selinux test fedora

 

 nano /etc/selinux/config

#SELINUX=enforcing
SELINUX=permissive

 

allow any denied actions that have occurred since the first boot with SELinux using the audit2allow tool 

doas audit2allow -a -l -M firstboot

 

The firstboot.te file is the SELinux policy,

The firstboot.pp file is the compiled SELinux policy

we can load this policy using semodule -i firstboot.pp

 

doas semodule -i firstboot.pp

 

doas usermod kai -Z user_u

Different groups such as user_u, staff_u, sysadm_u, system_u, and more are available.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux

 

 doas dnf install setools-console

 

seinfo -u

Users: 8
   guest_u
   root
   staff_u
   sysadm_u
   system_u
   unconfined_u
   user_u
   xguest_u

 

 

doas semanage login -l 

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
kai                  staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *

 

 

id -Z

useradd -Z staff_u example.user

 

sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

run  fixfiles -F onboot command as root to create the /.autorelabel file

 containing the -F option to ensure that files are relabeled upon next reboot. 

set enforcing=0 as boot parm or  #SELINUX=enforcing in /etc/selinux/config

package needed selinux-policy-targeted, libselinux-utils, and policycoreutils 

 getenforce

Permissive
 

search denied selinx

ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today

Alternatively, with the setroubleshoot-server package installed, enter:

grep "SELinux is preventing" /var/log/messages

If SELinux is active and the Audit daemon (auditd) is not running on your system,

dmesg | grep -i -e type=1300 -e type=1400

warn 

File-system objects created while SELinux is disabled are not labeled at
 all. This behavior causes problems when changing to enforcing mode 
because SELinux relies on correct labels of file-system objects. 

Before rebooting the system for relabeling, make sure the system will boot in permissive mode,

 for example by using the enforcing=0 kernel option. 

This prevents the system from failing to boot in case the system contains unlabeled files 

required by systemd before launching the selinux-autorelabel service.  

kernel parameters 

enforcing=0

selinux=0

 policycoreutils-python-utils and setroubleshoot-server 

 

 

systemctl status httpd

semanage port -l | grep http

Change the SELinux type of port 3131 to match port 80:
					 

 semanage port -a -t http_port_t -p tcp 3131

 

dnf install  setroubleshoot-server  python3-six

sealert -l "*"

relabel /var

restorecon -Rv /var/

• The semanage(8), matchpathcon(8), and sealert(8) man pages. 

 

getsebool -a

semanage-boolean(8), sepolicy-booleans(8), getsebool(8), setsebool(8), booleans(5), and booleans(8) man pages 

selinux logs location

/var/log/audit/audit.log

. Because the SELinux decisions, such as allowing or 
disallowing access, are cached and this cache is known as the Access 
Vector Cache (AVC), use the AVC and USER_AVC values for the message type parameter, for example:
					

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent

 

To temporarily disable dontaudit rules, allowing all denials to be logged:

# semodule -DB

After re-running your denied scenario and finding denial messages using the previous steps, the following command enables dontaudit rules in the policy again:

# semodule -B

policycoreutils-python-utils and setroubleshoot-server

 sealert -l "*"

• Enable full-path auditing to see full paths to accessed objects and to make additional Linux Audit event fields visible:

  # auditctl -w /etc/shadow -p w -k shadow-write

• Clear the setroubleshoot cache:

  # rm -f /var/lib/setroubleshoot/setroubleshoot.xml

• Reproduce the problem.

• Repeat step 1.

  After you finish the process, disable full-path auditing:

  # auditctl -W /etc/shadow -p w -k shadow-write

Writing a custom SELinux policy

Each SELinux policy rule describes an interaction between a process and a system resource:

ALLOW apache_process apache_log:FILE READ;

You can read this example rule as: The Apache process can read its logging file. In this rule, apache_process and apache_log are labels.

SELinux labels are stored as extended attributes of file systems, such as ext2 

  ls -Z /etc/passwd

 system_u:object_r:passwd_file_t:s0 /etc/passwd

Where system_u is an SELinux user, object_r is an example of the SELinux role, 

and passwd_file_t is an SELinux domain.
			

selinux-policy packages has default policies 

 

ps -efZ | grep mydaemon

sepolicy generate --init /usr/local/bin/mydaemon

ausearch -m AVC -ts recent | audit2allow -R

grep -r "logging_write_generic_logs" /usr/share/selinux/devel/include/ | grep .if
/usr/share/selinux/devel/include/system/logging.if:interface(`logging_write_generic_logs',`

 

https://willgu.es/?p=21

 dnf install sudo 

visudo 

%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL