sandervanvugt

SELinux sept 22

Sep 22nd, 2022
  1. [root@localhost selinux]# history
  # Root shell history from what appears to be an SELinux training session (title/author above).
  # Part 1: httpd is pointed at a DocumentRoot outside /var/www to provoke an AVC denial.
  2. 1 cd selinux/
  3. 2 ./countdown 18
  4. 3 getenforce
  5. 4 dnf install -y httpd
  6. 5 systemctl enable --now httpd
  7. 6 ps Zaux | grep http
  8. 7 ls -Z /var/www
  9. 8 history
  10. 9 getenforce
  # /web is created where no file-context rule matches, so under the targeted policy it keeps the
  # generic default_t label, which httpd_t is not allowed to read.
  11. 10 mkdir /web
  12. 11 vim /web/index.html
  13. 12 vim /etc/httpd/conf/httpd.conf
  14. 13 systemctl restart httpd
  15. 14 curl http://localhost
  # NOTE(review): setenforce 0 puts the WHOLE host into permissive mode (every denial is logged but
  # allowed) just to confirm SELinux is the cause. It is switched back at entry 22, which is
  # essential; the narrower test is 'semanage permissive -a httpd_t', which relaxes only one domain.
  16. 15 setenforce 0
  17. 16 getenforce
  18. 17 curl http://localhost
  19. 18 vim /etc/httpd/conf/httpd.conf
  20. 19 systemctl restart httpd
  21. 20 curl http://localhost
  22. 21 getenforce
  23. 22 setenforce enforcing
  24. 23 curl http://localhost
  # Denials land in /var/log/audit/audit.log as type=AVC records whose msg=audit(<epoch>...) field is
  # a raw Unix timestamp; entries 27-30 convert it by hand ('date -d @<epoch>' is the form that
  # works), while 'ausearch -i' interprets the same records with readable times and names.
  25. 24 grep AVC /var/log/audit/audit.log
  26. 25 history
  27. 26 grep AVC /var/log/audit/audit.log | tail -1
  28. 27 date -d
  29. 28 date -d -- 1663850760
  30. 29 ausearch -i
  31. 30 date -d '@1663850760'
