Four days ago, the well-known Gnome environment came with a new release.
I guess it will be implemented in Fedora distro soon.
tutorials, tips, tricks, commands, programming, linux, windows, database, sql, python, programming language, Fedora, drawing, painting, tutorial, tutorials
Four days ago, the well-known Gnome environment came with a new release.
I guess it will be implemented in Fedora distro soon.
In this tutorial I will show you how can easy learn with a simple example to have a better Fedora distro with SELinux.
SELinux uses a policy store to keep track of its loaded policy modules and related settings.
You can see my active policy store name is MLS.
[root@desk mythcat]# sestatus | grep Loaded
Loaded policy name: mls
I want to create policy in the most easy way to denny memory.
I can use many way to do that or find it on SELinux.
If you want to deny user domains applications to map a memory region as both executable and writable you can use deny_execmem.
This is dangerous and the executable should be reported in bugzilla and is is enabled by default.
You must turn on the deny_execmem boolean.
setsebool -P deny_execmem 1
Let's use it:
[root@desk mythcat]# setsebool -P deny_execmem 1
[root@desk mythcat]# ausearch -c 'Web Content' --raw | audit2allow -M my-WebContent
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-WebContent.pp
[root@desk mythcat]# semodule -X 300 -i my-WebContent.pp
Let's see if this SELinux is currently loaded:
[root@desk mythcat]# semodule -l | grep Web
my-WebContent
[mythcat@desk ~]$ cd Python-3.5.10/
[mythcat@desk Python-3.5.10]$ ./configure
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for python3.5... no
checking for python3... python3
checking for --enable-universalsdk... no
...
The next command is make:
[mythcat@desk Python-3.5.10]$ make
gcc -pthread -c -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes
-Werror=declaration-after-statement -I. -I./Include -DPy_BUILD_CORE -o Programs/python.o
./Programs/python.c
...
# On Darwin, always use the python version of the script, the shell
# version doesn't use the compiler customizations that are provided
# in python (_osx_support.py).
if test `uname -s` = Darwin; then \
cp python-config.py python-config; \
fi
Then I used make test.
[mythcat@desk Python-3.5.10]$ make test
running build
running build_ext
INFO: Can't locate Tcl/Tk libs and/or headers
Python build finished successfully!
...
For the last part I used this command:
[mythcat@desk Python-3.5.10]$ sudo make install
...
The result of this is ...
[mythcat@desk Python-3.5.10]$ ls
aclocal.m4 config.sub Include Mac Modules platform python README
build configure install-sh Makefile Objects Programs Python setup.py
config.guess configure.ac Lib Makefile.pre Parser pybuilddir.txt python-config Tools
config.log Doc libpython3.5m.a Makefile.pre.in PC pyconfig.h python-config.py
config.status Grammar LICENSE Misc PCbuild pyconfig.h.in python-gdb.py
[mythcat@desk Python-3.5.10]$ ./python
Python 3.5.10 (default, Sep 6 2020, 22:32:07)
[GCC 10.2.1 20200723 (Red Hat 10.2.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
...
dnf install gtk3-devel
The Fedora team come with a group install with many feature.
#dnf -y groupinstall "Development Tools"
I test with these examples:
#include
int main(int argc,
char *argv[])
{
GtkWidget *window;
gtk_init (&argc, &argv);
window = gtk_window_new (GTK_WINDOW_TOPLEVEL);
gtk_window_set_title (GTK_WINDOW (window), "Hello World");
gtk_widget_show (window);
gtk_main ();
return 0;
}
This create a simple window with Hello World title.
#include
static void on_window_closed(GtkWidget * widget, gpointer data)
{
gtk_main_quit();
}
int main(int argc, char * argv[])
{
GtkWidget * window, * label;
gtk_init(&argc, &argv);
window = gtk_window_new(GTK_WINDOW_TOPLEVEL);
g_signal_connect( window, "destroy", G_CALLBACK(on_window_closed), NULL);
label = gtk_label_new("Hello, World!");
gtk_container_add(GTK_CONTAINER(window), label);
gtk_widget_show(label);
gtk_widget_show(window);
gtk_main();
return 0;
}
This is the same example but you will see a label with te text Hello, World!.#include
const char *password = "mythcat";
// close the window application
void closeApp(GtkWidget *widget, gpointer data)
{
gtk_main_quit();
}
// show text when you click on button
void button_clicked(GtkWidget *button, gpointer data)
{
const char *password_text = gtk_entry_get_text(GTK_ENTRY((GtkWidget *)data));
if(strcmp(password_text, password) == 0)
printf("Access granted for user: \"%s\"\n",password);
else
printf("Access denied!\n");
}
int main( int argc, char *argv[])
{
GtkWidget *window;
GtkWidget *label1, *label2, *label3;
GtkWidget *hbox;
GtkWidget *vbox;
GtkWidget *ok_button;
GtkWidget *password_entry;
gtk_init(&argc, &argv);
window = gtk_window_new(GTK_WINDOW_TOPLEVEL);
gtk_window_set_title(GTK_WINDOW(window), "Labels, password with one button and layout");
gtk_window_set_position(GTK_WINDOW(window), GTK_WIN_POS_CENTER);
gtk_window_set_default_size(GTK_WINDOW(window), 300, 200);
g_signal_connect(G_OBJECT(window), "destroy", G_CALLBACK(closeApp), NULL);
label1 = gtk_label_new("Catalin");
