1. Firewall Basics on Linux

Iptables and Firewalld

Basic Concepts:

Firewalls in Linux operate through Netfilter (networking kernel component)
Netfilter cannot be configured directly; requires tools
Two main firewall demons: Iptables and Firewalld
Cannot run simultaneously on same system

Iptables:

Older system
May become deprecated
Still installable and functional
Located in /sbin directory

Firewalld:

Newer system
Different security metaphor
Generally easier to configure

Checking Iptables Status:

Use command: sudo -s (enter root session)
Check status: systemctl status iptables
If installed but not running, will show “not found”
Verify installation: ls /sbin/iptables

Managing Iptables: Steps to prepare system for Firewalld: a) Check if Iptables is running:
- systemctl status iptables b) If running, stop it:
- systemctl stop iptables c) Mask Iptables to prevent automatic startup:
- systemctl mask iptables
User Session Indicators:

$ symbol: regular user session
# symbol: root session
Username displayed at prompt

Note: These steps are necessary preparation before configuring and running Firewalld.

Installing and Configuring Firewalld

Basic Firewalld Installation

Use DNF command (YUM replacement): dnf install firewalld
Three main components installed:
- Firewalld
- Python (required as Firewalld is written in Python)
- Related dependencies

Installing Firewalld GUI Controls (Workstation)

Command: sudo dnf install firewalld
For GUI interface, install firewall-config
Installation process:
- Run firewall-config command
- System will prompt to install necessary packages
- Confirm installation
- GUI interface will launch showing connections and interfaces

Installing GUI Controls on Server (No GUI)

Same command can be run on Fedora Server without GUI
Command: dnf install firewall-config
System will show available updates
Recommended to install updates (approximately 1MB)
Updates ensure consistent experience across systems

Important Notes:

Firewalld comes pre-installed on Fedora 25
GUI controls are not installed by default, even with Firewalld
Installation process differs between workstation (with GUI) and server (without GUI)
Running system updates is recommended before proceeding with configuration

Firewalld Zones

DEFINITION & CONCEPT

Firewalld zone: Defines level of trust for network connections
One-to-many relationship: A connection can belong to only one zone, but a zone can have multiple connections

VIEWING ZONES

List Supported Zones Command:
```
firewall-cmd --get-zones
```
Default zones include:
- Fedora Server
- Fedora Workstation
- block
- dmz
- drop
- external
- home
- internal
- public
- trusted
- work
List Zones with Enabled Features Command:
```
firewall-cmd --list-all-zones
```
- Shows detailed, space-separated information for each zone
- All zones are pre-created during installation
- Comes by default with Firewalld installation

KEY POINTS

Zones are fundamental to Firewalld configuration
Similar to zones in other technologies (e.g., DNS zones)
Acts as a collection of connection types
Zones are automatically created during installation
No manual zone creation required initially

Understanding Firewalld Services

Definition:

FirewallD service: A list of local ports, destinations, and firewall helper modules that load automatically when enabled

Key Points:

Purpose:
- Provides list of commonly used TCP/UDP ports
- Helps identify ports/protocols used by different services
- Simplifies firewall configuration for services
Viewing Services:
- Command: firewall-cmd –get-services
- Must be run as root or with sudo
- Shows pre-configured services installed by default
Examples of Pre-configured Services:
- Bitcoin
- XMPP servers (chat)
- Samba (Windows file sharing)
- POP3 (mail)
- K-Admin (Kerberos)
- LDAP (directory services)
- Apache (web server, ports 80 and 443)
Benefits:
- Eliminates need to memorize port numbers
- Simplifies configuration for unfamiliar services
- Makes administrative tasks more efficient
- Helps in quick firewall rule configuration

Note: Services feature is designed to streamline firewall management by providing pre-configured port and protocol settings for common services.