  32. 31 dnf install -y git
  # The reference policy is cloned only to browse its module layout (entries 33-40); nothing from it
  # is built or loaded, so the running policy is unaffected.
  33. 32 git clone https://github.com/SELinuxProject/refpolicy
  34. 33 cd refpolicy/
  35. 34 ls
  36. 35 cd policy/
  37. 36 ls
  38. 37 cd modules/
  39. 38 ls
  40. 39 cd system/
  41. 40 ls
  42. 41 history
  43. 42 sestatus
  44. 43 cd
  # NOTE(review): this second clone supplies the ./countdown helper that is executed as root
  # throughout the session (entries 2, 46, 114, ...). Running a script straight out of a fresh
  # clone as root is a trust decision — read it, or pin a commit, before doing so outside a lab VM.
  45. 44 git clone https://github.com/sandervanvugt/selinux
  46. 45 cd selinux/
  47. 46 ./countdown 13
  48. 47 history
  # ps -Z / ps -eZ print each process's security context; dbus-daemon is used here as an example of
  # a confined system daemon (-efuZ is just a wider listing of the same data).
  49. 48 ps Zaux
  50. 49 ps -eZ | grep dbus-daemon
  51. 50 ps -eZ | grep dbus
  52. 51 ps -efuZ | grep dbus
  # 'hello' is presumably a stray/typo entry, not a command on the system.
  53. 52 hello
  54. 53 history
  55. 54 ls -lZ /web
  56. 55 ls -lZd /web
  57. 56 ls -Z /var/www
  # Persistent fix: record a file-context rule for /web and everything below it. This only edits the
  # policy store; the on-disk label (ls -lZd at entry 58) does not change until restorecon runs.
  58. 57 semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
  59. 58 ls -lZd /web
  # The rule is kept as a local customisation in file_contexts.local under
  # /etc/selinux/targeted/contexts/files/, which is why it survives a full relabel (unlike chcon).
  60. 59 cd /etc/selinux/targeted/
  61. 60 ls
  62. 61 cd contexts/
  63. 62 ls
  64. 63 cd files/
  65. 64 ls
  66. 65 cat file_contexts.local
  # restorecon applies the recorded rule to the files; -R recurses, -v lists what was relabelled.
  67. 66 restorecon -Rv /web
  68. 67 ls -lZd /web
  # 'setenforce' with no argument only prints usage; entry 69 confirms the host is still enforcing,
  # so the curl at 70 checks that the labelling fix — not permissive mode — is what makes httpd work.
  69. 68 setenforce
  70. 69 getenforce
  71. 70 curl http://localhost
  72. 71 history
  # selinux-policy-doc provides the <service>_selinux(8) man pages — the first place to look for a
  # daemon's types, booleans and port labels before writing any policy of your own.
  73. 72 dnf install selinux-policy-doc
  74. 73 man -k _selinux
  75. 74 man -k _selinux | wc
  76. 75 man -k _selinux | grep httpd
  77. 76 man httpd_selinux
  78. 77 semanage fcontext -l
  79. 78 semanage fcontext -l | wc
  80. 79 semanage fcontext -l | grep http
  81. 80 seinfo -t
  82. 81 seinfo -t | wc
  # Moving sshd to a non-default port: the port must be labelled ssh_port_t before sshd is
  # restarted, otherwise the bind is denied in enforcing mode. 'semanage port -l -C' (entry 97)
  # lists exactly these local additions.
  83. 82 vim /etc/ssh/sshd_config
  84. 83 semanage port -a -t ssh_port_t -p tcp 2022
  85. 84 man semanage-port
  86. 85 man semanage-fcontext
  87. 86 getsebool -a
  88. 87 getsebool -a | wc
  89. 88 getsebool -a | grep ftp
  90. 89 dnf install vsftpd
  91. 90 vim /etc/vsftpd/vsftpd.conf
  92. 91 getsebool -a | grep ftp
  # NOTE(review): ftpd_anon_write lets the FTP daemon write into public_content_rw_t directories,
  # i.e. it enables anonymous upload; -P makes that persistent across reboots. This is a deliberate
  # loosening — enable it only where anonymous upload is required, and check what the boolean
  # actually unlocks first (entry 93 does exactly that with sesearch -b).
  93. 92 setsebool -P ftpd_anon_write on
  94. 93 sesearch -b ftpd_anon_write -A | less
  # setroubleshoot summarises denials into the journal as 'sealert -l <uuid>' hints; the UUIDs
  # below are specific to this host's log and mean nothing elsewhere.
  95. 94 systemctl status auditd
  96. 95 journalctl | grep sealert
  97. 96 sealert -l e95683a9-e0c2-4fa6-ab09-7e8aa1295e0a | less
  98. 97 semanage port -l -C
  99. 98 vim /etc/ssh/sshd_config
  100. 99 systemctl restart sshd
  101. 100 journalctl | grep sealert
  102. 101 sealert -l a470dd69-91a2-4113-a0d1-d8922dcc1596 | less
  103. 102 vim /etc/httpd/conf/httpd.conf
  104. 103 systemctl restart httpd
  105. 104 journalctl | grep sealert
  106. 105 sealert -l 93dc64a6-48f4-466a-a5e6-3b9e759a50af | less
  # Same pattern for httpd on TCP/82: label the port http_port_t, then restart.
  107. 106 semanage port -a -t http_port_t -p tcp 82
