Feb 102016
 

4x_NvidiaGTX780 GPU

I’ve got Centos 7 based Bacula installation with storage daemon writing to file volumes located on ZFS filesystem. Chown’ing filesystem to user bacula was not enough, SElinux being SElinux didn’t particularly like bacula writing to location chosen by me (/tank/backup) as it expects Bacula to write to /bacula by default.

Lets identify available Bacula contexts and re-label /tank/backup accordingly

# semanage fcontext -l | grep bacula
 /bacula(/.*)? all files system_u:object_r:bacula_store_t:s0
 /etc/bacula.* all files system_u:object_r:bacula_etc_t:s0
 /var/bacula(/.*)? all files system_u:object_r:bacula_store_t:s0
 /var/lib/bacula.* all files system_u:object_r:bacula_var_lib_t:s0
 /var/log/bacula.* all files system_u:object_r:bacula_log_t:s0
 /var/run/bacula.* regular file system_u:object_r:bacula_var_run_t:s0
 /usr/sbin/bacula.* regular file system_u:object_r:bacula_exec_t:s0
 /var/spool/bacula.* all files system_u:object_r:bacula_spool_t:s0
 /var/spool/bacula/log(/.*)? all files system_u:object_r:var_log_t:s0
 /etc/rc\.d/init\.d/bacula.* regular file system_u:object_r:bacula_initrc_exec_t:s0
 /usr/sbin/bat regular file system_u:object_r:bacula_admin_exec_t:s0
 /usr/sbin/bconsole regular file system_u:object_r:bacula_admin_exec_t:s0

Ahh OK, so it’s called “system_u:object_r:bacula_store_t:s0” – lets apply it

chcon system_u:object_r:bacula_store_t:s0 /tank/backup
semanage fcontext -a -t bacula_store_t "/tank/backup(/.*)?"
restorecon -R -v /tank/backup

Same will work if your Centos 7 client will refuse to restore data to /bacula-restores, with message in server log:

26-Sep 14:40 death-star JobId 24822: Error: mkpath.c:138 Cannot create directory /bacula-restores/backup: ERR=Permission denied

and message in client log:

type=AVC msg=audit(1474897201.721:307): avc:  denied  { write } for  pid=26477 comm="bacula-fd" name="bacula-restores" dev="vda1" ino=159551617 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

Simply run:

chcon system_u:object_r:bacula_store_t:s0 /bacula-restores
semanage fcontext -a -t bacula_store_t "/bacula-restores(/.*)?"
restorecon -R -v /bacula-restores
ls -lZ /

and now your restore job will run just fine. Magic.

Dec 172015
 

Come Back Later

These are just examples to pick your imagination, please do refrain from blindly coping and pasting as you can cut yourself off 😀

UFW quick setup (Debian/Ubuntu)

 

aptitude install ufw
ufw allow 22/tcp
ufw allow from 124.111.0.0/16 to any port 22
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow proto tcp from IP.ADD.Here to any port 3306
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow from 10.10.1.0/24
# allow traffic on interface
ufw allow in on em3

ufw enable
ufw status
ufw status numbered
ufw delete 10
# ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. 
# ufw will deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds.
ufw limit ssh
ufw logging off #once it working stop flooding logs!

# ufw on KVM server, edit /etc/ufw/sysctl.conf
# and make sure we don't filter packets to our libvirt guests
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

firewall-cmd quick setup (RedHat/CentOS 7)

firewall-cmd --get-services
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https

# punch a hole for CIFS
firewall-cmd --permanent --add-service=samba

firewall-cmd --permanent --add-port 5989/tcp
firewall-cmd --list-all-zones
firewall-cmd --list-ports

firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-all
firewall-cmd --permanent --remove-service=dhcpv6-client

firewall-cmd --zone=trusted --add-source=10.100.1.18 --permanent
firewall-cmd --reload

Some say firewalld is too complicated for most server type of use, who am I to judge? Alegedly firewalld also requires Network Manager so if Network Manager is disabled then we need to go back. If you want to replace firewalld with good ol’ iptables:

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
touch /etc/sysconfig/iptables
touch /etc/sysconfig/iptables6
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables