Build selinux policy from AVC denials in audit.log

Assumes you have run something like the following

setenforce 0 && rm -f /var/log/audit/audit.log && touch /var/log/audit/audit.log && service auditd stop && service auditd start

Then recreated the avc denials (i.e systemctl restart haproxy if haproxy listens on an unusual port, curl http://localhost/example.php if your SQL database is a remote target etc)

cat /var/log/audit/audit.log | audit2allow -M local && semodule -i local.pp && setenforce 1

Then you should be able to repeat process 2 without avc denials. Edge cases might occur beyond simply restarting the daemon though so its worth simulating a workload for a few seconds in case some arbritrary subroutine causes a denial: example HAProxy logging to a NFS target = avc denial about 5 seconds after the restart.

Certainly less clumsy ways of doing it but this works well for my use case of short lived, usually single function VMs used for elastic scaling different worker pools on a large video sharing site. Very decent audit2allow tutorial here.

Certbot and HAProxy + automated .well-known ACME renewal

Links nginx.conf gist… haproxy.cfg (initial)… letsencrypt command… certbot eff certbot nginx.conf for letsencrypt… haproxy.cfg w/letsencrypt… Lets Encrypt Scripts Someone elses… mine… Final haproxy.cfg…

Debian cloud-init userdata

When you spin up a cloud VM at Google Compute or Digital Ocean there’s an option to specify user data, this is my goto script to update Debian and setup a  2G swapfile.

#!/usr/bin/env bash
dd if=/dev/zero of=/swap bs=1M count=2048
chmod 600 /swap
mkswap /swap
swapon /swap
echo "/swap swap swap defaults 0 0" >> /etc/fstab
apt update
apt -y upgrade
shutdown -r now