Reflection:

Reflection:

Reflection in Agile means the team regularly looks back at how the work went and decides how to improve.

In Scrum, the formal event for reflection is the Sprint Retrospective. Sprint Retrospective as one of the five Scrum events, along with Sprint, Sprint Planning, Daily Scrum, and Sprint Review.

Simple definition

TermMeaning
ReflectionThinking back on recent work to learn what went well, what did not go well, and what should be improved.
Sprint RetrospectiveA Scrum meeting held at the end of the sprint where the team reflects on process, teamwork, tools, communication, and improvement actions.
AdaptationChanging the team’s approach based on what was learned from reflection.

Why do we need reflection?

Reflection helps the team improve continuously. It supports one of the Agile principles: teams should regularly reflect and adapt. Your slides mention “regular reflection and team adaptation” as part of the Agile principles.

It helps the team answer:

What worked well?
What problems slowed us down?
What should we change in the next sprint?

What the action looks like

At the end of a sprint, the team may hold a retrospective and discuss:

QuestionExample student/team answer
What went well?We completed most of the high-priority user stories.
What did not go well?Some stories were unclear, so estimation was difficult.
What should we improve?Add better acceptance criteria before sprint planning.
What action will we take next sprint?Product Owner will clarify stories before estimation.

Story Points

Story points are related to time, but they are not the same as time.

A story point is a relative estimate of the size of a user story. It considers:

FactorMeaning
EffortHow much work may be required
ComplexityHow difficult the work is
UncertaintyHow unclear or risky the work is
DependenciesWhether the story depends on other people, teams, systems, or information

Your slides explain that story points are used for relative sizing and consider complexity, effort, uncertainty, and dependencies, while hours are better used for task breakdown inside a sprint.

Simple example

StoryStory pointsPossible meaning
Add a button label change1 pointVery small, low risk
Create login page3 pointsModerate work
Build password reset with email verification5 pointsMore effort and testing
Build recommendation engine13 pointsLarge, complex, uncertain

A 5-point story does not always mean 5 hours. It means the team believes it is roughly bigger than a 3-point story and smaller than an 8-point story.

How story points connect to time

Story points become useful over multiple sprints through velocity.

Velocity = average story points completed per sprint.

For example:

SprintCompleted story points
Sprint 122
Sprint 226
Sprint 324

Average velocity = about 24 story points per sprint.

So if the remaining backlog has 96 story points, the team may estimate:

96 ÷ 24 = 4 sprints

So story points help forecast time at the sprint/release level, not at the individual-hour level.

Explanation

You can say:

Story points are not hours. Story points are a relative measure of story size. After a team completes a few sprints, we can use their average velocity to estimate how many sprints are needed to finish the backlog.

Good classroom warning

Avoid saying:

1 story point = 1 hour

That is usually not correct.

Better:

For this team, based on past performance, 20 story points may usually fit into a 2-week sprint.

So the relationship is:

Story points → help calculate velocity → velocity helps forecast time.

Sprint

Sprint length / iteration length by methodology

MethodologyCorrect termTypical lengthExplanation
AgileIteration / sprint, depending on frameworkUsually 1–4 weeksAgile is a broad mindset, not one fixed process. Different Agile frameworks use different time-boxes.
ScrumSprintUsually 1–4 weeksScrum uses a fixed-length sprint to plan, build, review, and improve. Your slides define a sprint as a time-boxed period of 1–4 weeks that creates a potentially shippable product increment.
XP / Extreme ProgrammingIterationUsually 1–2 weeks, sometimes up to 3 weeksXP uses short iterations to support frequent feedback, continuous integration, testing, refactoring, and small releases.
KanbanNo sprint requiredNo fixed sprint lengthKanban is based on continuous flow. Work is pulled through the board as capacity becomes available, rather than being planned into fixed sprints. Your slides describe Kanban as continuous flow with no fixed iterations.

Simple explanation

A sprint is a fixed time-box used mainly in Scrum. For example, a team may choose a 2-week sprint. At the beginning, they plan the work. During the sprint, they execute and track progress. At the end, they review the completed increment and hold a retrospective.

