Difference between revisions of "OPS235 Assignment 2 Tips"
(Created page with '= Turning Firewall On/Off on CentOS 7 = == To turn it off == * /usr/sbin/iptables -F * /usr/sbin/iptables -P INPUT ACCEPT * /usr/sbin/iptables -P OUTPUT ACCEPT == To turn it on =…') |
|||
(6 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
+ | {{Admon/caution|THIS IS AN OLD VERSION OF THE ASSIGNMENT|'''This is an archived version. Do not use this in your OPS235 course.'''}} | ||
+ | [[category:OPS235]][[Category:rchan]] | ||
= Turning Firewall On/Off on CentOS 7 = | = Turning Firewall On/Off on CentOS 7 = | ||
== To turn it off == | == To turn it off == | ||
Line 6: | Line 8: | ||
== To turn it on == | == To turn it on == | ||
* systemctl restart firewalld.service | * systemctl restart firewalld.service | ||
+ | |||
+ | = Turning SELinux On/Off on CentOS 7 = | ||
+ | == To turn off SELinux temporary into permissive mode == | ||
+ | * setenforce 0 | ||
+ | == To turn SELinx back on from permissive mode == | ||
+ | * setenforce 1 | ||
+ | == To check the current status of SELinux == | ||
+ | * sestatus | ||
+ | <pre> | ||
+ | SELinux status: enabled | ||
+ | SELinuxfs mount: /sys/fs/selinux | ||
+ | SELinux root directory: /etc/selinux | ||
+ | Loaded policy name: targeted | ||
+ | Current mode: enforcing | ||
+ | Mode from config file: enforcing | ||
+ | Policy MLS status: enabled | ||
+ | Policy deny_unknown status: allowed | ||
+ | Max kernel policy version: 28 | ||
+ | </pre> | ||
+ | |||
+ | * setenforce 0 | ||
+ | * sestatus | ||
+ | <pre> | ||
+ | SELinux status: enabled | ||
+ | SELinuxfs mount: /sys/fs/selinux | ||
+ | SELinux root directory: /etc/selinux | ||
+ | Loaded policy name: targeted | ||
+ | Current mode: permissive | ||
+ | Mode from config file: enforcing | ||
+ | Policy MLS status: enabled | ||
+ | Policy deny_unknown status: allowed | ||
+ | Max kernel policy version: 28 | ||
+ | </pre> | ||
+ | |||
+ | = Listing the RUN-TIME configurable parameter for SELinux = | ||
+ | * getsebool -a | ||
+ | <pre> | ||
+ | abrt_anon_write --> off | ||
+ | abrt_handle_event --> off | ||
+ | abrt_upload_watch_anon_write --> on | ||
+ | antivirus_can_scan_system --> off | ||
+ | antivirus_use_jit --> off | ||
+ | auditadm_exec_content --> on | ||
+ | authlogin_nsswitch_use_ldap --> off | ||
+ | authlogin_radius --> off | ||
+ | authlogin_yubikey --> off | ||
+ | awstats_purge_apache_log_files --> off | ||
+ | boinc_execmem --> on | ||
+ | ... | ||
+ | </pre> | ||
+ | == List of SELinux run-time configurable parameter that control Apache server (httpd)== | ||
+ | * getsebool -a | grep httpd | ||
+ | <pre> | ||
+ | httpd_anon_write --> off | ||
+ | httpd_builtin_scripting --> on | ||
+ | httpd_can_check_spam --> off | ||
+ | httpd_can_connect_ftp --> off | ||
+ | httpd_can_connect_ldap --> off | ||
+ | httpd_can_connect_mythtv --> off | ||
+ | httpd_can_connect_zabbix --> off | ||
+ | httpd_can_network_connect --> off | ||
+ | httpd_can_network_connect_cobbler --> off | ||
+ | httpd_can_network_connect_db --> off | ||
+ | httpd_can_network_memcache --> off | ||
+ | httpd_can_network_relay --> off | ||
+ | httpd_can_sendmail --> off | ||
+ | httpd_dbus_avahi --> off | ||
+ | httpd_dbus_sssd --> off | ||
+ | httpd_dontaudit_search_dirs --> off | ||
+ | httpd_enable_cgi --> on | ||
+ | httpd_enable_ftp_server --> off | ||
+ | httpd_enable_homedirs --> off | ||
+ | httpd_execmem --> off | ||
+ | httpd_graceful_shutdown --> on | ||
+ | httpd_manage_ipa --> off | ||
