Part A - V7 Exam Questions: 1. Configure SELINUX

Part A V7 Exam Questions
1. Configure SELINUX
Modify the state of SElinux to Enforcing mode
Use VIM /etc/selinux
Solutions:
vim /etc/selinux/config
SELINUX=enforcing
:wq
reboot
2. Configure the SSH Access
Configure the SSH Access as required:
Users can visit your two virtual machine systems via clients of domain group3.example.com through
SSH remote
Solution 1:
Modify file /etc/hosts.allow
Add a line: sshd: 172.24.11.
Modify file /etc/hosts.deny
Add a line: sshd: 172.25.0.
Both of them need to be configured
Solution 2:
Add a firewall
firewall-cmd zone=block --add-source=172.25.11.0/24 --permanent
firewall-cmd reload
Both of them need to be configured

3. Custom User Environment
Create a custom command on system1 and system2 named as qstat, this custom command will
execute the following commands:
/bin/ps - Ao pid,tt,user,fname,rsz
This command is valid for all users in the system
Solutions:
vim /etc/bashrc // restart and keep valid
alias qstat=/bin/ps -Ao pid,tt,user,fname,rsz
:wq
source /etc/bashrc
alias // check if there is a qstat
qstat // execute
Both have to do
4. Configure Port Forwarding
Configure port forwarding on the system1, as required:
1. Systems in the network 172.24.11.0/24, local port 5423 will be ported to 80 when visiting system1
2. This setting must be valid permanently
Solutions:
Use Graphical interface to configure
Use firewall-config to open the Graphical interface in
CLI Adjust the configuration: drop-down menu to
permanent Adding a strategy to the port forward of
the public region
systemctl restart firewalld.service
// reload the firewall strategy

5. Configure the Link Aggregation
Configure a link between system1. group3.example.com and system2. group3.example.com as
required:
1. This link use interface eth1 and eth2
2. This link still can work when one interface failed
3. This link use the following address 172.16.3.20/255.255.255.0 in system1
4. This link use the following address 172.16.3.25/255.255.255.0 in in system2
5. This link remains normal after the system is restarted
Solutions:
If forget how to write the name, can search examples in /var/share/doc/team-1.9/example_configs/
nmcli connection add con-name team0 type team ifname team0 config
'{"runner: {"name":"activebackup"}}'
nmcli con modify team0 ipv4.addresses '172.16.11.25/24'
nmcli connection modify team0 ipv4.method manual
nmcli connection add type team-slave con-name team0-p1 ifname eth1 master
team0
team0
nmcli connection up team0
nmcli con up team0-p1

6. Configure IPV6 Address
Configure interface eth0 on your test system, using the following IPV6 addresses:
1. System1 address should be: 2003:acl8::305/64
2. System2 address should be: 2003:acl8::30a/64
3. Both the two systems must can communicate with systems in network 2003:acl8/64
4. Addresses must be valid after the restart
5. Both the two systems must keep the current IPV4 address and can communicate
Solutions:
nmcli con mod eth0 ipv6.addresses 2003:ac18::305/64
nmcli con mod eth0 ipv6.method manual
systemctl restart network
nmcli con mod eth0 ipv6.addresses 2003:ac18::30a/64
ping6 2003:ac18::30a
7. Configure the local mail service
Configure the mail service on system1 and system2, as required:
1. These systems do not accept external send mails
2. Any mails sent locally are automatically routed to rhgls.domain11.example.com
3. Mails sent from these systems will be displayed from rhgls.domain11.example.com
4. You can send mail to local user author to test your configuration system
rhgls.domain11.example.com
5. Have already configured to transfer this users mails to the following URL
rhgls.domain11.example.com/received_mail/11
Solutions:
postconf -e local_transport=err:XX
vim /etc/postfix/main.cf
relayhost=[rhgls.domain11.exmaple.com]
systemctl restart postfix
echo aaa | mail -S hello dave
Open rhgls.domain11.example.com/received_mail/11 in the browser
8. Share directories via SMB
Configure the SMB service on the system1
Your SMB server must be a member of the work group STAFF
Share /common and share name must be common

Only clients of domain11.example.com can access the common share
Common must be able to browse
User andy must be able to read the content of the share, if necessary, verification code is redhat
Solutions:
system1:
yum -y install samba samba-client
firewall-cmd --add-service=samba --permanent
firewall-cmd --add-service=mountd permanent
systemctl restart firewalld
vim /etc/samba/smb.conf
workgroup = STAFF
[common]
path = /common
hosts allow = 172.24.11.
browseable = yes
:wq
mkdir /common
chcon R t samba_share_t /common/
systemctl start smb
systemctl enable samba
system2:
yum install y cifs-utils samba-client
9. Configure Multi-User Mount
Share the directory /devops through SMB on the system1, as required:
1. Share name is devops
2. The shared directory devops just can be used by clients in domain11.example.com
3. The shared directory devops must be able to be browsed

