Sunday, September 20, 2020

Fedora 32 : Can be better? part 010.

In this tutorial I will show you how can easy learn with a simple example to have a better Fedora distro with SELinux. 

SELinux uses a policy store to keep track of its loaded policy modules and related settings. 

You can see my active policy store name is MLS.

[root@desk mythcat]# sestatus | grep Loaded
Loaded policy name:             mls

I want to create policy in the most easy way to denny memory. 

I can use many way to do that or find it on SELinux. 

If you want to deny user domains applications to map a memory region as both executable and writable you can use deny_execmem

This is dangerous and the executable should be reported in bugzilla and is is enabled by default. 

You must turn on the deny_execmem boolean.

setsebool -P deny_execmem 1
Let's use it:
[root@desk mythcat]# setsebool -P deny_execmem 1
[root@desk mythcat]# ausearch -c 'Web Content' --raw | audit2allow -M my-WebContent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-WebContent.pp

[root@desk mythcat]# semodule -X 300 -i my-WebContent.pp
Let's see if this SELinux is currently loaded:
[root@desk mythcat]# semodule -l | grep Web
my-WebContent