Difference between revisions of "OPS235 Resources"

From CDOT Wiki
Jump to: navigation, search
(Firewall Configuration)
(SELinux Configuration)
Line 68: Line 68:
 
  Policy from config file:        targeted
 
  Policy from config file:        targeted
  
It is not recommended to turn off SELinux. It is recommended that you should set it to permissive mode if you encounter SELinux policy issue that cannot be resolvced by other means.
+
It is not recommended to turn off SELinux. If you encounter some SELinux policy issues and can not get it resolve, then you should set it to permissive mode.
  
 
To switch SELinux from "permissive" mode to "enforcing" mode, do the following:
 
To switch SELinux from "permissive" mode to "enforcing" mode, do the following:
Line 75: Line 75:
 
  SELinux status:                enabled
 
  SELinux status:                enabled
 
  SELinuxfs mount:                /selinux
 
  SELinuxfs mount:                /selinux
  Current mode:                  permissive
+
  Current mode:                  enforcing
 
  Mode from config file:          enforcing
 
  Mode from config file:          enforcing
 
  Policy version:                24
 
  Policy version:                24

Revision as of 19:46, 25 November 2009

Installation Video

Fedora 12 Installation

F12 Live CD update Tracker

The following table shows the number of packages available for update on a given date on a Live Fedora 12 system.

Date No. of Packages Size Time(min.)
November 25, 2009 100 94MB 5
November 24, 2009 89 87MB 5
Date No of Package Size Time(min.)

Some facts about Fedora 12 Live DVD

Version information

[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 athlon i386 GNU/Linux

Number of packages

[root@localhost ~]# rpm -qa | wc -l
1017

TCP/IP Network Services running on the Live DVD by default

  • cups on port 631 (Common Unix Print Service)
  • smtp on port 25 (Simple Message Transfer protocol, for handling emails exchange between local users)
  • avahi-daemon on port 5353 and 49032
  • bootpc on port 68 (DHCP Client)
[root@localhost ~]# netstat -atup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address   State       PID/Program name   
tcp        0      0 localhost.localdomain:ipp   *:*               LISTEN      1500/cupsd          
tcp        0      0 localhost.localdomain:smtp  *:*               LISTEN      1800/sendmail: acce 
tcp        0      0 localhost6.localdomain6:ipp *:*               LISTEN      1500/cupsd          
udp        0      0 *:mdns                      *:*                           1489/avahi-daemon:  
udp        0      0 *:ipp                       *:*                           1500/cupsd          
udp        0      0 *:49032                     *:*                           1489/avahi-daemon:  
udp        0      0 *:bootpc                    *:*                           1698/dhclient

SELinux Configuration

Security Enhence Linux is enabled by default.

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@localhost ~]# 

To Keep SELinux running but ask it not to enforce the Security Policy, do the following:

[root@localhost ~]# setenforce 0
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

It is not recommended to turn off SELinux. If you encounter some SELinux policy issues and can not get it resolve, then you should set it to permissive mode.

To switch SELinux from "permissive" mode to "enforcing" mode, do the following:

[root@localhost ~]# setenforce 1
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Firewall Configuration

Fedora distribution use "netfilter" kernel module for building a Stateful Packet Filtering firewall. Firewall is enable on Fedora Live DVD by default. The default firewall configuration:

[root@localhost ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns 
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination          

  • Incoming packets will be filtered based on firewall rules for the INPUT chain (Chain num 1 to 5)
    • Rule number 1 allows any packets which are related to any packets went out before
    • Rule number 2 allows any icmp packets, including echo-request and echo-reply packet (used by the ping command)
    • Rule number 3 allows packets coming from the loop back network interface (lo), need to "-v" to show the interface name.
    • Rule number 4 allows packets go to IP address 224.0.0.251 port 5353
    • Rule number 5 blocks all other incoming packets
  • No packet will be forwarded.
  • All outgoing packets is allowed.

Additional Software Package Installation

Apache Manual

Installation using yum

[root@localhost ~]# yum install httpd-manual
Loaded plugins: presto, refresh-packagekit
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package httpd-manual.noarch 0:2.2.13-4.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch           Version               Repository      Size
================================================================================
Installing:
 httpd-manual         noarch         2.2.13-4.fc12         fedora         767 k 

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s) 

Total download size: 767 k
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
fedora/prestodelta                                       | 1.3 kB     00:00     
Processing delta metadata
Package(s) data still to download: 767 k
httpd-manual-2.2.13-4.fc12.noarch.rpm                    | 767 kB     00:02     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : httpd-manual-2.2.13-4.fc12.noarch                        1/1 

Installed:
  httpd-manual.noarch 0:2.2.13-4.fc12                                           

Complete!

Starting Apache Server

[root@localhost ~]# service httpd start
Starting httpd:                                            [  OK  ]
[root@localhost ~]# 

To access your Apache Web Server running on the Live DVD