
SELinux

Context

A security context has the form user:role:type:sensitivity, where the sensitivity (MLS/MCS) part is optional.

Examples

user_u:user_r:user_t

system_u:object_r:lib_t

Policy

allow user_t bin_t:file { execute };
allow user_t user_bin_t:file { execute };

Access controls

SELinux combines three models: type enforcement, role-based access control and user-based access control.

Type enforcement

Type enforcement is the main mechanism; most SELinux rules are written against types. A rule such as

allow user_t lib_t:file { execute };

grants one access vector. An access vector contains
- the source context (such as user_t)
- the target context (such as lib_t)
- the class of the target (such as file)
- the activity, i.e. the permission, that is invoked (such as execute)

The classes and permissions the running kernel knows about can be listed from selinuxfs:

ls /sys/fs/selinux/class
ls /sys/fs/selinux/class/file/perms/
ls /sys/fs/selinux/class/tcp_socket/perms/
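To make the access-vector idea concrete, here is a small evaluator added to these notes (it is not part of the original notes or of any SELinux tool). It parses allow rules in the syntax shown above into a map keyed by (source type, target type, class) and answers whether a given access vector is permitted, defaulting to deny. The rule set is constructed sample data; real policy also has attributes, type transitions and constraints, which this toy parser does not handle.

```python
"""Minimal evaluator for SELinux type-enforcement allow rules (added example)."""
import re
from collections import defaultdict

# Constructed sample policy mirroring the rules quoted in the notes.
SAMPLE_POLICY = """
allow user_t bin_t:file { execute };
allow user_t user_bin_t:file { execute };
allow user_t lib_t:file { execute };
allow user_t user_home_t:dir { read write execute close open };
allow user_t user_home_t:file { read write execute close open };
allow user_t self:tcp_socket { create connect };
allow user_t etc_t:file read;
"""

# allow SRC TGT:CLASS { perm perm ... };   or   allow SRC TGT:CLASS perm;
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s*"
    r"(?:\{\s*(?P<perms>[\w\s]*?)\s*\}|(?P<perm>\w+))\s*;$"
)


def parse_policy(text):
    """Return {(src, tgt, cls): set(perms)} for every allow rule in text."""
    allowed = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        allowed[(m.group("src"), m.group("tgt"), m.group("cls"))].update(perms)
    return dict(allowed)


def is_allowed(policy, src, tgt, cls, perm):
    """Default deny: only an explicit allow grants the access vector.
    A rule whose target is `self` applies when source and target types match."""
    granted = set(policy.get((src, tgt, cls), ()))
    if src == tgt:
        granted |= policy.get((src, "self", cls), set())
    return perm in granted


def check_vector(policy, src, tgt, cls, perm):
    """Human-readable verdict for one access vector."""
    verdict = "allowed" if is_allowed(policy, src, tgt, cls, perm) else "denied"
    return f"{src} -> {tgt}:{cls} {{ {perm} }}: {verdict}"


POLICY = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for av in [
        ("user_t", "bin_t", "file", "execute"),
        ("user_t", "bin_t", "file", "write"),
        ("user_t", "user_t", "tcp_socket", "connect"),
        ("staff_t", "user_home_t", "file", "read"),
    ]:
        print(check_vector(POLICY, *av))
```

Every denied vector here corresponds to what the kernel would log as an AVC denial; the point to take away is that nothing is reachable without an explicit allow for that exact (source, target, class, permission) tuple.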
   

Role-based access control

Roles are like caps that a user can put on. A user is always assigned to a role, but can decide to switch roles. In SELinux, roles decide which types a process context can be in. Types for processes are also called domains.

Common roles: user_r, staff_r, sysadm_r, dbadm_r

seinfo -r user_r -x    ## show the role, including the domains it may enter

User-based access control

The SELinux user is immutable: unlike the role and the type it does not change during a session. It decides which roles someone is allowed to go to.

seinfo -u staff_u -x    ## roles (and MLS range) of the staff_u SELinux user
semanage user -l        ## SELinux users with their roles and ranges
semanage login -l       ## Linux login to SELinux user mappings
 
ls -ldZ /home/userA/somefile /home/userB/somefile
-rwx------. userA userA  userA_u:object_r:user_home_t /home/userA/somefile
-rwxrw-rw-. userB userB  userB_u:object_r:user_home_t /home/userB/somefile

Both files carry the same type, user_home_t, so the type-enforcement rules below would let any user_t process access either file. What separates them is the SELinux user in each context (userA_u versus userB_u), which user-based access control checks, on top of the ordinary DAC permission bits.

allow user_t user_home_t:dir { read write execute close open ... };
allow user_t user_home_t:file { read write execute close open ... };

Multi-level security (sensitivity)

user_u:user_r:user_t:s0
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1024

The MLS field is either a single level (s0) or a range low-high (s0-s0:c0.c1024) giving the lowest and highest level the process may operate at. A level has two parts:
  1. The first part is the sensitivity level, which is an integer representation (s0, s1, ...)
  2. The second part is the category set, which are integers as well (c0, c1, ...)

s0 is public data, s1 internal, s2 confidential and s3 strictly confidential.

A few examples of category sets are:
- c0 meaning category 0
- c0,c4 meaning categories 0 and 4
- c0.c4 meaning categories 0 up to 4 (so 0, 1, 2, 3 and 4)
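The following parser is added to these notes (it is not from the original notes or from libselinux) and covers both the context layout from the top of the page, user:role:type[:range], and the MLS syntax just described. It expands c0, c0,c4 and c0.c4 into integer sets and goes one step beyond the notes by implementing the standard MLS dominance test: a level dominates another when its sensitivity is at least as high and its category set is a superset, which is the comparison behind "no read up". All contexts in the block are constructed samples.

```python
"""Parse SELinux contexts and compare MLS levels (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int        # sN -> N
    categories: frozenset   # {0, 4} for c0,c4

    def dominates(self, other):
        """Bell-LaPadula dominance: higher-or-equal sensitivity and superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec):
    """Expand 'c0', 'c0,c4' or 'c0.c4' (inclusive range) into a frozenset of ints."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text):
    """'s0' or 's0:c0.c1024' -> Level."""
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    return Level(int(m.group(1)), parse_categories(cats))


def parse_range(text):
    """'s0' or 's0-s0:c0.c1024' -> (low, high); a single level means low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not hi.dominates(lo):
        raise ValueError("high level must dominate low level")
    return lo, hi


def parse_context(ctx):
    """'user:role:type' or 'user:role:type:range' -> dict of the four fields."""
    parts = ctx.split(":", 3)   # the range may itself contain ':'
    if len(parts) < 3:
        raise ValueError(f"bad context: {ctx!r}")
    user, role, type_ = parts[:3]
    rng = parse_range(parts[3]) if len(parts) == 4 else None
    return {"user": user, "role": role, "type": type_, "range": rng}


def can_read(subject_ctx, object_ctx):
    """'No read up': the subject's high level must dominate the object's low level.
    Contexts without an MLS field are treated as s0 with no categories."""
    s = parse_context(subject_ctx)["range"] or (parse_level("s0"),) * 2
    o = parse_context(object_ctx)["range"] or (parse_level("s0"),) * 2
    return s[1].dominates(o[0])


if __name__ == "__main__":
    # Constructed sample contexts.
    print(parse_context("sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1024"))
    print(can_read("user_u:user_r:user_t:s0", "system_u:object_r:etc_t:s0:c2"))
```

Running it shows that the sysadm range covers 1025 categories and that a plain s0 subject cannot read an object carrying category c2, even though both sit at sensitivity s0.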


sestatus                 ## SELinux mode, loaded policy and status

id -Z                    ## context of the current session

ls -lZ metadata.xml      ## file context

ps -eZ | grep init       ## process context

seinfo --portcon=80      ## port context

 

Manage labels

chcon -t net_conf_t /etc/resolv.conf    ## change the type on the file itself; lost on the next relabel

restorecon /etc/resolv.conf    ## reset the label to what the file-context rules say

semanage fcontext -l | grep resolv    ## list the file-context rules mentioning resolv

semanage fcontext -a -t net_conf_t /etc/puppet-resolv\.conf    ## add a persistent rule, then run restorecon to apply it
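The difference between a label set with chcon and one recorded with semanage fcontext is easy to miss until a relabel wipes the former. The simulation below is added to these notes (it is not from the original notes or from the SELinux tools); it keeps an in-memory label store, a list of file-context rules, and three operations modelled on chcon, restorecon and semanage fcontext -a. The rules and paths are constructed, and the matcher is a simplified stand-in for the real lookup: the matching regex with the longest literal prefix wins, later rules break ties.

```python
"""Simulate chcon, restorecon and semanage fcontext on an in-memory tree (added example)."""
import re


class LabelStore:
    def __init__(self, fcontext_rules):
        # (regex, type) pairs, in the order `semanage fcontext -l` would list them
        self.rules = list(fcontext_rules)
        self.labels = {}   # path -> type currently stored on "disk"

    @staticmethod
    def _literal_prefix(regex):
        """Length of the leading run of the regex that contains no metacharacters."""
        n = 0
        for ch in regex:
            if ch in ".^$*+?()[]{}|\\":
                break
            n += 1
        return n

    def expected_type(self, path):
        """Type the file-context rules assign to `path`, or None if no rule matches.
        Simplified matching (assumption): longest literal prefix wins, later rule on ties."""
        best = None
        for regex, type_ in self.rules:
            if re.fullmatch(regex, path):
                prefix = self._literal_prefix(regex)
                if best is None or prefix >= best[0]:
                    best = (prefix, type_)
        return best[1] if best else None

    def chcon(self, path, type_):
        """chcon -t TYPE PATH: rewrite the stored label only; no rule is recorded."""
        self.labels[path] = type_

    def semanage_fcontext_add(self, regex, type_):
        """semanage fcontext -a -t TYPE REGEX: record a persistent rule."""
        self.rules.append((regex, type_))

    def restorecon(self, path):
        """restorecon PATH: reset the stored label from the rules; returns the resulting type."""
        expected = self.expected_type(path)
        if expected is not None:
            self.labels[path] = expected
        return self.labels.get(path)

    def current(self, path):
        return self.labels.get(path)


# Constructed rules in the spirit of `semanage fcontext -l | grep resolv`.
DEFAULT_RULES = [
    (r"/etc/.*", "etc_t"),
    (r"/etc/resolv\.conf", "net_conf_t"),
]


def demo():
    """Replay the sequence from the notes on a constructed path; returns the three labels seen."""
    store = LabelStore(DEFAULT_RULES)
    path = "/etc/puppet-resolv.conf"
    store.restorecon(path)                      # initial label from the rules: etc_t
    store.chcon(path, "net_conf_t")             # one-off change
    after_chcon = store.current(path)
    after_restore = store.restorecon(path)      # reverted to etc_t: chcon left no rule behind
    store.semanage_fcontext_add(r"/etc/puppet-resolv\.conf", "net_conf_t")
    after_rule = store.restorecon(path)         # rule exists now, so the label sticks
    return after_chcon, after_restore, after_rule


if __name__ == "__main__":
    print(demo())
```

The returned triple reads net_conf_t, etc_t, net_conf_t: the chcon result survives only until the next restorecon, while the semanage rule survives relabels because restorecon derives the label from it.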

 

 

References

https://wiki.gentoo.org/wiki/SELinux/Quick_introduction

https://wiki.gentoo.org/wiki/SELinux/Users_and_logins
