Posts

Showing posts from October, 2017

Network Manager

This should be the third-to-last topic I'd like to share from my RHCE course, but my brain just hung there without making any progress, so I went ahead with SELinux and the firewall first.

I am still trying to understand the networking terms; teaming and bridge are two new words I learned from the RH Admin III course. Actually, I still don't quite understand what these are used for. When I set up VirtualBox for this series of posts, I started to understand bridging a bit more... Anyway, let me stay focused on the topic (the how-to).

The NetworkManager commands (nmcli) are fairly easy to use, if you know what you are trying to do.

Network teaming

I did some hacks to make two interfaces available, enp0s8 and enp0s10.


Next, create a team master. This team master is configured with the activebackup runner, i.e. one port/link carries the traffic while the other is held in reserve as a backup and takes over when the active link goes down.


Now create the team slaves (team ports).


Use teamdctl to see the status of the team (which port is active, and the link state of each port). It is provided by the teamd package.
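The steps above (master with the activebackup runner, two team ports, bring-up, status) as one script. This is an added example, not code from the original post; the interface names enp0s8/enp0s10, the connection name team0 and the static address are assumptions. Without the `apply` argument it only prints the nmcli commands it would run, so the plan can be reviewed before the network is touched.

```shell
#!/bin/sh
# Added example (not from the original post): build an activebackup team
# from two ports with nmcli, then verify it with teamdctl.
# Interface and connection names are assumptions; adjust to your machine.
# Without the "apply" argument the script only prints the plan (DRY_RUN=1).

TEAM=${TEAM:-team0}
PORTS=${PORTS:-"enp0s8 enp0s10"}
: "${DRY_RUN:=1}"

run() {
    # Print the command (unquoted, for reading); execute it only when DRY_RUN is 0.
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

team_config() {
    # Runner JSON handed to teamd. activebackup keeps one port active and
    # fails over when link_watch (ethtool carrier check) sees it go down.
    printf '{"runner":{"name":"activebackup"},"link_watch":{"name":"ethtool"}}'
}

create_team() {
    # Master connection. A static address (assumed) means failover does not
    # depend on a DHCP renewal succeeding over the surviving port.
    run nmcli con add type team con-name "$TEAM" ifname "$TEAM" \
        config "$(team_config)"
    run nmcli con mod "$TEAM" ipv4.method manual \
        ipv4.addresses 192.168.56.20/24
}

add_ports() {
    # One team-slave connection per physical interface.
    for p in $PORTS; do
        run nmcli con add type team-slave con-name "$TEAM-$p" ifname "$p" master "$TEAM"
    done
}

bring_up() {
    run nmcli con up "$TEAM"
    for p in $PORTS; do run nmcli con up "$TEAM-$p"; done
}

show_state() {
    # teamdctl comes from the teamd package; "state" lists the runner, the
    # ports and which one is currently active.
    run teamdctl "$TEAM" state
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    create_team && add_ports && bring_up && show_state
fi
```

Run it once without arguments to read the plan, then `sh team.sh apply` as root. To test the failover, unplug (or `nmcli dev disconnect`) the active port and check `teamdctl team0 state` again.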


Currently,…

SELinux

SELinux stands for Security-Enhanced Linux; it was originally developed by the NSA.

The SELinux mode is set in /etc/selinux/config. A stock RHEL installation runs in enforcing mode; in permissive mode, a policy violation is only logged as a warning rather than blocked, so the service keeps running as if SELinux were absent.

SELinux config file content.


In either mode, the AVC denials are recorded in /var/log/audit/audit.log (by auditd); in permissive mode they are the only sign that the policy was violated.

Port related

Let's do a test.


I set the httpd service to also listen on port 1234, which is not a conventional port for httpd. In permissive mode the httpd service restarts successfully, but an AVC denial entry appears in audit.log.


When I set SELinux to enforcing, the service fails to start. This is a snippet of the log from the httpd service status.


From the audit.log entry and the status log, port 1234 is the culprit. It must be added to the relevant SELinux port type; here I add it to http_port_t, the type httpd is allowed to bind to.


Now it can be successfully restarted!
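The same diagnosis done from the audit record instead of by eye: pull the denied port out of the AVC line, then label it with semanage. This is an added example, not the original post's commands; the audit line is constructed to match the name_bind denial described above, and the helper names are the example's own. The practitioner caveat it handles: `semanage port -a` fails with "already defined" when the port already carries another explicit type, in which case `-m` (modify) is needed instead.

```shell
#!/bin/sh
# Added example (not from the original post): extract the denied port from
# an AVC record and label it for httpd with semanage.
# SAMPLE_AVC is a constructed line in the audit.log format; permissive=1
# shows it was logged in permissive mode (it would read permissive=0 in
# enforcing mode, where the bind actually fails).
SAMPLE_AVC='type=AVC msg=audit(1508740000.123:456): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

avc_denied_port() {
    # Read AVC lines on stdin; print "<port> <proto>" for each name_bind
    # denial, e.g. "1234 tcp". src= is the port the process tried to bind,
    # tclass is tcp_socket or udp_socket.
    awk '/avc: *denied.*name_bind/ {
        port = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) port = substr($i, 5)
            if ($i ~ /^tclass=/) { proto = substr($i, 8); sub(/_socket$/, "", proto) }
        }
        if (port != "" && proto != "") print port, proto
    }'
}

port_type() {
    # Explicit SELinux type of <port>/<proto> from "semanage port -l", whose
    # lines look like "http_port_t  tcp  80, 81, 443, ...". Prints nothing
    # for a port that is not explicitly defined (single ports only; ranges
    # such as 8080-8090 are not expanded here).
    semanage port -l | awk -v p="$1" -v pr="$2" '$2 == pr {
        for (i = 3; i <= NF; i++) { g = $i; sub(/,$/, "", g)
            if (g == p) { print $1; exit } } }'
}

label_port() {
    # Usage: label_port <port> <proto> [current_type]
    # Prints the semanage command to run. -a adds a new definition; if the
    # port already has a different explicit type, -a fails ("already
    # defined") and -m must be used to change it.
    port=$1; proto=$2; current=${3:-}
    case "$current" in
        "")           op=-a ;;
        http_port_t)  echo "# $port/$proto already http_port_t"; return 0 ;;
        *)            op=-m ;;
    esac
    printf 'semanage port %s -t http_port_t -p %s %s\n' "$op" "$proto" "$port"
}

if [ "${1:-}" = apply ]; then
    # Take the most recent name_bind denial from the audit log, label the
    # port, then retry the service.
    set -- $(ausearch -m avc -ts recent 2>/dev/null | avc_denied_port | tail -1)
    [ $# -eq 2 ] || { echo "no name_bind denial found" >&2; exit 1; }
    cmd=$(label_port "$1" "$2" "$(port_type "$1" "$2")")
    echo "$cmd"; sh -c "$cmd"
    systemctl restart httpd
fi
```

Before applying anything, check `semanage port -l | grep http_port_t` to see what httpd may already bind, and prefer adding the port to the existing type over writing a custom policy module.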


File related

SELinux pol…

Firewall

By default, firewalld is already installed when you set up the machine, so nothing extra needs to be installed to use it.

A few zones are predefined, and the public zone is the default zone.

I got this from man firewalld.


List of predefined zones, and the default zone.


The basic firewall task is to allow external hosts to reach a service or port on the local machine.

To list current firewall rules.


To allow a service or port.


To remove the service or port from the firewall, simply replace add with remove. Note that this only changes the runtime configuration: once firewalld is restarted (or reloaded), these rules are gone. To make them permanent, run the same commands again with the --permanent option. Alternatively, run the command with --permanent first, then run firewall-cmd --reload to apply it.

For more complex rules, firewalld offers the rich language, with which you can drop, reject or accept specific packets. In ad…
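A rich rule in practice, covering the runtime-versus-permanent point above: allow a service only from one source network and make the change survive a firewalld restart. This is an added example, not the post's own commands; the public zone, the 192.168.56.0/24 network and the ssh service are assumptions, and the `rich_rule`/`allow_only_from` helpers are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): restrict a service to one
# source network with a firewalld rich rule, made permanent in one step.
# Zone, source network and service are assumptions for illustration.

ZONE=${ZONE:-public}
: "${DRY_RUN:=1}"   # without "apply", only print the commands (unquoted, for reading)

run() { printf '%s\n' "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

rich_rule() {
    # Usage: rich_rule <source-cidr> <service> <accept|reject|drop> [log-prefix]
    # Emits the rich-language string that --add-rich-rule expects. With a
    # prefix, matching packets are also logged (rate-limited to 3 per minute).
    src=$1; svc=$2; act=$3; pfx=${4:-}
    log=""
    [ -n "$pfx" ] && log=" log prefix=\"$pfx\" level=\"info\" limit value=\"3/m\""
    printf 'rule family="ipv4" source address="%s" service name="%s"%s %s' \
        "$src" "$svc" "$log" "$act"
}

allow_only_from() {
    # Usage: allow_only_from <cidr> <service>
    # The plain "--add-service" entry must go first: it admits the service
    # from any source regardless of the rich rule. Hosts outside <cidr> then
    # fall through to the zone target (reject for the public zone). Everything
    # is written with --permanent and activated by --reload, so it is still
    # there after firewalld restarts.
    cidr=$1; svc=$2
    run firewall-cmd --permanent --zone="$ZONE" --remove-service="$svc"
    run firewall-cmd --permanent --zone="$ZONE" \
        --add-rich-rule="$(rich_rule "$cidr" "$svc" accept "$svc-in")"
    run firewall-cmd --reload
    run firewall-cmd --zone="$ZONE" --list-rich-rules
}

persist_runtime() {
    # The other way round: keep testing with runtime-only changes, then copy
    # the live configuration into the permanent one once it works.
    run firewall-cmd --runtime-to-permanent
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    allow_only_from "${2:-192.168.56.0/24}" "${3:-ssh}"
fi
```

Check the result with `firewall-cmd --zone=public --list-all`: the service must no longer appear under `services`, only inside `rich rules`, otherwise the restriction is not in effect.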

Server Message Block (SMB)

This post is about setting up an SMB server and configuring client access. The Samba daemon mainly provides file/print services for Workgroups or LanManager clients, which is out of scope for this post. I have no idea how to link it to a Windows AD. :D

Install samba and samba-client package in server.

yum install -y samba samba-client
Let's look at the configuration file (/etc/samba/smb.conf).


These settings are highlighted in the RH Administration III manual:
workgroup = <WORKGROUP NAME> : the workgroup the server claims to belong to.
security = user : clients must authenticate with a username and password before they see any share.
passdb backend = tdbsam : Samba users and their password hashes are kept in a local TDB database, separate from /etc/shadow.

At this point, or in this post, let's just leave it as default.

Let's share /data on the server as a share named data.


The [data] header starts a new share section, and the share name is data.
path specifies the directory to share.
writable sets whether the share can be modified; you can also use the read only parameter to control this.
browseable controls whether this share is visible when a user lists the shares.
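The whole share setup as one script, including the two things the smb.conf stanza alone does not cover: the directory must carry the samba_share_t SELinux type for smbd to serve it, and the samba service must be allowed through the firewall. This is an added example, not the post's own configuration; the group smbusers, the user name and the `share_stanza`/`label_dir` helpers are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): define the [data] share,
# label the directory for Samba under SELinux, open the firewall and create
# a Samba user. Path, share name, group and user are assumptions.
SHARE=${SHARE:-data}; DIR=${DIR:-/data}; GROUP=${GROUP:-smbusers}
: "${DRY_RUN:=1}"   # without "apply", only print the commands
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

share_stanza() {
    # Usage: share_stanza <name> <path> <group>
    # "valid users = @group" limits access to group members even though the
    # share is writable; "browseable = no" keeps it out of share listings.
    printf '[%s]\n    path = %s\n    writable = yes\n    browseable = no\n    valid users = @%s\n' \
        "$1" "$2" "$3"
}

install_share() {
    # Append the stanza to smb.conf, then let testparm parse the result so a
    # typo shows up now rather than when smb fails to start.
    if [ "$DRY_RUN" = 1 ]; then
        echo "# would append to /etc/samba/smb.conf:"; share_stanza "$SHARE" "$DIR" "$GROUP"
    else
        share_stanza "$SHARE" "$DIR" "$GROUP" >> /etc/samba/smb.conf
    fi
    run testparm -s
}

label_dir() {
    # smbd may only serve samba_share_t (or public_content_t) under SELinux.
    # The fcontext rule is recorded so a relabel keeps the type; the setgid
    # bit (2770) makes new files inherit the share group.
    run mkdir -p "$DIR"
    run chgrp "$GROUP" "$DIR"
    run chmod 2770 "$DIR"
    run semanage fcontext -a -t samba_share_t "$DIR(/.*)?"
    run restorecon -Rv "$DIR"
}

open_firewall() {
    run firewall-cmd --permanent --add-service=samba
    run firewall-cmd --reload
}

add_smb_user() {
    # Samba keeps its own password hashes (tdbsam); the Linux account exists
    # only for file ownership and group membership, so it gets no login shell.
    run useradd -G "$GROUP" -s /sbin/nologin "$1"
    run smbpasswd -a "$1"   # prompts for the SMB password
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    run groupadd -f "$GROUP"   # -f: succeed if the group already exists
    label_dir; install_share; open_firewall; add_smb_user "${2:-alice}"
    run systemctl enable smb
    run systemctl start smb
fi
```

From a client, `smbclient -L //server -U alice` should list nothing for data (browseable = no) yet `smbclient //server/data -U alice` should still connect; a 403-style NT_STATUS_ACCESS_DENIED at that point usually means the SELinux label, not the smb.conf, is wrong.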

Now enable…

Network File System (NFS)

This post is about how to setup NFS share, and how to access the NFS from another machine.

Both server and client must have nfs-utils installed.

yum install -y nfs-utils
Enable and start nfs-server on server machine.

systemctl enable nfs-server
systemctl start nfs-server
Say /data is to be shared over NFS.

The share must be listed in /etc/exports, and the configuration then reloaded (exportfs -r). The syntax of /etc/exports is

<path to share> <allowed network>(<options>)

This means any machine in the 192.168.56.1/24 network (i.e. 192.168.56.0/24) can access it.

The nfs service must be allowed through the firewall as well.

firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
Let me create a file in the directory.


On the client machine, you can set up a permanent mount by adding it to /etc/fstab.


If you create a file from this client machine, you'll get something like this.


A few options can be used in /etc/exports to control the access level:

rw : read/write access.
ro : read…
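The export and the client mount from this post as a script that builds and validates the lines instead of typing them by hand. This is an added example, not the post's own commands; the server address 192.168.56.10, the mount point /mnt/data and the `export_line`/`fstab_line` helpers are assumptions. It writes the squash option out explicitly: root_squash is already the kernel default, but spelling it out makes a later change to no_root_squash (which lets a root user on any client write as root on the server) visible in the file.

```shell
#!/bin/sh
# Added example (not from the original post): export /data to one network,
# validate the exports line, and produce the matching client fstab entry.
# Paths, network and server address are assumptions.
: "${DRY_RUN:=1}"   # without "apply", only print the commands
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

export_line() {
    # Usage: export_line <path> <client-spec> <rw|ro> [root|all|none]
    # root_squash (default) maps client root to nobody; all_squash maps every
    # client user to nobody (for anonymous read-only shares); no_root_squash
    # trusts client root and should be a deliberate choice. "sync" makes the
    # server commit writes before acknowledging them. Note there is no space
    # between the client spec and the option list: "host (rw)" would export
    # read-write to the whole world and (rw) to "host".
    case "${4:-root}" in
        root) sq=root_squash ;;
        all)  sq=all_squash ;;
        none) sq=no_root_squash ;;
        *) echo "bad squash mode: $4" >&2; return 1 ;;
    esac
    printf '%s %s(%s,sync,%s)\n' "$1" "$2" "$3" "$sq"
}

fstab_line() {
    # Usage: fstab_line <server> <export-path> <mountpoint>
    # _netdev delays the mount until the network is up; nosuid,nodev stop
    # setuid binaries and device nodes on the share from counting locally.
    printf '%s:%s %s nfs _netdev,nosuid,nodev 0 0\n' "$1" "$2" "$3"
}

export_share() {
    # Usage: export_share <path> <client-spec> <rw|ro> [squash]
    line=$(export_line "$1" "$2" "$3" "${4:-root}") || return 1
    if [ "$DRY_RUN" = 1 ]; then echo "# would append to /etc/exports: $line"
    else printf '%s\n' "$line" >> /etc/exports; fi
    run exportfs -rav           # re-export everything in /etc/exports
    run firewall-cmd --permanent --add-service=nfs   # NFSv4; v3 clients also need mountd and rpc-bind
    run firewall-cmd --reload
    run exportfs -v             # shows the effective options, defaults included
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    export_share /data 192.168.56.0/24 rw
    echo "client fstab entry:"; fstab_line 192.168.56.10 /data /mnt/data
fi
```

On the client, `showmount -e 192.168.56.10` confirms the export is visible before the fstab entry is added, and `mount -a` followed by `touch /mnt/data/x` as root should produce a file owned by nobody, proving root_squash is in effect.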

Secured web server

This post is mainly about configuring a secured (HTTPS) web server. Certificate generation will be discussed in a future post.

One package needs to be installed, mod_ssl.

yum install -y mod_ssl
After installation, httpd needs to be restarted, and the firewall rule should be updated if the server is meant to be reachable from other machines.

systemctl restart httpd
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
When you try to access the server over HTTPS, you'll get a certificate warning, because mod_ssl ships with a self-signed certificate generated at install time that no browser trusts.


You can proceed via Add Exception to view the page.


If I try to access https://test.com (based on the existing setup, continuing from yesterday's virtual web server post), I'll get this.


Why? Because test.com resolves to the same IP, but its VirtualHost is only defined for port 80, not port 443. When no VirtualHost on port 443 matches the requested name, Apache serves the default virtual host for that port, which falls back to the DocumentRoot in /etc/httpd/conf/httpd.conf.

With the additional settings below (a second VirtualHost for test.com on port 443), it points to the "actual" test.com content again.
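The fix for the fallback just described, as an added example rather than the post's own configuration: one generator writes the test.com VirtualHost for both ports, and a small model of Apache's name-based selection shows why the 443 request landed in /var/www/html before the second block existed. The hostname test.com, the directory /srv/test/www and the helper names are assumptions; the certificate and key paths are the self-signed pair mod_ssl generates on install.

```shell
#!/bin/sh
# Added example (not from the original post): a name-based virtual host for
# test.com on port 80 and port 443, plus a model of how Apache picks a vhost.
# Hostname, directory and helper names are assumptions.

NAME=${NAME:-test.com}
DOCROOT=${DOCROOT:-/srv/test/www}
CERT=/etc/pki/tls/certs/localhost.crt    # self-signed pair created by mod_ssl
KEY=/etc/pki/tls/private/localhost.key

vhost_conf() {
    # Usage: vhost_conf <port> <servername> <docroot> [tls]
    # The same ServerName on 443 is what stops https://test.com from falling
    # back to the default DocumentRoot. "Options -Indexes" prevents directory
    # listings when DirectoryIndex finds nothing to serve.
    port=$1; name=$2; root=$3; tls=${4:-}
    printf '<VirtualHost *:%s>\n    ServerName %s\n    DocumentRoot %s\n' "$port" "$name" "$root"
    if [ "$tls" = tls ]; then
        printf '    SSLEngine on\n    SSLCertificateFile %s\n    SSLCertificateKeyFile %s\n' "$CERT" "$KEY"
    fi
    printf '    <Directory %s>\n        Options -Indexes\n        Require all granted\n    </Directory>\n</VirtualHost>\n' "$root"
}

select_vhost() {
    # Model of Apache's choice. stdin: "port servername docroot" lines in
    # definition order; args: <port> <Host header>. Among the vhosts on that
    # port, the first whose ServerName equals the Host header wins; with no
    # match, the first vhost defined for the port is used. On a stock RHEL
    # box that is the _default_:443 block from ssl.conf, which has no
    # DocumentRoot of its own and so inherits /var/www/html from httpd.conf.
    awk -v port="$1" -v host="$2" '
        $1 == port { if (first == "") first = $3
                     if ($2 == host) { print $3; found = 1; exit } }
        END { if (!found) print first }'
}

# Constructed table of the vhosts present before the fix: httpd.conf's main
# server on 80, ssl.conf's _default_ on 443, and test.com on 80 only.
SAMPLE_VHOSTS='80 _default_ /var/www/html
443 _default_ /var/www/html
80 test.com /srv/test/www'

install_vhost() {
    # Write both blocks to one file under conf.d and check the syntax before
    # reloading, so a broken config does not take the running server down.
    out=/etc/httpd/conf.d/$NAME.conf
    { vhost_conf 80 "$NAME" "$DOCROOT"; vhost_conf 443 "$NAME" "$DOCROOT" tls; } > "$out"
    apachectl configtest && systemctl reload httpd
}

if [ "${1:-}" = apply ]; then install_vhost; fi
```

`printf '%s\n' "$SAMPLE_VHOSTS" | select_vhost 443 test.com` prints /var/www/html (the fallback); append a `443 test.com /srv/test/www` line and the same query prints /srv/test/www. On the real server, `curl -k --resolve test.com:443:127.0.0.1 https://test.com/` checks the result without touching DNS.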


You'll get this.


Virtual web server

I am not sure whether this is actually called a virtual web server or a virtual host; whatever. This configuration allows multiple web sites to be hosted on a single machine.

The default configuration file of httpd service is at /etc/httpd/conf/httpd.conf. Notable default settings are :

ServerRoot "/etc/httpd"
Listen 80
DocumentRoot "/var/www/html"
ServerRoot : where the server configuration and log files are kept.
Listen : the port the server listens on.
DocumentRoot : the directory from which requests are served when no virtual host matches.

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
The above section sets the default file that Apache will serve if a directory is requested.


Another "default" location for hosted files is /srv/<folder>/www; the SELinux policy already labels this pattern for httpd, which is why the course uses it. We will use this location to host our virtual host.

Now, let's create the configuration file in /etc/httpd/conf.d/.


Now, let's create the index.html file. Take note on the file prop…