4. User silene must can be able to access this share through read, access code is redhat
5. User akira must can be able to access this share through read and write, access code is redhat
6. This share permanently mount to system2. domain11.example.com the user /mnt/dev, make
user silene as authentication any users can get temporary write permissions from akira
Solutions:
system1:
mkdir /devops
chcon -R -t samba_share_t /devops/
chmod o+w /devops/
[devops]
path = /devops
browseable = yes
writable = no
write list = akira
systemctl restart smb
smbpasswd -a silene
smbpasswd -a akira
system2:
mkdir /mnt/dev
smbclient -L /system1/ -U silene
vim /etc/fstab
//system1/devops /mnt/dev cifs
defaults,multiuser,username=silene,password=redhat,sec=ntlmssp 0 0
df hT
Test:
Switch to user akira on the system2, access to /mnt/dev and view files
su akira cd
/mnt/dev ls
cifscreds add system1
touch 1
10. Configure NFS service
Configure the NFS service on the system1, as required:
1. Share the directory /public in read only way, just can be accessed by systems in
domain11.example.com at the same time
2. Share the directory /protected in rad and write way, Kerberos security encryption required, you
can use the key provided by the following
URL: http://host.domain11.example.com/materials/nfs_server.keytab
3. Directory /protected should contain the sub directory named project and deepak;
Solutions:
system1:
vim /etc/exports
/protected 172.24.11.0/24(rw,sync,sec=krb5p)
/public 172.24.11.0/24(ro,sync)
wget -O /etc/krb5.keytab
http://host.domain11.example.com/materials/nfs_server.keytab
vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2 "
:wq
systemctl restart nfs
systemctl start nfs-secure-server
systemctl enable nfs-secure-server
exportfs ra
showmount e
firewall-cmd --add-service=nfs permanent
firewall-cmd --add-service=rpc-bind permanent
firewall-cmd --add-service=mountdpermanent
systemc tl restart fiewalld
mkdir -p /protected/project
chown deepak /protected/project/
ll /protected/
chcon -R -t public_content_t /protected/project/

11. Mount a NFS Share
Mount a NFS share to system1.domain11.example.com on the system2, as required:
2. Mount the /protected to the directory /mnt/nfssecure, in a security way, key download URL:
http://host.domain11.example.com/materials/nfs_client.keytab
3. User deepak can create files on /mnt/nfssecure/project
4. These file systems automatically hang up when the system is started
Solutions:
system2:
showmount -e system1
mkdir -p /mnt/nfsmount
vim /etc/fstab
system1:/public /mnt/nfsmount nfs defaults 0 0
mount a
df h
mkdir /mnt/nfssecure
wget -O
/etc/krb5.keytab
vim /etc/fstab
system1:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0
:wq
mount a
12. Implement a web server
13. Configure security web service
14. Configure the Virtual Host
15. Configure Web Content Access
16. Dynamic WEB content
17. Create a script
18. Create a script to add users
19. Configure the ISCS Server
20. Configure ISCISI Clients
21. Configure a database
22. Database Query
Exam Environment:
Take examinations on a real system with a pre-installed virtual machine. All exams must be
completed in the virtual machine. Network must be well configured. If the network cannot be
accessed, you will not pass the exam. In the iptables configuration, if you need to refuse the access,
please use Reject. (The default is set as ACCEPT.)
Note:
1. All the software package is stored at http://ip/dir/cdom.
2. You can use the real machine to verify whether the examination experiment is correctly
completed in the virtual machine.
3. The network environment:
Host name: station.domainX0.example.com
IP Address: 172.24.X0.5/24 (If your machine is No.1, X0 is 10.)
Gateway: 172.24.10.254
4. You can use a real machine to verify the configuration of the virtual machine is properly completed:
(different exam not the same Network domain, please look the situation)
dn10.ws.com domain is 172.28.10.0/24 network.
tk.com domain is 172.18.0.0/16 network.
Generally, the network is required to be rejected in exam.
Complete the task before the exam:
1. Reset root password
(1) Press any key to enter the menu within 5 seconds.
(2) Enter e to edit the commands.
(3) Choose the line of begin with kernel 1/.

(4) Select the kernel and sends a parameter: " 1 , " s ", or " single ". These parameters are means
that the system will start to enter single-user mode.
(5) Press the "Enter" key, return to the start menu. Now press the letter "b" key to boot the system.
(6) Into single-user mode and reset the root password.

PS: In the in RHEL6 system, modify root password directly is invalid, you need to temporarily turn
off SELinux. This is a bug in rhel6 system.
Here the detail of commands:
runlevel: View the current run level, check whether on the single-user mode
passwd: Change the root password
getenforce: Check whether to enable SELinux, forced mode (Enforcing)
setenforce 0: temporary disable SELinux protection, to change the root password
init 5: Restart, and direct into run level 5, the graphical interface
2. Configure your Host Name, IP Address, Gateway and DNS

Host name: dtop5.dn.ws.com
IP Address: 172.28.10.5/24
Gateway: 172.28.10.1
DNS: 172.28.10.1
Answers:
(1) Configure Host Name.
# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=dtop5.dn.ws.com
GATEWAY=172.28.10.1
(2) Configure IP Address, Gateway and DNS.
Configure the network by Network Manager:
Note: Please remember to choose two options:
* Connect automatically
* Available to all users
Click "Apply", save and exit, and restart your network services:
# Service network restart
(3) Validate these profiles:
a) Check gateway: # vim / etc / sysconfig / network
b) Check Host Name: # vim /etc/hosts
c) Check DNS: # vim /etc/resolv.conf
d) Check Gateway: # vim /etc/sysconfig/network-scripts/ifcfg-eth0

