RHCSA (037): Season 2 - Scenario 12: Archive Management
Episode 037 Executive Summary
In this Archive Management RHCSA lab scenario, I start performing the lab after a 6-minute introduction by the podcast hosts. You will get the most out of this lab if you listen to the entire show and then try to practice the lab several times, either along with me or by yourself. Managing files through the shell is an essential skill for any system administrator, and doing it securely is even more critical.
Candidates often struggle with the interaction between basic shell operations and mandatory access controls. In this scenario, the objective seems to be a simple archiving task, but standard permissions and SELinux contexts will block the operation if not configured correctly. The operational goal is to seamlessly integrate file compression with security policies.
The core challenge revolves around using shell wildcards to select specific logs and archiving them into a secure directory. We will use tools like tar, useradd, and semanage to align the system state with our security requirements. Finally, we will verify the archive contents and confirm the SELinux context is maintained.
Keywords: shell, tar, selinux, context, rhcsa, linux, sysadmin
EPISODE 037: Archive Management
- Season: 2 | Difficulty: High
- Objectives: Primary 1.1, 1.6; Secondary 9.1, 10.5
- Lab Focus: shell, tar, selinux, context, rhcsa, linux, sysadmin
- URL: https://djere.com/rhcsa-037-season-2-scenario-12-archive-management.html
1. SCENARIO BRIEF (THE PROBLEM)
You have been tasked with archiving a specific set of application logs on app-server. A service account named backup-manager must perform this action. The logs need to be selected using shell wildcards and bundled into a compressed tar archive in a custom directory. However, the directory must have a specific SELinux context to allow the backup service to read it later. You must configure the user, adjust the SELinux context, and execute the archiving operation correctly.
2. TASK ANALYSIS (THE "WHY")
- 1.1 (Shell): Utilizing wildcards enables efficient, dynamic file selection without hardcoding filenames.
- 1.6 (Archive/Tar): Compression reduces storage footprint while preserving file metadata during transfers.
- 9.1 (Create/Delete/Modify): Proper user separation ensures least privilege for the backup operation.
- 10.5 (SELinux Contexts): Explicitly defining file contexts prevents unauthorized processes from reading sensitive backups.
3. SOLUTION STEPS
Step 1: Environment Setup (Root Only)
# Verify if tar and policycoreutils-python-utils are installed and install them if missing
rpm -q tar || dnf install -y tar
rpm -q policycoreutils-python-utils || dnf install -y policycoreutils-python-utils
# Create the user required for the archiving task
useradd backup-manager
# Create the source and destination directories for the lab
mkdir -p /var/log/app-server /opt/backups
# Generate dummy log files to be archived
touch /var/log/app-server/app-{1..5}.log
touch /var/log/app-server/error-{1..5}.log
# Assign ownership of the directories to the backup-manager user
chown -R backup-manager:backup-manager /var/log/app-server /opt/backups
Step 2: Core Implementation (Execute as Root)
# Set the default SELinux context for the backup directory to var_log_t
semanage fcontext -a -t var_log_t "/opt/backups(/.*)?"
# Apply the new SELinux context to the directory tree using the recursive and verbose flags
restorecon -Rv /opt/backups
# Switch to the backup-manager user to execute the core task
su - backup-manager
# Use tar with the czf flags to create a gzip-compressed archive, and shell wildcards to target only app logs
tar -czf /opt/backups/app-logs.tar.gz /var/log/app-server/app-*.log
# Return to root session
exit
Technical Breakdown: The tar command uses -c to create, -z to compress via gzip, and -f to specify the filename. Shell expansion natively resolves app-*.log before passing it to tar.
Pro-Tip: Remember that restorecon must be run after semanage fcontext, otherwise the policy changes are not applied to existing directories.
Step 3: Verification (The "Proof of Work")
# List the contents of the newly created archive using the -t flag to confirm the correct files were selected
tar -tf /opt/backups/app-logs.tar.gz
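* EXPECTED: A list of files matching /var/log/app-server/app-1.log through app-5.log. GNU tar strips the leading / when it creates the archive, so the members are listed as var/log/app-server/app-1.log and so on.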
# Verify the SELinux context of the generated archive file using the -Z flag
ls -Z /opt/backups/app-logs.tar.gz
* EXPECTED: unconfined_u:object_r:var_log_t:s0 /opt/backups/app-logs.tar.gz
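The Step 3 checks can also be scripted so that a wrong wildcard or a wrong SELinux type fails loudly. The following is an added example, not part of the original lab: it runs on constructed sample files in a temporary directory, handles the case where the wildcard matches nothing, and its function names (make_archive, verify_members, selinux_type, check_context, build_sandbox) are hypothetical.

```shell
#!/bin/sh
# Added example: the Step 3 checks as functions, run on constructed sample
# files in a temp directory (not the lab's /var/log/app-server or /opt/backups).

# Archive only app-*.log from dir $1 into file $2. Fail if the wildcard matches
# nothing: an unmatched pattern would otherwise reach tar as a literal string.
make_archive() {
    set -- "$2" "$1"/app-*.log
    [ -e "$2" ] || { echo "no app-*.log files matched" >&2; return 1; }
    out=$1; shift
    tar -czf "$out" "$@"
}

# Succeed only if the archive is non-empty and every member is an app-*.log.
verify_members() {
    members=$(tar -tzf "$1") || return 1
    [ -n "$members" ] || return 1
    for m in $members; do            # constructed names contain no whitespace
        case "${m##*/}" in
            app-*.log) ;;
            *) echo "unexpected member: $m" >&2; return 1 ;;
        esac
    done
}

# The type is the third colon-separated field of user:role:type:level.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Compare the SELinux type of file $1 with $2; returns 2 if no label is readable.
check_context() {
    label=$(stat -c %C "$1" 2>/dev/null) || return 2
    [ "$(selinux_type "$label")" = "$2" ]
}

# Constructed sandbox mirroring Step 1: five app logs and five error logs.
build_sandbox() {
    box=$(mktemp -d) && mkdir "$box/src" "$box/out" || return 1
    for i in 1 2 3 4 5; do : > "$box/src/app-$i.log"; : > "$box/src/error-$i.log"; done
    echo "$box"
}

# Demo run on the constructed sandbox, then clean up.
box=$(build_sandbox) && make_archive "$box/src" "$box/out/app-logs.tar.gz" \
    && verify_members "$box/out/app-logs.tar.gz" && echo "archive members OK"
rm -rf "$box"
```

On the lab host, `verify_members /opt/backups/app-logs.tar.gz` and `check_context /opt/backups/app-logs.tar.gz var_log_t` apply the same checks to the real archive.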
4. COMPREHENSIVE CLEANUP (ZERO-TRACE)
# Remove the directories and all their contents recursively
rm -rf /var/log/app-server /opt/backups
# Delete the backup-manager user and its home directory
userdel -r backup-manager
# Remove the custom SELinux file context policy
semanage fcontext -d -t var_log_t "/opt/backups(/.*)?"
