Difference between revisions of "OPS235 Assignment 2 Tips"
Revision as of 13:26, 29 July 2015
Turning Firewall On/Off on CentOS 7
To turn it off
- /usr/sbin/iptables -F
- /usr/sbin/iptables -P INPUT ACCEPT
- /usr/sbin/iptables -P OUTPUT ACCEPT
To turn it on
- systemctl restart firewalld.service
Turning SELinux On/Off on CentOS 7
To temporarily switch SELinux off (into permissive mode)
- setenforce 0
To switch SELinux back on (from permissive to enforcing mode)
- setenforce 1
To check the current status of SELinux
- sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Max kernel policy version:      28
- setenforce 0
- sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   permissive
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Max kernel policy version:      28
Listing the run-time configurable parameters (booleans) for SELinux
- getsebool -a
  abrt_anon_write --> off
  abrt_handle_event --> off
  abrt_upload_watch_anon_write --> on
  antivirus_can_scan_system --> off
  antivirus_use_jit --> off
  auditadm_exec_content --> on
  authlogin_nsswitch_use_ldap --> off
  authlogin_radius --> off
  authlogin_yubikey --> off
  awstats_purge_apache_log_files --> off
  boinc_execmem --> on
  ...
List of SELinux run-time configurable parameters that control the Apache server (httpd)
- getsebool -a | grep httpd
  httpd_anon_write --> off
  httpd_builtin_scripting --> on
  httpd_can_check_spam --> off
  httpd_can_connect_ftp --> off
  httpd_can_connect_ldap --> off
  httpd_can_connect_mythtv --> off
  httpd_can_connect_zabbix --> off
  httpd_can_network_connect --> off
  httpd_can_network_connect_cobbler --> off
  httpd_can_network_connect_db --> off
  httpd_can_network_memcache --> off
  httpd_can_network_relay --> off
  httpd_can_sendmail --> off
  httpd_dbus_avahi --> off
  httpd_dbus_sssd --> off
  httpd_dontaudit_search_dirs --> off
  httpd_enable_cgi --> on
  httpd_enable_ftp_server --> off
  httpd_enable_homedirs --> off
  httpd_execmem --> off
  httpd_graceful_shutdown --> on
  httpd_manage_ipa --> off
  httpd_mod_auth_ntlm_winbind --> off
  httpd_mod_auth_pam --> off
  httpd_read_user_content --> off
  httpd_run_preupgrade --> off
  httpd_run_stickshift --> off
  httpd_serve_cobbler_files --> off
  httpd_setrlimit --> off
  httpd_ssi_exec --> off
  httpd_sys_script_anon_write --> off
  httpd_tmp_exec --> off
  httpd_tty_comm --> off
  httpd_unified --> off
  httpd_use_cifs --> off
  httpd_use_fusefs --> off
  httpd_use_gpg --> off
  httpd_use_nfs --> off
  httpd_use_openstack --> off
  httpd_use_sasl --> off
  httpd_verify_dns --> off
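As an added example (not part of the course page), the POSIX shell helpers below read the two output formats shown above, sestatus and getsebool -a, and flag the two things worth checking on a CentOS 7 host: a running SELinux mode that differs from the config file (a setenforce 0 that was never reverted), and which httpd booleans are currently on. The sample outputs are constructed to mirror the page, not captured from a live system.

```shell
#!/bin/sh
# Added example: audit SELinux state from sestatus / getsebool -a output.

# Constructed sample of `sestatus` output, mirroring the page's second run.
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled'

# Constructed sample of `getsebool -a` output in its "name --> on|off" format.
SAMPLE_BOOLS='abrt_anon_write --> off
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_graceful_shutdown --> on'

# sestatus_field "Label" < sestatus-output -> value on the line with that label
sestatus_field() {
    awk -F': *' -v want="$1" '$1 == want { print $2; exit }'
}

# mode_drift < sestatus-output -> "ok" when the running mode matches the
# config file, otherwise "drift:<current>/<config>" (a box left permissive).
mode_drift() {
    text=$(cat)
    cur=$(printf '%s\n' "$text" | sestatus_field "Current mode")
    cfg=$(printf '%s\n' "$text" | sestatus_field "Mode from config file")
    if [ "$cur" = "$cfg" ]; then echo ok; else echo "drift:$cur/$cfg"; fi
}

# enabled_bools PREFIX < getsebool-output -> names of booleans set to "on"
# whose name starts with PREFIX (e.g. httpd), one per line.
enabled_bools() {
    awk -v p="$1" 'index($1, p) == 1 && $2 == "-->" && $3 == "on" { print $1 }'
}

# Stand-alone demo on the constructed samples; on a live host pipe the real
# `sestatus` and `getsebool -a` output in instead.
printf '%s\n' "$SAMPLE_SESTATUS" | mode_drift
printf '%s\n' "$SAMPLE_BOOLS" | enabled_bools httpd
```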