Part 1
The next day, preparation of RHCE. Attention, in the exam, Internet and system environment have
been done in advance so you just need to operate directly. Remember the following several points:
(1) Remembering just operate on Virtual machine, dont do anything on physical machine.
(2) Remembering your fire wall MUST BE emptied or bear your own consequences.
(3) Remembering to start using all the services. (chkconfig)
Question 1
In accordance with the following requirements to deploy ssh login service:
(1) harry belongs to example.com which can remote login your systems.
(2) However, users of remote.test cannot use ssh login to your machine.
Answer:
[root@server1 ~]# grep sshd /etc/hosts.allow
sshd:.example.com
[root@server1 ~]# grep sshd /etc/hosts.deny
sshd:.remote.test
Notice:
tcp_wrappers has two configuration files and their priority level is
/etc/hosts.allow->/etc/hosts.deny
Question 2
Via nfs service share the /common directory in your system, just doing ONE share in example.com
domain.
Answer:
[root@server1 ~]# grep common /etc/exports
/common *.example.com(ro,sync)
Question 3
According to the following requirements, deploying your ftp login rule:
(1) Users in example.com domain must be able to login to your ftp server as an anonymous user.
(2) But users outside the example.com domain are unable to login to your server.
Answer:
[root@server1 ~]# grep vsftpd /etc/hosts.deny
vsftpd:.example.com
[root@server1 ~]# grep vsftpd /etc/hosts.deny
vsftpd:ALL
/etc/vsftpd/vsftpd.conf:
anonymous_enable=YES
Question 4
Deploying your exam system: linking to the iscsi target in the instructor.example.com and
distinguish it well, then formatted as ext3 file system. You must can be able to mout the file system
of the iscsi target to the /mnt/iscsi directory in your own system and make this file system can
automatically mount (permanently mount) after system restart.
Answer:
[root@server1 ~]# iscsiadm --mode discoverydb --type sendtargets --
portal
instructor.example.com --discover
192.168.0.254:3260,1 iqn.2010-09.com.example:rdisks.server1
[root@server1 ~]# iscsiadm --mode node -targetname
iqn.2010-09.com.example:rdisks.server1
--portal instructor.example.com --login
Logging in to [iface: default, target:
iqn.2010-09.com.example:rdisks.server1, portal:
192.168.0.254,3260] (multiple)
Login to [iface: default, target:
iqn.2010-09.com.example:rdisks.server1, portal:
192.168.0.254,3260] successful.
Notice:
This part also need to be formatted and modify /etc/fstab mount
Question 5
In accordance with the following requirements, sharing /common directory through smb
service.
-- your sub service must be in the SAMBA working-set
-- the shared name of common is common
-- the common share just can be shared by the customers in the example.com domain
-- the common must can be available for browsing
-- mary must can login to the smb share and for read operation, password is the secret code if it
need to be verified
Answer:
[root@server1 iscsi]# grep -v "^\s*#" /etc/samba/smb.conf | grep -v
"^\s*;" | grep -v "^\s*$"
[global]
workgroup = SAMBA
server string = Samba Server Version %v
hosts allow = 127. 192.168.0.
security = user
passdb backend = tdbsam
[common]
comment = Public Stuff
path = /common
public = no
browseable = yes
printable = no
read only = mary
Add SMB Mary users
smbpasswd -a mary
Modify the security context of /common directory
chcon -R -t samba_share_t /common
Question 6
Arrange a web service address is: http://serverX.example.com, X is the number of your exam
machine. Deploy it in accordance with the following requirements:
-- Download ftp//instructor.example.com/pub/rhce/server.html
-- Cannot do any modification to file documwent server.html
-- Rename file document server.html as index.html
-- Copy the file document server.html to DocumentRoot
Answer:
[root@server1 common]# cd /var/www/html/
[root@server1 html]# lftp instructor.example.com
lftp instructor.example.com:~> cd pub/rhce
cd ok, cwd=/pub/rhce
lftp instructor.example.com:/pub/rhce> get server.html
20 bytes transferred
[root@server1 html]# mv server.html index.html
[root@server1 html]# restorecon -Rv /var/www/html/
[root@server1 html]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@server1 html]# chkconfig httpd on
Question 7
Expand your web service including a virtual hosting, address ishttp://wwwX.example.com, X is
the number of your exam machine. However, requiring you do as the following:
-- Set up the DocumentRoot of this virtual hosting as /var/http/virtual
-- Download ftp//instructor.example.com/pub/rhce/www.html
-- Rename www.html file document as index.html
-- Move this file document to this virtual hostings DocumentRoot
-- Don't do any changes to this document
-- Making sure that harry users are able to create project in /var/http/virtual
Attention: Original web address is http://serverX.example.com must also can be browsed.
The DNS of the Server instructor.example.com has already been analyzed as the domain
wwwX.example.com.
Answer:
[root@server1 html]# mkdir -p /var/http/virtual
[root@server1 html]# cd /var/http/virtual/
[root@server1 virtual]# lftp instructor.example.com
lftp instructor.example.com:~> cd pub/rhce
lftp instructor.example.com:/pub/rhce> get www.html
17 bytes transferred
lftp instructor.example.com:/pub/rhce> quit
[root@server1 virtual]# mv www.html index.html
[root@server1 virtual]# useradd harry
[root@server1 virtual]# chgrp harry .
[root@server1 virtual]# chmod 775.
Edit /etc/httpd/conf/httpd.conf, add the follow content:
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /var/http/virtual
ServerName www1.example.com
<Directory /var/http/virtual/limited>
Options Indexes MultiViews FollowSymlinks
order deny,allow
deny from all
allow from 192.168.0.
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/
ServerName server1.example.com
Part 2
Question 14
Please set the SElinux status as enforcing.
Answer:
# getenforce 1
# vim /etc/sysconfig/selinux
SELINUX=enforcing
Question 15
Please open the ip_forward, and take effect permanently.
Answer:
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -w (takes effect immediately)
If no sysctl.conf option, use these commands:
# sysctl -a |grep net.ipv4
# sysctl -P net.ipv4.ip_forward = 1
# sysctl -w
Question 16
Configure ssh to allow user harry to access, reject the domain t3gg.com (172.25.0.0/16) to access.
Answer:
# yum install -y sshd
# chkconfig sshd on
# vim /etc/hosts.deny
sshd: 172.25.0.0/16
# service sshd restart
Use iptables:
# chkconfig iptables on
# iptables -F
# iptables -X
# iptables -Z
# iptables -nvL
# iptables -A INPUT -s 172.25.0.0/16 -p tcp --dport 22 -j REJECT
# services iptables save
# iptables -nvL
# cat /etc/services (check port)
Question 17
Configure the ftp to allow anonymously download the directory /var/ftp/pub, and reject the domain
t3gg.com to access.
Answer:
# yum install -y vsftpd
# chkconfig vsftpd on
# services vsftpd start
# vim /etc/hosts.deny
vsftpd: 172.25.0.0/16
OR
# iptables -A INPUT -s 172.25.0.0/16 -p tcp -dport 20:21 -j REJECT
# services iptables save
Question 18
Shutdown the /root/cdrom.iso under /opt/data, and set as boot automatically mount.
Answer:
# cd /opt/
# mkdir data
# mount -t iso9660 -o loop /root/cdrom.iso /opt/data
# vim /etc/fstab/root/cdrom.iso /opt/data iso9660 defaults,loop 0 0
# mount -a
# mount
Question 19
Configure the web server, which can be accessed by:
http://st ation. dom ain30. exa m ple.com .
Answer:
# yum install -y httpd
# chkconfig httpd on
# cd /etc/httpd/conf/
# vim httpd.conf
NameVirtualHost 172.24.30.5:80
<VirtualHost 172.24.30.5:80>
ServerName tation.domain30.example.com
</VirtualHost>
# service httpd restart
Question 20
Configure the web server, and implement the virtual host. http://www.domain30.example.com can
access the pages under the directory: http ://ip/ dir/ exam ple.htm l. And make sure,
http://station.domain30.example.com can also access the previous content.
Answer:
# mkdir -p /www/virtual
# cd /www/virtual
# wget http://ip/dir/example.com
# cp example.com index.html
# se manage fcontext -a -t httpd_sys_content_t /www/.*)?
restorecon -vRF /www
# vim /etc/httpd/conf/httpd.conf (Add new VirtualHost)
<VirtualHost 172.24.30.5:80>
DocumentRoot /www/virtual/
ServerName www.domain30.example.com
</VirtualHost>
# chcon -R --reference=/var/www/html/ /www/
OR
Use elinks to test.
# mkdir -p /www/virtual
# cd /www/virtual
# wget http://ip/dir/example.html
# mv example.html index.html
# chcon -R --reference=/var/www/html/ /www/
# ls -ldZ /www/virtual
# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName station.domain30.example.com
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /www/virtual/
ServerName www.domain30.example.com
</VirtualHost>
Question 21
Download file from http://ip/dir/restircted.html, and the local user harry can access it by
http://station.domain30.example.com/restircted.html, and cannot be accessed by t3gg.com.
Answer:
# cd /var/www/html
# wget http://ip/dir/restircted.htm
# iptables -A INPUT -s 172.25.0.0/16 -p tcp -dport 80 -j REJECT
# service iptables save
OR
# yum install httpd
# chkconfig httpd on
# cd /var/www/html
# wget http://ip/dir/restricted.html
# iptables -A INPUT 172.25.0.0/16 -p tcp --dport 80 -j REJECT
# service iptables save
# service iptables restart
# elinks http://station.domain30.example.com/restricted.html
Part 3
Question 30
There are two different networks 192.168.0.0/24 and 192.168.1.0/24. Where 192.168.0.254 and
192.168.1.254 IP Address are assigned on Server. Verify your network settings by pinging
192.168.1.0/24 Network's Host.
Answer:
1. vi /etc/sysconfing/network
NETWORKING=yes
HOSTNAME=station?.example.com
GATEWAY=192.168.0.254
2. service network restart
Or
1. vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=X.X.X.X
NETMASK=X.X.X.X
GATEWAY=192.168.0.254
2. ifdown eth0
3. ifup eth0
Question 31
One Logical Volume is created named as myvol under vo volume group and is mounted. The Initial
Size of that Logical Volume is 400MB. Make successfully that the size of Logical Volume 200MB
without losing any data. The size of logical volume 200MB to 210MB will be acceptable.
Answer:
1. First check the size of Logical Volume: lvdisplay /dev/vo/myvol
2. Make sure that the filesystem is in a consistent state before reducing:
# fsck -f /dev/vo/myvol
3. Now reduce the filesystem by 200MB.
# resize2fs /dev/vo/myvol 200M
4. It is now possible to reduce the logical volume.
#lvreduce /dev/vo/myvol -L 200M
4. Verify the Size of Logical Volume: lvdisplay /dev/vo/myvol
5. Verify that the size comes in online or not: df h
Question 32
You are giving RHCE exam. Examiner gave you the Boot related problem and told to you that make
successfully boot the System. When you started the system, System automatically asking the root
password for maintenance. How will you fix that problem?
Answer:
Maintenance mode also known as emergency mode. System boots on emergency mode when file
system error occurred. It is due to unknown partition, bad filesystem specified in /etc/fstab. To solve
follow the steps:
1. Give the Root password
2. fdisk -l Verify the Number of parathions
3. Identify the Root partition, e2label /dev/hda1, e2label /dev/hda2
4. Remount the root partition on rw mode: mount -o remount,defaults
/dev/hda6/
5. vi /etc/fstab
Correct all partitions, mount point, mount options, file system etc.
6. Press Ctrl+d
Question 33
You are working as an Administrator. There is a common data shared (/data) from 192.168.0.254
to all users in your local LAN. When user's system start, shared data should automatically mount
on /common directory.
Answer:
To automatically mount at boot time, we use the /etc/fstab file. Because /etc/rc.d/rc.sysinit file reads
and mount all file system specified in /etc/fstab. To mount Network Sharing Files also use the
/etc/fstab but filesystem is nfs.
1. vi /etc/fstab
192.168.0.254:/data / common nfs defaults 0 0
2. reboot the system
Question 34
Create the group named sysusers.
Answer:
1. groupadd sysusers
groupadd command is used to create the group and all group information is stored in /etc/group file.
Question 35
Create the user named jeff, marion, harold
Answer:
1. useradd jeff
2. useradd marion
3. useradd harold
useradd command is used to create the user.
All user's information stores in /etc/passwd and users shadow password stores in /etc/shadow.
Question 36
Make Secondary belongs the jeff and marion users on sysusers group. But harold user should not
belongs to sysusers group.
Answer:
1. usermod -G sysusers jeff
2. usermod -G sysuser marion
3. Verify by reading /etc/group file
Using usermod command we can make user belongs to different group. There are two types of
group one primary and another is secondary. Primary group can be only one but user can belongs
to more than one group as secondary.
usermod -g groupname username to change the primary group of the user
usermod -G groupname username to make user belongs to secondary group.
Question 37
Create the directory /storage and group owner should be the sysusers group.
Answer:
1. chgrp sysusers /storage
2. Verify using ls -ld /storage command
You should get like drwxr-x--- 2 root sysusers 4096 Mar 16 17:59 /storage chgrp command is used
to change the group ownership of particular files or directory.
Another way you can use the chown command.
chown root:sysusers /storage
Question 38
Make on /storage directory that only the user owner and group owner member can fully access.
Answer:
1. chmod 770 /storage
2. Verify using: ls -ld /storage
Preview should be like:
drwxrwx- 2 root sysusers 4096 Mar 16 18:08 /storage
To change the permission on directory we use the chmod command. According to the question that
only the owner user (root) and group member (sysusers) can fully access the directory so: chmod
770 /archive
RHCE Test Configuration Instructions
Information for the two systems you will use in test is the following:
system1.group3.example.com: is one of the main sever.
system2.group3.example.com: mainly used as a client.
Password for both of the two systems is atenorth
Systems IP is provided by DHCP, you can regard it as normal, or you can reset to Static IP in
accordance with the following requirements:
system1.group3.example.com: 172.24.3.5
system2.group3.example.com: 172.24.3.10
The subnet mask is 255.255.255.0
Your system is a member of DNS domain group3.example.com. All systems in DNS domain
group3.example.com are all in subnet 172.24.3.0/255.255.255.0, the same all systems in this
subnet are also in group3.example.com, unless specialized, all network services required to be
configured can be accessed by systems of domain group3.
host.group3.example.com provides a centralized authentication service domain
GROUP3.EXAMPLE.COM, both system1 and system2 have already been pre-configured to be the
client for this domain, this domain provides the following user account:
krishna (password: atenorth)
sergio (password: atenorth)
kaito (password: atenorth)

