In this video, Kevin Dankwardt shows the solutions for the challenge to use SELinux, LUKS, ACLs, and disk quotas. Learn how to manipulate SELinux context types, set up partition encryption, and set ACLs.
[Instructor] So we've got a lot to do, so let's just jump right into it. The first challenge has to do with SELinux and we're going to be manipulating the SELinux contexts for /etc/motd. So let's first check what it is. And it's etc_t, the standard one. So, I am in the contexts files directory, so let's just remember where we are, that could be handy in a little variable, double check it.
Okay, good. Let's make a directory in /tmp to make a copy of this. Alright, we copied everything there. Now, let's use semanage to set a new default context type for motd. So semanage, fcontext, alright, that seems to be happy. It shouldn't have changed the context yet, let's just double check. It's still etc_t. Well, let's see what changed in where we are.
So if we do a recursive diff here in /tmp, save. Alright, so we've got a couple of new files here. We've got in the file_contexts.local the entry for the motd. Let's do a restorecon on /etc/motd to make sure that our semanage really will make it be bin_t, so let's check that.
Sure enough, bin_t. And then we can, instead of restoring the files, we can just use the semanage again to make an entry back to what it's supposed to be for /etc/motd. And then a restorecon. There we go. Now let's look at the LUKS, the encryption stuff for our partition.
So we want to make a new partition and we want to set it up for LUKS and we want to format and mount it. So let's make a new partition. Got this disk here. Make a new partition. Primary, yes. One, yes. First sector, yes. We want to make it a hundred meg. There we go, we write that out. Good deal. Now we got to do the cryptsetup.
Notice the capital F there on luksFormat. Do we really want to overwrite it? And you got to type YES in capital letters, scary. Now we got to come up with a passphrase. Okay, so let's see if I can get one it's happy with. I think so. See if I can type it again. There we go. Now let's open it, which is what we normally need to do every time we're going to use it.
And what we're going to call it, we'll call it cryptchall for crypt challenge. We're going to enter that passphrase now to be able to get to it. Great. Because we haven't formatted or used it yet but there might be some data on it from before, let's overwrite all that with zeroes. Now I'll keep going until we're done. Okay, so that's all zeroed out. Now let's format it.
Okay, we've got it formatted. Now we can make a directory for mounting it. And let's mount. There we go. We've made a new encrypted partition, formatted it and mounted it. Awesome. Now let's look at doing the ACLs. We're supposed to add a new person and we're supposed to experiment on ACLs. So we can just use useradd niceperson.
And we can set an ACL for read write on /etc/motd. And if we just check, ordinarily users can't write to that. If we check our access control list we set, we see niceperson is supposed to be able to do a read write. So let's switch over and be niceperson.
I am niceperson. And let's see if I can edit motd. Moment of truth. No problem. There we go. So with the ACL we are allowing niceperson to edit that file but ordinary other people can't. Now let's get out of being niceperson. Okay, so let's experiment with the quotas.
So let's make a new partition, format it, mount it, and test. We'll make a hundred meg partition. Alright, so we had to do a partprobe. Let's format this new partition. There we go. Let's make sure our mount point's not already mounted. Let's mount with the usrquota option.
There we go. Let's do a quotacheck. There we go. Let's do an edquota on niceperson. Let's give them our limit of a hundred blocks. We'll make both soft and hard hundred blocks.
There we go. Let's turn quotaon. Let's do a quotacheck again. Okay, so it's telling us don't do a quotacheck with quotaon. Okay, that's okay, we did it before. Now let's test. So let's become niceperson.
Let's go to /tmp/d1 and let's try to create a file and see if we use up our quota. And we got a permission problem. Oops, niceperson was not a sudoer. Alright, let's try it again. There we go, we got a disk quota exceeded.
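
The four challenges narrated above, written out as commands in an added example that is not taken from the video: the device names, the ext4 filesystem, the LUKS mount point and the exact command options are assumptions, and setquota stands in for the interactive edquota. It only prints the commands by default and executes them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Constructed walk-through of the four challenges. Defaults to printing the
# commands; run as root with DRY_RUN=0 to execute them.
DRY_RUN="${DRY_RUN:-1}"
LUKS_DEV="${LUKS_DEV:-/dev/sdX1}"        # placeholder: new 100 MB partition for LUKS
QUOTA_DEV="${QUOTA_DEV:-/dev/sdX2}"      # placeholder: new 100 MB partition for quotas
LUKS_MNT="${LUKS_MNT:-/mnt/cryptchall}"  # assumed mount point
QUOTA_MNT="${QUOTA_MNT:-/tmp/d1}"        # directory named in the video

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

selinux_steps() {
    run ls -Z /etc/motd                          # starts as etc_t
    run semanage fcontext -a -t bin_t /etc/motd  # rule lands in file_contexts.local
    run restorecon -v /etc/motd                  # the label changes only now
    run semanage fcontext -m -t etc_t /etc/motd  # put the default type back
    run restorecon -v /etc/motd
}

luks_steps() {
    run cryptsetup luksFormat "$LUKS_DEV"        # confirm with YES, set passphrase
    run cryptsetup luksOpen "$LUKS_DEV" cryptchall
    # Zero through the mapping; dd stops with "No space left" at the end.
    run dd if=/dev/zero of=/dev/mapper/cryptchall bs=1M || true
    run mkfs.ext4 /dev/mapper/cryptchall         # ext4 is an assumption
    run mkdir -p "$LUKS_MNT"
    run mount /dev/mapper/cryptchall "$LUKS_MNT"
}

acl_steps() {
    run useradd niceperson
    run setfacl -m u:niceperson:rw /etc/motd
    run getfacl /etc/motd                        # expect user:niceperson:rw-
}

quota_steps() {
    run mkfs.ext4 "$QUOTA_DEV"
    run mkdir -p "$QUOTA_MNT"
    run mount -o usrquota "$QUOTA_DEV" "$QUOTA_MNT"
    run quotacheck -cu "$QUOTA_MNT"              # creates aquota.user
    # setquota replaces interactive edquota: 100-block soft and hard limits
    run setquota -u niceperson 100 100 0 0 "$QUOTA_MNT"
    run quotaon "$QUOTA_MNT"
}

selinux_steps; luks_steps; acl_steps; quota_steps
```
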
- Partitioning storage
- Creating, mounting, and unmounting file systems
- Formatting file systems
- Making volumes with LVM
- Adding storage security
- Managing swap spaces
- Backing up and recovering Linux storage systems
- Working with networked file systems like NFS and SSHFS