Good morning, good afternoon, good evening. Wherever you're hailing from, welcome to another episode of Red Hat Enterprise Linux Presents. I am Chris Short, executive producer of OpenShift TV. I am joined by the one and only, Scott McBrien. Scott, how are you today? Doing great, Chris. For the audience's benefit, I would like to point out that Scott said, literally 10 seconds before we went on air, that what could possibly go wrong? So everything will. I mean, it's a lot of events. So there's always something that goes wrong. It's more exciting. We'll stop. And, you know, we'll see how we roll with it. As long as we don't have, you know, 10 potentials and meltdowns, it's probably fine. Yeah, I'm sure we'll get through it, no matter what. It is Linux, after all. True, true, true. So what are we talking about today? So I thought today might, in our last show we talked about directories and file systems a little bit. And I thought that maybe a good kind of dovetail to that subject would be SELinux because they're kind of related. Yeah, so why don't we just start off with just a little bit about what SELinux is. SELinux is a component of the Red Hat Enterprise Linux kernel that applies contexts to files, ports, and processes on the system and then has a just enormous rule set that describes what should be given access to whom. So like if you are a web server process, you're running with a context. And based off of that context, there's rules that say web server processes should be allowed access to the following kinds of files and be able to open and connect to this type of port on the system. Yes. And so we manage that just enormous set of rules through something called the SELinux policy. And then all the little components kind of fall into place and so on. Just start diving into that if you would like. 
Yeah, I just wanna point out, folks, the most recent Kubernetes or runc vulnerability, runc being the container runtime underneath everything that basically runs in a container these days. The vulnerability was stopped dead in its tracks if SELinux was running in an enforced mode. So, or enforcing mode, I should say. SELinux is an awesomely powerful tool and if you master it, you will have done yourself a great service, or not even master it, but just like be handy with it, right? Right, but I mean, first thing is don't setenforce 0, which is the opposite of Chris's shirt. setenforce 1, folks. So we're talking about today. I will share the link and so forth as, yeah. Yeah, so if it's all in enforcing, I think that you're halfway there. Right, like it's gonna stop a lot of things dead in its tracks, yeah. Right. A lot of bad things I should say. The other thing that will make your life easier is if you recognize that you should just put things where they're expected. Like if you do that and run things where they're expected, right? So don't have your web server attaching to some wonky port number because that's gonna create problems. But if you attach it to port 80, port 443, things will just work based off of the default SELinux policy. And if you wanna veer from those defaults, you can, but you need to know more. Yeah, and I think it's worth saying that a lot of people don't run web servers on port 80 or 443 nowadays just kind of because they're running multiple web servers on a system often. And that's entirely possible too, that you'll need to say, hey, port 8080, port 8081, 8082, 8083, right? Like so using that example, what do you wanna go through? Oh, well, why don't we just start with the basics here? Let me share my screen. Maybe. You can do it, I believe. Oh, it's hard. I know. Just the green button. You're gonna make fun of my tabs again. I'm not gonna make fun of your tabs this time. That was pre-show. The audience will now. That's. 
Oh, dear. All right. So first I will say, let's just take a look here. sestatus. Status, yeah, my favorite command. So like what's going on with the system? This is usually one of the things I run. Right, so I think this one is probably the most important right here, right? We're running in enabled mode. The other thing that would be important is the policy that you're using. Again, this is the set of rules that get loaded. We ship with several, but the default policy that we use is called targeted because it targets specific services, but leaves anything outside that list as unconfined, right? So processes that don't come with RHEL are gonna run without any SELinux context applied to them. And if you're not familiar with the interface Scott's using right now, this is called Cockpit. It's part of RHEL and has been part of Fedora for a while now. It gives you a web-based terminal as well as, as you can see everything on the left, a number of like options that you can choose from to tweak your system as desired. Yeah, and you'll notice there is an SELinux option down here. There is. Which actually like gives you some stuff. So for this one, right? sestatus was what we used on the command line. You can just look here to see whether SELinux is turned on or off, right? And we'll get to some of these errors in a minute, but. So then if you are wanting to look around at kind of what the components of the system are, there's an extra option included in a lot of the commands that would interact with SELinux, capital Z, that will show you the SELinux context. So for example, I can ls -Z. And what that adds is this field here to our output. And that's the SELinux contexts of these files. So I did a listing in root's home and you can see that they're admin_home_t type files. And if I did something in. I think one thing worth pointing out here too is notice on the far left where, you know, there's a directory and it shows its permissions. There's a dot after it. 
