chmod permissions example linux acl
You can specify the list of permissions in two different ways. One way uses permission symbols and is referred to as the symbolic method. The other uses what is known as a “binary mask” and is referred to as either the absolute or the relative method.
Symbolic Method
The symbolic method of setting permissions uses the characters r, w, and x for read, write, and execute, respectively. Any of these permissions can be added or removed. The symbol to add a permission is the plus sign, +. The symbol to remove a permission is the minus sign, -.
chmod: File Permissions in Symbolic Method
Symbol | Description |
r | Read |
w | Write |
x | Execute (also gives permission to change into a directory) |
X | Execute only if it is a directory or has execute permission for some user |
s | Set user or group ID on execution |
t | Sticky bit |
u | Permissions granted to the user who owns the file |
g | Permissions granted to users in the file's group |
o | Permissions granted to other users (neither the owner nor members of the file's group) |
r w x permissions
The first three (r, w, x) are clear. Use them to set read, write, and execute permissions.
s permission
The s permission is used on directories to keep the user or group ID for files created in the directory. To set the user ID for any new files created in the directory to the owner of the directory, use the chmod u+s <directory> command. To set the group ID for any new files created in the directory to the directory's group, use the chmod g+s <directory> command.
t permission
t is a special permission which provides greater security on directories. The sticky bit is used on directories to protect the files within them. Files in a directory with the sticky bit set can only be deleted or renamed by the root user, the owner of the file, or the owner of the directory.
Sticky Bit Permission Using Symbols
The sticky bit permission symbol is t. The sticky bit shows up as a t in the execute position of the other permissions. A program with read and execute permissions for others and the sticky bit has those permissions displayed as r-t.
# chmod +t /home/vinita/account_detail
# ls -l /home/vinita/account_detail
-rwxr-xr-t 1 root root 4096 /home/vinita/account_detail
u g o permission
The last three (u, g, o) are only used with the = operator to set the permissions of the owner, group, or others equal to the existing permissions of the owner, group, or others. For example, chmod g=u [filename] sets the group permissions to the current permissions of the file's owner.
Examples of symbolic method
Absolute Permissions: Binary Masks
The absolute method changes all the permissions at once, instead of specifying one or the other. It uses a binary mask that references all the permissions in each category.
Binary Masks
When dealing with a binary mask, you need to specify three digits, one for each of the three categories, each encoding that category's permissions. This makes a binary mask less flexible than the permission symbols.
Digit | Permission |
0 | none |
1 | execute |
2 | write |
4 | read |
3 (1+2) | write and execute |
5 (1+4) | read and execute |
7 (1+2+4) | read, write, and execute |
Value | Meaning |
777 | (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting. |
755 | (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users. |
700 | (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others. |
666 | (rw-rw-rw-) All users may read and write the file. |
644 | (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change. |
600 | (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private. |
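The two notations above describe the same twelve mode bits, and the symbolic form is easiest to understand by seeing how each clause is turned into bits. The following model of chmod's symbolic parsing is an added example written for this page, not part of the original article or of GNU chmod: apply_symbolic() applies a spec such as u+x, g=u or ugo+rwxs to a starting mode, and render() prints the result the way ls -l shows it, including the s and t letters in the execute positions. It deliberately ignores umask and the conditional X, which real chmod also honours.

```python
import stat

# Shift that moves each class's rwx triplet down to the low three bits.
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
PERM_VALUE = {"r": 4, "w": 2, "x": 1}
# The special bit that ls -l shows in each class's execute position.
SPECIAL_BIT = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}


def apply_symbolic(spec, mode):
    """Apply a chmod-style symbolic spec (e.g. 'u+x,g=u,o-rwx') to mode.

    Supports the letters r, w, x, s, t and the copy form 'g=u'. As with
    chmod, an empty or 'a' class list means all three classes. This model
    ignores umask and does not implement the conditional X.
    """
    mode &= 0o7777
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = set(clause[:i].replace("a", "ugo") or "ugo")
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError("bad clause: %r" % clause)
        op, perms = clause[i], clause[i + 1:]

        bits = 0
        if perms in CLASS_SHIFT:               # copy form, e.g. g=u
            src = (mode >> CLASS_SHIFT[perms]) & 7
            for cls in who:
                bits |= src << CLASS_SHIFT[cls]
        else:
            for p in perms:
                if p in PERM_VALUE:
                    for cls in who:
                        bits |= PERM_VALUE[p] << CLASS_SHIFT[cls]
                elif p == "s":                  # setuid for u, setgid for g
                    if "u" in who:
                        bits |= stat.S_ISUID
                    if "g" in who:
                        bits |= stat.S_ISGID
                elif p == "t":                  # sticky bit
                    bits |= stat.S_ISVTX
                else:
                    raise ValueError("unsupported permission %r" % p)

        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                                   # '=' replaces the named classes
            cleared = 0
            for cls in who:
                cleared |= (7 << CLASS_SHIFT[cls]) | SPECIAL_BIT[cls]
            mode = (mode & ~cleared) | bits
    return mode


def render(mode):
    """Nine-character permission string as shown by ls -l (e.g. rwsr-xr-t)."""
    out = []
    for cls in "ugo":
        triplet = (mode >> CLASS_SHIFT[cls]) & 7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        letter = "t" if cls == "o" else "s"
        if mode & SPECIAL_BIT[cls]:
            # Upper case means the special bit is set without execute.
            out.append(letter if triplet & 1 else letter.upper())
        else:
            out.append("x" if triplet & 1 else "-")
    return "".join(out)


if __name__ == "__main__":
    for spec, start in [("u+x", 0o644), ("g=u", 0o750), ("+s", 0o755), ("o+t", 0o777)]:
        new = apply_symbolic(spec, start)
        print("chmod %-5s on %s -> %s (%04o)" % (spec, render(start), render(new), new))
```

Feeding the article's own commands through it (chmod +s on a 755 file, chmod o+t on a 777 directory, chmod ugo+rwxs on a fresh directory) reproduces the rwsr-sr-x, rwxrwxrwt and rwsrwsrwx listings used later on this page.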
Default Permissions: umask
Whenever you create a file or directory, it is given default permissions. You can display the current defaults or change them with the umask command. The permissions are displayed in binary or symbolic format. The default permissions include any execute permissions that are applied to a directory. Execute permission for a file is turned off by default when you create it, because standard data files do not use the executable permission (to make a file executable, such as a script, you have to set its execute permission manually). To display the current default permissions, use the umask command with no arguments. The -S option displays them in the symbolic format:
# umask -S
u=rwx,g=rx,o=rx
You can set a new default by specifying permissions in either symbolic or binary format. To specify the new permissions symbolically, use the -S option. The following example denies others read permission while allowing user and group read access, which results in permissions of rwxr-x---:
# umask -S u=rwx,g=rx,o=
The following examples show the masks for the permission defaults rwx, rx, and rx (rw, r, and r for files), and for the rwxr-x--- default set above:
# umask 0022
# umask 0027
Change in umask from RHEL6
From RHEL6, no matter what the value of umask, new files can no longer be automatically created with executable permissions. For example, a umask value of 0454 leads to identical permissions on new files as a umask value of 0545. You need to use commands such as chmod to set executable permissions on a specific file. The default value of umask is set in the /etc/bashrc file.
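To make the umask arithmetic concrete, here is an added example (written for this page, not taken from the article) that converts the symbolic form printed by umask -S into the octal mask, predicts what a new file and a new directory will get, and then actually creates both in a scratch directory under that umask and reads back the modes the kernel assigned. It also shows why the article's 0454 and 0545 example gives identical file permissions: files start from 666, so the execute column of the mask never matters for them.

```python
import os
import stat
import tempfile

CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
PERM_VALUE = {"r": 4, "w": 2, "x": 1}


def symbolic_to_umask(text):
    """Convert 'umask -S' output such as 'u=rwx,g=rx,o=' to the octal mask.

    The symbolic form lists the permissions that are kept; the mask is the
    inverse, i.e. the bits that are taken away.
    """
    allowed = 0
    for clause in text.split(","):
        cls, _, perms = clause.partition("=")
        for p in perms:
            allowed |= PERM_VALUE[p] << CLASS_SHIFT[cls]
    return 0o777 & ~allowed


def expected_modes(umask):
    """Permissions a new file and a new directory receive under umask.

    Files start from 666 (never executable), directories from 777.
    """
    return 0o666 & ~umask & 0o777, 0o777 & ~umask & 0o777


def create_under_umask(umask):
    """Create a file and a directory under the given umask in a scratch
    directory and return the modes the kernel actually assigned."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            file_path = os.path.join(scratch, "data.txt")
            dir_path = os.path.join(scratch, "subdir")
            # 0o666 is what ordinary programs request for a new data file.
            fd = os.open(file_path, os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)
            os.mkdir(dir_path, 0o777)
            return (stat.S_IMODE(os.stat(file_path).st_mode),
                    stat.S_IMODE(os.stat(dir_path).st_mode))
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for text in ("u=rwx,g=rx,o=rx", "u=rwx,g=rx,o="):
        mask = symbolic_to_umask(text)
        print("%-16s -> umask %04o, file %03o, dir %03o" % ((text, mask) + expected_modes(mask)))
    print("0454 vs 0545 on files: %03o vs %03o" % (expected_modes(0o454)[0], expected_modes(0o545)[0]))
    print("kernel under 0027:", tuple("%03o" % m for m in create_under_umask(0o027)))
```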
Chmod Example
In this article we will practically implement what you have learnt so far about file permissions. This article is a sequel to the last article; if you missed it, we suggest you review it before going through this one.
Create three users, a, b and c, without passwords. Use a for loop instead of creating them separately. You learnt about this in our advanced user management assignments.
# for user in a b c
> do
> useradd $user
> passwd -d $user
> done
Now create a group named example and add users a and b to it.
# groupadd example
# usermod -G example a
# usermod -G example b
Now create a test directory on the root partition and change its ownership to user a and its group to example.
Now log on in three separate terminals as these users.
From root, set the permissions to
# chmod 700 /test
This will set permissions to
- owner a: full
- group example (a, b): none
- other (c): none
$ cd /test
$ cat > a_file
This is a file of user a
$ ls a_file
User a will be able to do all three tasks (read, write, execute), as the owner has all three permissions. Now try to change to the /test directory as user b. It will be denied, because user b is in the example group and the group has no permissions.
Now try to change to the /test directory as user c. It will also be denied, because user c is "other" for this directory and other has no permissions.
# chmod 710 /test
This will give full permission to owner a and execute to b (b is in the group of a, which is example). User c (other) still has no permissions.
To verify, try to change directory to /test as user b. It will succeed, but b will not be able to list the contents of the directory.
$ cd /test
$ ls
Also verify the permissions of c (other) by changing directory to /test:
$ cd /test
# chmod 751 /test
This will give full permission to owner a, and read and execute to b (b is in the group of a, which is example). User c (other) now has execute permission.
To verify, try to list /test as user b. It will succeed, but b will not be able to write in the directory.
$ ls
$ cat > b_file
Also verify the permissions of c (other) by changing directory to /test:
$ cd /test
$ ls
Now change the permissions from root to
# chmod 775 /test
This will give full permission to owner a and to b (b is in the group of a, which is example). User c (other) now has read and execute permissions.
To verify, try to make a new file in /test as user b. It will succeed.
$ cd /test
$ ls
$ cat > b_file
This file is created by b
Also verify the permissions of c (other) by listing the /test directory:
$ cd /test
$ ls
Now change the permissions from root to
# chmod 777 /test
This will give full permission to owner a, to b, and to c. User c (other) now has full permissions.
To verify, make a file as user c:
$ cat > c_file
This file is created by user c
How to set the sticky bit
Ownership issue
In some cases you want to grant permission to other users while keeping ownership to yourself.
s permission
The s permission is used to deal with this situation. The s option is used to add both user ID and group ID permission to a file.
The following example adds user ID permission to the pppd program, which is owned by the root user. When an ordinary user runs pppd, the root user retains ownership, allowing the pppd program to change root-owned files.
# chmod +s /usr/sbin/pppd
# ls -l /usr/sbin/pppd
-rwsr-sr-x 1 root root 18666 Jan 12 12:48 /usr/sbin/pppd
Sticky Bit Permissions
The sticky bit is used on directories to protect the files within them. Files in a directory with the sticky bit set can only be deleted or renamed by the root user, the owner of the file, or the owner of the directory.
Sticky Bit Permission Using Symbols
The sticky bit permission symbol is t. The sticky bit shows up as a t in the execute position of the other permissions. A program with read and execute permissions for others and the sticky bit has those permissions displayed as r-t.
# chmod +t /home/vinita/data
# ls -l /home/vinita/data
-rwxr-xr-t 1 root root 4096 /home/vinita/data
Sticky Bit Permission Using the Binary Method
As with the s permission, for sticky bit permissions you add another octal digit in front of the three permission digits. The octal digit for the sticky bit is 1 (001). The following example sets the sticky bit for the data directory:
# chmod 1755 /home/vinita/data
The next example sets both the set-user-ID bit (4) and the sticky bit (1) in that leading digit, giving 5:
# chmod 5755 /usr/bin/newprogs
# ls -l /usr/bin/newprogs
drwsr-xr-t 1 root root 4096 /usr/bin/newprogs
Sticky bit example of practical implementation
USER ID and GROUP ID Permissions
To understand the sticky bit and user permissions in more depth, let's take an example. Create two users named vinita and nikita, and an example directory on the root partition.
# useradd vinita
# passwd -d vinita
# useradd nikita
# passwd -d nikita
# mkdir /example
As the example directory is created by root, the owner and group of this directory will be root. By default, the permissions and root ownership will be inherited by all other objects created in this directory. Now we will use the symbolic method to address the ownership issue on this directory.
# chmod ugo+rwxs /example
# ls -ld /example
As you can see in the output, the s bit is set in the owner and group fields, which will automatically set the owner and group of new files to their respective owner and group. To verify, log in as user nikita, change directory to /example and create a file.
$ cd /example
$ cat > nikita_file
This is the file of nikita
$ ls -l
As you can see, the owner field is set to user nikita.
Now create a file as user vinita.
$ cd /example
$ cat > vinita_file
This is file of Vinita
$ ls -l
Now you understand what the s bit does in the chmod command. This is the best option when users are working on some shared project, as they will get ownership of their files automatically.
Implementation of sticky bit
But this could create another problem. A user can accidentally or intentionally delete other users' files and folders, as all users have full permission on this shared folder. Go to the terminal where user vinita is logged in and delete the file of nikita. To control this behaviour, switch to the root user and set the sticky bit on the /example folder.
# chmod o+t /example
# ls -ld /example
The sticky bit is defined by the t option. As you can see in the output, other has the t bit set in its field. Now only the owner of a file and the root user can delete files in this folder.
To verify, switch to user vinita again and try to delete the files of nikita. This time it will not succeed.
To remove the sticky bit, use the minus sign.
# chmod o-t /example
Now vinita can delete the files owned by nikita. Verify it.
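The shared-folder problem shown above (a 777 directory without t, so any user can delete another user's files) is also something an administrator wants to detect across a whole tree, not just fix by hand. The following audit is an added example written for this page, not code from the article: it walks a tree, reports directories that are world-writable but lack the sticky bit, and offers the chmod o+t equivalent as a fix. build_demo_tree() constructs a scratch layout with one directory at 777 and one at 1777 so the check can be run offline.

```python
import os
import stat
import tempfile


def unprotected_shared_dirs(root):
    """Return directories under root that are world-writable without the
    sticky bit: in such a directory any user can delete or rename files
    that belong to other users."""
    found = []
    for dirpath, _, _ in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
            found.append(dirpath)
    return sorted(found)


def protect(dirpath):
    """Add the sticky bit, the equivalent of 'chmod o+t dirpath', keeping
    the other permission bits as they are."""
    mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
    os.chmod(dirpath, mode | stat.S_ISVTX)


def build_demo_tree():
    """Constructed layout for the demo: one shared directory with the
    permissions from 'chmod 777' and one from 'chmod 1777'."""
    root = tempfile.mkdtemp(prefix="sticky_demo_")
    open_dir = os.path.join(root, "shared_open")
    sticky_dir = os.path.join(root, "shared_sticky")
    os.mkdir(open_dir)
    os.chmod(open_dir, 0o777)
    os.mkdir(sticky_dir)
    os.chmod(sticky_dir, 0o1777)
    return root, open_dir, sticky_dir


if __name__ == "__main__":
    root, open_dir, sticky_dir = build_demo_tree()
    print("before:", unprotected_shared_dirs(root))   # only shared_open is reported
    protect(open_dir)
    print("after: ", unprotected_shared_dirs(root))   # nothing left to report
```

Run against a real path such as /example from the walkthrough, unprotected_shared_dirs() lists exactly the directories that still need chmod o+t.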
Linux ACL Example
However, when these basic file permissions are not enough, access control lists, or ACLs, can be used on a Linux file system. ACLs expand the basic read, write, and execute permissions to more categories of users and groups.
Before you start configuring ACLs, you need to enable ACL support on the filesystem. For testing we will implement ACLs on the /home partition.
Check current status of ACL
To confirm whether the /home directory is mounted with the acl option, run the mount command alone, without switches or options.
If the directory is mounted with acl, it will show in the output. As the output shows, acl is not configured on this directory, so first we need to remount it with ACL support.
Remount partition with ACL
Use the following command to remount the partition with ACL support.
To make sure this is the way /home is mounted on the next reboot, edit /etc/fstab.
Locate the partition entry, add the acl keyword just after the defaults keyword, separated by a comma, and save the file.
Once the change is made to /etc/fstab, you can activate it with the following command:
# mount -o remount /home
Now you can start working with ACL commands to set secondary access controls on the desired files and directories.
In addition to permissions for the owner and group of the file, ACLs allow permissions to be set for any user, any user group, and all users not in the file's group.
Consider a situation where you want to grant write permission to only two users from a group of ten users. If you set the permission with chmod, all other users in the group will get write access on the file. In such a situation ACLs work.
Categories of ACLs
There are four categories of ACLs per file:
- For an individual user,
- For a user group,
- Via the effective rights mask,
- For users not in the user group associated with the file.
getfacl <file>
# file: accounts
# owner: Shweta
# group: Shweta
user::rwx
group::r-x
mask::rwx
other::---
To understand ACLs more clearly, let's take a simple example.
Create three users named Shweta, Vinita and Niddhi:
# for USER in Shweta Vinita Niddhi
> do
> useradd $USER
> passwd -d $USER
> done
Now make them members of the goswami group:
# groupadd goswami
# usermod -G goswami Shweta
# usermod -G goswami Vinita
# usermod -G goswami Niddhi
Now create an /example directory and change its ownership to Shweta:
# mkdir /example
# chown Shweta /example
Now log on as Shweta on another terminal and create a folder:
$ cd /example
$ mkdir accounts
Now Shweta wants to grant write permission only to Vinita. Niddhi would also get write access on the directory if Shweta set write permission on the group, as she is also a member of the goswami group. So Shweta will use an ACL to grant write access to Vinita.
$ setfacl -m u:Shweta:rwx accounts
$ setfacl -m u:Vinita:rwx accounts
$ setfacl -m other:--- accounts
$ getfacl accounts
To verify, execute the getfacl command on the accounts folder.
As you can see in the output, users Shweta and Vinita have full permission over the accounts folder. All other users except Shweta and Vinita have no permission over the accounts folder. To verify this ACL, log in as Vinita on another terminal and change directory to /example.
Now make a test directory in the accounts folder. It should be successful, as user Vinita has full permission over the accounts folder.
Now go to another terminal, log in as user Niddhi and change directory to /example.
Try to change directory to accounts. She will be denied, as she has no permission over accounts.
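The "effective rights mask" category listed above is the part of an ACL that most often surprises people: a named user entry such as user:Vinita:rwx is capped by the mask entry, so if the mask is r-x Vinita still cannot write, and getfacl marks the line with #effective:r-x. The following parser is an added example written for this page, not the article's code; SAMPLE_GETFACL is constructed to mirror the scenario above (owner Shweta, named user Vinita) but with the mask deliberately narrowed to r-x so the effect is visible. effective_permissions() applies the mask exactly where the kernel does: to named users, the owning group and named groups, but not to the owner or to other.

```python
PERM_VALUE = {"r": 4, "w": 2, "x": 1}

# Constructed sample: the accounts directory from the walkthrough, after
# setfacl, but with a mask of r-x instead of rwx.
SAMPLE_GETFACL = """\
# file: accounts
# owner: Shweta
# group: Shweta
user::rwx
user:Vinita:rwx
group::r-x
mask::r-x
other::---
"""


def perms_to_bits(perms):
    return sum(v for c, v in PERM_VALUE.items() if c in perms)


def bits_to_perms(bits):
    return "".join(c if bits & v else "-" for c, v in (("r", 4), ("w", 2), ("x", 1)))


def parse_getfacl(text):
    """Parse getfacl output into a header dict and a list of (tag, qualifier, perms)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()   # drop getfacl's own "#effective:" note
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return header, entries


def effective_permissions(text):
    """Return {entry: effective perms}. Named users, the owning group and
    named groups are capped by the mask; the owner and 'other' are not."""
    _, entries = parse_getfacl(text)
    mask = 7
    for tag, _, perms in entries:
        if tag == "mask":
            mask = perms_to_bits(perms)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        bits = perms_to_bits(perms)
        capped = tag == "group" or (tag == "user" and qualifier != "")
        key = tag + ":" + qualifier if qualifier else tag + "::"
        result[key] = bits_to_perms(bits & mask if capped else bits)
    return result


def writers(text):
    """Entries that can actually write once the mask is applied."""
    return sorted(k for k, p in effective_permissions(text).items() if "w" in p)


if __name__ == "__main__":
    for entry, perms in effective_permissions(SAMPLE_GETFACL).items():
        print("%-14s %s" % (entry, perms))
    print("can write:", writers(SAMPLE_GETFACL))
```

Note that setfacl -m recalculates the mask by default, which is why the article's sequence works; the mask only bites after an explicit setfacl -m m::r-x or a chmod that changes the group bits (the group bits of a file with an ACL are the mask).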
Linux chattr commands
Attribute | Keyword | Description |
append only | (a) | Prevents deletion, but allows appending to a file |
no dump | (d) | Disallows backups of the configured file with the dump command. |
extent format | (e) | Set with the ext4 filesystem; an attribute that cannot be removed. Does not work on an ext3 filesystem. |
immutable | (i) | Prevents deletion or any other kind of change to a file. |
indexed | (I) | Set on directories for indexing with hashed trees; an attribute that cannot be removed. |
# chattr [operator] [switch] [file name]
-R
Recursively change attributes of directories and their contents. Symbolic links encountered during recursive directory traversal are ignored.
+a
A file with the 'a' attribute set can only be opened in append mode for writing. Only the superuser can set or clear this attribute.
+i
A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.
Let's take a simple example.
Create a file as the root user, set full permission on this file with chmod, and verify it:
# cat > test
This test file
# chmod 777 test
# ls -l
Now secure this file with the +i option:
# chattr +i test
# chattr +a test
To secure an entire directory, use the -R switch. A directory secured with the -R option can be reset only with the -R switch.
How to refuse a local login
Example Question:
You are the administrator of the example.com domain. Configure the server to deny local login to all normal users on your domain server, and allow root to log in only on the first terminal. To accomplish this task, follow this step-by-step guide.
Log in as the root user and run these commands:
# touch /etc/nologin
# vi /etc/securetty
If the /etc/nologin file exists, the PAM module pam_nologin denies local login to all non-root users, as you can see in the third line of the /etc/pam.d/login file.
We have made the necessary changes in the configuration files. Now the root user can log in locally only from terminal 1. All other users are denied local login. Root can use only terminal 1; he will be denied local login, like the other users, if he tries to log in from any terminal other than terminal 1.
You can verify it by logging in as a normal user on any locally available terminal.
Now that you have successfully accomplished the task given to you, it is a good habit to remove all the changes you have made.
First remove the /etc/nologin file.
Remove all the comments you placed in /etc/securetty.
How to recover the root password in Linux
How to recover the root password
Restart the system. At the beginning of the boot process it should be counting down and say: "Press any key to enter the menu". Hit any key. You will now see the GRUB menu showing the current Linux version. Press e to edit.
On the next GRUB menu you will get three options. Select the second (kernel) option and hit e to edit the boot kernel options.
You can now edit the main kernel options; add either single or even just 1 at the end, and press Enter.
Once you have completed that, hit Enter, then b for boot.
You are now in single user mode and are automatically logged in as root.
Now you should be allowed to change your root password. Change the root password and reboot the system.
Now you can log in with the new password.
How to secure the GRUB bootloader
You can easily set a password for the GRUB bootloader. Do not do it in the exam unless you are asked to. This is only for your knowledge, or for when you are in a practical environment and want to secure the GRUB bootloader. This password prevents users from entering single user mode or changing settings at boot time. This option forces GRUB to ask for a password before making any changes or entering single user mode. You need to type p followed by the password.
We will do this on the graphical screen, as we need to copy and paste the MD5 hash. On the graphical screen you can easily do it with the mouse's right-click menu.
Log in as root and open two terminals. On the first terminal type grub-md5-crypt and press Enter, then type the password and press Enter, then retype the password and press Enter. It will generate the password hash.
Now on the second terminal open /etc/grub.conf.
We need to enter the MD5 password just under the default value line; locate default 0.
Now go to the first terminal and copy the MD5 hash.
Paste it just under the default 0 line.
Save the file with the password.
Now reboot the system.
Try to change the root password again with the same method. On the GRUB menu screen you will see the difference: this time there is no edit option. This time you need to press p and give the password.
Press p and try with a wrong password.
Now give the correct password.
You can remove the GRUB password. To do so, log in as root and remove the password --md5 line which we added to /etc/grub.conf.
Understanding iptables fundamentals
Understanding iptables
- An iptables table contains chains.
- Chains are groups of rules.
- There are five predefined chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.
Table | Table Function | Chain | Chain Function |
Filter | Packet filtering | INPUT | Incoming to firewall. For packets coming to the local server. |
Filter | Packet filtering | OUTPUT | Filters packets originating from the firewall. |
Filter | Packet filtering | FORWARD | Packet for another NIC on the local server. For packets routed through the local server. |
Nat | Network Address Translation | PREROUTING | Packets enter this chain before a routing decision is made. |
Nat | Network Address Translation | POSTROUTING | The routing decision has been made. Packets enter this chain just before they are handed off to the hardware. |
Nat | Network Address Translation | OUTPUT | NAT for locally generated packets on the firewall. |
Mangle | TCP header modification | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Modification of the TCP packet quality-of-service bits before routing occurs. |
IPTABLES RULES PROCESSING FLOW
- Rules are processed from top to bottom.
- Once a rule's criteria match, no further processing is done; the packet goes to the rules specified in the target, or the special value mentioned in the target is executed.
- If the criteria do not match, processing moves on to the next rule.
- At the end of the list the default value is ACCEPT, so a packet that does not meet any criteria is passed.
Target Values
Following are the possible special values that you can specify in the target.
- ACCEPT – The firewall will accept the packet. Default value.
- DROP – The firewall will drop the packet. No message is sent back to the packet's sender.
- REJECT – The firewall will reject the packet. A courtesy message is sent back to the packet's sender.
- The filter table is the default table.
- A table contains chains.
- Chains are groups of rules.
- Rules have three target values: ACCEPT, REJECT, DROP.
- Rules in a chain are processed from top to bottom.
- In list processing, once criteria match, the packet goes to the rule's specified target and no further processing is done.
- At the end of the list the default value is ACCEPT.
iptables -t tabletype [action direction] [packet pattern] -j [what to do]
There are three tabletype options for iptables: filter, nat, mangle.
action direction
There are four basic actions associated with iptables rules:
- -A Appends a rule to the end of a chain.
- -D Deletes a rule from a chain. Specify the rule by its number.
- -L Lists the currently configured rules in the chain.
- -F Flushes all of the rules in the current iptables chain.
packet pattern
The firewall checks packets against this pattern:
- -s ip_address Packets are checked for a specific source IP address.
- -d ip_address Packets are checked for a specific destination IP address.
Once the iptables command finds a packet pattern match, it needs to know what to do with that packet, which leads to the last part of the command, -j. There are three basic options:
- DROP The packet is dropped. No message is sent to the requesting computer.
- REJECT The packet is dropped. An error message is sent to the requesting computer.
- ACCEPT The packet is allowed to proceed as specified with the -A action: INPUT, OUTPUT, or FORWARD.
How to use iptables commands
- How to check the iptables rpm
- How to check the iptables service
- How to review current rules
- How to add a rule to an iptables chain
- How to add a rule at a specific location in the iptables rules
- How to delete a rule from the list
- How to clear tables in iptables
How to check the iptables rpm
The iptables rpm is integrated with RHEL; you do not need to install it separately. Still, you should know how to check the iptables rpm installation. To check the rpm installation of iptables, use the rpm -qa iptables command. If the output shows the rpm name with its version, the rpm is installed.
How to check the iptables service
The second step is checking the service. The iptables service may not be running; make sure to start it. The iptables service operates from the /etc/init.d/iptables script; you can start, stop and restart iptables from there. You will lose all running rules if you restart the script. To make sure the firewall is running after the next reboot, run the following command:
# chkconfig iptables on
How to list all tables in iptables
If the iptables command is running, you can check the running tables with the iptables command.
How to restore iptables
The rules used by a Red Hat firewall are based on the /etc/sysconfig/iptables file. You should not make direct entries in this file. During exam practice you may need to change this file. You should always take a backup first before making any change in this file. Use the cp command for the backup instead of the mv command. If you make any mistake during practice, you can restore it with the iptables-restore command.
How to review current rules
To review the current rules, use the iptables -L command. Its output contains the following fields:
- target – Special target value
- prot – Protocol, for example tcp, udp, icmp, etc.
- opt – Special options for that specific rule.
- source – Source IP address of the packet
- destination – Destination IP address for the packet
You can even filter the result by chain.
How to add a rule to an iptables chain
To add a rule to iptables, use the following command. Check our previous article for the details of the command; there we broke the command down with a detailed description.
How to add a rule at a specific location in the iptables rules
By default new rules are added at the bottom of the chain. If you want to add a new rule above the last rule, or at any specific location in the list, pass the location number in the command. For example, we have added the new rule at the top of the list in the above command.
How to delete a rule from the list
To delete a rule from the list, use the rule's location number in the list. For example, to delete the second rule from the list, use the following command.
How to clear tables in iptables
During practice you need to clear the iptables rules several times; to remove the current rules use the -F switch, which flushes all the rules.
iptables example linux
Lab setup
In this practice we will use three systems with the following details.
System 1:
- OS: Linux server
- Hostname: server.example.com
- IP address: 192.168.1.1
- Services: sshd, vsftpd
The services must be running on the server.
System 2:
- OS: Linux client
- Hostname: client.example.com
- IP address: 192.168.1.50
System 3:
- OS: Windows Server 2003
- Hostname: 192.168.1.100
- PuTTY: software to connect over SSH or FTP.
You can use any other systems for testing purposes in place of system 2 and system 3.
All three systems must be able to ping each other before you start configuring the firewall.
Make sure to flush old rules before we create new rules.
How to block ICMP echo requests from a host
We will block ICMP echo requests from system2. From system2, ping the server. Now on the server add the following rule to block system2 for ICMP echo.
Now test from system2.
We have blocked only system2, so we can still ping from system3.
How to block FTP access
Now we will block FTP access. We are running the vsftpd service on the server. Try to connect from system3. On the server, create a rule to block FTP access for system3.
Now try to connect again from system3.
How to block SSH
Now block SSH. We are running the sshd service on the server for SSH. Try to connect from system2. On the server, create a rule to block SSH for system2.
Now try again to connect to the server on the SSH port from system2.
Now try to connect from system3; use PuTTY for it.
Click on Open to start SSH.
Only practice makes perfect, so practise until you feel comfortable with iptables.
Flush the old rules, create new rules and test the result from the client computers.
Use the /etc/services file to find the port number.
To block an entire network, use the /[subnet mask] value.
Rules to practise
To block ICMP echo requests from a specific client:
iptables -A INPUT -s 192.168.1.50 -p icmp --icmp-type echo-request -j REJECT
To block them from an entire subnet:
iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j REJECT
To block TCP services by destination port from a specific client (FTP and SSH are the services used above; look the others up in /etc/services):
iptables -A INPUT -s 192.168.1.10 -p tcp --dport 21 -j REJECT
iptables -A INPUT -s 192.168.1.10 -p tcp --dport 22 -j REJECT
iptables -A INPUT -s 192.168.1.10 -p tcp --dport 80 -j REJECT
iptables -A INPUT -s 192.168.1.10 -p tcp --dport 25 -j REJECT
Replace the IP 192.168.1.10 with the IP of the client on which you want to test the firewall.
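The processing flow described in the fundamentals section (top to bottom, first match wins, default policy when nothing matches) and the practice rules above can be checked without touching a real firewall. The following rule evaluator is an added example written for this page, not part of the article or of iptables itself; it parses the subset of iptables syntax used in the lab (-A/-I, -s, -p, --dport, --icmp-type, -j), walks a chain in order and reports which rule decided the packet. LAB_RULES are the three rules from the lab walkthrough (system2 = 192.168.1.50, system3 = 192.168.1.100) written out in full; the packets are constructed test inputs. insert_rule() models iptables -I to show why rule order matters.

```python
import ipaddress


def parse_rule(command):
    """Parse the subset of 'iptables -A CHAIN ... -j TARGET' used in the lab."""
    tokens = command.split()
    rule = {"chain": None, "src": None, "proto": None, "dport": None,
            "icmp_type": None, "target": None}
    flags = {"-A": "chain", "-I": "chain", "-p": "proto",
             "--icmp-type": "icmp_type", "-j": "target"}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "iptables":
            i += 1
        elif tok in flags:
            rule[flags[tok]] = tokens[i + 1]
            i += 2
        elif tok == "-s":                        # host or CIDR, e.g. 192.168.1.0/24
            rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif tok == "--dport":
            rule["dport"] = int(tokens[i + 1])
            i += 2
        else:
            raise ValueError("unsupported token: " + tok)
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError("rule needs a chain and a -j TARGET")
    return rule


def matches(rule, packet):
    """True when every criterion present in the rule is satisfied by the packet."""
    if rule["src"] is not None and ipaddress.ip_address(packet["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and packet.get("proto") != rule["proto"]:
        return False
    if rule["dport"] is not None and packet.get("dport") != rule["dport"]:
        return False
    if rule["icmp_type"] is not None and packet.get("icmp_type") != rule["icmp_type"]:
        return False
    return True


def evaluate(rules, packet, chain="INPUT", policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides and
    nothing after it is consulted. Returns (target, rule number), or
    (policy, None) when no rule matched."""
    number = 0
    for rule in rules:
        if rule["chain"] != chain:
            continue
        number += 1
        if matches(rule, packet):
            return rule["target"], number
    return policy, None


def insert_rule(rules, command, position=1):
    """Model 'iptables -I CHAIN position ...': the rule lands at position
    (1 = top) instead of at the bottom, so it is consulted first."""
    new = list(rules)
    new.insert(position - 1, parse_rule(command))
    return new


# The three rules from the lab walkthrough, written out in full.
LAB_RULES = [parse_rule(c) for c in (
    "iptables -A INPUT -s 192.168.1.50 -p icmp --icmp-type echo-request -j REJECT",
    "iptables -A INPUT -s 192.168.1.100 -p tcp --dport 21 -j REJECT",
    "iptables -A INPUT -s 192.168.1.50 -p tcp --dport 22 -j REJECT",
)]

if __name__ == "__main__":
    # Constructed packets: a ping and an ssh attempt from each client.
    for pkt in ({"src": "192.168.1.50", "proto": "icmp", "icmp_type": "echo-request"},
                {"src": "192.168.1.100", "proto": "icmp", "icmp_type": "echo-request"},
                {"src": "192.168.1.50", "proto": "tcp", "dport": 22},
                {"src": "192.168.1.100", "proto": "tcp", "dport": 22}):
        print(pkt, "->", evaluate(LAB_RULES, pkt))
```

Because the first match wins, an ACCEPT for the whole 192.168.1.0/24 subnet inserted at position 1 silently makes every REJECT below it unreachable; that is the mistake to look for when a rule "does not work" after an -I.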
For practice, follow this method:
- Flush all rules from the server with the iptables -F command.
- Check the status of the service on the server which you would like to practise with; for example, above I used the ftp and ssh services. The service must be running on the server.
- First connect to the server on that service without any firewall configuration; you should be able to connect from both system2 and system3.
- Now configure the firewall on the server for one PC, either system2 or system3.
- Check the effect of the firewall from the client systems: now you should not be able to connect from the system on which you have applied the firewall, but should be able to connect from the other system.
- Repeat this process until you feel comfortable.
Security Enhanced Linux: SELinux
The first objective is fundamental to SELinux:
Set enforcing/permissive modes for SELinux
The next objective requires that you understand the SELinux contexts defined for different files and processes:
List and identify SELinux file and process contexts
The next objective requires that you are able to restore the default file contexts:
Restore default file contexts
The last objective requires that you configure boolean settings:
Use boolean settings to modify system SELinux settings
In this article we will start from the fundamentals of SELinux.
Understanding SELinux
SELinux can be quite complex, so we will start from the basics. Before you start working with SELinux you should understand the terminology used in SELinux. Let's start with some of the basic concepts:
- subject: a subject is a command, process or application which wants to access a Linux file.
- object: an object is a Linux file or service.
- action: an action is what may be done by the subject to the object.
- user (take it as the subject)
- role (understand it as the object)
- domain (also known as type; this is the action)
- level (new from RHEL6; this level represents the sensitivity level of a file or directory).
Important context values for the RHCE Exam
Context | Value | Description |
User | unconfined_u | Unprotected user |
User | system_u | System user |
User | user_u | Normal user |
Role | object_r | File |
Role | system_r | Users and processes |
Domain | unconfined_t | Unprotected file or process |
- The first field you see here is system_u, which, as you can tell from the table, is a system user.
- The second field contains system_r, which again you can look up to see that it is a user or, in this case, a process.
- The third field shows sshd_t as the domain.
From the output you can see:
- user [subject]: system_u (a system user)
- role [object]: object_r (a file)
- domain [action]: etc_t
Now you have a basic understanding of SELinux contexts.
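A context string is user:role:type and, from RHEL6, an optional level that may itself contain colons (for example s0-s0:c0.c1023 on a process). The following helper is an added example written for this page, not code from the article: parse_context() splits a context into its four fields, contexts_from_ls() reads ls -Z style lines, and mislabeled() compares the type of each file against what you expect, which is exactly the list of files that restorecon (covered later in this article) would need to fix. SAMPLE_LS_Z and EXPECTED_TYPES are constructed sample data; the /var/www/html file carrying user_home_t (the usual result of moving a file out of a home directory) is the deliberately wrong entry.

```python
import re

# user:role:type[:level]; the level may itself contain colons (s0-s0:c0.c1023).
CONTEXT_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+)(?::(\S+))?$")

# Constructed sample in the 'ls -Z' layout: mode owner group context path.
SAMPLE_LS_Z = [
    "-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/fstab",
    "----------. root root system_u:object_r:shadow_t:s0 /etc/shadow",
    "-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html",
]

# Constructed expectations for the sample paths.
EXPECTED_TYPES = {
    "/etc/fstab": "etc_t",
    "/etc/shadow": "shadow_t",
    "/var/www/html/index.html": "httpd_sys_content_t",
}


def parse_context(context):
    """Split 'user:role:type[:level]' into a dict of its fields."""
    m = CONTEXT_RE.match(context)
    if not m:
        raise ValueError("not an SELinux context: %r" % context)
    user, role, type_, level = m.groups()
    return {"user": user, "role": role, "type": type_, "level": level}


def contexts_from_ls(lines):
    """Map path -> parsed context from 'ls -Z' style lines."""
    result = {}
    for line in lines:
        parts = line.split(None, 4)          # path is the fifth field, may hold spaces
        if len(parts) < 5:
            continue
        result[parts[4]] = parse_context(parts[3])
    return result


def mislabeled(lines, expected_types):
    """Return (path, actual type, expected type) for every file whose type
    differs from the expectation; these are the candidates for restorecon."""
    found = contexts_from_ls(lines)
    out = []
    for path, want in expected_types.items():
        ctx = found.get(path)
        if ctx is not None and ctx["type"] != want:
            out.append((path, ctx["type"], want))
    return out


if __name__ == "__main__":
    print(parse_context("system_u:system_r:sshd_t:s0-s0:c0.c1023"))
    for path, actual, want in mislabeled(SAMPLE_LS_Z, EXPECTED_TYPES):
        print("%s is %s, expected %s" % (path, actual, want))
```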
SELinux commands
sestatus
Shows the current status of SELinux. Options:
- -b Displays all Booleans and their statuses
- -v Provides verbose output
getenforce
Shows the enforcing status of SELinux.
setenforce
Changes the enforcing status of SELinux.
getsebool
Returns the Boolean value of a service option.
setsebool
Sets the Boolean value of a service option. Option:
- -P Makes the change persistent
chcon
Changes the context of a file, directory, or service. Options:
- -f Suppresses error messages
- -u Sets user context
- -r Sets role context
- -t Sets type context (domain)
- -R Changes recursively
- -v Provides verbose output
restorecon
Resets the context of an object. Options:
- -i Ignores files that don't exist
- -p Shows progress
- -v Shows changes as they happen
- -F Resets context
semanage
To review the status of current users, run the semanage login -l command.
listing context
To see the context of a particular file, run the ls -Z command. To check the SELinux labels associated with a service:
How to change the SELinux mode
- How to set enforcing mode for SELinux
- How to set permissive mode for SELinux
- How to disable SELinux
For SELinux the following rpms are required:
- selinux
- policycoreutils
- setroubleshoot
- selinux-policy-targeted
- selinux-policy
- libselinux
- libselinux-python
- libselinux-utils
- policycoreutils-python
- setroubleshoot-server
- setroubleshoot-plugins
rpm -qa | grep selinux
rpm -qa | grep policycoreutils
rpm -qa | grep setroubleshoot
How to check that SELinux is running
To determine the current status of SELinux, use the sestatus command. As suggested in the RHCSA objectives, you need to know how to "Set enforcing or permissive modes for SELinux." There are three available modes for SELinux: enforcing, permissive, and disabled.
Mode | Description |
disabled | SELinux is turned off and does not restrict any action. |
permissive | In permissive mode any SELinux security violation is only logged; it means that in permissive mode the security violation is not stopped. |
enforcing | In enforcing mode any SELinux security violation is logged and the violating operation is stopped. Any action that violates an SELinux rule is denied. |
Configuring SELinux
You can change the mode in which SELinux operates by changing the config file. The main config file is /etc/selinux/config. Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config.
Open the configuration file.
Set the mode to permissive and save the file.
Now reboot the system.
During the next boot, file systems are labeled. The labeling process labels all files with an SELinux context. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode.
After the reboot you can verify that the system is in permissive mode.
Before changing to enforc­ing mode, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot.
If SELinux did not deny actions during the last boot, this command does not return any output.
If there were no denial messages in /var/log/messages, open the /etc/selinux/config file
and configure SELINUX=enforcing in /etc/selinux/config:
Reboot your system.
After the reboot, confirm that the getenforce command returns Enforcing:
Or you can use the sestatus command.
Disabling SELinux is straightforward:
Open the configuration file.
Change the mode to disabled in the configuration file.
Reboot the system.
After the reboot, confirm the status.
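The permissive-then-enforcing procedure above has two checks that are easy to get wrong by hand: reading the real SELINUX= line rather than the commented example lines in /etc/selinux/config, and confirming the log is free of "SELinux is preventing" messages before switching. The following preflight helper is an added example written for this page, not the article's code: configured_mode() and set_mode() edit only the live SELINUX= line, denials() is the grep from the text, and safe_to_enforce() combines them. SAMPLE_CONFIG follows the standard layout of the RHEL config file; SAMPLE_LOG is constructed and contains one denial so the negative case is visible.

```python
import re

MODES = ("enforcing", "permissive", "disabled")
# Only the live assignment line; comment lines such as "# SELINUX= can take..."
# and the separate SELINUXTYPE= line do not match.
MODE_LINE = re.compile(r"^[ \t]*SELINUX[ \t]*=[ \t]*(\w+)[ \t]*$", re.MULTILINE)

# Constructed sample following the standard /etc/selinux/config layout.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

# Constructed /var/log/messages excerpt with a single denial in it.
SAMPLE_LOG = """\
Jun  1 10:00:01 server kernel: SELinux:  Initializing.
Jun  1 10:00:07 server setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html.
Jun  1 10:00:09 server sshd[1234]: Server listening on 0.0.0.0 port 22.
"""


def configured_mode(config_text):
    """Mode set by the SELINUX= line of /etc/selinux/config."""
    m = MODE_LINE.search(config_text)
    if not m or m.group(1) not in MODES:
        raise ValueError("no valid SELINUX= line found")
    return m.group(1)


def set_mode(config_text, mode):
    """Return the config with SELINUX= rewritten; every other line is untouched."""
    if mode not in MODES:
        raise ValueError("unknown mode: " + mode)
    if not MODE_LINE.search(config_text):
        raise ValueError("no SELINUX= line to rewrite")
    return MODE_LINE.sub("SELINUX=" + mode, config_text, count=1)


def denials(log_text):
    """Lines that grep "SELinux is preventing" /var/log/messages would print."""
    return [line for line in log_text.splitlines() if "SELinux is preventing" in line]


def safe_to_enforce(config_text, log_text):
    """The article's preflight: currently permissive and no denials logged."""
    return configured_mode(config_text) == "permissive" and not denials(log_text)


if __name__ == "__main__":
    print("configured:", configured_mode(SAMPLE_CONFIG))
    print("denials:", denials(SAMPLE_LOG))
    print("safe to enforce:", safe_to_enforce(SAMPLE_CONFIG, SAMPLE_LOG))
    print(set_mode(SAMPLE_CONFIG, "enforcing"))
```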