In XP, the idea is similar, but the term iteration is more common. XP iterations are usually short because XP emphasizes quick feedback, frequent releases, testing, and continuous improvement.

In Kanban, there is normally no sprint length because work flows continuously. Instead of saying, “What can we finish in the next two weeks?”, a Kanban team asks, “What is the next highest-priority item we can pull now, based on available capacity and WIP limits?”

For students, you can say:

Scrum works in fixed sprints. XP works in short iterations. Kanban works in continuous flow. Agile is the umbrella concept that can include all of these approaches.

WIP Limits:

WIP limits means Work-In-Progress limits.

In Kanban, a WIP limit sets the maximum number of work items allowed in one workflow stage at the same time. For example, a team may decide that only 3 user stories can be in In Progress at once. Your slides define WIP limits as a constraint-based approach used to optimize flow and prevent overloading the team.

TermMeaning
WIPWork currently started but not yet finished
WIP LimitMaximum number of items allowed in a stage
PurposePrevent too much work from being started at once
BenefitHelps reveal bottlenecks and improves delivery speed
Common Kanban columnsBacklog → To Do → In Progress → Review/Testing → Done

Example:

Kanban ColumnWIP LimitMeaning
To DoNo limitWork waiting to be started
In Progress3Only 3 items can be actively worked on
Review / Testing2Only 2 items can wait for review/testing
DoneNo limitCompleted work

Simple explanation:

WIP limits stop the team from starting too many things at the same time. Instead of everyone beginning new tasks, the team focuses on finishing existing work first.

What the action looks like:

A team has 3 stories already in In Progress, and the WIP limit is 3. A developer cannot pull another story into In Progress until one of the current stories moves to Review or Done.

This helps the team ask:

“Why is work stuck here?”
“Do we need to help finish current work before starting new work?”
“Is testing or review becoming a bottleneck?”

In Jira or a Kanban board, WIP limits usually appear as a number on top of a column, such as:

In Progress 3/3

That means the column is full. The team should finish or move existing work before starting more.

If windows auto-configured IP was difficult to remove

Your screenshot confirms:

IPv4 Address: 192.168.55.20 (Duplicate)
Autoconfiguration IPv4 Address: 169.254.245.211

So Windows is still rejecting 192.168.55.20. Use a different member-server IP, such as:

192.168.55.21

Run these on MEM01/member VM as Administrator.

1. Remove the bad duplicate IP

Get-NetIPAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4 |
Where-Object { $_.IPAddress -like "192.168.55.*" } |
Remove-NetIPAddress -Confirm:$false

2. Restart the adapter

Restart-NetAdapter -Name "Ethernet"

3. Assign a new IP

New-NetIPAddress `
-InterfaceAlias "Ethernet" `
-IPAddress 192.168.55.21 `
-PrefixLength 24

Do not add a default gateway for host-only network.

4. Set DNS to the Domain Controller

Set-DnsClientServerAddress `
-InterfaceAlias "Ethernet" `
-ServerAddresses 192.168.55.10

5. Verify

ipconfig /all

You want:

IPv4 Address: 192.168.55.21
Subnet Mask: 255.255.255.0
DNS Servers: 192.168.55.10

No (Duplicate).

6. Test

ping 192.168.55.10
Resolve-DnsName powershell.local -Server 192.168.55.10

Your final setup becomes:

Windows 11 host: 192.168.55.1
DC01:            192.168.55.10
MEM01:           192.168.55.21

Also make sure no other VM is running with 192.168.55.20. The duplicate message usually means another machine already has that IP, or the clone/network adapter still has a conflict.