The dot also represents that SELinux is doing something on that directory if I remember correctly. I had never heard that. I think it, I think so because I just think so. Let me double check. I'm pretty sure that is, or at least it used to be the case. It might mean more now. Yeah, I had never heard that, but it's quite possible because I don't know everything. I know that's shocking that I don't know everything. I mean, especially when it comes to RHEL, right? Like you should know that. Because it's a very simple product, Red Hat Enterprise Linux. I mean, it's like tiny. All right. So over here. So GNU ls uses a dot character to indicate a file with an SELinux security context. There you go. There you go. So over here at today, over here in /etc, we have etc_t type files. We also have system configuration or system type files. And so these are the SELinux contexts that have been applied to files throughout the file system. If we do a ps with a Z. Oh, fun. I've never done this before. Yeah, so that adds this field right here. So I said that your processes run with a context and based off of that and the context of the resource they're trying to gain access to, we decide whether they are or aren't according to the policy. So you can see what context your applications are running with. And so let's say, am I even running a web server? I don't know. Ooh. Oh, you don't even know I've installed. Oh, actually, you know, we can't fix that on this box because it's not attached to its satellite server. Why'd you do that? Brazins on second. Like connect to the VPN because we have to make things hard. As I said, what could possibly go wrong? There you go. Right. Here we go. Just keep saying something good will happen eventually, I'm sure. I mean, it's not like I said, break a leg that would be terrible. No, that's actually good luck. I thought I can tell your VPN connected because you froze for a second. Or was that just very still? You don't know. You don't know me? 
Still, yeah, that's what it was. So while that installs, let's see, what other basics do we have? Oh, we'll have to know the log file to look in and we'll get into reading some of those logs in a minute. So I can only imagine where those logs live. Would they happen to live under /var/log/selinux? So it is /var/log. But it's not. Oh, is it? No, because that's for auditing. That's for auditing. I think we're gonna look at VAR logs, sure. Ah. If I will work correctly. But we'll take a look. Okay, so. What? A two minute ETA on downloading some metadata? Good night. Good Lord. I have very slow internet squirrels. For sure. You need to give your squirrels some stuff and go faster. And let's see, what other? So we also need to look at ports. I think that'd be a good one to take a look at. And the, I mean, the biggest thing for me has always been like, I've manually put something in a web server directory and it doesn't have a context applied. Right. And that was going to be, and that's why I was actually starting with httpd because I think that's a fairly common use case where people don't put stuff in /var/www/html. Instead, they like create their own /web and then everything just kind of falls apart on them and they get frustrated and do a 740. So maybe we. Usually all it takes is one command to the directory and you're good. So we would have to apply some context. Yeah. To something like that. We could use the semanage command, I think, to add like what default context should be assigned to stuff put into this weird directory that we just created for our web stuff. So, let's see what happens if we chase that crap down the hole. All right, let's see. Is that just because their custom directory doesn't have the context exactly been? That is exactly correct. That is exactly right. The context matters. And so I'm on a Fedora box. I'm having a hard time finding SELinux logs. I'm legit thinking it's not very well secured because that doesn't even exist here. It's on. 
It's enforcing. I promise. I'm not making them cry. Maybe you do have a VAR log SEO on X-Tem. No, I don't. It's weird. Well, then you failed. I have failed. Is it just under /var maybe? No, it doesn't look like it. Hmm, interesting. Oh my dear lord. What are you doing? Downloading the internet? It's that way. See, now someone's calling you out here. If you had less tabs open, this would probably be going faster. Except it's running on another box, which has one browser tab. I'm looking at it. It's got one browser tab. No, actually, the reason it takes so long is because I've been really terrible about being connected to VPN and making sure that I have all the updates. Yeah, and so it's my metadata for yum. That's probably fairly out of date. And I heard that they pushed RHEL 8.4 into our internal satellite repos recently. Oh, if you haven't done that since then, yeah, this is going to be a little bit of a download of metadata. Yeah, although it should be pretty close at this point because we've got an application streams. EPEL is an extra repository that I have enabled so I pulled all that. That one's also pretty large. And I think this is the RHEL 8, including 8.4 metadata. Did you know that lsof has a -Z (capital Z) flag? I did not. It does? lsof is like an awesome brand. Yeah, lsof is really cool. I was checking just to see if it did and it did. And I ran it on my Fedora box behind me here. And yeah, it works. I didn't see you switch over to that other mouse and keyboard there, Chris. How'd you do that? And it's this amazing technology called SSH, Scott. You should try it sometime. What? Sorry, I was giving Chris... I was harassing him because he has physical keyboards scattered around his office. Okay, scattered is probably over... It's not scattered. They have a front desk and a back desk. The back desk is like non-main computer-y. There's a Fedora box and a Mac back there. They are used for specific things. 
This desk that is on wheels and can move around and has a nice camera and mic attached to it is used for work things like this channel. So I don't want to use a program that would allow me to use the mouse and keyboard on the screen behind me, because I can't see it. I don't have eyes in the back of my head. What? I hear there's medical technology that picks that. I don't know if I want that given all my other medical issues. You have to have a weird haircut to make it work. Yeah, I just want to say, like Cousin Itt or not? All right, so finally we're back on track. So I'm running Apache and you can see that my Apache daemons are running with httpd_t type. And there's the loop here. Hell yes, yeah, deep, there you go. All right, so Apache is given access to several types of files in its context or its SELinux policy rules, but one of the types is this httpd_sys_content_t, right? That means it's for web server content. And so I don't remember who was pointing this out in our chat, but if we look at a randomly created directory, it is this type, not httpd_sys_content_t type. So if I go in and I update my configuration for Apache and I told it to share content out of this directory, it's not going to work because when it makes the file open requests to go into this directory and start sharing files, it's going to violate the SELinux policy. And what's going to happen is the kernel will simply refuse to offer that action that Apache is requesting. All right, and we can see that, let's do this. Let's see what I have now in my home directory. If I move. Quick question here. Yes. From the audience, is DNF faster? So on RHEL 8, which is what I'm using, DNF and YUM are actually the same. I just wanted you to say it, not me. That's all right. So what I have done is I introduced an error. We'll do something really, really dumb. All right, so I've moved this file from my home directory for my home directory over to Apache's web accessible directory. 
And you could see that I've given all the permissions, which is typically not what you'd see, but I want to prove a point. And what we're going to do is try to pull up that file. And there we go. This is SELinux at work, right? Because what has actually happened is the Apache daemon requested to open that file so that it could then read it and transmit it through to the web browser, the client connection. And when it made that access request, we looked at the context of the file, which was admin_home_t. And we looked at the context of the process, which is httpd_t. And according to the rules and the policy, that's not one of the kinds of contexts httpd_t type processes are permitted. And so to the requesting application, the Apache server, it was simply told, no, you cannot have that action. And then the Apache server interpreted that return from the kernel as forbidden, which the unknowing might read this error and go, oh, it's a permissions thing, right? Because it's forbidden and that's a permissions error. But when we look at it, it's clearly not a permissions error because all the permissions are there. So let me set the permissions to something more sane. And then let me update the file context to be correct so that it's within the policy for Apache to access this file. All right, if you've not seen it before, restorecon, restorecon will look at a configuration and will look at the holding directory, in this case /var/www/html, and go, okay, if someone wants to place a new file in this directory, what context should it be given? And I'll just take that context that I would normally apply to new files and I'll go ahead and adjust this file. You passed me an argument to make sure it's the same. So what we end up with is now, my file has the correct contexts. And if we go over here to our other tab and just reload the page, right, there's the file that before was forbidden. And in fact, I start the server, nothing. Nothing. 
