RHCSA-Objective07-07: Diagnose and address routine SELinux policy violations

Checking SELinux status: `getenforce` displays only the mode; `sestatus` gives additional information, including the SELinux policy. Log file location: TS and address routine SELinux policy violations; logs are stored in /var/log/audit/audit.log. sealert will give commands to use to correct the violation: `yum install setroubleshoot` # installs sealert command `sealert -a /var/log/audit/audit.log` […]

RHCSA-Objective07-06: Use boolean settings to modify system SELinux settings

SELinux Boolean: a conditional rule that allows modification of the security policy without having to load a new policy. E.g., to allow CGI scripts to be executed, enable httpd_enable_cgi. Man pages: booleans(8), selinux(8), getsebool(8). ## Get bool values `getsebool -a` `semanage boolean -l` # more detail enable or disabled selinux setting […]

RHCSA-Objective07-05: Restore default file contexts

To restore context: ## Restore context for a single file `restorecon <file>` ## Restore context recursively `restorecon -Rv <dir>` ## Restore context for all files `touch /.autorelabel` Example: setting up an alternate directory for httpd named /content/www ## for syntax `semanage fcontext -l | grep /var/www` ## to add `semanage fcontext -a -t httpd_sys_content_t '/content/www(/.*)?'` […]

RHCSA-Objective07-04: List and identify SELinux file and process context

Each file/folder, process, user account and user group on the system has an SELinux context (security context). Each context consists of 4 colon-delimited strings. Each string consists of a security attribute. ## To list file context `ls -Z /etc/*.conf` ## output: ## -rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf ## To ID SELinux […]

RHCSA-Objective07-03: Set enforcing and permissive modes for SELinux

SELinux is a Mandatory Access Control (MAC) system that is supported at the kernel level. It provides damage control once a system is compromised by isolating segments relating to the service. So if nginx is compromised, only the locations that nginx has SELinux permissions to can be accessed. It's like an application firewall. It defines a set […]

RHCSA-Objective07-01: Configure firewall settings using firewall-config, firewall-cmd, or iptables

Overview: firewall-cmd has the following uses: filter packets (inbound and outbound); port forwarding; routing, i.e. NAT aka masquerading (as seen with --list-all output). netfilter is the underlying framework that iptables or firewalld is using. To install with GUI manager (firewall-config): # to install GUI and firewalld # firewalld is included by default with minimum installation of […]

RHCSA-Objective04-06: Diagnose and correct file permission problems

Cannot access a file/folder. Check: with `ls -al` to see if you have permissions. If you see + at the end of the permissions for the file, use getfacl. Correct: with chmod or setfacl. Cannot delete a file. Check: sticky bit / not root user. Correct: with chmod. Check: use lsattr. Correct: with chattr. Can […]

RHCSA-Objective04-05: Create and manage Access Control Lists (ACLs)

Info about ACLs: ACL-supported filesystems: ext4 and xfs. Good for granting a user access to a file owned by another user or group without making that user a member of the group. You can tell if a file has an ACL associated with it by a + at the end of permissions listed […]

RHCSA-Objective04-02: Mount and unmount CIFS and NFS network file systems

CIFS: Common Internet File System, sharing between Windows and Linux. Samba is used to create CIFS shares on Linux. NFS: network file share, sharing between Linux systems. Tools required: `yum -y install samba-client cifs-utils nfs-utils psmisc`. CIFS / Samba mount and umount: # to find samba/CIFS shares `smbclient -L fileServerIP` # To temp […]