SELinux commands cheatsheet

A comprehensive list of SELinux commands with descriptions.

avcstat
Display short SELinux AVC statistics (lookups, hits, misses, allocs, reclaims, frees).

avcstat

audit2allow
Generate SELinux policy allow rules from the denials recorded in the audit log.

cat /var/log/audit/audit.log | audit2allow
cat /var/log/audit/audit.log | grep apache | audit2allow

audit2why
Explain, in human-readable form, why each denial in the audit log occurred.

cat /var/log/audit/audit.log | audit2why
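The denial records these two tools read, and what audit2allow makes of them, as an added example (my own Python, not part of the cheatsheet): it parses constructed audit.log lines, groups the denied permissions per source type, target type and class the way audit2allow does, returns the allow rules that would result, and flags the case where the right fix is relabelling the file (chcon/restorecon) rather than loading a rule that lets httpd_t read home-directory content. The log lines, PIDs and inode numbers are constructed for the example.

```python
import re

# Constructed audit.log excerpt (sample data, not from a real system): apache2 is
# denied read/open on a file labelled user_home_t while enforcing, and
# name_connect to the MySQL port while its domain is permissive.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1415000000.123:456): avc:  denied  { read } for  pid=1234 comm="apache2" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1415000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="apache2"
type=AVC msg=audit(1415000001.456:457): avc:  denied  { open } for  pid=1234 comm="apache2" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1415000002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="apache2" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    # A context is user:role:type:level; the type is what policy rules refer to.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    d["permissive"] = d["permissive"] == "1"  # absent on old kernels: treat as enforcing
    return d

def summarize(log_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    summary = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["stype"], d["ttype"], d["tclass"])
            summary.setdefault(key, set()).update(d["perms"])
    return summary

def allow_rules(summary):
    """The policy statements audit2allow would generate from the summary."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in summary.items())

def review_notes(summary):
    """Flag rules where relabelling the file beats widening the policy."""
    return [f"{s} -> {t}: file carries a home-directory label; fix the label with "
            f"chcon -t / restorecon rather than loading 'allow {s} {t}:{c}'"
            for (s, t, c) in summary if t.endswith("_home_t") and c in ("file", "dir")]
```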

chcon
Change the SELinux context of a file or directory temporarily: the change is not recorded in the policy's file-context rules, so it is undone when the file is relabelled (by restorecon, or by a filesystem relabel at boot).

chcon -t user_home_t /home/user
chcon -R -t user_home_t /home/*

checkpolicy

fixfiles

genhomedircon

getsebool

getenforce

matchpathcon

newrole

restorecon

run_init

selinuxenabled

sestatus

setfiles

setsebool

setenforce

SELinux: Run a command or script in a specific context

In this howto I will show you a quick example of how to run a command or script in a specific type, role and user context.

This is useful if you need to test something before applying a permanent rule.

Use the following command:

runcon -t initrc_t -r system_r -u user_u yourcommandhere

-t sets the type (initrc_t here), the domain the command runs in.
-r sets the role (system_r).
-u sets the SELinux user (user_u).

Setting up OpenVPN on Debian

In this tutorial I will explain how to install, configure and use an OpenVPN server on Debian, quick and painless :)

I will be using Debian “wheezy” 7.7.0, but the instructions should still apply to newer and earlier releases.

A VPN is used to provide an encrypted “tunnel” between you, the VPN-Server, and possibly other clients who are also connected to the same VPN-Server.
All traffic passing between you and the VPN-Server is encrypted, thus preventing a third party/hacker from eavesdropping on your connection and stealing sensitive information from you.

A VPN can be very useful if you are connected to a potentially unsafe internet connection at a public wifi hotspot, such as an airport, coffee shop, restaurant or hotel, where a malicious user may be trying to steal your personal information.

A VPN can also be used if you want to hide your IP-address, or appear to be in a different country in order to bypass a firewall or access region restricted content (netflix, youtube..).

1. Install software

Fire up a shell, and type the following.
Make sure you are logged in as root, or use sudo, when running this command.

root@debian:~# apt-get install -y openvpn bind9

If you are wondering why we also install a package called “bind9”: it is a DNS server, which is needed when all traffic is to pass through the VPN, since the clients will be told to use the VPN server for name resolution.

If you only want certain traffic going to a service within the VPN network, with normal traffic going outside the VPN, you don't need bind9 and can skip it.

2. Generate Certificates for OpenVPN

Copy the files needed to generate SSL certificates and keys:

root@debian:~# cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Start generating the CA (Certificate Authority) files:

root@debian:~# cd /etc/openvpn/easy-rsa/2.0/
root@debian:~# source ./vars
root@debian:~# ./clean-all
root@debian:~# ./build-ca

You will be asked to enter several pieces of information before the files are generated.
It really makes no difference what you type here, so just hit “enter” without typing anything.

Generate a private key for your server: (change “myserver” to your servername)

root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-key-server myserver

Again, you will be asked for information. Just keep hitting enter until the last two questions, where you must type “y” and hit “enter” on both.

Generate the Diffie-Hellman parameters (this produces dh1024.pem):

root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-dh

Generate a certificate for each client/computer that is going to connect to your server: (change “client” to a unique name for each client)

root@debian:~# . /etc/openvpn/easy-rsa/2.0/build-key client

Run this command once for each client, changing the “client” name each time, because each client must have a unique name.

Now it’s time to copy all the files we generated to the OpenVPN config folder:

root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/ca* /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.crt /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/myserver.key /etc/openvpn
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn

Copy the client certificate(s) to your regular user account: (change “myuser” to your regular user account)

root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/client.key /home/myuser
root@debian:~# cp /etc/openvpn/easy-rsa/2.0/keys/client.crt /home/myuser


3. Configure OpenVPN Server

We start by decompressing a sample config file for the server:

root@debian:~# gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz

Copy the file to the OpenVPN config folder:

root@debian:~# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn

Copy a sample config file which will be used by each client connecting to the VPN: (change “myuser” to your regular user account)

root@debian:~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/myuser

This file must be downloaded to each VPN-client later.

Open the server configuration file: /etc/openvpn/server.conf

Change the following lines to reflect the servername you chose when you generated the certificates: (I used the name “myserver”)

cert server.crt
key server.key

Uncomment the following line, by removing the “;” preceding the line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

;push "redirect-gateway def1 bypass-dhcp"

Add the following line anywhere in the file:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

push "dhcp-option DNS 10.8.0.1"

Uncomment the following line, by removing the “;” preceding the line: (this lets VPN clients communicate with each other through the VPN)

;client-to-client

That’s it. Save and close the file.
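The server.conf edits above, carried out in code as an added example (my own Python, not from the tutorial or the OpenVPN project): configure_server applies the cert/key rename, uncomments redirect-gateway and client-to-client, and adds the DNS push to a constructed excerpt of the sample file, skipping the full-tunnel lines when asked; referenced_files then lists the certificate, key and DH files the finished config expects in /etc/openvpn, which should match what step 2 copied there. The excerpt is my own cut-down copy, not the full file shipped with the package.

```python
import re

# Constructed excerpt of the sample server.conf from step 3 (my own cut-down copy,
# not the full file shipped with the openvpn package).
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;client-to-client
keepalive 10 120
"""

def configure_server(conf, server_name, full_tunnel=True, client_to_client=True,
                     dns="10.8.0.1"):
    """Apply the step 3 edits to server.conf text; safe to run more than once."""
    out = []
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("cert "):
            line = re.sub(r"^(\s*cert\s+)\S+", lambda m: m.group(1) + server_name + ".crt", line)
        elif stripped.startswith("key "):
            line = re.sub(r"^(\s*key\s+)\S+", lambda m: m.group(1) + server_name + ".key", line)
        elif full_tunnel and stripped == ';push "redirect-gateway def1 bypass-dhcp"':
            line = stripped[1:]                       # uncomment: route everything via VPN
        elif client_to_client and stripped == ";client-to-client":
            line = "client-to-client"                 # lets clients reach each other
        out.append(line)
    if full_tunnel and not any(x.startswith('push "dhcp-option DNS') for x in out):
        out.append(f'push "dhcp-option DNS {dns}"')   # hand clients the VPN-side resolver
    return "\n".join(out) + "\n"

def referenced_files(conf):
    """Files the config will look for in /etc/openvpn (comments stripped)."""
    files = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("ca", "cert", "key", "dh"):
            files[parts[0]] = parts[1]
    return files
```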
Edit /etc/sysctl.conf and uncomment the following line:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

#net.ipv4.ip_forward=1

This enables IP forwarding in the kernel, so the server can route the VPN clients' traffic onward to the rest of the network.
Restart the networking service:

root@debian:~# service networking restart

Restart the OpenVPN server:

root@debian:~# service openvpn restart

Create some iptables rules needed to forward the traffic:
(SKIP this if you want regular traffic to pass outside the VPN, instead of piping everything through the VPN.)

root@debian:~# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@debian:~# iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT


4. Setting up the OpenVPN client

If you are planning to have multiple clients, you must create a unique config file for each client and make the following changes.

Open the client configuration file that you copied to your regular user account earlier: /home/myuser/client.conf

Change “my-server-1” on the following line to the IP address (or hostname) of your OpenVPN server:

remote my-server-1 1194

Change these lines to reflect the name you chose for your client when you created the certificates:

cert client.crt
key client.key

That’s it. Save and close the file.
Now it’s time to install the VPN client software on your client computer(s).
This should be very straightforward, so I'm not going into detail on this.

You can download the OpenVPN client software here:
http://openvpn.net/index.php/open-source/downloads.html
After you complete installing the OpenVPN client software, copy the following files from the server, to the config path for your VPN client:

/home/myuser/client.key
/home/myuser/client.crt
/home/myuser/client.conf
/etc/openvpn/ca.crt

Note: If you are using the client on Windows, the “client.conf” file must be renamed to “client.ovpn” in order for the file to be loaded automatically.

5. Finished!

You are now finished! All that remains is to start the OpenVPN client, and it will automatically connect to your VPN-Server.

Setting up LAMP (Linux, Apache, MySQL, PHP) on Debian

In this tutorial I will explain how to set up a LAMP stack on Debian.
LAMP is an acronym for a software bundle consisting of Linux, Apache, MySQL and PHP, all running together in order to power websites.

I will be using Debian “wheezy” 7.7.0, but the instructions should still apply to newer and earlier releases.

1. Install software

Fire up a shell, and type the following.
Make sure you are logged in as root, or use sudo, when running this command.

root@debian:~# apt-get install -y mysql-server apache2 libapache2-mod-php5 php5-mysql

You will be asked to choose a password for the root user of MySQL.
We will use this password later to create a database for your website.

2. Configure Apache

Create a file with your domain name, “mydomain.com”, and place it under the following location: /etc/apache2/sites-available/mydomain.com

Put the following content inside the file:

<VirtualHost *:80>
        ServerName www.mydomain.com
        ServerAlias mydomain.com
        DocumentRoot /var/www

        <Directory /var/www>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

ServerName is the primary hostname you are going to use.
ServerAlias lists other hostnames that should resolve to the same content; you can put multiple names separated by a space.
DocumentRoot is the path to your content.
The Directory block covers the same path as DocumentRoot and specifies permissions and settings for it.
Options Indexes will display a directory listing of all files if there is no index file. Change this to Options -Indexes if you don't want directory listings to be shown.
Options FollowSymLinks will allow symlinks inside the DocumentRoot path to be followed, so other folders can be linked into it.
Options MultiViews will try to find the closest match if the specified file is not found.
AllowOverride All allows custom .htaccess files to override these settings.
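A small audit of this vhost as an added example (my own Python, not part of the tutorial): audit_vhost flags the settings described above that widen what the site exposes, and harden_vhost produces the Options -Indexes variant while leaving every other line as written. The sample vhost is a constructed copy of the one above.

```python
# Constructed copy of the vhost from step 2 (my sample input, not the page's file).
SAMPLE_VHOST = """\
<VirtualHost *:80>
        ServerName www.mydomain.com
        ServerAlias mydomain.com
        DocumentRoot /var/www

        <Directory /var/www>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
"""

def audit_vhost(text):
    """List (directive, note) pairs for settings that widen what the site exposes."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "Options":
            if "Indexes" in parts:
                findings.append(("Options", "Indexes: directories with no index file are listed to visitors"))
            if "FollowSymLinks" in parts:
                findings.append(("Options", "FollowSymLinks: symlinks are followed even when they point outside DocumentRoot; SymLinksIfOwnerMatch is stricter"))
        elif parts[0] == "AllowOverride" and parts[1:] == ["All"]:
            findings.append(("AllowOverride", "All: any .htaccess under DocumentRoot may change these settings"))
    return findings

def harden_vhost(text):
    """Return the vhost with directory listings turned off (Options -Indexes)."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "Options":
            indent = raw[: len(raw) - len(raw.lstrip())]   # keep the original indentation
            parts = ["-Indexes" if p == "Indexes" else p for p in parts]
            raw = indent + " ".join(parts)
        out.append(raw)
    return "\n".join(out) + "\n"
```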

Enable the new configuration for your site:

root@debian:~# a2ensite mydomain.com

Enable mod_rewrite:

root@debian:~# a2enmod rewrite

Reload the configuration for apache:

root@debian:~# service apache2 reload


3. Configure MySQL

Login as the root user of MySQL, use the password you chose in step #1:

root@debian:/etc/apache2# mysql -u root -p
Enter password:

Create a database:

mysql> create database mydomaincom;
Query OK, 1 row affected (0.00 sec)

Create a username and password to access the new database:

mysql> grant all on mydomaincom.* TO 'user'@'localhost' IDENTIFIED BY 'password';
Query OK, 1 row affected (0.00 sec)

Specifying @’localhost’ after the username only allows access from within the server itself, not remote access.
The username and password you choose here will be used by the website in order to use the database.

4. Finished!

That's it :)
You are now ready to start deploying your website! (WordPress, Joomla, Drupal etc..)