Category Archives: Linux

wordpress file owner and permission with nginx on Centos 7 (SElinux on)

As a security tool, SElinux is great. Howere, it gives me nightmares when I setup a wordpress sites with nginx.

File owner and permission setup:

  • I set the owner of all wordpress files as MY_USER_NAME
  • I add MY_USER_NAME to nginx group
  • I set all wordpress files to group-readable and group-writable, (so that nginx can read and write)
sudo usermod -a -G nginx MY_USER_NAME

sudo chown -R MY_USER_NAME:nginx *

sudo find . -type d -exec chmod 775 {} \;
sudo find . -type f -exec chmod 664 {} \;

Problem 1: cannot upload media file
Problem 2: cannot install plugin (wordpress asks for FTP)

Fix 1:

chcon -t httpd_sys_rw_content_t html

maybe: 
sudo chcon --reference=html example.com
sudo chcon --reference=html example.com/html

When I check SElinux log with:

sudo sealert -a /var/log/audit/audit.log

I find SElinux prevents nginx/php-fpm write example.com/html.

But I did not get any warning when I start nginx. As I remember, starting Apache without this fix will fail?

Fix 2:

sudo chown -R nginx wp-content
sudo chown -R nginx wp-admin

maybe:
sudo chcon --reference=../html wp-content

I though changing the owner of wp-content should be enough, but no, it does not work. I have to change the owner of wp-admin as well.

On Fedora 25:
selinux blocks php-fpm for access of mysql port, to enable this access:

setsebool -P httpd_can_network_connect_db 1

For memcache:

setsebool -P httpd_can_network_memcache 1

More details are HERE.

Google Compute Engine (GCE) firewall and iptables at VM host

After I click “Allow HTTP” and “Allow HTTPS” in the settings of Centos 7 vm, I can get http or https pages of my site. What? I thought I need to explicitly allow port 80 and port 443 in iptables like I did in other servers. Why don’t I need to touch iptables in this case?

sudo iptables -L -n | less

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
...
Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_trusted  all  --  0.0.0.0/0            0.0.0.0/0           
IN_trusted  all  --  0.0.0.0/0            0.0.0.0/0 
...
Chain IN_trusted (2 references)
target     prot opt source               destination         
IN_trusted_log  all  --  0.0.0.0/0            0.0.0.0/0           
IN_trusted_deny  all  --  0.0.0.0/0            0.0.0.0/0           
IN_trusted_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0    
...

The last line “ACCEPT all” does not look right to me. In Chain IN_trusted, iptables does IN_trusted_{log,deny,allow} and “ACCEPT all” for the rest. Should it DROP all the others by default for security?

(Since GCE has its own firewall and it blocks all except for things allowed, “ACCEPT all” here in iptables probably won’t bring any security issues.)

When I delete the last rule, I cannot get access to my sites by port 80.

[X ~]$ sudo iptables -L IN_trusted --line-numbers

Chain IN_trusted (2 references)
num  target     prot opt source               destination         
1    IN_trusted_log  all  --  anywhere             anywhere            
2    IN_trusted_deny  all  --  anywhere             anywhere            
3    IN_trusted_allow  all  --  anywhere             anywhere            
4    ACCEPT     all  --  anywhere             anywhere

[X ~]$ sudo iptables -D IN_trusted 4
[X ~]$ sudo iptables -L IN_trusted --line-numbers

Chain IN_trusted (2 references)
num  target     prot opt source               destination         
1    IN_trusted_log  all  --  anywhere             anywhere            
2    IN_trusted_deny  all  --  anywhere             anywhere            
3    IN_trusted_allow  all  --  anywhere             anywhere 

I checked other server images, in Fedora 25 server edition:

Chain FWDI_FedoraServer (2 references)
target     prot opt source               destination         
FWDI_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 

It only accepts icmp for the rests, which make much more sense to me.

Linux cannot boot, only shows grub prompt

Today, after a reboot, my laptop (Fedora 25) cannot boot and only shows grub prompt. I have no idea what happened or what changes I made to the system.