Firewall is enabled by default, you can turn it off when deemed appropriate, other settings about
firewall may be in separate requirements.
Your system will be restarted before scoring, so please ensure that all modifications and service
configurations you made still can be operated after the restart without manual intervention, virtual
machine instances of all examinations must be able to enter the correct multi-user level after restart
without manual assistance, it will be scored zero if the test using virtual machine system cannot be
restarted or be properly restarted.
Corresponding distribution packages for the testing using operating system Red Hat Enterprise
Linux version can be found in the following link: http://server1.group3.example.com/rhel
Part of the requirements include host security, ensure your host security limit does not prevent the
request to allow the host and network, you correctly configured the network service but would have
to allow the host or network is blocked, this also does not score.
You will notice that some requirements which clearly do not allow services be accessed by service
domain my133t.org, systems of this domain are in subnet 172.25.1.0/252.255.255.0, and systems
of these subnets also belong to my 133t.org domain.
PS: Notice that some test questions may depend on other exam questions, for example, you might
be asked to perform a series of restrictions on a user, but this user creation may be required in
other questions. For convenient identification, each exam questions have some radio buttons to
help you identify which questions you have already completed or not completed, Certainly, you do
not need to care these buttons if you dont need them.
1. Configure SELINUX
Modify the state of the SElinux to Enforcing mode
Use VIM /etc/selinux
Answer:
getenforce // View the current SELINUX mode
setenforce 1 // Sets the SElinux temporarily to enforcing mode
vim /etc/selinux/config
SELINUX=enforcing
:wq
getenforce
enforcing
2. Configure SSH Access

