@errnair errnair commented Nov 7, 2025

Summary

Completed Batch 3 modernization focusing on SELinux troubleshooting, /etc backup simplification, and deprecating redundant scripts:

  • selinux_troubleshoot.sh - Comprehensive SELinux troubleshooting tool (replaces permissive_selinux.sh)
  • etcbackup.sh - Simplified wrapper for /etc backups using dirbackup.sh
  • DEPRECATED_newuser.sh - Deprecation notice for nginx/newuser.sh

Changes

selinux_troubleshoot.sh (renamed from permissive_selinux.sh)

  • Multiple operation modes via commands:
    • status: Show current SELinux mode and configuration
    • denials: Display recent SELinux policy violations from audit log
    • suggest: Analyze denials and provide policy fix recommendations
    • permissive: Set SELinux to permissive mode with warnings
    • enforcing: Re-enable SELinux enforcement
  • Strong security warnings before disabling enforcement
  • User confirmation required (must type "yes") for permissive mode
  • Temporary vs permanent mode options:
    • Temporary: Runtime only (reverts on reboot)
    • Permanent: Updates /etc/selinux/config
  • Integration with audit tools:
    • ausearch for finding denials
    • audit2why for explaining denials
    • audit2allow suggestions for policy generation
  • Configuration backup before making changes
  • Comprehensive troubleshooting workflow guidance
  • Common SELinux fixes documentation
  • Encourages proper fixes instead of disabling
  • Common library integration

etcbackup.sh

  • Lightweight wrapper around dirbackup.sh specifically for /etc backups
  • Optimized defaults for system configuration backups:
    • 90-day retention (vs 30-day default)
    • gzip compression
    • Verification enabled
  • Inherits all dirbackup.sh capabilities:
    • Encryption support
    • Multiple compression formats
    • SHA256 verification
    • Retention policy
    • Email notifications
  • Automatic detection and execution of dirbackup.sh
  • All dirbackup.sh environment variables work
  • Common library integration

DEPRECATED_newuser.sh

  • Clear deprecation notice for nginx/newuser.sh
  • Functionality replaced by install_flask.sh which provides:
    • Multi-OS support
    • Better security (SELinux, firewall)
    • Gunicorn service setup
    • Optional Nginx integration
    • SSL support
  • Migration documentation with command examples
  • Scheduled for removal in future release

Migration Notes

selinux_troubleshoot.sh:

  • Replaces server_management/CentOS/permissive_selinux.sh
  • New location: server_management/selinux_troubleshoot.sh
  • Command-based interface (not just permissive mode)
  • Usage:
    • Show status: ./selinux_troubleshoot.sh status
    • View denials: ./selinux_troubleshoot.sh denials
    • Get suggestions: ./selinux_troubleshoot.sh suggest
    • Set permissive (temp): ./selinux_troubleshoot.sh permissive
    • Set permissive (perm): MODE=permanent ./selinux_troubleshoot.sh permissive
    • Set enforcing: ./selinux_troubleshoot.sh enforcing

etcbackup.sh:

  • Replaces miscellaneous/etcbackup.sh
  • New location: utilities/etcbackup.sh
  • Now a wrapper around dirbackup.sh (no duplicate code)
  • Usage remains simple: ./etcbackup.sh
  • All dirbackup.sh options available via environment variables

nginx/newuser.sh:

  • Original script moved to DEPRECATED_newuser.sh
  • Use installation_scripts/install_flask.sh instead
  • New installer handles user creation, webroot, venv, and more

Rationale

Why rename permissive_selinux.sh to selinux_troubleshoot.sh?

  • Original name implied the tool's only purpose was to disable SELinux
  • New name reflects the tool's primary purpose: troubleshooting
  • Disabling enforcement is now just one option among many
  • Encourages users to diagnose and fix issues properly

Why make etcbackup.sh a wrapper?

  • Eliminates code duplication
  • Users get all dirbackup.sh improvements automatically
  • Simpler to maintain (one backup implementation)
  • Still provides convenient /etc-specific interface

Why deprecate nginx/newuser.sh?

  • Functionality completely superseded by install_flask.sh
  • install_flask.sh does everything newuser.sh did and much more
  • Reduces maintenance burden
  • Prevents confusion about which script to use

Testing

All scripts tested for:

  • Bash syntax validation (bash -n)
  • Common library integration
  • set -euo pipefail safety
  • Error handling with trap cleanup

Examples

selinux_troubleshoot.sh:

```bash
# Check current SELinux status
./selinux_troubleshoot.sh status

# View recent denials
./selinux_troubleshoot.sh denials

# Get policy fix suggestions
./selinux_troubleshoot.sh suggest

# Set permissive temporarily (reverts on reboot)
./selinux_troubleshoot.sh permissive

# Set permissive permanently
MODE=permanent ./selinux_troubleshoot.sh permissive

# Re-enable enforcement
./selinux_troubleshoot.sh enforcing

# Show help
./selinux_troubleshoot.sh help
```

etcbackup.sh:

```bash
# Basic /etc backup (90-day retention)
./etcbackup.sh

# Encrypted /etc backup
ENCRYPT=yes ./etcbackup.sh

# /etc backup with 30-day retention
RETENTION_DAYS=30 ./etcbackup.sh

# /etc backup with xz compression
COMPRESSION=xz ./etcbackup.sh

# Custom backup directory
BACKUP_DIR=/mnt/backups ./etcbackup.sh
```

Commit message:

…r deprecation

selinux_troubleshoot.sh:
  - Renamed from permissive_selinux.sh for better clarity
  - Multiple commands: status, denials, suggest, permissive, enforcing
  - Strong security warnings before disabling enforcement
  - User confirmation required for permissive mode
  - Temporary vs permanent mode options
  - Show recent SELinux denials from audit log
  - Analyze denials with audit2why and suggest fixes
  - Configuration backup before changes
  - Troubleshooting workflow guidance
  - Common SELinux fixes documentation
  - Alternative solutions instead of disabling
  - Common library integration

etcbackup.sh:
  - Simple wrapper around dirbackup.sh for /etc backups
  - Optimized defaults for /etc (90-day retention)
  - Passes all configuration to dirbackup.sh
  - Leverages all dirbackup.sh features (encryption, verification, etc.)
  - Automatic detection and execution of dirbackup.sh
  - Common library integration

DEPRECATED_newuser.sh:
  - Deprecation notice for nginx/newuser.sh
  - Replaced by install_flask.sh which provides superior functionality
  - Clear migration path documented
  - Will be removed in future release
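As an added example (my own sketch, not code from this PR or the repository), here is a minimal bash version of two pieces of logic the description names: grouping AVC denials out of audit-log text the way a `denials`/`suggest` step must before handing them to audit2why, and rewriting the boot-time mode in a selinux config file only after saving a backup, as the permanent `permissive`/`enforcing` commands do. The audit records, config contents and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the errnair PR: a minimal version of two pieces of
# logic the PR description names. Function names and sample data are constructed.
set -euo pipefail

# Constructed audit.log excerpt (not a real capture): three AVC denials for an
# httpd_t process, two of them identical apart from pid/inode, plus a SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1699300000.123:456): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1699300001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1699300002.789:458): avc:  denied  { read } for  pid=1235 comm="nginx" name="app.py" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1699300002.789:458): arch=c000003e syscall=257 success=no exit=-13'

# Read audit records on stdin; print "count scontext tcontext tclass perms" for each
# distinct denial, most frequent first. One mislabelled directory produces many
# records, so grouping them is the first step before asking audit2why about each.
summarize_denials() {
  grep -E '^type=AVC .*avc: +denied' |
    sed -E 's/.*denied +[{] ([^}]*) [}].*scontext=([^ ]+) +tcontext=([^ ]+) +tclass=([^ ]+).*/\2 \3 \4 \1/' |
    sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Report the boot-time mode from a selinux config file (the SELINUX= line).
config_mode() {
  sed -nE 's/^SELINUX=([a-z]+).*/\1/p' "$1"
}

# Change the boot-time mode in a config file: validate the requested mode, save a
# timestamped copy first, then rewrite only the SELINUX= line (no sed -i, for portability).
set_config_mode() {
  local cfg="$1" mode="$2" tmp
  case "$mode" in
    enforcing|permissive) ;;
    *) echo "refusing to set unsupported mode '$mode'" >&2; return 1 ;;
  esac
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  tmp=$(mktemp)
  sed -E "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"   # write in place so the file keeps its inode and permissions
  rm -f "$tmp"
}

# Stand-alone run: show the grouped denials from the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_denials
```

On a real host the input to `summarize_denials` would come from `ausearch -m AVC` or the raw audit log, and the config path would be /etc/selinux/config, which requires root to change.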
@errnair errnair merged commit edc45f2 into master Nov 8, 2025