So that's how it all kind of plays together. The process is given a context, the resources on the system, like files, are given a context. And when a request is made of the kernel to do something by the process, it checks to see whether it's permitted or not. And that's why the runc vulnerability that Chris was talking about earlier was stopped by SELinux, is because when somebody tried to access a resource that they weren't allowed to do through container workload stuff, the kernel said no. And so even though the runc vulnerability would have allowed them to gain additional access to the system they weren't supposed to, because they're trying to access a resource that was not contexted for container stuff, the SELinux policy refused that request. Which is like, this is not the first time SELinux has stopped a Kubernetes vulnerability dead in its tracks. Yes. Pretty much gotten them all. Right. All right. So we could have also manually adjusted the context as well. So for that, there's chcon. And there's actually several components of a context. There's the user component, that's the first piece. The role component, that's the second piece. The third piece is the type. Those are the three big ones. And there's two additional but optional contexts, which is sensitivity and category. Sensitivity and category is used if you wanted to maybe have a much more grandiose setup, where in addition to the process being looked at, there should be what user is the process running as or does that user have the right security credentials to access this sensitivity of file. And so in a place where information might be offered at various levels of security clearance, for example, that's where sensitivity and category could come into place. Cause just because you are certified for secret information doesn't necessarily mean you get access to all secret information across the entire organization. 
You should still only get secret information that's in your specialty or in your purview of ability. So that's what those two things are usually used for. All right. So if I wanted to switch us back to a port state. So I can say that I want to use chcon to change the context of the file. That's the type field of the context and before it was set to admin, right? And so I have the context updated. This is now incorrect for Apache to be able to access it. So if I go back over to my other tab and I reload it, right? We've reintroduced the problem again. So let me fix it. All right. I like restorecon a lot because then I don't have to necessarily know the string that goes with it. Yeah, you don't have to remember all that fun stuff. Right. Which it's all very important and valid at some point in time. And while you're using SELinux, but like restorecon is just like, all right, I'm gonna make sure this entire directory is good to go now, off you go, right? Like I can just basically say inherit and go. Yeah. And there's other files that we got in the file system when we installed Apache. So for example, HTTP, so I noticed that they are a specific type of file. Also HTTP, they are a specific type of file. Oops, log right there. But it's also in the assembly as well. Right. And so there's not just one context that it's given access to. There's a variety of them. Then there are some others that you get to, like Apache is given access to etc_t type files. That's how it's actually able to go into the /etc directory and we're gonna access its sub directory of configuration. It's given access to, oh, public_content_t type files. That's something that is just like, any service should have access to it. So like FTP server, for example, has access to public_content_t, or NFS server stuff has access to public_content_t. I was gonna say FTP, please don't use FTP. I'm doing it one quick short, you don't control me. I'm fine, I'm sorry. All right. So earlier. 
I said that if we created this random directory, it's not in the place where Red Hat normally expects to live, so it's not gonna get contexted correctly. And sure enough, right? It's default_t and Apache does not have access to that. We can prove that by going through and like redirecting stuff there, so. Well, okay, you're just gonna do a system model, that's fair. Yeah, because I don't wanna mess around with the virtual stuff right now. Okay. So all I'm gonna do is I'm just gonna update the settings that was directing us to /var/www/html. And say, hey, put that at /web, this new directory that I've created for my. Do you wanna do the, the stanza right above it, /var/www? I could, but it would be overridden by the second stanza of that, cause. Yeah, I was about to say, okay. Yeah, so let's just call that good. I'm gonna go over here and it should give me a found not found error now. Yep. Yep. And then, cause now it's serving out of /web, so I'm gonna go ahead and move my file over there. All right, and let me, actually, instead of moving it. Did you want to send Lincoln? Let me just create one. Something in it, echo and emoji or something. Like this, and you know what? To make things even easier, I'll make that the index file. All right, so now all I have to do is pull out the address. All right, so what I'm expecting right now though, we'll see if it works, is I want it to give me a forbidden message just like before. It didn't, it sent me here, but did not give me the index that I provided. That's why I said, do the, anyway. All right, so earlier when we created the web directory, we had changes context, and then it worked, right? It was getting access to there and everything was cool. When I put a file inside of that directory, it also got this default_t context, which Apache is not given access to. So what happened was my client requested the index.html, the kernel refused it, so Apache then served up the test page instead. 
