
SELinux test on Fedora

 

 nano /etc/selinux/config

#SELINUX=enforcing
SELINUX=permissive

 

Use the audit2allow tool to allow any denied actions that have occurred since the first boot with SELinux:

doas audit2allow -a -l -M firstboot

 

The firstboot.te file is the SELinux policy source.

The firstboot.pp file is the compiled SELinux policy.

Load this policy with semodule -i firstboot.pp:

 

doas semodule -i firstboot.pp

 

doas usermod kai -Z user_u

Different SELinux users such as user_u, staff_u, sysadm_u, system_u, and more are available.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux

 

 doas dnf install setools-console

 

seinfo -u

Users: 8
   guest_u
   root
   staff_u
   sysadm_u
   system_u
   unconfined_u
   user_u
   xguest_u

 

 

doas semanage login -l 

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
kai                  staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *

 

 

id -Z
 
useradd -Z staff_u example.user
  

 

sestatus
SELinux status:                 enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
 
Run the fixfiles -F onboot command as root to create the /.autorelabel file containing the -F option, which ensures that files are relabeled on the next reboot.
 
Set enforcing=0 as a boot parameter, or comment out SELINUX=enforcing (#SELINUX=enforcing) in /etc/selinux/config.
 
Packages needed: selinux-policy-targeted, libselinux-utils, and policycoreutils.
 
 getenforce
Permissive
 
 
 
Search for SELinux denials:
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today
 

Alternatively, with the setroubleshoot-server package installed, enter:


grep "SELinux is preventing" /var/log/messages
 
If SELinux is active and the Audit daemon (auditd) is not running on your system, search the dmesg output for SELinux messages:
dmesg | grep -i -e type=1300 -e type=1400
 
Warning:
File-system objects created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because SELinux relies on correct labels of file-system objects.
Before rebooting the system for relabeling, make sure the system will boot in permissive mode, for example by using the enforcing=0 kernel option.
This prevents the system from failing to boot in case the system contains unlabeled files required by systemd before launching the selinux-autorelabel service.
 

Kernel parameters:

enforcing=0 boots the system in permissive mode
selinux=0 disables SELinux entirely

Packages needed: policycoreutils-python-utils and setroubleshoot-server

 

 

systemctl status httpd
semanage port -l | grep http
Change the SELinux type of port 3131 to match port 80:
					 
 semanage port -a -t http_port_t -p tcp 3131

 

dnf install  setroubleshoot-server  python3-six

sealert -l "*"
 
Relabel /var:
restorecon -Rv /var/

See the semanage(8), matchpathcon(8), and sealert(8) man pages.

 

getsebool -a
 
See the semanage-boolean(8), sepolicy-booleans(8), getsebool(8), setsebool(8), booleans(5), and booleans(8) man pages.
 
 
SELinux log location:
/var/log/audit/audit.log
 
SELinux decisions, such as allowing or disallowing access, are cached, and this cache is known as the Access Vector Cache (AVC). Use the AVC and USER_AVC values for the message type parameter, for example:
					
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
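
The AVC records returned by this search are what audit2allow -a -l -M firstboot turns into allow rules, so it helps to see which rules they imply before loading the module. The following is an added example, not part of the original notes: it merges denials by source type, target type and class, and suggests checking labels first. The log lines are constructed samples, and suggest_fix is a heuristic of this example only.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.123:101): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=3131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000005.456:102): avc:  denied  { read open } for  pid=1201 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.789:103): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000009.789:103): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_context(ctx):
    """Split user:role:type[:level]; the level itself may contain ':'."""
    user, role, setype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "level": level[0] if level else None}

def summarize_denials(log_text):
    """Merge denials into {(source type, target type, class): {permissions}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL, PATH and other record types are skipped
            key = (parse_context(m["scon"])["type"],
                   parse_context(m["tcon"])["type"], m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def suggest_fix(tclass, perms):
    """Heuristic of this example: a label fix is often narrower than a new rule."""
    if "name_bind" in perms and tclass.endswith("_socket"):
        return "label the port instead: semanage port -a -t <type> -p <proto> <port>"
    if tclass in ("file", "dir", "lnk_file"):
        return "check the object's label first: ls -Z, restorecon -Rv <path>"
    return "review before allowing"

def review(log_text):
    """Return (candidate allow rule, suggested check) pairs, sorted by rule key."""
    out = []
    for (src, tgt, tclass), perms in sorted(summarize_denials(log_text).items()):
        rule = f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
        out.append((rule, suggest_fix(tclass, perms)))
    return out

if __name__ == "__main__":
    for rule, hint in review(SAMPLE_LOG):
        print(f"{rule}\n    -> {hint}")
```

On a real system, pipe the ausearch output into the script in place of SAMPLE_LOG and compare the result with the generated firstboot.te.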
 
  

 

To temporarily disable dontaudit rules, allowing all denials to be logged:

# semodule -DB
 

After re-running your denied scenario and finding denial messages using the previous steps, the following command enables dontaudit rules in the policy again:

# semodule -B
 
With the policycoreutils-python-utils and setroubleshoot-server packages installed, list the alerts:
 sealert -l "*"
 
  • Enable full-path auditing to see full paths to accessed objects and to make additional Linux Audit event fields visible:

    # auditctl -w /etc/shadow -p w -k shadow-write
  • Clear the setroubleshoot cache:

    # rm -f /var/lib/setroubleshoot/setroubleshoot.xml
  • Reproduce the problem.
  • Repeat step 1.

    After you finish the process, disable full-path auditing:

    # auditctl -W /etc/shadow -p w -k shadow-write
     
     
   

Writing a custom SELinux policy

 

  

Each SELinux policy rule describes an interaction between a process and a system resource:

ALLOW apache_process apache_log:FILE READ;
You can read this example rule as: The Apache process can read its logging file. In this rule, apache_process and apache_log are labels.
 
SELinux labels are stored as extended attributes of file systems, such as ext2. List them with ls -Z:
  ls -Z /etc/passwd
 system_u:object_r:passwd_file_t:s0 /etc/passwd

Where system_u is an SELinux user, object_r is an example of the SELinux role, 
and passwd_file_t is an SELinux domain.
			

The selinux-policy packages contain the default policies.

 

ps -efZ | grep mydaemon
 
sepolicy generate --init /usr/local/bin/mydaemon
 
 
ausearch -m AVC -ts recent | audit2allow -R
grep -r "logging_write_generic_logs" /usr/share/selinux/devel/include/ | grep .if
/usr/share/selinux/devel/include/system/logging.if:interface(`logging_write_generic_logs',`
 
   

 

https://willgu.es/?p=21

 dnf install sudo 

visudo 

%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
 

 

