Migrate iptables to nftables in CentOS 8


Although Ansible provides support for managing firewall rules via a module, I still find that initial setup is best done with a tested batch of firewall rules instead of adding them one by one. Since I’m migrating CentOS 7 servers to CentOS 8 now, I decided to convert my iptables rules into nftables.

Will probably post a Unix Tutorial Project about this, but today I’m just capturing notes.

What is nftables?

nftables is the next (current) generation of NetFilter based firewall solutions, replacing iptables and providing backward compatible tools with iptables syntax.

If all you used before is iptables, you can continue using familiar commands, but in CentOS 8 this means that on the firewall level there’s no longer iptables running: all the functionality is provided by NFT.

How To Save iptables rules/chains into a file

# iptables-save > /etc/sysconfig/iptables.current

How to Convert iptables rules into nftables rules

# iptables-restore-translate -f /etc/sysconfig/iptables.current > nft-rules.txt

IMPORTANT: save the translated rules to a file such as nft-rules.txt outside of the /etc/sysconfig location, where nothing loads it at boot. If things go wrong, you’ll just reboot the server via the hosting console and regain access.

Try/Check NFT Ruleset

Now comes the moment to disable iptables and try the NFT rules in their place.

I did the following: flushed iptables (removed any rules) and then applied the NFT rules.

Flush iptables

# iptables -F

Apply NFT rules from nft-rules.txt file

# nft -f nft-rules.txt

We can now have a look at the list of active NFT rules:

# nft list ruleset

Configure nftables Rules to Apply upon Reboot

Assuming everything works as expected, we can now move the nft-rules.txt file into the default location that will be used by NFT upon reboot:

# mv nft-rules.txt /etc/sysconfig/nftables.conf

Make sure it belongs to root and has correct permissions (it’s not a script so needs no execution bits):

root@s1:~ # ls -lad /etc/sysconfig/nftables.conf
-rw-------. 1 root root 5227 Mar 12 01:48 /etc/sysconfig/nftables.conf
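
A pre-flight check for the procedure above, as an added example (not from the original post): before running nft -f it confirms that a translated ruleset with a drop policy on INPUT still accepts SSH, and after the move it confirms the saved file is root-owned with mode 600. The function names, return codes and sample ruleset are constructed for illustration; it assumes the "ip filter INPUT" chain layout that iptables-restore-translate emits and a stat that supports -c.

```shell
#!/bin/sh
# Added example: pre-flight checks for a ruleset produced by
# iptables-restore-translate. Function names and return codes are illustrative.

# Constructed sample in the "add table / add chain / add rule" form;
# it is not taken from a real server.
sample_rules() {
    cat <<'EOF'
# Translated by iptables-restore-translate (constructed sample)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT iifname "lo" counter accept
add rule ip filter INPUT tcp dport 22 counter accept
EOF
}

# input_policy FILE: print the default policy of the ip filter INPUT chain.
input_policy() {
    sed -n 's/^add chain ip filter INPUT {.*policy \([a-z]*\);.*$/\1/p' "$1" | head -n 1
}

# accepts_tcp_port FILE PORT: 0 if an INPUT rule accepts "tcp dport PORT".
# Only the single-port form is recognised; port sets or ranges are not,
# so such rulesets fail closed and need a manual look.
accepts_tcp_port() {
    grep -Eq "^add rule ip filter INPUT .*tcp dport $2( .*)? accept\$" "$1"
}

# preflight FILE [SSH_PORT]
#   0 = safe to try
#   2 = file missing or empty
#   3 = INPUT policy is drop and nothing accepts SSH_PORT (lockout risk)
preflight() {
    [ -s "$1" ] || return 2
    if [ "$(input_policy "$1")" = "drop" ] && ! accepts_tcp_port "$1" "${2:-22}"; then
        return 3
    fi
    return 0
}

# nft_syntax_ok FILE: parse and validate FILE without changing the live
# ruleset (-c is nft's check mode). Needs root and the nft binary.
nft_syntax_ok() {
    nft -c -f "$1"
}

# conf_perms_ok FILE [UID]: 0 if FILE is owned by UID (default 0, root) and
# its mode is exactly 600, matching the -rw------- root root listing above.
conf_perms_ok() {
    [ "$(stat -c '%u %a' "$1")" = "${2:-0} 600" ]
}
```

Typical use as root: preflight nft-rules.txt 22 && nft_syntax_ok nft-rules.txt before nft -f, then conf_perms_ok /etc/sysconfig/nftables.conf after the mv.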





CentOS 8 and CentOS Stream Released

Great news, CentOS 8 is released now. Even better – there’s now a step in between Fedora and RHEL, called CentOS Stream.

Have you tried them yet? I’ll be upgrading to CentOS 8 this week and am also thinking of downloading and installing CentOS Stream in a KVM VM.

Let me know what you think!





Upgrading to CentOS 7.7


CentOS 7.7 was released just a few days ago and with any luck CentOS 8 will be released next week. I decided to quickly upgrade one of my dedicated servers from CentOS 7.6 to CentOS 7.7.

Confirm CentOS Version

Just a couple of steps to check what CentOS release we’re running:

root@s2:~ # cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

There should also be a package reflecting CentOS release already installed on your system. This package will be upgraded along with the rest of the OS when we’re stepping up to CentOS 7.7:

root@s2:~ # rpm -qa | grep centos-release
 centos-release-7-6.1810.2.el7.centos.x86_64

Check Available CentOS Upgrades

yum command has the check-update option for verifying if any packages are available for updating:

root@s2:~ # yum check-update

This will return a rather long list. To be super-sure we’ll actually get the CentOS 7.7 upgrade, look for the same centos-release package:

root@s2:~ # yum check-update | grep centos-release
 centos-release.x86_64                    7-7.1908.0.el7.centos           base

Upgrade CentOS 7.6 to CentOS 7.7

We need the yum update command here. After you run it, it will resolve dependencies and report something like this, prompting for your confirmation:

Transaction Summary
===============================================================
Install    3 Packages (+25 Dependent packages)
Upgrade  406 Packages
Total download size: 577 M
Is this ok [y/d/N]:

Sounds about right! We’ll press Y and let the server download and apply all the updates…

On my hosting it took about 1min to download all the packages!

Transaction Summary
===============================================================
Install    3 Packages (+25 Dependent packages)
Upgrade  406 Packages
Total download size: 577 M
Is this ok [y/d/N]:
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Updating   : libgcc-4.8.5-39.el7.x86_64                                                                                                       1/841
 Installing : urw-base35-fonts-common-20170801-10.el7.noarch                                                                                   2/841
 Updating   : 1:grub2-common-2.02-0.80.el7.centos.noarch                                                                                       3/841
 Updating   : centos-release-7-7.1908.0.el7.centos.x86_64                                                                                      4/841
 Updating   : langtable-0.0.31-4.el7.noarch                                                                                                    5/841
 Updating   : libreport-filesystem-2.1.11-43.el7.centos.x86_64                                                                                 6/841
...
yum-plugin-fastestmirror.noarch 0:1.1.31-52.el7                           yum-utils.noarch 0:1.1.31-52.el7
 Replaced:
   urw-fonts.noarch 0:2.4-16.el7
 Complete!

It took less than 10 min to apply all the package updates, so the only things left are to capture current kernel version before and after the reboot:

root@s2:/ # uname -a
Linux s2 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Now let’s reboot:

root@s2:/ # shutdown -r now

… and confirm that we’re running newer Linux Kernel and sporting the CentOS 7.7 release now:

greys@s2:~ $ uname -a
Linux s2 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Hmmm. This does look a bit conservative! It’s the 3.10 branch of the Linux kernel, whereas desktop releases are sporting Linux Kernel 5.x already.

Anyway, that’s server s2 upgraded to CentOS 7.7 successfully!

We’re certainly running the CentOS 7.7 release now:

greys@s2:~ $ cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)





yum – List Installed Packages


CentOS and RedHat Linux are still the majority of my Linux servers and so now and then I have a RedHat specific question to investigate. This time around, I’ve explored getting the list of installed packages using yum command.

yum list installed

As hard as it may be to believe, the actual command I needed is this:

[greys@rhel8 ~]$ yum list installed

That’s right – type it word for word and yum will report the full list of packages installed in your system along with package versions and package group names.

Here’s what Red Hat Enterprise Linux 8 beta VM reports:

[greys@rhel8 ~]$ yum list installed | more
Not root, Subscription Management repositories not updated
2018-10-28 13:33:38,137 [WARNING] yum:31323:MainThread @logutil.py:141 - logging already initialized
Not root, Subscription Management repositories not updated
Installed Packages
GConf2.x86_64 3.2.6-22.el8 @rhel-8-for-x86_64-appstream-beta-rpms
ModemManager.x86_64 1.8.0-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
ModemManager-glib.x86_64 1.8.0-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager.x86_64 1:1.14.0-5.el8 @anaconda
NetworkManager-adsl.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-bluetooth.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-libnm.x86_64 1:1.14.0-5.el8 @anaconda
NetworkManager-ovs.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-team.x86_64 1:1.14.0-5.el8 @anaconda
NetworkManager-tui.x86_64 1:1.14.0-5.el8 @anaconda
NetworkManager-wifi.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-wwan.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
PackageKit.x86_64 1.1.10-6.el8 @rhel-8-for-x86_64-appstream-beta-rpms
PackageKit-command-not-found.x86_64 1.1.10-6.el8 @rhel-8-for-x86_64-appstream-beta-rpms
PackageKit-glib.x86_64 1.1.10-6.el8 @rhel-8-for-x86_64-appstream-beta-rpms
PackageKit-gstreamer-plugin.x86_64 1.1.10-6.el8 @rhel-8-for-x86_64-appstream-beta-rpms
PackageKit-gtk3-module.x86_64 1.1.10-6.el8 @rhel-8-for-x86_64-appstream-beta-rpms
abattis-cantarell-fonts.noarch 0.0.25-4.el8 @rhel-8-for-x86_64-appstream-beta-rpms
accountsservice.x86_64 0.6.50-5.el8 @rhel-8-for-x86_64-appstream-beta-rpms
accountsservice-libs.x86_64 0.6.50-5.el8 @rhel-8-for-x86_64-appstream-beta-rpms
acl.x86_64 2.2.53-1.el8 @anaconda
adcli.x86_64 0.8.2-2.el8 @rhel-8-for-x86_64-baseos-beta-rpms
adobe-mappings-cmap.noarch 20171205-3.el8 @rhel-8-for-x86_64-appstream-beta-rpms
adobe-mappings-cmap-deprecated.noarch 20171205-3.el8 @rhel-8-for-x86_64-appstream-beta-rpms
...

Grep yum list installed using group name

The output makes it very easy to grep for packages that belong to the same software group, like rhel-8-for-x86_64-baseos-beta-rpms in this example:

[greys@rhel8 ~]$ yum list installed | grep rhel-8-for-x86_64-baseos-beta-rpms | more
2018-10-28 13:40:14,740 [WARNING] yum:31405:MainThread @logutil.py:141 - logging already initialized
ModemManager.x86_64 1.8.0-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
ModemManager-glib.x86_64 1.8.0-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-adsl.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-bluetooth.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-ovs.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-wifi.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
NetworkManager-wwan.x86_64 1:1.14.0-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
adcli.x86_64 0.8.2-2.el8 @rhel-8-for-x86_64-baseos-beta-rpms
at.x86_64 3.1.20-11.el8 @rhel-8-for-x86_64-baseos-beta-rpms
attr.x86_64 2.4.48-3.el8 @rhel-8-for-x86_64-baseos-beta-rpms
augeas-libs.x86_64 1.10.1-3.el8 @rhel-8-for-x86_64-baseos-beta-rpms
avahi.x86_64 0.7-18.el8 @rhel-8-for-x86_64-baseos-beta-rpms
avahi-glib.x86_64 0.7-18.el8 @rhel-8-for-x86_64-baseos-beta-rpms
avahi-libs.x86_64 0.7-18.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bash-completion.noarch 1:2.7-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bc.x86_64 1.07.1-5.el8 @rhel-8-for-x86_64-baseos-beta-rpms
binutils.x86_64 2.30-49.el8 @rhel-8-for-x86_64-baseos-beta-rpms
blktrace.x86_64 1.2.0-9.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bluez.x86_64 5.50-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bluez-libs.x86_64 5.50-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bluez-obexd.x86_64 5.50-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bolt.x86_64 0.4-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bpftool.x86_64 4.18.0-32.el8 @rhel-8-for-x86_64-baseos-beta-rpms
bubblewrap.x86_64 0.3.0-1.el8 @rhel-8-for-x86_64-baseos-beta-rpms

That’s it for today!





How To: Install Kernel Source Code in CentOS/RedHat


From time to time it’s required to compile some Linux kernel specific software on your CentOS/RedHat Linux system. Most often it’s some kind of kernel module specific to a software that requires deep integration with your operating system.

Install Kernel Sources and Headers in RedHat/CentOS

You need to install two packages: kernel sources from kernel-devel and header files from kernel-headers:

root@centos:~ # yum install kernel-devel kernel-headers
Loaded plugins: fastestmirror, langpacks 
Determining fastest mirrors
epel/x86_64/metalink | 28 kB 00:00:00 
* base: centos.quelquesmots.fr
* epel: mirror.in2p3.fr 
* extras: centos.crazyfrogs.org
* updates: centos.quelquesmots.fr 
base | 3.6 kB 00:00:00 
epel | 4.7 kB 00:00:00 
extras | 3.4 kB 00:00:00 
updates | 3.4 kB 00:00:00 
(1/4): epel/x86_64/updateinfo | 998 kB 00:00:00 
(2/4): extras/7/x86_64/primary_db | 201 kB 00:00:00 
(3/4): updates/7/x86_64/primary_db | 5.0 MB 00:00:00 
(4/4): epel/x86_64/primary_db | 6.7 MB 00:00:00 
Resolving Dependencies 
--> Running transaction check 
---> Package kernel-devel.x86_64 0:3.10.0-957.12.2.el7 will be installed 
---> Package kernel-headers.x86_64 0:3.10.0-957.12.2.el7 will be installed 
--> Finished Dependency Resolution 
Dependencies Resolved 
============================================================================
Package Arch Version Repository Size 
============================================================================
Installing: 
kernel-devel x86_64 3.10.0-957.12.2.el7 updates 17 M 
kernel-headers x86_64 3.10.0-957.12.2.el7 updates 8.0 M 

Transaction Summary
============================================================================
Install 2 Packages

Total download size: 25 M
Installed size: 41 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/2): kernel-headers-3.10.0-957.12.2.el7.x86_64.rpm | 8.0 MB 00:00:00 
(2/2): kernel-devel-3.10.0-957.12.2.el7.x86_64.rpm | 17 MB 00:00:00 
------------------------------------------------------------------------------------------------------------------------
Total 55 MB/s | 25 MB 00:00:00 
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : kernel-devel-3.10.0-957.12.2.el7.x86_64 1/2
Installing : kernel-headers-3.10.0-957.12.2.el7.x86_64 2/2 
Verifying : kernel-headers-3.10.0-957.12.2.el7.x86_64 1/2 
Verifying : kernel-devel-3.10.0-957.12.2.el7.x86_64 2/2

Installed:
kernel-devel.x86_64 0:3.10.0-957.12.2.el7 kernel-headers.x86_64 0:3.10.0-957.12.2.el7

Complete!

I just realised that the same packages will most obviously be needed if you ever decide to compile your Linux kernel.

Why Kernel Source is Old Version in Your OS

Most Linux distros lag quite a bit behind the latest Linux kernel version: this is expected, because their maintainers need time to download and compile the latest kernel and to also complete the full suite of integration tests. This is done so that most of the key software running in a particular distro will still function. Quite possibly, lots of kernel modules specific to a distro are re-compiled at that stage.

What this means is that your Linux distro will not have the latest branch of Kernel sources (5.1 as of May 2019). In this example today, my CentOS 7.6 system is using and downloading Linux Kernel 3.10.0.

Verify If You Have Kernel Sources Installed

Simply look in the /usr/src/kernels directory: you will at least have the just-installed packages but quite possibly older versions as well:

root@s2:~ # ls /usr/src/kernels/
3.10.0-957.12.2.el7.x86_64
root@s2:~ # ls /usr/src/kernels/3.10.0-957.12.2.el7.x86_64/
arch drivers include Kconfig Makefile Module.symvers scripts System.map virt
block firmware init kernel Makefile.qlock net security tools vmlinux.id
crypto fs ipc lib mm samples sound usr

That’s quite a bit of source code:

root@s2:~ # du -sh /usr/src/kernels/3.10.0-957.12.2.el7.x86_64
74M /usr/src/kernels/3.10.0-957.12.2.el7.x86_64





How To: Remove Old Kernels in CentOS

For dedicated servers and virtual machines that you keep upgrading in-place, you will eventually reach the situation where there’s a number of old kernel packages installed. That’s because when you’re updating OS packages and get new kernel installed, the old ones are not auto-removed – allowing you to fall back if there are issues with the latest kernel.

How To List Old Kernels in CentOS/Red Hat Linux

The rpm -q command comes to the rescue! Just run it for the kernel packages:

root@centos:~ # rpm -q kernel
kernel-3.10.0-327.28.3.el7.x86_64
kernel-3.10.0-327.36.3.el7.x86_64
kernel-3.10.0-693.21.1.el7.x86_64
kernel-3.10.0-957.5.1.el7.x86_64

You can use the uname command to verify the current kernel you’re running:

root@centos:~ # uname -a
Linux centos.ts.fm 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

How To Remove Old Linux Kernels in CentOS

There’s actually a special command for doing this, but it’s probably not installed by default. It’s part of the yum-utils package that you may have to install like this first:

root@centos:~ # yum install yum-utils

Now that it’s installed, we’ll use the package-cleanup command. It takes the number of most recent kernels that you want to keep. So if you want to keep just the currently used kernel, the number should be 1. I recommend you keep 2 kernels – current and the one before it, so the count should be 2.

Just to be super sure, the package-cleanup --oldkernels command will ask you if you’re positive about removing the listed kernel packages before proceeding:

root@centos:~ # package-cleanup --oldkernels --count=2
Loaded plugins: fastestmirror, langpacks
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-327.28.3.el7 will be erased
---> Package kernel.x86_64 0:3.10.0-327.36.3.el7 will be erased
--> Finished Dependency Resolution
epel/x86_64/metalink | 22 kB 00:00:00

Dependencies Resolved

===============================================================
Package Arch Version Repository Size
=============================================================== 
Removing:
kernel x86_64 3.10.0-327.28.3.el7 @centos-updates 136 M
kernel x86_64 3.10.0-327.36.3.el7 @updates 136 M

Transaction Summary
=============================================================== 
Remove 2 Packages

Installed size: 272 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : kernel.x86_64 1/2
Erasing : kernel.x86_64 2/2
Verifying : kernel-3.10.0-327.36.3.el7.x86_64 1/2
Verifying : kernel-3.10.0-327.28.3.el7.x86_64 2/2

Removed:
kernel.x86_64 0:3.10.0-327.28.3.el7 kernel.x86_64 0:3.10.0-327.36.3.el7

Complete!

… and yes, don’t worry about being left without any Linux kernels! I checked, and specifying count=0 will not result in package-cleanup killing your operating system:

root@centos:~ # package-cleanup --oldkernels --count=0
Loaded plugins: fastestmirror, langpacks
Error should keep at least 1 kernel!

That’s it for today. Hope you enjoyed the article!





screenFetch in Linux Mint


Great stuff, I have just installed Linux Mint 19.1 on my Dell XPS 13 laptop! Naturally, one of the first things to be run is the screenFetch utility.

Install screenFetch on Linux Mint

Based on Ubuntu Linux, Linux Mint enjoys abundant software repositories, which means it’s super easy to install screenFetch on the new system:

root@xps:~# apt-get install screenfetch
Reading package lists... Done
Building dependency tree 
Reading state information... Done
Recommended packages:
scrot
The following NEW packages will be installed:
screenfetch
0 upgraded, 1 newly installed, 0 to remove and 245 not upgraded.
Need to get 50.6 kB of archives.
After this operation, 236 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 screenfetch all 3.8.0-8 [50.6 kB]
Fetched 50.6 kB in 0s (308 kB/s) 
Selecting previously unselected package screenfetch.
(Reading database ... 249721 files and directories currently installed.)
Preparing to unpack .../screenfetch_3.8.0-8_all.deb ...
Unpacking screenfetch (3.8.0-8) ...
Setting up screenfetch (3.8.0-8) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

screenFetch in Linux Mint 19.1

This is the output of screenFetch on my laptop:

screenfetch-linux-mint-19-1-xps.png





How To: List Files with SELinux Contexts


When running a SELinux based setup, it might be useful to know how to quickly inspect files and directories to confirm their current SELinux context.

What is SELinux Context?

Every process and file in an SELinux-based environment can be labeled with additional information that helps fulfill RBAC (Role-Based Access Control), TE (Type Enforcement) and MLS (Multi-Level Security).

SELinux context is the combination of such additional information:

  • user
  • role
  • type
  • level

In the following example we can see that unconfined_u is the SELinux user, object_r is the role, user_home_dir_t is the object type (home user directory) and the SELinux sensitivity (MCS terminology) level is s0:

drwx------. 17 greys greys unconfined_u:object_r:user_home_dir_t:s0 4096 Feb 19 12:14 .

Use ls -Z to show SELinux Context

Using the ls command with the -Z option will show the SELinux contexts. This option is designed to be combined with other ls command options:

[greys@rhel8 ~]$ ls -alZ .
total 64
drwx------. 17 greys greys unconfined_u:object_r:user_home_dir_t:s0 4096 Feb 19 12:14 .
drwxr-xr-x. 3 root root system_u:object_r:home_root_t:s0 19 Jan 15 17:34 ..
-rw-------. 1 greys greys unconfined_u:object_r:user_home_t:s0 2035 Feb 19 12:14 .bash_history
-rw-r--r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 18 Oct 12 17:56 .bash_logout
-rw-r--r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 218 Jan 28 17:42 .bash_profile
-rw-r--r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 312 Oct 12 17:56 .bashrc
drwx------. 12 greys greys unconfined_u:object_r:cache_home_t:s0 4096 Jan 21 06:41 .cache
drwx------. 14 greys greys unconfined_u:object_r:config_home_t:s0 278 Jan 21 06:41 .config
drwx------. 3 greys greys unconfined_u:object_r:dbus_home_t:s0 25 Jan 20 18:28 .dbus
drwxr-xr-x. 2 greys greys unconfined_u:object_r:user_home_t:s0 6 Jan 20 18:28 Desktop
drwxr-xr-x. 2 greys greys unconfined_u:object_r:user_home_t:s0 6 Jan 20 18:28 Documents
drwxr-xr-x. 2 greys greys unconfined_u:object_r:user_home_t:s0 6 Jan 20 18:28 Downloads
-rw-------. 1 greys greys unconfined_u:object_r:pulseaudio_home_t:s0 16 Jan 15 19:15 .esd_auth
-rw-------. 1 greys greys unconfined_u:object_r:iceauth_home_t:s0 1244 Jan 20 18:46 .ICEauthority
-rw-------. 1 greys greys unconfined_u:object_r:user_home_t:s0 3434 Jan 22 18:06 id_rsa_4k
-rw-r--r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 737 Jan 22 18:06 id_rsa_4k.pub
-rw-rw-r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 21 Jan 28 17:53 infile2.txt
-rw-------. 1 greys greys unconfined_u:object_r:user_home_t:s0 38 Jan 22 18:05 .lesshst
drwxr-xr-x. 3 greys greys unconfined_u:object_r:gconf_home_t:s0 19 Jan 20 18:28 .local
drwxr-xr-x. 2 greys greys unconfined_u:object_r:audio_home_t:s0 6 Jan 20 18:28 Music
-rw-rw-r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 0 Jan 22 18:01 newkey
drwxr-xr-x. 2 greys greys unconfined_u:object_r:user_home_t:s0 6 Jan 20 18:28 Pictures
drwxrw----. 3 greys greys unconfined_u:object_r:home_cert_t:s0 19 Jan 20 18:28 .pki
drwxr-xr-x. 2 greys greys unconfined_u:object_r:user_home_t:s0 6 Jan 20 18:28 Public
drwxrwxr-x. 4 greys greys unconfined_u:object_r:user_home_t:s0 165 Jan 16 11:00 screenFetch
-rw-------. 1 greys greys unconfined_u:object_r:xauth_home_t:s0 150 Jan 20 18:44 .serverauth.1859
-rw-------. 1 greys greys unconfined_u:object_r:xauth_home_t:s0 50 Jan 20 18:39 .serverauth.1893
drwx------. 2 greys greys unconfined_u:object_r:ssh_home_t:s0 70 Jan 22 18:07 .ssh
-rw-rw-r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 0 Jan 21 07:49 system_u:object_r:shell_exec_t:s0
drwxr-xr-x. 2 greys greys unconfined_u:object_r:user_home_t:s0 6 Jan 20 18:28 Templates
drwxr-xr-x. 2 greys greys unconfined_u:object_r:user_home_t:s0 6 Jan 20 18:28 Videos
-rw-------. 1 greys greys unconfined_u:object_r:user_home_t:s0 2874 Jan 29 04:40 .viminfo
-rw-------. 1 greys greys unconfined_u:object_r:xauth_home_t:s0 260 Feb 19 12:14 .Xauthority
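
Splitting the context into its four parts in a script, as an added example (not from the original post). It takes the context from its column position rather than searching the line, because the listing above contains a file whose name itself looks like a context, and it treats everything after the third colon as the level, because an MLS/MCS range contains a colon. The function names are hypothetical; the listing lines are copied from the output above and the sshd context is a constructed sample.

```shell
#!/bin/sh
# Added example: split SELinux contexts taken from `ls -lZ` output.
# Function names are illustrative.

# A few lines copied from the ls -alZ listing above.
sample_listing() {
    cat <<'EOF'
total 64
drwx------. 17 greys greys unconfined_u:object_r:user_home_dir_t:s0 4096 Feb 19 12:14 .
-rw-------. 1 greys greys unconfined_u:object_r:user_home_t:s0 3434 Jan 22 18:06 id_rsa_4k
drwx------. 2 greys greys unconfined_u:object_r:ssh_home_t:s0 70 Jan 22 18:07 .ssh
-rw-rw-r--. 1 greys greys unconfined_u:object_r:user_home_t:s0 0 Jan 21 07:49 system_u:object_r:shell_exec_t:s0
EOF
}

# ctx_field CONTEXT N: print field N (1=user 2=role 3=type 4=level).
# The level is everything after the third colon, so a range such as
# s0-s0:c0.c1023 is returned whole.
ctx_field() {
    case $2 in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# entry_type NAME: read `ls -lZ` lines on stdin and print the SELinux type
# of the entry called NAME. The context is column 5 and the name starts at
# column 10 in the listing format shown above; the "total" line is skipped.
entry_type() {
    awk -v want="$1" 'NF >= 10 && $5 ~ /^[^:]+:[^:]+:[^:]+:/ {
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        if (name == want) { split($5, c, ":"); print c[3]; exit }
    }'
}
```

For example, ls -alZ ~ | entry_type .ssh prints ssh_home_t on the system shown above.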





List RPM packages sorted by install date


I had to confirm the most recently installed packages on a Red Hat system recently, and was pleasantly surprised that this is a very easy task in Red Hat, Fedora and CentOS Linux systems.

RPM packages sorted by install date

All you need is the --last option for the rpm command.

Here’s how it looks on a CentOS 7.4 server that hasn’t been updated in a month:

root@centos74:~ # rpm -qa --last | more
time-1.7-45.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
ssmtp-2.64-14.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
spax-1.5.2-13.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
redhat-lsb-submod-security-4.1-27.el7.centos.1.x86_64 Mon 10 Dec 2018 12:18:13 GMT
redhat-lsb-core-4.1-27.el7.centos.1.x86_64 Mon 10 Dec 2018 12:18:13 GMT
psmisc-22.20-15.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
patch-2.7.1-10.el7_5.x86_64 Mon 10 Dec 2018 12:18:13 GMT
mailx-12.5-19.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
ed-1.9-4.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
cups-client-1.6.3-35.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
bc-1.06.95-13.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
at-3.1.13-24.el7.x86_64 Mon 10 Dec 2018 12:18:13 GMT
mariadb-5.5.60-1.el7_5.x86_64 Wed 12 Sep 2018 22:22:32 IST
mariadb-libs-5.5.60-1.el7_5.x86_64 Wed 12 Sep 2018 22:22:31 IST
xorg-x11-font-utils-7.5-20.el7.x86_64 Fri 17 Aug 2018 07:44:00 IST
xorg-x11-fonts-Type1-7.5-9.el7.noarch Fri 17 Aug 2018 07:44:00 IST
ttmkfdir-3.0.9-42.el7.x86_64 Fri 17 Aug 2018 07:44:00 IST
libXfont-1.5.2-1.el7.x86_64 Fri 17 Aug 2018 07:44:00 IST
libfontenc-1.1.3-3.el7.x86_64 Fri 17 Aug 2018 07:43:59 IST
xorg-x11-server-utils-7.7-20.el7.x86_64 Thu 16 Aug 2018 18:18:48 IST
libXxf86misc-1.0.3-7.1.el7.x86_64 Thu 16 Aug 2018 18:18:48 IST
libXrandr-1.5.1-2.el7.x86_64 Thu 16 Aug 2018 18:18:48 IST
libXi-1.7.9-1.el7.x86_64 Thu 16 Aug 2018 18:18:48 IST

After running yum update, though, the same command shows that a lot of packages have been updated, with 03 Feb 2019 as their install date:

root@centos74:~ # rpm -qa --last | more
gcc-c++-4.8.5-36.el7.x86_64 Sun 03 Feb 2019 09:14:56 GMT
unzip-6.0-19.el7.x86_64 Sun 03 Feb 2019 09:14:55 GMT
libstdc++-devel-4.8.5-36.el7.i686 Sun 03 Feb 2019 09:14:55 GMT
libstdc++-4.8.5-36.el7.i686 Sun 03 Feb 2019 09:14:55 GMT
dialog-1.2-5.20130523.el7.x86_64 Sun 03 Feb 2019 09:14:55 GMT
datadog-agent-6.9.0-1.x86_64 Sun 03 Feb 2019 09:14:54 GMT
p7zip-16.02-10.el7.x86_64 Sun 03 Feb 2019 09:14:48 GMT
libicu-50.1.2-17.el7.x86_64 Sun 03 Feb 2019 09:14:48 GMT
iprutils-2.4.16.1-1.el7.x86_64 Sun 03 Feb 2019 09:14:48 GMT
xorg-x11-font-utils-7.5-21.el7.x86_64 Sun 03 Feb 2019 09:14:47 GMT
perl-Pod-Escapes-1.04-294.el7_6.noarch Sun 03 Feb 2019 09:14:47 GMT
libXfont-1.5.4-1.el7.x86_64 Sun 03 Feb 2019 09:14:47 GMT
libstdc++-devel-4.8.5-36.el7.x86_64 Sun 03 Feb 2019 09:14:47 GMT
gdisk-0.8.10-2.el7.x86_64 Sun 03 Feb 2019 09:14:47 GMT
yum-utils-1.1.31-50.el7.noarch Sun 03 Feb 2019 09:14:46 GMT
xfsprogs-4.5.0-18.el7.x86_64 Sun 03 Feb 2019 09:14:46 GMT
wget-1.14-18.el7.x86_64 Sun 03 Feb 2019 09:14:46 GMT
sudo-1.8.23-3.el7.x86_64 Sun 03 Feb 2019 09:14:46 GMT
python-urllib3-1.10.2-5.el7.noarch Sun 03 Feb 2019 09:14:46 GMT
python2-psutil-2.2.1-4.el7.x86_64 Sun 03 Feb 2019 09:14:46 GMT
pam_ssh_agent_auth-0.10.3-2.16.el7.x86_64 Sun 03 Feb 2019 09:14:46 GMT
man-db-2.6.3-11.el7.x86_64 Sun 03 Feb 2019 09:14:46 GMT





How To Fix Corrupted Packages Database for YUM

I had a server run out of space recently, to the point that it couldn’t complete the yum update. This server ended up corrupting a yum packages database.

Here’s how corrupted YUM database looks

Correctly called rpmdb, the package database used by YUM looks like this when it can’t be opened:

root@s3:/ # yum update
error: db5 error(11) from dbenv->open: Resource temporarily unavailable
error: cannot open Packages index using db5 - Resource temporarily unavailable (11)
error: cannot open Packages database in /var/lib/rpm
CRITICAL:yum.main:

Error: rpmdb open failed

Rebuilding RPM DB

The fix is to rebuild the RPM database, like this:

root@s3:/ # rpm --rebuilddb

and just to try things, do the same yum update – it should work now:

root@s3:/backup/linux # yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ate.info
* epel: mirror.1000mbps.com
* extras: rep-centos-fr.upress.io
* updates: centos.mirror.ate.info
Resolving Dependencies
...