Zones in Firewalld

Zone Types and Functions:

Drop Zone: Silently drops all connections without notification
Block Zone: Rejects connections and sends rejection notification
Fedora Server Zone (Default):
- Active with interface enp0s3
- Services: SSH, dhcpv6-client, cockpit
- IP masquerading disabled

External Zone Features:

Default target configuration
SSH service enabled
IP masquerading enabled
Pre-configured for immediate use upon interface assignment

Command Line Interface:

Accessed through sudo/root
Provides detailed zone information
Shows active interfaces, services, and masquerading status
More immediately readable than GUI

Graphic User Interface (Firewall Configuration Utility):

Access path: Activities → Show Applications → Sundry → Firewall
Shows same information as command line but in graphical format
Features:
- Runtime configuration options
- Zone management
- Service activation
- Port configuration
- ICMP filters
- Rich rules
- Interface assignment

Configuration Management:

Runtime vs. Permanent configurations
Changes in runtime are temporary
Options to convert runtime to permanent settings
Configurations reset on service reload/server restart if not made permanent

Zone Assignment:

Interfaces can be assigned to different zones
Changes can be tested in runtime
Default zones can be modified
Multiple interfaces can be managed independently

Service and Security Features:

Customizable service allowances
Port configuration options
Masquerading settings
Protocol configurations
Source port management

Configuring Firewalld for Local Protection

Firewall-cmd Configuration Preparation

Initial Setup:

Login to Fedora server via command line
Use “sudo -s” for elevated privileges
Transcript uses Fedora 25 Server Edition

Key Commands:

Check Default Zone:
- firewall-cmd –get-default-zone
- Returns “FedoraServer”
Change Default Zone:
- firewall-cmd –set-default-zone=work
- Can be changed back using: firewall-cmd –set-default-zone=FedoraServer
View Active Zones:
- firewall-cmd –get-active-zones
- Shows zone and associated interface (e.g., enp0s3)
Check Zone of Interface:
- firewall-cmd –get-zone-of-interface=enp0s3
Add Interface to Zone:
- firewall-cmd –zone=FedoraServer –add-interface=enp0s3
Configure Service in Zone:
- firewall-cmd –add-service=mdns
- Note: When zone isn’t specified, default zone is used
Verify Configuration:
- firewall-cmd –list-all
- Shows all settings including:
  - Target
  - Interfaces
  - Services (default and added)

Important Notes:

Interface names may vary by system
Default zones can be customized based on needs
Commands assume default zone if not specified
Service names must match available service list
Changes can be temporary (with time specification) or permanent

Default FedoraServer Zone Services:

ssh
dhcpv6-client
cockpit
mdns (after adding)

Setting Up Apache Web Server Firewall Access

Initial Requirements:

Install Apache web server
Configure index.html
Open necessary ports for external access

Command Line Method:

Use firewall command to add services to default zone
Commands:
- Add HTTP: firewall-cmd –add-service=http
- Add HTTPS: firewall-cmd –add-service=https
This enables ports 80 (HTTP) and 443 (HTTPS)
Verify configuration: firewall-cmd –list-all
- Shows services added to FedoraServer zone
- Confirms http/https services on interface emp0s3

Graphic User Interface Method:

Default zone: External
Steps:
- Change zone to FedoraServer
- Scroll to services section
- Select HTTP and HTTPS
- Authenticate when prompted
- Changes apply to runtime environment initially

Making Changes Permanent:

Command Line: Will be covered in later section
GUI Method: Use “Runtime to Permanent” option
- Automatically applies changes to FedoraServer zone
- Makes HTTP/HTTPS access permanent

Note: Both methods achieve the same result of allowing web server access through the firewall, just through different interfaces.

Configuring Firewall for Mail Server Services

Mail Server Components requiring firewall configuration:
- IMAP server
- POP server
- SMTP server
Adding Services Command Structure:
- Use: sudo firewall-cmd –add-service=
- Basic mail services to add:
  - SMTP (regular mail sending)
  - SMTPS (SSL-secured mail sending)
  - SMTP-submission
  - IMAP (regular mail receiving)
  - IMAPS (SSL-secured IMAP)
  - POP3 (regular mail receiving)
  - POP3S (SSL-secured POP3)
Checking Configuration:
- Command: firewall-cmd –list-all
- Shows all enabled services including:
  - MDNS, HTTP, HTTPS
  - Mail-related services
Removing Services:
- Command: firewall-cmd –remove-service=
- Consider removing unsecured services:
  - POP3
  - IMAP
  - HTTP
- Note: SMTP (port 25) might be necessary even with SSL
Important Considerations:
- Default service ports recommended
- Configuration must align with mail server setup
- Can customize services based on specific needs
- Both secured and unsecured options available
- Multiple services/ports may be required
Best Practice:
- Prefer secured services (SMTPS, IMAPS, POP3S)
- Remove unnecessary unsecured services
- Verify configuration after changes

