[SOLVED] Unable to Customize Keyboard Shortcuts for Switching Between More Than 4 Workspaces in GNOME on CentOS 7 or RHEL 7

I am working on a VM that is running GNOME under RHEL 7 and I typically run with 12 workspaces.  The default GNOME install only has the keyboard shortcut configurations up to “Switch to workspace 4”.

It turns out that the solution is to use the gsettings CLI tool to add additional shortcuts.

$ gsettings set org.gnome.desktop.wm.keybindings switch-to-workspace-5 "[\"<Control>F5\"]"
$ gsettings set org.gnome.desktop.wm.keybindings move-to-workspace-5 "[\"<Alt>5\"]"

How to See SELinux Denials That Do Not Show In the audit.log

Or, otherwise known as: SELinux and Silent Denials.

Sometimes when troubleshooting SELinux issues, you will have added new policies for each of the denial causes written to the audit.log, but SELinux will still be denying access . . . and not giving you any further information about it in the audit.log.

Various processes often execute additional system calls that are above and beyond what they need to do for normal operation.  Many of them are blocked, and in order to avoid filling the audit.log with harmless denials they are silently dropped.  These are defined by a set of dontaudit rules.

In order to temporarily disable them, issue the following command as root

 # semodule -DB

The -D option disables dontaudit rules and the -B option will rebuild the policy.  After this runs, you should see additional information in the audit.log and with that information use audit2allow -i input-file -M output-file to build your .te and .pp files.

After debugging is complete run the following to re-enable the dontaudit rules.

 # semodule -B
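
Before feeding everything that shows up after semodule -DB to audit2allow, it helps to see which distinct denials were actually logged. The following is an added example, not part of the original post; the function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize AVC denials before handing them to audit2allow.
# The sample records below are constructed for illustration.

# Read audit records on stdin and print one line per distinct denial:
#   count comm source_type -> target_type:class { perms }
# most frequent first, so each candidate rule can be reviewed on its own.
summarize_avc() {
    awk '
    /avc:  *denied/ {
        # The permission list sits between the braces.
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        comm = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # Contexts are user:role:type:level; the type is the third field.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        seen[comm " " src " -> " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample: two identical denials, one different, one non-AVC record.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1465480000.101:450): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1465480000.101:450): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1465480005.220:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="about.html" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1465480010.300:460): avc:  denied  { noatsecure } for  pid=2001 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
EOF
}

sample_audit_log | summarize_avc
# On a real host: summarize_avc < /var/log/audit/audit.log
```

Only the denials that belong to the application being debugged need to go into the input file for audit2allow; the rest can stay covered by the dontaudit rules once semodule -B is run again.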

Mounting a Samba Share From Linux Client to Linux Samba Server

In order to be able to access a Samba share on a remote client as a mounted file system execute the following command, as root on the client:

mount -t cifs -o user=<user-on-samba-share>,uid=<uid-on-local-machine>,gid=<gid-on-local-machine>,rw,workgroup=<your-workgroup> //ip/share /mnt/mount-point-dir

You will be prompted for the password for the user defined on the Samba server.

If you are able to authenticate, and then get the following error:

ls: reading directory .: Permission denied

Check the SELinux context type of the directory on the Samba share.  It should be samba_share_t.

Solution for Executing Native Process from Java that Requires sudo

If you are building a Java program that needs to execute native commands that require sudo, there are some additional considerations beyond just writing the Java code.

The problem is that sudo, by default, requires a tty so that a password can be entered.  Even if you configure sudoers to grant NOPASSWD access to a specific command you will still get the following error:

sudo: sorry, you must have a tty to run sudo

In my case, I was writing a set of integration tests in Java that needed to be able to start and stop a service to run a test.

I settled on adding an additional sudoers config file in /etc/sudoers.d.  This ended up being the cleanest and most encapsulated change, and it did not require any special considerations in the Java code.

The change simply involved adding a file with the following contents to /etc/sudoers.d which indicates that running sudo for the rchapin user does NOT require a tty and then grants access to the specific commands.

Defaults:rchapin !requiretty
rchapin ALL=(root) NOPASSWD: /bin/systemctl stop rabbitmq-server.service
rchapin ALL=(root) NOPASSWD: /bin/systemctl start rabbitmq-server.service

Blacklisting Kernel Modules

Following is a walkthrough on how to blacklist a kernel module.  The specific example is blacklisting the nouveau driver so that I can install the OEM Nvidia driver.

1. First, blacklist the nouveau driver: Add a line to the text file /etc/modprobe.d/nouveau-blacklist.conf that contains the keyword ‘blacklist’ and the name of the driver

blacklist nouveau

2. Rebuild the initramfs image file.  First, back up the existing initramfs

mv initramfs-3.10.0-327.18.2.el7.x86_64.img initramfs-3.10.0-327.18.2.el7.x86_64.img_2016-06-09.bak

Build new initramfs

dracut -v /boot/initramfs-$(uname -r).img $(uname -r)

3. Reboot the system and confirm that the driver in question is not loaded.

lsmod | fgrep nouveau

Using netcat to Mock a RESTful Webservice that Returns JSON

Let’s say that you are working on a part of a project that needs to consume some JSON data from a forthcoming HTTP service.  That sub-system is being developed by one of your colleagues and is not yet ready for you to stand-up to develop against.

You can use netcat to mock the web service with a simple one-liner that returns static JSON data you can develop and test against.

First, put together your JSON in a file, ‘my.json’ and then run the following command in a terminal:

while true; do echo -e "HTTP/1.1 200 OK\r\n\r\n$(cat my.json)" | nc -l 9998; done

Then hitting http://localhost:9998 will return your test JSON data.

How to Use Credentials That Contain Special Characters with curl

In order to execute curl commands to endpoints with passwords that contain special characters, the cleanest way that I have found to do so is to Base64 encode the authentication string for curl and then pass an Authorization request header along with the request.

In this example the credentials are uid ‘rchapin’ and passwd ‘abc123!@#’.  Normally we would pass this to curl as follows:

$ curl -u rchapin:abc123!@# -X GET https://some-endpoint:443

However, this will not work, and the password will need to be sent in some fashion other than ASCII.

Following are the steps to pass the credentials as Base64:

1. Using your favorite Base64 encoder, generate an ASCII string of the entire ‘username:password’ string that you would normally pass with the -u option for curl

rchapin:abc123!@# converted = cmNoYXBpbjphYmMxMjMhQCM=

2. Now modify the curl command as follows:

$ curl -H "Authorization: Basic cmNoYXBpbjphYmMxMjMhQCM=" -X GET https://some-endpoint:443
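
The encoding step can be done in the shell itself. This is an added example, not part of the original post; the function names are made up here and it assumes the base64 utility from coreutils. It rejects a user name that contains a colon, because the server splits the decoded string at the first colon.

```shell
#!/bin/sh
# Added example: build the Basic Authorization header from a user name and
# password without the shell rewriting any special characters.

# Print base64("user:password") on a single line.
# printf '%s' emits the bytes verbatim (no escape processing, no trailing
# newline); tr removes the line wrapping base64 applies to long output.
basic_auth_token() {
    case $1 in
        *:*) echo "user name must not contain ':'" >&2; return 1 ;;
    esac
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the complete header line that curl expects after -H.
basic_auth_header() {
    token=$(basic_auth_token "$1" "$2") || return 1
    printf 'Authorization: Basic %s' "$token"
}

# Decode a token back to user:password. Base64 is an encoding, not
# protection: anyone who can read the header can recover the password.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Single quotes keep an interactive shell from interpreting '!' and '#'.
basic_auth_header 'rchapin' 'abc123!@#'; echo
# Usage with the endpoint from the post:
#   curl -H "$(basic_auth_header 'rchapin' 'abc123!@#')" -X GET https://some-endpoint:443
```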

How to Configure a Linux Client for Active Directory Authentication

I am currently working on setting up multiple environments for a new project (DEV, QA, and PROD) and will be integrating all of the servers to an Active Directory Domain Controller for user management.

Following are notes from when I configured a Fedora Core 18 laptop to integrate with an AD server.  It is likely things have changed some from then and I will update this as required for a current version of RHEL7/CentOS 7.

Install the following packages

yum install sssd-tools adcli realmd

sssd will not yet have the /etc/sssd/sssd.conf file installed until you join a domain (see below) so do not try to configure it.

Disable selinux. Perhaps selinux can be re-enabled after joining and configuration?

Search for a realm

realm discover -v
 * Looking up our DHCP domain
 * Discovering for DHCP domain: somedomain.com
 * Searching for kerberos SRV records for domain: _kerberos._udp.somedomain.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.somedomain.com
 * server1.somedomain.com:88 server2.somedomain.com:88 server3.somedomain.com:88
 * Found kerberos DNS records for: somedomain.com
 * Found AD style DNS records for: somedomain.com
 * Successfully discovered: somedomain.com
somedomain.com
  type: kerberos
  realm-name: SOMEDOMAIN.COM
  domain-name: somedomain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: SOMEDOMAIN\%U
  login-policy: allow-any-login

Join the domain

realm join -U admin --verbose somedomain.com

Allow all users from a given domain to login

realm permit --realm somedomain.com --all

Add the home directory paths

mkdir /home/SOMEDOMAIN

Start and enable sssd

systemctl enable sssd && systemctl start sssd

Log out from the local user account and then log in as a user in the domain:
    . uid: SOMEDOMAIN\uid
    . This will log you in as that user and create a home account in /home/SOMEDOMAIN/uid

[SOLVED] Delete key not working with x2go server running XFCE

I am working with a development environment whereby I VPN into an environment with an Ubuntu VirtualBox guest and then initiate an x2go client session to a development workstation server that lives in the development environment.

I had everything working exactly as I wanted except that the Delete key did not work in the x2go session.

Previously the xev output when pressing the delete key was:

FocusOut event, serial 36, synthetic NO, window 0x2e00001,
    mode NotifyGrab, detail NotifyAncestor

FocusIn event, serial 36, synthetic NO, window 0x2e00001,
    mode NotifyUngrab, detail NotifyAncestor

KeymapNotify event, serial 36, synthetic NO, window 0x0,
    keys:  0   0   0   0   0   0   0   0   0   0   0   0   0   0 0   0
           0   0   0   0   0   0   0   0   0   0   0   0   0   0 0   0

For the given user/X-session, go to Applications Menu -> Settings -> Keyboard

Then under the ‘Layout’ tab, uncheck the ‘Use system defaults’ and specify the keyboard that you are using.  In my case it was:

Keyboard Model: Generic 105-key (Intl) PC
Keyboard Layout: English (US)

NOTE:  the layout had TWO options that were both ‘English (US)’ and I selected the top-most item.

Log out of the X session, which will kill the x2go session and then log back in to a new session and the delete key works as expected.

xev output when pressing delete key is now:

KeyPress event, serial 36, synthetic NO, window 0x3600001,
    root 0x146, subw 0x0, time 2229006870, (-615,43), root:(879,645),
    state 0x10, keycode 107 (keysym 0xffff, Delete), same_screen YES,
    XLookupString gives 1 bytes: (7f) " 
    XmbLookupString gives 1 bytes: (7f) "
    XFilterEvent returns: False

KeyRelease event, serial 36, synthetic NO, window 0x3600001,
    root 0x146, subw 0x0, time 2229006981, (-612,41), root:(882,643),
    state 0x10, keycode 107 (keysym 0xffff, Delete), same_screen YES,
    XLookupString gives 1 bytes: (7f) "
    XFilterEvent returns: False

Looping Through a List of Files with Spaces in the File Name with Bash

If you have a list of files that you want to operate on in a loop in bash and some of them have spaces in the file name, the default IFS (Internal Field Separator) will match the space and split the file name into separate tokens.

The simple approach is to temporarily set the IFS as follows.  This can be done in a shell script, but the following example is directly on the command line for ‘one-liner’ usage.

OIFS="$IFS"

IFS=$'\n' 

for i in `find ./ -type f -iname '*some_criteria*'`; do "something with $i"; done

IFS="$OIFS"

The previous commands will:

  1. Save the existing IFS
  2. Update the IFS to a newline char
  3. Execute your loop with the results of a find command
  4. Reset the IFS
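
As an added example (not from the original post), here is the IFS loop next to a find -exec variant, both run against constructed file names. The IFS approach handles spaces but still splits a name that contains a newline, while find -exec passes every path to the loop as a single argument.

```shell
#!/bin/sh
# Added example: the IFS=newline loop next to a find -exec loop, run against
# constructed file names (one contains a space, one contains a newline).

# Build a scratch directory with three matching files and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/q1 report.txt" "$d/report_final.txt"
    touch "$d/odd
part2 report.txt"
    printf '%s\n' "$d"
}

# The approach from the post: split the find output on newlines only.
# Prints how many of the resulting tokens are real files.
count_with_ifs() {
    n=0
    OIFS=$IFS
    IFS='
'
    for f in $(find "$1" -type f -iname '*report*'); do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    IFS=$OIFS
    printf '%s\n' "$n"
}

# Let find hand each path to the loop as its own argument, so no splitting
# on IFS happens at all and any byte in a file name is preserved.
count_with_exec() {
    find "$1" -type f -iname '*report*' -exec sh -c '
        n=0
        for f do
            if [ -f "$f" ]; then n=$((n + 1)); fi
        done
        printf "%s\n" "$n"
    ' sh {} +
}

dir=$(make_sample_dir)
echo "IFS loop: $(count_with_ifs "$dir") of 3, find -exec loop: $(count_with_exec "$dir") of 3"
rm -rf "$dir"
```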