
Entries from November 2013.

10 years of SELinux

Apparently the EL and Fedora world has been using SELinux for 10 years now. It also made it into Debian.
Here's a very nice article about it:
We are celebrating the SELinux 10th year anniversary this year. Hard to believe it.
 SELinux was first introduced in Fedora Core 3 and later in Red Hat Enterprise Linux 4. 
 For those who have never used SELinux, or would like an explanation...

SELinux is a labeling system. Every process has a label.
Every file/directory object in the operating system has a label.
Even network ports, devices, and potentially hostnames have labels assigned to them. 
We write rules to control the access of a process label to an object label like a file. We call this policy. The kernel enforces the rules.
Sometimes this enforcement is called Mandatory Access Control (MAC). 

The owner of an object does not have discretion over the security attributes of an object.
Standard Linux access control, owner/group + permission flags like rwx, is often called Discretionary Access Control (DAC).
SELinux has no concept of UID or ownership of files. Everything is controlled by the labels. Meaning an SELinux system can be set up without an all-powerful root process.
Read more ...

Setting up Confluence behind mod_proxy

I've recently tried to set up Confluence behind Apache HTTPD (mod_proxy) and it did not go as smoothly as the Atlassian docs suggest.

Here's what needs doing:
1 - Go here and download the 64-bit Linux installer (I'm on CentOS 6 64-bit)
2 - Make it executable and execute it, use the default values when asked or what you think is appropriate
3 - If you want to use a MySQL DB download this and extract from it mysql-connector-java-5.1.27-bin.jar, putting it in /opt/atlassian/confluence/confluence/WEB-INF/lib/ on the server
4 - Restart Confluence: service confluence restart
5 - Go to http://confluence.example.com:8090 and finish the setup, then go to Confluence Admin -> General Configuration, click Edit under Site Configuration, and update Server Base Url to match the subdomain you want to use in the end, e.g. http://confluence.example.com or https://confluence.example.com if you want SSL. Save the settings.
6 - Enable proxying in Apache httpd; edit /etc/httpd/conf/httpd.conf and modify your virtualhost such that it looks like this:
<VirtualHost 12.34.56.78:443>
    DocumentRoot "/var/www/confluence"
    ServerName confluence.example.com
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8090/
    ProxyPassReverse / http://127.0.0.1:8090/
</VirtualHost>
7 - Edit /opt/atlassian/confluence/conf/server.xml and add this to the Connector line: proxyName="confluence.example.com" proxyPort="443" scheme="https" so that it resembles this
8 - Restart both httpd and confluence services
9 - Go to https://confluence.example.com and enjoy!
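
An added example, not part of the original post or of Atlassian's docs: a small check that the Connector in server.xml carries the three attributes from step 7 and matches the port ProxyPass points at. The sample server.xml is constructed, and the loopback-binding warning (Tomcat's address attribute) is an extra check that assumes setup over port 8090 (step 5) is already finished.

```python
import xml.etree.ElementTree as ET

# Attributes step 7 adds to the Connector, with this page's values.
EXPECTED = {"proxyName": "confluence.example.com", "proxyPort": "443", "scheme": "https"}

# Constructed sample server.xml (not a real Confluence file); {extra} is where
# step 7's attributes go.
TEMPLATE = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" connectionTimeout="20000" {extra}/>
  </Service>
</Server>"""
BEFORE = TEMPLATE.format(extra="")
AFTER = TEMPLATE.format(extra='proxyName="confluence.example.com" proxyPort="443" scheme="https"')


def check_connector(server_xml, backend_port="8090", expected=EXPECTED):
    """Return a list of findings for the Connector that ProxyPass points at."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == backend_port]
    if not connectors:
        return [f"error: no Connector on port {backend_port}"]
    findings = []
    for conn in connectors:
        for attr, want in expected.items():
            got = conn.get(attr)
            if got != want:
                findings.append(f"error: {attr} is {got!r}, expected {want!r}")
        # Added check, not a step from the post: without a loopback bind address
        # Tomcat listens on every interface, so port 8090 still answers plain
        # HTTP directly and bypasses the TLS virtual host.
        if conn.get("address") not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"warning: port {backend_port} is not bound to loopback")
    return findings


if __name__ == "__main__":
    for name, doc in (("before step 7", BEFORE), ("after step 7", AFTER)):
        print(name)
        for line in check_connector(doc) or ["ok"]:
            print("  " + line)
```

To run it against a real install, pass the contents of /opt/atlassian/confluence/conf/server.xml to check_connector() instead of the sample strings.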