Configure SSH Access according to the following requirements:
(1) Users can remote access both of your two virtual machine systems through SSH from client of
domain group3.example.com
(2) Clients in domain my133t.org cannnot access both of your virtual machine systems
Answer:
Modify /etc/hosts.allow file
Add sshd: 172.24.11.
Modify /etc/hosts.deny file
Add sshd: 172.25.0.
// You need to configure that on both two virtual machine systems
Or
Add the firewall policy
firewall-cmd zone=block --add-source=172.25.11.0/24 --permanent
firewall-cmd reload
// You need to configure that on both two virtual machine systems
3. Customize the User Environment
Create a custom on system1 and system2 named qstat and this custom command will execute the
following command:
/bin/ps Ao pid,tt,user,fname,rsz
This command is valid for all users in systems.
Answer:
vim /etc/bashrc // Restart remain valid
alias qstat=/bin/ps Ao pid,tt,user,fname,rsz
:wq
source /etc/bashrc
alias // Check if there is qstat
qstat
// You need to configure that on both two systems
4. Configure Port Forwarding

Configure port forwarding on system1, requirements are as follows:
(1) The systems in network 172.24.11.0/24, local port 5423 for accessing system1 will be forwarded
to 80
(2) This setting must be permanent
Answer:
Using graphical interface configuration
In the CLI use firewall config - open graphical
interface Set configuration as permanent
Add a strategy to the public area of the Port
Forwarding
systemctl restart firewalld.service // Restart the firewall policy

5. Configure Link Aggregation
Configure a link between system1.group3.example.com and system2.group.example.com
according to the following requirements:
(1) This link use interfaces eth1 and eth2
(2) This link still can work when one of the interfaces fails
(3) This link use the following address 172.16.3.20/255.255.255.0 on system1
(4) This link use the following address 172.16.3.25/255.255.255.0 on system2
(5) This link still keep normal after system reboot
Answer:
If you don't remember how to write the name you can view the example in /var/share/doc/team -
1.9 / example_configs/
nmcli connection add con-name team0 type team ifname team0 config
'{"runner":{"name":"activebackup"}}'
nmcli con modify team0 ipv4.addresses '172.16.11.25/24'
nmcli connection modify team0 ipv4.method manual
team0
team0
nmcli connection up team0
6. Configure IPV6 Address

