SELinux adds an extra layer of security to the resources in the system. It provides mandatory access control (MAC), as opposed to discretionary access control (DAC). Before we dive into setting the SELinux modes, let us see what the different SELinux modes of operation are and how they work. SELinux can operate in any of three modes:
1. Enforcing: actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive: actions contrary to the policy are only logged in the audit log; nothing is blocked.
3. Disabled: SELinux is disabled entirely.
SELinux configuration file /etc/selinux/config:
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Toggling SELinux modes (Temporarily)
To switch between the SELinux modes temporarily, use the setenforce command as shown below:
# setenforce [ Enforcing | Permissive | 1 | 0 ]
0 –> Permissive
1 –> Enforcing
Verify the current mode of SELinux:
# getenforce
Enforcing
Alternatively, use the sestatus command to get a detailed status:
# sestatus
SELinux status:            enabled
SELinuxfs mount:           /selinux      --> virtual FS similar to /proc
Current mode:              enforcing     --> current mode of operation
Mode from config file:     permissive    --> mode set in the /etc/sysconfig/selinux file
Policy version:            24
Policy from config file:   targeted
Toggling SELinux modes (Permanently) [reboot required]
The SELinux mode can be set permanently using either of the methods below:
1. editing /etc/selinux/config file
2. editing kernel boot options
1. editing /etc/selinux/config file
To set SELinux to permissive, set the SELINUX line in the file /etc/selinux/config to:
# vi /etc/selinux/config
....
SELINUX=permissive
...
Similarly, the mode can be set to enforcing or disabled by changing the value on the same line.
2. editing kernel boot options
Edit the kernel boot line and append enforcing=0 to the kernel boot options. For example:
title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet enforcing=0
        initrd /initrd-2.6.9-42.ELsmp.img
Reboot the server.
# shutdown -r now
Forcing reboot on changing mode
We can make a change of SELinux mode require a reboot by turning on the secure_mode_policyload boolean:
# setsebool secure_mode_policyload on
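As an added example (not from the original post), the following POSIX shell check compares the mode getenforce reports with the SELINUX= value in /etc/selinux/config, so a host left in permissive mode by a temporary setenforce 0 is noticed. The function names and the constructed config file in the demo are mine; on a live host run selinux_drift "$(getenforce)" /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not part of the original post): report SELinux mode drift,
# i.e. the running mode differing from the mode in /etc/selinux/config.

# Print the SELINUX= value from a config file, lower-cased. Comment lines and
# the SELINUXTYPE= line do not match the pattern, so they are ignored.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# selinux_drift RUNTIME_MODE CONFIG_FILE
# RUNTIME_MODE is what getenforce prints (Enforcing/Permissive/Disabled).
# Prints "ok" (exit 0), "drift: ..." (exit 1) or "config-error" (exit 2).
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_config_mode "$2")
    case $configured in
        enforcing|permissive|disabled) ;;
        *) echo "config-error: SELINUX=$configured"; return 2 ;;
    esac
    if [ "$runtime" = "$configured" ]; then
        echo ok
        return 0
    fi
    echo "drift: running $runtime, configured $configured"
    return 1
}

# Demo on a constructed config file (same layout as the file shown above, but
# with SELINUX=enforcing) for a host whose runtime mode is Permissive.
# Prints: drift: running permissive, configured enforcing
demo_selinux_drift() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    selinux_drift Permissive "$cfg" || true
    rm -f "$cfg"
}
```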
File access control lists (FACLs), or simply ACLs, are lists of additional users/groups and their permissions on a file. Although the default file permissions do their job well, they do not allow you to give permissions to more than one user or one group on the same file.
How to know whether a file has an ACL attached to it
The ls -l command produces output as shown below. Note the + sign at the end of the permissions; it confirms that the file has an ACL attached to it.
# ls -l
-rw-r--r--+ 1 root root 0 Sep 19 14:41 file
To display detailed ACL information for a file, use the getfacl command. If you look carefully, the users sam and john have some extra permissions (the user:john and user:sam lines). The default user/group permissions are specified using “user::permission” and “group::
# getfacl /tmp/test
# file: test
# owner: root
# group: root
user::rw-
user:john:rw-
user:sam:rwx
group::r--
mask::rwx
other::---
In contrast, if you check the ACLs on a file with no ACLs, the additional “user:” lines and the “mask” line are not shown; only the standard file permissions appear:
# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--
Creating and Managing FACLs
The setfacl command is used to set an ACL on the given file. To give user john rw access to the file /tmp/test:
# setfacl -m u:john:rw /tmp/test
The -m option tells setfacl to modify the ACLs on the file(s) named on the command line. Instead of user john, a group can be given a specific permission on the file:
# setfacl -m g:accounts:rw /tmp/test
FACLs for multiple users and groups can also be set with a single command:
# setfacl -m u:john:rw,g:accounts:rwx /tmp/test
By setting a default ACL on a directory, you determine the permissions that will be set for all new items created in that directory. The permissions of existing files and subdirectories remain the same.
To create a default FACL on a directory:
# setfacl -m default:u:john:rw /accounts
Notice the default entries in the getfacl output:
# getfacl accounts/
# file: accounts/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:john:rw-
default:group::r-x
default:mask::rwx
default:other::r-x
To remove an ACL entry, use the setfacl command with the -x option:
# setfacl -x u:john /tmp/test
The above command removes the ACL entry for user john on the file /tmp/test. The ACL entries for other users/groups, if any, remain unaffected. To remove all ACLs associated with a file, use the -b option with setfacl:
# setfacl -b /tmp/test
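As an added example (not from the original post), a POSIX shell/awk filter that pulls the named user: and group: entries (and their default: counterparts) out of getfacl output, which is what an audit of who has been granted extra access on a directory tree needs. The function names and the SAMPLE_ACLS capture are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): list the named ACL entries
# in getfacl output, i.e. the user:NAME: and group:NAME: lines (and their
# default: counterparts) that grant access beyond the owner/group/other bits.
# Reads getfacl text on stdin, so it works on a saved capture as well as on
# live output, e.g.:  getfacl -R -p /srv/accounts | acl_extra_entries

# Print "path<TAB>entry" for every named user/group entry. The owner entry
# user::perm, plus group::, mask:: and other::, have an empty name field and
# are skipped by the [^:]+ requirement.
acl_extra_entries() {
    awk '
        /^# file: / { path = substr($0, 9); next }
        /^(default:)?(user|group):[^:]+:/ { print path "\t" $0 }
    '
}

# Keep only entries whose permission field grants write. The effective
# permission is still capped by the mask:: entry, which is not applied here.
acl_write_grants() {
    acl_extra_entries | awk -F '\t' '
        { n = split($2, f, ":"); if (f[n] ~ /w/) print }
    '
}

# Constructed getfacl capture modelled on the examples above (not real output).
SAMPLE_ACLS='# file: tmp/test
# owner: root
# group: root
user::rw-
user:john:rw-
user:sam:rwx
group::r--
mask::rwx
other::---

# file: accounts
# owner: root
# group: root
user::rwx
group::r-x
group:audit:r-x
other::r-x
default:user::rwx
default:user:john:rw-
default:group::r-x
default:mask::rwx
default:other::r-x
'

# Number of named entries / write grants found in the sample (4 and 3).
count_extra_entries() { printf '%s' "$SAMPLE_ACLS" | acl_extra_entries | wc -l | tr -d ' '; }
count_write_grants()  { printf '%s' "$SAMPLE_ACLS" | acl_write_grants  | wc -l | tr -d ' '; }
```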
Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is:
# chage [options] user_name
– When you run chage with just a user name, it prompts for each value in turn and shows the currently set value as the default.
# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default

        Minimum Password Age :
        Maximum Password Age :
        Last Password Change (YYYY-MM-DD) [2016-08-23]:
        Password Expiration Warning :
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
Password expiration information is stored in the /etc/shadow file.
# grep oracle /etc/shadow
oracle:$6$H28sLVDL$iNvp/AvbMeqqrslH2bfmTxJpE6.mO8UNzlIXGB3sp87jZP9dW1DxeoLf2QXR7hkLkomuXbtgO1zPKUEYRY8YI1:15284:14:30:7:::
As shown above, the oracle user has a minimum password age of 14 and a maximum password age of 30: the user cannot change the password again within 14 days of the last change and must change it within 30 days of the last change. The user is also warned 7 days before the password expiry date.
A number of options are available in the chage command. To list aging information:
# chage -l geek
Last password change                                    : Sep 18, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0:
# chage -d 0 geek
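As an added example (not part of the original post), the following POSIX shell/awk functions audit the aging fields of /etc/shadow records: they flag passwords that never expire (maximum age empty or 99999) or empty password fields, and compute the days left until expiry. The function names and the SAMPLE_SHADOW records (with placeholder hashes) are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the password-aging
# fields of /etc/shadow-style records. Field layout per line (colon-separated):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is in days since 1970-01-01. Records are read on stdin so a saved
# copy can be checked offline:  shadow_aging_audit < /etc/shadow

# Print "user<TAB>reason" for accounts with no usable expiry: an empty hash
# field (no password required) or a maximum age that is empty or 99999 (the
# PASS_MAX_DAYS default, i.e. the password never expires). Locked accounts,
# whose hash starts with ! or *, are skipped since they cannot log in anyway.
shadow_aging_audit() {
    awk -F: '
        $2 == ""                 { print $1 "\tempty password field"; next }
        $2 ~ /^[!*]/             { next }
        $5 == "" || $5 >= 99999  { print $1 "\tno maximum password age" }
    '
}

# Print "user<TAB>days_left" until the password expires, for accounts that
# have a maximum age. TODAY is passed in as days since the epoch so the result
# is reproducible; for live use pass $(( $(date +%s) / 86400 )).
# A negative value means the password has already expired.
shadow_days_left() {
    awk -F: -v today="$1" '
        $3 != "" && $5 != "" && $5 < 99999 { print $1 "\t" ($3 + $5 - today) }
    '
}

# Constructed sample (hash fields are placeholders, not real hashes). The
# oracle line reuses the aging values from the post: min 14, max 30, warn 7.
SAMPLE_SHADOW='oracle:$6$salt$HASHPLACEHOLDER:15284:14:30:7:::
geek:$6$salt$HASHPLACEHOLDER:17062:0:99999:7:::
svc:!!:17062:0:99999:7:::
nopass::17062:0:99999:7:::
'

# Run the audit / expiry calculation on the constructed sample.
audit_sample()     { printf '%s' "$SAMPLE_SHADOW" | shadow_aging_audit; }
days_left_sample() { printf '%s' "$SAMPLE_SHADOW" | shadow_days_left "$1"; }
```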
The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm or to set a different one. To determine the current algorithm:
# authconfig --test | grep hashing
password hashing algorithm is sha512
To change the algorithm, use the --passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option.
# authconfig --passalgo=md5 --update
The /etc/login.defs file provides default user account settings. Default values include:
- Location of user mailboxes
- Password aging controls
- Values for automatic UID selection
- Values for automatic GID selection
- User home directory creation options
- Encryption method used to encrypt passwords
Sample /etc/login.defs file:
# cat /etc/login.defs
.....
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
......
GID_MIN         1000
GID_MAX         60000
.....
UID_MIN         1000
UID_MAX         60000
– Use the groupadd command to add a new group:
# groupadd [options] group_name
– Use the groupmod command to modify an existing group:
# groupmod [options] group_name
– Use groupdel to delete a group. You can remove a group even if there are users in the group, but you cannot remove the primary group of an existing user: you must remove the user before removing the group.
# groupdel group_name
– Use the gpasswd command to administer groups:
# gpasswd [options] group_name
For example, to add user test to group student:
# gpasswd -a test student
The groups command displays the groups a user belongs to. For example, the user oracle shown below belongs to multiple groups, which the groups command lists:
# groups oracle
oracle : oinstall dba asm asmdba oper
# grep oracle /etc/group
oinstall:x:5004:oracle
dba:x:5005:oracle
asm:x:5006:oracle
asmdba:x:5007:oracle
oper:x:5008:oracle
The newgrp command starts a new shell and changes the user’s real group. For example,
Before executing the newgrp command:
$ id
uid=5004(oracle) gid=5004(oinstall) groups=5004(oinstall),5005(dba) ...
$ ps
   PID TTY          TIME CMD
106591 pts/0    00:00:00 bash
106672 pts/0    00:00:00 ps
After executing the newgrp command:
$ newgrp dba
Note that the gid for the user has changed to that of the dba group:
$ id
uid=5004(oracle) gid=5005(dba) groups=5005(dba),5004(oinstall) ...
Also note that a new shell has been started:
$ ps
   PID TTY          TIME CMD
106591 pts/0    00:00:00 bash
106231 pts/0    00:00:00 bash
106672 pts/0    00:00:00 ps
Adding a user account
Use the useradd command to add a new user:
# useradd [options] [username]
The default settings for new users can be viewed and modified using the -D option:
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
For example, to change the default shell for new users to /bin/ksh:
# useradd -D -s /bin/ksh
To simply add a user with all default options:
# useradd user01
To add a user with uid 1099, the comment “new user” and /bin/ksh as the shell:
# useradd -u 1099 -c "new user" -s /bin/ksh user01
Check the new user’s entry in the /etc/passwd file:
# grep user01 /etc/passwd
user01:x:1099:1099:new user:/home/user01:/bin/ksh
To modify an existing user (e.g. changing the comment):
# usermod -c "modified user" user01
To assign a password to the new user:
# passwd user01
Changing password for user user01.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
View the user’s /etc/shadow entry:
# grep user01 /etc/shadow
user01:$6$dox84xyJ$89DdMcxSlI9OHxUCyY1ryaFsmG6MSEwbmSbZXJoFY.tHgdEEeQQgQjDV0dD8jEiHusrUjj3p8gtMTKR4sXXN5.:17058:0:45:7:::
To delete the user :
# userdel user01
You can create a user with the nologin shell for running services such as SMTP, FTP, etc. A user without a login shell cannot log in to the system and therefore cannot run any command on it interactively. Processes can still run as that user, however.
To add a new user “test” with the nologin shell:
# useradd -s /sbin/nologin test
Make sure the nologin shell is listed in the /etc/shells file:
# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
RHEL 7 has three command-line utilities to configure the system date and time: date, hwclock and timedatectl.
Use the date command to display or set the system date and time. Run the date command with no arguments to display the current date and time:
# date
Mon Sep 12 19:41:40 IST 2016
The date command provides a variety of output formatting options. You can also display a date and time in the future or the past. A few examples are given below.
1. Display the day of the week:
# date +%A
Monday
2. Display the date one year from now:
# date -d "1 year"
Mon Sep 12 19:47:49 IST 2017
3. Display the date one month ago:
# date -d "1 month ago"
Mon Aug 12 19:49:07 IST 2016
Use the following syntax to change the current date. Replace YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month.
# date +%D -s [YYYY-MM-DD]
Use the following syntax to change the current time. Replace HH with a two-digit hour, MM with a two-digit minute, and SS with a two-digit second. Include either AM or PM. Include the -u option if your system clock is set to use UTC.
# date +%T%p -s [HH:MM:SS]AM|PM -u
Use the hwclock command to query and set the hardware clock, also known as the RTC (real-time clock). This clock runs independently of any control program running in the CPU and even when the machine is powered off. The hwclock command allows you to:
- Display the current time
- Set the hardware clock to a specified time
- Set the system time from the hardware clock (hwclock -s)
- Set the hardware clock to the current system time (hwclock -w)
– The timedatectl utility is part of the systemd system and service manager.
– To display local, universal, and RTC time and time zone, NTP configuration, and DST information:
# timedatectl
      Local time: Tue 2016-09-13 20:30:26 IST
  Universal time: Tue 2016-09-13 15:00:26 UTC
        RTC time: Tue 2016-09-13 15:00:26
       Time zone: Asia/Kolkata (IST, +0530)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
– Use the following syntax to change the date and time:
# timedatectl set-time [YYYY-MM-DD]
# timedatectl set-time [HH:MM:SS]
– Use the following syntax to change the time zone:
# timedatectl set-timezone [time_zone]
– To list available time zones:
# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
– To enable clock synchronization over NTP:
# timedatectl set-ntp yes
NTP provides a method of verifying and correcting your computer’s time by synchronizing it with another system.
To install NTP :
# yum install ntp
By default, there are four public server entries in the NTP configuration file, /etc/ntp.conf, specified by the server directive.
# grep server /etc/ntp.conf
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
server 3.rhel.pool.ntp.org
Instead of using a predefined public server, you can specify a local reference server in the /etc/ntp.conf file. For example:
# vi /etc/ntp.conf
server 192.0.2.1
Another directive in the configuration file is driftfile. The drift file contains one value, which is used to adjust the system clock frequency after every system or service start.
The ntpd program is the user space daemon that synchronizes the system clock with remote NTP time servers or local reference clocks. The daemon reads the configuration file at system start or when the service is restarted. You also need to open UDP port 123 in the firewall for NTP packets. After editing the /etc/ntp.conf file, use the systemctl command to start the NTP daemon:
# systemctl start ntpd
Use the following command to ensure the NTP daemon starts at boot time:
# systemctl enable ntpd
Other NTP utilities
Use the ntpq command to query NTP daemon operations and to determine performance. Use the -p option (or the peers command) to display a list of peers known to the server along with a summary of their state. For example:
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.0.2       192.168.2.11     2 u  911 1024  377    1.274    0.147   0.355
+10.10.0.3       192.168.2.11     2 u 1026 1024  377    1.161    0.073   0.852
The * indicates that your system is synchronized with the 10.10.0.2 server. Use the ntpstat command to show the network time synchronization status.
# ntpstat
synchronised to NTP server (10.10.0.2) at stratum 3
   time correct to within 31 ms
   polling server every 1024 s
Configuring NTP using chrony
Chrony is a suite of utilities that provides another implementation of NTP. Chrony is designed for mobile systems and virtual machines that are often powered down or disconnected from the network. Systems that are not permanently connected to a network take a relatively long time to adjust their system clocks with the NTP daemon, ntpd.
Chrony consists of chronyd, a daemon that runs in user space, and chronyc, a command-line program for making adjustments to chronyd. The chronyd daemon adjusts the system clock running in the kernel. It uses NTP to synchronize with another system when network access is available; when network access is not available, chronyd uses the last calculated drift stored in the drift file to keep the system time adjusted.
For more information on chrony (installation, configuration, troubleshooting), refer to the post below:
CentOS / RHEL 7 : Tips on Troubleshooting NTP / chrony Issues
– Linux can run tasks automatically, and comes with automated tasks utilities: cron, anacron, at, batch.
– cron jobs can run as often as every minute.
– A scheduled cron job is skipped if the system is down.
– anacron can run a job only once a day.
– Scheduled jobs are remembered and run the next time that the system is up.
– The crond daemon searches multiple files and directories for scheduled jobs:
1. /var/spool/cron/
2. /etc/anacrontab
3. /etc/cron.d
Configuring cron jobs
cron jobs are defined in /etc/crontab.
The crontab entries are of the form:
Minutes Hours Date Month Day-of-Week command
where:
- Minutes = 0 to 59
- Hours = 0 to 23
- Date = 1 to 31
- Month = 1 to 12
- Day-of-Week = 0 to 6 (0 = Sunday, 6 = Saturday)
- command = a script file or a shell command
Other special characters can be used:
- An asterisk (*) can be used to specify all valid values.
- A hyphen (-) between integers specifies a range of integers.
- A list of values separated by commas (,) specifies a list.
- A forward slash (/) can be used to specify step values.
Other cron Directories and Files
– /etc/cron.d contains files with the same syntax as /etc/crontab; it is accessible with root privileges only.
– Other cron directories in /etc:
cron.hourly
cron.daily
cron.weekly
cron.monthly
– Scripts in these directories run hourly, daily, weekly or monthly, depending on the name of the directory.
– The /etc/cron.allow and /etc/cron.deny files restrict user access to cron. If neither file exists, only root can use cron.
– Users other than root can also configure cron using the crontab utility.
– User-defined crontabs are stored in /var/spool/cron/[username].
– To create or edit a crontab entry :
# crontab -e
– To list the entries in the user defined crontab :
# crontab -l
Configuring anacron jobs
– anacron jobs are defined in /etc/anacrontab.
– Jobs are defined by:
- period in days: frequency of execution in days
- delay in minutes: minutes to wait before executing the job
- job-identifier: a unique name used in log files
- command: a shell script or command to execute
Example anacrontab file:
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22

#period in days   delay in minutes   job-identifier   command
1         5     cron.daily      nice run-parts /etc/cron.daily
7         25    cron.weekly     nice run-parts /etc/cron.weekly
@monthly  45    cron.monthly    nice run-parts /etc/cron.monthly
at and batch
– The at and batch utilities are used for scheduling one-time tasks.
– The at command executes a task at a specific time.
– The batch command executes a task when the system load average drops below 0.8.
– The atd service must be running for at or batch jobs to run.
– at command syntax:
# at time
– The time argument accepts multiple formats:
HH:MM
MMDDYY, MM/DD/YY or MM.DD.YY
month-name day year
midnight (12:00 AM)
teatime (4:00 PM)
now + time -- here time can be minutes, hours, days or weeks
– batch command syntax:
# batch
(the at> prompt is displayed)
– The /etc/at.allow and /etc/at.deny files restrict user access to at. If neither file exists, only root can use at.
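The allow/deny rule stated for cron above and for at here, as an added example (not from the original post): a POSIX shell function that decides access from BASE.allow / BASE.deny. It assumes the usual precedence (an allow file is consulted first, otherwise the deny file; check your system's crontab(1) and at(1) man pages), and the constructed directory used by the demo function is mine.

```shell
#!/bin/sh
# Added example (not part of the original post): decide whether a user may
# submit cron or at jobs from the allow/deny files described above.
# Rule applied (the usual crontab(1)/at(1) precedence, stated here as an
# assumption to verify against your system's man pages):
#   BASE.allow exists      -> only the users listed in it are allowed
#   else BASE.deny exists  -> everyone except the users listed in it
#   else                   -> only root (as the post states)
# The /etc directory is a parameter so the check can run on a copied tree.

# scheduler_access USER BASE [ETCDIR]   BASE is "cron" or "at"; prints allow|deny
scheduler_access() {
    user=$1 base=$2 etc=${3:-/etc}
    if [ -f "$etc/$base.allow" ]; then
        if grep -qxF "$user" "$etc/$base.allow"; then echo allow; else echo deny; fi
    elif [ -f "$etc/$base.deny" ]; then
        if grep -qxF "$user" "$etc/$base.deny"; then echo deny; else echo allow; fi
    elif [ "$user" = root ]; then
        echo allow
    else
        echo deny
    fi
}

# Demo on a constructed tree: cron.allow lists only alice, at.deny lists only
# bob, and there is no cron.deny or at.allow. Prints the four decisions:
# "allow deny deny allow".
demo_scheduler_access() {
    tmp=$(mktemp -d)
    printf 'alice\n' > "$tmp/cron.allow"
    printf 'bob\n'   > "$tmp/at.deny"
    r1=$(scheduler_access alice cron "$tmp")   # allow: listed in cron.allow
    r2=$(scheduler_access bob   cron "$tmp")   # deny:  cron.allow exists, bob not in it
    r3=$(scheduler_access bob   at   "$tmp")   # deny:  listed in at.deny
    r4=$(scheduler_access carol at   "$tmp")   # allow: at.deny exists, carol not in it
    rm -rf "$tmp"
    echo "$r1 $r2 $r3 $r4"
}
```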
systemd service units
– Previous versions of Oracle Linux use scripts in the /etc/rc.d/init.d directory to control services.
– In Oracle Linux 7, these scripts have been replaced by systemd service units.
– Use the systemctl command to list information about service units.
To list all loaded service units:
# systemctl list-units --type service --all
To see which service units are enabled:
# systemctl list-unit-files --type service
Displaying the Status of Services
– systemd service units correspond to system services.
– To display detailed information about the httpd service:
# systemctl status httpd
– To check whether a service is running (active) or not running (inactive):
# systemctl is-active sshd
active
– To check whether a service is enabled:
# systemctl is-enabled sshd
enabled
Starting and stopping services
| service Utility          | systemctl Utility                          | Description                              |
|--------------------------|--------------------------------------------|------------------------------------------|
| service name start       | systemctl start name                       | Starts a service                         |
| service name stop        | systemctl stop name                        | Stops a service                          |
| service name restart     | systemctl restart name                     | Restarts a service                       |
| service name condrestart | systemctl try-restart name                 | Restarts a service only if it is running |
| service name reload      | systemctl reload name                      | Reloads a configuration                  |
| service name status      | systemctl status name                      | Checks whether a service is running      |
| service --status-all     | systemctl list-units --type service --all  | Displays the status of all services      |
Enabling and disabling services
| chkconfig Utility     | systemctl Utility                                | Description                                            |
|-----------------------|--------------------------------------------------|--------------------------------------------------------|
| chkconfig name on     | systemctl enable name                            | Enables a service                                      |
| chkconfig name off    | systemctl disable name                           | Disables a service                                     |
| chkconfig --list name | systemctl status name, systemctl is-enabled name | Checks whether a service is enabled                    |
| chkconfig --list      | systemctl list-unit-files --type service         | Lists all services and checks whether they are enabled |
As shown in the diagram, soft links (symbolic links) simply point to another file. A soft link contains only the pathname of the file it points to.
1. Creation method
# touch file
# ln -s file link
# ls -l
-rw-r--r-- 1 root root 0 Sep 19 14:41 file
lrwxrwxrwx 1 root root 5 Sep 19 15:41 link -> file
The “l” at the start of the permissions in the “ls -l” output above indicates that the file is a soft link.
2. The size of the soft link created in the example above is the number of characters in the pathname it points to (“file”), which is 5. The pathname can be absolute or relative.
3. If you delete the original file (file), the soft link becomes useless (a dangling link).
4. Soft links can reside on different file systems.
5. You can create soft links to directories as well.
Every file has at least one hard link: creating a file creates a directory entry pointing to its inode, and the number of such entries is the file’s link count. When you create a new hard link to the file, the link count increments by 1.
1. Creation method
# touch file1
# ls -l
-rw-r--r-- 1 root root 0 Sep 23 13:19 file1
# ln file1 file2
# ls -l
-rw-r--r-- 2 root root 0 Sep 23 13:19 file1
-rw-r--r-- 2 root root 0 Sep 23 13:19 file2
# ls -li
1282 -rw-r--r-- 2 root root 0 Sep 23 13:19 file1
1282 -rw-r--r-- 2 root root 0 Sep 23 13:19 file2
# find . -inum 1282
./file1
./file2
2. The link count increases by one every time you create a new hard link to the file, as shown above.
3. Deleting either of the names has no effect on the other; only the link count decrements.
4. Hard links cannot cross file systems.
5. You cannot create hard links to directories.
Three standard file descriptors:
1. stdin (0) - standard input to the program
2. stdout (1) - standard output from the program
3. stderr (2) - standard error output from the program
| Purpose                                    | Syntax                                 |
|--------------------------------------------|----------------------------------------|
| redirect std output to filename            | > filename or 1> filename              |
| append std out to filename                 | >> filename                            |
| append std out and std err to filename     | >> filename 2>&1 or 1>> filename 2>&1  |
| take input from filename                   | < filename or 0< filename              |
| redirect std error to filename             | 2> filename                            |
| redirect std out and std error to filename | 1> filename 2>&1 or > filename 2>&1    |
Some examples of using I/O redirection
# cat goodfile badfile 1> output 2> errors
This command redirects the normal output (contents of goodfile) to the file output and sends any errors (about badfile not existing, for example) to the file errors.
# mail user_id < textfile 2> errors
This command redirects the input for the mail command to come from file textfile and any errors are redirected to the file errors.
# find / -name xyz -print 1> abc 2>&1
This command redirects the normal output to the file abc. The construct “2>&1” says “send error output to the same place we directed normal output”.
# ( grep Bob filex > out ) 2> err
– Any output of the grep command is sent to the file out, and any errors are sent to the file err.
# find . -name xyz -print 2>/dev/null
This runs the find command but sends any error output (due to inaccessible directories, for example) to /dev/null. Use with care, unless the error output really is of no interest.