summaryrefslogtreecommitdiffstats
path: root/server/lib/security-config
blob: 0551f867419186ba6ab22cac3cee1ebe5e44e415 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/bin/bash
#/**
#@file    security-config
#@brief   OpenGnsys Server security configuration.
#@version 1.1 - Initial version.
#@author  Ramón J. Gómez, ETSII Univ. Sevilla
#@date    2016-03-01
#*/ ##


# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys
# Errors control.
if [ "$USER" != "root" ]; then
	echo "$PROG: Need to be root." >&2
	exit 1
fi

# FirewallD configuration.
if which firewall-cmd 2>/dev/null; then
	# Defining OpenGnsys services.
	python -c "
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Server'
s.name = 'ogAdmServer'
s.ports = [('2008', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
//s.short = 'OpenGnsys Repository'
//s.name = 'ogAdmRepo'
//s.ports = [('2002', 'tcp')]
//ios.service_writer(s, '/etc/firewalld/services')"
	# Adding active services.
	firewall-cmd --permanent --add-service=dhcp
	firewall-cmd --permanent --add-service=https
	firewall-cmd --permanent --add-service=mysql --zone internal
	#firewall-cmd --permanent --add-service=ogAdmRepo
	firewall-cmd --permanent --add-service=ogAdmServer
	# Ubuntu 14.04 does not define "rsyncd" service.
	firewall-cmd --permanent --add-service=rsyncd || \
		firewall-cmd --permanent --add-port=873/tcp
	firewall-cmd --permanent --add-service=samba
	firewall-cmd --permanent --add-service=ssh
	firewall-cmd --permanent --add-service=tftp
	# Adding Multicast ports.
	firewall-cmd --permanent --add-port=9000-9051/udp
	# Adding Torent ports?
	#firewall-cmd --permanent --add-port=6881-6999/udp
	# Applying configuration.
	firewall-cmd --reload
else
	echo "$PROG: Warning: FirewallD won't be configured (firewalld is not installed)."
fi

# SELinux configuration.
if which setsebool 2>/dev/null; then
	# Configuring Apache.
	setsebool -P httpd_can_connect_ldap on
	semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
	# Configuring Samba. 
	setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
	semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
	semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
	# Applying configuration.
	restorecon -R $OPENGNSYS
else
	echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
fi