From 4db1b6e56d8fa6a7c124bf543fc479abd1d43acb Mon Sep 17 00:00:00 2001
From: ramon
Date: Tue, 1 Mar 2016 10:06:11 +0000
Subject: #736: Script para configurar conrtafuegos FirewallD y seguridad SELinux.
git-svn-id: https://opengnsys.es/svn/branches/version1.1@4809 a21b9725-9963-47de-94b9-378ad31fedc9
---
 server/lib/security-config | 70 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 server/lib/security-config
(limited to 'server')
diff --git a/server/lib/security-config b/server/lib/security-config
new file mode 100644
index 00000000..0551f867
--- /dev/null
+++ b/server/lib/security-config
@@ -0,0 +1,70 @@
+#!/bin/bash
+#/**
+#@file security-config
+#@brief OpenGnsys Server security configuration.
+#@version 1.1 - Initial version.
+#@author Ramón J. Gómez, ETSII Univ. Sevilla
+#@date 2016-03-01
+#*/ ##
+
+
+# Variables.
+PROG=$(basename "$0")
+OPENGNSYS=/opt/opengnsys
+# Errors control.
+if [ "$USER" != "root" ]; then
+ echo "$PROG: Need to be root." >&2
+ exit 1
+fi
+
+# FirewallD configuration.
+if which firewall-cmd 2>/dev/null; then
+ # Defining OpenGnsys services.
+ python -c "
+import firewall.core.io.service as ios
+s=ios.Service()
+s.short = 'OpenGnsys Server'
+s.name = 'ogAdmServer'
+s.ports = [('2008', 'tcp')]
+ios.service_writer(s, '/etc/firewalld/services')
+//s.short = 'OpenGnsys Repository'
+//s.name = 'ogAdmRepo'
+//s.ports = [('2002', 'tcp')]
+//ios.service_writer(s, '/etc/firewalld/services')"
+ # Adding active services.
+ firewall-cmd --permanent --add-service=dhcp
+ firewall-cmd --permanent --add-service=https
+ firewall-cmd --permanent --add-service=mysql --zone internal
+ #firewall-cmd --permanent --add-service=ogAdmRepo
+ firewall-cmd --permanent --add-service=ogAdmServer
+ # Ubuntu 14.04 does not define "rsyncd" service.
+ firewall-cmd --permanent --add-service=rsyncd || \
+ firewall-cmd --permanent --add-port=873/tcp
+ firewall-cmd --permanent --add-service=samba
+ firewall-cmd --permanent --add-service=ssh
+ firewall-cmd --permanent --add-service=tftp
+ # Adding Multicast ports.
+ firewall-cmd --permanent --add-port=9000-9051/udp
+ # Adding Torent ports?
+ #firewall-cmd --permanent --add-port=6881-6999/udp
+ # Applying configuration.
+ firewall-cmd --reload
+else
+ echo "$PROG: Warning: FirewallD won't be configured (firewalld is not installed)."
+fi
+
+# SELinux configuration.
+if which setsebool 2>/dev/null; then
+ # Configuring Apache.
+ setsebool -P httpd_can_connect_ldap on
+ semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
+ # Configuring Samba.
+ setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
+ semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
+ semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
+ # Applying configuration.
+ restorecon -R $OPENGNSYS
+else
+ echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
+fi
+
-- cgit v1.2.3-18-g5258
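Review bot: The four commented-out lines inside the `python -c` snippet (`//s.short = ...` through `//ios.service_writer(...)`) use `//`, which is not a comment in Python, so the whole snippet is rejected as a SyntaxError before `ios.service_writer` runs; the `ogAdmServer` service file is never written, the later `firewall-cmd --permanent --add-service=ogAdmServer` fails, and TCP 2008 would stay closed while the script (which has no `set -e`) carries on. Replace the `//` prefix on those four lines with `#`, and consider testing the exit status of the `python` call before the `--add-service` lines so a broken service definition is reported rather than skipped. Separately, `setsebool -P samba_export_all_ro=1 samba_export_all_rw=1` lets smbd read and write every file on the host regardless of its label, which defeats the point of labeling only `$OPENGNSYS/client` and `$OPENGNSYS/images` as `samba_share_t`; drop the `samba_export_all_*` booleans (at minimum `_rw`) unless a share outside those paths is actually required. The root check compares `$USER`, an environment variable that can be unset or differ from the effective user (e.g. under cron or some sudo setups); `if [ "$(id -u)" -ne 0 ]; then` is the reliable test. Minor: `restorecon -R "$OPENGNSYS"` should quote the variable, and `which` is better written as `command -v`.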