span class="n">installed</span> <span class="n">copy</span><span class="p">:</span> <span class="n">src</span><span class="p">:</span> <span class="s2">"/etc/ansible/templates/{{ item.item.item }}.te"</span> <span class="n">dest</span><span class="p">:</span> <span class="s2">"/tmp/{{ item.item.item }}.te"</span> <span class="n">mode</span><span class="p">:</span> <span class="mi">0644</span> <span class="n">owner</span><span class="p">:</span> <span class="n">root</span> <span class="n">group</span><span class="p">:</span> <span class="n">root</span> <span class="n">backup</span><span class="p">:</span> <span class="n">no</span> <span class="n">force</span><span class="p">:</span> <span class="n">yes</span> <span class="n">changed_when</span><span class="p">:</span> <span class="bp">false</span> <span class="n">when</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"item.item.stdout &gt; item.stdout"</span> <span class="n">with_items</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"{{ selinux_pol_versions_current.results }}"</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">install</span> <span class="n">selinux</span> <span class="n">modules</span> <span class="n">shell</span><span class="p">:</span> <span class="n">chdir</span><span class="o">=/</span><span class="n">tmp</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">checkmodule</span> <span class="o">-</span><span class="n">M</span> <span class="o">-</span><span class="n">m</span> <span class="o">-</span><span class="n">o</span> <span class="s2">"/tmp/{{ item.item.item }}.mod"</span> <span class="s2">"/tmp/{{ item.item.item }}.te"</span> <span class="o">&amp;&amp;</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">semodule_package</span> <span class="o">-</span><span class="n">m</span> <span class="s2">"/tmp/{{ item.item.item }}.mod"</span> <span class="o">-</span><span class="n">o</span> <span class="s2">"/tmp/{{ item.item.item }}.pp"</span> <span class="o">&amp;&amp;</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">semodule</span> <span class="o">-</span><span class="n">v</span> <span class="o">-</span><span class="n">i</span> <span class="s2">"/tmp/{{ item.item.item }}.pp"</span> <span class="n">when</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"item.item.stdout &gt; item.stdout"</span> <span class="n">with_items</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"{{ selinux_pol_versions_current.results }}"</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">clean</span> <span class="n">any</span> <span class="n">temporary</span> <span class="n">selinux</span> <span class="n">modules</span> <span class="n">files</span> <span class="n">file</span><span class="p">:</span> <span class="n">path</span><span class="p">:</span> <span class="s2">"/tmp/{{ item[0].item.item }}.{{ item[1] }}"</span> <span class="n">state</span><span class="p">:</span> <span class="n">absent</span> <span class="n">changed_when</span><span class="p">:</span> <span class="bp">false</span> <span class="n">when</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"item[0].item.stdout &gt; item[0].stdout"</span> <span class="n">with_nested</span><span class="p">:</span> <span class="o">-</span> <span class="s2">"{{ selinux_pol_versions_current.results }}"</span> <span class="o">-</span> <span class="p">[</span> <span class="s1">'te'</span><span class="p">,</span> <span class="s1">'pp'</span><span class="p">,</span> <span class="s1">'mod'</span> <span class="p">]</span> <span class="c1">##### END SELINUX PORTION</span> <span class="c1"># modify auditd.conf which notifies the handler</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">auditd</span> <span class="n">does</span> <span class="ow">not</span> <span class="n">keep</span> <span class="n">logs</span> <span class="n">lineinfile</span><span class="p">:</span> <span class="n">path</span><span class="p">:</span> <span class="s2">"{{ auditd_conf }}"</span> <span class="n">regexp</span><span class="p">:</span> <span class="s2">"{{ item.r }}"</span> <span class="n">backrefs</span><span class="p">:</span> <span class="n">yes</span> <span class="n">line</span><span class="p">:</span> <span class="s2">"{{ item.l }}"</span> <span class="n">create</span><span class="p">:</span> <span class="n">no</span> <span class="n">state</span><span class="p">:</span> <span class="n">present</span> <span class="n">backup</span><span class="p">:</span> <span class="n">yes</span> <span class="c1">#notify: auditd handler</span> <span class="n">with_items</span><span class="p">:</span> <span class="o">-</span> <span class="p">{</span> <span class="n">r</span><span class="p">:</span> <span class="s1">'^max_log_file_action.