So if I change this, so then now it has the right accessible content type. Now if I go back over to my other tab and I reload it, right, there's the file content, right. Okay, but you'll notice that this time I didn't use restorecon. No, because... Well, let's see. So restorecon restores the file context that would be assigned to new files out to this directory. But we know that for this directory, we put files into it, they're given default_t, which is not the context I need. Right. All right, so... Because you didn't set the web directory to be in the correct context either. Why did? You did? Did I miss that? I must have been looking at your question. Oh, no, I didn't. Ah, see. But let's say that I fixed that. Okay, you and the up arrow need to find each other. Or Control-R, one or the other. The problem is I'm doing like ls -lZ and that becomes my last token, so like Escape-dot doesn't work anymore. Oh, yeah. All right, so now I've changed the context on /web. Interesting. Because it's not looking at the context of the directory that owns it. Right. Make the decision. It's actually looking at another set of configuration on the system to figure out what we should do. Because /web isn't in that other place. It's default_t. It's default, yeah. Yeah, so let me figure out the command to look that up. Let's semanage something. This is where the new elevator music comes in, folks. All right, it is semanage fcontext, I think. Go over here, there we go. Okay. All right, so essentially right here, this is the rule that tells us what context should be assigned by default in a directory. So if you're putting stuff in /var/www/svn/hooks and all the subdirectories and files underneath of that, whoops, they should get this system_u:object_r:httpd_sys_script_exec_t type context. And /web isn't listed in this list, which is why it gets the default. So if I want to add it. Forget the syntax now. I just saw it, too, that's what's saying. 
Web C slash dot splat or splat dot. Yep. I need to put that in singles. You just give it the httpd type, right? My manager to D dash T plus try with dash T and see it makes it happy, right? So now let's do my, there it is. And now that I've added it to the managed file contexts. If you do a restorecon now, what happens? Well, why don't we just create a new file first? Oh, there you go. Yeah. So cool. And then we've got this other one. We need to restorecon and now we're cool. All right. So we've set up that kind of mapping between the two. That's awesome. And when I create subdirectories here, because like maybe I have some JavaScript app or something else that should live here, that directory and any of its children directories, they'll all get contexted with httpd_sys_content_t. And if you need to do something like make those script_t types, you could create an additional semanage rule or file context rule for that sub directory that should get a different context assigned to the stuff that's put in there. So. So where's the foot gun here? The foot gun. Yes. The thing that you do to shoot yourself in the foot. Oh. The only thing I can think of is that regex is involved, right? Like test your regex is what I would say. Yeah, but we use a wildcard regex on the end, right? And that's to make sure that it's /web and everything underneath. And you can set up like here, let's do this. So content or exec. Your script, I just saw one. User. Yeah, that's personal. Script exec. Because it's in whole. Yeah. Yeah, let's do this. Control-C that. Do our list again and grep it for www. We'll see what it's currently set to in regular Apache. HTTP the script exact team. Okay. Make sure that it actually worked. It did not. So you said everything will be fine. Nope. No bueno. Oh. One second. I think I know the problem. I didn't see it. Nope, still no. All right. Well, I don't know. I'll have to look it up. Interesting. Yeah. 
What I was thinking was that the ordering inside the file context settings might be wrong. Like we need to do the more specific directory first. That's why I deleted both and then added them back in the wrong or not adopted order. But that's not, that's clearly not the problem. So something different. So yeah, maybe that's, maybe that's the foot gun. Trying to do multiple contexts, things get harder. Or maybe it's that if you do a chcon -R (capital R) or a restorecon -R (capital R), things can get a little bit wonkier. Weird, yeah. Yeah. Especially chcon, actually restorecon probably would be okay. But using chcon -R, we're personally doing it with like Jack with all these subdirectories that have their own specific context to work right. And I should point out in the docs, it says you can use individual domains to set things as permissive versus not permissive or enforcing. Again, that's another thing where it's like you're playing with fire if you don't do that right. So, SELinux is very flexible. You can configure it however you see fit. But as you're doing that, you have to make sure that you're not creating a security hole in the process. Sorry, before we were talking about looking at logs and some trying to introduce error states that we could find where that log is. There you go. Cause that's the other piece. I think that it's important to know, okay, good. I love it when an error means good. So it looks like it goes in /var/log/messages these days. Ah, that's why I couldn't find it. That makes sense though. So this guy right here, this block is actually descriptive about what our problem is. And so the first thing is it says SELinux is preventing httpd from read access to this file. It gives me the file name. And then if we wanted more information, we could run this sealert command. One more time. Cause I'm tailing. All right, so let's do this sealert command. Every violation is given a UUID. And so that gives me a lot of stuff, right? 