Here is how I fixed it:

1. use ls command to find the partition that has kernel images,

for example,
ls (hd0,gpt5)

shows something like:
vmlinuz-4.10.5-200.fc25.x86_64
initramfs-4.10.5-200.fc25.x86_64.img

2. select kernel image and boot

(I have UEFI enabled and use lvm partition)

Because of lvm partitionm, I need to specify where the root is. My root partition is mapped as /dev/fedora/root.

set root=(hd0,gpt5)
linuxefi /vmlinuz-4.10.5-200.fc25.x86_64 root=/dev/fedora/root ro
initrdefi /initramfs-4.10.5-200.fc25.x86_64.img
boot

After successfully login, we need regenerate grub.cfg. (for unknown reason, my grub.cfg was an empty file…)

grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

That’s all and everything looks good now.

Reference:
[http://www.terminalinflection.com/manual-grub-boot/]

cmd

open service by allowing addresses with firewall-cmd:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="dns" log prefix="dns" level="info" accept'

directly add service without filtering addresses:
sudo firewall-cmd --add-service=dns

to make it permanent:
--permanent

move gnome-boxes image to another host

Let’s answer a few questions before we move:

Q: where does gnome-boxes store images?
~/.local/share/gnome-boxes/images

Q: Are there other directories I need to backup?
~/.config/libvirt
~/.config/gnome-boxes

If you do not have any existing gnome-boxes images on your new host, please copy these three directories to your new host. It just works!

If you have existing images at your new host, do NOT directly copy these directories to your new hosts. Otherwise, you will overwrite your existing images and configurations.

Let’s assume the image you want to move is:
~/.local/share/gnome-boxes/images/win10

so there is a config file corresponding to this image:
~/.config/libvirt/qemu/win10.xml

Step 1: copy the above two files to the new host

Step 2: find the correct uuid for your image in: ~/.config/libvirt/qemu/win10.xml

Step 3:
open qemu session file:
~/.config/gnome-boxes/sources/'QEMU Session'
(I think this file is used to display the sessions at gnome-box main window when you open the application)

you will see something like:

[display A-B-C]
last-seen-name=Microsoft Windows 10
uuid=X-Y-Z
access-last-time=1234567890
access-ntimes=1
access-total-time=1

append the corresponding session information with the same uuid to new host at: ~/.config/gnome-boxes/sources/'QEMU Session'

Step 4: restart gnome-boxes and you will see your old VM image

References
[https://ask.fedoraproject.org/en/question/29704/how-do-i-move-a-virtual-machine-in-gnome-boxes-to-another-host]

dual boot fedora 19 or 20 or 21 and windows 7 cleanly

I use Linux a lot and I like it very much. However I just cannot get rid of windows completely because certain applications only run under windows perfectly and natively, such as Microsoft PowerPoint and some games. I don’t want to talk about wine or crossover here, and that should be another post.

It is fairly easy to dual boot any Linux systems (Ubuntu, Fedora, etc.) and Windows. There are tons of resources online. However, I want to make a dual boot installation of Fedora and Windows CLEANLY!

By “cleanly”, I mean:
1. Fedora’s bootloader should not overwirte the Master Boot Record (MBR)
2. Let Windows’s bootloader to boot Fedora
3. You can delete Linux partition inside your windows system without causing any issues of existing Windows

Why do I need this “cleanly”?
Many laptops pre-installed Windows often have a recovery disk partition which you can use to reset your laptop to factory settings. It may be called “one key recovery”. Yes, literally, hitting one key during the system rebooting and that’s it. If Fedora installation overwrites MBR, the “one key recovery” will not work any more. I don’t want to loss this magic.

Fedora used to have an option to let user choose where to install the bootloader during the installation. However, this option is gone for some reason. (Can any one tell me why?)

I searched, searched, and finally found several useful links which are in the end of this post. I summarized how to make it in the following.
(The following commands have been tested on Fedora 19, 20, 21)

1. Assuming you have a laptop installed Windows, you need to make some unused space by either disk management tool coming with windows or other external tools.

