Prefetch Technologies // Keeping your cache lines cozy

Archive

Posts from 2010

Configuring a Linux NFS server in a SELinux-managed environment

security Nov 2, 2010 2 min read

The Linux kernel has supported NFS for as long as I can remember. All of the major distributions (Red Hat, CentOS, Fedora, SUSE, Ubuntu) ship with NFS client and server support and have all of the userland daemons and tools needed to configure and debug NFS. I spent some time this past weekend bringing up a new NFS server in a SELinux-managed environment, and thought I would share my experience with my readers. Setting up a Linux NFS server with SELinux can be done in just a few simple steps: Configure SELinux to allow remote hosts to access content that is exported through NFS…


Using TCP Wrappers to protect Linux and Solaris services

security Oct 30, 2010 2 min

I have been using TCP wrappers for years, and it's a very simple way to allow and deny network access to applications. TCP wrapper functionality is built into the system libwrap.so module, which various applications are linked against. To see if a given application supports TCP wrappers, you can use the ldd utility: TCP wrappers is configured through the /etc/hosts.allow and /etc/hosts.deny files. The hosts.allow file allows you to control which services will be accepted, and the hosts.deny file allows you to control which services will be denied…


How to debug SELinux service issues

Oct 30, 2010 5 min

I have been spending a good bit of time playing with SELinux, which has required me to learn how to debug issues that arise due to its use. The most common issues that arise are usually related to security context mismatches. This can occur because somebody modified a file and didn't bother to chcon a file, or because somebody changed the contexts that were once present on a file. To see the SELinux context assigned to a file or directory, you can use the ls "-Z" option: Now say a user approached you because they were getting 403 Forbidden messages when they tried to retrieve a file on your Apache web server: The Apache error log indicated that there was indeed a permission issue: Though the UNIX permissions on the file were correct…


Concert Review KISS

music Oct 23, 2010 1 min

When I was growing up, the people around me were constantly exposing me to various forms of Rock & Roll. It seems like just yesterday I was driving to the store with my cousin, who put a KISS cassette in the stereo and told me to give it a good listen. The music resonated with me, and something about the band hit a happy musical note with me. I bought one of their albums, and played it over and over and over …


Finding orphaned RPMs on Linux hosts

linux Oct 22, 2010 1 min

If you use an RPM-based Linux distribution, you may have run into one or more cases where your system contains orphaned packages. An orphaned package is a package that doesn't have any packages that depend on it, and in a number of cases the package is no longer required for the system to function correctly. To view the list of orphaned packages on your Linux host, you can use the incredibly useful rpmorphan tool. To install it, you can fire up yum: Once installed, you can run it to view the list of orphaned packages on your system: To get additional information on what rpmorphan is doing, you can run it with the "-verbose" option…