Allowing XMPP Server on Firewall

XMPP Server Overview:

Chat service requiring multiple firewall services
Similar to mail services in configuration needs

Identifying Available Services:

Command: firewall-cmd –get-services
XMPP-related services found:
- XMPP-bosh
- XMPP client
- XMPP local
- XMPP server

Enabling Services (Command Line):

Use firewall-cmd to add each XMPP service
Services can be added individually
Verify configuration with ’list all’ command
All XMPP services should appear in the list

GUI Configuration (Workstation):

Access through firewall configuration utility
Select appropriate network connection (EN0)
Choose FedoraServer zone
Enable XMPP services by checking boxes
Authentication required
Test services after configuration

Important Notes:

Detailed service setup beyond course scope
Focus is on firewall port configuration
Configuration possible through both CLI and GUI
Same end result regardless of method used
Minimizes typos by referencing available services list

Allowing SMB Server Through Firewall

SMB/Samba/CIFS Overview:

Standard file-sharing protocol for Windows
Adopted by Mac OS (uses Samba 3)
Popular for Linux file sharing and networking

Command Line Configuration:

Use command: firewall-cmd –get-services
- Lists all available services
- Shows samba and samba-client options
Add services using:
- firewall-cmd –add-service=samba
- firewall-cmd –add-service=samba-client
Verify configuration:
- Use firewall-cmd –list-services
- Confirms samba and samba-client are added to default zone

GUI Configuration (Fedora Workstation):

Access through primary interface
Scroll to find samba and samba-client options
Authentication required for security
Enable both services

Important Notes:

All configurations are initially in Runtime mode
Need to change from Runtime to Permanent for persistent settings
Changes reset on firewall reload/restart if not made permanent
Final chapter covers moving configurations to permanent space

Allowing NFS Server Access in Firewall

NFS vs Samba

NFS competes with Samba on UNIX systems
Has UNIX file sharing roots
High performance
Commonly used in UNIX environments

Adding NFS Service (Command Line)

Check available services: firewall-cmd –get-services
Add NFS: firewall-cmd –add-service=NFS
Verify by listing services

Cleaning Up Unnecessary Services Removed services:

https
smtps
smtp-submission
pop3s
xmpp (client and server)
local

Final Service Configuration Remaining services:

mdns
samba
samba-client
nfs (Represents typical file sharing server setup)

GUI Method (Fedora)

Access through en0 interface
Using Fedora Server zone
Steps:
- Click NFS option
- Enter password
- Verify checkmark appears

Configuration Persistence

Can work in Runtime or Permanent configuration
Recommended: Work in Runtime first
Use “Runtime To Permanent” option when configuration is verified

Note: Only remove services if they’re not actively being used by the server.

Allowing LDAP Server Access

LDAP Server Configuration

Can be Kerberized
May have SSL authentication
May require custom ports
Both LDAP and LDAPS (SSL secured) versions available

Enabling Services

Use ‘get services’ command to view available services
Key services include:
- LDAP and LDAPS
- Kerberos-related services (kadmin, klog, kpassword)
Add services using ‘Adservice’ command

Important Considerations

LDAP doesn’t require Kerberos, but can be integrated
Server administrator must know which services are enabled
Services need appropriate protection

Graphical User Interface (Firewall Configuration Utility)

Access through Fedora Server zone
Enable services by checking appropriate boxes
Test functionality after configuration

Recommended Configuration Process a) Initial Setup:
- Place EN0/active connection in trusted zone
- Configure services completely
- Test client connections

b) Implementation:

Move from trusted zone to Fedora Server zone
Enable required checkboxes
Perform thorough testing
Troubleshoot if needed:
- Check documentation
- Verify required ports
- Confirm protocols

c) Final Steps:

Ensure all services work correctly
Switch from runtime to permanent in options

Troubleshooting Tips

Check for typos if commands fail
Verify all necessary ports are open
Review documentation for additional requirements
Test after each major configuration change

PostgreSQL Server Configuration in Firewall

Service Port Configuration

PostgreSQL and other SQL databases require specific port configurations
Less commonly known port numbers make reference list useful
Similar services include MySQL and MS SQL

