
m[ask]:perms     Maximum permissions a specific user or a specific group can have on a file or directory. If this is set to rw-, for example, then no specific user or group will have more permissions than read and write.
o[ther]:perms    Permissions assigned to users not in the owning group.

Table 10-6 ACL Rules

The setfacl command provides several switches to use depending on what we want to achieve. Table 10-7 describes some of them.

Switch   Description
-b       Removes all ACL settings.
-d       Applies to the default ACLs.
-k       Removes all default ACL settings.
-m       Sets or modifies ACL settings.
-R       Applies recursively to all files and sub-directories.
-x       Removes an ACL setting.

Table 10-7 setfacl Command Switches
We will use some of these switches shortly.

The Role of the mask Value

The value of mask determines the maximum allowable permissions placed for a specific user or group on a file or directory. If it is set to rw, for instance, no specific user or group will exceed those permissions. The mask value is displayed on a separate line in the getfacl command output. Each time ACLs are modified for a file or directory, the mask is recalculated automatically and applied unless we supply our own desired mask value with the command.

On file1, there are no ACLs currently set as shown below. The -c option instructs the command not to display the header information.

# getfacl -c file1
user::rw-
group::r--
other::r--

If we give read and write permissions to user1 and change the mask to read-only at the same time, the command will allocate the permissions as mentioned; however, the effective permissions for the user will only be read-only.

# setfacl -m u:user1:rw,m:r file1
# getfacl -c file1
user::rw-
user:user1:rw-          #effective:r--
group::r--
mask::r--
other::r--

This means that user1 will not be able to modify this file even though they appear to have the write permission. The actual permissions for user1 include both read and write, but only the read bit is in effect. Now, let's promote the mask value to include the write bit as well, and observe the result:

# setfacl -m m:rw file1
# getfacl -c file1
user::rw-
user:user1:rw-
group::r--
mask::rw-
other::r--

The actual permissions for user1 are now promoted to include the write bit to reflect the new higher mask value.
Exercise 10-13: Determine, Set, and Delete Access ACLs

This exercise should be done on server1.

In this exercise, you will create file1 as user1 in /home/user1 and will check to see if there are any ACL settings on the file. You will check to ensure that the /home file system is mounted with acl support turned on. You will apply ACL settings on the file for user3 and allow them full access. You will observe the change in the mask value. You will add user4 to the ACL settings on the file. You will delete the settings for user3 and then delete all other ACL settings from the file.

1. Log in as user1 and create file1. Run the ll and getfacl commands on the file and see if there are any ACL entries placed on it.

$ pwd
/home/user1
$ touch file1
$ ll file1
-rw-rw-r--. 1 user1 user1 0 Nov 4 21:12 file1
$ getfacl file1
# file: file1
# owner: user1
# group: user1
user::rw-
group::rw-
other::r--

The output indicates an absence of ACL settings on the file. It also shows the owner and owning group names. The owner and group members have read and write permissions and everyone else has the read-only permission.

2. Now, log in as root on a different terminal (or switch into root with the su command) and check the file system type for /home. If it is an extended file system, run mount | grep home to determine if acl support is turned on. If not, issue the following to remount the file system with that support:

# mount -o remount,acl /home

EXAM TIP: Modify the /etc/fstab file and replace "defaults" with "acl" (or add "acl" if other options are listed) in the mount options field for the extended file system where you want ACLs set up.

There is no need to check this for an XFS file system as the acl support is an integral part of it.

3. Allocate read/write/execute permissions to user3 with the setfacl command using the octal notation for permission representation. Run this command as user1.

$ setfacl -m u:user3:7 file1

4. Run the ll command to check if the + sign has appeared by the permission settings and the getfacl command to check the new ACL settings:

$ ll
-rw-rwxr--+ 1 user1 user1 0 Nov 4 21:12 file1
$ getfacl -c file1
user::rw-
user:user3:rwx
group::rw-
mask::rwx
other::r--

A row is added for user3 showing rwx (7) permissions. Another row showing the mask is also added and is set to rwx (7) as well. The mask value determines the maximum permissions assigned to a specific user or group. In this case, the maximum permissions allocated to user3 are rwx and the mask reflects it.
$ setfacl -x u:user3 file1
$ getfacl file1
user::rw-
user:user4:rw-
group::rw-
mask::rw-
other::r--

Notice that the mask value has reduced to read/write, which reflects the current maximum permissions placed on the specific user user4.

7. Delete all the ACL entries set on file1:

$ setfacl -b file1

Confirm after the deletion using the getfacl command.
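The two mask behaviours seen in this exercise (the mask jumping to rwx in step 4 and dropping to rw- in step 6) and in the mask discussion before it, modelled as an added shell example; this is not the book's code, and the ACL lines it works on are constructed to match the book's outputs:

```shell
# Added example, not from the book: a model of the two mask rules the text
# relies on. (1) A named user, named group or owning-group entry is only
# effective up to the mask; (2) without an m: entry, setfacl recalculates the
# mask as the union of those group-class entries (steps 4 and 6 above).
# Pure POSIX shell on constructed getfacl -c style lines; touches no files.
perm_to_num() {                      # "rw-" -> 6
    n=0
    case "$1" in *r*) n=$((n + 4));; esac
    case "$1" in *w*) n=$((n + 2));; esac
    case "$1" in *x*) n=$((n + 1));; esac
    echo "$n"
}
num_to_perm() {                      # 6 -> "rw-"
    p=""
    [ $(($1 & 4)) -ne 0 ] && p="${p}r" || p="${p}-"
    [ $(($1 & 2)) -ne 0 ] && p="${p}w" || p="${p}-"
    [ $(($1 & 1)) -ne 0 ] && p="${p}x" || p="${p}-"
    echo "$p"
}
# Effective permission of an entry under a mask: entry AND mask.
effective_for() { num_to_perm $(( $(perm_to_num "$1") & $(perm_to_num "$2") )); }
# Mask setfacl computes when none is given: OR of the owning group and every
# named user/group entry. user:: and other:: are never part of the mask.
recalc_mask() {                      # ACL lines on stdin
    m=0
    while IFS= read -r line; do
        case "$line" in
            group::*|user:?*:*|group:?*:*) m=$((m | $(perm_to_num "${line##*:}")));;
        esac
    done
    num_to_perm "$m"
}
# Print an ACL the way getfacl does under mask $1, adding "#effective:"
# wherever the mask cuts an entry down. ACL lines on stdin.
apply_mask() {
    while IFS= read -r line; do
        case "$line" in
            group::*|user:?*:*|group:?*:*)
                eff=$(effective_for "${line##*:}" "$1")
                [ "$eff" = "${line##*:}" ] && printf '%s\n' "$line" \
                    || printf '%s\t#effective:%s\n' "$line" "$eff";;
            mask::*) printf 'mask::%s\n' "$1";;
            *) printf '%s\n' "$line";;
        esac
    done
}
# Constructed input: file1 after "setfacl -m u:user1:rw,m:r file1".
ACL='user::rw-
user:user1:rw-
group::r--
mask::r--
other::r--'
printf '%s\n' "$ACL" | apply_mask r--    # user1 carries #effective:r--
printf '%s\n' "$ACL" | apply_mask rw-    # after "setfacl -m m:rw file1": no cut
printf '%s\n' "$ACL" | recalc_mask       # rw-: what an m:-less setfacl would set
# Exercise 10-13: with user3:rwx present the mask is rwx; once user3 is
# removed and only user4:rw- remains, it drops to rw- (step 6).
printf 'user::rw-\nuser:user3:rwx\ngroup::rw-\nother::r--\n' | recalc_mask   # rwx
printf 'user::rw-\nuser:user4:rw-\ngroup::rw-\nother::r--\n' | recalc_mask   # rw-
```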
Default ACLs

Sometimes it is imperative for several users that belong to different groups to be able to share the contents of a common directory. They want permissions set up on this directory in such a way that the files and sub-directories created underneath inherit its permissions. This way the users do not have to adjust permissions on each file and sub-directory they create under the parent directory. Setting default ACLs on a directory fulfills this requirement. The default ACLs can be described as the maximum discretionary permissions that can be allocated on a directory. Table 10-8 describes the syntax for applying default entries with the setfacl command.
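How a default ACL is actually inherited, worked through as an added shell example (not from the book): it models the POSIX ACL creation rule, including the creation-mode step that Exercise 10-14 later observes, on constructed getfacl output for a projects directory:

```shell
# Added example, not from the book: the POSIX ACL inheritance rule behind
# Exercise 10-14. A new object takes the parent's default entries as its access
# ACL; its user::, mask:: and other:: entries are then ANDed with the owner,
# group and other digits of the creation mode (0666 or 0777 minus the umask).
# Pure POSIX shell on constructed getfacl -c lines; touches no files.
perm_to_num() {                      # "rw-" -> 6
    n=0
    case "$1" in *r*) n=$((n + 4));; esac
    case "$1" in *w*) n=$((n + 2));; esac
    case "$1" in *x*) n=$((n + 1));; esac
    echo "$n"
}
num_to_perm() {                      # 6 -> "rw-"
    p=""
    [ $(($1 & 4)) -ne 0 ] && p="${p}r" || p="${p}-"
    [ $(($1 & 2)) -ne 0 ] && p="${p}w" || p="${p}-"
    [ $(($1 & 1)) -ne 0 ] && p="${p}x" || p="${p}-"
    echo "$p"
}
and_perm() { num_to_perm $(( $(perm_to_num "$1") & $(perm_to_num "$2") )); }
# $1 = creation mode as octal digits (664: touch under umask 002; 775: mkdir),
# $2 = file|dir; the parent's getfacl -c output on stdin. Prints the new
# object's ACL, marking entries the mask cuts down just as getfacl does.
# Assumes the default ACL has a mask entry (always true once named entries exist).
inherit_acl() {
    m=$1
    ob=$(num_to_perm "${m#${m%?}}"); m=${m%?}      # last digit: other
    gb=$(num_to_perm "${m#${m%?}}"); m=${m%?}      # middle digit: group
    ub=$(num_to_perm "${m#${m%?}}")                 # first digit: owner
    acl=$(cat)
    mask=$(and_perm "$(printf '%s\n' "$acl" | sed -n 's/^default:mask:://p')" "$gb")
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case "$line" in default:*) e=${line#default:};; *) continue;; esac
        p=${e##*:}
        case "$e" in
            user::*)  printf 'user::%s\n'  "$(and_perm "$p" "$ub")";;
            other::*) printf 'other::%s\n' "$(and_perm "$p" "$ob")";;
            mask::*)  printf 'mask::%s\n'  "$mask";;
            *)  eff=$(and_perm "$p" "$mask")        # owning group and named entries
                [ "$eff" = "$p" ] && printf '%s\n' "$e" \
                    || printf '%s\t#effective:%s\n' "$e" "$eff";;
        esac
    done
    [ "$2" = dir ] && printf '%s\n' "$acl" | grep '^default:'   # dirs inherit the defaults too
    return 0
}
# Constructed input: /home/user4/projects after step 2 of Exercise 10-14.
PROJECTS='user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:user1:rw-
default:user:user3:rw-
default:group::rwx
default:mask::rwx
default:other::r-x'
printf '%s\n' "$PROJECTS" | inherit_acl 664 file   # file1: mask::rw-, group::rwx #effective:rw-
printf '%s\n' "$PROJECTS" | inherit_acl 775 dir    # prj1: all rwx, default: lines copied
```

Running the same input with mode 644 (a plain touch under umask 022) shrinks the mask to r--, which is why the exercise's umask matters for what user1 and user3 can effectively do.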
ACL Entry                Description
d[efault]:u:perms        Default standard Linux permissions for the owner.
d[efault]:u:UID:perms    Default permissions for a specific user (user name or UID).
d[efault]:g:perms        Default standard Linux permissions for the owning group.
d[efault]:g:GID:perms    Default permissions for a specific group (group name or GID).
d[efault]:o:perms        Default permissions for public.
d[efault]:m:perms        Default maximum permissions a user or group can have when they create a file in a directory with default ACLs in place.

Table 10-8 Format for Using Default ACLs

Let's apply the concept in the following exercise for a better understanding.

Exercise 10-14: Set, Confirm, and Delete Default ACLs

This exercise should be done on server1.

In this exercise, you will create a directory /home/user4/projects as user4 and set default ACL entries for user1 and user3 to allow them read and write permissions on this directory. You will create a sub-directory prj1 and a file file1 under projects and observe the effect of default ACLs on them. You will delete all the default entries at the end of the exercise.

1. Log in as user4 and create projects. Run the getfacl command and see what the default permissions are on the directory.

$ pwd
/home/user4
$ mkdir projects
$ getfacl projects
# file: project
# owner: user4
# group: user4
user::rwx
group::rwx
other::r-x

2. Allocate default read and write permissions to user1 and user3 with the setfacl command. Run this command as user4 and use octal notation.

$ setfacl -m d:u:user1:6,d:u:user3:6 projects
$ getfacl -c projects
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:user1:rw-
default:user:user3:rw-
default:group::rwx
default:mask::rwx
default:other::r-x

3. Create a sub-directory prj1 under projects and observe that it has inherited the ACL settings from its parent directory:

$ cd projects ; mkdir prj1
$ getfacl -c prj1
user::rwx
user:user1:rw-
user:user3:rw-
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:user1:rw-
default:user:user3:rw-
default:group::rwx
default:mask::rwx
default:other::r-x

4. Create a file file1 under projects and observe the inheritance of ACLs from the parent directory:

$ touch file1
$ getfacl -c file1
user::rw-
user:user1:rw-
user:user3:rw-
group::rwx              #effective:rw-
mask::rw-
other::r--

The output indicates that the maximum permissions the group members have on the file are read and write, and the execute permission for them is ineffective due to the mask setting.

5. Delete all the default ACL settings from the directory and confirm:

$ setfacl -k project
$ getfacl -c project
user::rwx
group::rwx
other::r-x

Confirm the deletion with the getfacl command.

Chapter Summary

This chapter discussed local and remote file systems,
AutoFS, swap, and ACLs. We reviewed file system concepts and types, and learned
about extended and xfs file systems. We looked at various file system
administration utilities. We studied the concepts around mounting and unmounting
file systems. We examined the UUID associated with file systems and applied labels
to file systems. We analyzed the file system table and added entries to it to
automatically activate file systems at system reboots. We looked at a tool for
reporting file system usage. We learned about file system check utilities for
determining and fixing issues related to unhealthy file systems. We performed a
number of exercises on file system administration and repair to reinforce the
concepts learned. We looked at mounting and unmounting remote file systems on the
client manually, via the fstab file, and using the AutoFS service. We discussed the
concepts, benefits, and components associated with AutoFS. We performed exercises
to fortify our understanding of mounting remote file systems using the three mount
methods. We studied the concepts around swapping and paging, and looked at how they
worked. We performed exercises on creating, activating, viewing, deactivating, and
removing swap spaces, as well as configuring them for auto-activation at system
reboots.
Finally, we covered ACLs
at length. We learned concepts and the purpose of applying extended security attributes on files and directories. We performed exercises to strengthen our understanding.

Chapter Review Questions

1. xfs is the default file system type in RHEL7. True or False?
2. What would the entry "* server10:/home/&" in an AutoFS indirect map imply?
3. What type of information does the blkid command display?
4. What is the process of paging out and paging in known as?
5. What would the command mkswap /dev/vdc2 do?
6. Where does AutoFS automount a DVD?
7. Which two files contain entries for mounted file systems?
8. What would happen if we mount a file system on a directory that already contains files in it?
9. What type of AutoFS map would have the "/- /etc/auto.media" entry in the auto.master file?
10. A UUID is always assigned to a file system at its creation time. True or False?
11. What would the command mount -t cifs -o ro //192.168.0.120/cifs1 /cifs1 do?
12. The difference between the primary and backup superblocks is that the primary superblock includes pointers to the data blocks where the actual file contents are stored whereas the backup superblocks don't. True or False?
13. What would the command setfacl -m d:u:user1:7,d:u:user4:6,d:o:4 dir do?
14. AutoFS requires root privileges to automatically mount a network file system. True or False?
15. What would the command mkfs.ext4 /dev/vgtest/lvoltest do?
16. Arrange the tasks in correct sequence: umount file system, mount file system, create file system, remove file system.
17. The parted utility may be used to create LVM logical volumes. True or False?
18. Which command can we use to create a label for an xfs file system?
19. What is the default timeout value for a file system before AutoFS unmounts it automatically?
20. What would the mount command do with the -a switch?
21. Name the four types of maps that AutoFS supports.
22. What would the command df -t xfs do?
23. What would happen if we try to apply ACL settings to a file that resides in an ACL-deactivated file system?
24. What would the command setfacl -m u::7,g::4,o:4,u:user3:7 file do?
25. What is the difference between the mkfs.ext4 and mke2fs commands?
26. What two commands can be used to determine the total and used physical memory and swap in the system?
27. Which virtual file contains information about the current swap?
28. The /etc/fstab file can be used to activate swap spaces automatically at system reboots. True or False?
29. The xfs_repair command must be run on a mounted file system. True or False?
30. What is the name of the AutoFS configuration file and where is it located?
31. The name of the AutoFS daemon is automountd. True or False?
32. What are the commands to activate and deactivate swap spaces manually? Write two commands.

Answers to Chapter Review Questions

1. True.
2. This indirect map entry would mount individual user home directories from server10.
3. The blkid command displays block device file attributes.
4. The process of paging out and in is known as demand paging.
5. The command provided will create swap structures in the /dev/vdc2 partition.
6. AutoFS mounts a DVD under /misc.
7. The /etc/mtab and the /proc/mounts files.
8. The files in the directory will hide.
9. A direct map.
10. True.
21. The AutoFS service supports master, special, direct, and indirect maps.
22. The command provided will display all mounted file systems of type xfs.
23. The attempt to apply ACLs to a file located in an ACL-deactivated file system is not allowed.
24. The command provided will assign rwx permissions to file owner and user3, and read-only permission to everyone else.
25. No difference.
26. The free and vmstat commands.
27. The /proc/swaps file contains information about the current swap.
28. True.
29. False.
30. The name of the AutoFS configuration file is autofs and it is located in the /etc/sysconfig directory.
31. False.
32. The swapon and swapoff commands.

DIY Challenge Labs

The following labs are useful to strengthen most of the concepts and topics learned in this chapter. It is expected that you perform these labs without any additional help. A step-by-step guide is not provided, as the implementation of these labs requires the knowledge that has been presented in this chapter. Use defaults or your own thinking for missing information.
Lab 10-1: Create and Mount an Extended File System

Destroy all partitions and volume groups created on vdb, vdc, vdd, and vde drives in previous labs and exercises. Create a partition in vdb of size 1GB and initialize it with ext4 file system structures. Initialize the vdc disk for use in LVM, create a volume group called vgtest and include the vdc disk in it. Create oravol logical volume of size 1GB in the volume group and initialize it with ext4 file system structures. Create mount points of your choice, and mount both file systems manually. Apply any label to the file system created in vdb1 and add both file systems to the fstab file using the label of vdb1 and the LV name of oravol. Reboot the system and test if it boots up successfully and mounts both new file systems.
Lab 10-2: Automount a Network File System

In Exercise 20-1, a directory called /common is shared in read/write mode via the NFS protocol. In order to perform this lab, complete that exercise, and then set AutoFS maps appropriately on the client to automount /common on /mntauto using a direct map. Set the idle time period to 60 seconds. Reboot the system and test to ensure the automount works as expected. Remove the direct map configuration and replace it with an indirect map to automount /common on /mnt/automnt. Test the configuration.

Lab 10-3: Create and Enable Swap

Create vdb2 of size 1.2GB and lvswap2 in vgtest of size 1.8GB. Initialize both for use as swap. Create swap structures in them and add entries to the file system table so that they are automatically activated at each system reboot. Use defaults or your own ideas for missing information.
Lab 10-4: Apply ACL Settings

Create a file called testfile in user1's home directory. Create a directory in user2's home directory and call it dir1. Ensure that the /home file system is mounted with acl option activated. Apply settings on testfile so that user2 gets 7, user3 gets 6, and user4 gets 4 permissions. Apply default settings on dir1 so that user4 gets 7 and user2 gets 5 permissions on it.
Chapter 11
Controlling Access through Firewall and SELinux
This chapter describes the following major topics:
Comprehend iptables firewall for host-based security control
Control iptables and firewalld services
Use iptables command to manage firewall rules
Understand firewalld configuration files and command
Use firewall-cmd command to manage firewall rules
Overview of Firewall Configuration tool
Describe Security Enhanced Linux and its terminology
Understand SELinux contexts for users, processes, files, and ports
What is domain transitioning?
Copy, move, and archive files with SELinux contexts
Overview of SELinux booleans
Manage SELinux via commands
Modify SELinux contexts for users, files, and ports
Overview of SELinux administration tool
View and analyze SELinux alerts
RHCSA Objectives:

48. Configure firewall settings using firewall-config, firewall-cmd, or iptables
50. Set enforcing and permissive modes for SELinux
51. List and identify SELinux file and process context
52. Restore default file contexts
53. Use boolean settings to modify system SELinux settings
54. Diagnose and address routine SELinux policy violations