2. Use liveusb-creator-3.12.0 to create Fedora image with usb

3. insert usb and boot from usb
You can do whatever to partition your fedora disk but you must have a stand alone /boot partition. When installing, you should NOT choose installing bootloader. Pay attention to the size of /boot partition because you may need to find this partition by its size later.

4. After the installation is finished, boot from usb device again.

5. change to root user

su

6. find which partition is /boot, normally it should be 500MB or whatever you set when installing fedora

fdisk -l

in my case, it’s /dev/sda6

7. check logical partition if you have, show logic partitaion, find “lv parth”

lvdisplay

in my case /dev/fedora/root and /dev/fedora/home

8. make a directory to work in:

mkdir /mnt/sysimage

9. mount your filesystems (device nodes are examples, be sure to fill in your own!):

mount /dev/fedora/root /mnt/sysimage
mount /dev/fedora/home /mnt/sysimage/home
mount /dev/sda6 /mnt/sysimage/boot

10. bind mount your system filesystems:

mount --bind /dev /mnt/sysimage/dev
mount --bind /proc /mnt/sysimage/proc
mount --bind /sys /mnt/sysimage/sys

11. chroot

chroot /mnt/sysimage/

12. install bootloader

grub2-install --recheck --force /dev/sda6
grub2-mkconfig -o /boot/grub2/grub.cfg

13. reboot

After all these, you are almost done. You probably see your laptop goes directly into Windows. That’s fine.
The final step is to create an entry in Windows boot menu.

The tool I used is EasyBCD.

choose “Add New Entry”
choose tab “Linux/BSD”
choose type “grub 2”
enter name “Fedora or whatever”
drive: linux 500MB
hit add entry
hit save settings

root windows and you will find a entry for Fedora.

However, you will only see booting in text mode. If you want the fancy animation, you need to edit file /etc/default/grub. (create a new file if it doesn’t exist)

Add the grub options to it (the example file after installing FC 19, FC 20, FC21 with bootloader are shown in the following).
Redo grub2-mkconfig -o /boot/grub2/grub.cfg

Example /etc/default/grub file
FC21:

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

FC 20:

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/swap vconsole.font=latarcyrheb-sun16 rd.lvm.lv=fedora/root $([ -x /usr/sbin/rhcrashkernel-param ] && /usr/sbin/rhcrashkernel-param || :) rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

FC19:

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/swap rd.md=0 rd.dm=0 vconsole.keymap=us $([ -x /usr/sbin/rhcrashkernel-param ] && /usr/sbin/rhcrashkernel-param || :) rd.luks=0 vconsole.font=latarcyrheb-sun16 rd.lvm.lv=fedora/root rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

A complete list of command lines in my case:

sudo mkdir /mnt/sysimage
sudo mount /dev/fedora/root /mnt/sysimage
sudo mount /dev/fedora/home /mnt/sysimage/home
sudo fdisk -l (to get the list of partition to find where is /boot, in my case /dev/sda6)
sudo mount /dev/sda6 /mnt/sysimage/boot
sudo mount --bind /dev /mnt/sysimage/dev
sudo mount --bind /proc /mnt/sysimage/proc
sudo mount --bind /sys /mnt/sysimage/sys
sudo chroot /mnt/sysimage
grub2-install --recheck --force /dev/sda6
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

References
[https://bugzilla.redhat.com/show_bug.cgi?id=872826]
[http://forums.fedoraforum.org/showthread.php?t=286853]
[https://help.ubuntu.com/community/Grub2/Installing#ChRoot]
[http://forums.fedoraforum.org/showthread.php?t=281358]
[http://fedoraproject.org/wiki/Features/Grub2#From_a_DVD_with_Anaconda]
[http://linuxers.org/howto/how-mount-linux-lvm-volume-partitions-linux]
[http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/477980-grub2-update-grub.html]
[http://www.youtube.com/watch?v=kRrfCe79SjU]