*$'</span><span class="p">,</span> <span class="n">l</span><span class="p">:</span> <span class="s1">'max_log_file_action = ignore'</span> <span class="p">}</span> <span class="o">-</span> <span class="p">{</span> <span class="n">r</span><span class="p">:</span> <span class="s1">'^max_log_file\s.*$'</span><span class="p">,</span> <span class="n">l</span><span class="p">:</span> <span class="s1">'max_log_file = 0'</span> <span class="p">}</span> <span class="c1"># tarball and cleanup any existing audit.log.1 files</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">list</span> <span class="n">all</span> <span class="n">old</span> <span class="n">auditd</span> <span class="n">logs</span> <span class="n">which</span> <span class="n">need</span> <span class="n">to</span> <span class="n">be</span> <span class="n">compressed</span> <span class="ow">and</span> <span class="n">cleaned</span> <span class="n">up</span> <span class="n">shell</span><span class="p">:</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="n">find</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">audit</span> <span class="o">-</span><span class="n">regex</span> <span class="p">{{</span> <span class="n">auditd_log_cleanup_regex</span> <span class="p">}}</span> <span class="n">register</span><span class="p">:</span> <span class="n">cleanup_list</span> <span class="n">ignore_errors</span><span class="p">:</span> <span class="n">yes</span> <span class="n">changed_when</span><span class="p">:</span> <span class="n">cleanup_list</span><span class="o">.</span><span class="n">stdout_lines</span> <span class="o">|</span> <span class="n">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">get</span> <span class="n">archive</span> <span class="n">filename</span> <span class="n">shell</span><span class="p">:</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="n">echo</span> <span class="s2">"audit.log.{{ ansible_date_time.epoch }}.tgz"</span> <span class="n">register</span><span class="p">:</span> <span class="n">audit_log_tgz</span> <span class="n">changed_when</span><span class="p">:</span> <span class="n">audit_log_tgz</span><span class="o">.</span><span class="n">stdout_lines</span> <span class="o">|</span> <span class="n">length</span> <span class="o">!=</span> <span class="mi">1</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">touch</span> <span class="n">archive</span> <span class="n">file</span> <span class="n">file</span><span class="p">:</span> <span class="n">path</span><span class="p">:</span> <span class="s2">"{{ auditd_log_dir }}/../{{ audit_log_tgz.stdout }}"</span> <span class="n">state</span><span class="p">:</span> <span class="n">touch</span> <span class="n">owner</span><span class="p">:</span> <span class="n">root</span> <span class="n">group</span><span class="p">:</span> <span class="n">root</span> <span class="n">mode</span><span class="p">:</span> <span class="mi">0600</span> <span class="n">when</span><span class="p">:</span> <span class="n">cleanup_list</span><span class="o">.</span><span class="n">stdout_lines</span> <span class="o">|</span> <span class="n">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">archive</span> <span class="ow">and</span> <span class="n">cleanup</span> <span class="n">existing</span> <span class="n">audit</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="mi">1</span> <span class="n">files</span> <span class="n">archive</span><span class="p">:</span> <span class="n">dest</span><span class="p">:</span> <span class="s2">"{{ auditd_log_dir }}/../{{ audit_log_tgz.stdout }}"</span> <span class="n">path</span><span class="p">:</span> <span class="s2">"{{ cleanup_list.stdout_lines }}"</span> <span class="n">format</span><span class="p">:</span> <span class="n">gz</span> <span class="n">owner</span><span class="p">:</span> <span class="n">root</span> <span class="n">group</span><span class="p">:</span> <span class="n">root</span> <span class="n">remove</span><span class="p">:</span> <span class="n">yes</span> <span class="n">ignore_errors</span><span class="p">:</span> <span class="n">yes</span> <span class="n">when</span><span class="p">:</span> <span class="n">cleanup_list</span><span class="o">.