SELinux commands cheatsheet

A comprehensive list of SELinux commands with descriptions.

avcstat
Display short SELinux AVC (access vector cache) statistics: lookups, hits, misses, allocs, reclaims, frees.

avcstat

audit2allow
Automatically create rules to allow actions based on deny logs from SELinux.

cat /var/log/audit/audit.log | audit2allow
cat /var/log/audit/audit.log | grep apache | audit2allow

audit2why
Get more detailed, human-readable explanations of the denials in the SELinux audit log.

cat /var/log/audit/audit.log | audit2why
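Before piping a whole audit log into audit2allow it helps to see which denials you are actually about to turn into rules. The function below, an added example that is not part of the cheatsheet, collapses AVC denial lines into distinct (source context, target context, class, permissions) tuples, optionally filtered on the comm= field as the grep apache variant above does. The audit lines are constructed samples in the standard auditd AVC format.

```shell
# Added example (not from the cheatsheet): summarise AVC denials before
# handing them to audit2allow.  The log lines below are constructed samples.
AVC_SAMPLE='type=AVC msg=audit(1418000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1418000000.102:202): avc:  denied  { getattr } for  pid=1201 comm="httpd" path="/home/user/www" dev="sda1" ino=4710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1418000000.103:203): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1418000000.104:204): avc:  denied  { name_connect } for  pid=1330 comm="php5-fpm" dest=3306 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1418000000.104:204): arch=c000003e syscall=42 success=no exit=-13'

# avc_summary COMM < auditlog
# Prints one line per distinct "scontext tcontext tclass {perms}" among the
# denials whose comm= equals COMM (pass "" to keep every denial).
avc_summary() {
  comm_filter="$1"
  grep 'type=AVC' | grep 'denied' |
  { if [ -n "$comm_filter" ]; then grep "comm=\"$comm_filter\""; else cat; fi; } |
  sed -n 's/.*denied  { \([^}]*\) } for .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 {\1}/p' |
  sort -u
}

# avc_summary_count COMM < auditlog: number of distinct denial tuples
avc_summary_count() {
  avc_summary "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a real box use
#   avc_summary httpd < /var/log/audit/audit.log
printf '%s\n' "$AVC_SAMPLE" | avc_summary httpd
```

Reviewing the collapsed tuples first makes it obvious when a denial is really a mislabelled file (fix the label with restorecon or semanage fcontext) rather than a missing rule, which is the case audit2allow would otherwise paper over with an allow rule.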

chcon
Change the SELinux context of a file or directory temporarily.
Upon reboot or reset (restorecon), the context will be changed back again.

chcon -t user_home_t /home/user
chcon -R -t user_home_t /home/*

checkpolicy
Compile a complete SELinux policy source into a binary policy file (checkmodule does the same for policy modules).

fixfiles
Check or fix the security contexts of files system-wide according to the policy's file context specifications (used for relabeling).

genhomedircon
Generate file context entries for users' home directories from the policy.

getsebool
Show the current value of one or all SELinux booleans (getsebool -a).

getenforce
Print the current SELinux mode: Enforcing, Permissive or Disabled.

matchpathcon
Show the default (policy-defined) security context for a given path.

newrole
Run a new shell in a different SELinux role, type or level.

restorecon
Reset the security contexts of files to the defaults defined by the policy (restorecon -R for recursive).

run_init
Run an init script in the proper SELinux context instead of the caller's.

selinuxenabled
Exit with status 0 if SELinux is enabled, 1 otherwise (useful in scripts).

sestatus
Show SELinux status: enabled/disabled, mode, policy name and (with -v) the contexts of key processes and files.

setfiles
Set file security contexts from a file context specification file (used during relabeling and by fixfiles).

setsebool
Change the value of an SELinux boolean at runtime (setsebool -P makes it persistent).

setenforce
Switch between Enforcing (1) and Permissive (0) mode until the next reboot.

SELinux: Run a command or script in a specific context

In this howto I will show you a quick example of how to run a command or script in a specific file, role and user context.

This is useful if you need to test something before applying a permanent rule.

Use the following command:

runcon -t initrc_t -r system_r -u user_u yourcommandhere

-t is the file context.
-r is the role context.
-u is the user context.

SELinux: Permanently change file context of files and folders

This is a quick howto on changing the file context of files and folders in SELinux.

In this example I want to allow my webserver access to the www folder inside every users home:

unconfined_u:object_r:user_home_dir_t:SystemLow /home/user/www

Right now the current context user_home_dir_t won't allow the webserver to read from or write to the www folder.

In order to allow access to the folder, the context must be changed to httpd_user_rw_content_t or httpd_user_content_t; the latter only allows read access:

semanage fcontext -a -t httpd_user_rw_content_t '/home/[^/]*/www(/.+)?'

Next, run this command to apply the new context rule:

restorecon -R /home

That’s it :)
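The regular expression given to semanage fcontext decides exactly which paths get relabelled by restorecon, and SELinux matches it against the whole path (anchored at both ends), so it pays to check the expression against real paths before adding it. The helper below is an added example, not part of the howto; it anchors the expression and evaluates it with grep -E, which agrees with the policy's PCRE matcher for the constructs used here. The paths and the UNCHANGED placeholder label are constructed for the demo.

```shell
# Added example (not from the howto): test which paths an fcontext regex
# will label before running semanage fcontext -a.
# fcontext_matches REGEX PATH -> exit 0 if PATH would be labelled by REGEX
fcontext_matches() {
  regex="$1"; path="$2"
  # SELinux treats fcontext regexes as anchored at both ends; do the same.
  printf '%s\n' "$path" | grep -Eq "^${regex}\$"
}

# label_paths REGEX TYPE PATH... -> prints "TYPE PATH" for matching paths and
# "UNCHANGED PATH" (constructed placeholder) for the rest
label_paths() {
  regex="$1"; type="$2"; shift 2
  for p in "$@"; do
    if fcontext_matches "$regex" "$p"; then
      printf '%s %s\n' "$type" "$p"
    else
      printf '%s %s\n' "UNCHANGED" "$p"
    fi
  done
}

# The howto's rule, tried against a few constructed paths.  Note that the
# directory itself and everything below it match, but a sibling such as
# /home/user/wwwx, a trailing-slash form and a deeper /home/user/sub/www do not.
label_paths '/home/[^/]*/www(/.+)?' httpd_user_rw_content_t \
  /home/user/www /home/user/www/index.php /home/user/wwwx /home/user/www/ /home/user/sub/www
```

Once the expression labels exactly the paths you intend, add it with semanage fcontext -a and run restorecon -R as above; matchpathcon PATH then shows the context the policy now assigns to each path.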

SELinux: Creating a rule to allow a transition

This is a quick howto on creating a custom SELinux rule to allow transition from one file-context to another.

In this example I will allow the init script of php5-fpm to transition from initrc_t to httpd_php_t.

This is the file context of the init script:

system_u:object_r:initrc_exec_t:SystemLow /etc/init.d/php5-fpm

The init script will execute php5-fpm, which has the following file context:

system_u:object_r:httpd_php_exec_t:SystemLow /usr/sbin/php5-fpm

Right now, if I run the init script to launch php5-fpm, the process will end up with the following context:

system_u:system_r:initrc_t:s0 23182 ? Ss 0:00 php-fpm: master process

As you can see, the process is not transitioning properly to the correct context which is httpd_php_t.

In order to allow the transition, we must create an SELinux module.
Create a new file (you may use a different name, just end it with .te) /etc/selinux/httpd_php.te, then fill it with the following content:

# the module statement needs a name and a version number
module httpd_php 1.0;
require {
    type initrc_t;
    type httpd_php_exec_t;
    type httpd_php_t;
    class file entrypoint;
    class process transition;
}
# when initrc_t executes a file of type httpd_php_exec_t, run the new process as httpd_php_t
type_transition initrc_t httpd_php_exec_t:process httpd_php_t;
# httpd_php_exec_t is a valid entry point into the httpd_php_t domain
allow httpd_php_t httpd_php_exec_t:file entrypoint;
# initrc_t may transition into httpd_php_t
allow initrc_t httpd_php_t:process transition;

Now, run the following commands to generate the SELinux module (remember to use the correct filename if you changed it):

checkmodule -M -m /etc/selinux/httpd_php.te -o /etc/selinux/httpd_php.mod
semodule_package -o /etc/selinux/httpd_php.pp -m /etc/selinux/httpd_php.mod
semodule -i /etc/selinux/httpd_php.pp

That's it, now you can restart php5-fpm and the process should transition properly:

system_u:system_r:httpd_php_t:s0 23182 ? Ss 0:00 php-fpm: master process
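The three statements in the module are a fixed pattern (type_transition plus the entrypoint and transition allow rules), so the same module can be generated for any source domain, executable type and target domain. The script below is an added example and not the howto's own code: it emits the .te text from those three types, wraps the checkmodule/semodule_package/semodule steps (skipped where the tools are not installed), and checks from a ps -eZ line whether the process really ended up in the expected domain. The two ps lines are constructed to mirror the before/after output above.

```shell
# Added example (not from the howto): generate and verify a domain-transition module.
# transition_te MODULE SRC_DOMAIN EXEC_TYPE TARGET_DOMAIN -> prints the .te text
transition_te() {
  mod="$1"; src="$2"; exec_t="$3"; dst="$4"
  cat <<EOF
module $mod 1.0;
require {
    type $src;
    type $exec_t;
    type $dst;
    class file entrypoint;
    class process transition;
}
# when $src executes a file labelled $exec_t, the new process runs as $dst
type_transition $src $exec_t:process $dst;
# $exec_t is a valid entry point into the $dst domain
allow $dst $exec_t:file entrypoint;
# $src is allowed to transition into $dst
allow $src $dst:process transition;
EOF
}

# build_module NAME [DIR]: compile and install DIR/NAME.te (default /etc/selinux).
# Needs checkmodule, semodule_package and semodule; returns 1 when absent.
build_module() {
  name="$1"; dir="${2:-/etc/selinux}"
  command -v checkmodule >/dev/null || { echo "checkmodule not available" >&2; return 1; }
  checkmodule -M -m "$dir/$name.te" -o "$dir/$name.mod" &&
  semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" &&
  semodule -i "$dir/$name.pp"
}

# process_domain 'ps -eZ line' -> the type (domain) field of the process context
process_domain() {
  printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# expect_domain EXPECTED 'ps -eZ line' -> exit 0 when the process runs in EXPECTED
expect_domain() {
  [ "$(process_domain "$2")" = "$1" ]
}

# Generate the module from the howto's types (write to a file with > to use it)
transition_te httpd_php initrc_t httpd_php_exec_t httpd_php_t

# Constructed ps -eZ lines mirroring the howto's before/after output
BEFORE='system_u:system_r:initrc_t:s0 23182 ? Ss 0:00 php-fpm: master process'
AFTER='system_u:system_r:httpd_php_t:s0 23182 ? Ss 0:00 php-fpm: master process'
expect_domain httpd_php_t "$BEFORE" || echo "not transitioned yet, running as $(process_domain "$BEFORE")"
expect_domain httpd_php_t "$AFTER" && echo "transitioned to $(process_domain "$AFTER")"
```

On the real server the check is `expect_domain httpd_php_t "$(ps -eZ | grep php-fpm | head -n 1)"` after the restart; a process still reported in initrc_t means the module did not load (check semodule -l) or the executable does not carry httpd_php_exec_t (check with ls -Z).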

Setting up OpenVPN on Debian

In this tutorial I will explain how to install, configure and use an OpenVPN server on Debian, quick and painless :)

I will be using Debian “wheezy” 7.7.0, but the instructions will still be viable to newer and earlier releases.

A VPN is used to provide an encrypted “tunnel” between you, the VPN-Server, and possibly other clients who are also connected to the same VPN-Server.
All traffic passing between you and the VPN-Server is encrypted, thus preventing a third party/hacker from eavesdropping on your connection and stealing sensitive information from you.

A VPN can be very useful if you are connected to a potentially unsafe internet connection on a public wifi hotspot like an airport, coffee shop, restaurant or hotel, where a malicious user may be trying to steal your personal information.

A VPN can also be used if you want to hide your IP-address, or appear to be in a different country in order to bypass a firewall or access region restricted content (netflix, youtube..).
 
 

1. Install software

Fire up a shell, and type the following.
Make sure you are logged in as root, or use sudo, when running this command.

root@debian:~# apt-get install -y openvpn bind9

If you are wondering why we also install "bind9": it is a DNS server, which is required in order to have all traffic pass through the VPN.

If you only want certain traffic going to a service within the VPN network, but normal traffic to go outside the VPN, you don't need bind9 and can skip it.
 
 

2. Generate Certificates for OpenVPN

Copy the files needed to generate SSL certificates and keys:

root@debian:~# cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Start generating the CA (Certificate Authority) files:

root@debian:~# cd /etc/openvpn/easy-rsa/2.0/
root@debian:~# source ./vars
root@debian:~# ./clean-all
root@debian:~# ./build-ca

You will be asked to enter several pieces of information before the files are generated.
It really makes no difference what you type here, so just hit “enter” without typing anything.

Generate a private key for your server: (change “myserver” to your servername)

root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-key-server myserver

Again, you will be asked for information. Just keep hitting enter until the last two questions, where you must type “y” and hit “enter” on both.

Generate a Diffie Hellman key:

root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-dh

Generate a certificate for each client/computer that is going to connect to your server: (change "client" to a unique name for each client)

root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-key client

Run this command once for each client, and change the "client" name each time, because each client must have a unique name.

Now it’s time to copy all the files we generated to the OpenVPN config folder:

root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/ca* /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.crt /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.key /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn

Copy the client certificate(s) to your regular user account: (change "myuser" to your regular user account)

root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/client.key /home/myuser
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/client.crt /home/myuser

 

3. Configure OpenVPN Server

We start by decompressing a sample config file for the server:

root@debian:~# gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz

Copy the file to the OpenVPN config folder:

root@debian:~# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn

Copy a sample config file which will be used by each client connecting to the VPN: (change “myuser” to your regular user account)

root@debian:~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/myuser

This file must be downloaded to each VPN-client later.

Open the server configuration file: /etc/openvpn/server.conf

Change the following lines to reflect the servername you chose when you generated the certificates: (I used the name “myserver”)

cert server.crt
key server.key

Uncomment the following line, by removing the “;” preceding the line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

;push "redirect-gateway def1 bypass-dhcp"

Add the following line anywhere in the file:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

push "dhcp-option DNS 10.8.0.1"

Uncomment the following line, by removing the “;” preceding the line: (enable VPN clients to communicate with eachother through the VPN)

;client-to-client

That’s it. Save and close the file.
 
 
Edit /etc/sysctl.conf and uncomment the following line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

#net.ipv4.ip_forward=1

This enables IP forwarding in the kernel, so the server can route the clients' traffic onwards instead of only accepting traffic addressed to itself.
 
Restart the networking service:

root@debian:~# service networking restart

Restart the OpenVPN server:

root@debian:~# service openvpn restart

 
Create some iptables rules needed to forward the traffic:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

root@debian:~# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@debian:~# iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
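The server-side edits above (certificate names, redirect-gateway, DNS push, client-to-client, ip_forward and the FORWARD rules) are easy to get subtly wrong by hand, and the choice between a full-tunnel and a split VPN is really one switch. The script below is an added example, not part of the tutorial: it applies the edits to a copy of server.conf with sed in either mode, idempotently, and prints the forwarding steps. The sample config it works on is a constructed stand-in for the relevant lines of the Debian sample server.conf. One addition beyond the tutorial's rules is a POSTROUTING MASQUERADE rule (assuming the sample's default 10.8.0.0/24 VPN subnet); without NAT, replies from the Internet have no route back to the VPN clients in full-tunnel mode.

```shell
# Added example (not from the tutorial): apply the server.conf edits for a
# full-tunnel ("all") or split ("split") VPN, and list the forwarding steps.
# configure_server_conf FILE MODE CERTNAME  (edits FILE in place, idempotent)
configure_server_conf() {
  conf="$1"; mode="$2"; name="$3"; tmp="$conf.tmp"
  sed -e "s|^cert server.crt$|cert ${name}.crt|" \
      -e "s|^key server.key$|key ${name}.key|" \
      -e 's|^;client-to-client$|client-to-client|' "$conf" > "$tmp"
  if [ "$mode" = all ]; then
    # full tunnel: push the default route and our DNS server to the clients
    sed -e 's|^;push "redirect-gateway def1 bypass-dhcp"$|push "redirect-gateway def1 bypass-dhcp"|' "$tmp" > "$tmp.2"
    mv "$tmp.2" "$tmp"
    grep -q '^push "dhcp-option DNS 10.8.0.1"$' "$tmp" || echo 'push "dhcp-option DNS 10.8.0.1"' >> "$tmp"
  fi
  mv "$tmp" "$conf"
}

# forwarding_rules WAN_IF: kernel and iptables steps for full-tunnel mode.
# The FORWARD rules are the tutorial's; the MASQUERADE rule is an addition
# (assumes the default 10.8.0.0/24 VPN subnet) needed for return traffic.
forwarding_rules() {
  wan="$1"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $wan -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o $wan -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $wan -j MASQUERADE
EOF
}

# make_sample_conf FILE: constructed stand-in for the sample server.conf
make_sample_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;client-to-client
EOF
}

# count_active FILE PREFIX: number of lines in FILE starting with PREFIX
count_active() { grep -c "^$2" "$1" || true; }

# Dry run on the constructed sample; for the real file use
#   configure_server_conf /etc/openvpn/server.conf all myserver
SAMPLE="${TMPDIR:-/tmp}/server.conf.example.$$"
make_sample_conf "$SAMPLE"
configure_server_conf "$SAMPLE" all myserver
cat "$SAMPLE"
forwarding_rules eth0
```

Run the dry run first and diff the result against the sample before touching /etc/openvpn/server.conf; the iptables rules printed by forwarding_rules are not persistent across reboots unless saved (for example with iptables-persistent).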

 

4. Setting up the OpenVPN client

If you are planning to have multiple clients, you must create a unique config file for each client and make the following changes:

Open the client configuration file that you copied to your regular user account earlier: /home/myuser/client.conf

Change "my-server-1" on the following line to the IP address of your OpenVPN server:

remote my-server-1 1194

Change these lines to reflect the name you chose for your client when you created the certificates:

cert client.crt
key client.key

That’s it. Save and close the file.
 
 
Now it’s time to install the VPN client software on your client computer(s).
This should be very straightforward, so I'm not going into detail on this.

You can download the OpenVPN client software here:
http://openvpn.net/index.php/open-source/downloads.html
 
 
After you complete installing the OpenVPN client software, copy the following files from the server, to the config path for your VPN client:

/home/myuser/client.key
/home/myuser/client.crt
/home/myuser/client.conf
/etc/openvpn/ca.crt

Note: If you are using the client on Windows, the “client.conf” file must be renamed to “client.ovpn” in order for the file to be loaded automatically.
 
 

5. Finished!

You are now finished! All that remains is to start the OpenVPN client, and it will automatically connect to your VPN-Server.

Setting up LAMP (Linux, Apache, MySQL, PHP) on Debian

In this tutorial I will explain how to set up a LAMP stack on Debian.
LAMP is an acronym for a software bundle consisting of Linux, Apache, MySQL and PHP, all running together in order to power websites.

I will be using Debian “wheezy” 7.7.0, but the instructions will still be viable to newer and earlier releases.

1. Install software

Fire up a shell, and type the following.
Make sure you are logged in as root, or use sudo, when running this command.

root@debian:~# apt-get install -y mysql-server apache2 libapache2-mod-php5 php5-mysql

You will be asked to choose a password for the root user of MySQL.
We will use this password later to create a database for your website.

2. Configure Apache

Create a file with your domain name, “mydomain.com”, and place it under the following location: /etc/apache2/sites-available/mydomain.com

Put the following content inside the file:

<VirtualHost *:80>
        ServerName www.mydomain.com
        ServerAlias mydomain.com
        DocumentRoot /var/www

        <Directory /var/www>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

ServerName is the primary hostname you are going to use.
ServerAlias lists variations of the hostname that should resolve to the same content; you can put multiple variations separated by a space " ".
DocumentRoot is the path to your content.
Directory is the same path as DocumentRoot, and specifies permissions and settings for that path.
Options Indexes displays a directory listing of all files if there is no index file. Change this to Options -Indexes if you don't want directory listings.
Options FollowSymLinks allows symlinks to be used to link folders into the DocumentRoot path.
Options MultiViews will try to find the closest match if the specified file is not found.
AllowOverride All enables per-directory .htaccess files.

Enable the new configuration for your site:

root@debian:~# a2ensite mydomain.com

Enable mod_rewrite:

root@debian:~# a2enmod rewrite

Reload the configuration for apache:

root@debian:~# service apache2 reload

 

3. Configure MySQL

Login as the root user of MySQL, use the password you chose in step #1:

root@debian:/etc/apache2# mysql -u root -p
Enter password:

Create a database:

mysql> create database mydomaincom;
Query OK, 1 row affected (0.00 sec)

Create a username and password to access the new database:

mysql> grant all on mydomaincom.* TO 'user'@'localhost' IDENTIFIED BY 'password';
Query OK, 1 row affected (0.00 sec)

Specifying @’localhost’ after the username, will only allow access from within the server itself, not remote access.
The username and password you choose here will be used by the website in order to use the database.
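The grant above gives the site user every privilege on its database and embeds the password in a SQL string, where a quote or backslash in the password would break the statement. As an added example that is not part of the tutorial, the helper below generates a random password, escapes it for a MySQL string literal, and emits the CREATE DATABASE and GRANT statements limited to the privileges a typical CMS needs (the privilege list is my assumption for a WordPress-style site; extend it if your application needs more). It uses the same GRANT ... IDENTIFIED BY form as the tutorial, which is MySQL 5.x syntax; MySQL 8 requires a separate CREATE USER first.

```shell
# Added example (not from the tutorial): least-privilege MySQL site user.
# gen_password: 24 URL-safe-ish characters from /dev/urandom
gen_password() {
  head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# sql_escape STRING: escape backslashes and single quotes for a MySQL '...' literal
sql_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# site_db_sql DB USER PASSWORD: print the SQL to create the database and a
# localhost-only user with the privileges a typical CMS needs (assumed list).
site_db_sql() {
  db="$1"; user="$2"; pass="$(sql_escape "$3")"
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON \`$db\`.* TO '$user'@'localhost' IDENTIFIED BY '$pass';
FLUSH PRIVILEGES;
EOF
}

# Demo with a constructed password; on the server pipe the output into
#   mysql -u root -p
# and put the generated password in the website's configuration.
site_db_sql mydomaincom user "$(gen_password)"
```

Keeping the grant to the listed privileges (and to @'localhost') means a compromised web application cannot read other databases on the server or hand out privileges to further accounts, which GRANT ALL would allow it to do within its own database.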

4. Finished!

That's it :)
You are now ready to start deploying your website! (WordPress, Joomla, Drupal etc..)

Password management: Keep your passwords safe


Are you following the best practices when it comes to keeping your passwords safe?

In today's Internet ecosystem, password safety is king. You can no longer trust any website to keep your passwords safe.

Even the most secure services, such as those provided by Google or Microsoft, are not 100% secure.
This has already proven to be true: both Google and Microsoft have had their services hacked in some shape or form.

Keeping your passwords safe with the best practices.

1. We must assume that every website or online service we register on is insecure. Therefore, every time we register for a new service, we must choose a unique password.

2. Never use the same password on more than one service. If you are using the same password on several services and one of your accounts gets hacked, the hacker will have the password to all those services.
Think about it. Most people use the same email address for all accounts; having several addresses is just overkill. So all the hacker needs is your password, and he can try logging in with your password and email on all the major services that most people use.

3. Pick a strong password with both uppercase and lowercase letters and numbers. You may even want to use special characters too, such as $ ^ ? . , –
Your password should be at least 8 characters long, and include all the above mixed together. You are probably going to find it a little bit hard to remember the password, but no worries, I have a way to fix this. Just keep reading.

4. Use a password manager. This way you won't have to remember all the passwords.
I'm not going to waste your time by listing all the password managers that exist, because that's not what this article is about.

I will give you the name of the password manager I use which is awesome: Lastpass – www.lastpass.com
Lastpass works in all major Internet Browsers: Internet Explorer, Firefox, Chrome, Opera, Safari. It even works on your cellphone too.
All passwords stored in Lastpass are encrypted with a very strong encryption.

Choosing a domain name for your website


Choosing a domain name for your website or blog can be a daunting task.

The common practice these days is to choose a domain name that includes some keywords that best describe the topic of your website.

There are three reasons for using a keyword:
1. Search engines will rank you higher for the specific keyword.
2. Easier for visitors to remember your address.
3. You may even get visitors who randomly type your URL into their browser.

If you were blogging about SEO, you might go about choosing a domain name like “theseoguide.com”.
If your topic is Weapons, you might go about choosing a domain name like “weaponsforsale.com”, or just “weapons.com”.
If your topic is Fitness, you might go about choosing a domain name like “fitnessblog.com”.

What if your desired domain is taken?!
Let’s say your topic is “fishing”, and the domain you wanted is taken: “fishing.com”.
Don't panic. The domain is already taken. Nothing to do about that.
Just get something else, like “letsgofishing.com”, or “fishingexpert.com”.
The possibilities are endless!

WHAT TLD? (Top Level Domain: .com .net .org etc.)
The jungle of TLDs is pretty big. In the old days, just a single TLD like "mywebsite.com" wasn't enough. People would also add "mywebsite.org", "mywebsite.net" and maybe "mywebsite.info".
As you add more TLD variations of your domain, it doesn't take long until this approach starts getting expensive.
Search engines do not like seeing the same content on several domains, so it certainly doesn't help your SEO to have several variations of your domain.

There's only one reason to have several TLDs for your domain, and that is to catch people who manually type your URL in the address bar.
And this reason is no longer relevant.

In today's internet ecosystem, every browser available has autocompletion, which means that whenever someone who visited your website earlier tries to type your address manually, the browser will automatically complete the URL for them.

Even though choosing a good domain name is important, don't forget to add content.
It doesn't matter how good your domain name is if you don't supplement it with quality content.

Now you are ready to get your domain!

Safe browsing: Stay safe while browsing the web

Safe browsing is more important than ever.
Most people aren’t aware of all the dangers and risks involved when surfing the web today.

You regularily hear about high-profile and well known websites getting hacked, like newspapers, banks or government websites. So even if you only visit websites that you trust, make no mistake, YOU ARE NOT SAFE!

Getting infected is as easy as clicking on a link, or typing a URL in your browser. It's not like the old days, when you had to download a file and click to run it before your computer was infected. Today viruses install themselves on your computer without so much as a small notice. It just happens without you ever knowing.
It's not like the virus will flash a big sign in front of your face to let you know.

There are many different kinds of viruses, some more annoying than others. The most dangerous viruses are those you never knew you had. These viruses are designed to monitor your computer 24/7 and steal your passwords, identity and credit card information.

How do viruses manage to infect your computer so easily?

A virus will infect your computer by exploiting a flaw in the software (programs, applications) installed on your computer.
This can be your Internet browser (Internet Explorer, Chrome, Firefox, Opera..), plugins/addons running in your browser (Java, Flash, JavaScript, Silverlight) or independent software like Adobe Reader or Microsoft Word.
Of course there are viruses targeting other software than the above, but these are the most common programs to find on your average personal computer.

Help! How do I stay safe?

I hope I haven't scared you too much by now. The answer is: it's very easy to stay safe.
A lot of people are already doing it without giving it much thought!

GET A VIRUS SCANNER!
Most preferably an Internet Security package. Internet Security packages are superior to regular virus scanners.
An Internet Security package will solve all the above problems and prevent any infection from reaching your computer.
Internet Security packages usually cost a couple of dollars, but it’s worth the money.