Adding Database Services to Default Zone Key commands:

firewall-cmd –add-service=postgresql
firewall-cmd –add-service=mysql
firewall-cmd –add-service=mssql

Service Verification

Use “firewall-cmd –get-services” to view all configured services
Default services include:
- ssh
- dhcpv6-client
- mdns
- samba/samba-client
- nfs
- ldap/ldaps
- kerberos
- kadmin

GUI Configuration (Firewall Configuration Utility)

Available on FedoraWorkstation
Requires password authentication
Services can be enabled by clicking checkboxes
Available services include:
- MSSQL
- MySQL
- PostgreSQL

Key Features

Pre-configured service information
Dynamic updates
Simpler than traditional Iptables
No rule hierarchy (unlike Iptables where top rule wins)
Flexible configuration via both CLI and GUI
Interface-to-zone mapping determines service availability

Allowing FTP and SFTP Servers

File Sharing Technologies:

NFS and Samba are secure file sharing options
Samba: Strong authentication and secure transmission
NFS: Can be Kerberized for security

FTP Considerations:

FTP servers should be placed in DMZ (demilitarized zone)
Limited exposure to secure servers/workstations
Not recommended for secure environments
Should be isolated from other secure systems

SFTP:

Subset of SSH protocol
More secure alternative to FTP
Requires enabling SSH, not SFTP specifically
SSH typically pre-activated on Fedora Server

TFTP (Trivial File Transfer Protocol):

Not secure
Available as both server and client versions
Like FTP, should be isolated

Implementation Steps:

Adding services:
- Use command to add FTP
- SSH usually pre-installed
- Add TFTP and TFTP-client separately
GUI Configuration:
- Access firewall configuration
- Enable FTP service
- Ensure SSH is active for SFTP
- Enable TFTP and TFTP-client if needed

Security Best Practices:

FTP servers should run in isolation
Avoid running other services on FTP servers
Place FTP servers in DMZ
Consider SFTP as a secure alternative
Limit network exposure of FTP services

VM Port Forwarding in Oracle VirtualBox

Key Points:

Purpose: Troubleshooting connectivity issues when testing services in VMs with firewalls
VirtualBox Network Settings:
- Access through Settings → Network → Adapter 1
- NAT connection: Virtual network connected to actual network
Port Forwarding Configuration:
- Located in Network settings under NAT
- Required for passing traffic through firewall
- Must create corresponding rules for each service
Rule Components:
- Name: Based on service (e.g., SMTP)
- Protocol: Specify type (e.g., TCP)
- Host Port: Service port number (e.g., 25 for SMTP)
- Guest Port: Usually same as host port
- Host IP: Local machine’s IP address
- Guest IP: Virtual machine’s IP address
Implementation:
- Configure rules for each enabled service
- Enables testing from other computers on local network
- Facilitates traffic flow between host and virtual machine

Note: This configuration is specific to Oracle VirtualBox; other VM software will have different procedures.

ShieldsUP! Panic Mode in Firewalld

Purpose:

Emergency response to system attacks
Alternative when physical access (pulling Ethernet cable) isn’t possible
Completely stops all network traffic

When to Use:

During confirmed network attacks
When immediate investigation time is needed
For systems in data centers or virtualized environments

Commands:

Enable Panic Mode:
- firewall-cmd –panic-on (Note: Command syntax changed after version 0.3.0)
Disable Panic Mode:
- firewall-cmd –panic-off
Check Panic Mode Status:
- firewall-cmd –query-panic
- Returns “yes” if active, “no” if inactive

Effects:

Blocks all network access
Stops all incoming/outgoing traffic
Prevents unauthorized data transfer
Gives admin time to investigate and fix security issues

Usage Process:

Enable panic mode when attack detected
Investigate security issues
Fix compromised services/ports/rules
Disable panic mode once resolved

SELinux Fundamentals

Installing SELinux Utils

System Requirements:

Running on Fedora 25 (server or workstation)
SELinux comes pre-installed by default
Some components may be missing in minimal install

Default SELinux Configuration:

Runs in enforcing mode
Uses targeted policy
Operates as security extensions to kernel and system

Checking SELinux Installation:

