Security-Enhanced Linux (SELinux) - (3)



We are now entering the last session on SELinux at RHCSA level. Before starting, you need to remember the following.

Installing a service

  • yum install httpd
  • systemctl enable httpd.service
  • systemctl start httpd.service
  • systemctl status httpd 
  • rpm -qa | grep httpd

SELinux mode

  • sestatus
  • vim /etc/sysconfig/selinux 
  • reboot
After installing the httpd service, open Firefox and type localhost. The Welcome page will then be loaded.
The root directory is /var/www/html. Here you need to create a file named index.html. You can use the touch or vim commands. For example,
  • cd /var/www/html
  • vim index.html
You will then get an index.html file to edit. The /var/www/html path is used because it is defined as the root directory in /etc/httpd/conf/httpd.conf.
After creating the index.html file, save it and restart the httpd service.
  • systemctl restart httpd.service
------------------------------------------------------------------------------------------------------------------
First check the SELinux status. If it is disabled, you can make changes in /etc/sysconfig/selinux to enable SELinux. rpm -qa | grep httpd is used to check whether httpd-related packages are installed.
Then install the httpd service using yum install httpd.
Once that completes successfully, the httpd service is installed.
Then check the status of the httpd service. Currently it is in the inactive state, so we need to convert it to the active state.
Use systemctl enable httpd.service to enable the service. If you do not, you need to start it manually after every reboot.
Then start the httpd service using systemctl start httpd.service.
Type systemctl status httpd.service to check its status. Now it is in the active (running) state.
Then type firefox to open the Firefox browser.
Then type localhost in the search bar. You will then receive the test page. This page loads because there is no file in the default file path: there is no file called index.html in /var/www/html. That path is defined in the /etc/httpd/conf/httpd.conf file.
In that file you can see how the document root is set to /var/www/html.
Then change your directory to /var/www/html and create a file called index.html.

Write some HTML in this file and save it (press i to switch to insert mode, then press ESC and type :wq to save and quit).
Open a browser again and type localhost. It will load our HTML from /var/www/html/index.html.

Here the /var/www/html path is labeled with the SELinux content type. That is why index.html loads after typing localhost: the label is inherited by the index.html file.


Let's see what happens if we do not label it. Assume we are in enforcing mode. It only allows access to files labeled with the SELinux content type, and the file path should be set in /etc/httpd/conf/httpd.conf as the DocumentRoot. This has no effect when SELinux is in permissive mode or disabled mode.

You can use the following commands to check whether a given file path or directory path is labeled with the SELinux content type.
  • For files
  • For directories

How to label a file with SELinux?

It is not that hard. Use the semanage fcontext manual page.

The manual page will then open.
Go to the examples, copy the first line and replace /web with your new path.
There, (/.*) is used so that files created later in the given path inherit the SELinux content type.
After that, copy the second line and replace /web with your path.
Then restart the httpd service.
You can now access the index.html in a different path.
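
The label check and the relabel step described above, as an added example that is not part of the original post: it parses `ls -Z`-style listings (a constructed sample is embedded) and prints, without running them, the two man-page commands for a given path. The type name `httpd_sys_content_t`, the `ls -Z` listing format and the function names are assumptions not shown on the page.

```shell
#!/bin/sh
# Added example: audit SELinux labels under a web root from `ls -Z` output.
# Simplification: httpd_sys_content_t (the type used in the semanage-fcontext
# man page example) is treated as the only type httpd may read.
WANT_TYPE="httpd_sys_content_t"

# Constructed sample, not real output: `ls -Z /web` where index.html was
# created in place, report.html was moved from a home directory and
# logo.png was moved from /var/www/html (mv keeps the original label).
SAMPLE_LS='unconfined_u:object_r:default_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 report.html
unconfined_u:object_r:httpd_sys_content_t:s0 logo.png'

# Print "TYPE NAME" per line. The context is the field shaped
# user:role:type[:level], so short and long (`ls -lZ`) listings both parse.
label_types() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) { print c[3], $NF; break }
    }'
}

# $1 = SELinux mode (enforcing|permissive|disabled); listing on stdin.
# Returns 1 only when a mislabeled file would really be denied to httpd.
audit_docroot() {
    mode=$1
    bad=$(label_types | awk -v want="$WANT_TYPE" '$1 != want { print "  " $2 " (" $1 ")" }')
    if [ -z "$bad" ]; then
        echo "OK: every file is $WANT_TYPE"
        return 0
    fi
    case $mode in
        enforcing) echo "Denied to httpd:"; echo "$bad"; return 1 ;;
        *) echo "Mislabeled, served only because mode is $mode:"; echo "$bad"; return 0 ;;
    esac
}

# Print (do not run) the two man-page commands adapted to the path in $1.
relabel_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$WANT_TYPE" "$1"
    printf 'restorecon -R -v %s\n' "$1"
}

# Demo: report the blocked files, then show the fix for /web.
printf '%s\n' "$SAMPLE_LS" | audit_docroot enforcing || relabel_cmds /web
```

On a real system, feed it the live listing instead of the sample, for example `ls -Z /web | audit_docroot "$(getenforce | tr 'A-Z' 'a-z')"`.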


Create a file in /var/www/index. It will then be automatically labeled with the SELinux context type.
Move it to the folder you want. Change the /etc/httpd/conf/httpd.conf file.
Restart the service and open Firefox. Then type localhost. It should work.


