How to get root dn in ldap (Ubuntu) - linux

I want to know the root DN in LDAP; is there any command for that?
Here is what I found in /etc/ldap/slapd.d/cn\=config.ldif:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 6a0e29d2-7341-1036-810b-5902d64537f7
creatorsName: cn=config
createTimestamp: 20170120094900Z
entryCSN: 20170120094900.675648Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170120094900Z
Does that mean the root DN is 'cn=config'?

Many servers expose such parameters as attributes.
You are looking for the namingContexts attribute. (Some servers also have a defaultNamingContext and/or configContext.)
You must use "base" as the search scope.
These are operational attributes, which have to be explicitly requested by name or by the + wildcard:
ldapsearch -LLL -h <ldaphost> -b "" -s base +
Or, if the server asks for credentials:
ldapsearch -LLL -h <ldaphost> -s base -D "bindDN" -w "bindPassword" -b "" +
Output:
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=mydomain
namingContexts: dc=mydomain2,dc=myorg
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
.
.
.
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
.
.
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
.
.
supportedLDAPVersion: 3
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
entryDN:
subschemaSubentry: cn=Subschema
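As an added example (not code from the answer), a small POSIX shell/awk helper that pulls attribute values out of the rootDSE LDIF that the ldapsearch command above prints, unfolding continuation lines and decoding base64 (::) values. The sample LDIF is constructed after the answer's listing; it shows that cn=config is only the configContext, while namingContexts holds the base DNs the question is after.

```shell
#!/bin/sh
# Added example (not the answer's code): extract attribute values from a rootDSE search.
# SAMPLE_ROOTDSE is constructed after the answer's listing; the second namingContexts
# value is base64-encoded ("::") and subschemaSubentry is folded onto two lines to
# exercise both LDIF features.
SAMPLE_ROOTDSE='dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=mydomain
namingContexts:: ZGM9bXlkb21haW4yLGRjPW15b3Jn
supportedLDAPVersion: 3
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
entryDN:
subschemaSubentry: cn=Sub
 schema'

# Print every value of attribute $1 (case-insensitive) from the LDIF entry on stdin.
# A line starting with a space continues the previous line, "#" starts a comment,
# "attr:: data" carries a base64 value, and the single optional space after the
# colon is not part of the value.
ldif_values() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        function flush(   i, name, val) {
            if (buf == "") return
            i = index(buf, ":")
            name = tolower(substr(buf, 1, i - 1))
            val = substr(buf, i + 1)
            if (name == want) {
                if (substr(val, 1, 1) == ":") {
                    val = substr(val, 2); sub(/^ /, "", val); print "B64 " val
                } else {
                    sub(/^ /, "", val); print "RAW " val
                }
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        /^#/ { next }
        { flush(); buf = $0 }
        END { flush() }
    ' | while IFS= read -r line; do
        case $line in
            "B64 "*) printf '%s' "${line#"B64 "}" | base64 -d; echo ;;
            "RAW "*) printf '%s\n' "${line#"RAW "}" ;;
        esac
    done
}

# The base DNs the server holds data under: the "root DN" the question is looking for.
# cn=config is only the configContext (the configuration database), not a data suffix.
root_dns() {
    ldif_values namingContexts
}

# Advertised SASL mechanisms that carry the password in clear unless the connection is
# already wrapped in TLS (ldaps or STARTTLS); worth checking on any directory you operate.
cleartext_sasl_mechanisms() {
    ldif_values supportedSASLMechanisms | grep -Ex 'PLAIN|LOGIN'
}

printf '%s\n' "$SAMPLE_ROOTDSE" | root_dns                  # dc=mydomain, dc=mydomain2,dc=myorg
printf '%s\n' "$SAMPLE_ROOTDSE" | ldif_values configContext # cn=config
printf '%s\n' "$SAMPLE_ROOTDSE" | cleartext_sasl_mechanisms # LOGIN, PLAIN
```

Against a live server, pipe the output of `ldapsearch -LLL -h <ldaphost> -b "" -s base +` into root_dns or cleartext_sasl_mechanisms instead of the sample.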

Related

Check duplicate disk LABEL before mounting it to the system in bash script

Is there a way to check whether there is a duplicate disk LABEL before mounting it to the system?
I need to make sure that if the user has two external drives and both have the same label, the script prompts the user with a warning asking them to remove the duplicated disk.
My code is in the early stages:
if mountpoint -q "${JOB_MOUNT_DIR}"; then
    echo " ${JOB_MOUNT_HD_LABEL} já está montado e está pronto para uso"
else
    echo "O dispositivo ${JOB_MOUNT_HD_LABEL} não está montado no diretório ${JOB_MOUNT_DIR}"
    echo "Deseja montar o diretório?"
    echo -n "Qual sua opção? [s/n]: "
    read -r opcao
    if [ "$opcao" == "s" ]; then
        mkdir -p "${JOB_MOUNT_DIR}/${JOB_MOUNT_HD_LABEL}"
        mount -L "${JOB_MOUNT_HD_LABEL}" "${JOB_MOUNT_DIR}/${JOB_MOUNT_HD_LABEL}"
        exit 0
    else
        echo "Disco não irá ser montado"
        exit 0
    fi
fi
exit 0
Some parts are in pt-BR; I think that will not be a problem.
First it checks whether the disk is already mounted; if not, it asks to mount it. Then there is the problem of knowing which of the two disks with the same LABEL to mount.
You can use:
lsblk -o name,label
NAME LABEL
mmcblk0
└─mmcblk0p1 eMMC
Or you can use:
blkid
/dev/nvme0n1p1: UUID="36D7-B890" TYPE="vfat" PARTUUID="8614534f-01"
/dev/nvme0n1p5: UUID="65885781-bd9b-4c62-afb0-4a82a0e5759e" TYPE="ext4" PARTUUID="8614534f-05"
/dev/mmcblk0p1: LABEL="eMMC" UUID="79ff33b4-2add-4f2f-844e-d7d242c18578" TYPE="ext4" PARTUUID="d4b36674-ab5f-4f15-bb83-313cce242fe4"
You may need to prefix the above commands with sudo.
If the above commands get your labels correctly, you can pipe the output roughly as follows to list duplicates:
lsblk -no label | grep . | sort | uniq -d   # -n drops the header line, grep . drops unlabeled devices
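Added example, not code from the question or the answer: a script that finds duplicate labels in `lsblk -rno NAME,LABEL` output and refuses to `mount -L` when the label is on more than one device, since which of the candidates mount would pick is not under the script's control. The device listing is constructed.

```shell
#!/bin/sh
# Added example, not the question's or the answer's code: only mount by LABEL when the
# label is unambiguous. SAMPLE_LSBLK is a constructed stand-in for `lsblk -rno NAME,LABEL`
# (raw mode: one "NAME LABEL" pair per line, no header, labels with spaces hex-escaped
# so they stay one field, unlabeled devices print just their NAME).
SAMPLE_LSBLK='sda
sda1 BACKUP
sdb
sdb1 BACKUP
sdc1 PHOTOS
mmcblk0p1 eMMC'

# From "NAME LABEL" lines on stdin, print each label carried by more than one device.
# Lines with no label are skipped, so empty labels are not reported as duplicates the
# way `lsblk -o label | sort | uniq -d` reports them.
duplicate_labels() {
    awk 'NF >= 2 { n[$2]++ } END { for (l in n) if (n[l] > 1) print l }' | sort
}

# From "NAME LABEL" lines on stdin, print the names of the devices carrying label $1.
devices_with_label() {
    awk -v want="$1" 'NF >= 2 && $2 == want { print $1 }'
}

# Classify label $1 against the listing in $2: prints unique, duplicate or missing.
label_status() {
    count=$(printf '%s\n' "$2" | devices_with_label "$1" | wc -l)
    case $((count)) in
        0) echo missing ;;
        1) echo unique ;;
        *) echo duplicate ;;
    esac
}

# Mount label $1 at directory $2 only if exactly one attached device carries it; with two
# candidates, which one `mount -L` picks is not under the script's control, so stop and
# tell the user which devices collide. Needs the real lsblk and mount (usually via sudo),
# so it is defined here but not run.
mount_unique_label() {
    listing=$(lsblk -rno NAME,LABEL)
    case $(label_status "$1" "$listing") in
        unique)
            mkdir -p "$2" && mount -L "$1" "$2" ;;
        duplicate)
            echo "Label '$1' is present on more than one device:" >&2
            printf '%s\n' "$listing" | devices_with_label "$1" | sed 's|^|  /dev/|' >&2
            echo "Remove the duplicate disk and run again." >&2
            return 1 ;;
        missing)
            echo "No attached device carries label '$1'." >&2
            return 2 ;;
    esac
}

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LSBLK" | duplicate_labels   # BACKUP
label_status BACKUP "$SAMPLE_LSBLK"                 # duplicate
label_status eMMC "$SAMPLE_LSBLK"                   # unique
label_status DATA "$SAMPLE_LSBLK"                   # missing
```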

Binding arrow keys for TMUX with MacOS Terminal

I am trying to create new arrow key bindings in TMUX which is running on a Linux machine. I ssh to that machine from my Mac (Mojave 10.14.6) using the Terminal. These are all combinations that I added in ~/.tmux.conf:
# Use Shift-Arrow to move between panes
bind -T root C-Left select-pane -L
bind -T root C-Right select-pane -R
bind -T root C-Up select-pane -U
bind -T root C-Down select-pane -D
# Use Alt-Shift Left/Right to switch between tabs
bind -T root M-C-Left previous-window
bind -T root M-C-Right next-window
# Use Alt-Shift Up/Down to create/close a tab
bind -T root M-C-Up new-window
bind -T root M-C-Down kill-pane
It works for Ctrl+Left and Ctrl+Right, but not for the others. For the Up/Down arrow combinations it always goes through the Terminal history, so I think that Terminal is overriding these bindings. However, I cannot find where it does so; I removed all relevant combinations from Preferences -> Profiles -> Keyboard and also from System Preferences -> Keyboard -> Shortcuts. For M-C-Left/Right nothing happens.
I believe the TERM variable is set correctly:
TERM=xterm-256color
TERM_PROGRAM=Apple_Terminal
TERM_PROGRAM_VERSION=421.2
TERM_SESSION_ID=782B88DE-A8DA-4542-8428-F9D5C1EF6386
The key bindings are also listed when calling tmux list-keys. When pressing the combinations in cat, I get:
cat
^[[A (Ctrl+Up)
^[[B (Ctrl+Down)
^[^[[C (Ctrl+Option+Right)
^[^[[D (Ctrl+Option+Left)
^[^[[A (Ctrl+Option+Up)
^[^[[B (Ctrl+Down)
In the TMUX server log, key bindings seem to be loaded properly. An excerpt when starting TMUX and then trying the key bindings:
1629805569.985046 server started, pid 16654
1629805569.985178 continuing cmdq 0x55797a7cedb0: flags=0, client=-1
1629805569.985192 cmdq 0x55797a7cedb0: bind-key C-b send-prefix
1629805569.985217 continuing cmdq 0x55797a7cedb0: flags=0, client=-1
...
1629805569.986939 socket path /tmp/tmux-1038/default
1629805569.987071 new client 7
1629805569.987113 loading /home/zimmerl/.tmux.conf
1629805569.987142 /home/zimmerl/.tmux.conf: # Move status bar to the top
1629805569.987148 /home/zimmerl/.tmux.conf: set-option -g status-position top
1629805569.987159 /home/zimmerl/.tmux.conf:
1629805569.987165 /home/zimmerl/.tmux.conf: # Change colors
1629805569.987178 /home/zimmerl/.tmux.conf: set -g status-fg green
1629805569.987190 /home/zimmerl/.tmux.conf: set -g status-bg black
1629805569.987201 /home/zimmerl/.tmux.conf:
1629805569.987208 /home/zimmerl/.tmux.conf: # Use Shift-Arrow to move between panes
1629805569.987215 /home/zimmerl/.tmux.conf: bind -T root C-Left select-pane -L
1629805569.987228 /home/zimmerl/.tmux.conf: bind -T root C-Right select-pane -R
1629805569.987239 /home/zimmerl/.tmux.conf: bind -T root C-Up select-pane -U
1629805569.987251 /home/zimmerl/.tmux.conf: bind -T root C-Down select-pane -D
1629805569.987262 /home/zimmerl/.tmux.conf:
1629805569.987269 /home/zimmerl/.tmux.conf: # Use Alt-Shift Left/Right to switch between tabs
1629805569.987276 /home/zimmerl/.tmux.conf: bind -T root M-C-Left previous-window
1629805569.987288 /home/zimmerl/.tmux.conf: bind -T root M-C-Right next-window
1629805569.987299 /home/zimmerl/.tmux.conf:
1629805569.987306 /home/zimmerl/.tmux.conf: # Use Alt-Shift Up/Down to create/close a tab
1629805569.987313 /home/zimmerl/.tmux.conf: bind -T root M-C-Up new-window
1629805569.987323 /home/zimmerl/.tmux.conf: bind -T root M-C-Down kill-pane
1629805569.987330 /home/zimmerl/.tmux.conf:
1629805569.987335 /home/zimmerl/.tmux.conf: # Use Ctrl+b -> h/v to split current pane horizontally/vertically
1629805569.987340 /home/zimmerl/.tmux.conf: bind -T prefix h split-window -h -c "#{pane_current_path}"
1629805569.987354 /home/zimmerl/.tmux.conf: bind -T prefix v split-window -v -c "#{pane_current_path}"
1629805569.987369 continuing cmdq 0x55797a7d4c80: flags=0, client=-1
1629805569.987375 cmdq 0x55797a7d4c80: set-option -g status-position top
1629805569.987390 cmdq 0x55797a7d4c80: set-option -g status-fg green
1629805569.987399 cmdq 0x55797a7d4c80: set-option -g status-bg black
1629805569.987408 cmdq 0x55797a7d4c80: bind-key -T root C-Left select-pane -L
1629805569.987421 cmdq 0x55797a7d4c80: bind-key -T root C-Right select-pane -R
1629805569.987434 cmdq 0x55797a7d4c80: bind-key -T root C-Up select-pane -U
1629805569.987446 cmdq 0x55797a7d4c80: bind-key -T root C-Down select-pane -D
1629805569.987457 cmdq 0x55797a7d4c80: bind-key -T root M-C-Left previous-window
1629805569.987469 cmdq 0x55797a7d4c80: bind-key -T root M-C-Right next-window
1629805569.987480 cmdq 0x55797a7d4c80: bind-key -T root M-C-Up new-window
1629805569.987490 cmdq 0x55797a7d4c80: bind-key -T root M-C-Down kill-pane
1629805569.987504 cmdq 0x55797a7d4c80: bind-key -T prefix h split-window -h -c #{pane_current_path}
1629805569.987518 cmdq 0x55797a7d4c80: bind-key -T prefix v split-window -v -c #{pane_current_path}
1629805569.987529 unref client 7 (2 references)
1629805569.987553 event dispatch enter
1629805569.987591 got 100 from client 7
...
1629805569.987882 continuing cmdq 0x55797a7d3940: flags=0, client=7
1629805569.987891 cmdq 0x55797a7d3940: new-session
1629805569.987901 new term: xterm-256color
1629805569.988166 xterm-256color override: XT
1629805569.988178 xterm-256color override: Ms \033]52;%p1%s;%p2%s\a
1629805569.988187 xterm-256color override: Cs \033]12;%p1%s\a
1629805569.988194 xterm-256color override: Cr \033]112\a
1629805569.988202 xterm-256color override: Ss \033[%p1%d q
1629805569.988209 xterm-256color override: Se \033[2 q
1629805569.988248 new key \033Oo: 0x103c (KP/)
1629805569.988255 new key \033Oj: 0x103d (KP*)
1629805569.988261 new key \033Om: 0x103e (KP-)
1629805569.988267 new key \033Ow: 0x103f (KP7)
1629805569.988273 new key \033Ox: 0x1040 (KP8)
1629805569.988280 new key \033Oy: 0x1041 (KP9)
1629805569.988286 new key \033Ok: 0x1042 (KP+)
1629805569.988292 new key \033Ot: 0x1043 (KP4)
1629805569.988297 new key \033Ou: 0x1044 (KP5)
1629805569.988302 new key \033Ov: 0x1045 (KP6)
1629805569.988307 new key \033Oq: 0x1046 (KP1)
1629805569.988313 new key \033Or: 0x1047 (KP2)
1629805569.988319 new key \033Os: 0x1048 (KP3)
1629805569.988325 new key \033OM: 0x1049 (KPEnter)
1629805569.988330 new key \033Op: 0x104a (KP0)
1629805569.988337 new key \033On: 0x104b (KP.)
1629805569.988342 new key \033OA: 0x1038 (Up)
1629805569.988347 new key \033OB: 0x1039 (Down)
1629805569.988354 new key \033OC: 0x103b (Right)
1629805569.988359 new key \033OD: 0x103a (Left)
1629805569.988365 new key \033[A: 0x1038 (Up)
1629805569.988370 new key \033[B: 0x1039 (Down)
1629805569.988377 new key \033[C: 0x103b (Right)
1629805569.988384 new key \033[D: 0x103a (Left)
1629805569.988390 new key \033OH: 0x1033 (Home)
1629805569.988396 new key \033OF: 0x1034 (End)
1629805569.988402 new key \033[H: 0x1033 (Home)
1629805569.988408 new key \033[F: 0x1034 (End)
1629805569.988413 new key \033Oa: 0x5038 (C-Up)
1629805569.988420 new key \033Ob: 0x5039 (C-Down)
1629805569.988427 new key \033Oc: 0x503b (C-Right)
1629805569.988432 new key \033Od: 0x503a (C-Left)
1629805569.988438 new key \033[a: 0x9038 (S-Up)
1629805569.988444 new key \033[b: 0x9039 (S-Down)
1629805569.988450 new key \033[c: 0x903b (S-Right)
1629805569.988457 new key \033[d: 0x903a (S-Left)
...
1629805569.989201 replacing key \033OH: 0x1033 (Home)
1629805569.989206 replacing key \033OF: 0x1034 (End)
...
1629805569.989229 replacing key \033OA: 0x1038 (Up)
1629805569.989236 replacing key \033OB: 0x1039 (Down)
1629805569.989242 replacing key \033OD: 0x103a (Left)
1629805569.989247 replacing key \033OC: 0x103b (Right)
...
1629805569.989292 new key \033[1;2B: 0x9039 (S-Down)
1629805569.989297 new key \033[1;3B: 0x3039 (M-Down)
1629805569.989303 new key \033[1;4B: 0xb039 (M-S-Down)
1629805569.989308 new key \033[1;5B: 0x5039 (C-Down)
1629805569.989314 new key \033[1;6B: 0xd039 (C-S-Down)
1629805569.989319 new key \033[1;7B: 0x7039 (C-M-Down)
...
1629805569.989546 new key \033[1;2C: 0x903b (S-Right)
1629805569.989551 new key \033[1;3C: 0x303b (M-Right)
1629805569.989557 new key \033[1;4C: 0xb03b (M-S-Right)
1629805569.989567 new key \033[1;5C: 0x503b (C-Right)
1629805569.989574 new key \033[1;6C: 0xd03b (C-S-Right)
1629805569.989580 new key \033[1;7C: 0x703b (C-M-Right)
1629805569.989943 new key \033[1;2A: 0x9038 (S-Up)
1629805569.990239 new key \033[1;3A: 0x3038 (M-Up)
1629805569.990245 new key \033[1;4A: 0xb038 (M-S-Up)
1629805569.990830 new key \033[1;5A: 0x5038 (C-Up)
1629805569.991122 new key \033[1;6A: 0xd038 (C-S-Up)
1629805569.991440 new key \033[1;7A: 0x7038 (C-M-Up)
1629805569.991544 #0 alerts flags added 0x2
1629805569.991559 spawn: /bin/bash --
...
1629805580.564176 event dispatch enter
1629805580.970822 keys are 3 (\033[A)
1629805580.970848 complete key \033[A 0x1038
1629805580.970859 session 0 not pasting
1629805580.970867 writing key 0x1038 (Up)
1629805580.970873 found key 0x1038: "\033[A"
1629805580.970884 event dispatch exit
....
1629805581.064643 event dispatch enter
1629805582.965826 keys are 3 (\033[B)
1629805582.965857 complete key \033[B 0x1039
1629805582.965870 session 0 not pasting
1629805582.965879 writing key 0x1039 (Down)
1629805582.965887 found key 0x1039: "\033[B"
1629805582.965900 event dispatch exit
Just try to reload the config.
Definitely kill your tmux (tmux kill-server) and launch it with:
tmux source-file ~/.tmux.conf
or simply load the config in tmux command mode (Ctrl+B):
:source-file ~/.tmux.conf
I think you should kill existing sessions after changing the configuration of tmux.
tmux kill-server
Now you can create new sessions, which will have the changed configuration.
The default terminal schemes map the left and right arrow keys to control codes, which is why they work.
The up and down arrow keys aren't mapped to control codes, which seems to be why tmux isn't picking them up.
I got this to work by modifying my scheme (Preferences > Profiles > Keyboard) to send the control codes for all the arrow keys.

Proper escape strategy for strings

I'm writing a simple BASH script to generate an LDIF file, which I can then use to add a user to my OpenLDAP server.
This is the script:
#!/bin/bash
#add LDAP user, v1.0, by mbobak, 11/17/2020
if [ $# != 6 ];
then
    echo "`basename $0`: error: invalid number of arguments:"
    echo "`basename $0` <userid> <firstname> <lastname> <gidnum> <uidnum> <empno>"
    exit 1
fi
userid=$1
firstname=$2
lastname=$3
gidnum=$4
uidnum=$5
empno=$6
temppasswd=`slappasswd -s pw4${userid}`
echo ${userid} ${firstname} ${lastname} ${gidnum} ${uidnum} ${empno} ${temppasswd}
sed -e "s/#userid#/${userid}/g" -e "s/#gidnum#/${gidnum}/g" -e "s/#firstname#/${firstname}/g" -e "s/#lastname#/${lastname}/g" -e "s/#uidnum#/${uidnum}/g" -e "s/#empno#/${empno}/g" -e "s/#temppasswd#/${temppasswd}/g" user_tmpl.ldif
I use it with this template:
dn: uid=#userid#,ou=people,dc=nitssolutions,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: #userid#
gidNumber: #gidnum#
givenName: #firstname#
sn: #lastname#
displayName: #firstname# #lastname#
homeDirectory: /home/#userid#
mail: #userid#@nitssolutions.com
loginShell: /bin/bash
cn: #firstname# #lastname#
uidNumber: #uidnum#
employeeType: INT-FT
employeeNumber: #empno#
dn: uid=#userid#,ou=people,dc=nitssolutions,dc=com
changetype: modify
add: userPassword
userPassword: #temppasswd#
This seems to work just fine, except when the output of slappasswd contains a / character.
When that happens, I get the following error:
./add_ldap_user.sh jdoe John Doe 123456 123456 NS1234
jdoe John Doe 123456 123456 NS1234 {SSHA}kTwHVDBiK4ub3laqwaqZpAUwILrW/Vw9
sed: -e expression #7, char 51: unknown option to `s'
Again, this only happens when the output of slappasswd contains a /.
I'm sure I'm missing something simple here, but it's not clear to me what the correct answer is. I can't simply escape the entire expression, or my variable reverts to a static string '${temppasswd}', which doesn't help. I need the value of ${temppasswd} even if it contains characters that need to be escaped.
Help?
> this only happens when the output of slappasswd contains a /.
Choose a different separator character for the s command, like ~ or any other character:
sed -e "s~#userid#~${userid}~g"
In edge cases with GNU sed you can use any byte; for example, you may use the C escape $'\x01' to write the 0x01 byte:
sed -e $'s\x01#userid#\x01'"${userid}"$'\x01g'
But I recommend not reinventing the wheel and using existing templating tools. Change the format of the template from #userid# to just ${userid} and you can use envsubst.
With envsubst and the following redesigned template:
dn: uid=${userid},ou=people,dc=nitssolutions,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ${userid}
gidNumber: ${gidnum}
givenName: ${firstname}
sn: ${lastname}
displayName: ${firstname} ${lastname}
homeDirectory: /home/${userid}
mail: ${userid}@nitssolutions.com
loginShell: /bin/bash
cn: ${firstname} ${lastname}
uidNumber: ${uidnum}
employeeType: INT-FT
employeeNumber: ${empno}
dn: uid=${userid},ou=people,dc=nitssolutions,dc=com
changetype: modify
add: userPassword
userPassword: ${temppasswd}
Processed with program1:
#!/usr/bin/env bash
Iam="${0##*/}" # Basename of myself
if [ $# -ne 6 ]; then
    cat <<ERR >&2
$Iam: error: invalid number of arguments:
Usage:
$Iam <userid> <firstname> <lastname> <gidnum> <uidnum> <empno>
ERR
    exit 1
fi
# Assignments prefixed to a command go into that command's environment,
# which is where envsubst reads the ${name} values from.
userid="$1" firstname="$2" lastname="$3" \
gidnum="$4" uidnum="$5" empno="$6" \
temppasswd=$(slappasswd -s "pw4$userid") \
envsubst <user_tmpl.ldif
Test run with dummy values:
./program1 foo bar baz 666 42 99
foo bar baz 666 42 99 ciWatEpIcs
Output:
dn: uid=foo,ou=people,dc=nitssolutions,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: foo
gidNumber: 666
givenName: bar
sn: baz
displayName: bar baz
homeDirectory: /home/foo
mail: foo@nitssolutions.com
loginShell: /bin/bash
cn: bar baz
uidNumber: 42
employeeType: INT-FT
employeeNumber: 99
dn: uid=foo,ou=people,dc=nitssolutions,dc=com
changetype: modify
add: userPassword
userPassword: ciWatEpIcs
And now with a simple here document; it does not even need envsubst.
program2:
#!/usr/bin/env bash
Iam="${0##*/}" # Basename of myself
if [ $# -ne 6 ]; then
    cat <<ERR >&2
$Iam: error: invalid number of arguments:
Usage:
$Iam <userid> <firstname> <lastname> <gidnum> <uidnum> <empno>
ERR
    exit 1
fi
userid=$1
firstname=$2
lastname=$3
gidnum=$4
uidnum=$5
empno=$6
temppasswd=$(slappasswd -s "pw4$userid")
cat <<LDIFTEMPLATE
dn: uid=${userid},ou=people,dc=nitssolutions,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ${userid}
gidNumber: ${gidnum}
givenName: ${firstname}
sn: ${lastname}
displayName: ${firstname} ${lastname}
homeDirectory: /home/${userid}
mail: ${userid}@nitssolutions.com
loginShell: /bin/bash
cn: ${firstname} ${lastname}
uidNumber: ${uidnum}
employeeType: INT-FT
employeeNumber: ${empno}
dn: uid=${userid},ou=people,dc=nitssolutions,dc=com
changetype: modify
add: userPassword
userPassword: ${temppasswd}
LDIFTEMPLATE
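Added example, not code from the answer: if the sed template is kept, escape the value rather than change the delimiter, since a different delimiter only moves the failure to values containing that character or `&`. The template below is constructed; the hash value is the one quoted in the question.

```shell
#!/bin/sh
# Added example, not part of the answer: keep the #name# sed template but escape each
# value so that "/", "&" and "\" inside it cannot change the s command. The template is
# constructed; the password hash is the one quoted in the question.

# Escape $1 for use as the replacement text of sed "s/.../.../": backslash, "&" (sed
# expands it to the matched text) and the "/" delimiter each get a backslash in front.
# Values must be single-line, which holds for slappasswd output.
sed_escape_replacement() {
    printf '%s\n' "$1" | sed 's|[&/\\]|\\&|g'
}

# Render a template read from stdin. Each argument is name=value; every #name# in the
# template becomes the escaped value. Expressions run in order, so a value that itself
# contains a later #name# placeholder would be expanded as well; the envsubst and
# here-document versions in the answer do not have that problem.
render_template() {
    n=$#
    while [ "$n" -gt 0 ]; do
        pair=$1; shift
        set -- "$@" -e "s/#${pair%%=*}#/$(sed_escape_replacement "${pair#*=}")/g"
        n=$((n - 1))
    done
    sed "$@"
}

SAMPLE_TEMPLATE='dn: uid=#userid#,ou=people,dc=example,dc=com
uid: #userid#
cn: #firstname# #lastname#
mail: #userid#@example.com
userPassword: #temppasswd#'

# Note: `slappasswd -s secret` puts the secret on the command line, where other users
# can read it from the process list; `slappasswd -T file` hashes a file's contents instead.
render_sample() {
    printf '%s\n' "$SAMPLE_TEMPLATE" | render_template userid=jdoe firstname=John \
        'lastname=O&Doe' 'temppasswd={SSHA}kTwHVDBiK4ub3laqwaqZpAUwILrW/Vw9'
}

render_sample
# dn: uid=jdoe,ou=people,dc=example,dc=com
# uid: jdoe
# cn: John O&Doe
# mail: jdoe@example.com
# userPassword: {SSHA}kTwHVDBiK4ub3laqwaqZpAUwILrW/Vw9
```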

Podman (libpod) fails to run while mounting shm with SELinux context

I am currently trying out Podman on Gentoo Linux:
# grep -i selinux /usr/src/linux-4.19.82-gentoo/.config
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
# getenforce
Permissive
Unfortunately, it fails while trying to mount shm with SELinux context. I tried it with VFS and fuse-overlayfs:
$ podman --log-level=debug run -it --rm localhost/ubuntu:latest /bin/bash
...
DEBU[0000] ExitCode msg: "failed to mount shm tmpfs \"/home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm\": invalid argument"
ERRO[0000] failed to mount shm tmpfs "/home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm": invalid argument
I patched my Podman for debugging:
gentoo ~/libpod-1.6.3 # git diff | tee /etc/portage/patches/app-emulation/libpod/00.patch
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 471648b..a2c001a 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
## -43,6 +43,11 ## import (
func (c *Container) mountSHM(shmOptions string) error {
if err := unix.Mount("shm", c.config.ShmDir, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
label.FormatMountLabel(shmOptions, c.config.MountLabel)); err != nil {
+ logrus.Debugf("AAAAA %s", c.config.ShmDir)
+ logrus.Debugf("BBBBB %s", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV)
+ logrus.Debugf("CCCCC %s", shmOptions)
+ logrus.Debugf("DDDDD %s", c.config.MountLabel)
+ logrus.Debugf("EEEEE %s", label.FormatMountLabel(shmOptions, c.config.MountLabel))
return errors.Wrapf(err, "failed to mount shm tmpfs %q", c.config.ShmDir)
}
return nil
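Review bot: the BBBBB line hands an int (`unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV`) to a `%s` verb, so logrus prints `%!s(int=14)`, as the captured output below confirms; use `%d` or `%#x` there. The AAAAA..EEEEE prefixes are fine for a throwaway debug patch, but if the logging stays, collapse the five Debugf calls into one descriptive message (shm dir, flags, options, mount label) so the line is greppable later.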
And got this output:
$ podman --log-level=debug run -it --rm localhost/ubuntu:latest /bin/bash
...
DEBU[0000] AAAAA /home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm
DEBU[0000] BBBBB %!s(int=14)
DEBU[0000] CCCCC mode=1777,size=65536000
DEBU[0000] DDDDD system_u:object_r:svirt_lxc_file_t
DEBU[0000] EEEEE mode=1777,size=65536000,context="system_u:object_r:svirt_lxc_file_t"
...
Mounting shm without the context option worked:
# mount -t tmpfs -o mode=1777,size=65536000 shm /mnt/
# mount | grep shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel)
shm on /mnt type tmpfs (rw,relatime,seclabel,size=64000k)
But it fails with the context option:
# mount -t tmpfs -o mode=1777,size=65536000,context="system_u:object_r:svirt_lxc_file_t" shm /mnt/
mount: /mnt: wrong fs type, bad option, bad superblock on shm, missing codepage or helper program, or other error.
And running Podman without SELinux works.
Some info on the machine:
vagrant@gentoo ~ $ eix -I libpod
[I] app-emulation/libpod
Available versions: (~)1.6.3^t {apparmor btrfs ostree +rootless selinux}
Installed versions: 1.6.3^t(07:51:44 AM 11/18/2019)(rootless selinux -apparmor -btrfs -ostree)
Homepage: https://github.com/containers/libpod/
Description: Library and podman tool for running OCI-based containers in Pods
vagrant@gentoo ~ $ eix -I install-xattr
[I] sys-apps/install-xattr
Available versions: 0.5 (~)0.7 (~)0.8 **9999*l
Installed versions: 0.8(06:07:20 PM 11/17/2019)
Homepage: https://dev.gentoo.org/~blueness/install-xattr/
Description: Wrapper to coreutil's install to preserve Filesystem Extended Attributes
vagrant@gentoo ~ $ emerge --info
Portage 2.3.76 (python 3.6.9-final-0, default/linux/amd64/17.1/no-multilib/hardened/selinux, gcc-9.2.0, glibc-2.29-r2, 4.19.82-gentoo x86_64)
=================================================================
System uname: Linux-4.19.82-gentoo-x86_64-Intel_Core_Processor_-Skylake,_IBRS-with-gentoo-2.6
KiB Mem: 2036312 total, 1846924 free
KiB Swap: 4000764 total, 4000764 free
Timestamp of repository gentoo: Sun, 17 Nov 2019 17:00:01 +0000
Head commit of repository gentoo: 6c3900366099220296f7765bd1f0668d980d0d29
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.32 p2) 2.32.0
app-shells/bash: 4.4_p23-r1::gentoo
dev-lang/perl: 5.28.2-r1::gentoo
dev-lang/python: 2.7.16::gentoo, 3.6.9::gentoo
dev-util/cmake: 3.14.6::gentoo
sys-apps/baselayout: 2.6-r1::gentoo
sys-apps/openrc: 0.41.2::gentoo
sys-apps/sandbox: 2.13::gentoo
sys-devel/autoconf: 2.69-r4::gentoo
sys-devel/automake: 1.16.1-r1::gentoo
sys-devel/binutils: 2.32-r1::gentoo
sys-devel/gcc: 9.2.0-r2::gentoo
sys-devel/gcc-config: 2.1::gentoo
sys-devel/libtool: 2.4.6-r3::gentoo
sys-devel/make: 4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc: 2.29-r2::gentoo
Repositories:
gentoo
location: /usr/portage
sync-type: rsync
sync-uri: rsync://rsync.gentoo.org/gentoo-portage
priority: -1000
sync-rsync-verify-jobs: 1
sync-rsync-verify-max-age: 24
sync-rsync-verify-metamanifest: yes
sync-rsync-extra-opts:
localrepo
location: /var/db/repos/localrepo
masters: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=generic -O2 -pipe"
DISTDIR="/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl alsa amd64 bzip2 crypt cxx hardened iconv ipv6 libtirpc ncurses nls nptl open_perms openmp openssl pam pcre peer_perms pie readline seccomp selinux split-usr ssl ssp ubac unicode usb xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="emu efi-32 efi-64 pc" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6 python2_7" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 
psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Late answer here: as noted by duexsco, the svirt_lxc_file_t enforcement type is missing; it can be installed by emerging sec-policy/selinux-virt on Gentoo.
Why an interface (/usr/share/selinux/strict/include/services/virt.if) from sec-policy/selinux-base uses an enforcement type from sec-policy/selinux-virt is also a rather interesting question.

Integrity Measurement Architecture(IMA) & Linux Extended Verification Module (EVM)

I am trying to activate IMA appraisal & EVM modules.
After compiling Linux kernel 3.10.2 on my bt5R3 and at first setting the kernel boot option like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix"
and after running this command to generate the xattrs security.ima and security.evm:
find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -c 1 '{}' \;
like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=enforce ima_appraise_tcb evm=enforce"
I try to create a digital signature of the xattrs, as recommended in this tutorial:
Tutorial to IMA & EVM
Every step has been followed: creating RSA keys, loading them early at boot in the initramfs with keyctl.
Session Keyring
-3 --alswrv 0 65534 keyring: _uid_ses.0
977514165 --alswrv 0 65534 \_ keyring: _uid.0
572301790 --alswrv 0 0 \_ user: kmk-user
126316032 --alswrv 0 0 \_ encrypted: evm-key
570886575 --alswrv 0 0 \_ keyring: _ima
304346597 --alswrv 0 0 \_ keyring: _evm
However, as soon as I reboot my OS and try to read a signed and hashed file, I get the error "Permission Denied".
Running dmesg tells me:
[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="**invalid-HMAC**" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0
Have you any idea why I get invalid HMAC?
The keys are loaded like the tutorial says...
#!/bin/sh -e
PREREQ=""
# Output pre-requisites
prereqs()
{
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
grep -q "ima=off" /proc/cmdline && exit 1
mount -n -t securityfs securityfs /sys/kernel/security
IMA_POLICY=/sys/kernel/security/ima/policy
LSM_POLICY=/etc/ima_policy
grep -v "^#" $LSM_POLICY >$IMA_POLICY
# import EVM HMAC key (the @u keyring is the user keyring)
keyctl show |grep -q kmk || keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
#keyctl revoke kmk
# import Module public key
mod_id=`keyctl newring _module @u`
evmctl import /etc/keys/pubkey_evm.pem $mod_id
# import IMA public key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id
# import EVM public key
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
# enable module checking
#echo "1" > /sys/kernel/security/module_check
Thanks for your help
Solved: new kernels use HMAC v2 and you have to activate asymmetric keys when you compile the kernel.
cat .config should have these entries:
CONFIG_EVM_HMAC_VERSION=2
CONFIG_ASYMMETRIC_KEY_TYPE=y
Then, when you hash or sign a file, use:
evmctl -u - -x --imasig/--imahash $file
Also, you should have created the asymmetric keys and loaded them into the _evm and _ima keyrings with keyctl from the initramfs.
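Added example, not from the question or the answer: a shell/awk parser for IMA appraisal records like the dmesg line quoted above, summarising failures by cause and by file so that a key or HMAC-version problem affecting every file (invalid-HMAC, as in this question) can be told apart from individual modified files (invalid-hash). The sample log lines are constructed; only the first mirrors the question's record.

```shell
#!/bin/sh
# Added example, not from the question or the answer: summarise IMA appraisal failures
# from kernel log lines like the dmesg record quoted above. SAMPLE_DMESG is constructed;
# only its first record mirrors the question's line.
SAMPLE_DMESG='[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-HMAC" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0
[ 5462.112233] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[ 5470.220113] type=1800 audit(1375262169.958:58): pid=1761 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" comm="cat" name="/usr/local/bin/report" dev="sda1" ino=91822 res=0
[ 5475.004710] type=1800 audit(1375262174.742:59): pid=1764 uid=1000 auid=1000 ses=3 op="appraise_data" cause="invalid-hash" comm="python3" name="/home/user/run.py" dev="sda1" ino=73311 res=0
[ 5480.910005] type=1800 audit(1375262180.648:60): pid=1770 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-HMAC" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0'

# Read kernel log lines on stdin; for every IMA record (type=1800) whose appraisal failed
# (res=0) print "cause<TAB>comm<TAB>name". Records are space-separated key=value fields
# with string values in double quotes. (The audit layer hex-encodes names containing
# spaces or quotes instead of quoting them; such names pass through undecoded here.)
ima_appraisal_failures() {
    awk '
        /type=1800/ {
            split("", rec)
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1)
                v = substr($i, eq + 1)
                gsub(/"/, "", v)
                rec[k] = v
            }
            if (rec["op"] == "appraise_data" && rec["res"] == "0")
                printf "%s\t%s\t%s\n", rec["cause"], rec["comm"], rec["name"]
        }'
}

# Failures per cause, most frequent first. invalid-HMAC: the EVM HMAC over the security
# xattrs did not verify (wrong key or HMAC version, as in this question, or altered
# metadata). invalid-hash: the file content no longer matches security.ima.
# missing-hash: the file carries no security.ima at all.
failures_by_cause() {
    ima_appraisal_failures | cut -f1 | sort | uniq -c | sort -rn
}

# Distinct files that failed, each with the first cause recorded for it.
failed_files() {
    ima_appraisal_failures | awk -F'\t' '!seen[$3]++ { print $3 "\t" $1 }'
}

printf '%s\n' "$SAMPLE_DMESG" | failures_by_cause
printf '%s\n' "$SAMPLE_DMESG" | failed_files
```

On a live system, replace the sample with `dmesg | ima_appraisal_failures` (or the ausearch/journal output that carries the same records).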
