Blog

Welcome...

...to my blog. I use this site to note down the little things that are useful to me, whether IT-related or otherwise :)

6 years 1 month ago

A small program doing the job!

And the GitHub repo here

6 years 1 month ago

I've had some problems after deleting the NAS account from the "Domain administrators" group (the sysadmins didn't want me to have an admin account on the domain... :) ). So we tried putting the NAS account into a simple users group to see whether it would work or not:

[...] winbindd[12332]:   unable to initialize domain list

...so everything was broken: the Active Directory service wouldn't start anymore, and there was no access to the CIFS share...

I managed to get it working by stopping the CIFS service, then running "net ads join" and restarting the CIFS service... weird :P

6 years 9 months ago

I've tried to install Passenger to serve the puppetmaster application on my network.

The installation was easy, but running httpd with SELinux was pretty hard; I found a solution, creating an SELinux module, on this website.

I completed it with an additional rule allowing sock_file write... the result is below (file puppet_passenger.te):

module puppet_passenger 1.10;

require {
    type bin_t;
    type devpts_t;
    type httpd_t;
    type passenger_t;
    type passenger_tmp_t;
    type puppet_log_t;
    type puppet_var_lib_t;
    type port_t;
    type proc_net_t;
    type rpm_var_lib_t;

    class process { getattr siginh setexec sigchld noatsecure transition rlimitinh };
    class unix_stream_socket { getattr accept read write };
    class capability { sys_resource sys_ptrace };
    class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink };
    class lnk_file { getattr read };
    class udp_socket name_bind;
    class sock_file write;
    class dir { create getattr setattr add_name remove_name search open read write ioctl lock rmdir };
}

#============= httpd_t ==============
# additional rule: let httpd write to Passenger's socket (labelled passenger_tmp_t)
allow httpd_t passenger_tmp_t:sock_file write;
allow httpd_t port_t:udp_socket name_bind;

# httpd reads /proc/net and the rpm database
allow httpd_t proc_net_t:file { read getattr open };

allow httpd_t rpm_var_lib_t:dir { search getattr };
allow httpd_t rpm_var_lib_t:file open;

allow httpd_t bin_t:file entrypoint;

# httpd talks to the Passenger helper over a unix socket
allow httpd_t passenger_t:process sigchld;
allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };

# puppetmaster state under /var/lib/puppet, /var/log/puppet and its pid file
puppet_manage_lib(httpd_t)
puppet_search_log(httpd_t)
puppet_search_pid(httpd_t)
allow httpd_t puppet_log_t:dir { setattr };
allow httpd_t puppet_log_t:file { setattr };
allow httpd_t puppet_var_lib_t:dir { create rmdir };
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };

#============= passenger_t ==============
allow passenger_t devpts_t:dir search;
# passenger spawns the application processes in the httpd_t domain
allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure };
allow passenger_t self:capability { sys_resource sys_ptrace };
allow passenger_t self:process setexec;

ps_process_pattern(passenger_t, httpd_t)
domain_read_all_domains_state(passenger_t)

And to compile it :

make -f /usr/share/selinux/devel/Makefile
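Before loading a module like this one with semodule -i, it is worth listing which of its rules widen the attack surface (sys_ptrace, a domain transition, entrypoint on bin_t, reading every domain's /proc state). The following is an added example and not part of the original post or of any SELinux tooling: a small Python parser for the allow rules and interface calls of a .te file, run over a constructed excerpt of the module above. The set of permissions it flags as noisy is my own review list, not anything SELinux defines.

```python
"""Review aid for SELinux policy modules (.te files).

Added example, not code from the original post: parses the `allow`
rules and interface calls of a .te file and flags grants a reviewer
usually wants justified before running `semodule -i`. The policy text
below is a constructed excerpt of the puppet_passenger.te module above;
the set of "noisy" permissions is my own review list, not an SELinux
convention.
"""
import re
from collections import defaultdict

# Constructed excerpt of the puppet_passenger.te module shown above.
SAMPLE_TE = """\
module puppet_passenger 1.10;

require {
    type httpd_t;
    type passenger_t;
    class capability { sys_resource sys_ptrace };
}

#============= httpd_t ==============
allow httpd_t passenger_tmp_t:sock_file write;
allow httpd_t bin_t:file entrypoint;
allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };
puppet_manage_lib(httpd_t)

#============= passenger_t ==============
allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure };
allow passenger_t self:capability { sys_resource sys_ptrace };
ps_process_pattern(passenger_t, httpd_t)
domain_read_all_domains_state(passenger_t)
"""

# allow <source> <target>:<class> <perm>;   or   allow ... { perm perm };
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;",
    re.MULTILINE,
)
# interface calls such as puppet_manage_lib(httpd_t)
IFACE_RE = re.compile(r"^(\w+)\s*\(\s*([^)]*)\)\s*$", re.MULTILINE)

# (class, permission) -> why it deserves a second look (my review list)
NOISY_PERMS = {
    ("capability", "sys_ptrace"): "may ptrace other processes",
    ("capability", "sys_resource"): "may override resource limits",
    ("process", "transition"): "may transition into another domain",
    ("file", "entrypoint"): "every file of this type becomes a domain entrypoint",
}
NOISY_IFACES = {
    "domain_read_all_domains_state": "reads the /proc state of every domain",
}


def parse_te(text):
    """Return (rules, interfaces) parsed from .te text.

    rules      -> list of (source, target, tclass, frozenset of perms)
    interfaces -> list of (interface name, [arguments])
    """
    rules = []
    for m in ALLOW_RE.finditer(text):
        src, tgt, tclass, multi, single = m.groups()
        rules.append((src, tgt, tclass, frozenset((multi or single).split())))
    interfaces = []
    for m in IFACE_RE.finditer(text):
        name, args = m.groups()
        interfaces.append((name, [a.strip() for a in args.split(",") if a.strip()]))
    return rules, interfaces


def perms_by_domain(rules):
    """Map each source domain to the set of (target, class, perm) it is granted."""
    granted = defaultdict(set)
    for src, tgt, tclass, perms in rules:
        for perm in perms:
            granted[src].add((tgt, tclass, perm))
    return granted


def audit(text):
    """Return sorted, human-readable findings for the noisy grants in a module."""
    rules, interfaces = parse_te(text)
    findings = []
    for src, tgt, tclass, perms in rules:
        for perm in sorted(perms):
            why = NOISY_PERMS.get((tclass, perm))
            if why:
                findings.append(f"{src} -> {tgt}:{tclass} {perm}: {why}")
    for name, args in interfaces:
        why = NOISY_IFACES.get(name)
        if why and args:
            findings.append(f"{args[0]} via {name}(): {why}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_TE):
        print(finding)
```

This only reads the source text; the authoritative check after installation is semodule -l to confirm the module is loaded and sesearch (from setools, e.g. sesearch -A -s passenger_t -t httpd_t) to query the rules actually present in the kernel policy.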

6 years 9 months ago

Simply add :

[...],nosharecache,context="system_u:object_r:nfs_t:s0"[...]

...to the entry in /etc/fstab

See here for details :D
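The reason nosharecache goes together with context=: by default the NFS client shares one superblock between concurrent mounts of the same export, so a second mount of that export with a different context= is refused (the kernel logs "SELinux: mount invalid. Same superblock, different security settings"); nosharecache gives each mount its own cache and lets each carry its own label (see nfs(5)). As an added example that is not part of the original post, here is a Python check that parses fstab text, keeps quoted context= values intact (an MLS category set such as s0:c0,c5 contains a comma, which is why mount(8) allows quoting the value), and reports NFS entries that have no label or that share an export with a differently labelled mount without nosharecache. The fstab content and the host name nas.example.org are constructed.

```python
"""Audit fstab NFS entries for SELinux context conflicts.

Added example, not code from the original post. It checks that NFS
mounts carry an explicit context= label and that two mounts of the
same export with different labels both use nosharecache. The fstab
text below and the host nas.example.org are constructed.
"""
from collections import defaultdict

# Constructed sample: /export/www mounted twice (the second time unlabelled
# and without nosharecache), plus two labelled exports, one with an MLS
# category set whose value contains a comma.
SAMPLE_FSTAB = """\
# <file system>              <mount point>  <type> <options>                                                          <dump> <pass>
UUID=0000-1111               /              ext4   defaults                                                           1 1
nas.example.org:/export/www  /srv/www       nfs    rw,nosharecache,context="system_u:object_r:httpd_sys_content_t:s0" 0 0
nas.example.org:/export/www  /mnt/www-raw   nfs    rw                                                                 0 0
nas.example.org:/export/home /home          nfs4   rw,nosharecache,context="system_u:object_r:nfs_t:s0"               0 0
nas.example.org:/export/sec  /mnt/sec       nfs    rw,nosharecache,context="system_u:object_r:nfs_t:s0:c0,c5"         0 0
"""


def split_options(opts):
    """Split a mount option string on commas, keeping double-quoted values whole.

    mount(8) allows quoting so a comma inside an MLS category set such as
    s0:c0,c5 does not end the option; the quotes themselves are dropped.
    """
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
            continue
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur))
    return out


def parse_fstab(text):
    """Return one dict per active fstab line: source, target, fstype, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; mount(8) would reject it anyway
        entries.append({
            "source": fields[0],
            "target": fields[1],
            "fstype": fields[2],
            "options": split_options(fields[3]),
        })
    return entries


def nfs_context(entry):
    """Return the context= value of an entry, or None when it has no label."""
    for opt in entry["options"]:
        if opt.startswith("context="):
            return opt[len("context="):]
    return None


def audit_fstab(text):
    """Return sorted findings for NFS entries that are unlabelled or conflict."""
    findings = []
    by_export = defaultdict(list)
    for entry in parse_fstab(text):
        if not entry["fstype"].startswith("nfs"):
            continue
        by_export[entry["source"]].append(entry)
        if nfs_context(entry) is None:
            findings.append(f"{entry['target']}: NFS mount without an explicit context= option")
    for source, entries in by_export.items():
        labels = {nfs_context(e) for e in entries}
        if len(entries) > 1 and len(labels) > 1:
            for e in entries:
                if "nosharecache" not in e["options"]:
                    findings.append(
                        f"{e['target']}: shares {source} with a differently labelled "
                        "mount but lacks nosharecache")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print(finding)
```

Run against the real file with audit_fstab(open("/etc/fstab").read()); an empty result means every NFS entry is labelled and no export is mounted twice with conflicting labels and a shared cache.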

6 years 9 months ago

I've had problems generating a GPG key pair; I finally found that it was because I was trying to generate the key as a different user than the one I was logged in with...

You must have a console open to be able to generate the key.

...and a little script found here to automatically launch gpg-agent:

#!/bin/bash

# Decide whether to start the gpg-agent daemon.
# Create the necessary symbolic link in $HOME/.gnupg/S.gpg-agent

SOCKET=S.gpg-agent

# pidof exits with status 1 when no gpg-agent process is running.
if ! pidof gpg-agent > /dev/null; then
        echo "Starting gpg-agent daemon."
        # gpg-agent --daemon prints the GPG_AGENT_INFO export line; eval it into this shell.
        eval "$(gpg-agent --daemon)"
else
        echo "Daemon gpg-agent already running."
fi

# Nasty way to find gpg-agent's socket file (gpg-agent 2.0 creates it under /tmp/gpg-XXXXXX/).
# Newer GnuPG can report it directly with: gpgconf --list-dirs agent-socket
GPG_SOCKET_FILE=$(find /tmp/gpg-* -name "$SOCKET" 2> /dev/null | head -n 1)
if [ -z "$GPG_SOCKET_FILE" ]; then
        echo "Could not find the gpg-agent socket file." >&2
        exit 1
fi
echo "Updating socket file link."
cp -fs "$GPG_SOCKET_FILE" "$HOME/.gnupg/$SOCKET"

Another little useful command when generating a GPG key pair (this entropy stuff, whatever...) is:

sudo dd if=/dev/sda of=/dev/zero

When you get "We need to generate a lot of random bytes. It is a good idea to perform <blabla>", open another shell and launch the command; it will speed up the generation...
