Klaus

Dockerized

 Fri, 09 Dec 2016 19:02:47 +0100 
Nearly all web projects are moved to #Docker containers now. The old infrastructure was mostly based on CentOS6/7 and the main reason for this step was the annoyance of legacy #PHP projects and their PHP version requirement conflicts. I don't need a cluster or swarm, so I have a single instance with #CentOS based #Project Atomic only. The dockerized projects include:
  • static pages with nginx
  • #TYPO3 7.6
  • #Drupal 8.2
  • #Piwik 2.17
  • #Revive Adserver 4.x
  • #OXID eShop 4.[9|10]
  • ...

Here are some completely subjective "best practices":
  • I was a bit disappointed about most available images in Docker's Hub. But make use of the official mariadb, php, drupal, nginx images!
  • Use your Dockerfile and no massive entrypoint scripts.
  • Don't try to build a base image for all your projects; the projects all have too different requirements. Found it much easier to build custom images from the official PHP images directly with only what was really needed for the projects.
  • Think about mail delivery requirements. Does your application require mail(), or can you configure an SMTP server? Use sSMTP if you need a local MTA.
  • Get your persistent volumes right and use the correct #SELinux labels.
  • A local repository makes deployment much easier.
  • Use #Jenkins to build and deploy new images.
  • Don't use --link, use Docker networks instead!
  • jwilder/nginx-proxy still has some bugs, especially with custom nginx configurations, but a wonderful tool.
  • jrcs/letsencrypt-nginx-proxy-companion and it was never easier to get certificates.
  • Think about reboots. How do you want your containers to be managed? Services for systemctl work quite well so far.
  • Redirect your application logs to the right output. Log management I should take a look at again.

Should also get my private projects into containers next.
Klaus

CIL

 Tue, 05 Jul 2016 17:45:29 +0200 
#^SELinuxProject/cil
The #SELinux Common Intermediate Language (CIL) is designed to be a language that sits between one or more high level policy languages (such as the current module language) and the low-level kernel policy representation. The intermediate language provides several benefits:

Enables the creation of multiple high-level languages that can both consume and produce language constructs with more features than the raw kernel policy (e.g., interfaces). Pushing these features into CIL enables cross-language interaction.

Eases the creation of high-level languages, encouraging the creation of more domain specific policy languages (e.g., CDS Framework, Lobster, and Shrimp).

Provides a semantically rich representation suitable for policy analysis, allowing the analysis of the output of multiple high-level languages using a single analysis tool set without losing needed high-level information.
Klaus

Server Weakening done right

 Tue, 19 Jan 2016 17:58:45 +0100 
O_o o_O O_o o_O
#^Server Hardening | Linux Journal
Server hardening. The very words conjure up images of tempering soft steel into an unbreakable blade, or taking soft clay and firing it in a kiln, producing a hardened vessel that will last many years. Indeed, server hardening is very much like that.

The next part made me really :rofl
So suffice it to say, I personally do not trust anything sourced from the NSA, and I turn SELinux off because I'm a fan of warrants and the fourth amendment. The instructions are generally available, but usually all you need to do is make this change to /etc/selinux/config:

# SELINUX=enforcing # comment out
SELINUX=disabled # turn it off, restart the system

If you are more scared of the NSA breaking into your server than of some other unwanted visitors, and you believe that they have no other way than to use a backdoor in #SELinux, please go on; otherwise :facepalm
Klaus

Security Enhanced PostgreSQL

 Thu, 05 Feb 2015 16:54:29 +0100 
Quite interesting what you can do with #SELinux, #SE PostgreSQL and #Mod-SELinux.

#^Mod-SELinux » ADMIN Magazin
Web application firewalls fend off known attacks, but they offer no protection against the crackers' ever-new tricks. Mod-SELinux puts a final stop to them.
Klaus

SELinux visual how-to guide

 Fri, 18 Apr 2014 17:46:37 +0200 last edited: Fri, 18 Apr 2014 22:23:32 +0200  
Excellent article by Daniel Walsh explaining the different enforcement policies in #SELinux.

#^Your visual how-to guide for SELinux policy enforcement | opensource.com

Dan Walsh of Red Hat shares a visual how-to guide for SELinux policy enforcement.
Klaus

SELinux and load data infile

 Mon, 20 Jan 2014 23:51:12 +0100 
#SELinux should be simple, actually. It is just about labels. o_O But today I am again totally stuck and not getting anywhere. For AppArmor I have found solutions, there is even one documented in Piwik's FAQ http://piwik.org/faq/troubleshooting/#faq_194, but I cannot find any satisfying solution for SELinux. I have tried several search engines, but somehow I cannot find anything that solves this problem.

Here is my problem:
Try #1: LOAD DATA INFILE : SQLSTATE[HY000]: General error: 13 Can't get stat of '/srv/.../piwik/tmp/assets/piwik_option-29b74e562dbd45071d2667ee8774bdfd.csv' (Errcode: 13)

This should be a common task, I think; why can I not find anything appropriate? Either httpd is complaining or mysqld complains that it cannot access the required files.

audit.log shows this:

type=AVC msg=audit(1390235950.375:12795): avc:  denied  { getattr } for  pid=43196 comm="mysqld" path="/srv/.../piwik/tmp/assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1390235950.375:12795): arch=c000003e syscall=6 success=no exit=-13 a0=7fed64073930 a1=7fed64073860 a2=7fed64073860 a3=fffffffffffffffd items=0 ppid=2669 pid=43196 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=5 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1390235950.375:12796): avc:  denied  { search } for  pid=43196 comm="mysqld" name="assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1390235950.375:12796): arch=c000003e syscall=4 success=no exit=-13 a0=7fed64074fc0 a1=7fed64074eb0 a2=7fed64074eb0 a3=fffffffffffffffd items=0 ppid=2669 pid=43196 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=5 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)

audit2allow gives me this solution:
#============= mysqld_t ==============
allow mysqld_t httpd_sys_rw_content_t:dir { getattr search };

But this solution seems to grant way too many permissions to mysqld. I only want to allow it for this single folder, not for all folders that httpd has rw permissions on.
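
An added example, not part of the original post: it parses the two AVC records quoted above and rebuilds the rule audit2allow printed. This shows that the rule is keyed only on source type, target type and object class, so the denied path never enters it. Function names are illustrative.

```python
import re
from collections import defaultdict

# The two AVC records from the audit.log excerpt above (SYSCALL records omitted).
AUDIT_LOG = '''type=AVC msg=audit(1390235950.375:12795): avc:  denied  { getattr } for  pid=43196 comm="mysqld" path="/srv/.../piwik/tmp/assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1390235950.375:12796): avc:  denied  { search } for  pid=43196 comm="mysqld" name="assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    rec = {k: v.strip('"') for k, v in fields.items()}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; type enforcement only uses the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        # Kept only for the human reader; it is not part of the generated rule.
        groups[key]["objects"].add(rec.get("path") or rec.get("name"))
    return dict(groups)

def allow_rules(groups):
    """Render type-enforcement rules; note that no path appears in them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    groups = summarize(AUDIT_LOG)
    for rule in allow_rules(groups):
        print(rule)
    for key, g in groups.items():
        print(key, "denied objects:", sorted(g["objects"]))
```

Because type enforcement matches on labels rather than paths, the generated rule covers every directory labelled httpd_sys_rw_content_t. Narrowing the grant to one folder means giving that folder its own type and allowing mysqld_t access to that type only.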