Difference between revisions of "OPS235 Assignment 2 Tips"
Caution: THIS IS AN OLD VERSION OF THE ASSIGNMENT. This is an archived version. Do not use this in your OPS235 course.
Latest revision as of 12:02, 27 November 2019
Turning Firewall On/Off on CentOS 7
To turn it off
- /usr/sbin/iptables -F
- /usr/sbin/iptables -P INPUT ACCEPT
- /usr/sbin/iptables -P OUTPUT ACCEPT
To turn it on
- systemctl restart firewalld.service
Turning SELinux On/Off on CentOS 7
To turn off SELinux temporarily (switch it into permissive mode)
- setenforce 0
To turn SELinux back on from permissive mode
- setenforce 1
To check the current status of SELinux
- sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
- setenforce 0
- sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
Listing the RUN-TIME configurable parameters for SELinux
- getsebool -a
    abrt_anon_write --> off
    abrt_handle_event --> off
    abrt_upload_watch_anon_write --> on
    antivirus_can_scan_system --> off
    antivirus_use_jit --> off
    auditadm_exec_content --> on
    authlogin_nsswitch_use_ldap --> off
    authlogin_radius --> off
    authlogin_yubikey --> off
    awstats_purge_apache_log_files --> off
    boinc_execmem --> on
    ...
List of SELinux run-time configurable parameters that control the Apache server (httpd)
- getsebool -a | grep httpd
    httpd_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_check_spam --> off
    httpd_can_connect_ftp --> off
    httpd_can_connect_ldap --> off
    httpd_can_connect_mythtv --> off
    httpd_can_connect_zabbix --> off
    httpd_can_network_connect --> off
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_memcache --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    httpd_dbus_avahi --> off
    httpd_dbus_sssd --> off
    httpd_dontaudit_search_dirs --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_execmem --> off
    httpd_graceful_shutdown --> on
    httpd_manage_ipa --> off
    httpd_mod_auth_ntlm_winbind --> off
    httpd_mod_auth_pam --> off
    httpd_read_user_content --> off
    httpd_run_preupgrade --> off
    httpd_run_stickshift --> off
    httpd_serve_cobbler_files --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> off
    httpd_sys_script_anon_write --> off
    httpd_tmp_exec --> off
    httpd_tty_comm --> off
    httpd_unified --> off
    httpd_use_cifs --> off
    httpd_use_fusefs --> off
    httpd_use_gpg --> off
    httpd_use_nfs --> off
    httpd_use_openstack --> off
    httpd_use_sasl --> off
    httpd_verify_dns --> off
How to turn on/off a SELinux run-time parameter
To turn on a run-time parameter
For the current session
- setsebool httpd_can_network_connect_db on
For good (even after a reboot)
- setsebool -P httpd_can_network_connect_db on
To turn off a run-time parameter
For the current session
- setsebool httpd_can_network_connect_db off
For good (even after a reboot)
- setsebool -P httpd_can_network_connect_db off
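An added example (not part of the wiki page) that ties the sestatus section and the httpd boolean/setsebool section together: it parses captured sestatus and getsebool output, flags a running mode that differs from the config-file mode (the state setenforce 0 leaves behind), and lists which booleans are switched on. The sample outputs are constructed to match the format shown above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the OPS235 wiki page): audit SELinux state offline
# from captured `sestatus` and `getsebool -a` output. Both samples below are
# constructed to match the output format shown on the page.

# Constructed `sestatus` output, as it looks after `setenforce 0`.
SESTATUS_SAMPLE='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed `getsebool -a | grep httpd` output with one boolean switched on.
GETSEBOOL_SAMPLE='httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_enable_cgi --> on'

# Print the value of one "Field name:   value" line from sestatus output.
sestatus_field() {  # $1 = sestatus text, $2 = field name
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2 }'
}

# Compare the running mode with the persistent one from the config file
# (/etc/selinux/config on CentOS 7). "setenforce 0" only changes the former,
# so they diverge until reboot or "setenforce 1"; report that as drift.
selinux_mode_drift() {  # $1 = sestatus text
    cur=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    if [ "$cur" = "$cfg" ]; then
        echo consistent
    else
        echo "drift:$cur!=$cfg"
    fi
}

# List the booleans that are currently "on", sorted, one per line. Anything
# switched on beyond the page's defaults (e.g. httpd_can_network_connect_db
# after "setsebool -P ... on") shows up here for review.
bools_on() {  # $1 = getsebool text
    printf '%s\n' "$1" | awk '$3 == "on" { print $1 }' | sort
}

# Stand-alone run: print the audit for the constructed samples.
echo "SELinux mode: $(selinux_mode_drift "$SESTATUS_SAMPLE")"
echo "httpd booleans on:"
bools_on "$GETSEBOOL_SAMPLE" | sed 's/^/  /'
```

On a live CentOS 7 host the same functions can be fed the real output with `selinux_mode_drift "$(sestatus)"` and `bools_on "$(getsebool -a | grep httpd)"`.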