REF: AI Tools/ChatGPT

Check if DNS is working

On the Domain Controller

DNS should be installed and running:

Get-WindowsFeature DNS

Check DNS service:

Get-Service DNS

Check DNS zones:

Get-DnsServerZone

The DC should usually point DNS to itself:

Set-DnsClientServerAddress -InterfaceAlias “Ethernet” -ServerAddresses 127.0.0.1

or sometimes to its own IP:

Set-DnsClientServerAddress -InterfaceAlias “Ethernet” -ServerAddresses 192.168.56.10

On the Windows client

The client DNS must point to the Domain Controller IP, not Google DNS or router DNS:

Set-DnsClientServerAddress -InterfaceAlias “Ethernet” -ServerAddresses 192.168.56.10

Then test:

Resolve-DnsName powershell.local

Test-Connection 192.168.56.10

Test-NetConnection 192.168.56.10 -Port 53

Client Side

Set-DnsClientServerAddress -InterfaceAlias “Ethernet 14” -ServerAddresses 192.168.56.10

Q & A: Linux: Switch Users, Boot Process, File System

Quiz: Root Access, Boot Process, File Systems, Partitions, and Mounting

1. True/False

The root user is the superuser account and has the highest access rights on a Linux system.

Answer: True


2. True/False

It is recommended to stay logged in as root for normal daily work because it is faster.

Answer: False
Explanation: Staying logged in as root is risky because mistakes may affect the entire system.


3. Multiple Choice

Which command is preferred when you need to run one privileged command?

A. su -
B. sudo command
C. exit
D. whoami

Answer: B. sudo command


4. Multiple Choice

What does the command below do?

su -

A. Runs one command as root
B. Opens a login shell as root
C. Shows the current user
D. Lists mounted filesystems

Answer: B. Opens a login shell as root


5. Multiple Choice

Which process is usually started by the kernel as the first userspace process?

A. GRUB
B. BIOS
C. systemd or init
D. fdisk

Answer: C. systemd or init


6. Multiple Choice

Which systemd target usually represents a non-graphical multi-user system?

A. poweroff.target
B. rescue.target
C. multi-user.target
D. graphical.target

Answer: C. multi-user.target


7. Multi-Select

Which of the following are risks of using the root account directly?

Select all that apply.

A. Accidental system-wide file changes
B. Running ordinary tasks with unnecessary privileges
C. Forgetting that you are logged in as root
D. More accountability than sudo
E. Background processes may run with root privilege

Answers: A, B, C, E


8. Multi-Select

Which commands are commonly part of the basic partition, format, mount, and verify workflow?

Select all that apply.

A. lsblk
B. fdisk
C. mkfs
D. mount
E. df -h
F. passwd

Answers: A, B, C, D, E


9. Multi-Select

Which statements about filesystems are correct?

Select all that apply.

A. A filesystem organizes data and metadata on storage
B. Journaling can reduce recovery time after an unclean shutdown
C. ext4 is commonly used on many Linux distributions
D. FAT is a modern Linux-native journaling filesystem
E. NTFS is associated with Microsoft Windows

Answers: A, B, C, E


10. Fill in the Blank with Choices

A filesystem defines how __________ and metadata are organized and accessed on a storage device.

A. users
B. data
C. passwords
D. targets

Answer: B. data


11. Fill in the Blank with Choices

The Linux filesystem table is stored in the file __________.

A. /etc/passwd
B. /etc/fstab
C. /boot/grub
D. /var/log

Answer: B. /etc/fstab


12. Fill in the Blank with Choices

On modern systems, __________ is normally preferred over MBR for large disks unless compatibility requires MBR.

A. FAT
B. GPT
C. ext2
D. BIOS

Answer: B. GPT


13. Matching

Match each FHS directory with its purpose.

DirectoryPurpose
1. /etcA. User home directories
2. /varB. Device files
3. /homeC. System-wide configuration files
4. /devD. Logs and changing data
5. /bootE. Boot loader files and kernels

Answer:

DirectoryCorrect Purpose
/etcC
/varD
/homeA
/devB
/bootE

14. Matching

Match each command with its purpose.

CommandPurpose
1. lsblkA. Format a partition with a filesystem
2. fdiskB. Show block devices
3. mkfsC. Modify partition tables
4. mountD. Attach a filesystem to the Linux directory tree
5. umountE. Detach a mounted filesystem

Answer:

CommandCorrect Purpose
lsblkB
fdiskC
mkfsA
mountD
umountE

15. Ordering

Put the boot stages in the correct order.

