Nov 062015

ACL set codes

Working with permissions on NAS4FREE shell is pleasant and enjoyable experience …. *cough*, *cough*.

$ getfacl /tank/shared

# file: /tank/shared
# owner: aduser
# group: 500
                         [email protected]:rwxpD-a-R-c---:------:allow
                            [email protected]:rwxpD-a-R-c---:------:allow

full_set = rwxpdDaARWcCos = all permissions
modify_set = rwxpdDaARWc–s = all permissions except write_acl, write_owner
read_set = r—–a-R-c— = read_data, read_attributes, read_xattr, read_acl
write_set = -w-p—A-W—- = write_data, append_data, write_attributes, write_xattr
NFSv4 ACL legend (read from top, down and exit on first match)

                 [email protected]:--------------:-------:deny
                 [email protected]:rwxp---A-W-Co-:-------:allow
                 [email protected]:-w-p----------:-------:deny
                 [email protected]:r-x-----------:-------:allow
              [email protected]:-w-p---A-W-Co-:-------:deny
              [email protected]:r-x---a-R-c--s:-------:allow
           (r)read data +|||||||||||||:||||||+ (I)nherited
           (w)rite data -+||||||||||||:|||||+- (F)ailed access (audit)
              e(x)ecute --+|||||||||||:||||+-- (S)uccess access (audit)
               a(p)pend ---+||||||||||:|||+--- (n)o propagate
               (d)elete ----+|||||||||:||+---- (i)nherit only
         (D)elete child -----+||||||||:|+----- (d)irectory inherit
          read (a)ttrib ------+|||||||:+------ (f)ile inherit
         write (A)ttrib -------+||||||
           (R)ead xattr --------+|||||
          (W)rite xattr ---------+||||
             read a(c)l ----------+|||
            write a(C)l -----------+||
         change (o)wner ------------+|
                   sync -------------+


Changing permissions over NAS4FREE console is possible

setfacl -m u:aduser:rwxpdaARWc:fd:allow folderHere
setfacl -m g:adgroup_shared_share_access:rwxpDaARWcCo:fd:allow shared/

But it’s probably easier to manage it from Windows workstation

Pick one responsible user and grant him/her SeDiskOperatorPrivilege

net rpc rights grant aduser SeDiskOperatorPrivilege -U adadmin
net rpc rights list accounts -P
net rpc rights list -P

Also add in NAS4FREE web interface under Services|CIFS/SMB|Share|Edit|Auxiliary parameters

admin users = aduser
valid users = @adgroup_shared_share_access, @"ADgroup Shared Share Access"
write list = @adgroup_shared_share_access, @"ADgroup Shared Share Access"

And just let him do the hard work of dealing with other users.

Useful links

May 072015

These pesky SeLinux commands that are just impossible to remember


We need some tools

yum install policycoreutils-python -y 

Non-default location for homedirs

# say user dyzio comes from AD/LDAP and lives under /users/d/dyzio
mkdir -p /users/{a..z} # precreate home_root_t
chcon -t home_root_t /users
semanage fcontext -a -t home_root_t "/users(/.*)?"
restorecon -R -v /users

# if you need to autocreate home dirs you'll need 
yum install -y oddjob-mkhomedir
# and for AD users "usepasswd=True" in this file
vim /etc/selinux/semanage.conf
# this will check user entry in ldap and set correct security context "user_home_t" on user home


semanage fcontext -a -t samba_share_t "/srv/shared(/.*)?"
restorecon -R -v /srv/shared


setsebool -P httpd_can_sendmail on

Assign the appropriate Selinux security context to our custom web app directories. This grants Apache permissions to access them.

chcon -Rv --type=httpd_sys_content_t /webapps/apps/app1/public_html
chcon -Rv --type=httpd_sys_content_t /webapps/logs/app1/