  108. 107 systemctl restart httpd
  109. 108 grep AVC /var/log/audit/audit.log
  110. 109 history
  # sealert -b opens the graphical browser — presumably why the setroubleshoot package is
  # installed later (entry 179).
  111. 110 sealert -b
  112. 111 pwd
  113. 112 cd
  114. 113 cd selinux/
  115. 114 ./countdown 13
  # Querying the loaded policy: sesearch -A lists allow rules; -s/-t/-p narrow by source domain,
  # target type and permission. The full rule set is large (entry 117 counts it).
  116. 115 sesearch -s httpd_t -t user_home_t -p read -A
  117. 116 sesearch -A
  118. 117 sesearch -A | wc
  119. 118 sesearch -A | grep httpd_t
  120. 119 cd
  # Label-inheritance demo: cp creates /tmp/hosts with the label /tmp gives new files (user_tmp_t,
  # judging by the grep at entry 134), and mv preserves that label when the file is moved into the
  # DocumentRoot, so httpd_t cannot read it (the AVC is isolated at entry 132). cp into the target
  # directory, or restorecon on the file, would give it httpd_sys_content_t instead.
  # NOTE(review): do not leave a copy of /etc/hosts under a web root on a real host — it discloses
  # internal names/addresses.
  121. 120 cp /etc/hosts /tmp/hosts
  122. 121 ls -Z /etc/hosts /tmp/hosts
  123. 122 mv /tmp/hosts /var/www/html/
  124. 123 ls -Z /var/www/html/
  125. 124 curl http://localhost/hosts
  126. 125 vim /etc/httpd/conf/httpd.conf
  127. 126 echo default > /var/www/html/index.html
  128. 127 systemctl restart httpd
  129. 128 curl http://localhost
  130. 129 curl http://localhost/hosts
  131. 130 grep AVC /var/log/audit/audit.log
  132. 131 grep AVC /var/log/audit/audit.log | grep http
  133. 132 grep AVC /var/log/audit/audit.log | grep http | grep hosts
  # seinfo/sesearch come from setools-console; they were already usable above (entry 80), so this
  # install is presumably a no-op here.
  134. 133 dnf install -y setools-console
  135. 134 sesearch -A | grep httpd_t | grep user_tmp_t
  136. 135 history
  # 'semanage permissive -l' lists domains that are individually permissive — the per-domain
  # alternative to the global 'setenforce 0' used at entry 15.
  137. 136 semanage permissive -l
  # unconfined_t and the unconfined_domain_type attribute show which domains SELinux effectively
  # does not restrict; anything running there is protected by DAC only.
  138. 137 seinfo -tunconfined_t
  139. 138 seinfo -aunconfined_domain_type -x
  140. 139 semodule -l | less
  141. 140 semodule -l
  # Disabling a module (-d) withdraws its rules, including its file-context entries (compare the
  # three greps); -e re-enables it.
  142. 141 semanage fcontext -l | grep zebra
  143. 142 semodule -d zebra
  144. 143 semanage fcontext -l | grep zebra
  145. 144 semodule -e zebra
  146. 145 semanage fcontext -l | grep zebra
  147. 146 journalctl -a | grep sealert
  148. 147 vim /etc/ssh/sshd_config
  149. 148 systemctl restart sshd
  150. 149 journalctl -a | grep sealert | grep http
  151. 150 sealert -l e95683a9-e0c2-4fa6-ab09-7e8aa1295e0a | less
  # NOTE(review): audit2allow turns EVERY denial it is fed into an allow rule — including denials
  # caused by an attack, or by a misconfiguration that should have been fixed with a label, a
  # boolean or a port mapping. '-c httpd' limits the input to that comm, and entry 157 reads the
  # generated .te before anything is installed (my-httpd.pp is in fact never loaded in this session).
  152. 151 #ausearch -c 'httpd' --raw | audit2allow -M my-httpd
  153. 152 ausearch -c httpd --raw
  154. 153 ausearch -c httpd --raw | grep AVC
  155. 154 sealert -l e95683a9-e0c2-4fa6-ab09-7e8aa1295e0a | less
  156. 155 ausearch -c 'httpd' --raw | audit2allow -M my-httpd
  157. 156 ls
  158. 157 vim my-httpd.te
  159. 158 grep AVC /var/log/audit/audit.log
  160. 159 grep AVC /var/log/audit/audit.log | grep http
  161. 160 seinfo -c
  162. 161 seinfo -cfile -x
  # Hand-written module build: checkmodule compiles the .te, semodule_package bundles it with the
  # .fc file-context rules, semodule -i loads it. The .te/.fc contents are not part of this paste.
  163. 162 vim sander.te
  164. 163 vim sander.fc
  165. 164 checkmodule -M -m -o sander.mod sander.te
  166. 165 semodule_package -o sander.pp -m sander.mod -f sander.fc
  167. 166 semodule -i sander.pp
  # As with fcontext rules, the module's .fc entries only reach existing files via restorecon.
  168. 167 mkdir /opt/sander
  169. 168 ls -Zd /opt/sander/
  170. 169 ls -Zd /opt
  171. 170 restorecon -Rv /opt/sander
  172. 171 cd selinux/
  173. 172 ./countdown 1
  174. 173 history
  175. 174 cat sander.te
  176. 175 cd ..
