== Introduction and Purpose ==
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, '''MediaWikiWordpress''', to show that these services have been installed properly. In this assignment, you will attempt to maintain a high level of security, by using '''iptables''' firewall to guard against unauthorized access. You will also configure the '''SELinux''' security system to further enhance the security of your computer system.
'''NOTE: This Do this assignment may be performed using any combination of your inside the fedora3 virtual machines and/or host disk packmachine. '''
== Required Tasks (ASSIGNMENT TOTAL: 70 Marks) == ===A. Installing Packages (Section Total: 8 Marks)=using Yum ==
Install these packages using ''yum'':
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.
* '''php''' - this is the PHP server software. It provides the '''php''' capabilities to the web server and wiki.
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket and TCP port 3306 by default.
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a database such as MySQL locally or on other servers.
===B* '''httpd''' - this is the Apache web server software.* '''php''' - this is the PHP server software, which allows Apache to run more complex websites.* '''mysql-server''' - this is the MySQL database server. Configuring Services ===
====Configuring Apache httpd (Section Total: 10 Marks)====
:# Start the httpd service using the '''systemctl''' (or '''command.# Ensure that the httpd service''') commandstarts automatically during boot.:# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running fedora3 (you can test using '''links''') as well as from another machine on the same networkhost. You should see a test page.:# Configure this software to start when the system is booted using '''systemctl'''Fedora Test Page.:# ?? Create a very simple HTML index page for your system, and place it at <code> /var/www/html/index.html </code>:# Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>
==== MySQL (Section Total: 6 Marks)====
:# Configure this software to start when the system is booted using '''systemctl'''.
==== MediaWiki (Section Total: 12 Marks)==Installing and Configuring Wordpress ==
:# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>:#* Uncomment the first two <code>Alias</code> lines:#* Reload the httpd configuration using the <code>service</code> command:# Access <code>http://localhost/wiki</code> on the machine on which the Wordpress (like most web server applications) is running (this will not work if done remotelyavailable in the Fedora repositories, unless you use an ssh tunnel so that the access appears to it must be coming from the local host). You will see the MediaWiki welcome page; click on the setup link.:# Enter the setup information for your wiki::#* Enter a name for the wiki:#* Enter your learn e-mail address as the contact information;#* Disable all e-mail features:#* Leave the database host as "localhost":#* Set up a database password:#* Get MediaWiki to set up the superuser account by checking the appropriate box downloaded and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).:# Click the "Install MediaWiki!" button.:# Once the setup is complete, you will need to move a file within the MediaWiki directory (i.e. inside <code>/var/www/wiki</code>). Refer to the directions in the confirmation web pageinstalled manually.
::'''NOTE:''' When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> * Download the latest .tar.gz version from any directly-connected machinewodpress.org into your fedora3 (use wget).*
==== Serving Personal Web Pages (Section Total: 12 Marks)====
{{Admon/tip|Tip: Customizing your WIKI|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or it is a picture you own).}}
=== D. Security with SELinux (10 Marks) ===
== About SELinux ==
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, on top of the settings that any user has configured.
SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:
$ ls -lZ
drwxr-xr-x. root root '''system_u:object_r:file_t:s0''' arm
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
-rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
[chris@muskoka ~]$ ps -Z
LABEL PID TTY TIME CMD
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps
The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.
=== SELinux Context Commands ===
There are two main commands used to set the SELinux security context of files:
# chcon - sets the security context of a file to a particular value
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code>
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code>
# restorecon - resets the default security context of a file
#* Example: reset the context of one file: <code>restorecon /etc/services</code>
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code>
You can reset the default security context of the entire system at the next boot with this command:
touch /.autorelabel
=== SELinux Booleans ===
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool ''foo''</code>
|Displays the SELinux boolean ''foo''
|-
|<code>setsebool ''foo'' ''value''</code>
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")
Use the <code>-P</code> option to make the change permanent.
|}
=== SELinux Graphical Tools ===
The ''system-config-selinux'' tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for managing SELinux booleans and more.
{{Admon/tip|Remember|Configure httpd and SELinux to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration (possibly including both booleans and SELinux context).}}
{{Admon/note|Takes Notes!|Take detailed notes of the steps you perform from this point onward -- you will need them for the wiki pages you will create later.}}
== Submitting Your Assignment ==