+ | httpd_mod_auth_ntlm_winbind --> off | ||
+ | httpd_mod_auth_pam --> off | ||
+ | httpd_read_user_content --> off | ||
+ | httpd_run_preupgrade --> off | ||
+ | httpd_run_stickshift --> off | ||
+ | httpd_serve_cobbler_files --> off | ||
+ | httpd_setrlimit --> off | ||
+ | httpd_ssi_exec --> off | ||
+ | httpd_sys_script_anon_write --> off | ||
+ | httpd_tmp_exec --> off | ||
+ | httpd_tty_comm --> off | ||
+ | httpd_unified --> off | ||
+ | httpd_use_cifs --> off | ||
+ | httpd_use_fusefs --> off | ||
+ | httpd_use_gpg --> off | ||
+ | httpd_use_nfs --> off | ||
+ | httpd_use_openstack --> off | ||
+ | httpd_use_sasl --> off | ||
+ | httpd_verify_dns --> off | ||
+ | </pre> | ||
+ | = How to turn on/off a SELinux run-time parameter= | ||
+ | == To turn on a run-time parameter == | ||
+ | For Current session | ||
+ | * setsebool httpd_can_network_connect_db on | ||
+ | For good (even after a reboot) | ||
+ | * setsebool -P httpd_can_network_connect_db on | ||
+ | == To turn off a run-time parameter == | ||
+ | For the current session | ||
+ | * setsebool httpd_can_network_connect_db off | ||
+ | For good (even after a reboot) | ||
+ | * setsebool -P httpd_can_network_connect_db off |
Latest revision as of 12:02, 27 November 2019
Contents
Turning Firewall On/Off on CentOS 7
To turn it off
- /usr/sbin/iptables -F
- /usr/sbin/iptables -P INPUT ACCEPT
- /usr/sbin/iptables -P OUTPUT ACCEPT
To turn it on
- systemctl restart firewalld.service
Turning SELinux On/Off on CentOS 7
To turn off SELinux temporary into permissive mode
- setenforce 0
To turn SELinx back on from permissive mode
- setenforce 1
To check the current status of SELinux
- sestatus
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28
- setenforce 0
- sestatus
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28
Listing the RUN-TIME configurable parameter for SELinux
- getsebool -a
abrt_anon_write --> off abrt_handle_event --> off abrt_upload_watch_anon_write --> on antivirus_can_scan_system --> off antivirus_use_jit --> off auditadm_exec_content --> on authlogin_nsswitch_use_ldap --> off authlogin_radius --> off authlogin_yubikey --> off awstats_purge_apache_log_files --> off boinc_execmem --> on ...
List of SELinux run-time configurable parameter that control Apache server (httpd)
- getsebool -a | grep httpd
httpd_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_mythtv --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> off httpd_dbus_sssd --> off httpd_dontaudit_search_dirs --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_graceful_shutdown --> on httpd_manage_ipa --> off httpd_mod_auth_ntlm_winbind --> off httpd_mod_auth_pam --> off httpd_read_user_content --> off httpd_run_preupgrade --> off httpd_run_stickshift --> off httpd_serve_cobbler_files --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_sys_script_anon_write --> off httpd_tmp_exec --> off httpd_tty_comm --> off httpd_unified --> off httpd_use_cifs --> off httpd_use_fusefs --> off httpd_use_gpg --> off httpd_use_nfs --> off httpd_use_openstack --> off httpd_use_sasl --> off httpd_verify_dns --> off
How to turn on/off a SELinux run-time parameter
To turn on a run-time parameter
For Current session
- setsebool httpd_can_network_connect_db on
For good (even after a reboot)
- setsebool -P httpd_can_network_connect_db on
To turn off a run-time parameter
For the current session
- setsebool httpd_can_network_connect_db off
For good (even after a reboot)
- setsebool -P httpd_can_network_connect_db off