Category: Hobbies

Still a pain

Setting up a WordPress instance, I need to use PHP-SMTP for email sending. I knew SELinux was giving me grief! To check the current values of the relevant booleans:

getsebool httpd_can_sendmail
getsebool httpd_can_network_connect

Then to change the settings:

sudo setsebool -P httpd_can_sendmail 1
sudo setsebool -P httpd_can_network_connect 1

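Mind your security: both booleans relax SELinux's confinement of the web server, and httpd_can_network_connect in particular lets it open outbound connections to any port, so enable only what you actually need.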

SELinux is a pain

From “Why does Nginx return a 403 even though all permissions are set properly?”:

To check if SELinux is running:

# getenforce

To disable SELinux until next reboot:

# setenforce Permissive

Restart Nginx and see if the problem persists. If you would like to permanently alter the settings, you can edit /etc/sysconfig/selinux.

If SELinux is your problem, you can run the following to allow nginx to serve your www directory (make sure you turn SELinux back on before testing this, i.e., # setenforce Enforcing):

# chcon -Rt httpd_sys_content_t /path/to/www

If you’re still having issues, take a look at the boolean flags in getsebool -a; in particular, you may need to turn on httpd_can_network_connect for network access:

# setsebool -P httpd_can_network_connect on

For me it was enough to allow http to serve my www directory.
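
Whether a 403 or a failed mail send calls for a relabel or for a boolean can be read from the audit log rather than guessed. The following is an added example, not part of the original post or the quoted answer: it triages AVC denials for the httpd_t domain. The log lines are constructed samples, `triage_avc` is a hypothetical helper name, and the mapping from denial to hint is a simplification that covers only the two fixes mentioned above.

```shell
#!/bin/sh
# Constructed sample lines in audit.log AVC format (not taken from a real host).
SAMPLE_AVC='type=AVC msg=audit(1500000000.101:411): avc:  denied  { read } for  pid=2101 comm="nginx" name="index.html" dev="dm-0" ino=5243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000000.202:412): avc:  denied  { name_connect } for  pid=2207 comm="php-fpm" dest=587 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000000.303:413): avc:  denied  { getattr } for  pid=2101 comm="nginx" path="/srv/www/site/a.css" dev="dm-0" ino=5250 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000000.404:414): avc:  denied  { read } for  pid=900 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# triage_avc: read audit lines on stdin and print one line per distinct
# httpd_t denial target, formatted as "count|kind|target_type|hint".
triage_avc() {
  awk '
    /avc:/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
      perm = ""; ttype = ""; tclass = ""
      # Permission list sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # tcontext is user:role:type:level, the type is the third field
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      if (tclass == "tcp_socket" && perm == "name_connect") {
        # Outbound connection blocked: governed by a boolean
        kind = "network"; hint = "getsebool httpd_can_network_connect"
      } else if (tclass == "file" || tclass == "dir") {
        # Content carries a type httpd_t may not read: fix the label
        kind = "label"; hint = "chcon -Rt httpd_sys_content_t /path/to/www"
      } else {
        kind = "other"; hint = "inspect manually"
      }
      n[kind "|" ttype "|" hint]++
    }
    END { for (k in n) print n[k] "|" k }
  ' | sort
}

printf '%s\n' "$SAMPLE_AVC" | triage_avc
```

On a live host the same function can read /var/log/audit/audit.log or the output of ausearch -m avc -ts recent instead of the sample.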

CentOS 7 Network Bridge

For memory's sake, if you need to create a Bridge interface, read this article again. Specifically the following:

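chkconfig network on
service network restart
yum -y erase NetworkManager
# Copy the eth0 config as the starting point for the bridge
cp -p /etc/sysconfig/network-scripts/ifcfg-{eth0,br0}
# In the copy: drop HWADDR/UUID, rename eth0 to br0, change the type to Bridge
sed -i -e'/HWADDR/d' -e'/UUID/d' -e's/eth0/br0/' -e's/Ethernet/Bridge/' \
    /etc/sysconfig/network-scripts/ifcfg-br0
echo DELAY=0 >> /etc/sysconfig/network-scripts/ifcfg-br0
# Take addressing off eth0 and attach it to the bridge
echo 'BOOTPROTO="none"' >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo BRIDGE=br0 >> /etc/sysconfig/network-scripts/ifcfg-eth0
service network restart
brctl show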

You should probably comment out anything that starts with IPV4|6 (Not entirely sure, as I still need to read what these vars entail).

SSL Certificates

It is that time of year again to investigate SSL certs and whether paying for one is a better option. The cost is minimal with Namecheap/PositiveSSL, but is it really justified? With Let's Encrypt gaining huge momentum in the past year, I think they have their bugs worked out and will be a worthy choice.

StartSSL is still a no go for me. At least with a paid option, I can revoke it at no charge. Compare that to the aforementioned business model (may have changed, I hear they changed ownership) where you have to pay to revoke your free cert… is unfortunately not included in the rootCA list of many browsers, distros, OSs, so that is not an option either.

Seems like the actual list is narrowing down pretty fast, isn’t it?