Command to check: sudo rpm -qa | grep selinux
Look for components like:
- SELinux policy targeted
- Libselinux python
- Libselinux

Required Additional Packages:

setroubleshoot-server
- Includes sealert utility
- Used for troubleshooting denials
- Install command: dnf install setroubleshoot-server
policycoreutils-python
- Install command: dnf install policycoreutils-python
policycoreutils-gui
- Install command: dnf install policycoreutils-gui

Compatible Linux Distributions:

Fedora 25 (recommended for exact course experience)
Gen 2 Linux
RHEL 7
CentOS 7 or later

Final Steps:

Reboot system after installation (recommended)
Alternative: reload services manually

Note: Different Linux distributions may have varying default utilities, but all mentioned distributions come with SELinux pre-installed.

Discretionary vs. Mandatory Access Controls

SELinux Default Behavior

Comes default with Fedora 25 in enforcing mode
Often unnoticed by users as it allows expected conventional actions
Only blocks unusual/unexpected activities

Discretionary Access Controls (DAC)

Traditional file permissions system
Components:
- Owner permissions (rwx)
- Group permissions (r-x)
- Others permissions (r-x)
Limitations:
- Can be changed by root users
- Vulnerable to admin access compromise
- Less secure due to modifiable permissions

Mandatory Access Controls (MAC)

Provided by SELinux
Key features:
- Cannot be changed even by root if policy prevents it
- Organization-provided controls
- More secure than DAC
- Prevents compromise even with physical access

SELinux Labels Example

Viewed using ’ls -FlaZ’ command
Format: system_u:object_r:httpd_modules_t
Components:
- Subject (user)
- Object (resource)
- Service type
Functionality:
- Restricts file access based on process context
- Blocks unauthorized access even with root privileges
- Works alongside DAC permissions

Security Implementation

DAC permissions must be satisfied first
SELinux provides additional security layer
Processes must have correct context to access files
Helps prevent system compromise even if root access is obtained

SELinux Contexts

SELinux Contexts & Labeling:

SELinux manages file system and network ports by examining types labeled on processes, files, and folders
Uses policy to determine allowed operations based on these labels

Context Labels Format:

Format: user_u:role_r:type_t:level(optional)
Components:
- u = user
- r = role
- t = type (most important for enforcement)

Viewing Context Labels:

Use -Z flag with common commands:
- ls -Z: Shows file/directory labels
- ps -Z: Shows process labels
- netstat -Z: Shows network port labels
- Also works with id, cp, etc.

Port Management:

semanage port -l: Shows all ports and associated services in SELinux policy
Services can only use ports defined in policy
Example: http_port_t allows ports 80, 81, 443, 488, 8008, 8009, 8443, 9000

Context Inheritance & Modification:

Files normally inherit context from parent directory
cp maintains proper context inheritance
mv does not inherit context automatically
Tools for context modification:
- chcon: Change context on individual files
- restorecon: Restore default context for entire folder

Key Points:

Type enforcement is primary mechanism for SELinux security
Non-standard ports require Boolean modifications
Default targeted policy comes pre-configured
Context labels critical for proper operation

Installing SELinux Man Pages

Initial Setup

Fedora 25 comes with SELinux but may need additional documentation
Man pages provide comprehensive documentation
Need to install SELinux developer tools first

Installation Process

Login as root using ‘sudo -s’
Install policycoreutils-devel using command: dnf install policycoreutils-devel
Use sepolicy-manpage tool to generate man pages

Man Page Generation

Command: sepolicy manpage -a
Need to specify location for man pages
Default man page hierarchy located in /usr/share/man
Use command: sepolicy manpage -a -p /usr/share/man/man9

Post-Installation Steps

Run ‘mandb’ command to update manual database
Use ‘man -k SELinux’ to search for SELinux-related man pages
Alternative: use ‘apropo’ command for searching

Important Notes

Can target specific domains for documentation
Option to generate all available man pages for every SELinux domain
For boolean values:
- Use -P option for permanent changes
- Without -P, only current boolean value is affected
- Boot-time default settings require -P option

Documentation Access

Multiple man pages available for different SELinux components
Examples include: chcat, booleans, setseboolean
Provides detailed information about various SELinux services and functions

Understanding Booleans in SELinux

Introduction to Booleans

Booleans in SELinux are settings that can be turned on/off
Used when default policy settings need modification
Alternative to rewriting entire policies
Originally developed by NSA for government systems security

Viewing Booleans

Command: getsebool -a (shows all booleans)
Must be run as root
Displays comprehensive list of boolean settings
Includes settings for various services (cron, cups, FTPD, httpd, etc.)

