SELinux & system troubleshooting & firewall policy management & service management | Cloud computing

1 Case 1: enable SELinux protection

1.1 problems

This example requires SELinux to be configured on the virtual machines server0 and desktop0:

  1. Make sure SELinux is in enforcing mode
  2. This setting must remain in effect after every reboot

1.2 scheme

SELinux (Security-Enhanced Linux) is a kernel-based mandatory access control mechanism originally developed by the US National Security Agency (NSA). It labels users, processes and files with security attributes and enforces protective restrictions based on those labels.

The SELinux security system is integrated directly into the Linux kernel and has three operating modes:

  • disabled: completely off; the kernel does not load the SELinux security system at startup
  • enforcing: the kernel loads the SELinux security system and enforces the protection policy
  • permissive: the kernel loads the SELinux security system but only logs policy violations without blocking them

Run getenforce to view the current mode.

Switching between disabled mode and either enforcing or permissive mode requires a reboot of the Linux system. Switching between enforcing and permissive mode does not require a reboot; run setenforce 1 (enforcing) or setenforce 0 (permissive) directly.

1.3 steps

To implement this case, you need to follow the following steps.

Step 1: adjust the current SELinux operation mode

1) View current mode

[root@server0 ~]# getenforce
Permissive                                      //the current mode is permissive

If the above command prints Disabled, the SELinux mechanism is turned off; it can only be enabled by modifying the persistent configuration (Step 2) and rebooting. If it prints Enforcing, the system is already in enforcing mode.

2) Switch to enforcing mode

If the result in action 1) is Permissive, run the following to switch to enforcing mode:

[root@server0 ~]# setenforce 1                  //switch to enforcing
[root@server0 ~]# getenforce                    //confirm the result of the switch
Enforcing

If the result in action 1) is Disabled, the setenforce command cannot be used:

[root@desktop0 ~]# getenforce
Disabled
[root@desktop0 ~]# setenforce 1
setenforce: SELinux is disabled 

Step 2: make the SELinux operating mode persistent

1) Modify the configuration file /etc/selinux/config

[root@server0 ~]# vim  /etc/selinux/config
SELINUX=enforcing
.. ..

2) Reboot and verify the result

[root@server0 ~]# reboot
.. .. 
[root@server0 ~]# getenforce 
Enforcing
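The two steps above (set the persistent mode in /etc/selinux/config, then confirm the live mode with getenforce) can be scripted and checked for drift. The following is an added example, not part of the original tutorial: it validates the requested mode before touching the file, rewrites only the SELINUX= line, and compares the configured mode against the running one. The CONFIG_FILE override and the file argument are assumptions added so the functions can be exercised against a constructed copy of the file without root.

```shell
#!/bin/sh
# Added example (not from the original tutorial): manage the persistent
# SELinux mode and detect drift between the configured and running mode.
# CONFIG_FILE defaults to the real path; it can be overridden (assumption)
# so the functions can be tested on a constructed copy of the file.

CONFIG_FILE="${CONFIG_FILE:-/etc/selinux/config}"

# Print the SELINUX= value from a config file. Commented lines such as
# "# SELINUX= can take one of ..." are ignored because the pattern is
# anchored at the start of the line.
read_configured_mode() {
    file="${1:-$CONFIG_FILE}"
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$file" | tail -n 1
}

# Rewrite the SELINUX= line to the requested mode. Only the three documented
# values are accepted: a typo such as "enforceing" would otherwise be written
# to the file and can prevent the system from booting.
set_configured_mode() {
    mode="$1"
    file="${2:-$CONFIG_FILE}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file"
    else
        echo "SELINUX=$mode" >> "$file"
    fi
    # Confirm the edit landed before reporting success.
    [ "$(read_configured_mode "$file")" = "$mode" ]
}

# Compare the persistent setting with the live mode reported by getenforce.
# Returns 0 when they agree, 1 on mismatch (a setenforce change or a config
# edit without a reboot), 2 when getenforce is not available.
check_drift() {
    configured="$(read_configured_mode "${1:-$CONFIG_FILE}")"
    running="$(getenforce 2>/dev/null | tr 'A-Z' 'a-z')"
    if [ -z "$running" ]; then
        echo "getenforce unavailable; configured=$configured"
        return 2
    fi
    if [ "$configured" = "$running" ]; then
        echo "ok: configured=$configured running=$running"
        return 0
    fi
    echo "mismatch: configured=$configured running=$running"
    return 1
}
```

Usage on a real host is `set_configured_mode enforcing` followed by a reboot; `check_drift` is the check to run afterwards, and also catches the case from Step 1 where `setenforce` changed the live mode without the file being updated.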

2 Case 2: use the systemctl tool

2.1 problems

This example requires mastering the basic operations of the systemctl control tool and completing the following tasks:

  1. Restart the httpd, crond and bluetooth services and check their status
  2. Disable the bluetooth service from starting automatically and stop the service
  3. Set the default target to multi-user.target and confirm it

2.2 scheme

systemd is a more efficient system and service manager. Its main features are:

  • Services are started in parallel, with precise dependencies between system services
  • Configuration directory: /etc/systemd/system/
  • Service directory: /lib/systemd/system/

systemctl is the management tool of systemd; it organizes the resources it manages into configuration units.

Different unit types cover different kinds of startup tasks. service and target are the most commonly used unit types:

  • service: an independent background service
  • target: a combination of a set of units, similar to the traditional "run level"

2.3 steps

To implement this case, you need to follow the following steps.

Step 1: restart the httpd, crond and bluetooth services and check their status

1) Restart the system services httpd, crond and bluetooth

[root@svr7 ~]# systemctl  restart  httpd  crond  bluetooth

2) View the status of the above services

[root@svr7 ~]# systemctl  status  httpd  crond  bluetooth
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-01-06 18:18:20 CST; 18s ago
.. ..
* crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2017-01-06 18:18:19 CST; 19s ago
.. ..
* bluetooth.service - Bluetooth service
   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2017-01-06 18:18:19 CST; 19s ago
.. ..

Step 2: stop the bluetooth service and disable its automatic start

1) Stop the bluetooth service

[root@svr7 ~]# systemctl  stop  bluetooth

2) Disable the bluetooth service from starting at boot

[root@svr7 ~]# systemctl  disable  bluetooth
Removed symlink /etc/systemd/system/dbus-org.bluez.service.
Removed symlink /etc/systemd/system/bluetooth.target.wants/bluetooth.service.
[root@svr7 ~]# systemctl  is-enabled  bluetooth          //check the result
disabled

Step 3: set the default target to multi-user.target and confirm it

1) View the default target (run level)

[root@svr7 ~]# systemctl  get-default
graphical.target

2) Set the default target to multi-user.target

[root@svr7 ~]# systemctl  set-default  multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.

3) Confirm the configuration result

[root@svr7 ~]# systemctl  get-default
multi-user.target

With this setting, the graphical desktop will no longer come up after the virtual machine is restarted.
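Steps 1 and 2 check the state of each service by hand with systemctl status and systemctl is-enabled. The following is an added example, not part of the original tutorial: it audits a baseline of units (enabled/disabled and active/inactive) and reports any that drifted from it, for instance a bluetooth service that was re-enabled after being disabled above. The SYSTEMCTL override and the EXPECTED baseline are assumptions added for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit whether a set of
# systemd units are in their intended state using systemctl is-enabled and
# systemctl is-active. SYSTEMCTL is overridable (assumption) so the logic
# can be exercised on a machine without systemd.

SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Baseline, one unit per line: <unit> <enabled|disabled> <active|inactive>.
# This list is a constructed example matching the tasks in this case;
# replace it with the baseline for your own host.
EXPECTED='
httpd enabled active
crond enabled active
bluetooth disabled inactive
'

# Report the state of one unit; return 0 when it matches the baseline.
# systemctl exits non-zero for "disabled"/"inactive" while still printing
# the word, so the printed word rather than the exit code is compared.
check_unit() {
    unit="$1"; want_enabled="$2"; want_active="$3"
    is_enabled="$("$SYSTEMCTL" is-enabled "$unit" 2>/dev/null || true)"
    is_active="$("$SYSTEMCTL" is-active "$unit" 2>/dev/null || true)"
    if [ "$is_enabled" = "$want_enabled" ] && [ "$is_active" = "$want_active" ]; then
        echo "ok    $unit ($is_enabled, $is_active)"
        return 0
    fi
    echo "DRIFT $unit: got ($is_enabled, $is_active), want ($want_enabled, $want_active)"
    return 1
}

# Walk the baseline and return the number of units that drifted
# (0 means every unit is in its intended state).
audit_units() {
    drift=0
    while read -r unit want_enabled want_active; do
        [ -z "$unit" ] && continue
        check_unit "$unit" "$want_enabled" "$want_active" || drift=$((drift + 1))
    done <<EOF
$EXPECTED
EOF
    echo "units drifted: $drift"
    return "$drift"
}
```

Run `audit_units` after the steps above; a non-zero exit status is the signal to investigate, and the DRIFT lines name the unit and the state it is actually in.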

Exercise

1 Configure the virtual machine so that SELinux is in permissive mode after every boot

[root@server0 ~]# vim  /etc/selinux/config
SELINUX=permissive
.. ..
[root@server0 ~]# reboot

2 What are the preset zones in the firewall system, and what does each one do?

public: only a few services such as sshd are allowed to reach this host

trusted: allow any access

block: block any incoming request

drop: drop any incoming packet

3 How do you make a firewall policy permanent when setting it?

Add the --permanent option

Reload the firewall configuration with firewall-cmd --reload
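A --permanent rule is written to the saved configuration but is not active until --reload, and a rule added without --permanent is active now but disappears on reload. The following is an added example, not part of the original tutorial: it applies the permanent-then-reload sequence and verifies the result in the runtime configuration, and it checks a zone for rules that exist in only one of the two sets. The FIREWALL_CMD override is an assumption added so the sequencing can be exercised where firewalld is not running.

```shell
#!/bin/sh
# Added example (not from the original tutorial): open a service in a zone so
# that the rule survives reload and reboot, then verify it is live, and detect
# runtime/permanent mismatches. FIREWALL_CMD is overridable (assumption).

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Add a service to a zone permanently, reload so the runtime picks it up,
# then query the runtime configuration to prove the rule is in effect.
# Querying after --reload is the check that matters: a --permanent change
# alone is not enforced until the reload.
open_service() {
    zone="$1"; service="$2"
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$service" >/dev/null || return 1
    "$FIREWALL_CMD" --reload >/dev/null || return 1
    "$FIREWALL_CMD" --zone="$zone" --query-service="$service" >/dev/null
}

# Return 0 when the runtime and permanent service lists of a zone agree.
# A difference means either a rule added without --permanent (lost on the
# next reload) or a --permanent rule that has not been reloaded yet.
permanent_runtime_diff() {
    zone="$1"
    runtime="$("$FIREWALL_CMD" --zone="$zone" --list-services | tr ' ' '\n' | sort)"
    permanent="$("$FIREWALL_CMD" --permanent --zone="$zone" --list-services | tr ' ' '\n' | sort)"
    if [ "$runtime" = "$permanent" ]; then
        echo "zone $zone: runtime and permanent services agree"
        return 0
    fi
    echo "zone $zone: runtime and permanent services differ"
    return 1
}
```

On a real host, `open_service public http` followed by `permanent_runtime_diff public` is the whole sequence; running only `permanent_runtime_diff` on a schedule catches rules that were opened at runtime and never persisted.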

4 Set the default run level of the Linux system to text mode

1) Modify the default target (run level)

[root@svr7 ~]# systemctl  set-default  multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.

2) Confirm the modification result

[root@svr7 ~]# systemctl  get-default
multi-user.target


Added by phoenixx on Tue, 04 Jan 2022 05:27:05 +0200