label2 = gtk_label_new("George");
label3 = gtk_label_new("Festila");
password_entry = gtk_entry_new();
gtk_entry_set_visibility(GTK_ENTRY(password_entry), FALSE);
ok_button = gtk_button_new_with_label("OK");
g_signal_connect(G_OBJECT(ok_button), "clicked", G_CALLBACK(button_clicked),password_entry);
hbox = gtk_box_new(FALSE, 1);
vbox = gtk_box_new(TRUE, 2);
gtk_box_pack_start(GTK_BOX(vbox), label1, TRUE, FALSE, 5);
gtk_box_pack_start(GTK_BOX(vbox), label2, TRUE, FALSE, 5);
gtk_box_pack_start(GTK_BOX(hbox), vbox, FALSE, TRUE, 5);
gtk_box_pack_start(GTK_BOX(hbox), label3, FALSE, FALSE, 5);
gtk_box_pack_start(GTK_BOX(vbox), ok_button, FALSE, FALSE, 5);
gtk_box_pack_start(GTK_BOX(hbox), password_entry, TRUE, FALSE, 5);
gtk_container_add(GTK_CONTAINER(window), hbox);
gtk_widget_show_all(window);
gtk_main();
return 0;
}
The result can be seen in the following image:[mythcat@desk ~]$ gcc test.c $(pkg-config --cflags --libs gtk+-3.0) -o test
[mythcat@desk ~]$ ./test
SELinux user | Description | Used for |
---|---|---|
unconfined_u | SELinux user meant for unrestricted users. Unconfined users have hardly any restrictions in a SELinux context and are meant for systems where only Internet-facing services should run confined (i.e. the targeted SELinux policy store). | All users on a targeted system |
root | The SELinux user meant for the root account | The Linux root account |
sysadm_u | SELinux user with direct system administrative role assigned | Linux accounts that only perform administrative tasks |
staff_u | SELinux user for operators that need to run both non-administrative commands (through the staff_r role) and administrative commands (through the sysadm_r role).
|
Linux accounts used for both end user usage as well as administrative tasks |
user_u | SELinux user for non-privileged accounts | Unprivileged Linux accounts |
system_u | Special SELinux user meant for system services | Not used directly |
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s2:c100 mythcat
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s0-s15:c0.c1023 mythcat
[root@desk mythcat]# semanage login -l
[root@desk mythcat]# setenforce enforcing
[root@desk mythcat]# getenforce
Enforcing
[root@desk mythcat]# semanage login -l
ValueError: Cannot read policy store.
After reboot need some time to load the new changes, first is the last configuration.
[mythcat@desk ~]$ semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
[mythcat@desk ~]$ id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
[mythcat@desk ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
Few seconds later all is good:
[mythcat@desk ~]$ sudo su
[sudo] password for mythcat:
bash: /root/.bashrc: Permission denied
bash-5.0# ls
bash-5.0# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
bash-5.0# id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
bash-5.0# exit
exit
[mythcat@desk ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
Everything is fine for now, this delay is the reason for using the selinux kernel settings.
More information about Multi-Level Security and Multi-Category Security can be found on this webpage.
[root@desk mythcat]# dnf install gdm
...
Complete!
[root@desk mythcat]# systemctl disable lightdm
[root@desk mythcat]# systemctl enable gdm
Failed to enable unit: File /etc/systemd/system/display-manager.service already exists and is a symlink to /usr/lib/systemd/system/sddm.service.
[root@desk mythcat]# systemctl disable sddm.service
Removed /etc/systemd/system/display-manager.service.
[root@desk mythcat]# systemctl enable gdm
Created symlink /etc/systemd/system/display-manager.service → /usr/lib/systemd/system/gdm.service.
[root@desk mythcat]# reboot
If you have problems with gdm display manager then you can read about settings here.[root@desk mythcat]# cat /etc/gdm/custom.conf
# GDM configuration storage
[daemon]
# Uncomment the line below to force the login screen to use Xorg
#WaylandEnable=false
AutomaticLogin=mythcat
AutomaticLoginEnable=False
[security]
[xdmcp]
[chooser]
[debug]
# Uncomment the line below to turn on debugging
#Enable=true
[root@desk mythcat]# dnf -y update
...
[mythcat@desk ~]$ cp Downloads/LibreOffice_7.0.0_Linux_x86-64_rpm.tar.gz ~
[mythcat@desk ~]$ ls LibreOffice*
LibreOffice_7.0.0_Linux_x86-64_rpm.tar.gz
[mythcat@desk ~]$ tar xvf LibreOffice_7.0.0_Linux_x86-64_rpm.tar.gz
LibreOffice_7.0.0.3_Linux_x86-64_rpm/
LibreOffice_7.0.0.3_Linux_x86-64_rpm/RPMS/
...
[mythcat@desk ~]$ cd LibreOffice_7.0.0.3_Linux_x86-64_rpm/
[mythcat@desk LibreOffice_7.0.0.3_Linux_x86-64_rpm]$ cd RPMS/
[mythcat@desk RPMS]$ sudo dnf install *.rpm
[sudo] password for mythcat:
Last metadata expiration check: 2:09:12 ago on Sat 22 Aug 2020 10:33:11 PM EEST.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
libobasis7.0-base x86_64 7.0.0.3-3 @commandline 1.8 M
libobasis7.0-calc x86_64 7.0.0.3-3 @commandline 9.5 M
libobasis7.0-core x86_64 7.0.0.3-3 @commandline 101 M
libobasis7.0-draw x86_64 7.0.0.3-3 @commandline 6.1 k
libobasis7.0-en-US x86_64 7.0.0.3-3 @commandline 88 k
...
Complete!
The last step is to run this software from Fedora 32 distro desktop environment.