  177. 176 cat sander.te
  178. 177 cat sander.fc
  179. 178 dnf search setroubleshoot
  180. 179 dnf install -y setroubleshoot
  181. 180 sealert -b
  182. 181 dnf install -y container-tools
  # NOTE(review): the container is started as root with /home bind-mounted (read-only), /var/spool
  # read-write and TCP/21 published. Without --security-opt it runs in the default container_t
  # domain. The image is pulled from docker.io by tag rather than by digest — fine for a lab, but
  # pin a digest (or use the vendor registry) for anything that matters.
  183. 182 podman run --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it docker.io/redhat/ubi9 bash
  # This run references the udica-generated type ubi9pol.process, which does not exist until the
  # module from entry 189 is loaded — the author's own note at entry 192 records the wrong order.
  184. 183 podman run --security-opt label=type:ubi9pol.process --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it docker.io/redhat/ubi9 bash
  185. 184 exit
  186. 185 podman ps
  # udica derives a tailored policy from the 'podman inspect' JSON (mounts, ports, ...). The .cil it
  # emits grants what the container was started with, so read it (entry 194) before loading it;
  # the udica templates it builds on are loaded in the same semodule call.
  187. 186 podman inspect 51087a67dfc0 > ubi9.json
  188. 187 vim ubi9.json
  189. 188 udica -j ubi9.json ubi9pol
  190. 189 semodule -i ubi9pol.cil /usr/share/udica/templates/{base_container.cil,net_container.cil,home_container.cil}