Configure interface eth0 on your test system, using the following Ipv6 address:
(1) The address of system1 should be 2003:ac18::305/64
(2) The address of system2 should be 2003:ac18::30a/64
(3) Both two systems must be able to communicate with systems in network 2003:ac18/64
(4) The address must still take effect after restart
(5) Bot two systems must maintain the current Ipv4 address and can communicate
Answer:
nmcli con mod eth0 ipv6.addresses 2003:ac18::305/64
nmcli con mod eth0 ipv6.addresses 2003:ac18::30a/64
ping6 2003:ac18::30a
7. Configure Local Mail Service
Configure mail service on system1 and system2, meet the following requirements:
(1) These services do not receive external sending mails
(2) Any mails transmitted by local will be automatically routed to rhgls.domain11.example.com
(3) Mails sent from these systems display from rhgls.domain11.example.com
(4) You can test you configuration by sending mails to local user arthur, system
rhgls.domain11.example.com
(6) You have already configured this users mail to the following URL
rhgls.domain11.example.com/received_mail/11
Answer:
postconf -e local_transport=err:XX
vim /etc/postfix/main.cf
relayhost=[rhgls.domain11.exmaple.com]
postconf -e myorigin=domain11.example.com
systemctl restart postfix
echo aaa | mail -S hello dave
Open in a browser rhgls.domain11.example.com/received_mail/11
8. Configure SMB Shared Folder
Configure the SMB service on system1
Your SMB server must be a member of the STAFF Working Group
Share the folder /common and the name must be common
Only clients of domain11.example.com can access the shared common
common must can be read
User andy must can read the content of the shared, if necessary, verification password is redhat
Answer:
system1:
yum -y install samba samba-client
firewall-cmd --add-service=samba --permanent
firewall-cmd --add-service=mountd permanent
workgroup = STAFF
[common]
path = /common
browseable = yes
:wq
mkdir /common
chcon R t samba_share_t /common/
smbpasswd -a andy
systemctl start smb
systemctl enable samba
system2:
yum install y cifs-utils samba-client
9. Configure Multi-User SMB Mounts
Share directory /devops via SMB and meet the following requirements:
(1) The share name is devops
(2) The shared directory devops can only be used by clients in domain domain11.example.com
(3) The shared directory must can be browsed
(4) User kenji must be able to access this share through reading, accessing password is redhat
(5) User chihiro must be able to access this share through reading and writing, accessing password
is redhat
This share permeant mount to directory /mnt/dev in system2.domain11.example.com, and let user
silene as an authentication that any users can obtain temporary permission to write through user
akira
Answer:
system1:
mkdir /devops
chcon -R -t samba_share_t /devops/
chmod o+w /devops/
[devops]
path = /devops
browseable = yes
writable = no
write list = akira
:wq
systemctl restart smb
smbpasswd -a silene
smbpasswd -a akira
system2:
mkdir /mnt/dev
smbclient -L /system1/ -U silene
vim /etc/fstab
//system1/devops /mnt/dev cifs
defaults,multiuser,username=silene,password=redhat,sec=ntlmssp 0 0
df hT
Testing:
Switch to user akira on system2, enter /mnt/dev and view the file
su akira
cd /mnt/dev
ls
cifscreds add system1
touch 1
10. Configure NFS Service
Configure NFS service on system1, requirements are as follows:
(1) Share the directory /public in read access and only can be accessed by systems in domain
domain11.example.com
(2) Share the directory /protected in read-write access and can be accessed by systems in
domain11.example.com
(3) Access /protected through secure encryption from kerberos, you can use the key from the
following URL http://host.domain11.example.com/materials/nfs_server.keytab
(4) The directory /protected should contain a subdirectory named project and owner is deepak
(5) User deepak can read-write access /protected/project
Answer:
system1:
vim /etc/exports
/protected 172.24.11.0/24(rw,sync,sec=krb5p)
/public 172.24.11.0/24(ro,sync)
http://host.domain11.example.com/materials/nfs_server.keytab
vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2 "
:wq
systemctl restart nfs
systemctl start nfs-secure-server
systemctl enable nfs-secure-server
exportfs ra
showmount e
firewall-cmd --add-service=nfs permanent
firewall-cmd --add-service=rpc-bind permanent
firewall-cmd --add-service=mountdpermanent
systemc tl restart fiewalld
mkdir -p /protected/project
chown deepak /protected/project/
ll /protected/
chcon -R -t public_content_t /protected/project/
11. Mount an NFS Share
Mount an NFS share system1.domain11.example.comon system2, and meet the following
requirements:
(1) Mount /public to the directory /mnt/nfsmount
(2) Mount /protected to the directory /mnt/nfssecure and use a safe mode. Key can download from
the following URL: http://host.domain11.example.com/materials/nfs_client.keytab
(3) User deepak can creat files in /mnt/nfssecure/project
(4) These file systems mount automatically when system start
Answer:
system2:
showmount -e system1
mkdir -p /mnt/nfsmount
vim /etc/fstab
system1:/public /mnt/nfsmount nfs defaults 0 0
mount a
df h
mkdir /mnt/nfssecure
vim /etc/fstab
system1:
/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0
:wq
mount a
12. Configure a Web Service
Configure a web on system1: http://systeml.domain11.example.com/ then implement the following
steps:
(1) Download file from http://rhgls.domain11.example.com/materials/station.html and rename this
file as index.html, dont modify the file contents
(2) Copy the file index.html to your web server's DocumentRoot directory
(3) Clients from domain group3.example.com can access to this web service
(4) Clients from domain my133t.org deny access to this web service
Answer:
yum groupinstall web\* -y
systemctl start httpd
systemctl enable httpd
vim /etc/httpd/conf/httpd.conf
/ServerName
ServerName server1.domain11.example.com:80
systemctl restart httpd
wget -O index.html
http://rhgls.domain11.example.com/materials/station.html
firewall-config
13. Configure Security Web Service

Configure TLS encryption a for the site http://systeml.domain11.example.com, get a signed
certificate from http://host.domain11 .example.com/mater ials/system1.crt , get the key for this
certificate from http://host.domain11.example.com/materials/system1.key, get this certificates
Signature and authorization information from
http://host.domain11.example.com/materials/domain11.crt
Answer:
<virtualhost *:80>
documentroot /var/www/html
servername system1.domain11.example.com
</virtualhost>
<virtualhost *:443>
documentroot /var/www/html
servername system1.domain11.example.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server1.crt
SSLCertificateKeyFile /etc/pki/tls/private/server1.key
SSLCertificateChainFile /etc/pki/tls/certs/domain11.crt
<virtualhost>
systemctl restart httpd
firewall-cmd --add-service=https permanent
14. Configure Virtual Hosts