A. Kernel starts init/systemd
B. BIOS/UEFI starts
C. GRUB loads the selected kernel
D. System reaches target/services
E. MBR or boot loader code begins the boot manager stage

Correct Order:

  1. B
  2. E
  3. C
  4. A
  5. D

16. Ordering

Put the storage setup steps in the correct order.

A. Format the partition with mkfs
B. Identify the disk with lsblk
C. Mount the filesystem
D. Create a partition using fdisk
E. Verify using df -h

Correct Order:

  1. B
  2. D
  3. A
  4. C
  5. E

17. Short Answer

Explain the difference between sudo and su -.

Sample Answer:
sudo runs a single command with elevated privileges and logs the action. su - opens a new login shell as another user, usually root if no username is provided. sudo is safer for one administrative task, while su - is used when a full shell as another user is needed.


18. Hands-on Short Answer

Write commands to format /dev/sdb1 as ext4, create /mnt/test, mount the partition, and verify it.

Sample Answer:

sudo mkfs -t ext4 /dev/sdb1
sudo mkdir -p /mnt/test
sudo mount -t ext4 /dev/sdb1 /mnt/test
df -h

19. Analytical Short Answer

Why is /dev/sdb commonly used with fdisk, but /dev/sdb1 is commonly used with mkfs?

Sample Answer:
/dev/sdb represents the whole disk, so fdisk uses it to create or modify the disk’s partition table. /dev/sdb1 represents a specific partition, so mkfs formats that partition with a filesystem.


20. Higher-Order Short Answer

A server should automatically mount a new ext4 partition after every reboot. Which file should be configured, and what information does it need?

Sample Answer:
The file /etc/fstab should be configured. It needs the filesystem or UUID, mount point, filesystem type, mount options, dump value, and filesystem check pass value. Example pattern:

UUID=... /mnt/data ext4 defaults 0 2

This allows the system to mount the filesystem automatically during boot.

REF: AI Tools/ChatGPT

Special Permissions: SUID, SGID, sticky bit

Linux Special Permissions: SUID, SGID, and Sticky Bit

Linux normally uses three permission groups:

u = user/owner
g = group
o = others

And three basic permissions:

r = read
w = write
x = execute

Example:

ls -l file.txt

Output:

-rwxr-xr--

But Linux also has special permissions:

SUID       = user +s
SGID       = group +s
Sticky Bit = others +t

They appear in ls -l output as:

s, S, t, or T

1. SUID — Set User ID

Meaning

SUID means:

When an executable file runs, it runs with the permission of the file owner, not the user who started it.

SUID is mainly useful on executable programs, not normal text files.

Set SUID

chmod u+s filename

Numeric form:

chmod 4755 filename

The 4 means SUID.

Remove SUID

chmod u-s filename

Example: /usr/bin/passwd

The passwd command lets a normal user change their own password.

ls -l /usr/bin/passwd

Possible output:

-rwsr-xr-x 1 root root ... /usr/bin/passwd

Notice:

rws

The s appears in the user execute position.

Normal owner permission would be:

rwx

With SUID, it becomes:

rws

Because /usr/bin/passwd is owned by root, when a normal user runs:

passwd

the program temporarily runs with the file owner’s privilege, which is root, but only for the controlled task of changing the password.


SUID: lowercase s vs uppercase S

This is very important.

Lowercase s

Lowercase s means:

SUID is set AND owner execute permission exists.

Example:

touch demo
chmod 755 demo
chmod u+s demo
ls -l demo

Output:

-rwsr-xr-x 1 user user ... demo

Here:

rws

means:

owner has read + write + execute
SUID is also set

Uppercase S

Uppercase S means:

SUID is set BUT owner execute permission is missing.

Example:

touch demo
chmod 644 demo
chmod u+s demo
ls -l demo

Output:

-rwSr--r-- 1 user user ... demo

Here:

rwS

means:

SUID is set
but owner execute permission is missing

So uppercase S usually means the special permission is set, but it is not useful for execution because x is missing.


