Sweet firewalld and selinux with no sweat

How many times have you heard the cliché of turning off firewalld and disabling SELinux right after spinning up a fresh machine?
This post is a minimal how-to on not doing so, kept as a personal reference and for anyone like me who stumbles here…
Let's get dirty:
Note: all the instructions presume that you are on CentOS 7 with root privileges.
First things first: install the EPEL repository by:
yum install epel-release && yum update

SELinux
SELinux is important as it blocks processes from running outside their defined directories or using ports outside what is defined for them. That said, I'll get to the core scenarios that you need to know to smooth out its operation.
Scenario 1
Due to new requirements, you need to add a new drive, partition it and dedicate it entirely to /var/log, because the box generates a lot of logs or acts as a centralized rsyslog server for other boxes. Once the drive is added, shows up under blkid and is mounted to a temporary location like /mnt/temp, you run rsync -av /var/log/ /mnt/temp, then modify /etc/fstab so that the new drive is mounted on /var/log, and reboot. You are spat out with a lot of errors at boot, and the box may even drop to emergency mode…
Solution to scenario 1
Give the password, edit /etc/fstab to comment out the entry that mounts the new drive on /var/log, and reboot.
Install policycoreutils (which is, by the way, in the EPEL repo) by:
yum install policycoreutils-python
Issue the command below to reset all the necessary SELinux values for the new directory:
chcon -v -R --reference /the/model/dir /the/target/dir/or/file
In our case that will be:
chcon -v -R --reference /var/log/ /mnt/temp
This presumes that the new drive is mounted on /mnt/temp. Uncomment the entry in /etc/fstab and reboot; this time the box boots normally…
Scenario 2
You have nginx installed to proxy-pass your application. However, browsing to the port nginx serves on shows nothing. You check the firewall and the nginx configuration, and all is pristine… Tailing /var/log/audit/audit.log is where you catch some interesting output:
cat /var/log/audit/audit.log | grep nginx | grep denied
Solution to scenario 2
Just run this command, presuming you have already installed policycoreutils:
cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginx
It then asks you to activate the generated module, so run that as well:
semodule -i nginx.pp
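
Since audit2allow turns every matched denial into an allow rule, it helps to see what those denials are before loading the module. The following is an added example, not part of the original post: a shell function that summarizes the AVC denials for one process name. The function names summarize_avc and sample_log and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials for one process name, so
# the set of permissions can be reviewed before audit2allow builds a module.
# summarize_avc and sample_log are illustrative names, not from the post.

# Reads audit.log lines on stdin; $1 is the name as it appears in comm="...".
# Prints "<count> <source type> -> <target type> <class> { perms }", sorted.
summarize_avc() {
    awk -v comm="$1" '
    /type=AVC/ && /denied/ && index($0, "comm=\"" comm "\"") {
        perms = ""; src = ""; tgt = ""; cls = ""
        # The denied permissions are the only brace-delimited part of the line.
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " -> " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Constructed sample lines in audit.log format (not taken from a real host).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1500000001.101:210): avc:  denied  { name_connect } for  pid=1402 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1500000001.101:210): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1500000007.554:233): avc:  denied  { name_connect } for  pid=1402 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000009.310:240): avc:  denied  { write } for  pid=1402 comm="nginx" name="app.sock" dev="tmpfs" ino=20511 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1500000012.870:251): avc:  denied  { read } for  pid=977 comm="sshd" name="authorized_keys" dev="dm-0" ino=7731 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}

# On a real host: summarize_avc nginx < /var/log/audit/audit.log
sample_log | summarize_avc nginx
```

Each output line is one distinct denial with its count; a line you did not expect nginx to need is worth investigating before it ends up in nginx.pp.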

Firewalld

You want to trust a certain range of IPs outside the scope of zones, for reasons that arise in clusters where the applications are complex and communicate over many different ports, like an NDB cluster.

Create an ipset (here we are targeting individual IPs, not networks):
$ firewall-cmd --new-ipset=databaseNodes --type=hash:ip --permanent
$ firewall-cmd --reload

Add individual IPs or a group of IPs to the created ipset, here called databaseNodes:
$ firewall-cmd --ipset=databaseNodes --add-entry=192.168.122.1 --permanent
or
$ firewall-cmd --ipset=databaseNodes --add-entry={192.168.122.2,192.168.122.3} --permanent

Create a rich rule that refers to the ipset to accept all connections from the group:
$ firewall-cmd --add-rich-rule 'rule family="ipv4" source ipset=databaseNodes accept' --permanent

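Check the firewalld status for the rules (rules added with --permanent appear in the running configuration only after a reload):
$ firewall-cmd --list-all
Finally, get the details of the database ipset that the rich rule refers to:
$ firewall-cmd --info-ipset=databaseNodes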

I'll add to the above scenarios as I go; this is a work in progress, since the tricks in the field are many…
