Topics

  • SELinux contexts
  • File and port labeling
  • SELinux booleans

exercise_01.sh

executable safe: yes
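#!/bin/bash
# @type: executable
# @requires: none
# @safe: yes
set -euo pipefail

# Exercise 1: Write the two commands necessary to check the SELinux context (label)
# for both the running sshd process and the /etc/ssh/sshd_config file.
#
# Task: Display SELinux contexts for process and file.
#
# Read-only: nothing on the system is changed. Contexts are printed as
# user:role:type:level. On a stock targeted policy the daemon typically runs
# in the sshd_t domain and the config file typically carries etc_t, so an
# unexpected type (for example unlabeled_t) is worth investigating.

echo "=== SELinux context for sshd process ==="
# grep exits 1 when nothing matches. With `set -e -o pipefail` that would end
# the script before the file context is shown, so report it and carry on.
if ! ps -eZ | grep sshd; then
  echo "No sshd process found." >&2
fi

echo ""
echo "=== SELinux context for /etc/ssh/sshd_config ==="
ls -Z /etc/ssh/sshd_config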

exercise_02.sh

executable safe: no requires: root
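#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 2: You have created a new directory, /srv/www/, which needs to be served by Apache.
# Write the two commands required to permanently set the context for this directory
# and all its contents to httpd_sys_content_t.
#
# Task: Set SELinux context for Apache web content directory.
#
# httpd_sys_content_t is the read-only content type: httpd may read these files
# but not modify them. Keep it that way unless the application really has to
# write there; writable paths need a separate, narrower rule.

# Add the context rule permanently. `semanage fcontext -a` fails when a rule for
# this path specification already exists, which under `set -e` would stop the
# script before restorecon runs. Fall back to modifying the existing rule so the
# script can be re-run; if both calls fail the script still aborts.
if ! sudo semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"; then
  sudo semanage fcontext -m -t httpd_sys_content_t "/srv/www(/.*)?"
fi

# Apply the context to the directory. The rule above only updates the policy's
# file-context database; restorecon is what relabels the files on disk.
sudo restorecon -Rv /srv/www

echo ""
# Show the resulting label instead of assuming the relabel worked.
ls -dZ /srv/www
echo "SELinux context has been set for /srv/www"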

exercise_03.sh

executable safe: no requires: root
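#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 3: The company wants to run a secondary HTTP server on port 8988.
# Write the command to permanently label TCP port 8988 as a valid http_port_t port.
#
# Task: Add a custom port to SELinux http_port_t type.
#
# Labeling the port only tells SELinux that domains allowed to bind
# http_port_t may bind 8988. It does not open the port in the host firewall
# and it does not start a listener.

# `semanage port -a` fails when tcp/8988 already has a definition, which under
# `set -e` would abort the script. Fall back to -m, which changes the type of
# the existing definition, so the script can be re-run. If both calls fail the
# script still aborts.
if ! sudo semanage port -a -t http_port_t -p tcp 8988; then
  sudo semanage port -m -t http_port_t -p tcp 8988
fi

echo ""
echo "Port 8988 has been added to http_port_t"
echo ""

# -w keeps look-alike types such as pegasus_http_port_t out of the listing.
# A non-match fails the pipeline, which correctly flags a missing label.
sudo semanage port -l | grep -w http_port_t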

exercise_04.sh

executable safe: no requires: root
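#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail

# Exercise 4: Find and enable the SELinux boolean permanently that allows the Apache web server to use NFS.
#
# Task: Enable SELinux boolean for Apache NFS access.
#
# Turning this boolean on widens what the confined httpd domain may access
# (content on NFS mounts). Enable it only when the web content actually lives
# on NFS, and turn it off again when that stops being true.

echo "Searching for NFS-related Apache booleans..."
# The search is informational. grep exits 1 on no match, and with
# `set -e -o pipefail` that would end the script here, so report and continue;
# setsebool below fails on its own if the boolean does not exist.
if ! sudo semanage boolean -l | grep nfs | grep http; then
  echo "No matching boolean found in the listing." >&2
fi

echo ""
echo "Enabling httpd_use_nfs boolean permanently..."
# -P writes the value to the policy store so it survives a reboot; without it
# the change applies to the running system only.
sudo setsebool -P httpd_use_nfs on

echo ""
# Print the live value instead of assuming the change took effect.
getsebool httpd_use_nfs
echo "Boolean has been enabled."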