CentOS

Linux Logo

Linux – SELinux – SEModule – Compile .pp module from .te file

0

I recently ran into a situation where I needed to grant access to certain /home dirs in order to get puppetmaster started with SELinux enforcing. And I had to do it in such a way that I could keep the resulting “type enforcement” (.te) file in version control, this would allow me to track human readable changes.

Steps:

$ -> cd ~

$ -> echo > /var/log/audit/audit.log # this ensures a clean log for analysis

$ -> /etc/init.d/puppetmaster start # should fail

$ -> audit2allow -i /var/log/audit/audit.log -m puppetmaster # this will output the perms necessary for puppetmaster to access needed resources, copy and paste this into the file you are using in version control

$ -> checkmodule -M -m -o puppetmaster.mod /path/to/your/version/controlled/puppetmaster.te # this will create a .mod file 

$ -> semodule_package -m puppetmaster.mod -o puppetmaster.pp # this will create a compiled semodule

$ -> semodule -i puppetmaster.pp # this will install the module

At this point, you have added a custom puppetmaster selinux module which will allow you to get through the first issue discovered when trying to start the service. From here there are one of two course of action, depending on whether the service starts or not. If the service starts, you are done. If the service does not start, you will need to repeat the above steps to determine which new permissions are required to allow the service to start, rinse and repeat until your service starts.

Linux Logo

CentOS – sealert – Convert audit messages into human readable (and understandable) format

0

Currently I am working on a project to centralize all syslog entries into one server and have been running into issues due to the fact that I run SELinux and store the rsyslog.conf file in version control. By default you can tail the /var/log/audit/audit.log to see what’s going on, but the message is fairly encrypted and not easily understood. After some research there is an executable sealert which will parse the audit log and convert the messages into human readable format. sealert does not get installed by default on CentOS systems, so you have to do:

yum install setroubleshoot-server

After the install is completed, you can then analyze the audit log by issuing the following command:

sealert -a /var/log/audit/audit.log > /var/log/audit/audit_human_readable.log

It took a few seconds to analyze, but upon completion I was able to open the human readable version, and see entries like:

--------------------------------------------------------------------------------

SELinux is preventing /sbin/rsyslogd from search access on the directory /home.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rsyslogd should be allowed search access on the home directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

So I was able to create the audit policy to allow rsyslogd the access it needed to the config file in order to run properly.

Linux Logo

CentOS – PHP – Install Memcached (with a d) Stack

0

Recently I started retro-fitting the MeLikeDrinks.com drink website to cache frequently used data to improve performance, as such I wrote a light, custom cache API which sits on top of PHP’s Memcached API. Because I follow TDD principles, I wrote out the tests first, which helped me write out the API calls needed to support the application, but when it came time to actually get the memcached service on my CentOS box, I ran into all sorts of confusion, which motivated me to write this article. It is my hope that this article will help alleviate any confusion others may face when they decide to dive into the cache pool.

First, I need to clarify one of the more confusing issues regarding PHP and Memcache, which is, there are two different PHP Apis. Depending on which PHP Memcache API you select, will determine the steps necessary for PHP to gain access to the underlying memcached server. The differences between PHP Memcache and PHP Memcached are outlined here. Regardless of the differences between the two PHP APIs we have to choose from, they both access the same underlying Memcached Service. The only REAL difference, as far as configuration and installation steps are concerned, is that PHP Memcached requires an external library known as libmemcached. In short, the stacks look like this:

PHP (PECL) Memcache

PHP (PECL) Memcached

  •  libevent (dependency)
  • memcached (service)
  • libmemcached
  • zlib (PHP dependency)
  • PHP (PECL) Memcached

As you can see, the stacks are nearly identical, except for the fact that PHP Memcached requires an extra layer; libmemcached. If you opt to use PHP Memcache, and because this article assumes you are using CentOS,  you can simply have YUM install the entire stack for your via `yum install php-memcache`. If your environment requires you to compile PHP, then you can issue a `yum install memcached` command, and YUM will install libevent and memcached, then you can compile PHP (and PHP Memcache module).

If you are still reading, then you want to install and use PHP Memcached, which unfortunately will require a little more work on your end. I will not go over how to install PHP Memcached using PECL, as I do not believe in these types of automated processes. In the past I have had bad experiences with PECL and rather not introduce another layer of complexity, so the following steps will allow you to compile and install the PHP Memcached stack without PECL.

Steps required:

  • libevent (dependency)
    • yum install libevent libevent-devel
  • memcached (service)
    • yum install memcached
  • libmemcached
    • First check which version of PHP Memcached you wish to use, which will determine which version of libmemcached you need. For example; according to PHP PECL Memcached changelog, the latest version of libmemcached you can use is 1.0.4, otherwise if you try to use a newer version of PHP PECL Memcached you may run into unforeseen issues, in other words, you should ALWAYS assume that PHP PECL Memcached is a few versions behind libmemcached.
    • Based on which version of libmemcached you need from the previous step, you can download from libmemcached download page.
    • Extract file and CD into dir
    • $ -> ./configure –with-libevent-prefix=/usr
    • $ -> make
    • $ -> make install
  • PHP PECL Memcached
    • Download the correct version based on which version of libmemcached you compiled and installed via changelog (which links to download) page.
    • Extract file and CD into dir
    • $ -> phpize
    • $ -> ./configure –with-libmemcached-dir=/path/to/where/memcached.h/is/located
    • make
    • make install
  • PHP ini config
    • vi /path/to/php.ini
    • Add: extension=memcached.so
  • Test module installation
    • $ -> php -m
      • You should memcached listed among other modules
    • $ -> php -i | fgrep -irs cache
      • You should see various memcached config settings
  • Finishing touches
    • Restart apache
    • Start memcached
    • Write a test script to test the setting and getting of a value from your cache server via PHP Memcached API.