Example: Apache (httpd) Booleans

httpd_can_connect_ftp: controls Apache’s ability to connect to FTP
Default setting is usually “off” for security
Can be modified based on specific needs

Modifying Boolean Settings

Command: setsebool [boolean_name] [1/0]
- 1 = on
- 0 = off
Changes are temporary by default (reset after system restart)

Making Boolean Changes Permanent

Command: setsebool -P [boolean_name] [1/0]
-P flag makes the change persistent across reboots
Recommended to test temporary changes before making permanent

Best Practices

Test changes without -P flag first
Verify settings work as expected
Use -P flag only after confirming functionality
Reboot system to ensure changes take effect properly

4. Working with SELinux

SELinux Configuration

Location:

Config file path: /etc/selinux/config

Default Settings:

Mode: Enforcing
Type: Targeted
Comes pre-configured out of the box

SELinux Modes:

Enforcing

Default mode
Full security policy enforcement
Recommended for production

Permissive

Allows all actions but logs warnings
Useful for troubleshooting
Shows what would be blocked in enforcing mode
Good for initial server setup with nonstandard settings

Disabled (Not Recommended)

No SELinux policy loaded
Creates files without security contexts
Requires complete system relabel when re-enabled
Can break type enforcement
Makes troubleshooting harder

SELinux Types:

Targeted (Default)

Protects all targeted processes

Minimum

Modified targeted policy
Protects selected processes only

MLS (Multi Level Security)

Used primarily by government agencies
Not recommended for general use

Best Practices:

Keep SELinux enabled (enforcing mode)
Use permissive mode temporarily for troubleshooting
Stick with targeted type
Use log reading for troubleshooting
Fix security context issues rather than disabling SELinux

Graphical Management Tools for SELinux

Setup Requirements:

Demonstrated on Fedora 25 Workstation (cloned VM)
Required installations:
- setroubleshoot-server
- policycoreutils-python
- policycoreutils-gui

Main Tool: system-config-selinux

Graphical interface for SELinux management
Shows system settings:
- Default enforcing mode
- Current enforcing mode
- Target policy type

Key Features:

Boolean Management

Displays enabled/active booleans
Shows changed settings

File Labeling

Shows SELinux file types
File specifications
File type information

User Management

SELinux user mappings
Links between system login names and SELinux users
Automatic SELinux user creation for new standard users

Network Configuration

Lists network ports
Port policy assignments

Additional Components

Policy module management
Process domain listings

Benefits:

User-friendly interface
Easier navigation compared to command line
Particularly helpful for new administrators
Provides comprehensive view of SELinux settings
Similar interface to firewall-d application

Note: This graphical tool provides same functionality as command line but in a more accessible format for those new to SELinux administration.

Changing SELinux Context Labels

Key Points:

SELinux works smoothly with standard configurations (e.g., web pages in /var/www/html)
Custom configurations require manual context label adjustments

Standard Web Directory Context:

Location: /var/www/html
Default type for web files: httpd_sys_content_t
Files inherit correct context labels automatically

Custom Directory Issues:

Creating non-standard directories (e.g., /web) results in default_t context
Files inherit incorrect context (default_t) making them inaccessible to Apache

Solution Steps:

Using semanage to fix context:
- Method 1: semanage fcontext -a -t httpd_sys_content_t “/web(/.*)?”
- Method 2 (easier): semanage fcontext -a -e /var/www/html /web
Applying Changes:
- Must use restorecon to implement context changes
- Command: restorecon -vR /web
- The -v flag shows verbose output
- The -R flag applies changes recursively

Important Notes:

Changes won’t take effect until restorecon is run
Context inheritance follows directory structure
Semanage command modifies SELinux policy
Restorecon applies the policy changes to files/directories

Changing Ports on Services in SELinux

Port Configuration Basics:

Services can only run on policy-configured port numbers
Changing ports without policy modification causes service startup failure
SELinux blocks unauthorized port changes