</span><span class="n">stdout_lines</span> <span class="o">|</span> <span class="n">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">check</span> <span class="k">for</span> <span class="n">existence</span> <span class="n">of</span> <span class="n">new</span> <span class="n">tarball</span> <span class="n">stat</span><span class="p">:</span> <span class="n">path</span><span class="p">:</span> <span class="s2">"{{ auditd_log_dir }}/../{{ audit_log_tgz.stdout }}"</span> <span class="n">ignore_errors</span><span class="p">:</span> <span class="n">yes</span> <span class="n">register</span><span class="p">:</span> <span class="n">audit_log_tarball</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">place</span> <span class="n">audit</span> <span class="nb">log</span> <span class="n">tarball</span> <span class="ow">in</span> <span class="n">auditd_log_dir</span> <span class="n">shell</span><span class="p">:</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">mv</span> <span class="s2">"{{ auditd_log_dir }}/../{{ audit_log_tgz.stdout }}"</span> <span class="s2">"{{ auditd_log_dir }}/"</span> <span class="n">ignore_errors</span><span class="p">:</span> <span class="n">yes</span> <span class="n">when</span><span class="p">:</span> <span class="o">-</span> <span class="n">audit_log_tarball</span><span class="o">.</span><span class="n">stat</span><span class="o">.</span><span class="n">exists</span> <span class="k">is</span> <span class="n">defined</span> <span class="o">-</span> <span class="n">audit_log_tarball</span><span class="o">.</span><span class="n">stat</span><span class="o">.</span><span class="n">exists</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">get</span> <span class="n">current</span> <span class="n">size</span> <span class="n">of</span> <span class="n">audit</span> <span class="nb">log</span> <span class="n">stat</span><span class="p">:</span> <span class="n">path</span><span class="p">:</span> <span class="s2">"{{ auditd_log_dir }}/audit.log"</span> <span class="n">ignore_errors</span><span class="p">:</span> <span class="n">yes</span> <span class="n">register</span><span class="p">:</span> <span class="n">audit_log_stat</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">apply</span> <span class="n">logrotate</span> <span class="n">script</span> <span class="k">for</span> <span class="n">audit</span> <span class="n">copy</span><span class="p">:</span> <span class="n">src</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ansible</span><span class="o">/</span><span class="n">templates</span><span class="o">/</span><span class="n">etc</span><span class="o">-</span><span class="n">logrotate</span><span class="o">.</span><span class="n">d</span><span class="o">-</span><span class="n">audit</span> <span class="n">dest</span><span class="p">:</span> <span class="s2">"{{ auditd_logrotate_conf }}"</span> <span class="n">owner</span><span class="p">:</span> <span class="n">root</span> <span class="n">group</span><span class="p">:</span> <span class="n">root</span> <span class="n">mode</span><span class="p">:</span> <span class="mi">0644</span> <span class="n">backup</span><span class="p">:</span> <span class="n">yes</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">learn</span> <span class="n">the</span> <span class="n">logrotate</span><span class="o">.</span><span class="n">status</span> <span class="n">file</span> <span class="n">to</span> <span class="n">use</span><span class="p">,</span> <span class="k">if</span> <span class="n">any</span> <span class="n">shell</span><span class="p">:</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="n">grep</span> <span class="o">-</span><span class="n">rE</span> <span class="o">--</span> <span class="s1">'bin\/logrotate\&gt;.*(-s|--state)(\s|=)[\/[A-Za-z0-9\.]+\&gt;'</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">cron</span><span class="o">.*</span> <span class="mi">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">oE</span> <span class="s1">'(-s|--state)(\s|=)[\/[A-Za-z0-9\.]+\&gt;'</span> <span class="o">|</span> <span class="n">sort</span> <span class="o">|</span> <span class="n">uniq</span> <span class="o">|</span> <span class="n">head</span> <span class="o">-</span><span class="n">n1</span> <span class="n">ignore_errors</span><span class="p">:</span> <span class="n">yes</span> <span class="n">changed_when</span><span class="p">:</span> <span class="bp">false</span> <span class="n">register</span><span class="p">:</span> <span class="n">this_logrotate_flag</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">show</span> <span class="n">which</span> <span class="n">logrotate</span><span class="o">.