2. SGID — Set Group ID

Meaning on files

SGID on an executable file means:

When the file runs, it runs with the permission of the file’s group owner.

Meaning on directories

SGID is especially useful on directories.

On a directory, SGID means:

New files and subdirectories created inside the directory inherit the directory’s group ownership.

This is very useful for shared project folders.


Set SGID

chmod g+s filename_or_directory

Numeric form:

chmod 2755 filename_or_directory

The 2 means SGID.

Remove SGID

chmod g-s filename_or_directory

Example: Shared project directory

Suppose we have a group named developers.

sudo mkdir /project
sudo chgrp developers /project
sudo chmod 2775 /project

Check:

ls -ld /project

Possible output:

drwxrwsr-x 2 root developers ... /project

Notice the group part:

rws

That means:

group has read + write + execute
SGID is set

Now when a user creates a file inside /project, the file can inherit the directory’s group:

touch /project/app.txt
ls -l /project/app.txt

Possible output:

-rw-r--r-- 1 alice developers ... app.txt

Even if Alice’s normal primary group is different, the file is created with the developers group because the parent directory has SGID.


SGID: lowercase s vs uppercase S

Lowercase s

Lowercase s means:

SGID is set AND group execute permission exists.

Example:

mkdir shared
chmod 775 shared
chmod g+s shared
ls -ld shared

Output:

drwxrwsr-x 2 user user ... shared

The group permission part is:

rws

This means SGID is set and the group can enter/search the directory.

Uppercase S

Uppercase S means:

SGID is set BUT group execute permission is missing.

Example:

mkdir shared
chmod 764 shared
chmod g+s shared
ls -ld shared

Output:

drwxrwSr-- 2 user user ... shared

The group permission part is:

rwS

This means SGID is set, but group execute is missing.

For a directory, this is usually a problem because group members need x permission to enter or access items inside the directory.


3. Sticky Bit

Meaning

The Sticky Bit is mostly used on directories.

It means:

Users can create files in the directory, but they can delete only their own files.

This is useful for shared writable directories.


Set Sticky Bit

chmod o+t directory

Numeric form:

chmod 1777 directory

The 1 means Sticky Bit.

Remove Sticky Bit

chmod o-t directory

Example: /tmp

The /tmp directory is shared by many users and programs.

ls -ld /tmp

Possible output:

drwxrwxrwt 10 root root ... /tmp

Notice the last character:

t

That means Sticky Bit is set.

The directory is writable by many users, but one user cannot delete another user’s files.


Example: Create a shared temporary directory

sudo mkdir /sharedtmp
sudo chmod 1777 /sharedtmp
ls -ld /sharedtmp

Output:

drwxrwxrwt 2 root root ... /sharedtmp

Now different users can create files inside /sharedtmp, but they cannot delete files owned by other users.


Sticky Bit: lowercase t vs uppercase T

Sticky Bit uses t or T, not s or S.

Lowercase t

Lowercase t means:

Sticky Bit is set AND others execute permission exists.

Example:

mkdir sharedtmp
chmod 777 sharedtmp
chmod o+t sharedtmp
ls -ld sharedtmp

Output:

drwxrwxrwt 2 user user ... sharedtmp

The others permission part is:

rwt

This means:

others have read + write + execute
Sticky Bit is set

Uppercase T

Uppercase T means:

Sticky Bit is set BUT others execute permission is missing.

Example:

mkdir sharedtmp
chmod 776 sharedtmp
chmod o+t sharedtmp
ls -ld sharedtmp

Output:

drwxrwxrwT 2 user user ... sharedtmp

The others permission part is:

rwT

This means Sticky Bit is set, but others do not have execute permission.

For a directory, this usually means others cannot properly enter or access the directory.


Quick Summary of s, S, t, and T

SymbolLocation in ls -lMeaning
suser execute positionSUID set and user execute exists
Suser execute positionSUID set but user execute missing
sgroup execute positionSGID set and group execute exists
Sgroup execute positionSGID set but group execute missing
tothers execute positionSticky Bit set and others execute exists
Tothers execute positionSticky Bit set but others execute missing

Visual Examples

Normal executable file

-rwxr-xr-x

Owner has execute permission.