Viewing Allowed Ports:

Use semanage utility as root user
Command: semanage port -l | grep http_port_t
Shows allowed ports for HTTP (e.g., tcp 80, 81, 443, 488, 8008, 8009)

Adding New Ports:

Command syntax: semanage port -a -t http_port_t -p tcp [port_number]
Example: Adding port 82
Must configure httpd.conf file separately (Apache administration)
Verify addition using semanage port -l command

Troubleshooting:

Check for other blocking factors (network firewalls)
Can switch SELinux to permissive mode for testing
Permissive mode allows access but logs potential violations
Messages log shows potential problems and solutions

Removing Ports:

Command syntax: semanage port -d -t http_port_t -p tcp [port_number]
Example: Removing port 82
Verify removal using list command

Command Flags:

-l: list ports
-a: add port
-d: delete port
-t: specify type
-p: specify protocol

Best Practices:

Remove non-standard ports when no longer needed
Verify changes after adding or removing ports
Consider security implications of port changes

Copying Files and SELinux Context

Basic Differences between Copy and Move:

Copy (cp): Creates a duplicate file while keeping original
Move (mv): Creates duplicate file and deletes original

SELinux Context Behavior in Copy Operations:

Default: Context of duplicate based on default labeling rules
Context not inherited from original file unless specific flags used
Files in home directories labeled with user_home_t type

Practical Example: a) Initial Setup:

Created file musings.txt in home directory
Default context: user_home_t

b) Basic Copy to /etc:

Without flags: File gets etc_t type label
Follows default SELinux policy for destination directory

Preserving Original Context:

Use flag: –preserve=context
Command: cp –preserve=context source destination
Maintains original context label in new location

Key Commands Demonstrated:

ls -Z: View SELinux context
cp: Basic copy
cp –preserve=context: Copy with context preservation
rm: Remove file

Important Points:

Context preservation requires specific flags
Default behavior applies destination directory’s context
Root privileges needed for certain operations
SELinux policy determines default context labels

Practical Applications:

Important for system administrators
Useful for file server management
Helps maintain security context when needed

Moving Files in SELinux Context

File Movement Behavior:

Files and directories maintain their current SELinux context when moved
This differs from copy operations where context changes based on destination

Demonstration:

Initial Setup:

Created new file “movings.txt” in home directory
File had user_home_t type label

Moving Operation:

Moved file from home to /etc directory using sudo
Command used: mv movings /etc
Result: File retained original user_home_t context
This retention of original context is default behavior for move operations

Fixing Context After Move:

Used restorecon command to reset proper context
Command syntax: restorecon -Rv /etc
Flags used:
- -R: Recursive
- -v: Verbose output
restorecon reset context to appropriate etc_t type

Key Points:

No direct command to make mv preserve destination context like cp does
restorecon is recommended solution for fixing contexts after moves
restorecon resets everything to match loaded SELinux policy
This ensures proper security context in new location

Note: This behavior was demonstrated on Fedora Server 25

5. SELinux Troubleshooting

Sepolicy utility

Purpose and Features:

Suite of tools to query installed SELinux policy
Generates transition reports, man pages, and policy modules
Helps users better understand SELinux policy

Requirements:

Provided by policycoreutils-devel package

Key Arguments/Commands:

Booleans: Lists modifiable policy behaviors
Communicate: Checks communication between SE domains
Generate: Creates SELinux policy templates
GUI: Sets up SELinux graphical user interface/policy reader
Interface: Shows all SELinux Policy interfaces
Manpage: Generates man pages
Network: Looks up network information
Transition: Creates transition reports

Finding Domain Names:

Can be listed using error message
Method: Use command “sepolicy network -d” with random letters
System will display ValueError with complete list of valid domains
Domain list useful for communicate command

Documentation Improvements:

SELinux now better documented
Enhanced error reporting
Provides helpful hints and tips
Makes administration more accessible
Helps understand various components needed for system administration

Note: The utility has become more user-friendly through improved documentation and error messages, making SELinux administration more manageable despite its complexity.

