rhce1配置selinux修改狀態(tài)為enforci

使用VIM/etc/selinuxgeten查看當(dāng)前SELINUX模seten1將selinux臨時這只為enforcing模式vim/etc/selinux/config配置SSH 解法1：修改/etc/hosts.allow文件修改/etc/hosts.deny文件添加一行sshd:172.25.0.添加策firewall-cmd–zone=block--add-source=/24--firewall-cmdsystem1和system2qstat/bin/ps–Aovim/ aliasqstat=’/bin/ps–Aosource/etc/bashrcaliasqstatqstat執(zhí)行在CLIfirewall-config開啟圖形化界面將configuration:下拉菜單調(diào)整為permanent在public區(qū)域中的中添加一個策略richsystemctlrestartfirewalld.service重裝載策在 和 eth1和nmcliconnectionaddcon-nameteam0typeteamifnameteam0confignmcliconmodifyteam0ipv4.addresses'5/24'nmcliconnectionmodifyteam0ipv4.methodmanualnmcliconnectionaddtypeteam-slavecon-nameteam0-p1ifnameeth1masterteam0nmcliconnectionaddtypeteam-slavecon-nameteam0-p2ifnameeth2masterteam0nmcliconnectionupteam0nmcliconupteam0-p1nmcliconupteam0-p2#teamdctlteam0state#nmclidevicedisconnect配置IPV6在您的考試系統(tǒng)上配置接口eth0IPV6nmcliconmodeth0ipv6.addresses“2003:ac18::305/64”nmcliconmodeth0ipv6.methodmanualsystemctlrestartnmcliconmodeth0ipv6.addresses“2003:ac18::30a/64”nmcliconmodeth0ipv6.methodmanual62003:ac18::30asystem1和system2從這些系統(tǒng)上發(fā)送的郵件顯示來自于已經(jīng)配置把此用戶的郵件轉(zhuǎn)到下列URL vim/etc/postfix/main.cf postconf-emyorigin=dosystemctlrestartpostfixechoaaa|mail-Sodave在瀏覽器中打開 在system1SMB共享/common 共享名必須為common只有 域內(nèi)的客戶端可以common共common用戶andy必須能夠共享中的內(nèi)容，需要需要的話，驗(yàn)證是yum-yinstallsambafirewall-cmd--add-service=samba--permanentvim/etc/samba/smb.confworkgroup=STAFFpath=browseable=yesmkdirchcon–R–tsamba_share_t/common/smbpasswd-aandysystemctlstartsmbyuminstall–ycifs-utils配置多用戶SMB在systeml共享通過 共 devops只能被 是 是此共享永久掛載在system2.do 為認(rèn)證任何用戶可以通過用戶akira來臨時獲取寫的權(quán)限chcon-R-tsamba_share_t/devops/odo+w/devops/path=browseable=yeswritable=nowritelist=smbpasswd-asilenesmbpasswd-aakirayuminstallcifs-utilsmkdirsmb-L/system1/-Usilenevim/etc/fstab//system1/devops/mnt/devcifsdefaults,multiuser,username=silene,password=redhat,sec=ntp00df–hT在system2akira用戶，進(jìn)入到/mnt/devsutouch1配置NFS在system1NFS /public同時只能被 /protected需要通過Kerberos安全加密，您可以使用下面URL提供的密鑰/materials/nfs_server.keytab/protected應(yīng)該包含名為project.deepak用戶deepak能以讀寫方式vim/protected/publicwget-O/etc/krb5.keytab/materials/nfsserver.keytabrestorecon-vRF/etc/krb5.keytabvim/etc/sysconfig/nfsFSDARGS="-V4.2"systemctlrestartsystemctlstartnfs-secure-serverexportfs–rafirewall-cmd--add-service=nfs–permanentfirewall-cmd--add-service=mountd–permanent tlrestartfiewalldmkdir-p/protected/projectll/protected/chcon-R-tpublic_content_tNFS在system2上掛載一個 的NFS共享,并符合下列要求1、/public掛載在下面 上2、/protected掛載在下面 .keytabshowmount-esystem1vim/etc/fstab$ip_address:/public/mnt/nfsmountnfsdefaults00mount–adfmkdirwget-O/etc/krb5.keytab/materials/nfs_.keytabvim/etc/fstabsystem1:/protected/mnt/nfssecurenfsdefaults,sec=krb5p,v4.20實(shí)現(xiàn)一個web在system1上配置一個站點(diǎn). /然后執(zhí)行下述步驟1、 . 