SUID with execute

-rwsr-xr-x

SUID is active and owner execute exists.

SUID without execute

-rwSr-xr-x

SUID is set, but owner execute is missing.


Normal group-executable directory

drwxrwxr-x

Group has execute permission.

SGID directory with execute

drwxrwsr-x

SGID is active and group execute exists.

SGID directory without group execute

drwxrwSr-x

SGID is set, but group execute is missing.


Sticky Bit directory with others execute

drwxrwxrwt

Sticky Bit is active and others execute exists.

Sticky Bit directory without others execute

drwxrwxrwT

Sticky Bit is set, but others execute is missing.


Numeric Permission Summary

Special permissions are added before the normal three permission digits.

PermissionNumeric valueExample
SUID4chmod 4755 program
SGID2chmod 2775 shareddir
Sticky Bit1chmod 1777 sharedtmp

Examples:

chmod 4755 program      # SUID + rwxr-xr-x
chmod 2755 directory    # SGID + rwxr-xr-x
chmod 1777 directory    # Sticky Bit + rwxrwxrwx

You can also combine them:

chmod 6755 program

Here:

6 = 4 + 2

So 6755 means:

SUID + SGID + rwxr-xr-x

Command Summary

Set SUID:

chmod u+s program

Remove SUID:

chmod u-s program

Set SGID:

chmod g+s directory

Remove SGID:

chmod g-s directory

Set Sticky Bit:

chmod o+t directory

Remove Sticky Bit:

chmod o-t directory

Check permissions:

ls -l filename
ls -ld directory

Practical Use Cases

SUID use case

Used when a normal user needs to run a specific program with the file owner’s privileges.

Common example:

ls -l /usr/bin/passwd

Possible output:

-rwsr-xr-x 1 root root ... /usr/bin/passwd

This allows users to change their passwords safely without giving them full root access.


SGID use case

Used for shared team directories.

Example:

sudo mkdir /team
sudo chgrp developers /team
sudo chmod 2775 /team

Result:

drwxrwsr-x root developers /team

Files created inside /team inherit the developers group.


Sticky Bit use case

Used for shared writable directories where users should not delete each other’s files.

Example:

sudo mkdir /publicdrop
sudo chmod 1777 /publicdrop

Result:

drwxrwxrwt root root /publicdrop

Users can create files, but they cannot delete other users’ files.


Final Blog Summary

SUID: Run an executable as the file owner.
SGID: Run an executable as the file group, or make files inherit a directory group.
Sticky Bit: In shared directories, users can delete only their own files.

The lowercase letters mean the related execute permission is present:

s = SUID/SGID + execute
t = Sticky Bit + execute

The uppercase letters mean the special permission is set, but execute is missing:

S = SUID/SGID set, execute missing
T = Sticky Bit set, execute missing

For practical use, lowercase s and t are usually what you expect to see. Uppercase S or T often indicates a permission setup that should be reviewed.

REF: AI Tools/ChatGPT

Why? Max permissions on a file: 666? what if I give 777?

When people say:

Max permissions on a file: 666

they usually mean default maximum permissions when a new regular file is created, not the maximum you can manually set.

1. Default maximum for new files: 666

For a new regular file, Linux normally starts from:

666 = rw-rw-rw-

That means:

owner  = read + write
group  = read + write
others = read + write

No execute permission by default.

Why? Because most new files are text files, data files, documents, config files, etc. They should not automatically be executable.

Example:

touch file1.txt
ls -l file1.txt

You may see something like:

-rw-r--r-- 1 user user file1.txt

The actual permission is affected by the umask.


2. Default maximum for directories: 777

For a new directory, Linux normally starts from:

777 = rwxrwxrwx

Why? Because directories need x permission to be entered or searched.

Example:

mkdir dir1
ls -ld dir1

You may see:

drwxr-xr-x 2 user user dir1

Again, the final permission is affected by the umask.