But I think the most important things are this and this, right? The thing that's trying to access the resource, source context is this. And the thing that it's trying to access, the target context is this. And then it tells me that down here at the bottom that that was denied, the thing that it was trying to do, and then gives me a little bit further detail on it. And so that's how you can look at your logs and see that there is an SELinux problem because you see this giant pile of SELinux error message. You suss out that sealert and just look at the specific alert message for your thing. And this is the raw log message that you might see on your systems as well. And what it's telling you is here's the command that was making a request. This is the resource that it was trying to access. This is the context of the thing that was making a request. This is the target context of the thing that it was trying to access. And that mismatch is why you're having an error. And so if you were to update the file context to be httpd_sys_content_t, no more error because that's now allowed according to the policy. The last piece of like kind of fundamental SELinux primitives is ports. So, and you know, let me grab that. So if you are an HTTP service, according to SELinux policy you're allowed to bind to these ports. Nice. And primarily it's these, right? 80, 443, 8008, 9008, 443. I wonder why 488, well, that makes sense, I guess. Something must have used 488 in the past. Yeah, I guess. Yeah. I mean, all the other ones are like, okay, those make sense. Yeah, you know, like there's reasons for those. That one's interesting. That one got added. Well, and you had mentioned at the top of the broadcast, Chris, that 8080, well, that's in there. And 8443 is in there. But what if we want to do 8081? Okay. 8081's not in there. No. So let's, that would fail epically unless you did something different. So. Oh. Oh, did it not even allow httpd to start? Correct. It can't bind to it. That's right. 
So if we do a systemctl status. It's called CTL wrong. Failed to start Apache. Yep. And then we get this permission denied on this make sock connection. Wonder what the log says about that. Well, let's see. Let me go a little bit bigger. The tail's big enough. So. I mean. SELinux is preventing the daemon process from doing stuff on IPv6. Yeah. Let's get out the sealert from this pile. Right. So this one is not as straightforward, right? Cause it just says that here's the daemon types. And then it's trying to access a kernel_t type thing. Which it turns out is the port. So let's see if there's anything else in this message that might provide a little bit extra. Oh, here we go. A little bit further down in the stuff. If you believe httpd should be allowed to access port 8081 by default, here's some stuff that you can do. All right. They're actually having to recompile the policy, but I don't wanna do that. No. Yeah. So what we're gonna do is we're gonna do semanage port 8081. I need to get my list again. So I have the right thing to stick on it. So wait a minute, maybe 80. Yeah. I was about to say. Okay. To the girls. Can't you just do this manage that each one? Not just tell us. Can I do what? semanage that. It has a lot of usage. Okay. Nevermind. All right. So there it is, -t. So you tell the type and I need to give a little bit more information on the port that I wanna assign. What? Already defined. That it act to do like a non accept. I bet it's applied to a different. That's a good one. There you go. So how don't we look for that one? Okay. So let's use this one instead. Let's just get our list again. And yes, shout out to Ben Dyson who literally typed in does it need a -t as you were typing -t for job. Okay. And so there it is. Let me just update my configuration file so that we know we're all good and we're all using the right values everywhere. Much better. Okay. So now it's running again and let's just make sure that's really true. Wait. 
Go ahead. Oh, I was about to say it. Then go back to the terminal listening on port 80 89. But didn't we have to do something to that file for? Let's just make sure it doesn't work. Oh, yes. I had it still with the old context. Yes. I'm here for you. Okay. One more time. There we go. Okay. So when you know what the primitives are, right? Your process context type, your file context type, your port context type and the policy that kind of controls the inner meshings of them. You can then make better decisions on like how to approach fixing this SELinux related issue besides setenforce 0. Right. Please don't do that. But please. There's actually a site called StopDisablingSELinux.com. I've shared that in chat a couple of times now. It's actually written on the back of this shirt. The message behind it is quite funny though. If you're not familiar, Dan Walsh at NSA, well, while he was working at NSA, he now works at Red Hat. He actually developed SELinux so that Linux could be used in more secured environments. If it had not been for Dan's work, SELinux would not exist or it would be called something completely different and work completely differently maybe. But yeah, thank you, Dan Walsh, for SELinux. I remember reading that original NSA brief when it like Dan first wrote it. So way back in the early 2000s. I vividly remember where I was sitting when I read that. I was like, this is gonna be a game changer. Do you know what Dan works on a lot now? Do you know what Dan works on a lot now? Because he doesn't- Containers. Yeah, containers. It's amazing. We've had him on the channel a couple times now and yeah, it's always insightful when Dan comes on. Yeah, I don't know how he indexes the like vast wealth of information that he contains because I would be like, oh, you know the thing with the stuff and how it all works. See, I think you and I take the Einstein approach of if it's written down somewhere you shouldn't memorize it. Yeah. 