2 3、將文件index.html拷貝到您的web服務(wù)器 此web服5、來自于域的客戶端此web服yumgroupinstallweb\*-ysystemctlstarthttpdsystemctlenablehttpdvim<VirtualHost*:80>Rootwget-Oindex.html/materials/station.htmlsystemctlrestart配置安全web為站點(diǎn)配置TLS加密一個已簽名 /materials/system1.crt獲取此 /materials/system1.key獲取此 /materials/11.crt獲取<virtualhostservernamesystem1.do<VirtualHost*:443>SSLEngineonSSLProtocolall-SSLv2SSLCipherSuiteSSLFile/etc/pki/tls/httpd/system1.crtSSLKeyFile/etc/pki/tls/httpd/system1.keySSLCAFile/etc/pki/tls/httpd/district6.crtServerNamesystem1.disRootsystemctlrestartfirewalld在system1上擴(kuò)展您的web服務(wù)器，為站點(diǎn)創(chuàng)建一個虛擬主機(jī)， Root為從文件重名為index.htmlindex.html 確保andy用戶能夠在 注意：原始站點(diǎn)/必須仍然能 mkdir–p/var/www/virtualcd/var/www/virtualwget–Oindex.htmlvim<virtualhost#ServerAliaswwwsetfacl-mu:andy:rwx/var/www/virtualsuandytouch15.配置web在您的system1上的web服務(wù)器的Root 下創(chuàng)建一個名為private的 從/materials/private.html一個文件副本到這個 并且重命名為index.html.從system1上，任何人都可以瀏覽private的內(nèi)容，但是從其它系統(tǒng)不能這個 cd/var/www/html/privatewget-Oindex.htmlAllowOverridenoneRequirelocal16，WEBsystem1上配置提供動態(tài)web1、動態(tài)內(nèi)容由名為 3、從/materials/webapp.wsgi一個，然后放在適當(dāng)?shù)奈恢?，無論如 :8909/必須能被 yum-yinstallListen80Listen<virtualhost*:8909>WSGIScriptAlias /var/www/html/webapp.wsgicdwgetsystemctlrestartsemanageport-a-thttp_port_t-ptcp8909systemctlrestarthttpd在system1上創(chuàng)建一個名為/root/foo.sh的，讓其提供下列特性當(dāng)運(yùn)行/root/foo.shredhat,當(dāng)運(yùn)行/root/foo.shfedora,/root/foo.sh解法cdvimfoo.shcase$1inechoecho

echo'root/foo.shod+x./foo.sh./foo.sh./foo.sh在system1上創(chuàng)建一個，名為/root/mkusers,此能實(shí)現(xiàn)為系統(tǒng)system1創(chuàng)建本地用戶，并如果提供一個不存在的文件名，此應(yīng)該給出下面的提示信息Inputfilenotfound然后創(chuàng)建的用戶登錄s為此不需要為用戶設(shè)您可以從下面的URL中獲取用戶名列表作為測試用. /materials/userlistvimmkusers.sh #!/bin/bashif[$#-eq0exit1if[!-f$1];echo'Inputfilenotfound'#fornamein$(cat$1); useradd-s/bin/false$linedone<$1od+xwget./mkusers.shid用戶名查看用戶是否添加配置ISCSI配置system1提供一個ISCSI服務(wù)磁盤名 iscsi_store此服務(wù)職能被 />o-/............................................................o-backstores.................................................|o- [StorageObjects:||o- [/dev/vg01/data(3.0GiB)write-thru|o- [StorageObjects:|o- [StorageObjects:|o- [StorageObjects:o- | [TPGs:|o- [no-gen-acls,no- o- [ACLs: | .example.district2:system2[MappedLUNs: |o- [lun0block/b1 o- [LUNs: |o- [block/b1 o- [Portals: o- o- #firewall-cmd--reload[root@system1~]#ss-tunlp|grep fdisk/dev/sdayuminstall-ytargetcli\*cdcd/iscsi cdtpg1/acls/create luns/create/backstores/block/block1systemctlstarttarget配置ISCISI配置system2使其能在system1上提供的 .example.11:system1并符合此分區(qū)掛載在/mnt/datavim/etc/iscsi/initiatorname.iscsi systemctlstartiscsidsystemctlenablemaniscsiadm--modediscoverydb--typesendtargets--portal10--discoveriscsiadm--modenode-- fdisk/dev/sdavim /mnt/dataext4defaults,_netdev00system1上創(chuàng)建一個MariaDBContacts/materials/users.mdb4、root用戶的為redhat，同時不允許空登錄yumgroupinstal-ymariadbmariadb- systemctlrestartmariadbsystemctlenablemariadbwgetmysql-uroot-showuseContacts;CREATEUSERRyuichi@localhostIDENTIFIEDBY‘flectrag’;grantselectonContacts.*toRyuichi@localhost;mysql-uroot-pContacts<mysql