3. What if I give a file 777?

You can manually give a file 777:

chmod 777 file1.txt
ls -l file1.txt

Output:

-rwxrwxrwx 1 user user file1.txt

This means:

owner  = read + write + execute
group  = read + write + execute
others = read + write + execute

So everyone can read, modify, and execute the file.


4. Is 777 allowed?

Yes, it is allowed.

But it is usually not safe.

For a regular file, 777 means any user can change the file and possibly run it as a program or script.

For example, this is risky:

chmod 777 script.sh

because any user may be able to modify the script and then execute it.


5. Better permissions

For a normal text/config/data file:

chmod 644 file.txt

Meaning:

owner can read/write
group can read
others can read

For a private file:

chmod 600 file.txt

For a script that only the owner should run:

chmod 700 script.sh

For a script others can read and execute but not modify:

chmod 755 script.sh

Simple summary

666 = normal maximum default for new files
777 = normal maximum default for new directories
777 on a file is possible, but usually unsafe

Slide-friendly version:

Linux does not give execute permission to new regular files by default. New files start from a maximum of 666, while directories start from 777 because directories need execute permission to be entered. A file can be changed to 777 manually, but this gives everyone read, write, and execute access, which is usually insecure.

REF: AI Tools/ChatGPT

Define and describe Selinux in general terms

SELinux stands for Security-Enhanced Linux.

It is a Linux security system that adds an extra layer of protection to the operating system. It controls what users, programs, services, and processes are allowed to do.

A simple definition:

SELinux is a security feature in Linux that enforces strict rules about which processes can access which files, directories, ports, and system resources.

General idea

Normal Linux permissions ask:

Does this user have permission to access this file?

SELinux asks an additional question:

Is this process allowed by security policy to access this object?

So even if normal file permissions allow access, SELinux can still block it.

Example

Suppose Apache web server tries to read:

/var/www/html/index.html

Normal permissions may allow it:

-rw-r--r--

But SELinux also checks the file’s security label. If the file has the wrong SELinux label, Apache may be denied access.

Example command:

ls -Z /var/www/html/index.html

This shows SELinux security context labels.

Why SELinux is useful

SELinux helps protect the system if a service is misconfigured or compromised.

For example, if a web server is attacked, SELinux can limit what the web server process is allowed to access. The attacker may control the web server process, but SELinux can still prevent it from reading unrelated system files.

Common SELinux modes

getenforce

Possible outputs:

Enforcing
Permissive
Disabled
ModeMeaning
EnforcingSELinux policy is active and blocks unauthorized actions
PermissiveSELinux does not block, but logs warnings
DisabledSELinux is turned off

Slide-friendly summary

SELinux is a mandatory access control system for Linux. It uses security policies and labels to control what processes can access. It provides extra protection beyond normal Linux permissions.

REF: AI Tools/ChatGPT

Linux: setfacl remove a user completely

To remove a specific user completely from ACL permissions, use setfacl -x.

Remove a user ACL from a file

setfacl -x u:username filename

Example:

setfacl -x u:john report.txt

Check:

getfacl report.txt

Remove a user ACL from a directory

setfacl -x u:username directoryname

Example:

setfacl -x u:john projectdir

If the directory has default ACLs too

For directories, a user may have:

  1. Access ACL — applies to the directory itself
  2. Default ACL — automatically inherited by new files/subdirectories created inside

Remove both:

setfacl -x u:john projectdir
setfacl -x d:u:john projectdir

Or in one command:

setfacl -x u:john,d:u:john projectdir

Remove user ACL recursively

To remove that user from a directory and everything inside it:

setfacl -R -x u:john projectdir

To remove both access ACL and default ACL recursively:

setfacl -R -x u:john,d:u:john projectdir

Important note

This removes the user from the ACL, but it does not delete the Linux user account.

Also, if that user is the owner of the file, removing ACL will not remove owner permissions. You would need chown or chmod for that.

Example:

chown otheruser report.txt
chmod 640 report.txt

Remove all ACL entries from a file

To remove all extended ACLs, not just one user:

setfacl -b filename

Example:

setfacl -b report.txt

Use this carefully because it removes all extra ACL users/groups.

REF: AI Tools/ChatGPT