</span><span class="n">status</span> <span class="n">file</span> <span class="n">to</span> <span class="n">use</span><span class="p">,</span> <span class="k">if</span> <span class="n">any</span> <span class="n">debug</span><span class="p">:</span> <span class="n">msg</span><span class="p">:</span> <span class="s2">"The status file that will be used is {{ this_logrotate_flag.stdout }}"</span> <span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">run</span> <span class="n">logrotate</span> <span class="n">shell</span><span class="p">:</span> <span class="n">warn</span><span class="o">=</span><span class="n">no</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">logrotate</span> <span class="p">{{</span> <span class="n">this_logrotate_flag</span><span class="o">.</span><span class="n">stdout</span> <span class="p">}}</span> <span class="o">-</span><span class="n">f</span> <span class="s2">"{{ auditd_logrotate_conf }}"</span> <span class="n">register</span><span class="p">:</span> <span class="n">run_logrotate</span> <span class="n">when</span><span class="p">:</span> <span class="p">(</span> <span class="n">cleanup_list</span><span class="o">.</span><span class="n">stdout_lines</span> <span class="o">|</span> <span class="n">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">)</span> <span class="ow">or</span> <span class="p">(</span> <span class="n">audit_log_stat</span><span class="o">.</span><span class="n">stat</span><span class="o">.</span><span class="n">exists</span> <span class="ow">and</span> <span class="n">audit_log_stat</span><span class="o">.</span><span class="n">stat</span><span class="o">.</span><span class="n">size</span> <span class="o">&gt;</span> <span class="mi">190000000</span> <span class="p">)</span> <span class="n">handlers</span><span class="p">:</span> <span class="o">...</span> </code></pre> <h2>Summary</h2> <p>So, logrotate can be configured to rotate the audit log. It just takes a few minutes to configure correctly, after about 2 weeks of research and testing.</p> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="http://melikedev.com/2013/08/19/linux-selinux-semodule-compile-pp-module-from-te-file/">http://melikedev.com/2013/08/19/linux-selinux-semodule-compile-pp-module-from-te-file/</a></li> <li><a href="https://linux.die.net/man/8/auditd.conf">https://linux.die.net/man/8/auditd.conf</a></li> </ol> <h3>Personal effort</h3> <p>Hours and hours of my original research Years of administering RHEL servers with logrotate</p>ansibleauditcronlinuxlogrotateselinuxhttps://bgstack15.ddns.net/blog/posts/2018/02/13/logrotate-audit-log-selinux-cron-and-ansible/Tue, 13 Feb 2018 14:19:44 GMTDocker cannot write to mounted volumehttps://bgstack15.ddns.net/blog/posts/2017/10/12/docker-cannot-write-to-mounted-volume/bgstack15<p>So you've already investigated the permissions, and the selinux context. There are no errors in the audit logs. And if you're using a directory like /var/lib/docker/db, it will have context unconfined_u:object_r:container_var_lib_t:s0. For mounting with <strong>-v /var/lib/docker/db/appname:/opt/application/</strong> and it to be readable, you will need a new context.</p> <pre class="code literal-block"><span></span><code><span class="n">semanage</span> <span class="n">fcontext</span> <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">t</span> <span class="n">svirt_sandbox_file_t</span> <span class="s1">'/var/lib/docker/db(/.*)?'</span> </code></pre>dockermountselinuxhttps://bgstack15.ddns.net/blog/posts/2017/10/12/docker-cannot-write-to-mounted-volume/Thu, 12 Oct 2017 14:50:14 GMTConfigure SELinux to allow Nagios publickey authhttps://bgstack15.ddns.net/blog/posts/2016/04/05/configure-selinux-to-allow-nagios-publickey-auth/bgstack15<p><a href="http://www.nagios.org/">Nagios</a> is a tool for monitoring servers. In a security-minded environment, you need to make allowances for nagios. It operates over ssh using a public key, which SELinux doesn't like. One problem that can occur is that the ~nagios/.ssh/authorized_keys file will not have the right selinux context. Fix that with</p> <pre class="code literal-block"><span></span><code><span class="n">semanage</span> <span class="n">fcontext</span> <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">t</span> <span class="s2">"ssh_home_t"</span> <span class="s2">"/var/spool/nagios(/.*)?"</span> <span class="n">restorecon</span> <span class="o">-</span><span class="n">RvF</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">nagios</span> </code></pre> <p>This will make a new rule in selinux for that directory to have a regular ssh- homedir context, so public keys will work properly. If nagios cannot connect passwordlessly, it will throw fits.</p>selinuxhttps://bgstack15.ddns.net/blog/posts/2016/04/05/configure-selinux-to-allow-nagios-publickey-auth/Tue, 05 Apr 2016 19:56:22 GMT