Because supposedly Albert Einstein didn't even know his mailing address because he would just open a phone book and find it. Interesting. Can't do that nowadays, I bet. Yeah, well, phone books are difficult to come by. I only remember the last time I got a phone book for to be honest with you. So do we have any other questions in chat before we close this out? Let me go back and look here. So, oh, that's what, OpenShift Webturner, we talked about that. Other than the fact that you have too many tabs open, no, there's nothing in Significance for Chat that we haven't responded to yet. I prefer to say that I'm wealthy in tabs. Wealthy in tabs, tab wealth. That's right, I have tab wealth. Or is, or would it be tab privilege? It's like Bitcoin, but for tabs. All right, so the one, I think the last... What SELinux context does my Bitcoin miner need? I have no idea. I don't either. The one last thing I think to close the loop is over here on the SELinux through web console, AKA Cockpit. So you could see that there... So you had the vert rules before, now you can see that we've added some. Yes. So that's kind of cool that you can actually get a look at what customization, but then the this box, so that you can then carry them forward. Right, but like view automation script, that's the cool part. Click that little thing up to the top right. Little, oh, that thing, yeah. Ta-da! Nice, nice. It gives it to you in shell, and there's a tab for Ansible as well. Excellent. So if you do end up having to set one of your web servers up, you can use Cockpit here, grab everything you need, deploy it across your entire fleet, off you go. Off you go. The other stuff is we are looking errors through the command line interface and log files on that. And AD suggestions in the logs, and guess what, can apply that. We have similar stuff here in web console. So... Yeah, I really think Cockpit does a great job of enriching the administrator experience. You know, like, I get it. 
Everybody wants to live on the CLI. I often live on the CLI, but Cockpit really changed that for me. He had really did. So, great work on that, right? Like seriously, shout out to that team. Actually, we're in an article for Home, what is the peer article? HostingAdvice.com. Here, I can give you the link. Yes. On Cockpit. And the journalist was originally asking, like, why did you do this and how did you come about making these decisions? And like, I think at some point, we realized that we were trying to create a Windows-like experience for administration, but Linux is not Windows. Right. Right. And at the same time, you know, Windows and Microsoft were like, wow, it'd be really great if we could have, like, a scripting language that we could apply across all our boxes. And they came up with PowerShell. And so, like, we were trying to do things their way. They're trying to do things our way. And at some point, we were like, wait, why are we trying to do things like that when our operating system is actually kind of lend itself to that method of management? That's like, make user interfaces that kind of make sense for how we manage boxes. Especially on things like storage, so much better than it was in some of the older tools that we were shipping with the graphical desktops. Yeah, but, we thought it was better. But yes, so thank you very much, Scott. Thank you, Chris. I'm glad we have this quote in the can because people can reference it and get good info about SELinux, really. All the stuff I showed you today is across. Seven. Everything, six, five. It's all pretty much the same. Maybe the file location. I was about to say the file locations are probably different than five. But the commands are the same. Yeah, we've done a good job of kind of preserving that lexicon and carrying it forward through every version. Yeah, awesome. Good stuff, man. Cool. Well, folks, thank you for tuning in. Thank you, Scott. Thank you to everybody that has watched the channel today. 
We are signing off for the day. So please tune in tomorrow morning for the data services office hour. We'll be talking about encryption and using external key management services with the Open Data Foundations Toolkit or OpenShift Container Storage. It's still called, but name is changing and soon to be released version. Yeah, so stay tuned tomorrow, folks. And when in doubt, check out the streaming calendar. Give it a subscribe and that way you can know at any given time where to go to tune into OpenShift TV and when to do it. So thanks, Scott. Appreciate your time today and we will see y'all next time.