Friday, August 19, 2005

Making ntsysv/chkconfig compatible rc scripts

ntsysv and chkconfig do not run a script to learn about it; they read two specially formatted comment lines near its top. A startup/shutdown script that should be manageable with either tool must therefore follow this template:
#!/bin/bash
#
# chkconfig: runlevels startpriority stoppriority
# description: brief, possibly multi-line description \
#              (a continuation line is announced by a trailing backslash)

runlevels is the list of runlevels in which the service is started by default (for example 2345, or - for none); startpriority and stoppriority are two-digit numbers (00-99) that become the S and K symlink names in /etc/rc.d/rcN.d, so a lower number starts (or stops) earlier in the sequence.

For example:
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
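As an added example (not part of the original post), here is a complete script in that template together with a small check that mimics what chkconfig --add does with the header: it creates an S<startpriority> link in each listed runlevel and a K<stoppriority> link in every other runlevel. The service name mydaemon, the messages it prints and the temporary path are assumptions; the script starts no real daemon.

```sh
#!/bin/sh
# Added example (not from the original page): a complete script in the
# chkconfig template, plus a check that mimics what `chkconfig --add`
# does with the "# chkconfig:" line. "mydaemon" is a hypothetical service
# used only to make the example self-contained; it starts nothing real.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE="$WORK/mydaemon"        # stands in for /etc/init.d/mydaemon

cat > "$SAMPLE" <<'EOF'
#!/bin/bash
#
# mydaemon    Hypothetical daemon illustrating the chkconfig header
#
# chkconfig: 2345 55 25
# description: Hypothetical daemon. The description may continue on the \
#              next line when the previous line ends with a backslash.

case "$1" in
  start)   echo "starting mydaemon" ;;
  stop)    echo "stopping mydaemon" ;;
  restart) "$0" stop; "$0" start ;;
  status)  echo "mydaemon: status unknown" ;;
  *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
exit 0
EOF
chmod 755 "$SAMPLE"

# Print "LEVELS START STOP" from the first "# chkconfig:" line of $1, or
# fail if the line is missing or malformed (chkconfig would refuse it too).
chkconfig_header() {
    line=$(grep '^# chkconfig:' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line                      # "#" "chkconfig:" LEVELS START STOP
    [ $# -eq 5 ] || return 1
    case "$3" in *[!0-6-]*|"") return 1 ;; esac     # runlevels 0-6, or "-"
    case "$4$5" in *[!0-9]*) return 1 ;; esac       # priorities are numbers
    [ ${#4} -eq 2 ] && [ ${#5} -eq 2 ] || return 1  # two digits, 00-99
    echo "$3 $4 $5"
}

# Print the rcN.d symlink names `chkconfig --add` would create for script $1:
# an S<start> link in each listed runlevel, a K<stop> link in every other one.
chkconfig_links() {
    name=$(basename "$1")
    hdr=$(chkconfig_header "$1") || return 1
    set -- $hdr                       # LEVELS START STOP
    for rl in 0 1 2 3 4 5 6; do
        case "$1" in
            *$rl*) echo "rc$rl.d/S$2$name" ;;
            *)     echo "rc$rl.d/K$3$name" ;;
        esac
    done
}

"$SAMPLE" start                # -> starting mydaemon
chkconfig_links "$SAMPLE"      # -> rc0.d/K25mydaemon ... rc2.d/S55mydaemon ...
```

To install such a script for real, copy it to /etc/init.d/ (owned by root, mode 755, never group- or world-writable, since it runs as root at boot) and run chkconfig --add mydaemon; ntsysv then lists it and chkconfig --level can switch it per runlevel.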

Sharing the GNOME desktop

GNOME now has a built-in VNC server called vino, configured under Applications->Preferences->Remote Desktop. Unlike a separate Xvnc server, which creates its own virtual display (:1, :2, ...), vino shares the display you are already logged into, so VNC clients connect to display :0 (TCP port 5900). Before enabling it, set a password and leave the "ask for confirmation" option on: whoever connects gets your logged-in desktop, and VNC itself sends the session unencrypted.

Resizing mounted partitions

Starting with kernel version 2.6.10, an ext3 file system can be grown while it is mounted, using the resize2fs program from e2fsprogs 1.36 or later. Online resizing only grows; shrinking still requires the file system to be unmounted. Note also that resize2fs changes the file system, not the partition table: enlarge the partition first with fdisk or parted, then run resize2fs on the device. Take a backup before either step, since a mistake in the partition table is not something resize2fs can undo.

Monday, August 08, 2005

Configuring X Window

Each distribution seems to have its own tool for configuring X:
xf86config / xorgconfig
Standard XFree86 (respectively X.Org) text-mode configuration tool
system-config-display
Red Hat/Fedora X Window configuration tool
redhat-config-xfree86 / Xconfigurator
Older Red Hat and Fedora versions
sax / sax2
SUSE Linux

CD recording stuff

Detecting the CD recorder

cdrecord -scanbus

To burn a CD

cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject speed=2 archive.iso
dev= takes the bus,target,lun triple reported by cdrecord -scanbus; driveropts=burnfree turns on buffer-underrun protection; -multi leaves the disc open so further sessions can be appended. Omit -multi if it's a single session CD, which closes the disc.

To burn a multisession CD

First burn:
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session1.iso
For each subsequent burn:
Place the CD in the drive and ask cdrecord where the next session starts (use the same device for -msinfo, -M and the burn):
cdrecord dev=0,0,0 -msinfo
0,27139
The output is "start of the last session,first writable sector" (the numbers above are an example). Pass it unchanged to mkisofs with -C, and point -M at the device holding the earlier sessions so they are merged into the new image:
mkisofs -o session2.iso -Jr -V Session2 -C 0,27139 -M 0,0,0 /path/to/files/

Alternately, in one step:
mkisofs -o session2.iso -Jr -V Session2 -C $(cdrecord dev=0,0,0 -msinfo) -M 0,0,0 /path/to/files/

Now burn, keeping -multi if more sessions will follow and dropping it for the last one (which closes the disc):
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session2.iso
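As an added example (not from the original page), the wrapper below does the same job as the one-step command above, but checks the -msinfo output before splicing it into mkisofs. The one-liner runs mkisofs with whatever cdrecord printed; when the disc in the drive is not an open multisession disc, or the device triple is wrong, cdrecord reports an error and mkisofs is invoked with an empty or garbled -C argument. Device 0,0,0, the file names and the source directory are assumptions; DRY_RUN=1 prints the commands instead of running them, which is how the example runs here without a drive.

```sh
#!/bin/sh
# Added example (not from the original page): multisession helper that
# validates `cdrecord -msinfo` output before handing it to mkisofs.
# Device 0,0,0 and all paths are assumptions. Set DRY_RUN=1 to print the
# commands instead of executing them.

# Run a command, or just print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Accept only the "START,NEXT" form that -msinfo prints: two decimal
# numbers separated by exactly one comma, nothing else.
msinfo_ok() {
    case "$1" in
        "" | *[!0-9,]* | *,*,* | ,* | *,) return 1 ;;
        *,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the image for the next session.
# $1 device, $2 msinfo string, $3 output iso, $4 volume label, $5 source dir
append_session() {
    msinfo_ok "$2" || { echo "refusing to build: bad -msinfo output '$2'" >&2; return 1; }
    run mkisofs -o "$3" -Jr -V "$4" -C "$2" -M "$1" "$5"
}

# Burn an image. $1 device, $2 iso; pass "last" as $3 to close the disc.
burn() {
    if [ "$3" = "last" ]; then
        run cdrecord -v dev="$1" driveropts=burnfree -eject "$2"
    else
        run cdrecord -v dev="$1" driveropts=burnfree -multi -eject "$2"
    fi
}

# Whole procedure for one more session; with a real drive, drop DRY_RUN.
DRY_RUN=1
DEV=0,0,0
info="0,27139"                          # constructed stand-in for $(cdrecord dev=$DEV -msinfo)
append_session "$DEV" "$info" session2.iso Session2 /path/to/files/ &&
    burn "$DEV" session2.iso            # keep the disc open for more sessions
```

With a real drive the msinfo line becomes info=$(cdrecord dev=$DEV -msinfo) and DRY_RUN is left unset; a disc that is already closed, or the wrong device, then stops the script at the validation step instead of producing an unusable image.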

Simplify the cdrecord command line

To keep the cdrecord command line simple, put common options in /etc/default/cdrecord:
# /etc/default/cdrecord
CDR_DEVICE=0,0,0
CDR_SPEED=2

Now the command line can be greatly simplified to:
cdrecord archive.iso

To erase a CD-RW

cdrecord -v dev=0,0,0 blank=all
where
-v
verbose
dev
cdrom device (detected using cdrecord -scanbus)
blank=all
blanks the entire disk. This takes about as long as a full write; blank=fast erases only the PMA, TOC and pregap and is usually enough before re-recording.

Creating a hybrid ISO

Here "hybrid" means an ISO9660 image that carries both Rock Ridge extensions (Unix names, permissions, symlinks) and Joliet extensions (long names for Windows), so the same disc reads correctly on either:
mkisofs -a -J -r -v -V vol_label -L -o img1.iso ~/cds/cd0/
where:
-a
Include all files on the ISO9660 file system. Files that contain '~' or '#' (editor backup files) will be included.
-r
Use Rock Ridge naming conventions, with ownership and permissions rationalised for a read-only disc (uid/gid 0, no write bits, readable by all).
-J
Generate Joliet directory records in addition to ISO9660.
-L
Allow file names to begin with a period.
-v
Verbose.
-V vol_label
Volume label shown when the disc is mounted.
-o outputfilename
Output file name.

Test the created ISO before burning by mounting it read-only with mount -o loop (for example mount -o loop,ro img1.iso /mnt/iso) and checking that the expected files and long names appear.

Friday, August 05, 2005

Changing role in SELinux enabled FC4

To run a command with a different role, first use newrole to change the role. For example, to switch to the sysadm_r role:
newrole -r sysadm_r
newrole authenticates you again (it asks for your password) and starts a new shell in the requested role. This matters only under the strict policy; under the default targeted policy on FC4, ordinary logins are unconfined and there is no role to switch to.

Enabling public_html for Apache in FC4

To enable per-user web directories on SELinux enabled FC3+, edit /etc/httpd/conf/httpd.conf:
  • Comment out the line UserDir disable
  • Add UserDir public_html.
  • Save the file and run service httpd reload
Each user who needs web directories must do the following:
  • Create ~/public_html, and populate it.
  • Change permissions with chmod so that the apache user can traverse the home directory and read the content: chmod 711 ~ and chmod 755 ~/public_html (files inside need at least mode 644).
  • Change the security context of the folder recursively:
    chcon -R -t httpd_user_content_t ~/public_html/
At this point, it should work. If it does not, check to see that the Boolean that allows httpd to read home directories is enabled:
  • Run system-config-securitylevel
  • Under the SELinux tab within the Modify SELinux Policy area: enable Allow HTTPD to read home directories.
  • Alternatively, execute
    setsebool -P httpd_enable_homedirs true
    (-P makes the change persistent across reboots; without it the Boolean reverts to the policy default at the next boot.)
If it still fails, look in /var/log/messages for "avc: denied" lines with scontext httpd_t and tcontext user_home_t: their presence distinguishes a labelling problem (fix with chcon or the Boolean) from a plain Unix permissions problem (fix with chmod).

Preventing console message flooding

To stop kernel messages flooding the console (they are still recorded in the kernel ring buffer and by syslog):
dmesg -n 1
The argument is the console log level; 1 lets only panic messages through to the console.

Thursday, August 04, 2005

SE Linux essentials (FC3)

Bare minimal SELinux:
  • SELinux in FC3 uses a targeted policy by default. One could opt for a strict policy too, which was the default with FC2. The policy files needed are in these RPMs:
    • selinux-policy-strict-.rpm and selinux-policy-strict-sources-.rpm
    • selinux-policy-targeted-.rpm and selinux-policy-targeted-sources-.rpm
    The policy source resides in /etc/selinux/policyname/src/policy when it is installed, and the binary policy file is in /etc/selinux/policyname/policy.
  • Use system-config-securitylevel to change SELinux based settings.
  • The ls command's -Z option will display the security context of a file
  • The id command's -Z option will display the security context of a user
  • The ps command's -Z option will display the security context of a process.
  • Don't take policy switching lightly. Unless of course, it's for learning :)
  • To change the policy - easy way - run system-config-securitylevel, change the policy and reboot.
  • To change the policy manually -
    1. Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
    2. Set the mode to permissive. SELINUX=permissive.
    3. Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
    4. Reboot the system.
    5. Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. Fix any problems.
    6. When you are satisfied that the system runs stable under the new policy, enable enforcing by changing SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
  • Ordinary backups will not backup the security context which are stored as extended attributes. Use star to backup files on an SElinux protected system. In particular, use the -xattr and -H=exustar options. Eg:
    star -xattr -H=exustar -c -f ../test.star ./*
  • The variable SELINUX in /etc/selinux/config can take the values disabled, enforcing, or permissive. Booting the kernel with enforcing=0 is the same as SELINUX=permissive. Similarly, booting the kernel with enforcing=1 is the same as SELINUX=enforcing.
  • To turn SELinux off persistently, use SELINUX=disabled in /etc/selinux/config rather than editing the kernel command line at every boot. When the goal is to debug denials, prefer permissive mode over disabling: in permissive mode new files are still labelled and denials are still logged, whereas a disabled system creates unlabelled files that need a relabel later.
  • To temporarily turn off the enforcing mode, use setenforce 0. To return to enforcing mode, setenforce 1.
  • To turn off SELinux for a single boot, add selinux=0 to your kernel command line. Note that any files created while SELinux is disabled will NOT have SELinux context information. If the system then fails to boot with SELinux enabled again, boot into single user mode with enforcing=0, run touch /.autorelabel, and reboot so that the init scripts relabel everything before services start.
  • /usr/sbin/sestatus -v displays status info about SELinux
  • To relabel a directory, use restorecon -v -R /path.
  • If you have file systems shared by both SELinux enabled and non-SELinux machines - eg a dual-boot Suse and FC4 sharing the same /home, it sort of spells trouble when booting into SElinux as it may require relabelling.
  • Mounting a non-SELinux file system via NFS results in SELinux treating all the files in the share as having a context of nfs_t. To override the default context to say, system_u:object_r:tmp_t to SELinux:
    mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
  • To change and load the security policy:
    cd /etc/selinux/targeted/src/policy
    make clean
    make load
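The following is an added example, not code from the original page: it reads the "avc: denied" lines that step 5 of the manual policy switch tells you to look for in /var/log/messages, summarises them by source domain, target type, object class and permission, and for the one pattern this page documents (httpd reading a user's home directory, from the public_html section above) prints the corresponding fix. The log lines are constructed for the example in the FC3-era syslog format and are not from a real system; the hostname fc3 and the pids are made up.

```sh
#!/bin/sh
# Added example (not from the original page): summarise "avc: denied"
# lines from /var/log/messages and map the one case this page explains
# (httpd_t -> user_home_t) to its fix. Sample lines are constructed.

SAMPLE_LOG='Aug  4 10:12:33 fc3 kernel: audit(1123155153.123:45): avc:  denied  { read } for  pid=2345 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=123456 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Aug  4 10:12:34 fc3 kernel: audit(1123155154.456:46): avc:  denied  { read } for  pid=2345 exe=/usr/sbin/httpd name=style.css dev=hda2 ino=123457 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Aug  4 10:15:01 fc3 kernel: audit(1123155301.789:47): avc:  denied  { name_bind } for  pid=2711 exe=/usr/sbin/sshd scontext=root:system_r:sshd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Aug  4 10:15:02 fc3 sshd[2711]: Server listening on 0.0.0.0 port 22.'

# Read syslog lines on stdin; print one line per distinct denial as
# "COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMS", most frequent first.
avc_summary() {
    grep 'avc: *denied' | awk '
    {
        perms = ""; sc = ""; tc = ""; cls = ""
        # permissions are the words between the braces: "{ read write }"
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        for (i = 1; i <= NF; i++) {
            # keep only the type field (third component) of each context
            if      ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); sc = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tc = b[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        n[sc " " tc " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# For one avc_summary line, print the fix this page documents, if any.
avc_hint() {
    set -- $1                                # COUNT STYPE TTYPE CLASS PERMS
    case "$2 $3" in
        "httpd_t user_home_t")
            echo "httpd denied on a home directory: chcon -R -t httpd_user_content_t ~user/public_html and setsebool -P httpd_enable_homedirs true" ;;
        *)
            echo "no fix documented here for $2 -> $3 ($4 $5); check labels with ls -Z / ps -Z before touching policy" ;;
    esac
}

# On a real system: avc_summary < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | avc_summary | while read -r line; do
    echo "$line"
    avc_hint "$line"
done
```

Counting by domain, type and class rather than reading raw lines makes the difference between one mislabelled directory (a few hundred identical httpd_t/user_home_t denials) and a genuinely unexpected access obvious at a glance, which is what you want before deciding between relabelling and changing policy.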

Upgrading CentOS 4.0 to CentOS 4.1

CentOS 4 is basically Red Hat Enterprise Linux 4. I just upgraded it to CentOS 4.1 using the rpms, with these steps:

  • Download the rpms from CentOS/4.1/os on any mirror.
  • Download the updates from CentOS/4.1/updates on any mirror.
  • Download any extra modules that depend on the kernel version. In my case, I had to download linux-ntfs rpms for the 2.6.11ELhugemem kernel.
  • Disable selinux using
    setenforce 0.
    (Failing to do this made the rpm postinstall fail for some rpm files. Off the cuff, I recall the rpms for bzip2-libs, and krb5-* failing.)
  • From the directory containing the 4.1 rpms, run
    rpm -Fvh *.rpm
    You do need a lot of free disk space for this to work. Alternately, freshen a few rpms at a time :)
  • Now enable selinux with setenforce 1.
  • Reboot in run level 1 so that no services start up
  • Run
    /sbin/fixfiles relabel
    Alternately, to speed things up, you can also use
    /sbin/restorecon -R pathname
    to recursively restore security context on the specified path - in my case /lib and /usr/lib were definitely affected. I opted for the fixfiles approach rather than weed out directories individually.
  • Change to the normal runlevel
That's all there is to it :-)