Chronicles of SELinux: Dealing with web content in unusual directories

I’ve decided to start a series of posts called “Chronicles of SELinux” where I hope to educate more users on how to handle SELinux denials with finesse rather than simply disabling it entirely. To kick things off, I’ll be talking about dealing with web content in the first post. First steps If you’d like to follow along, simply hop onto a system running Fedora 21 (or later), CentOS 7 or Red Hat Enterprise Linux 7....

2015-09-10 · 7 min · Major Hayden

Understanding systemd’s predictable network device names

I talked a bit about systemd’s network device names in my earlier post about systemd-networkd and bonding and I received some questions about how systemd rolls through the possible names of network devices to choose the final name. These predictable network device names threw me a curveball last summer when I couldn’t figure out how the names were constructed. Let’s walk through this process. What’s in a name? Back in the systemd-networkd bonding post, I dug into a dual port Intel network card that showed up in a hotplug slot:...

2015-08-21 · 7 min · Major Hayden

Research Paper: Securing Linux Containers

It seems like there’s a new way to run containers every week. The advantages and drawbacks of each approach are argued about on mailing lists, in IRC channels, and in person, around the world. However, the largest amount of confusion seems to be around security. Launching secure containers I’ve written about launching secure containers on this blog many times before: Launch secure LXC containers on Fedora 20 using SELinux and sVirt Improving LXC template security Try out LXC with an Ansible playbook CoreOS vs....

2015-08-14 · 3 min · Major Hayden

Automated testing for Ansible CIS playbook on RHEL/CentOS 6

I started working on the Ansible CIS playbook for CentOS and RHEL 6 back in 2014 and I’ve made a few changes to increase quality and make it easier to use. First off, the role itself is no longer a submodule. You can now just clone the repository and get rolling. This should reduce the time it takes to get started. Also, all pull requests to the repository now go through integration testing at Rackspace....

2015-08-05 · 1 min · Major Hayden

Allow new windows to steal focus in GNOME 3

GNOME 3 generally works well for me but it has some quirks. One of those quirks is that new windows don’t actually pop up on the screen with focus as they do in Windows and OS X. When opening a new window, you get a “[Windowname] is ready” notification: My preference is for new windows to pop in front and steal focus. I can see why that’s not the default since it might cause you to type something in another window where you weren’t expecting to....

2015-07-06 · 2 min · Major Hayden

Improving LXC template security

I’ve been getting involved with the Fedora Security Team lately and we’re working as a group to crush security bugs that affect Fedora, CentOS (via EPEL) and Red Hat Enterprise Linux (via EPEL). During some of this work, I stumbled upon a group of Red Hat Bugzilla tickets talking about LXC template security. The gist of the problem is that there’s a wide variance in how users and user credentials are handled by the different LXC templates....

2015-06-18 · 2 min · Major Hayden

Keep old kernels with yum and dnf

When you upgrade packages on Red Hat, CentOS and Fedora systems, the newer package replaces the older package. That means that files managed by RPM from the old package are removed and replaced with files from the newer package. There’s one exception here: kernel packages. Upgrading a kernel package with yum or dnf leaves the older kernel package on the system just in case you need it again. This is handy if the new kernel introduces a bug on your system or if you need to work through a compile of a custom kernel module....
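The number of kernels that survive an upgrade is governed by the installonly_limit setting in the package manager's main config. The fragment below is an added example, not taken from the post; the value 3 is an illustrative choice, and the file paths are the stock ones for yum and dnf:

```ini
# /etc/yum.conf on RHEL/CentOS 6 and 7 (yum)
[main]
# keep this many installonly packages (kernels) before yum prunes the oldest;
# 3 is an illustrative value chosen for this example
installonly_limit=3

# /etc/dnf/dnf.conf on Fedora (dnf) uses the same key
[main]
installonly_limit=3
```

Keep the limit above 1 so a rollback kernel is always available, but remember that every kernel left on disk stays selectable from the boot menu, including ones with published vulnerabilities, so prune deliberately rather than letting the list grow. `rpm -q kernel` shows what is currently installed, and on yum systems `package-cleanup --oldkernels --count=2` (from yum-utils) trims to the newest two without waiting for the next upgrade.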

2015-05-18 · 1 min · Major Hayden

Creating a bridge for virtual machines using systemd-networkd

There are plenty of guides out there for making ethernet bridges in Linux to support virtual machines using built-in network scripts or NetworkManager. I decided to try my hand with creating a bridge using only systemd-networkd and it was surprisingly easy. First off, you’ll need a version of systemd with networkd support. Fedora 20 and 21 will work just fine. RHEL/CentOS 7 and Arch Linux should also work. Much of the networkd support has been in systemd for quite a while, but if you’re looking for fancier network settings, like bonding, you’ll want at least systemd 216....
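As an added example that is not part of the post, the minimal set of systemd-networkd unit files for a bridge looks like this. The bridge name br0 and the physical interface name enp2s0 are assumptions for the illustration; the three files are shown in one block with comments marking where each one begins:

```ini
# /etc/systemd/network/br0.netdev : create the bridge device itself
[NetDev]
Name=br0
Kind=bridge

# /etc/systemd/network/br0-member.network : enslave the physical NIC
# (enp2s0 is an assumed name; match your own interface)
[Match]
Name=enp2s0

[Network]
Bridge=br0

# /etc/systemd/network/br0.network : the bridge carries the host address
[Match]
Name=br0

[Network]
DHCP=ipv4
```

Enable the service with `systemctl enable systemd-networkd` and `systemctl start systemd-networkd`, and make sure NetworkManager or the legacy network scripts are not also managing enp2s0, or the two will fight over the link. Virtual machines then attach their tap devices to br0, which puts every guest on the same layer-2 segment as the host's physical LAN; treat guest network isolation accordingly (VLANs or a separate bridge for untrusted guests) rather than assuming the host firewall sees their traffic. `networkctl status br0` and `ip link show master br0` confirm the bridge came up with its member.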

2015-03-26 · 3 min · Major Hayden

Install sysstat on Fedora 21

One of the first tools I learned about after working with Red Hat was sysstat. It can write down historical records about your server at regular intervals. This can help you diagnose CPU usage, RAM usage, or network usage problems. In addition, sysstat also provides some handy command line utilities like vmstat, iostat, and pidstat that give you a live view of what your system is doing. On Debian-based systems (including Ubuntu), you install the sysstat package and enable it with a quick edit to /etc/default/sysstat and the cron job takes it from there....

2014-12-12 · 2 min · Major Hayden

httpry 0.1.8 available for RHEL and CentOS 7

Red Hat Enterprise Linux and CentOS 7 users can now install httpry 0.1.8 in EPEL 7 Beta. The new httpry version is also available for RHEL/CentOS 6 and supported Fedora versions (19, 20, 21 branched, and rawhide). Configuring EPEL on a RHEL/CentOS server is easy. Follow the instructions on EPEL’s site and install the epel-release RPM that matches your OS release version. If you haven’t used httpry before, check the output on Jason Bittel’s site....

2014-08-13 · 1 min · Major Hayden