Expand your web server on system1, create a virtual host for the site
http://www.domain11.example.com then perform the following steps:
(1) Set the DocumentRoot to /var/www/virtual
(2) Download a file from http://rhgls.domain11.example.com/materials/www.html and renamed as
index.html, dont do any modifications to index.html content
(3) Put the file index.html into the DocumentRoot directory of the virtual host
(4) Ensure user andy can create files under /var/www/virtual
Notice: the original site http://systeml.domian11.example.com/ must still can be accessed, the
name server domain11.example.com provide DNS for host name of www.domain11.example.com
Answer:
mkdir p /var/www/ virtual
cd /var/www/ virtual
wget O index.html http://rhgls.domain11.example.com/materials/www.html
vim /etc/httpd/conf/httpd.conf
<virtualhost *:80>
documentroot /var/www/virtual
servername www.domain11.example.com
</virtualhost>
setfacl -m u:andy:rwx /var/www/virtual
su andy
touch /var/www/virtual/11.html
15. Configure the Access to the Web Content
Create a directory named private under the directory DocumentRoot in the web server of system1,
requirements are the following:
(1) Download a copy of a file to this directory from
http://rhgls.domain11.example.com/materials/private.html and rename as index.htm
(2) Dont do any modifications to this file content
(3) Anyone can browse the content of private in system1, but cannot access this directory through
other systems
Answer:
mkdir /var/www/virtual/private
mkdir /var/www/html/private
cd /var/www/virtual/private
wget -O index.html
http://rhgls.domain11.example.com/materials/private.html
cd /var/www/html/private
wget -O index.html
http://rhgls.domain11.example.com/materials/private.html
<Directory "/var/www/html/private">
AllowOverride none
Require all denied
Require local
</Directory>
<Directory "/var/www/virtual/private">
AllowOverride none
Require local
Require all denied
</Directory>
16. Realize Dynamic Web Content
17. Create a script
18. Create a user Adding Script
19. Configure iSCSI Server
20. Configure iSCSI Client
21. Configure a Database
22. Database Query

Part A - V7 Exam Questions: 1. Configure SELINUX

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Part A - V7 Exam Questions: 1. Configure SELINUX

Uploaded by

Copyright:

Available Formats

Part A V7 Exam Questions

Modify the state of SElinux to Enforcing mode

Use VIM /etc/selinux

2. Configure the SSH Access

Configure the SSH Access as required:

Modify file /etc/hosts.allow

Add a line: sshd: 172.24.11.

Modify file /etc/hosts.deny

Add a line: sshd: 172.25.0.

Both of them need to be configured

firewall-cmd zone=block --add-source=172.25.11.0/24 --permanent

Both of them need to be configured

execute the following commands:

This command is valid for all users in the system

vim /etc/bashrc // restart and keep valid

alias qstat=/bin/ps -Ao pid,tt,user,fname,rsz

alias // check if there is a qstat

4. Configure Port Forwarding

Configure port forwarding on the system1, as required:

2. This setting must be valid permanently

Use Graphical interface to configure

Use firewall-config to open the Graphical interface in

CLI Adjust the configuration: drop-down menu to

permanent Adding a strategy to the port forward of

the public region

systemctl restart firewalld.service

// reload the firewall strategy

Configure a link between system1. group3.example.com and system2. group3.example.com as

1. This link use interface eth1 and eth2

2. This link still can work when one interface failed

3. This link use the following address 172.16.3.20/255.255.255.0 in system1

4. This link use the following address 172.16.3.25/255.255.255.0 in in system2

5. This link remains normal after the system is restarted

If forget how to write the name, can search examples in /var/share/doc/team-1.9/example_configs/

nmcli con modify team0 ipv4.addresses '172.16.11.25/24'

nmcli connection modify team0 ipv4.method manual

nmcli connection up team0

nmcli con up team0-p1

nmcli con up team0-p2

1. System1 address should be: 2003:acl8::305/64

2. System2 address should be: 2003:acl8::30a/64

4. Addresses must be valid after the restart

nmcli con mod eth0 ipv6.addresses 2003:ac18::305/64

nmcli con mod eth0 ipv6.method manual

systemctl restart network

nmcli con mod eth0 ipv6.addresses 2003:ac18::30a/64

nmcli con mod eth0 ipv6.method manual

systemctl restart network

Configure the mail service on system1 and system2, as required:

1. These systems do not accept external send mails

2. Any mails sent locally are automatically routed to rhgls.domain11.example.com

3. Mails sent from these systems will be displayed from rhgls.domain11.example.com

systemctl restart postfix

echo aaa | mail -S hello dave

Open rhgls.domain11.example.com/received_mail/11 in the browser

8. Share directories via SMB

Configure the SMB service on the system1

Your SMB server must be a member of the work group STAFF

Share /common and share name must be common

Common must be able to browse

yum -y install samba samba-client

firewall-cmd --add-service=samba --permanent

firewall-cmd --add-service=mountd permanent