Saturday, October 19, 2024
Fedora 42 : Still in development, without some features ...
Wednesday, February 21, 2024
News : SELinux wizard tool !
Monday, December 26, 2022
Fedora 37 : SeLinux alert detection from Trend Micro HouseCall.
[root@fedora mythcat]# ausearch -c 'journal-offline' --raw | audit2allow -M my-journaloffline
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-journaloffline.pp
[root@fedora mythcat]# semodule -X 300 -i my-journaloffline.pp
libsemanage.semanage_get_lock: Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. (Resource temporarily unavailable).
The lock is held by an earlier semodule run that was suspended instead of finishing (state T in the ps output below), so that process has to be killed before the install can be retried:
[root@fedora mythcat]# cat /etc/selinux/config
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@fedora mythcat]# ps aux | grep semodule
root 3974 4.2 5.2 211904 209952 pts/0 T 13:29 0:17 semodule -X 300 -i my-journaloffline.pp
root 4032 0.0 0.0 222424 2288 pts/0 S+ 13:36 0:00 grep --color=auto semodule
[root@fedora mythcat]# kill -9 3974
[root@fedora mythcat]# semodule -X 300 -i my-journaloffline.pp
[1]+ Killed semodule -X 300 -i my-journaloffline.pp
[root@fedora mythcat]# semodule -X 300 -i my-journaloffline.pp
Wednesday, September 30, 2020
Fedora 32 : Can be better? part 014.
The GTK documentation for C# is not very up to date; I tried to use a button to change a label and failed the first time. The Fedora team could improve this side of development. Here is what I have managed to do so far with GTK.
I fixed the source code with this, but I would have preferred a better method:
my_Button.Clicked += delegate {
my_Label.Text = "Use delegate!";
};
Mono is a free and open source implementation of the .NET Framework.
The most popular build tool for Mono is NAnt.
NUnit is very useful for test driven development.
[root@desk mythcat]# dnf install mono-devel
Last metadata expiration check: 0:15:26 ago on Wed 30 Sep 2020 09:04:30 PM EEST.
Package mono-devel-6.6.0-8.fc32.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@desk mythcat]# dnf install nant
...
Installed:
log4net-2.0.8-10.fc32.x86_64 nant-1:0.92-25.fc32.x86_64
nunit2-2.6.4-24.fc32.x86_64
Complete!
[root@desk mythcat]# dnf install nunit nunit-gui
Last metadata expiration check: 0:02:09 ago on Wed 30 Sep 2020 09:27:18 PM EEST.
No match for argument: nunit-gui
Error: Unable to find a match: nunit-gui
Installing MonoDevelop:
[root@desk mythcat]# dnf install monodevelop
...
Installed:
ORBit2-2.14.19-23.fc32.x86_64
gamin-0.1.10-36.fc32.x86_64
gnome-desktop-sharp-2.26.0-36.fc31.x86_64
gnome-sharp-2.24.2-25.fc32.x86_64
gnome-vfs2-2.24.4-30.fc32.x86_64
gnome-vfs2-common-2.24.4-30.fc32.noarch
gtk-sharp2-2.12.45-11.fc32.x86_64
gtk-sharp2-devel-2.12.45-11.fc32.x86_64
gtksourceview2-2.11.2-31.fc32.x86_64
libIDL-0.8.14-21.fc32.x86_64
libbonobo-2.32.1-18.fc32.x86_64
libbonoboui-2.24.5-18.fc32.x86_64
libgnome-2.32.1-20.fc32.x86_64
libgnome-keyring-3.12.0-19.fc32.x86_64
libgnomecanvas-2.30.3-19.fc32.x86_64
libgnomeui-2.24.5-21.fc32.x86_64
mono-addins-1.1-13.fc32.x86_64
monodevelop-5.10.0-17.fc32.x86_64
vte-0.28.2-31.fc32.x86_64
Complete!
Install the .NET Core. This is a general-purpose, modular, cross-platform and open-source development Platform.
[root@desk mythcat]# dnf copr enable @dotnet-sig/dotnet
Enabling a Copr repository. Please note that this repository is not part
of the main distribution, and quality may vary.
...
Do you really want to enable copr.fedorainfracloud.org/@dotnet-sig/dotnet? [y/N]: y
Repository successfully enabled.
[root@desk mythcat]# dnf install dotnet
Copr repo for dotnet owned by @dotnet-sig 5.4 kB/s | 3.3 kB 00:00
Package dotnet-3.1.108-1.fc32.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Let's start a GTK project using the MonoDevelop IDE.
[mythcat@desk ProjectsCSharp]$ monodevelop
I use a new solution from .NET with the GTK# 2.0 Project template.
The default source code is this:
using System;
using Gtk;
namespace MonoDevelopGTK_001
{
class MainClass
{
public static void Main (string[] args)
{
Application.Init ();
MainWindow win = new MainWindow ();
win.Show ();
Application.Run ();
}
}
}
The result is a simple window.
For a more complex form with an entry, a label and one button, see the next example:
using System;
using Gtk;

namespace MonoDevelopGTK_001
{
    class MainClass
    {
        public static void Main (string[] args)
        {
            // define here Entry and Button
            Entry name;
            Button my_Button;
            Application.Init ();
            MainWindow win = new MainWindow ();
            // change the size of window
            win.SetDefaultSize (640, 480);
            // this will close application
            win.DeleteEvent += new DeleteEventHandler (Window_Delete);
            // a Window is a Bin: it holds exactly one child, so the VBox is the
            // only widget added to it directly; every other widget is packed
            // into that VBox (or into the nested boxes), never into the window
            VBox global_vbox = new VBox();
            win.Add(global_vbox);
            name = new Entry();
            global_vbox.PackStart(name, false, false, 0);
            VBox label_vbox = new VBox();
            global_vbox.Add (label_vbox);
            //Define here a label and put some text in it.
            Label my_Label = new Label();
            my_Label.Text = "Hello World!";
            label_vbox.PackStart(my_Label, false, false, 0);
            VBox button_vbox = new VBox();
            global_vbox.Add (button_vbox);
            my_Button = new Button("Ok!");
            my_Button.Clicked += OnButtonClicked;
            button_vbox.PackStart(my_Button, false, false, 0);
            // ShowAll is used to see all labels, buttons
            win.ShowAll();
            Application.Run ();
        }
        public static void OnButtonClicked (object obj, EventArgs args)
        {
            // obj is the Button that was clicked, not the Label; to change the
            // label from here use the delegate shown at the top of this post
            Console.WriteLine ("Button Clicked !");
        }
        static void Window_Delete (object obj, DeleteEventArgs args)
        {
            Application.Quit ();
            args.RetVal = true;
        }
    }
}
Tuesday, September 29, 2020
Fedora 32 : Can be better? part 013.
I would say that I always have a problem with accessing the knowledge base related to errors and configurations in Linux and the Fedora distro.
I think it would be very useful to have documentation in the Fedora distribution that is as up to date as possible, and possibly a database of questions and answers.
That makes me think of the pilots' manuals ... where all the possible problems are listed.
It would be useful for anyone and would especially save users' memory.
In the age of artificial intelligence, a flow chart for each possible problem generated by Xorg, the network or services, showing the areas of interaction, the basic checks a user should make and the possible settings depending on the problem or the desired change, would be a fantastic map for both beginners and advanced users.
After doing some SELinux configuration, my browser would not access the internet.
Until I disabled SELinux, the number of SELinux alerts grew dramatically.
The SELinux policies I had written were not exactly correct.
Obviously, I tried to fix the problem by disabling SELinux.
The ping utility sent and received packets from the internet, but my browser could not connect.
Sometimes a symbolic link or an incorrect setting can block your internet access.
I think the problem was caused when, while disabling SELinux and restarting, a useful service was shut down. The resolver symlink itself was in place:
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
Although attention had been paid to the possibility of incorrect SELinux settings, a simple check and a restart of the systemd-resolved.service unit solved the problem.
[root@desk mythcat]# systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; disabled
Active: inactive (dead)
Docs: man:systemd-resolved.service(8)
[root@desk mythcat]# systemctl start systemd-resolved.service
[root@desk mythcat]# systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; disabled
Active: active (running) since Tue 2020-09-29 22:25:32 EEST; 8s ago
Now it is fixed. Note that the unit is still listed as disabled in the status output, so it will not start automatically at the next boot; systemctl enable --now systemd-resolved.service makes the fix permanent.
Sunday, September 20, 2020
Fedora 32 : Can be better? part 010.
In this tutorial I will show, with a simple example, how easy it is to make your Fedora distro better with SELinux.
SELinux uses a policy store to keep track of its loaded policy modules and related settings.
You can see that my active policy is mls:
[root@desk mythcat]# sestatus | grep Loaded
Loaded policy name: mls
I want to create, in the easiest way, a policy that denies writable-and-executable memory.
There are several ways to do that, or to find an existing control in SELinux.
If you want to deny user-domain applications the ability to map a memory region as both executable and writable, use the deny_execmem boolean.
Such mappings are dangerous, and an executable that needs them should be reported in Bugzilla. The boolean is off by default, so you must turn it on:
setsebool -P deny_execmem 1
Let's use it:
[root@desk mythcat]# setsebool -P deny_execmem 1
[root@desk mythcat]# ausearch -c 'Web Content' --raw | audit2allow -M my-WebContent
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-WebContent.pp
[root@desk mythcat]# semodule -X 300 -i my-WebContent.pp
Note what the second step did: the module generated from the 'Web Content' denials allows exactly the execmem access that the boolean just denied, so for that process the protection is undone again. Always read the generated my-WebContent.te before installing it. Let's see if the module is currently loaded:
[root@desk mythcat]# semodule -l | grep Web
my-WebContent
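To see what a module like my-WebContent contains before installing it, here is an added example of my own (not audit2allow, and not code from the post) that does the core of what `ausearch --raw | audit2allow -M` does: it parses raw AVC denial records, emits the `require` block and `allow` rules of a .te file, and flags rules that grant the memory permissions deny_execmem and its sibling booleans exist to deny (execmem, execstack, execheap, execmod). The three audit records are constructed sample input: the type names exist in the Fedora targeted policy, but the denials themselves are invented. The real tool additionally checks whether a boolean would allow the access; this version does not. The same pipeline appears in the Fedora 37, Fedora 31 part 006 and Fedora 30 posts on this page.

```python
"""Added example: a minimal audit2allow.

Parses raw AVC denial records (the shape `ausearch --raw` prints) and
generates the type-enforcement rules audit2allow would write into a .te
file, so the module can be reviewed before `semodule -i` installs it.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input in the shape of `ausearch --raw` output.
# The type names exist in the Fedora targeted policy; the denials are invented.
SAMPLE_AVC = """\
type=AVC msg=audit(1600000000.123:456): avc:  denied  { execmem } for  pid=2345 comm="Web Content" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1600000001.456:457): avc:  denied  { read } for  pid=3456 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000002.789:458): avc:  denied  { open } for  pid=3456 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000003.012:459): avc:  denied  { name_connect } for  pid=3456 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that defeat W^X; deny_execmem exists to deny the first of these.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}


def context_type(context: str) -> str:
    """Return the type field (third colon-separated element) of a context."""
    return context.split(":")[2]


def parse_avc_records(raw: str) -> dict:
    """Map (source_type, target_type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in raw.splitlines():
        if "type=AVC" not in line:
            continue                      # skip USER_AVC, SYSCALL, PATH, ... records
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m["scontext"])
        ttype = context_type(m["tcontext"])
        # audit2allow writes the target as `self` when source and target types match
        target = "self" if ttype == stype else ttype
        denials[(stype, target, m["tclass"])].update(m["perms"].split())
    return dict(denials)


def fmt_perms(perms) -> str:
    """Single permission bare, several inside braces, as checkmodule expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(denials: dict, module: str = "my_module", version: str = "1.0") -> str:
    """Render the module header, require block and allow rules of a .te file."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.add(stype)
        if ttype != "self":
            types.add(ttype)
        classes[tclass].update(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    by_source = defaultdict(list)
    for key, perms in sorted(denials.items()):
        by_source[key[0]].append((key, perms))
    for stype, rules in sorted(by_source.items()):
        lines.append(f"#============= {stype} ==============")
        for (s, t, c), perms in rules:
            lines.append(f"allow {s} {t}:{c} {fmt_perms(perms)};")
        lines.append("")
    return "\n".join(lines)


def risky_rules(denials: dict) -> list:
    """Return the (source, target, class) keys whose rules grant W^X memory permissions."""
    return sorted(key for key, perms in denials.items() if perms & RISKY_PERMS)


if __name__ == "__main__":
    denials = parse_avc_records(SAMPLE_AVC)
    print(generate_te(denials, module="my-WebContent"))
    for key in risky_rules(denials):
        print("REVIEW before installing:", key)
```

Running it prints a .te with `allow unconfined_t self:process execmem;` under a review warning, which is the rule the post's my-WebContent module would carry; with real input replace SAMPLE_AVC by the output of `ausearch -c 'Web Content' --raw`.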
Saturday, September 5, 2020
Fedora 32 : Can be better? part 007.
Let's recap some basic elements specific to SELinux.
Multi-Category Security (MCS) is a discretionary adaptation of the mandatory Multi-Level Security (MLS) model.
MCS reuses the MLS attributes: security levels (sensitivities) and security compartments (categories).
On an MCS or MLS system the security context carries an extra field, the range: user_u:role_r:type_t:s0:c0.
You can see this with id -Z.
The MLS range has two components, the low level (the current classification and compartments) and the high level (the clearance).
A level is built from a sensitivity and an optional set of categories, for example s2:c1,c2.
MCS has 1024 categories (c0 to c1023) that can be assigned to processes and files.
On an MLS system there are two special labels, SystemLow (s0) and SystemHigh (s15:c0.c255).
In an MCS environment the upper end of the range, s0:c0.c1023, is SystemHigh.
By default, everything in an MCS environment has access to SystemLow, s0.
A process running at s0:c122,c123 can access files labelled s0:c122 or s0:c123, because its level dominates theirs.
The MLS translation mechanism (mcstrans) gives more readable names to the machine-like sensitivity and category labels used by the policy.
The MLS rule says: "no read up and no write down".
The MLS model is used to enforce confidentiality.
All processes are forced to operate at a security level.
The s0 security level, SystemLow, is the lower end of the security level range in an MLS environment.
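As an added example (my own code, not from the post), the following Python parses contexts and MLS/MCS ranges like the ones above and evaluates label dominance, which is what "no read up and no write down" reduces to: a level dominates another when its sensitivity is at least as high and its category set is a superset. The SystemLow/SystemHigh labels and the sample levels come from the text; the function and class names are mine.

```python
"""Added example: SELinux MLS/MCS levels and the "no read up, no write down" rule.

Parses contexts such as staff_u:staff_r:staff_t:s0-s15:c0.c1023 into a
low/high pair of levels and evaluates dominance between levels.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int          # s0 .. s15 on the Fedora MLS policy
    categories: frozenset     # c0 .. c1023

    def dominates(self, other: "Level") -> bool:
        # L1 dom L2: sensitivity at least as high AND a superset of the categories
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text: str) -> Level:
    """Parse 's2', 's2:c1,c2' or 's0:c0.c1023' (a dot denotes a category range)."""
    m = re.fullmatch(r"s(\d+)(?::(c\d+(?:[.,]c\d+)*))?", text)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:
                lo, hi = (int(c[1:]) for c in part.split("."))
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(part[1:]))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text: str) -> tuple:
    """Parse 'low-high'; a single level means low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def parse_context(context: str) -> dict:
    """Split user:role:type:range; a context without a range is treated as s0."""
    parts = context.split(":", 3)
    if len(parts) == 3:
        parts.append("s0")
    user, role, type_, range_ = parts
    low, high = parse_range(range_)
    return {"user": user, "role": role, "type": type_, "low": low, "high": high}


def can_read(subject: Level, obj: Level) -> bool:
    """No read up: the subject's level must dominate the object's."""
    return subject.dominates(obj)


def can_write(subject: Level, obj: Level) -> bool:
    """No write down: the object's level must dominate the subject's.

    This is the textbook rule; the Fedora MLS policy is stricter for files
    and by default requires l1 eq l2 unless the type has mlsfilewritetoclr.
    """
    return obj.dominates(subject)


SYSTEM_LOW = parse_level("s0")
SYSTEM_HIGH_MLS = parse_level("s15:c0.c255")
SYSTEM_HIGH_MCS = parse_level("s0:c0.c1023")

if __name__ == "__main__":
    ctx = parse_context("staff_u:staff_r:staff_t:s0-s15:c0.c1023")
    print(ctx["type"], ctx["low"], len(ctx["high"].categories), "categories at high")
    subject = parse_level("s2:c1,c2")
    for label in ("s0", "s2:c3", "s15:c0.c255"):
        obj = parse_level(label)
        print(f"{label:>12}: read={can_read(subject, obj)} write={can_write(subject, obj)}")
```

The `mlsconstrain` text quoted in part 006 below is the policy's own version of these checks: `l1 dom l2` for read, and `l1 eq l2` (or a trusted type) for write, so a process at s2:c1,c2 reads s0 but not s2:c3, and may write up to SystemHigh only in the textbook model.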
If the configuration is not correct, switching SELinux to enforcing can cause errors after a reboot or during operation.
You will then need the root password to get back in and redo the SELinux settings.
Let's solve this issue: put SELinux into enforcing mode but give my user the ability to use sudo su.
First, look at this table of SELinux users:
SELinux user | Description | Used for
---|---|---
unconfined_u | SELinux user meant for unrestricted users. Unconfined users have hardly any restrictions in a SELinux context and are meant for systems where only Internet-facing services should run confined (i.e. the targeted SELinux policy store). | All users on a targeted system
root | The SELinux user meant for the root account | The Linux root account
sysadm_u | SELinux user with the system administrative role assigned directly | Linux accounts that only perform administrative tasks
staff_u | SELinux user for operators who need to run both non-administrative commands (through the staff_r role) and administrative commands (through the sysadm_r role) | Linux accounts used both for end-user work and for administrative tasks
user_u | SELinux user for non-privileged accounts | Unprivileged Linux accounts
system_u | Special SELinux user meant for system services | Not used directly
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s2:c100 mythcat
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s0-s15:c0.c1023 mythcat
[root@desk mythcat]# semanage login -l
[root@desk mythcat]# setenforce enforcing
[root@desk mythcat]# getenforce
Enforcing
[root@desk mythcat]# semanage login -l
ValueError: Cannot read policy store.
After the reboot the new settings need a moment to take effect; at first the previous configuration is still what you see.
[mythcat@desk ~]$ semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
[mythcat@desk ~]$ id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
[mythcat@desk ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
A few seconds later all is good:
[mythcat@desk ~]$ sudo su
[sudo] password for mythcat:
bash: /root/.bashrc: Permission denied
bash-5.0# ls
bash-5.0# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
bash-5.0# id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
bash-5.0# exit
exit
[mythcat@desk ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
Everything is fine for now; this delay is the reason for using the SELinux settings loaded by the kernel at boot. Note that id -Z still shows staff_u:staff_r:staff_t after sudo su: the Linux user changed to root but the SELinux role did not, which is why reading /root/.bashrc was denied. On the MLS policy the role change is done with newrole -r sysadm_r, from the policycoreutils-newrole package installed in part 005.
More information about Multi-Level Security and Multi-Category Security can be found on this webpage.
Sunday, February 16, 2020
Fedora 31 : Can be better? part 006.
SELinux is preventing su from open access on the file /var/log/lastlog.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that su should be allowed open access on the lastlog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'su' --raw | audit2allow -M my-su
# semodule -X 300 -i my-su.pp
I tried to fix it but got this error:
[root@desk mythcat]# ausearch -c 'su' --raw | audit2allow -M my-su
compilation failed:
my-su.te:36:ERROR 'syntax error' at token 'mlsconstrain' on line 36:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)
or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 ==
mlsfilewriteinrange -Fail-)
and (l1 dom l2 -Fail-) an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 ==
mlsfilereadtoclr -Fail-)
and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Sunday, February 2, 2020
Fedora 31 : Can be better? part 005.
This time the adventure turned to switching SELinux to the MLS policy.
Let's test switching SELinux on Fedora 31 from the default targeted policy to mls.
First let's see the users:
[root@desk mythcat]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
To use MLS you need to change this file:
[root@desk mythcat]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The changes are:
#SELINUX=enforcing
SELINUX=permissive
...
#SELINUXTYPE=targeted
SELINUXTYPE=mls
You need to install this package:
[root@desk mythcat]# dnf search mls | grep selinux
Last metadata expiration check: 2:45:09 ago on Sun 02 Feb 2020 01:28:54 PM EET.
selinux-policy-mls.noarch : SELinux mls base policy
[root@desk mythcat]# dnf install selinux-policy-mls.noarch
...
Installed:
mcstrans-2.9-2.fc31.x86_64
policycoreutils-newrole-2.9-5.fc31.x86_64
selinux-policy-mls-3.14.4-45.fc31.noarch
Complete!
These commands switch to permissive mode, then schedule a full relabel and reboot into the MLS policy.
[mythcat@desk ~]$ setenforce 0
[mythcat@desk ~]$ getenforce
Permissive
...
[root@desk mythcat]# touch /.autorelabel
[root@desk mythcat]# reboot
If you have problems on boot, add enforcing=0 (boot in permissive mode) or selinux=0 (disable SELinux for that boot) to the kernel command line; files created while booted with selinux=0 get no labels, so another relabel is needed afterwards. After I booted and relabeled all files I got errors about Gtk-Messages.
I removed my old Cinnamon desktop with this command:
[root@desk mythcat]# dnf groupremove -y "Cinnamon"
I listed all groups with the dnf tool:
[root@desk mythcat]# dnf grouplist -v
I installed the MATE environment:
dnf groupinstall -y "MATE Desktop" --allowerasing
After that, the only way to start the environment was this command:
[mythcat@desk ~]$ sudo systemctl restart lightdm.service
Another issue comes from the SELinux Alert Browser, where I get multiple alerts that need to be fixed manually. At first there were more than 250 alerts.
After I fixed some of them I now see only 50.
I think this problem with changing the SELinux type could be improved.
Thursday, August 22, 2019
Fedora 30 : Set up the Linux Malware Detect.
[mythcat@desk ~]$ su
Password:
[root@desk mythcat]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-systemd.pp
[root@desk mythcat]# semodule -X 300 -i my-systemd.pp
This tool comes with three monitor modes that determine what is monitored: USERS, PATHS and FILE.
The options break down as follows:
- USERS: takes the home directories of all system users above inotify_minuid and monitors them. If inotify_webdir is set then only the user's webdir, if it exists, is monitored;
- PATHS: a comma-separated list of paths to monitor;
- FILE: a line-separated file containing the list of paths to monitor.
$ maldet --monitor users
$ maldet --monitor /root/initial-setup-ks.cfg
$ maldet --monitor /home/mythcat
Let's test the USERS option:
[mythcat@desk maldetect-1.6.4]$ maldet --monitor users
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks
(C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(7958): {mon} could not find inotifywait command, install yum package inotify-tools or
download from https://github.com/rvoicilas/inotify-tools/wiki/
[root@desk maldetect-1.6.4]# dnf search inotify-tools
Last metadata expiration check: 0:01:39 ago on Wed 21 Aug 2019 11:09:22 PM EEST.
============================================ Name Exactly Matched: inotify-tools ======
inotify-tools.i686 : Command line utilities for inotify
inotify-tools.x86_64 : Command line utilities for inotify
================================================ Name Matched: inotify-tools ======
inotify-tools-devel.i686 : Headers and libraries for building apps that use libinotifytools
inotify-tools-devel.x86_64 : Headers and libraries for building apps that use libinotifytools
[root@desk maldetect-1.6.4]# dnf install inotify-tools.x86_64
...
Installed:
inotify-tools-3.14-16.fc30.x86_64
Complete!
[root@desk maldetect-1.6.4]# maldet --monitor users
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks
(C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(973): {mon} set inotify max_user_watches to 16384
maldet(973): {mon} added /dev/shm to inotify monitoring array
maldet(973): {mon} added /var/tmp to inotify monitoring array
maldet(973): {mon} added /tmp to inotify monitoring array
maldet(973): {mon} starting inotify process on 3 paths, this might take awhile...
maldet(973): {mon} inotify startup successful (pid: 1800)
maldet(973): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Wednesday, March 13, 2019
Fedora 29 : Use Selinux with Firefox.
[root@desk selinux_001]# dnf install policycoreutils-devel
Let's see the commands used to create a policy named firefox:
[mythcat@desk ~]$ mkdir selinux_001
[mythcat@desk ~]$ cd selinux_001/
[mythcat@desk selinux_001]$ whereis firefox
firefox: /usr/bin/firefox /usr/lib64/firefox /etc/firefox /usr/share/man/man1/firefox.1.gz
[mythcat@desk selinux_001]$ sepolicy generate --init -n firefox /usr/bin/firefox
nm: /usr/bin/firefox: file format not recognized
Failed to retrieve rpm info for selinux-policy
Created the following files:
/home/mythcat/selinux_001/firefox.te # Type Enforcement file
/home/mythcat/selinux_001/firefox.if # Interface file
/home/mythcat/selinux_001/firefox.fc # File Contexts file
/home/mythcat/selinux_001/firefox_selinux.spec # Spec file
/home/mythcat/selinux_001/firefox.sh # Setup Script
[mythcat@desk selinux_001]$ cat firefox.te
policy_module(firefox, 1.0.0)
########################################
#
# Declarations
#
type firefox_t;
type firefox_exec_t;
init_daemon_domain(firefox_t, firefox_exec_t)
permissive firefox_t;
########################################
#
# firefox local policy
#
allow firefox_t self:fifo_file rw_fifo_file_perms;
allow firefox_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(firefox_t)
files_read_etc_files(firefox_t)
miscfiles_read_localization(firefox_t)
[mythcat@desk selinux_001]$ cat firefox.fc
/usr/bin/firefox -- gen_context(system_u:object_r:firefox_exec_t,s0)
I have modified this policy generated by sepolicy by adding my own rules:
[mythcat@desk selinux_001]$ cat firefox.te
policy_module(firefox, 1.0.0)
########################################
#
# Declarations
#
type firefox_t;
type firefox_exec_t;
init_daemon_domain(firefox_t, firefox_exec_t)
permissive firefox_t;
# my rules
require {
type unreserved_port_t;
type http_port_t;
class tcp_socket { accept listen name_bind name_connect };
}
########################################
#
# firefox local policy
#
allow firefox_t self:fifo_file rw_fifo_file_perms;
allow firefox_t self:unix_stream_socket create_stream_socket_perms;
# my rules
allow firefox_t http_port_t:tcp_socket { name_bind name_connect };
allow firefox_t unreserved_port_t:tcp_socket { name_bind name_connect };
allow firefox_t self:tcp_socket { listen accept };
domain_use_interactive_fds(firefox_t)
files_read_etc_files(firefox_t)
miscfiles_read_localization(firefox_t)
Note that the module still declares permissive firefox_t, so denials for firefox_t are only logged, not enforced, until that line is removed. The added rules also grant name_bind, listen and accept, which are server-side permissions; a browser making outbound connections only needs name_connect. I used the following commands to build and install my own policy:
[mythcat@desk selinux_001]$ make -f /usr/share/selinux/devel/Makefile
Compiling targeted firefox module
/usr/bin/checkmodule: loading policy configuration from tmp/firefox.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 19) to tmp/firefox.mod
Creating targeted firefox.pp policy package
rm tmp/firefox.mod tmp/firefox.mod.fc
[mythcat@desk selinux_001]$ sudo semodule -i firefox.pp
[sudo] password for mythcat:
semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing them.
Let's see the result:
[root@desk selinux_001]# semodule -l | grep firefox
firefox
Thursday, January 24, 2019
Fedora 29 : Selinux and python.
The wikipedia page comes with this intro about SELinux: Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). ... A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources.
This kernel security module can help you secure the network and the applications running on your Linux system.
It is very complex and is driven by policy configuration files designed to address your security requirements.
First, the install is easy with the dnf tool:
[root@desk mythcat]# dnf install python2-libselinux.x86_64
Last metadata expiration check: 1:31:46 ago on Thu 24 Jan 2019 07:04:16 AM EET.
Dependencies resolved.
...
Installed:
python2-libselinux-2.8-6.fc29.x86_64
Complete!
I tested this Python module with a few simple examples:
[mythcat@desk ~]$ python
Python 2.7.15 (default, Oct 15 2018, 15:26:09)
[GCC 8.2.1 20180801 (Red Hat 8.2.1-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> selinux.is_selinux_enabled()
1
>>> selinux.lgetfilecon_raw(".bashrc")
[37, 'unconfined_u:object_r:user_home_t:s0']
>>> selinux.selinux_getpolicytype()[1]
'targeted'
>>> selinux.selinux_getpolicytype()
[0, 'targeted']
Sunday, September 23, 2018
Fedora 28 : Start a service daemon with Python.
[mythcat@desk system]# cd /etc/systemd/system/
[root@desk system]# vim testpython.service
This is the unit file for the service:
[Unit]
Description=Python Service
After=multi-user.target
[Service]
Type=simple
ExecStart=/usr/bin/python /home/mythcat/test_service.py
[Install]
WantedBy=multi-user.target
Create the python file for this service. I named test_service.py .
[root@desk system]# exit
exit
[mythcat@desk system]$ cd ~
[mythcat@desk ~]$ vim test_service.py
#!/usr/bin/env python
import logging
import time
logging.basicConfig(level="INFO")
while True:
logging.info("Hi")
time.sleep(3)
Make the Python file executable (testpython.service keeps the default permissions):
[mythcat@desk ~]$ chmod 764 test_service.py
Because systemd runs this service, SELinux will deny it: systemd is not allowed to execute a file labelled user_home_t. Fix that by relabeling the script as bin_t:
[mythcat@desk ~]$ chcon -t bin_t ~/test_service.py
Note that chcon is not persistent: a relabel (restorecon or a /.autorelabel boot) resets the label to the default for that path, so for a permanent service record the context with semanage fcontext or install the script outside the home directory. Reload the unit files and start your service with these commands:
[root@desk system]# systemctl daemon-reload
[root@desk system]# systemctl start testpython.service
[root@desk system]# systemctl status testpython.service
● testpython.service - Python Service
Loaded: loaded (/etc/systemd/system/testpython.service; enabled; vendor>
Active: active (running) since Sat 2018-09-22 21:36:23 EEST; 5s ago
Main PID: 7213 (python)
Tasks: 1 (limit: 2102)
Memory: 5.7M
CGroup: /system.slice/testpython.service
└─7213 /usr/bin/python /home/mythcat/test_service.py
Sep 22 21:36:23 desk systemd[1]: Started Python Service.
Sep 22 21:36:24 desk python[7213]: INFO:root:Hi
Sep 22 21:36:27 desk python[7213]: INFO:root:Hi
You can use the journalctl command to see the output of this service:
[root@desk system]# journalctl -u testpython.service
-- Logs begin at Sat 2018-09-22 20:40:06 EEST, end at Sat 2018-09-22 21:31:07 EEST. --
Sep 22 20:40:06 desk python[6232]: INFO:root:Hi
Sep 22 20:40:09 desk python[6232]: INFO:root:Hi
Sep 22 20:40:12 desk python[6232]: INFO:root:Hi
Sep 22 20:40:15 desk python[6232]: INFO:root:Hi
Sep 22 20:40:18 desk python[6232]: INFO:root:Hi
Sep 22 20:40:21 desk python[6232]: INFO:root:Hi
Sep 22 20:40:24 desk python[6232]: INFO:root:Hi
Sep 22 20:40:27 desk python[6232]: INFO:root:Hi
Sep 22 20:40:30 desk python[6232]: INFO:root:Hi
Wednesday, February 21, 2018
Fedora 27 : selinux and getfattr attributes.
One attribute is security.selinux, used by SELinux; others are:
- security.capability - stores the Linux file capabilities of the file; it applies to binaries that are granted one or more capabilities through this attribute.
- security.ima - for the Integrity Measurement Architecture (IMA); stores a hash or digital signature of the file contents.
- security.evm - similar to security.ima; the Extended Verification Module (EVM) stores a hash/HMAC or digital signature here, the difference from IMA being that it protects the file's metadata, not its contents.
Now, about security.selinux:
You can use the getfattr command to read the SELinux label of a file:
# getfattr -m security.selinux -d /etc/passwd
getfattr: Removing leading '/' from absolute path names
# file: etc/passwd
security.selinux="system_u:object_r:passwd_file_t:s0"
# getfattr -m security.selinux -d /etc/shadow
...
# getfattr -m security.selinux -d /var/www
...
Both getfattr and setfattr are provided by the attr package (the user-space tools for extended attributes), not by SELinux itself.
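getfattr prints the values as text, which hides two details a practitioner runs into when reading these attributes from code: security.selinux comes back NUL-terminated, and security.capability is a binary struct (the kernel's vfs_cap_data), not a string. The following is an added example of my own, not code from the post, that reads every security.* attribute of a path with os.getxattr and decodes those two. The capability bytes embedded in it are constructed: one represents cap_net_raw+ep (as set on ping), the other a revision-3 blob with a root ID of 1000.

```python
"""Added example: decode the security.* extended attributes listed above.

Reads xattrs with os.getxattr and decodes the two whose values are not
plain text: security.selinux (a NUL-terminated context) and
security.capability (struct vfs_cap_data from include/uapi/linux/capability.h).
"""
import os
import struct

# Constants from the kernel's include/uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# A few capability bit numbers (linux/capability.h); unknown bits print as cap_N
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 6: "cap_setgid", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
             19: "cap_sys_ptrace", 21: "cap_sys_admin"}

# Constructed samples (not read from a real file): cap_net_raw+ep as set on
# ping, a revision-3 blob granting cap_net_bind_service with rootid 1000
# (user-namespace capabilities), and a NUL-terminated SELinux label.
SAMPLE_CAP_V2 = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")
SAMPLE_CAP_V3 = bytes.fromhex("01000003" "00040000" "00000000" "00000000" "00000000" "e8030000")
SAMPLE_SELINUX = b"system_u:object_r:passwd_file_t:s0\x00"


def decode_selinux(raw: bytes) -> str:
    """getxattr returns the label with its trailing NUL; getfattr hides it."""
    return raw.rstrip(b"\x00").decode()


def cap_names(mask: int) -> list:
    """Expand a 64-bit capability mask into names, lowest bit first."""
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]


def decode_capability(raw: bytes) -> dict:
    """Decode struct vfs_cap_data: __le32 magic_etc, then (permitted, inheritable)
    __le32 pairs for the low and high 32 bits, plus __le32 rootid in revision 3."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError(f"unsupported vfs_cap_data revision 0x{revision:08x}")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(p_lo | (p_hi << 32)),
        "inheritable": cap_names(i_lo | (i_hi << 32)),
        "rootid": rootid,
    }


def read_security_xattrs(path: str) -> dict:
    """Read and decode every security.* xattr on path; empty dict if none or unsupported."""
    out = {}
    if not hasattr(os, "listxattr"):
        return out
    try:
        names = [n for n in os.listxattr(path, follow_symlinks=False) if n.startswith("security.")]
    except OSError:
        return out
    for name in names:
        try:
            raw = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            continue
        if name == "security.selinux":
            out[name] = decode_selinux(raw)
        elif name == "security.capability":
            out[name] = decode_capability(raw)
        else:                       # security.ima / security.evm: hash or signature blobs
            out[name] = raw.hex()
    return out


if __name__ == "__main__":
    print(decode_selinux(SAMPLE_SELINUX))
    print(decode_capability(SAMPLE_CAP_V2))
    print(read_security_xattrs("/etc/passwd"))
```

On a Fedora host `read_security_xattrs("/usr/bin/ping")` shows the same cap_net_raw grant that `getcap` reports, and `read_security_xattrs("/etc/passwd")` returns the passwd_file_t label seen in the getfattr output above without the trailing NUL.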
Tuesday, December 19, 2017
Fedora 27 : Firefox and selinux : sepolgen tool .
First, test whether it is installed in your Fedora distro.
I used Fedora 27 with SELinux set to Enforcing.
If your application is named my_app, use this command:
sepolgen --init /path/to/my_app
The result of this command will be these files:
my_app.fc
my_app.sh
my_app.if
my_app_selinux.spec
my_app.te
If your application will be an RPM package, you can delete my_app_selinux.spec and my_app.sh. The file with the extension .te is the Type Enforcement file.
About this five files, the Linux help tells us:
Type Enforcing File NAME.te
This file can be used to define all the types rules for a particular domain.
Note: Policy generated by sepolicy generate will automatically add a permissive DOMAIN
to your te file. When you are satisfied that your policy works, you need to remove
the permissive line from the te file to run your domain in enforcing mode.
Interface File NAME.if
This file defines the interfaces for the types generated in the te file, which can
be used by other policy domains.
File Context NAME.fc
This file defines the default file context for the system, it takes the file types
created in the te file and associates file paths to the types. Tools like restorecon
and RPM will use these paths to put down labels.
RPM Spec File NAME_selinux.spec
This file is an RPM SPEC file that can be used to install the SELinux policy on to
machines and setup the labeling. The spec file also installs the interface file and
a man page describing the policy. You can use sepolicy manpage -d NAME to generate
the man page.
Shell File NAME.sh
This is a helper shell script to compile, install and fix the labeling on your test
system. It will also generate a man page based on the installed policy, and compile
and build an RPM suitable to be installed on other machines
Opening the my_app.te file you will see something like this:
policy_module(my_app, 1.0.0)
########################################
#
# Declarations
#
type my_app_t;
type my_app_exec_t;
init_daemon_domain(my_app_t, my_app_exec_t)
# Please remove this once your policy works as expected.
permissive my_app_t;
########################################
#
# my_app local policy
#
allow my_app_t self:fifo_file rw_fifo_file_perms;
allow my_app_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(my_app_t)
files_read_etc_files(my_app_t)
auth_use_nsswitch(my_app_t)
miscfiles_read_localization(my_app_t)
sysnet_dns_name_resolve(my_app_t)
The first line gives the name of the policy module (the name of the binary) and its version.
policy_module(my_app, 1.0.0)
The next rows declare the types:
type my_app_t;
type my_app_exec_t;
init_daemon_domain(my_app_t, my_app_exec_t)
- my_app_t is the unique type (domain) that describes this application.
- my_app_exec_t is the type of the executable file; running a file of this type enters the my_app_t domain.
- init_daemon_domain(my_app_t, my_app_exec_t) says this program will run as a service started by init.
The next row makes the domain permissive: permission errors are logged but the application is allowed to continue.
permissive my_app_t;
The next rows allow the application to use its own FIFOs and Unix stream sockets.
Leave them as they are; a web search turns up more examples of this kind of allow rule.
allow my_app_t self:fifo_file rw_fifo_file_perms;
allow my_app_t self:unix_stream_socket create_stream_socket_perms;
About these rows:
domain_use_interactive_fds(my_app_t)
files_read_etc_files(my_app_t)
auth_use_nsswitch(my_app_t)
miscfiles_read_localization(my_app_t)
sysnet_dns_name_resolve(my_app_t)
domain_use_interactive_fds lets the domain inherit and use file descriptors from interactive programs, for example the terminal that SSH allocated for the user who started it; the fifo_file rule above covers the application's own pipes.
With files_read_etc_files, my_app can read the configuration files in /etc.
auth_use_nsswitch allows name-service lookups (passwd, group and similar databases through nsswitch); it can also add rules allowing access to the NIS/ypbind ports.
miscfiles_read_localization allows reading the localization (locale) files.
sysnet_dns_name_resolve allows DNS name resolution.
To better understand this tutorial, create a folder in your home directory and test it with a different application from Fedora 27.
One good example: sepolgen --init /opt/firefox .
Friday, December 8, 2017
Fedora 27 : Firefox and selinux intro .
SELinux is a protection and security mechanism in Linux operating systems.
It is quite complex and requires a little guidance to learn.
The basic idea is to enforce a set of rules that closes the gaps left by ordinary permissions.
Today's tutorial simply shows how you can change these rules.
First, check the status of SELinux with these commands:
#getenforce
#sestatus
#sestatus -b
#cat /etc/selinux/config
#ls -lZ /usr/bin/firefox
#chcon -v -t user_home_t /usr/bin/firefox
This last command changes the SELinux type of the firefox binary to user_home_t.
user_home_t is the default label for all content in a user's home directory: users are allowed to read, write and manage files with this label, while confined applications are normally prevented from reading and writing it.
Note that chcon changes are not persistent; restorecon -v /usr/bin/firefox puts the default label back.
Friday, November 26, 2010
Savage Server and Selinux under Fedora 14
Use this command to fix it:
$ chcon -t execmem_exec_t '/home/mythcat/SavageSer/silverback.bin'