And there you have it, a memcached stack without using PECL. All things considered it should not have been too painful an installation, however I must make one disclaimer; I customized my memcached stack a bit more than I eluded to in this article, so if you run into an issue, just post a comment and I will try to help you resolve the issue.

Now that you have a memcached service, and an API to use, you should start focusing on the code points of your application with the most overhead, this will give you the most bang for your buck when you start caching data. Good luck, and happy caching.

Linux Logo

Linux – CentOS – Install Mycrypt

0

I have been working with Magento and came across another hurdle. Magento requires the mycrypt PHP module to be compiled, otherwise you will not be able to complete the install process. So naturally I opened up a terminal and typed `yum install mcrypt` only to find that no such libraries existed. Apparently, the default repos don’t provide the mcrypt libraries any more, so I had to use the EPEL repo, which does provide access to the required mcrypt libraries.

The following steps outline how I successfully installed mcrypt libraries on my CentOS (6.x) system:

Localize EPEL Repo

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm

To verify that it was installed correctly, you can type `$ -> yum repolist`

Disable EPEL Repo

I don’t like not knowing what is installed on my system, as such I didn’t want to keep the EPEL repo enabled by default. Rather, I preferred to tell YUM to use EPEL only when I directed it to do so. In order to accomplish this, you need to make the following changes:


# /etc/yum.repos.d/epel.repo

enabled=1

# to

enabled=0

Now, the EPEL repo will not automatically be considered when you go to install a new package. Convenient for ensuring your system stays as “vanilla” as possible.

Install Mcrypt

 $ -> yum install libmcrypt libmcrypt-devel mcrypt --enablerepo=epel

The libmcrypt-devel libraries are only necessary if you are going to install the PHP mcrypt module.

The above command will install the mcrypt libraries as provided by the EPEL repo.

Configure PHP

Now that we have mcrypt installed on our system, we can compile the PHP mcrypt module, first lets find out where mcrypt was installed:


$ -> which mcrypt

/usr/bin/mcrypt

Now that we know where mcrypt is installed we can add the following flag to our PHP configure for compilation: –with-mcrypt=/usr/bin

After configure be sure to run make, and make install, after they are complete you should be able to `php -m` and see mcrypt as a compiled module.

CentosLogo

CentOS – Basic Usage Guide

1

This post will house basic usage commands for CentOS 5.4. It is a ‘living doc’, meaning that it will be updated over time so bookmark if interested.

YUM

Yum is the package manager built into CentOS distros and by package manager I don’t mean your local delivery guy, I mean how you can install, update, and remove software packages from your system.  Listed here are YUM commands you may find useful.

Update package repo:

yum update

View installed packages:

rpm -qa
#OR
yum list installed

View available updates:

yum list updates

Remove existing i386 apps from x64 system (USE WITH CAUTION!)


yum list installed | fgrep i386 > tmp.txt

yum remove $(awk '{print $1}' tmp.txt | xargs)

To only install 64 bit apps, add following line to /etc/yum.conf:

exclude=*.i386 *.i586 *.i686

Install yum-utils. (Useful set of utilities including package-cleanup)

su -c 'yum install yum-utils'

If you ever get a “missing dependency” error when trying to update a package via yum, check to make sure you have the right version installed (i686 vs x86_64). I had this issue when trying to update glibc-common. It wouldn’t update because the version of glibc was i686, which I explicitly removed via the yum.conf file (explained above).

yum list <package name>

Remove a package:

yum remove <package name>

Check available updates:

 yum check-update

Misc

Check CentOS version:

cat /etc/redhat-release

Reboot:

reboot

Delete User (-r will remove home dir):

userdel -r <username>

If user is logged in, force log them out:

pkill -KILL -u <username>

Change timezone:

Note: Personally, I highly recommend you set your system's local timezone to UTC. This will avoid any issues where some logs are in UTC, some are in local time, and will ensure a consistent time construct across all apps and modules such as php and mysql. Not to mention if you happen to move the server to a different timezone...


sudo rm /etc/localtime

sudo ln -s /usr/share/zoneinfo/UTC /etc/localtime

RPMForge

If you need to install apps like irssi you will have to use rpmforge repo. To install follow the instructions @ http://wiki.centos.org/AdditionalResources/Repositories/RPMForge

To keep your system as pristine as possible, I would edit the /etc/yum.repos.d/rpmforge.repo file and change enabled=1 to enabled=0. This will ensure you are not overriding centos approved packages with newer rpmforge packages. To install a package that resided in rpmforge only, do the following:

yum install <some_package> --enablerepo=rpmforge

This will allow you to use rpmforge on a case-by-case basis giving you much more control over what gets onto your system.

IRSSI

In order to get irssi to work on centos you may have to create a symlink:


cd /usr/lib64

ln -s perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so

IPTables

If you are running httpd and can't connect, try disabling IPTables:

/etc/init.d/iptables stop

SELinux

Determine if SELinux is currently running:

sestatus
Go to Top