Difference between revisions of "Centos7-RHEL9"

From neil.tappsville.com
Line 333: Line 333:
 
Add repos by adding a file under /etc/yum.repos.d/[blah].repo
 
Add repos by adding a file under /etc/yum.repos.d/[blah].repo
  
dnf repolist all
 
 
<pre>
 
<pre>
 
cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
 
cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
Line 340: Line 339:
 
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
 
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
 
enabled=1
 
enabled=1
 +
 +
[EPEL]
 +
name=EPEL 9
 +
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
 +
enabled=1
 +
gpgcheck=1
 +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
 +
 
</pre>
 
</pre>
 +
 +
dnf repolist all
 
  dnf config-manager --enable 'reponame'
 
  dnf config-manager --enable 'reponame'
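Review bot: the new [EPEL] stanza in this hunk turns on gpgcheck=1 with gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9, but the stanza above it in the same file (baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/, enabled=1) is left enabled with no gpgcheck line, and both stanzas point at the same baseurl, so dnf can still pull unsigned packages through the older stanza. Either remove the config-manager stanza or give it the same gpgcheck=1 and gpgkey= lines, and confirm that the key file named by gpgkey actually exists on the host before the repo is enabled, otherwise dnf will fail when it tries to import the key.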

Revision as of 02:41, 21 May 2023

Relationship with Fedora, Redhat

Fedora --> Redhat --> Centos, all run by the Redhat company.

  1. Fedora - Free - the main project; a community-based, free distro focused on quick releases of new features and functionality.
  2. Redhat - Paid - the corporate version based on the progress of that project; it has slower releases, comes with support, and isn't free.
  3. CentOS - Free - essentially the community version of Redhat; pretty much identical, but free, with support coming from the community rather than from Redhat itself.

Development SELinux

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts

To make life super easy for the first cut of something

see selinux current settings

sestatus

Disable selinux (till next reboot)

  • centos 7: sudo setenforce 0
  • RHEL 9: grubby --update-kernel ALL --args selinux=0

Disable firewall

service firewalld stop
systemctl disable firewalld

Disable SELinux

 /etc/selinux/config
 SELINUX=enforcing  --> permissive
 Reboot

Redhat SVC Alerts

grep sealert /var/log/messages


Selinux contexts

  • Files --> fcontext
  • Ports --> port
  • boolean --> boolean

fcontext

show context

$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

user:role:type:level

SELinux user

semanage login -l

level

/etc/selinux/targeted/setrans.conf

Copied files inherit the fcontext of the destination directory; moved files keep their original fcontext.


Change context (temporary: lasts until the default labels are reset with restorecon)

chcon -R -t [fcontext] /dir

Change context (permanent)

semanage fcontext -a -t [context] '/dir(/.*)?'

restorecon -FvR /dir           <----------- REMEMBER TO APPLY the new context

List contexts

semanage fcontext -l | grep [thing]

List temporary customisations (not written to selinux db)

semanage fcontext -l -C
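As an added example (not from this page), the shell helper below splits the user:role:type:level label printed by ls -Z and lists the files under a directory whose type is not the one the directory is meant to carry. It is the check to run before restorecon -FvR when a file moved (not copied) into a web root has kept its old label. The ls -Z lines, the expected web-root type httpd_sys_content_t, and the function names label_part and mislabeled are all constructed for this example; the parser accepts both the old ls -Z layout shown above and the RHEL 9 layout (label followed by name).

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): split the user:role:type:level label
# printed by "ls -Z" and list files whose type is not the one expected for the
# directory. Sample lines are constructed and mix both ls -Z layouts.

# Constructed "ls -Z" output for a web root.
LS_Z_SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:httpd_sys_content_t:s0 style.css
unconfined_u:object_r:user_home_t:s0 moved_from_home.html
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
system_u:object_r:httpd_sys_content_t:s0 robots.txt'

# label_part <label> <user|role|type|level>: one component of a context string.
label_part() {
  local f
  case "$2" in
    user)  f=1 ;;
    role)  f=2 ;;
    type)  f=3 ;;
    level) f='4-' ;;   # MLS levels may themselves contain ':' (s0:c0.c1023)
    *)     echo "unknown part: $2" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | cut -d: -f"$f"
}

# mislabeled <expected type> <ls -Z text>: prints "<name> <actual type>" per mismatch.
mislabeled() {
  printf '%s\n' "$2" | awk -v want="$1" '
    {
      n = 0
      for (i = 1; i <= NF; i++) {
        n = split($i, p, ":")
        if (n >= 4) break          # the field with >= 3 colons is the label
      }
      if (n >= 4 && p[3] != want) print $NF, p[3]
    }
  '
}

# Stand-alone run: report files in the sample that do not carry the web-root type.
mislabeled httpd_sys_content_t "$LS_Z_SAMPLE"
```

Files reported here are the ones restorecon -FvR would relabel, provided the directory's default context is registered with semanage fcontext.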

Booleans

getsebool -a
setsebool -P httpd_enable_homedirs on    (-P permanent)

Interfaces

 vi /etc/sysconfig/network-scripts/ifcfg-eth0

Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:

 DEVICE=eth0
 BOOTPROTO=none
 ONBOOT=yes
 PREFIX=24
 IPADDR=192.168.2.203

Restart the network service: systemctl restart network

VM interfaces

VMWare interfaces are created in the following order

  • ens192
  • ens224
  • ens256
  • ens161

Default Route

Temporary

$ route del default gw <default_gateway_ip>
$ route add default gw <default_gateway_ip>

Permanent: set GATEWAY=<new_default_gateway_ip> in /etc/sysconfig/network


Static Routes

Temporary

ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005

Permanent: /etc/sysconfig/network-scripts/route-eth0

 172.16.5.0/24 via 10.0.0.101 dev eth0

Remember to bounce the interface after

ifdown eth0
ifup eth0
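Added example, not from the page: the route-eth0 file uses the same syntax as ip route add, so the same text can be checked before the interface is bounced. The helper below reads IPADDR and PREFIX from ifcfg-style text and confirms that each route's gateway lies on that subnet (the kernel rejects a route whose next hop is not on-link), printing the equivalent temporary command for the good ones. The ifcfg and route contents and the function names (ip4_to_int, prefix_mask, on_link, check_routes, bad_route_count) are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): verify that every static route in a
# route-<iface> file names a gateway that is on-link for that interface, using
# IPADDR/PREFIX from the matching ifcfg-<iface> text. All sample data is constructed.

# Constructed ifcfg-eth0 content in the page's format.
IFCFG_ETH0='DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.2.203'

# Constructed route-eth0 content: the first gateway is on eth0's /24, the
# second is not and would be refused when the interface comes up.
ROUTE_ETH0='172.16.5.0/24 via 192.168.2.1 dev eth0
10.20.0.0/16 via 10.0.0.101 dev eth0'

# Dotted-quad IPv4 -> 32-bit integer.
ip4_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (24 -> 4294967040, i.e. 255.255.255.0).
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# on_link <gateway> <interface address> <prefix>: succeeds when both share a subnet.
on_link() {
  local mask gw ip
  mask=$(prefix_mask "$3")
  gw=$(ip4_to_int "$1")
  ip=$(ip4_to_int "$2")
  [ $(( gw & mask )) -eq $(( ip & mask )) ]
}

# ifcfg_get <ifcfg text> <KEY>: value of one KEY=VALUE line.
ifcfg_get() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# check_routes <ifcfg text> <route file text>: one report line per route.
check_routes() {
  local ipaddr prefix
  ipaddr=$(ifcfg_get "$1" IPADDR)
  prefix=$(ifcfg_get "$1" PREFIX)
  printf '%s\n' "$2" | while read -r dest _ via _ dev; do
    [ -n "$dest" ] || continue
    if on_link "$via" "$ipaddr" "$prefix"; then
      echo "ok   ip route add $dest via $via dev $dev"
    else
      echo "BAD  $dest: gateway $via is not on $ipaddr/$prefix"
    fi
  done
  return 0
}

# Number of routes whose gateway is off-link.
bad_route_count() {
  check_routes "$1" "$2" | grep -c '^BAD' || true
}

# Stand-alone run: report on the constructed sample.
check_routes "$IFCFG_ETH0" "$ROUTE_ETH0"
```

Run it against the real files with check_routes "$(cat /etc/sysconfig/network-scripts/ifcfg-eth0)" "$(cat /etc/sysconfig/network-scripts/route-eth0)" before ifdown/ifup, so a typo in the gateway does not leave the interface without its routes.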

Blackhole

ip route add blackhole <ip or range>

Dummy Interface

$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy
$ cat /etc/modprobe.d/dummy.conf 
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0
$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no

Process to Port/Sockets

 ps -ef | grep nginx
root     20501     1  0 Mar24 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

sudo lsof -nnp 20501
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
nginx   20501 root  cwd    DIR              253,0      224       64 /
nginx   20501 root  rtd    DIR              253,0      224       64 /
nginx   20501 root  txt    REG              253,0  1342640 50764597 /usr/sbin/nginx
nginx   20501 root    8u  IPv4              61372      0t0      TCP 172.29.17.4:http (LISTEN)
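Added example (not from the page): the same process-to-socket mapping from the iproute2 side, parsing ss -ltnp output (the replacement for netstat listed in the Networking table below) and flagging listeners bound to every interface, which is normally what should be narrowed to one address or covered by a firewalld rule. The ss output and the function names listeners and exposed_listeners are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): map listening TCP sockets to their
# owning process from "ss -ltnp" output and classify how widely each is bound.
# The ss output below is constructed.

SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    172.29.17.4:80      0.0.0.0:*         users:(("nginx",pid=20501,fd=8))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1021,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=1021,fd=4))
LISTEN 0      4096   127.0.0.1:3000      0.0.0.0:*         users:(("node",pid=4412,fd=19))'

# listeners <ss text>: "<pid> <comm> <addr> <port> <scope>" per LISTEN line.
listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]                 # port is after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      match($6, /"[^"]+"/);    comm = substr($6, RSTART + 1, RLENGTH - 2)
      match($6, /pid=[0-9]+/); pid  = substr($6, RSTART + 4, RLENGTH - 4)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all-interfaces"
      else if (addr ~ /^127\./ || addr == "[::1]")            scope = "loopback"
      else                                                    scope = "single-address"
      print pid, comm, addr, port, scope
    }
  '
}

# exposed_listeners <ss text>: "comm:port" for sockets bound to all interfaces.
exposed_listeners() {
  listeners "$1" | awk '$5 == "all-interfaces" { print $2 ":" $4 }'
}

# Stand-alone run on the constructed sample.
listeners "$SS_SAMPLE"
```

On a live host feed it the real output: listeners "$(ss -ltnp)" (ss needs root to show the Process column for other users' sockets). Anything reported as all-interfaces should match a port you deliberately opened with firewall-cmd.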

Optics Diagnostics

Output is similar to a Juniper

ethtool -m [interface]

Screen

Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/

Start a 'window': screen, or give the session a name: screen -S 'hello_world'
To exit: exit [enter]
To detach from the session: ctrl + a, d

Show windows/terminals: screen -ls
Re-attach: screen -r [number or session_name]

Scrollback: start with -h [numlines]; to access it use copy mode: ctrl + a, Escape, then up/down; Escape to return.

Locale Problems

This is an issue with Mobaxterm/WSL/Ubuntu (not CentOS), which sets the locale to C.UTF-8, but here is a workaround: add the following to your .bashrc file (seriously, there is something wrong with Mobaxterm and this was the only fix, read: crude workaround).

export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8

It appears Mobaxterm is built from Cygwin sources, which default to C.UTF-8 (an extended character set of en_US.UTF-8); however some CentOS boxes do not know about the C variant and so complain.

Normal fix (which Mobaxterm seems to ignore, setting C.UTF-8 anyway)

sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8

Packages / rpms

List installed: yum list installed

Remember to stop the service first :)

 systemctl stop httpd

Add a specific package version

Show what versions are available

 yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64          2.4.6-90.el7.centos          base
httpd.x86_64          2.4.41-4.codeit.el7

To install a particular one

sudo yum install httpd-2.4.6-90.el7.centos

Use yum to download an rpm and not install it

yum install --downloadonly --downloaddir=<directory> <package>

Extract contents of an rpm

rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv

Downgrade package

yum downgrade vsftpd-2.0.5-12.el5


Creating rpms / packages

https://rpm-packaging-guide.github.io/

Noting that `Source0` can be a compressed archive that will be uncompressed once it is fetched.


EPEL Packages

Example, source: https://github.com/phaag/nfdump

EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011

Get source rpm and extract

rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv

Logging

To see the logs of a particular service (the same messages that go to /var/log/messages):

sudo journalctl -u openli-provisioner.service

To follow a service's logs as they arrive:

sudo journalctl --follow -u openli-provisioner.service

Firewall

firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload


systemctl

List all enabled services

sudo systemctl list-unit-files | grep enabled


Selinux Policies

Look at audit log for deny messages

sudo ausearch -c 'process/context' --raw

Readable rules

grep context_t /var/log/audit/audit.log | audit2allow -w

Generate rules

grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy

Refer to the following for possible permissions

cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt

Modify the te file, then place it in a folder and run in the same folder:

make -f /usr/share/selinux/devel/Makefile

Import the policy

sudo semodule -i somepolicy.pp
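Added example (not from the page): before piping denials into audit2allow, it pays to summarise them, because a denial caused by a mislabeled file should be fixed with restorecon or semanage fcontext rather than by allowing httpd_t to write to user_home_t in a new module. The helper below groups raw AVC lines by source type, target type, class and permissions (the same facts audit2allow -w reads) and gives a heuristic next step. The audit lines are constructed, and the classification in avc_hint is this example's own rule of thumb, not part of SELinux.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): summarise AVC denials from audit.log
# lines so each one can be classified as "fix the label" or "fix the policy"
# instead of being allowed wholesale. The audit lines are constructed.

AUDIT_SAMPLE='type=AVC msg=audit(1684632000.101:401): avc:  denied  { write } for  pid=20501 comm="nginx" name="access.log" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1684632000.102:402): avc:  denied  { write } for  pid=20501 comm="nginx" name="error.log" dev="dm-0" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1684632005.300:403): avc:  denied  { name_connect } for  pid=20501 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1684632005.300:403): arch=c000003e syscall=42 success=no exit=-13'

# avc_summary <audit text>: "<count> <source type> <target type> <class> { perms }", sorted.
avc_summary() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ {
      split($0, lb, "{"); split(lb[2], rb, "}"); perms = rb[1]   # text between { and }
      gsub(/^ +| +$/, "", perms)
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
      match($0, /tclass=[^ ]+/);   tclass = substr($0, RSTART + 7, RLENGTH - 7)
      count[s[3] " " t[3] " " tclass " { " perms " }"]++   # s[3]/t[3] = type field of user:role:type:level
    }
    END { for (k in count) print count[k], k }
  ' | sort
}

# avc_hint <tclass> <target type>: heuristic next step (example logic, not an SELinux rule).
avc_hint() {
  case "$1:$2" in
    file:user_home_t|file:default_t|dir:user_home_t|dir:default_t)
      echo "label problem: restorecon -FvR or semanage fcontext, not a policy change" ;;
    tcp_socket:*|udp_socket:*)
      echo "network access: check getsebool -a / semanage port before writing a .te rule" ;;
    *)
      echo "review the denial; only then audit2allow -M" ;;
  esac
}

# Stand-alone run on the constructed sample.
avc_summary "$AUDIT_SAMPLE"
```

On a real host use avc_summary "$(sudo grep 'avc: *denied' /var/log/audit/audit.log)"; only the groups that survive this review should go on to audit2allow -M.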

Temporary

1. Set the SELinux mode to permissive temporarily (without a reboot). The setenforce command switches between enforcing and permissive mode. To change to permissive mode:

 setenforce 0

Permanent

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux

Create a Module

File Types in the module

sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script

Detailed process https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/

Networking

USE THIS IPROUTE COMMAND      INSTEAD OF THIS NET-TOOLS COMMAND
ip addr                       ifconfig -a
ss                            netstat
ip route                      route
ip maddr                      netstat -g
ip link set eth0 up           ifconfig eth0 up
ip -s neigh                   arp -v
ip link set eth0 mtu 9000     ifconfig eth0 mtu 9000

ntp

sudo sntp -sS ntp_server
sudo sntp -sS 130.217.74.61

InternetNZ's server 202.46.177.18 (part of the public pool) can also be used.

RHEL 9

  • Satellite Server - repo mirror for RHEL Packages

DNF

DNF (Dandified YUM) replaced YUM as the package manager in Red Hat Enterprise Linux 9.

yum was based on Python 2; dnf uses Python 3. DNF resolves software dependencies.


dnf search all 'web server'
dnf info httpd
dnf provides /var/www/html
dnf history
dnf group install GROUPNAME

dnf repos

Add repos by adding a file under /etc/yum.repos.d/[blah].repo

cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

dnf repolist all
dnf config-manager --enable 'reponame'
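Added example (not from the page): the two stanzas above point at the same baseurl but only the second carries gpgcheck=1 and a gpgkey, so a quick audit of every .repo stanza is worth having. The helper below reads repo-file text and reports, per stanza, whether enabled repos verify package signatures (dnf treats a stanza with no enabled= line as enabled). The sample text is constructed, modelled on the page's two stanzas plus a plain-http mirror; the function names audit_repo_text and repo_fail_count are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): audit .repo stanzas for package
# signature verification. An enabled stanza without gpgcheck=1, or with
# gpgcheck=1 but no gpgkey=, lets dnf install unsigned or unverifiable
# packages. Sample input is constructed.

SAMPLE_REPO='[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

[internal-mirror]
name=constructed plain-http mirror with no enabled= line (defaults to enabled)
baseurl=http://mirror.example.invalid/epel/9/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9'

# audit_repo_text <repo file text>: prints "<verdict> <repoid> <reason>" per stanza.
audit_repo_text() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (id == "") return
      if (enabled == "0")           print "SKIP", id, "disabled"
      else if (gpgcheck != "1")     print "FAIL", id, "gpgcheck missing or 0"
      else if (gpgkey == "")        print "FAIL", id, "gpgcheck=1 but no gpgkey"
      else if (baseurl ~ /^http:/)  print "WARN", id, "plain-http baseurl (metadata not verified unless repo_gpgcheck=1)"
      else                          print "PASS", id, "signed packages, key " gpgkey
    }
    /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); enabled = ""; gpgcheck = ""; gpgkey = ""; baseurl = ""; next }
    /^enabled=/  { enabled  = substr($0, 9)  }
    /^gpgcheck=/ { gpgcheck = substr($0, 10) }
    /^gpgkey=/   { gpgkey   = substr($0, 8)  }
    /^baseurl=/  { baseurl  = substr($0, 9)  }
    END { flush() }
  '
}

# Number of enabled stanzas that fail the check.
repo_fail_count() {
  audit_repo_text "$1" | grep -c '^FAIL' || true
}

# Stand-alone run on the constructed sample.
audit_repo_text "$SAMPLE_REPO"
```

To audit the whole host: audit_repo_text "$(cat /etc/yum.repos.d/*.repo)". A FAIL on a stanza you keep should be fixed by adding gpgcheck=1 and a gpgkey= line, or by disabling the stanza with dnf config-manager --set-disabled 'reponame'.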