What is the selinux context permission

Reference no: EM133110436

Lab - SELINUX

Task 1
Install the Apache Web Server.
Install the httpd package.
The following command installs the httpd package and all of its dependencies.
$ sudo dnf install httpd
Enable and start the httpd service
To enable and start the httpd service for immediate access and make the service start automatically after a reboot, run the following command:
$ sudo systemctl enable --now httpd.service
The service starts a web server that listens on TCP port 80 by default. To check the status of the service, run this command:
$ sudo systemctl status httpd (Take a screenshot)
Configure firewall rules (Optional)
If you are using a custom firewall profile or an Oracle Cloud Infrastructure instance, open the firewall port for the Apache web service (80).
These commands enable the firewall port for the Apache web service and reload the default firewall service:
$ sudo firewall-cmd --add-service=http --permanent
$ sudo firewall-cmd --reload
Test your deployment
With your web browser, go to the domain name or IP address of your system.

The Apache web server opens the default test page.

Task 2
Install FTP Server
FTP Server : Installation
Issue the following command to install the FTP server.
# yum install vsftpd
Turn on the FTP server and make sure it starts automatically on reboot.
# service vsftpd start
# chkconfig vsftpd on
The FTP server is now installed and running. The FTP configuration files are located under the "/etc/vsftpd" directory, specifically the "/etc/vsftpd/vsftpd.conf" file. The default directory for anonymous connections is "/var/ftp". Changes to the "/etc/vsftpd/vsftpd.conf" file have to be followed by a reload or a restart of the vsftpd service.
# service vsftpd reload
# # OR
# service vsftpd restart
2.1 What is the command to check the status of ftp service? (Take a screenshot)
2.2 What is the command to enable the firewall port for the ftp service?
2.3 How do you verify that the ftp service is working? (Take a screenshot)
1. SELINUX
It has three different modes:
1. Enforcing
It denies access based on policy rules.
2. Permissive
It logs policy violations but allows the access that would otherwise be denied in enforcing mode.
3. Disabled
It completely disables Selinux.
The default configuration file to change these modes is /etc/selinux/config.
Changing Selinux Modes
To find out the current mode, run
$ getenforce
What is the output of the above command? ____________________________________
To change the mode to permissive, run the following command
$ setenforce 0
or for changing the mode from permissive to enforcing, run
$ setenforce 1
If you need to completely disable SELinux, it can be done through the configuration file:
$ vi /etc/selinux/config
and change the SELINUX field so that it reads
SELINUX=disabled
Configuring Selinux for use
Every file and process is labelled with an SELinux context that contains additional information such as the SELinux user, role, type, etc. If you are enabling SELinux for the first time, you need to fix the contexts and labels first. This process of fixing labels and contexts is known as 'relabeling'. To initiate relabeling, first go to the configuration file and change the mode to permissive.
$ cat /etc/selinux/config (Take a screenshot)
Monitoring Logs
You might have seen some errors while relabeling, or you might be getting errors while the system is up. To check that SELinux is working properly and is not blocking access to any port, application, etc., we need to monitor the logs. The log file for SELinux is /var/log/audit/audit.log, but you don't have to read the whole file to check for errors. We can use the 'audit2why' utility to check for errors in the logs; run
# audit2why < /var/log/audit/audit.log
and we will get the errors as output. If everything is fine, no output will be reported.
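What audit2why reads from the log are AVC denial records. As an added example (not part of the original lab), the shell function below groups such records by command, source type, target type, class and permissions; the sample records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials from audit.log-style lines on stdin.
# Output: "<count> <comm> <source type> -> <target type> <class> {perms}"
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        perms = comm = st = tt = cls = ""
        # Denied permissions are listed between "{" and "}".
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # A context is user:role:type:level; the type is the third field.
            if ($i ~ /^scontext=/) { split($i, s, ":"); st = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tt = t[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        seen[comm " " st " -> " tt " " cls " {" perms "}"]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real system).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000001.101:501): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/test1/public_html/index.html" dev="dm-0" ino=1301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.101:501): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000002.202:502): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/test1/public_html/about.html" dev="dm-0" ino=1302 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.303:503): avc:  denied  { read open } for  pid=2207 comm="vsftpd" path="/home/test1/upload.txt" dev="dm-0" ino=1400 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Run the summary over the constructed records.
sample_audit_log | avc_summary
```

On a live system the same function can be fed the real log, for example `avc_summary < /var/log/audit/audit.log` as root.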

Setting SELINUX Policy
An SELinux policy is a set of rules that guides the SELinux security engine. A policy defines a set of rules for a particular environment. We will now learn to change policies to allow access to our denied services.
1.1 Booleans
Booleans allow us to change parts of the policy at runtime without any knowledge of policy writing. This allows changes to be implemented without reloading or recompiling an SELinux policy.
Example:
Let's say we want to share our users' home directories over FTP for read-write access. We have already shared them, but when we try to access them, we can't see them. That's because the SELinux policy is preventing the FTP daemon from reading and writing in the user's home directory. We need to change the policy so that ftp can access home directories; to do that, we check whether any Booleans are available for this by running:
$ semanage boolean -l
It will produce a list of all available Booleans with their current status (on or off) and description. You can refine your search by adding 'grep' to find only the results related to ftp:
$ semanage boolean -l | grep tftp
and you will see the following Boolean among others:
tftp_home_dir -> off Allow ftp to read & write file in user home directory
It's turned off, so we will turn this Boolean on by using 'setsebool':
$ setsebool tftp_home_dir on
Now our tftp daemon will be able to access the user's home directory.
Note: You can also get a list of available Booleans by running "getsebool -a", but it will not show the description of each Boolean.
1.3 Comparing SELinux and Standard Linux User Identities
SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Red Hat Enterprise Linux), only a minimal number of SELinux user identities exist:
system_u - System processes
root - System administrator
user_u - All login users

Task 3
Now let's take an example to understand labelling and context in a bit more detail. Let's say we are using a web server that uses the /home/test1/public_html directory as its document directory rather than /var/www/html/. SELinux will consider this a violation of the policy, and you won't be able to view your webpage. That is because we have not set the security context associated with the html files. To check the default security context for an html file, use the following procedure:

1. Make a backup copy of /etc/httpd/conf.d/userdir.conf; edit the userdir.conf file and make the following changes (in green):
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disabled
UserDir enabled test1
UserDir disabled test2

#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory "/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>

2. Create a directory /home/test1/public_html (note: user name is test1; you may use any user name)

3. Create an index.html file in test1's directory (you may add some html code)
Note: Please make sure that /home/test1 directory has executable permissions
Modify SELINUX permissions

4. # setsebool -P httpd_enable_homedirs true
Restart the httpd daemon

5. systemctl restart httpd

6. What is the SELINUX context permission for the /home/test1/public_html directory?
# ls -lZ /home/test1/public_html
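A "403 Forbidden" in this task can come from either layer: the file permissions described in the userdir.conf comments or the SELinux type on the content. The added example below (not part of the original lab) checks both from `ls -lZ` output; the listing is constructed, and httpd_user_content_t as the expected type is an assumption about the targeted policy that can be overridden with the first argument.

```shell
#!/bin/sh
# Added example: read `ls -lZ` output on stdin and report entries that httpd
# could not serve from a public_html directory.
# Assumption: httpd_user_content_t is the type expected on this content;
# pass a different type as $1 if the local policy differs.
userdir_label_check() {
    awk -v want="${1:-httpd_user_content_t}" '
    /^[-d]/ {
        ctx = ""
        # The context is the field shaped like user:role:type:level.
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
        if (ctx == "") next
        split(ctx, c, ":")
        mode = substr($1, 1, 10)
        # DAC: the "other" read bit is character 8 of the mode string.
        if (substr(mode, 8, 1) != "r")
            print $NF ": not world-readable (" mode ")"
        # SELinux: the type is the third field of the context.
        if (c[3] != want)
            print $NF ": type " c[3] ", expected " want
    }'
}

# Constructed listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'
total 12
-rw-r--r--. 1 test1 test1 unconfined_u:object_r:httpd_user_content_t:s0 120 Mar  1 10:00 index.html
-rw-r-----. 1 test1 test1 unconfined_u:object_r:httpd_user_content_t:s0  64 Mar  1 10:05 notes.html
-rw-r--r--. 1 test1 test1 unconfined_u:object_r:user_home_t:s0           88 Mar  1 10:07 moved.html
EOF
}

# Run the check over the constructed listing.
sample_listing | userdir_label_check
```

Files moved into public_html with mv keep the label of the place they came from, which is a common source of a wrong type. A file flagged for its type can be reset to the policy default with `restorecon -v <path>`.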