Finding SELinux Logs

Location of Logs:

Main logs are in /var/log directory
Two important log files:
1. /var/log/audit/audit.log
2. /var/log/messages

Audit.log:

Contains SELinux audit trail for security
Records authentications and system activities
Useful for tracking system access and operations
Requires root access to view

Messages Log:

More detailed than audit.log
Provides specific error information
Includes instructions for fixing SELinux issues
Shows:
- Error descriptions
- Module creation instructions
- Specific fix recommendations
- Permissive mode violations

Best Practices:

Use permissive mode to generate logs for troubleshooting
Switch from enforcing to permissive mode to diagnose issues
Review messages log for specific fix instructions
Particularly useful when:
- Setting up web servers
- Configuring file permissions
- Modifying SELinux types
- Troubleshooting service access issues

Access:

Root access required (use sudo -s)
View logs using cat command
Regular monitoring recommended for security maintenance

Making Domains Permissive

SELinux Permissive Mode Basics:

Doesn’t deny access but logs potential denials
Can make individual processes permissive instead of entire system
Useful for troubleshooting specific issues

Domain Permissive Settings:

Can mark specific domains as permissive in new policy modules
Only exposes specific processes, not entire system
Uses semanage command for configuration

Commands for Managing Permissive Domains: a) Making a domain permissive:

Command: semanage permissive -a domain_name
Example: semanage permissive -a httpd_t

b) Viewing permissive domains:

Command: semodule -l | grep permissive
Shows list of currently permissive domains

c) Removing permissive status:

Command: semanage permissive -d domain_name
Example: semanage permissive -d httpd_t

Key Benefits:

Allows focused troubleshooting
Maintains security for rest of system
More precise than making entire system permissive
Temporary solution for specific issues

Command Flags:

-a: Add permissive status
-d: Delete permissive status
-l: List domains

Note: All commands require root privileges (sudo -s)

Disabling and Re-enabling SELinux

Important Considerations:

Don’t disable SELinux unless server downtime is acceptable
Process requires multiple restarts
When disabled: policy not loaded, not enforced, no logging
When re-enabling: starts in permissive mode first, not enforcing

Disabling Process:

Edit /etc/selinux/config file
Change SELINUX=enforcing to SELINUX=disabled
Reboot system
Verify with getenforce command (should show “disabled”)

Effects of Disabled SELinux:

New files/directories created won’t get SELinux context labels
Existing files retain their labels
No security context enforcement

Re-enabling Process:

Change config file from disabled to permissive mode first
Reboot system

System automatically rebuilds security contexts
Modern versions (Fedora 25+) do this automatically
Older systems may require manual intervention

Verify with getenforce (should show “permissive”)

Final Steps:

Monitor for denied actions using journalctl | grep “SELinux is preventing”
Change from permissive to enforcing mode
Edit config file: SELINUX=enforcing
Final reboot
Verify with getenforce (should show “enforcing”)

Best Practices:

Avoid keeping system in disabled state
Use individual domain permissive mode for troubleshooting
Keep system in enforcing mode for normal operation
Consider hardware capabilities when re-enabling (may take longer on older systems)

Chirag Bharambe

Linux - Firewalls & SELinux

1. Firewall Basics on Linux

Iptables and Firewalld

Installing and Configuring Firewalld

Firewalld Zones

Understanding Firewalld Services

Zones in Firewalld

Configuring Firewalld for Local Protection

Firewall-cmd Configuration Preparation

Setting Up Apache Web Server Firewall Access

Configuring Firewall for Mail Server Services

Allowing XMPP Server on Firewall

Allowing SMB Server Through Firewall

Allowing NFS Server Access in Firewall

Allowing LDAP Server Access

PostgreSQL Server Configuration in Firewall

Allowing FTP and SFTP Servers

VM Port Forwarding in Oracle VirtualBox

ShieldsUP! Panic Mode in Firewalld

SELinux Fundamentals

Installing SELinux Utils

Discretionary vs. Mandatory Access Controls

SELinux Contexts

Installing SELinux Man Pages

Understanding Booleans in SELinux

4. Working with SELinux

SELinux Configuration

Graphical Management Tools for SELinux

Changing SELinux Context Labels

Changing Ports on Services in SELinux

Copying Files and SELinux Context

Moving Files in SELinux Context

5. SELinux Troubleshooting

Sepolicy utility

Finding SELinux Logs

Making Domains Permissive

Disabling and Re-enabling SELinux

Categories

Tags