Posts under category Linux笔记

Modifying SElinux configure for allowing nginx reverse proxy local site

Author: moon
Date: February 5, 2019
Category: Linux笔记
1 Comment

Read about audit2allow and used it to create a policy to allow access to the denied requests for nginx.

    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
    [root]# cat nginxlocalconf.te 
    
    module nginxlocalconf 1.0;
    
    require {
        type httpd_t;
        type var_t;
        type transproxy_port_t;
        class tcp_socket name_connect;
        class file { read getattr open };
    }
    
    #============= httpd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
    allow httpd_t transproxy_port_t:tcp_socket name_connect;
    allow httpd_t var_t:file { read getattr open };
    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginxlocalconf
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i nginxlocalconf.pp
    
    [root]# semodule -i nginxlocalconf.pp

Explaining command su

Author: moon
Date: September 30, 2018
Category: Linux笔记
1 Comment

Running a command with substitute user is the typical use of command su under linux.

Sometimes, use -s option to running the specified shell instead of the default, this option may helps a lot when need to access user whose default shell is /sbin/nologin, usage like su -s /bin/bash jenkins

Explaining file /ets/sudoers

Author: moon
Date: September 30, 2018
Category: Linux笔记
2 Comments

/ets/sudoers configure user(s) who can get root privileges under linux.
440 permission is on this file by default, so chmod +w operation is required before modify file, don't forget chmod -w once modified.

Some typical configs are as follow:

allow jenkins user restart uwsgi service via systemd:

jenkins     ALL  = NOPASSWD    : /bin/systemctl restart uwsgi

explain:

user        host = need passwd?: command 1, shell 2, ...

allow moon user access sudo privileges unconditional:

moon    ALL=(ALL)       NOPASSWD: ALL

从Linux创建稳定运行的Mysql数据库说起

Author: moon
Date: January 3, 2016
Category: Linux笔记
Comment

这周完成了所有站点从阿里云RDS迁到ECS自建数据库的工作。
主要原因是RDS现有计费方式下Mysql最大连接数只有60，完全无法满足我的要求。

阿里云继续作看看能不能把我逼成腾讯云用户。

- Read More -

阿里云Ubuntu和CentOS软件源地址

Author: moon
Date: November 26, 2015
Category: Linux笔记
Comment

CentOS：
镜像文件本地路径
/etc/yum.repos.d/CentOS-Base.repo
阿里云Centos镜像
http://mirrors.aliyun.com/repo/Centos-7.repo(可直接下载替换)
对应不同的CentOS版本需要修改对应的版本号
然后更新镜像 yum makecache

- Read More -

狗窝

狗窝里有一头熊猫和一只狗