And at the end of the day, if you screw up the setup of your router, the worst that will happen is that your internal service becomes inaccessible. From a security point of view that is much better than a screw-up with a firewall, which can make ''every system and service'' accessible to ''everyone on the internet''.
= SELINUX BASICS =
SELinux is a ridiculously complex topic. Very few people understand it fully, and you're not expected to either. But you need at least a grasp of the basics, and you need to be able to debug an SELinux-related problem when one shows up.
We'll use an example as an exercise to help us learn the basic concepts. The example is based on the better illustrated "SELinux Practical Examples" section from [https://www.computernetworkingnotes.com/rhce-study-guide/selinux-explained-with-examples-in-easy-language.html ComputerNetworkingNotes].
* You should already have Apache running on lin1, and serving your custom index.html file.
* If you run <code>ls -al /var/www/html</code> you'll find that only root has write access to that directory. Let's change that so it's more realistic.
* Use the chown command to change the ownership of the /var/www/html directory and its contents from root/root to youruser/yourgroup.
* Switch to your regular user in the terminal and go to your home directory.
* Create a file named copytest.html and another called movetest.html with some text inside.
* Run <code>ls -lZ</code> and save the output somewhere (you can write it down in your labbook for example).
* Copy copytest.html to /var/www/html and move movetest.html to the same directory.
* Try to access each file from a web browser. You should be able to access one but not the other.
* Check the web server error log (/var/log/httpd/error_log) - it should tell you there's a problem with permissions.
* Check your permissions with <code>ls -l</code>: they should appear to allow everyone to read movetest.html, exactly as they do for copytest.html.
** This is a good bit of learning to absorb. When you get a permission denied error that makes no sense given what <code>ls -l</code> shows, it's quite likely that SELinux is the cause: the normal Unix permissions are checked first, and SELinux can still say no afterwards.
* Look for "movetest.html" in the SELinux log /var/log/audit/audit.log
* You should find a line in there with the word "denied" in it (an AVC record). Instead of giving yourself a headache trying to decipher that log line, go and check the SELinux context on the files involved:
** Run <code>ls -lZ</code> on /var/www/html and compare the output to the one you saved earlier.
* The problem is the security context of the movetest.html file. <code>cp</code> creates a new file, so it picks up the default context of /var/www/html (type httpd_sys_content_t, which httpd is allowed to read); <code>mv</code> keeps the context the file had in your home directory (type user_home_t, which httpd is not allowed to read). Fix it using the chcon command (read [https://www.computernetworkingnotes.com/rhce-study-guide/selinux-explained-with-examples-in-easy-language.html the tutorial]), then run <code>ls -lZ</code> again and confirm both files now show the same type.
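The following is an added example and is not part of the lab page or the linked tutorial. It is a small POSIX shell script that takes an AVC "denied" line of the kind you find in /var/log/audit/audit.log, pulls out who was denied what on which file, and decides whether the file's type label is the cause. The two audit lines in the script are constructed to match the exercise (pids, inodes and timestamps are made up); the expected type httpd_sys_content_t is an assumption that holds for the stock targeted policy on CentOS 7 with no local customisation.

```sh
#!/bin/sh
# Added example for the SELinux exercise (not code from the original lab page).
# Parses an AVC denial from /var/log/audit/audit.log and reports whether the
# target file's SELinux type is why httpd was refused.
# Both audit lines below are constructed for the exercise; real lines have the
# same key=value layout but different pids, inodes and timestamps.

# Denial for the moved file: mv kept the label it had in the home directory.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/movetest.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Same shape, but the file already carries the web-content type: if you see this,
# the label is fine and the denial has another cause (a boolean, for example).
SAMPLE_AVC_OK='type=AVC msg=audit(1700000000.124:457): avc:  denied  { read } for  pid=1234 comm="httpd" path="/var/www/html/other.html" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# Type the targeted policy gives static content under /var/www/html
# (assumption: stock CentOS 7 targeted policy, no local file-context changes).
WEB_TYPE=httpd_sys_content_t

# avc_field LINE KEY: print the value of KEY=value from an AVC line, with any
# surrounding double quotes removed. Returns 1 if KEY is not in the line.
avc_field() {
    case " $1" in
        *" $2="*) ;;
        *) return 1 ;;
    esac
    v=${1#* "$2"=}     # drop everything up to and including " KEY="
    v=${v%% *}         # keep up to the next space
    v=${v#\"}          # strip a leading quote ...
    v=${v%\"}          # ... and a trailing one
    printf '%s\n' "$v"
}

# avc_perm LINE: the permission that was refused, e.g. "getattr".
avc_perm() {
    p=${1#*"{ "}
    p=${p%%" }"*}
    printf '%s\n' "$p"
}

# ctx_type CONTEXT: the type field of user:role:type:level, e.g. httpd_t.
ctx_type() {
    t=${1#*:}; t=${t#*:}
    printf '%s\n' "${t%%:*}"
}

# avc_fix LINE: when the target file's type is not WEB_TYPE, print the chcon
# command that relabels it and return 0; return 1 if the label is already
# correct, so the caller knows to look for a different cause.
avc_fix() {
    path=$(avc_field "$1" path) || return 1
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$ttype" = "$WEB_TYPE" ]; then
        return 1
    fi
    printf 'chcon -t %s %s\n' "$WEB_TYPE" "$path"
}

# diagnose_avc LINE: one-line explanation plus the fix. On lin1 you would feed
# it the real line, e.g.
#   diagnose_avc "$(grep movetest.html /var/log/audit/audit.log | tail -n 1)"
diagnose_avc() {
    printf '%s (%s) was denied %s on %s, which is labelled %s\n' \
        "$(avc_field "$1" comm)" "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" "$(avc_field "$1" path)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
    avc_fix "$1" || printf 'label is already %s: look for another cause\n' "$WEB_TYPE"
}

# Run stand-alone to see both cases.
diagnose_avc "$SAMPLE_AVC"
diagnose_avc "$SAMPLE_AVC_OK"
```

On a real box, <code>ausearch -m avc -ts recent</code> is a cleaner way to pull the denials than grepping audit.log. The script prints a chcon command because that is what the exercise asks for; in practice <code>restorecon -v /var/www/html/movetest.html</code> is the safer fix, since it applies whatever default the policy defines for that path rather than a type you typed by hand.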
= PART 3: YOUR TASKS =
# Set up lin2 (192.168.210.12) the same way you set up lin1. Make sure you have the firewall and networking tools installed, but you don't need Apache on it.
# Set up iptables on c7host so that SSH connections arriving on port 2221 are forwarded to the SSH server on lin1, and connections arriving on port 2222 are forwarded to the SSH server on lin2.
# Complete the exercise in the SELinux section of the lab.
= Lab completion =