2

I often need to deploy Linux RPM-style servers set up as templates for clients at remote sites around the world.

Before SELinux I would have a remote admin make a basic server at the same kernel level and with similar partitions to my template.

Then I'd scp over a full-template server tarfile to the remote. Then I'd just exclude things like fstab, network, /boot, grub dirs, passwd/shadow from a full system "tar-file" restore and I could get the remote up and going.

I believe that I also need to make sure that I have the same type of SELinux mode (targeted) and I exclude /etc/selinux at the target from being overwritten.

The issue is that the remote will boot and present the motd and ask for login-password, but it will not let any account in. I do not have console access to the remotes and I cannot boot them from a rescue CD.

My question is what SELinux things do I have to do to be able to restore an almost entire source template server onto a remote server from a tarfile?

techraf
Jim Grot

2 Answers

3

I would definitely consider using a config management tool like ansible, salt, chef, or puppet (or others I can't think of just now).

If you have network access, it not only allows you to template out the bits of the system you care about, but keep things up to date easily.

If you have no access, it allows someone who does to download your config management code, the relevant software to make sense of them, and run them locally on the system.

Your actual problem doesn't sound like it is to do with selinux.

It sounds like the password/account may have changed, or the SSH server now only allows key-based logins - that would depend in large part on your specific error message (maybe you can share that), and possibly what else could have happened to the system.

It does sound like quite a bit could go wrong with your approach though - extracting a complete system image to / on the server without knowing what was there before could cause all kinds of issues.

Can you ask someone to check the system locally (and see if they can login and/or see anything on the console), or maybe jump from another system local to it?

iwaseatenbyagrue
2

> My question is what SELinux things do I have to do to be able to restore an almost entire source template server onto a remote server from a tarfile?

  • First of all you need to determine that SELinux is the problem.

It should be fairly simple to create a lab using for example, the free tier of ESXi or KVM (other hypervisors are available) and then generate VMs that you have 'physical' access to.

You can put SELinux into permissive mode: edit /etc/selinux/config and ensure

 SELINUX=permissive

but be aware that if it's already disabled your problem lies elsewhere.

If setting SELinux to permissive 'solves' the problem then the cause will be found in /var/log/audit/audit.log; look for AVC denied messages.

One quick thing you could try is a restorecon -r / which will relabel the filesystem.

Beyond that it's dig into the logs and adjust the SELinux configuration as required to meet your needs.

It's probably a good idea to start looking into proper configuration management tooling.

user9517
  • I would kind of disagree on this - SELinux is well worth the effort and occasional bout of swearing, and the protection it offers is generally worth trying to play nice with it. If SELinux is potentially part of the issue, I would personally tend to think using audit2allow is a better alternative than making SELinux permissive. – iwaseatenbyagrue Mar 02 '17 at 09:41
  • @iwaseatenbyagrue Please look at my [selinux profile](http://serverfault.com/search?q=user%3Ame+%5Bselinux%5D); I advocate its use all the time. Please also carefully read my answer; it does not say disable SELinux, it provides methods of determining if it is the problem. – user9517 Mar 02 '17 at 09:49
  • Sorry - I should have chosen my words more carefully: I know permissive != disabled, I was thinking of impact, I guess. We do seem to be basically saying the same thing, I think, we just seem to have a slightly different approach. I have rarely seen someone put SELinux back into enforcing mode after finding setting it to permissive/off fixed their issue, and wanted to avoid that situation. – iwaseatenbyagrue Mar 02 '17 at 09:55
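
The second answer's advice to look for AVC denied messages in /var/log/audit/audit.log, as an added example that is not part of the original answers: it parses denial records, collapses repeats, and flags processes denied on targets typed unlabeled_t, file_t or default_t, which usually means files are missing their labels (the case restorecon addresses). The log lines are constructed, and the function names and the mislabel heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed sample in audit.log format; not taken from the original post.
SAMPLE_LOG = '''\
type=AVC msg=audit(1488447600.123:412): avc:  denied  { read } for  pid=1432 comm="sshd" name="shadow" dev="dm-0" ino=262212 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1488447605.871:419): avc:  denied  { read } for  pid=1440 comm="sshd" name="shadow" dev="dm-0" ino=262212 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1488447605.871:419): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1488447611.002:425): avc:  denied  { getattr } for  pid=1501 comm="login" path="/etc/passwd" dev="dm-0" ino=262190 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1488447620.450:431): avc:  denied  { name_bind } for  pid=900 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Heuristic (assumption): these target types usually mean a file lost or never got its label.
MISLABEL_TYPES = {"unlabeled_t", "file_t", "default_t"}

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_avc(text):
    """Return one dict per 'avc: denied' record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if line.startswith("type=AVC") and m:
            denials.append({"comm": m["comm"], "perms": tuple(m["perms"].split()),
                            "source": se_type(m["scon"]), "target": se_type(m["tcon"]),
                            "tclass": m["tclass"]})
    return denials

def summarize(denials):
    """Count identical denials so repeated attempts collapse into one row."""
    return Counter((d["comm"], d["source"], d["target"], d["tclass"], d["perms"])
                   for d in denials)

def relabel_candidates(denials):
    """Processes denied on targets whose type suggests a labeling problem."""
    return sorted({d["comm"] for d in denials if d["target"] in MISLABEL_TYPES})

if __name__ == "__main__":
    found = parse_avc(SAMPLE_LOG)
    for key, count in summarize(found).most_common():
        print(count, *key)
    print("check labels first (restorecon):", relabel_candidates(found))
```

On a real system, pass the contents of /var/log/audit/audit.log to `parse_avc` instead of `SAMPLE_LOG`; denials that are not flagged as labeling candidates (the httpd port bind in the sample) point at policy or boolean settings rather than file labels.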