
Tuesday, 7 June 2016

RHCE 7 Exam Practice with Solution Part-1 (EX 300)

1) configure your systems so that SELinux is running in Enforcing mode

Solution: 
[root@server ~]# vim /etc/selinux/config

SELINUX=enforcing

[root@server ~]# reboot

After the reboot, check the SELinux status with the following command:

[root@server ~]# getenforce
Enforcing

Do the same on the desktop machine as well.

2) configure repository
--->create a repository for your virtual machines
--->The url is http://station.network0.example.com/content/rhel7.0/x86_64/dvd
Solution:
[root@server ~]# vim /etc/yum.repos.d/server.repo
[server]
name=Siratun Jannat
baseurl=http://station.network0.example.com/content/rhel7.0/x86_64/dvd
gpgcheck=0

[root@server ~]# yum clean all
[root@server ~]# yum repolist

Do the same on the desktop machine as well (yum only reads files in /etc/yum.repos.d/ whose names end in .repo).


3) ssh configuration
--->configure ssh access on your virtual machines as follows
--->clients within my22ilt.org should not have ssh access to your systems

Solution: 

[root@server ~]# yum install openssh-server
[root@server ~]# systemctl start sshd
[root@server ~]# systemctl enable sshd
[root@server ~]# firewall-cmd --permanent --add-service=ssh
[root@server ~]# firewall-cmd --reload
[root@server ~]#firewall-config
-->Permanent
-->Rich Rule
-->add-->ipv4 (family)
 -->element -->service -->ssh
 -->action -->reject
 -->source Address-->172.16.0.0/24    --(my22ilt.org )
--> reload firewalld

Now check whether the rules have been applied, using the following command:

[root@server ~]# firewall-cmd --list-all

Do the same on the desktop machine as well.



       
4) configure port forwarding.

--->configure serverX to forward traffic arriving on port 80/tcp from desktopX to port 5243/tcp.

Solution:

[root@server ~]# firewall-config
-->Permanent
-->Rich Rule
-->add-->ipv4 (family)
 -->element -->port-forward
 -->source-->protocol-->tcp
-->port/port Range 5243
-->Local Forwarding 22
 -->source Address-->172.16.25.0/24    --(Server IP )
--> reload firewalld

[root@server ~]# firewall-cmd --list-all

 rich rules:
        rule family="ipv4" source address="172.16.25.0/24" forward-port port="5243" protocol="tcp" to-port="22"
[root@server ~]#
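The two firewall-config walk-throughs above (the ssh reject rule in task 3 and the port-forward rule in task 4) can be done from the command line with firewall-cmd rich rules, which is easier to verify and to repeat on the desktop machine. The script below is an added example, not part of the original post: it builds both rules as strings, applies them only if firewall-cmd is installed, and then confirms they are present. The network ranges are the ones used on the page (172.16.0.0/24 for my22ilt.org, 172.16.25.0/24 as the source network in the task 4 solution); the forward rule implements task 4 as stated (80/tcp to 5243/tcp). The helper names are this example's own.

```shell
#!/bin/bash
# Added example: CLI equivalents of the firewall-config steps in tasks 3 and 4.
# Helper names (ssh_reject_rule, port_forward_rule, apply_rich_rule,
# check_rich_rules) are this example's own; addresses come from the page.

# Build a rich rule that rejects ssh from one source network (task 3).
ssh_reject_rule() {
    # $1 = source CIDR, e.g. 172.16.0.0/24 (the my22ilt.org range on the page)
    printf 'rule family="ipv4" source address="%s" service name="ssh" reject' "$1"
}

# Build a rich rule that redirects one local TCP port to another (task 4).
port_forward_rule() {
    # $1 = source CIDR, $2 = incoming port, $3 = destination port on this host
    printf 'rule family="ipv4" source address="%s" forward-port port="%s" protocol="tcp" to-port="%s"' "$1" "$2" "$3"
}

# Add a rule to the permanent configuration and reload, if firewalld is present.
# On a host without firewall-cmd (for example a lab container) it only reports
# what it would have applied.
apply_rich_rule() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-rich-rule="$1" && firewall-cmd --reload
    else
        echo "firewall-cmd not found; would apply: $1" >&2
    fi
}

# Verify that each expected rule is in the running configuration.
check_rich_rules() {
    command -v firewall-cmd >/dev/null 2>&1 || return 0
    current=$(firewall-cmd --list-rich-rules)
    for expected in "$@"; do
        case "$current" in
            *"$expected"*) ;;
            *) echo "missing rule: $expected" >&2; return 1 ;;
        esac
    done
}

# Task 3: clients in my22ilt.org (172.16.0.0/24) must not reach sshd.
SSH_RULE=$(ssh_reject_rule 172.16.0.0/24)
# Task 4 as stated: 80/tcp from the desktop network to 5243/tcp on this host.
# 172.16.25.0/24 is the source network used in the page's solution.
FWD_RULE=$(port_forward_rule 172.16.25.0/24 80 5243)

apply_rich_rule "$SSH_RULE"
apply_rich_rule "$FWD_RULE"
check_rich_rules "$SSH_RULE" "$FWD_RULE"
```

Rejecting ssh for one source while the ssh service stays enabled in the zone works because firewalld evaluates rich reject and drop rules before the zone's allowed services, so the more specific reject wins. Using reject rather than drop sends the client an ICMP error, which keeps the failure visible to the people inside my22ilt.org instead of leaving their connections hanging.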



5) simple command
--->create a command called qstat on both serverX and desktopX
--->It should be able to execute the following command
(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
---> The command should be executable by all users

Solution:

[root@server ~]# vim /etc/bashrc
qstat()
{
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
}
[root@server ~]# source /etc/bashrc
[root@server ~]# qstat

Do the same on the desktop machine as well.
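A function in /etc/bashrc is only available to interactive bash shells; users of other shells, cron jobs and sudo -u invocations will not see it. The script below is an added example, not part of the original post: it installs qstat as a world-executable script instead, which satisfies "executable by all users" regardless of shell. The install directory is a parameter so the function can be exercised on a scratch directory; on the exam machines it would be /usr/local/bin. The helper names are this example's own.

```shell
#!/bin/bash
# Added example: install the task 5 command as a standalone executable.
# install_qstat and its directory argument are this example's own choices;
# the ps command line is the one given in the task.

# Write the qstat script into directory $1 and make it executable by all.
# Prints the path of the installed script.
install_qstat() {
    dest="$1/qstat"
    cat > "$dest" <<'EOF'
#!/bin/bash
# qstat: scheduling details for every process (RHCE practice task 5).
# Extra arguments are passed through to ps, e.g. "qstat --sort=-pcpu".
exec ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm "$@"
EOF
    # 0755: root may edit it, every user may read and execute it.
    chmod 0755 "$dest"
    printf '%s' "$dest"
}

# Usage: install into a temporary directory, run it once, clean up.
# On the real systems call: install_qstat /usr/local/bin
tmpdir=$(mktemp -d)
script=$(install_qstat "$tmpdir")
"$script" | head -3
rm -rf "$tmpdir"
```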


6) configure ipv6 network

--->configure eth0 with a static ipv6 address as follows
--->configure the static ipv6 address on serverX as fddb:fe2a:ab1e::c0a8:64/64
--->and on desktopX as fddb:fe2a:ab1e::c0a8:02/64

Solution: 

--Server Machine---
[root@server ~]# nmcli connection modify eno16777736 ipv6.addresses fddb:fe2a:ab1e::c0a8:64/64 ipv6.method static connection.autoconnect yes
[root@server ~]# nmcli connection down eno16777736; nmcli connection up eno16777736
[root@server ~]# ping6 fddb:fe2a:ab1e::c0a8:64

--Desktop Machine---

[root@desktop ~]# nmcli connection modify eno16777736 ipv6.addresses fddb:fe2a:ab1e::c0a8:02/64 ipv6.method static connection.autoconnect yes
[root@desktop ~]# nmcli connection down eno16777736; nmcli connection up eno16777736
[root@desktop ~]# ping6 fddb:fe2a:ab1e::c0a8:02

Sunday, 31 January 2016

How to Enable/Disable SELinux in RHEL 7

Security Enhanced Linux (SELinux) is an additional layer of system security. A primary goal of SELinux is to protect user data from system services that have been compromised. Most Linux administrators are familiar with the standard user/group/other permission security model. SELinux provides an additional layer of security that is object-based and controlled by more sophisticated rules, known as mandatory access control.

Check the status of SELinux  

[root@rhel7 ~]# getenforce
Enforcing
or
[root@rhel7 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@rhel7 ~]#

Check the SELinux context of a file

Many commands that deal with files have an option (usually -Z) to display or set SELinux contexts. For instance, ps, ls, cp, and mkdir all use the -Z option to display or set SELinux contexts.

[root@rhel7 ~]# ls -l /tmp
total 0
-rw-r--r--. 1 root root  0 Jan 31 15:20 abc
drwx------. 2 root root 23 Jan 31 12:53 ssh-I5w8qAMyFP0V
drwx------. 3 root root 16 Jan  5 10:19 systemd-private-0sxVjO
drwx------. 3 root root 16 Dec 20 12:18 systemd-private-5se4Ud
drwx------. 3 root root 16 Dec 21 18:16 systemd-private-8LmQlv


[root@rhel7 ~]# ls -lZ /tmp

-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 abc
drwx------. root root unconfined_u:object_r:user_tmp_t:s0 ssh-I5w8qAMyFP0V
drwx------. root root system_u:object_r:tmp_t:s0       systemd-private-0sxVjO
drwx------. root root system_u:object_r:tmp_t:s0       systemd-private-5se4Ud
drwx------. root root system_u:object_r:tmp_t:s0       systemd-private-8LmQlv

SELinux Modes 

SELinux can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

In enforcing mode, SELinux actively denies access that the policy does not allow; for example, a web server attempting to read files with the tmp_t type context is blocked. In enforcing mode, SELinux both logs and protects.

Permissive mode is often used to troubleshoot issues. In permissive mode, SELinux allows all interactions, even if there is no explicit rule, and it logs those interactions it would have denied in enforcing mode. This mode can be used to temporarily allow access to content that SELinux is restricting. No reboot is required to go from enforcing to permissive or back again.

A third mode, Disabled, completely disables SELinux. A system reboot is required to disable SELinux entirely, or to get from disabled mode to enforcing or permissive mode.

Changing SELinux Mode

[root@rhel7 ~]# getenforce
Enforcing
[root@rhel7 ~]# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@rhel7 ~]# setenforce 0
[root@rhel7 ~]# getenforce
Permissive

[root@rhel7 ~]# setenforce 1
[root@rhel7 ~]# getenforce
Enforcing

Setting the default SELinux mode

The configuration file that determines the SELinux mode at boot time is /etc/selinux/config. Notice that it contains some useful comments. The /etc/sysconfig/selinux file is a symbolic link that points to /etc/selinux/config.


[root@rhel7 ~]# cd /etc/selinux/
[root@rhel7 selinux]# ll
total 12
-rw-r--r--. 1 root root  547 Dec 20 16:58 config
-rw-r--r--. 1 root root 2321 Jan 26  2014 semanage.conf
drwxr-xr-x. 6 root root 4096 Dec 20 17:05 targeted
[root@rhel7 selinux]# cd /etc/sysconfig/
[root@rhel7 sysconfig]# ls -lrt selinux
lrwxrwxrwx. 1 root root 17 Dec 20 16:58 selinux -> ../selinux/config
[root@rhel7 sysconfig]#

To change SELinux mode from Enforcing or Permissive to Disabled

[root@rhel7 sysconfig]# vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing   ---> change this line to SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.

SELINUXTYPE=targeted

Now reboot the system; after the reboot no SELinux policy is loaded.
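The same edit of /etc/selinux/config is needed for task 1 of the RHCE practice post above (SELINUX=enforcing) and for the disable procedure just described. The script below is an added example, not part of the original post: it changes the SELINUX= line with a validated, repeatable command instead of hand-editing in vim, reads the setting back to verify it, and reports the running mode from selinuxfs the way getenforce does. The config path is a parameter so the function can be exercised on a scratch copy; on a real system it is /etc/selinux/config. The helper names are this example's own.

```shell
#!/bin/bash
# Added example: set and verify the boot-time SELinux mode.
# set_selinux_default_mode, selinux_default_mode and selinux_runtime_mode are
# this example's own helpers; the file format is the one shown on the page.

# Rewrite the SELINUX= line of config file $1 to mode $2. Only the three
# values documented in the file's own comments are accepted.
set_selinux_default_mode() {
    cfg="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode (expected enforcing, permissive or disabled)" >&2; return 1 ;;
    esac
    if grep -q '^SELINUX=' "$cfg"; then
        # The anchored pattern leaves the commented "# SELINUX= can take..."
        # line and the SELINUXTYPE= line untouched (GNU sed -i, as on RHEL 7).
        sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# Read the configured boot-time mode back, for verification.
selinux_default_mode() {
    sed -n 's/^SELINUX=//p' "$1" | tail -1
}

# Current runtime mode, equivalent to getenforce, read from selinuxfs.
# Prints "unavailable" on a kernel without SELinux (or a non-Linux host).
selinux_runtime_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo Enforcing ;;
            0) echo Permissive ;;
        esac
    else
        echo unavailable
    fi
}

# Usage on a scratch copy constructed to mirror the page's file.
# On a real system: set_selinux_default_mode /etc/selinux/config enforcing
tmpcfg=$(mktemp)
printf '# SELINUX= can take one of these three values:\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmpcfg"
set_selinux_default_mode "$tmpcfg" permissive
echo "configured: $(selinux_default_mode "$tmpcfg"), running: $(selinux_runtime_mode)"
rm -f "$tmpcfg"
```

Two practical points follow from the modes section above. Permissive keeps the policy loaded and keeps logging denials, so it is the mode to use for troubleshooting; disabled unloads the policy entirely, and files created while it is disabled get no labels, so when a system is later returned from disabled to enforcing or permissive a full relabel (touch /.autorelabel before the reboot) is required before the policy behaves correctly again.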