Showing posts with label selinux.

Wednesday, February 21, 2024

News : SELinux wizard tool !

I found today in Fedora Linux a tool for SELinux with a GUI that allows creating Linux security policies.
I will write a little about this system because it is a very good solution.
When I started studying SELinux, it was not very well implemented, and it seems that users' interest in being protected is now higher.
As you well know, the starting points are network security, data protection and kernel-level intrusions into software.
For those who don't know, SELinux is a system that allows limiting defined resources and allowing or denying other actions.
I tested the tool and I can say that it only handles the standard file creation part, without the possibility of selecting the SELinux boolean variables.
If its author continues the work, it will be a very good tool.
It's currently a wizard interface; I'd call it a node editor, allowing the assembly of different processing blocks (nodes) into combinations that feed data to each other along connections you specify to produce complex effects.
After completing the steps in the wizard, you will have some default files.
I used the name firefox because the security of the browser is very low at the moment.
Here are some images of this tool:

Monday, December 26, 2022

Fedora 37 : SELinux alert detection from Trend Micro HouseCall.

If you use the Trend Micro HouseCall for Home Networks tool, it is possible that the SELinux tool on Fedora Linux will warn you with an alert.
It can be easily fixed with the following commands.
[root@fedora mythcat]# ausearch -c 'journal-offline' --raw | audit2allow -M my-journaloffline
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-journaloffline.pp

[root@fedora mythcat]# semodule -X 300 -i my-journaloffline.pp
libsemanage.semanage_get_lock: Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. (Resource temporarily unavailable).
Because I got an access error for the lock resource, I used some Linux commands to check the status of my SELinux, searched for and stopped the process that was holding the resource, and re-ran the command:
[root@fedora mythcat]# cat /etc/selinux/config


SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted




[root@fedora mythcat]# ps aux | grep semodule
root        3974  4.2  5.2 211904 209952 pts/0   T    13:29   0:17 semodule -X 300 -i my-journaloffline.pp
root        4032  0.0  0.0 222424  2288 pts/0    S+   13:36   0:00 grep --color=auto semodule
[root@fedora mythcat]# kill -9 3974
[root@fedora mythcat]# semodule -X 300 -i my-journaloffline.pp
[1]+  Killed                  semodule -X 300 -i my-journaloffline.pp
[root@fedora mythcat]# semodule -X 300 -i my-journaloffline.pp
This is how the SELinux alert appears in the environment of the Fedora 37 Linux distribution.

Wednesday, September 30, 2020

Fedora 32 : Can be better? part 014.

The GTK documentation for C# is not very up to date; I tried to use a button to change a label and failed the first time. The Fedora team could improve this to help the development side. Here's what I've managed to do so far with GTK.

I fixed the source code with this, but I would have preferred a better method:

my_Button.Clicked += delegate {
my_Label.Text = "Use delegate!";
};

Mono is a free and open source implementation of the .NET Framework.

The most popular build tool for Mono is NAnt.

NUnit is very useful for test driven development.

[root@desk mythcat]# dnf install mono-devel
Last metadata expiration check: 0:15:26 ago on Wed 30 Sep 2020 09:04:30 PM EEST.
Package mono-devel-6.6.0-8.fc32.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@desk mythcat]# dnf install nant
...
Installed:
  log4net-2.0.8-10.fc32.x86_64            nant-1:0.92-25.fc32.x86_64           
  nunit2-2.6.4-24.fc32.x86_64            

Complete!
[root@desk mythcat]# dnf install nunit nunit-gui
Last metadata expiration check: 0:02:09 ago on Wed 30 Sep 2020 09:27:18 PM EEST.
No match for argument: nunit-gui
Error: Unable to find a match: nunit-gui

Installing MonoDevelop:

[root@desk mythcat]# dnf install monodevelop
...
Installed:
  ORBit2-2.14.19-23.fc32.x86_64                                                 
  gamin-0.1.10-36.fc32.x86_64                                                   
  gnome-desktop-sharp-2.26.0-36.fc31.x86_64                                     
  gnome-sharp-2.24.2-25.fc32.x86_64                                             
  gnome-vfs2-2.24.4-30.fc32.x86_64                                              
  gnome-vfs2-common-2.24.4-30.fc32.noarch                                       
  gtk-sharp2-2.12.45-11.fc32.x86_64                                             
  gtk-sharp2-devel-2.12.45-11.fc32.x86_64                                       
  gtksourceview2-2.11.2-31.fc32.x86_64                                          
  libIDL-0.8.14-21.fc32.x86_64                                                  
  libbonobo-2.32.1-18.fc32.x86_64                                               
  libbonoboui-2.24.5-18.fc32.x86_64                                             
  libgnome-2.32.1-20.fc32.x86_64                                                
  libgnome-keyring-3.12.0-19.fc32.x86_64                                        
  libgnomecanvas-2.30.3-19.fc32.x86_64                                          
  libgnomeui-2.24.5-21.fc32.x86_64                                              
  mono-addins-1.1-13.fc32.x86_64                                                
  monodevelop-5.10.0-17.fc32.x86_64                                             
  vte-0.28.2-31.fc32.x86_64                                                     

Complete!

Install the .NET Core. This is a general-purpose, modular, cross-platform and open-source development Platform.

[root@desk mythcat]# dnf copr enable @dotnet-sig/dotnet
Enabling a Copr repository. Please note that this repository is not part
of the main distribution, and quality may vary.
...
Do you really want to enable copr.fedorainfracloud.org/@dotnet-sig/dotnet? [y/N]: y
Repository successfully enabled.
[root@desk mythcat]# dnf install dotnet
Copr repo for dotnet owned by @dotnet-sig             5.4 kB/s | 3.3 kB     00:00    
Package dotnet-3.1.108-1.fc32.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete! 

Let's start a GTK project using the MonoDevelop IDE.

[mythcat@desk ProjectsCSharp]$ monodevelop 
I use a new .NET solution with the GTK# 2.0 Project template. The default source code is this:
using System;
using Gtk;

namespace MonoDevelopGTK_001
{
	class MainClass
	{
		public static void Main (string[] args)
		{
			Application.Init ();
			MainWindow win = new MainWindow ();
			win.Show ();
			Application.Run ();
		}
	}
}
The result is a simple window. For a more complex form with an entry, a label and one button, see the next example:
using System;
using Gtk;

namespace MonoDevelopGTK_001
{
	
	class MainClass
	{
		public static void Main (string[] args)
		{
			// define here Entry and Button 
			Entry name;
			Button my_Button;

			Application.Init ();
			MainWindow win = new MainWindow ();
			// change the size of window
			win.SetDefaultSize (640, 480);
			// this will close application
			win.DeleteEvent += new DeleteEventHandler (Window_Delete);

			// use of VBox or HBox; a Gtk.Window holds a single child,
			// so only the outer VBox is added to the window and every
			// other widget is packed into one of the boxes
			VBox global_vbox = new VBox();
			win.Add(global_vbox);
			name = new Entry();
			global_vbox.PackStart(name, false, false, 0);

			VBox label_vbox = new VBox();
			global_vbox.Add (label_vbox);
			//Define here a label and put some text in it.
			Label my_Label = new Label();
			my_Label.Text = "Hello World!";
			label_vbox.PackStart(my_Label, false, false, 0);

			VBox button_vbox = new VBox();
			global_vbox.Add (button_vbox);
			my_Button = new Button("Ok!");
			my_Button.Clicked += OnButtonClicked;
			button_vbox.PackStart(my_Button, false, false, 0);
			// ShowAll is used to see all labels, buttons
			win.ShowAll();
			//win.Show ();
			Application.Run ();

		}

		public static void OnButtonClicked (object obj, EventArgs args)
		{
			// obj is the clicked Button, not the Label; to change the
			// label from here, capture it with a delegate as shown above
			Console.WriteLine ("Button Clicked !");

		}

		static void Window_Delete (object obj, DeleteEventArgs args)
		{
			Application.Quit ();
			args.RetVal = true;
		}
	}
}

Tuesday, September 29, 2020

Fedora 32 : Can be better? part 013.

I would say that I always have a problem with accessing the knowledge base related to errors and configurations in Linux and the Fedora distro.

I think it would be very necessary to have as up-to-date documentation as possible in the Fedora distribution system and possibly a database based on questions and answers.

That makes me think of the pilots' manuals ... where all the possible problems are listed.

It would be useful for anyone and would especially save users' memory.

In the age of artificial intelligence, a flow chart for each possible problem generated by Xorg, the network or services, indicating the areas of interaction, the basic checks a user should make, and the possible settings depending on the problem or the desired change, would be a fantastic map for both a beginner and an advanced user.

After doing some SELinux configurations, my browser did not want to access the internet.

Until I deactivated it, the number of SELinux alerts increased dramatically.

The SELinux policies I had written were not exactly correct.

Obviously I tried to fix the problem by disabling SELinux.

The ping utility sent and received packets to the internet, but my browser did not connect.

Sometimes a symbolic link or an incorrect setting can block your internet access.

I think the problem was generated when disabling SELinux, by restarting and shutting down a useful service.

ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
Although attention was paid to the possibility of incorrect SELinux settings, a simple check and a restart of the systemd-resolved.service service solved the problem.
[root@desk mythcat]# systemctl status systemd-resolved.service 
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; disabled
     Active: inactive (dead)
       Docs: man:systemd-resolved.service(8)
[root@desk mythcat]# systemctl start systemd-resolved.service 
[root@desk mythcat]# systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; disabled
     Active: active (running) since Tue 2020-09-29 22:25:32 EEST; 8s ago

Now I've fixed it.

Sunday, September 20, 2020

Fedora 32 : Can be better? part 010.

In this tutorial I will show you, with a simple example, how you can easily learn to have a better Fedora distro with SELinux.

SELinux uses a policy store to keep track of its loaded policy modules and related settings. 

You can see that my active policy store name is mls.

[root@desk mythcat]# sestatus | grep Loaded
Loaded policy name:             mls

I want to create, in the easiest way, a policy that denies writable and executable memory.

There are many ways to do that, or you can find one in SELinux.

If you want to deny user domain applications from mapping a memory region as both executable and writable, you can use deny_execmem.

This is dangerous and the executable should be reported in bugzilla, and it is enabled by default.

You must turn on the deny_execmem boolean.

setsebool -P deny_execmem 1
Let's use it:
[root@desk mythcat]# setsebool -P deny_execmem 1
[root@desk mythcat]# ausearch -c 'Web Content' --raw | audit2allow -M my-WebContent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-WebContent.pp

[root@desk mythcat]# semodule -X 300 -i my-WebContent.pp
Let's see if this SELinux module is currently loaded:
[root@desk mythcat]# semodule -l | grep Web
my-WebContent
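The ausearch | audit2allow step used above (and in the journal-offline and systemd posts on this page) turns raw AVC records into allow rules. The following Python is an added example, not code from the post or from audit2allow itself: it parses constructed ausearch --raw records into the rules audit2allow would generate, and separates out execmem-style denials, which this post says should be reported rather than allowed. The sample records, their PIDs and the syslogd_t/user_home_t labels are constructed.

```python
"""Added example: parse raw AVC denials (the records ausearch --raw feeds
to audit2allow), merge them into the allow rules audit2allow would emit,
and flag memory-protection denials. Sample records are constructed."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# denials produced by the deny_execmem style memory protections
MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}
# fields the kernel hex-encodes when they contain spaces or odd bytes
ENCODED_FIELDS = {"comm", "name", "exe"}


def decode_field(key, raw):
    if raw.startswith('"'):
        return raw.strip('"')
    if key in ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_field(k, v) for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def context_type(ctx):
    """user:role:type[:mls] -> type; the type is what policy rules refer to."""
    return ctx.split(":")[2]


def allow_rules(lines):
    """Merge denials into the 'allow src tgt:class { perms };' lines that
    audit2allow would put into the generated .te file."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        src, tgt = context_type(d["scontext"]), context_type(d["tcontext"])
        if src == tgt:
            tgt = "self"
        merged[(src, tgt, d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def memory_denials(lines):
    """Denials caused by memory protections; the post above recommends
    reporting the executable in bugzilla instead of allowing these."""
    hits = []
    for line in lines:
        d = parse_avc(line)
        if d and d["perms"] & MEMORY_PERMS:
            hits.append((d["comm"], context_type(d["scontext"]),
                         sorted(d["perms"] & MEMORY_PERMS)))
    return hits


# Constructed sample records in ausearch --raw form; comm of the first
# record is hex-encoded because "Web Content" contains a space.
SAMPLE = [
    'type=AVC msg=audit(1600000000.100:301): avc:  denied  { execmem } for  '
    'pid=4242 comm=57656220436F6E74656E74 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process permissive=0',
    'type=SYSCALL msg=audit(1600000000.100:301): arch=c000003e syscall=9 success=no exit=-13',
    'type=AVC msg=audit(1600000000.200:302): avc:  denied  { read } for  '
    'pid=2222 comm="journal-offline" name="user.journal" dev="dm-0" ino=77 '
    'scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1600000000.300:303): avc:  denied  { open } for  '
    'pid=2222 comm="journal-offline" path="/home/user/user.journal" dev="dm-0" ino=77 '
    'scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
    for comm, src, perms in memory_denials(SAMPLE):
        print("report, do not allow: %s (%s) needs %s" % (comm, src, " ".join(perms)))
```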

Saturday, September 5, 2020

Fedora 32 : Can be better? part 007.

Another article in the Can be better? series that deals with a very popular feature called SELinux. In this seventh part I will introduce you to the world of SELinux in my own style, simply explaining some SELinux configurations.
Let's recap some basic elements specific to SELinux.
Multi Category Security or MCS is a discretionary implementation of the mandatory Multi Level Security.
MCS basically tries to use the MLS attributes: Security Levels and Security Compartments.
An MCS implementation has one or more extra fields in its Security Context tuple: user_u:role_r:type_t:s0:c0.
You can see this with id -Z.
The MLS Range contains two components, the low (classification and compartments) and the high (clearance).
A sensitivity label is built from the low component, for example s2 with c1, c2 ...
MCS has 1024 categories that can be assigned to processes and files.
On an MLS system there are two special labels, SystemLow (s0) and SystemHigh (s15:c0.c255).
In an MCS environment the upper end of the range, s0:c0.c1023, is SystemHigh.
By default, everything in an MCS environment has access to SystemLow, or s0.
You will then be able to access files with the s0:c122 and s0:c123 categories.
The MLS translation mechanism gives a more literal meaning to the machine-like labels used in the MLS sensitivity and category declarations.
The MLS rule says: "no read up and no write down".
The MLS model is used to enforce confidentiality.
All processes are forced to operate with a Security Level.
The s0 Security Level, or SystemLow level, is the lower end of the Security Level Range in an MLS environment.
If you do not have the correct configuration, then switching SELinux to Enforcing could generate errors after reboot or during Linux operation.
You will need to have the root password available to revert the new SELinux settings.
Let's solve this issue: put SELinux into Enforcing mode but give my user the possibility to use the command sudo su.
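To make the level and range notation above concrete, here is an added Python example (not part of the original post) that parses contexts such as the id -Z output staff_u:staff_r:staff_t:s0-s15:c0.c1023 or the lgetfilecon_raw result unconfined_u:object_r:user_home_t:s0 from the Python post further down this page, and applies the dominance relation behind "no read up, no write down". The subject and object contexts used in the checks are constructed.

```python
"""Added example: parse SELinux security contexts that carry an MLS/MCS
range (user:role:type:low[-high]) and apply the dominance relation that
'no read up, no write down' is built on. Not part of the original post."""
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")

SYSTEM_LOW = "s0"               # SystemLow in both MLS and MCS environments
SYSTEM_HIGH_MLS = "s15:c0.c255"  # SystemHigh in the MLS policy
SYSTEM_HIGH_MCS = "s0:c0.c1023"  # SystemHigh in an MCS environment


def parse_level(text):
    """'s2:c1,c2' -> (2, frozenset({1, 2})); 'c0.c1023' is a category range."""
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError("malformed MLS level: %r" % text)
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return int(m.group(1)), frozenset(cats)


def dominates(a, b):
    """Level a dominates b when its sensitivity is >= b's and its categories
    are a superset of b's; this is the 'dom' operator in mlsconstrain rules."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a single level means low == high."""
    low_text, _, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    if not dominates(high, low):
        raise ValueError("high level (clearance) must dominate low level")
    return low, high


def parse_context(ctx):
    """Split 'user:role:type:range'; the range itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError("context has no MLS range: %r" % ctx)
    user, role, type_, rng = parts
    return {"user": user, "role": role, "type": type_, "range": parse_range(rng)}


def can_read(subject_ctx, object_ctx):
    """No read up: the subject's current (low) level must dominate the
    object's level, the default 'l1 dom l2' term of the file read constraint."""
    l1 = parse_context(subject_ctx)["range"][0]
    l2 = parse_context(object_ctx)["range"][0]
    return dominates(l1, l2)


def can_write(subject_ctx, object_ctx):
    """No write down in the Bell-LaPadula sense: the object's level must
    dominate the subject's current level. Fedora's default file write
    constraint (see the mlsconstrain error in part 006 on this page) is
    stricter and requires 'l1 eq l2' unless the domain carries an
    mlsfilewrite* attribute."""
    l1 = parse_context(subject_ctx)["range"][0]
    l2 = parse_context(object_ctx)["range"][0]
    return dominates(l2, l1)


def within_clearance(level_text, range_text):
    """A process may only run at a level between the low and high (clearance)
    ends of its login range, e.g. the s0-s15:c0.c1023 range set with semanage."""
    level = parse_level(level_text)
    low, high = parse_range(range_text)
    return dominates(level, low) and dominates(high, level)
```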
First, you need to see this table:
SELinux user / Description / Used for:
  • unconfined_u: SELinux user meant for unrestricted users. Unconfined users have hardly any restrictions in a SELinux context and are meant for systems where only Internet-facing services should run confined (i.e. the targeted SELinux policy store). Used for all users on a targeted system.
  • root: The SELinux user meant for the root account. Used for the Linux root account.
  • sysadm_u: SELinux user with the direct system administrative role assigned. Used for Linux accounts that only perform administrative tasks.
  • staff_u: SELinux user for operators that need to run both non-administrative commands (through the staff_r role) and administrative commands (through the sysadm_r role). Used for Linux accounts used for both end user usage as well as administrative tasks.
  • user_u: SELinux user for non-privileged accounts. Used for unprivileged Linux accounts.
  • system_u: Special SELinux user meant for system services. Not used directly.
My user mythcat needs to be changed to staff_u with a suitable MLS range.
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s2:c100 mythcat
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s0-s15:c0.c1023 mythcat
[root@desk mythcat]# semanage login -l 
[root@desk mythcat]# setenforce enforcing
[root@desk mythcat]# getenforce
Enforcing
[root@desk mythcat]# semanage login -l 
ValueError: Cannot read policy store.
After a reboot it takes some time to load the new changes; at first the previous configuration is still shown.
[mythcat@desk ~]$ semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
[mythcat@desk ~]$ id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
[mythcat@desk ~]$ sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
A few seconds later all is good:
[mythcat@desk ~]$ sudo su 
[sudo] password for mythcat: 
bash: /root/.bashrc: Permission denied
bash-5.0# ls
bash-5.0# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
bash-5.0# id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
bash-5.0# exit 
exit
[mythcat@desk ~]$ sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
Everything is fine for now; this delay is the reason for using the SELinux kernel settings. More information about Multi-Level Security and Multi-Category Security can be found on this webpage.

Sunday, February 16, 2020

Fedora 31 : Can be better? part 006.

I tried to use SELinux MLS with Fedora 31 and wrote about it in my last article, Fedora 31 : Can be better? part 005.
After relabeling the files and starting the environment I got multiple errors, and I asked for an answer on the fedoraproject lists:
This is an example of the problems of implementing MLS in Fedora, and it can be remedied because MLS is an old part of the SELinux implementation.

SELinux is preventing su from open access on the file /var/log/lastlog.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that su should be allowed open access on the lastlog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'su' --raw | audit2allow -M my-su
# semodule -X 300 -i my-su.pp 
I tried to fix it but I got this error:
[root@desk mythcat]# ausearch -c 'su' --raw | audit2allow -M my-su
compilation failed:
my-su.te:36:ERROR 'syntax error' at token 'mlsconstrain' on line 36:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)  
or (t1 == mlsfilewritetoclr -Fail-)  and (h1 dom l2 -Fail-)  and (l1 domby l2)  or (t2 == 
mlsfilewriteinrange -Fail-)  
and (l1 dom l2 -Fail-)  an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1 == 
mlsfilereadtoclr -Fail-)  
and (h1 dom l2 -Fail-)  or (t1 == mlsfileread -Fail-)  or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule:  error(s) encountered while parsing configuration

Sunday, February 2, 2020

Fedora 31 : Can be better? part 005.

Today we have once again dealt with this topic on the possibilities of improving the Fedora distro.
This time the adventure turned to switching the SELinux system to MLS.
Let's switch SELinux on Fedora 31 from the default targeted policy to mls.
First let's see the users:
[root@desk mythcat]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
To use the MLS you need to change this file:
[root@desk mythcat]# vim /etc/selinux/config


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The changes are:

#SELINUX=enforcing
SELINUX=permissive
...
#SELINUXTYPE=targeted
SELINUXTYPE=mls
These packages need to be installed:
[root@desk mythcat]# dnf search mls | grep selinux
Last metadata expiration check: 2:45:09 ago on Sun 02 Feb 2020 01:28:54 PM EET.
selinux-policy-mls.noarch : SELinux mls base policy
[root@desk mythcat]# dnf install selinux-policy-mls.noarch
...
Installed:
  mcstrans-2.9-2.fc31.x86_64                                                    
  policycoreutils-newrole-2.9-5.fc31.x86_64                                     
  selinux-policy-mls-3.14.4-45.fc31.noarch                                      

Complete!
These commands will relabel and start the MLS.
[mythcat@desk ~]$ setenforce 0
[mythcat@desk ~]$ getenforce
Permissive
...
[root@desk mythcat]# touch /.autorelabel
[root@desk mythcat]# reboot
If you have problems on boot, add selinux=0 to the kernel boot parameters.
After I booted and relabeled all files I got errors about Gtk-Messages.
I removed my old Cinnamon with this command:
[root@desk mythcat]# dnf groupremove -y "Cinnnamon"
I listed all my groups with the dnf tool:
[root@desk mythcat]# dnf grouplist -v 
I installed the MATE environment:
dnf groupinstall -y "MATE Desktop" --allowerasing
After that the only way to start the environment is this command:
[mythcat@desk ~]$ sudo systemctl restart lightdm.service
Another issue comes from the SELinux Alert Browser, where I get multiple alerts that need to be fixed manually.
At first, there were more than 250 of these alerts.
After fixing some of them I now see only 50.
I think this problem with changing the SELinux type can be improved.

Thursday, August 22, 2019

Fedora 30 : Set up the Linux Malware Detect.

If you get an SELinux alert, the details show you how it can be fixed:
[mythcat@desk ~]$ su
Password: 
[root@desk mythcat]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@desk mythcat]# semodule -X 300 -i my-systemd.pp
This tool comes with three modes that the monitor can be executed with; they relate to what will be monitored.
These modes are USERS|PATHS|FILES.
The options break down as follows:
  • USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then only the users' webdir, if it exists, will be monitored;
  • PATHS: A comma spaced list of paths to monitor;
  • FILE: A line spaced file list of paths to monitor
$ maldet --monitor users
$ maldet --monitor /root/initial-setup-ks.cfg
$ maldet --monitor /home/mythcat
Let's test the USERS option:
[mythcat@desk maldetect-1.6.4]$ maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7958): {mon} could not find inotifywait command, install yum package inotify-tools or 
download from https://github.com/rvoicilas/inotify-tools/wiki/


[root@desk maldetect-1.6.4]# dnf search inotify-tools
Last metadata expiration check: 0:01:39 ago on Wed 21 Aug 2019 11:09:22 PM EEST.
============================================ Name Exactly Matched: inotify-tools ======
inotify-tools.i686 : Command line utilities for inotify
inotify-tools.x86_64 : Command line utilities for inotify
================================================ Name Matched: inotify-tools ======
inotify-tools-devel.i686 : Headers and libraries for building apps that use libinotifytools
inotify-tools-devel.x86_64 : Headers and libraries for building apps that use libinotifytools
[root@desk maldetect-1.6.4]# dnf install inotify-tools.x86_64
...
Installed:
  inotify-tools-3.14-16.fc30.x86_64                                                                                          

Complete!
[root@desk maldetect-1.6.4]# maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(973): {mon} set inotify max_user_watches to 16384
maldet(973): {mon} added /dev/shm to inotify monitoring array
maldet(973): {mon} added /var/tmp to inotify monitoring array
maldet(973): {mon} added /tmp to inotify monitoring array
maldet(973): {mon} starting inotify process on 3 paths, this might take awhile...
maldet(973): {mon} inotify startup successful (pid: 1800)
maldet(973): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

Wednesday, March 13, 2019

Fedora 29 : Use SELinux with Firefox.

Today I tested SELinux with the Firefox browser. The main purpose was to create a policy for this browser. You can use this example to create your own policies. Using Fedora 29 this problem can be resolved easily. Let's start by installing an important package using the dnf tool.
[root@desk selinux_001]# dnf install policycoreutils-devel
Let's see the other commands used to create the policy files, starting from firefox.te:
[mythcat@desk ~]$ mkdir selinux_001
[mythcat@desk ~]$ cd selinux_001/
[mythcat@desk selinux_001]$ whereis firefox
firefox: /usr/bin/firefox /usr/lib64/firefox /etc/firefox /usr/share/man/man1/firefox.1.gz
[mythcat@desk selinux_001]$ sepolicy generate --init -n firefox /usr/bin/firefox 
nm: /usr/bin/firefox: file format not recognized
Failed to retrieve rpm info for selinux-policy
Created the following files:
/home/mythcat/selinux_001/firefox.te # Type Enforcement file
/home/mythcat/selinux_001/firefox.if # Interface file
/home/mythcat/selinux_001/firefox.fc # File Contexts file
/home/mythcat/selinux_001/firefox_selinux.spec # Spec file
/home/mythcat/selinux_001/firefox.sh # Setup Script
[mythcat@desk selinux_001]$ cat firefox.te


policy_module(firefox, 1.0.0)

########################################
#
# Declarations
#

type firefox_t;
type firefox_exec_t;
init_daemon_domain(firefox_t, firefox_exec_t)

permissive firefox_t;

########################################
#
# firefox local policy
#
allow firefox_t self:fifo_file rw_fifo_file_perms;
allow firefox_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(firefox_t)

files_read_etc_files(firefox_t)

miscfiles_read_localization(firefox_t)
[mythcat@desk selinux_001]$ cat firefox.fc 
/usr/bin/firefox        --    gen_context(system_u:object_r:firefox_exec_t,s0)
I modified this policy generated by sepolicy by adding my own rules:
[mythcat@desk selinux_001]$ cat firefox.te
policy_module(firefox, 1.0.0)

########################################
#
# Declarations
#

type firefox_t;
type firefox_exec_t;
init_daemon_domain(firefox_t, firefox_exec_t)

permissive firefox_t;
# my rules
require {
    type unreserved_port_t;
    type http_port_t;
    class tcp_socket { accept listen name_bind name_connect };
}

########################################
#
# firefox local policy
#
allow firefox_t self:fifo_file rw_fifo_file_perms;
allow firefox_t self:unix_stream_socket create_stream_socket_perms;

# my rules
allow firefox_t http_port_t:tcp_socket { name_bind name_connect };
allow firefox_t unreserved_port_t:tcp_socket { name_bind name_connect };
allow firefox_t self:tcp_socket { listen accept };

domain_use_interactive_fds(firefox_t)

files_read_etc_files(firefox_t)

miscfiles_read_localization(firefox_t)
I used the following commands to get my own policy:
[mythcat@desk selinux_001]$ make -f /usr/share/selinux/devel/Makefile
Compiling targeted firefox module
/usr/bin/checkmodule:  loading policy configuration from tmp/firefox.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 19) to tmp/firefox.mod
Creating targeted firefox.pp policy package
rm tmp/firefox.mod tmp/firefox.mod.fc
[mythcat@desk selinux_001]$ sudo semodule -i firefox.pp
[sudo] password for mythcat: 
semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. Let's see the result:
[root@desk selinux_001]# semodule -l | grep firefox
firefox

Thursday, January 24, 2019

Fedora 29 : SELinux and Python.

Today I tested the selinux Python module with Fedora 29.
The wikipedia page comes with this intro about SELinux: Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). ... A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources.

This kernel module can help you secure the network and the applications running on your Linux.
This very complex kernel module can be used with your own policy configuration files designed to fix your security issues.
First, the install is easy to do with the dnf tool:
[root@desk mythcat]# dnf install python2-libselinux.x86_64 
Last metadata expiration check: 1:31:46 ago on Thu 24 Jan 2019 07:04:16 AM EET.
Dependencies resolved.
...
Installed:
  python2-libselinux-2.8-6.fc29.x86_64                                          

Complete!
I tested this Python module with a few simple examples:
[mythcat@desk ~]$ python 
Python 2.7.15 (default, Oct 15 2018, 15:26:09) 
[GCC 8.2.1 20180801 (Red Hat 8.2.1-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> selinux.is_selinux_enabled()
1
>>> selinux.lgetfilecon_raw(".bashrc")
[37, 'unconfined_u:object_r:user_home_t:s0']
>>> selinux.lgetfilecon_raw(".bashrc")
[37, 'unconfined_u:object_r:user_home_t:s0']
>>> selinux.selinux_getpolicytype()[1]
'targeted'
>>> selinux.selinux_getpolicytype()
[0, 'targeted']

Sunday, September 23, 2018

Fedora 28 : Start a service daemon with Python.

In this tutorial I will start a service using systemctl, Python and systemd. First, you need to create a file named testpython.service.
[mythcat@desk system]# cd /etc/systemd/system/
[root@desk system]# vim testpython.service
This file is a configuration file for this service.
[Unit]
Description=Python Service
After=multi-user.target
[Service]
Type=simple
ExecStart=/usr/bin/python /home/mythcat/test_service.py
[Install]
WantedBy=multi-user.target
Create the python file for this service. I named it test_service.py.
[root@desk system]# exit
exit
[mythcat@desk system]$ cd ~
[mythcat@desk ~]$ vim test_service.py

#!/usr/bin/env python

import logging
import time

logging.basicConfig(level="INFO")

while True:
    logging.info("Hi")
    time.sleep(3)
Change the file permissions of this python file (and of testpython.service, if needed), see:
[mythcat@desk ~]$ chmod 764 test_service.py
Because this service is run by systemd, SELinux will report an error (the script carries a home-directory label); fix that by relabelling the script:
[mythcat@desk ~]$ chcon -t bin_t ~/test_service.py
Reload all services and start your service with these commands:
[root@desk system]# systemctl daemon-reload
[root@desk system]# systemctl start  testpython.service
[root@desk system]# systemctl status  testpython.service
● testpython.service - Python Service
   Loaded: loaded (/etc/systemd/system/testpython.service; enabled; vendor>
   Active: active (running) since Sat 2018-09-22 21:36:23 EEST; 5s ago
 Main PID: 7213 (python)
    Tasks: 1 (limit: 2102)
   Memory: 5.7M
   CGroup: /system.slice/testpython.service
           └─7213 /usr/bin/python /home/mythcat/test_service.py

Sep 22 21:36:23 desk systemd[1]: Started Python Service.
Sep 22 21:36:24 desk python[7213]: INFO:root:Hi
Sep 22 21:36:27 desk python[7213]: INFO:root:Hi
You can use the journalctl command to see the output of this service:
[root@desk system]# journalctl -u testpython.service 
-- Logs begin at Sat 2018-09-22 20:40:06 EEST, end at Sat 2018-09-22 21:31:07 EEST. --
Sep 22 20:40:06 desk python[6232]: INFO:root:Hi
Sep 22 20:40:09 desk python[6232]: INFO:root:Hi
Sep 22 20:40:12 desk python[6232]: INFO:root:Hi
Sep 22 20:40:15 desk python[6232]: INFO:root:Hi
Sep 22 20:40:18 desk python[6232]: INFO:root:Hi
Sep 22 20:40:21 desk python[6232]: INFO:root:Hi
Sep 22 20:40:24 desk python[6232]: INFO:root:Hi
Sep 22 20:40:27 desk python[6232]: INFO:root:Hi
Sep 22 20:40:30 desk python[6232]: INFO:root:Hi
Let's see the result:

Wednesday, February 21, 2018

Fedora 27 : selinux and getfattr attributes.

In this tutorial I show you how to use the getfattr command to get the extended attributes of filesystem objects, including the SELinux security label.
One attribute is security.selinux for SELinux; others include:

  • security.capability - this attribute stores the Linux capabilities for the related file; it applies to binaries that are granted one or more capabilities through it.
  • security.ima - for the Integrity Measurement Architecture (IMA), this attribute stores a hash or digital signature of the file contents.
  • security.evm - similar to security.ima; the Extended Verification Module (EVM) stores a hash/HMAC or digital signature in this attribute (the difference from IMA is that it protects the metadata of the file, not the contents).

Now, about security.selinux:
You can use the getfattr command, for example, to perform specific SELinux tasks:

# getfattr -m security.selinux -d /etc/passwd
getfattr: Removing leading '/' from absolute path names
# file: etc/passwd 
security.selinux="system_u:object_r:passwd_file_t:s0"
# getfattr -m security.selinux -d /etc/shadow
...
# getfattr -m security.selinux -d /var/www d /var/www
...
Both the getfattr and setfattr commands are provided by the POSIX ACL package (Portable Operating System Interface).
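The labels printed by selinux.lgetfilecon_raw and by getfattr above are the same security.selinux extended attribute. As an added example (Python 3, not code from the original posts), this reads the attribute with the standard library xattr API, splits it into user:role:type:level (the level field may itself contain ':' in an MLS/MCS range) and audits a list of paths for a given type:

```python
import os


def parse_context(label):
    """Split an SELinux label 'user:role:type:level' into its fields.
    Only the first three ':' are separators: the level may be a range
    such as 's0-s0:c0.c1023'. A trailing NUL from the xattr is dropped."""
    parts = label.rstrip("\0").split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % label)
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "level": parts[3] if len(parts) == 4 else "",
    }


def read_context(path):
    """Read security.selinux of PATH, like 'getfattr -n security.selinux -d'.
    Returns None when the path or attribute is missing, or when this
    Python build has no os.getxattr (non-Linux)."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:  # ENOENT, ENODATA, EPERM, ...
        return None
    return parse_context(raw.decode("ascii"))


def files_of_type(paths, wanted_type):
    """Return the paths whose label has type WANTED_TYPE (for instance
    'user_home_t'), useful to spot a script that systemd will not be
    allowed to execute until it is relabelled."""
    hits = []
    for p in paths:
        ctx = read_context(p)
        if ctx is not None and ctx["type"] == wanted_type:
            hits.append(p)
    return hits


if __name__ == "__main__":
    print(parse_context("unconfined_u:object_r:user_home_t:s0"))
    print(files_of_type([os.path.expanduser("~/test_service.py")], "user_home_t"))
```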

Tuesday, December 19, 2017

Fedora 27 : Firefox and selinux : sepolgen tool .

To write the actual policy for an SELinux application, you can get many of the permissions your application needs by running sepolgen.
First test whether it is installed in your Fedora distro.
I used Fedora 27 with SELinux set to Enforcing.
If your application is named my_app, then use this command:
sepolgen --init  /path/to/my_app
The result of this command will be this:
app.fc
my_app.sh
my_app.if
my_app_selinux.spec
my_app.te
If your application will not be an rpm package, you can delete app.spec and app.sh.
The file with the extension .te is a Type Enforcement file.

About these five files, the Linux help tells us:

Type Enforcing File NAME.te
This file can be used to define all the types rules for a particular domain.

Note: Policy generated by sepolicy generate will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.

Interface File NAME.if
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.

File Context NAME.fc
This file defines the default file context for the system, it takes the file types created in the te file and associates file paths to the types. Tools like restorecon and RPM will use these paths to put down labels.

RPM Spec File NAME_selinux.spec
This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use sepolicy manpage -d NAME to generate the man page.

Shell File NAME.sh
This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines
Opening the my_app.te file, you will see something like this:
policy_module(my_app, 1.0.0)

########################################
#
# Declarations
#

type my_app_t;
type my_app_exec_t;
init_daemon_domain(my_app_t, my_app_exec_t)

# Please remove this once your policy works as expected.
permissive my_app_t;

########################################
#
# my_app local policy
#
allow my_app_t self:fifo_file rw_fifo_file_perms;
allow my_app_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(my_app_t)
files_read_etc_files(my_app_t)
auth_use_nsswitch(my_app_t)
miscfiles_read_localization(my_app_t)
sysnet_dns_name_resolve(my_app_t)

The first line uses the name of the binary, which will be the name of the policy, followed by the version.
policy_module(my_app, 1.0.0)
The next rows come with this:

type my_app_t;
type my_app_exec_t;
init_daemon_domain(my_app_t, my_app_exec_t)
- the unique type that describes this application is my_app_t.
- SELinux tells us that the executable file will be labelled my_app_exec_t.
- this program will run as a service: init_daemon_domain(my_app_t, my_app_exec_t).

The next row makes the domain permissive: permission errors are logged, but the application is allowed to continue running.
permissive my_app_t;

The next rows show how the application uses FIFO file permissions and whether the application will use Unix stream sockets.
Don't change them; you can do a Google search to see more examples with this type of allow rule.
allow my_app_t self:fifo_file rw_fifo_file_perms;
allow my_app_t self:unix_stream_socket create_stream_socket_perms;

About these rows:
domain_use_interactive_fds(my_app_t)
files_read_etc_files(my_app_t)
auth_use_nsswitch(my_app_t)
miscfiles_read_localization(my_app_t)
sysnet_dns_name_resolve(my_app_t)

The domain_use_interactive_fds and term_use_all_terms interfaces support operations where SSH allocates a tty for the user (the fifo_file allow rule, for example, covers the opposite case).
my_app wants to read from the /etc folder, which is granted by files_read_etc_files.
auth_use_nsswitch can also add rules allowing access to the NIS/YPBIND ports.
miscfiles_read_localization is about the localization code.

To better understand this tutorial, you can create a folder in your home directory and then test the tool with a different application from Fedora 27.
One good example: sepolgen --init /opt/firefox .
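The generated .te file is plain text with one statement per line, so the check the man page asks for (remove the permissive line before running in enforcing mode) can be automated. As an added example (not part of the original post), this parses the sepolgen skeleton shown above into its module header, types, allow rules and interface calls, and reports any domain still marked permissive or any interface called with an undeclared type:

```python
import re

# Constructed sample: the my_app.te skeleton shown above, trimmed.
SAMPLE_TE = """\
policy_module(my_app, 1.0.0)
type my_app_t;
type my_app_exec_t;
init_daemon_domain(my_app_t, my_app_exec_t)
# Please remove this once your policy works as expected.
permissive my_app_t;
allow my_app_t self:fifo_file rw_fifo_file_perms;
allow my_app_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(my_app_t)
sysnet_dns_name_resolve(my_app_t)
"""

CALL = re.compile(r"^(\w+)\((.*)\)$")  # interface/macro call: name(args)


def parse_te(text):
    """Parse the one-statement-per-line subset of TE syntax sepolgen emits."""
    pol = {"module": None, "types": [], "permissive": [], "allow": [], "calls": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = CALL.match(line)
        if m:
            name, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
            if name == "policy_module":
                pol["module"] = tuple(args)
            else:
                pol["calls"].append((name, args))
            continue
        words = line.rstrip(";").split()
        if words[0] == "type":
            pol["types"].append(words[1])
        elif words[0] == "permissive":
            pol["permissive"].append(words[1])
        elif words[0] == "allow":
            tgt, cls = words[2].split(":", 1)
            perms = [w for w in words[3:] if w not in ("{", "}")]
            pol["allow"].append({"src": words[1], "tgt": tgt, "class": cls, "perms": perms})
    return pol


def lint(pol):
    """Findings a reviewer raises before the module is built and loaded."""
    findings = ["permissive %s: denials are only logged, remove before enforcing" % d
                for d in pol["permissive"]]
    declared = set(pol["types"])
    for name, args in pol["calls"]:
        findings += ["%s references undeclared type %s" % (name, a)
                     for a in args if a.endswith("_t") and a not in declared]
    return findings
```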

Friday, December 8, 2017

Fedora 27 : Firefox and selinux intro .

Today I made a summary of SELinux.
This is a protection and security utility in Linux operating systems.
It is quite complex and requires a little guidance to learn.
The basic idea is a grid of rules that closes the security gaps.
Today's tutorial simply exemplifies how you can change these rules.
First, check the status of SELinux with these commands:
#getenforce
#sestatus
#sestatus -b
#cat /etc/selinux/config
#ls -lZ /usr/bin/firefox
#chcon -v -t user_home_t /usr/bin/firefox
This changes the SELinux type of the target to user_home_t, so firefox will run with this label, which users are allowed to read, write and manage. user_home_t is the default label for all content in a user's home directory, and the purpose of this last command is to prevent confined applications from being able to read and write that content from the user's home.

Friday, November 26, 2010

Savage Server and Selinux under Fedora 14

If you want to install the Savage Game Server on Fedora 14, you will have problems with SELinux.
Use this command to fix it.
$ chcon -t execmem_exec_t '/home/mythcat/SavageSer/silverback.bin'