  191. 190 exit
  192. 191 history
  193. 192 echo command 183 should be executed after command 189
  194. 193 ls
  195. 194 vim ubi9pol.cil
  196. 195 grep AVC /var/log/audit/audit.log | grep process
  197. 196 grep AVC /var/log/audit/audit.log
  # SELinux users and login mappings: each Linux account maps (semanage login) to an SELinux user,
  # which fixes the roles and hence the domains a session can reach.
  198. 197 semanage user -l
  199. 198 seinfo -aselinux_unconfined_type -x
  200. 199 semanage login -l
  201. 200 semanage user -l
  202. 201 useradd linda
  # NOTE(review): piping the password through echo puts it on the command line, in this shell
  # history (and therefore in this paste) and in 'ps' output while the pipeline runs. Use interactive
  # 'passwd', or chpasswd reading from a file/here-doc, and rotate these if the VM is reachable.
  203. 202 echo password | passwd --stdin linda
  # -Z sets the SELinux user at account creation; lisa is also in wheel, so she is the intended
  # administrative account.
  204. 203 useradd -Z sysadm_u -G wheel lisa
  205. 204 echo password | passwd --stdin lisa
  # user_u is the unprivileged SELinux user: no administrative role is reachable from it, even
  # through su/sudo.
  206. 205 semanage login -a -s user_u linda
  207. 206 semanage login -l
  208. 207 ssh linda@localhost
  209. 208 semanage login -l
  # NOTE(review): __default__ is the mapping for every Linux account without an explicit entry.
  # Changing it to user_u demotes all of them at once — including any admin not listed by
  # 'semanage login -l'. Keep an explicitly mapped admin (lisa) and an open root session until a
  # fresh login has been verified. The commented-out root remap at 209 is done for real at 219.
  210. 209 #semanage login -m -s sysadm_u root
  211. 210 semanage login -m -s user_u -r s0 __default__
  212. 211 semanage login -l
  213. 212 useradd anna
  214. 213 echo password | passwd --stdin anna
  215. 214 ssh anna@localhost
  216. 215 getsebool -a | grep user
  217. 216 getsebool -a | grep sysadm
  # ssh_sysadm_login permits SSH login directly into sysadm_r; with it off, a sysadm_u account
  # (and root once entry 219 remaps it) cannot SSH in at all, so setting the boolean BEFORE the
  # remap is the right order. xdm_sysadm_login is the same switch for graphical login. Both widen
  # what a stolen credential reaches; the tighter pattern is staff_u for people plus sudo/newrole
  # into sysadm_r when needed.
  218. 217 setsebool -P ssh_sysadm_login on
  219. 218 setsebool -P xdm_sysadm_login on
  220. 219 semanage login -m -s sysadm_u root
  221. 220 semanage login -l
  221. 221 cd selinux/
  222. 222 ./countdown 13
  # Last part: writing policy for a home-grown daemon. refpolicy's cron.fc is opened only as an
  # example of file-context syntax.
  223. 223 semodule -l | grep virt
  224. 224 seinfo --type
  225. 225 seinfo --attribute
  226. 226 ls
  227. 227 cd ..
  228. 228 ls
  229. 229 vim sander.fc
  230. 230 cd refpolicy/policy/modules/services/
  231. 231 ls
  232. 232 vim cron.fc
  233. 233 cd
  234. 234 cd selinux/
  235. 235 ls
  # policycoreutils-devel supplies sepolicy/checkmodule, setools-console seinfo/sesearch, gcc builds
  # the demo daemon. mydaemon.c and mydaemon.service are not part of this paste.
  236. 236 dnf install policycoreutils-devel setools-console gcc
  237. 237 vim mydaemon.c
  238. 238 gcc -o mydaemon mydaemon.c
  239. 239 ls
  # The binary inherits bin_t from /usr/local/bin; with no domain transition defined for it yet, the
  # service presumably shows up in an unconfined service domain at entry 245 — i.e. it is not
  # confined at all until the module below is loaded.
  240. 240 cp mydaemon /usr/local/bin/
  241. 241 cp mydaemon.service /etc/systemd/system/
  242. 242 vim mydaemon.service
  243. 243 systemctl start mydaemon
  244. 244 systemctl status mydaemon
  245. 245 ps Zaux | grep mydaemon
  # sepolicy generate --init writes a starter mydaemon.te/.fc/.if, a build script (mydaemon.sh) and a
  # man page template; entry 249 runs that script, which as generated builds and loads the module
  # and relabels the paths listed in the .fc.
  246. 246 sepolicy generate --init /usr/local/bin/mydaemon
  247. 247 vim mydaemon.te
  248. 248 vim mydaemon.fc
  249. 249 ./mydaemon.sh
  250. 250 man mydaemon_selinux
  251. 251 man -k mydaemon
  # mandb re-indexes so the generated man page is found.
  252. 252 mandb
  253. 253 man mydaemon_selinux
  254. 254 systemctl restart mydaemon
  255. 255 ps Zaux | grep mydaemon
  # -rs is presumably a typo for -ts ("time start"); the corrected query at 257 shows recent AVCs.
  256. 256 ausearch -m AVC -rs recent
  257. 257 ausearch -m AVC -ts recent
  258. 258 sealert -l "*"
  # Iterate: edit the .te, rebuild/reload with the generated script, re-test.
  259. 259 vim mydaemon.te
  260. 260 ./mydaemon.sh
  261. 261 vim mydaemon.te
  262. 262 ./mydaemon.sh
  263. 263 semodule -d mydaemon
  264. 264 ./mydaemon.sh
  # NOTE(review): runcon starts vsftpd in the httpd_t domain — a deliberate domain-mismatch demo.
  # The AVCs it produces (entry 267) are expected and must not be fed to audit2allow; the
  # '-c mydaemon' filter at 268 keeps them out of the generated module.
  265. 265 systemctl status vsftpd
  266. 266 runcon -u system_u -r system_r -t httpd_t vsftpd
  267. 267 grep AVC /var/log/audit/audit.log
  # NOTE(review): the remaining denials are turned into a supplementary module with audit2allow
  # and loaded with -X 300 (module-store priority). The same caution as at entry 155 applies:
  # read my-mydaemon.te before loading it, because audit2allow allows everything it saw — for a
  # daemon you wrote yourself, the better fix is usually the right interface calls in mydaemon.te.
  268. 268 ausearch -c 'mydaemon' --raw | audit2allow -M my-mydaemon
  269. 269 semodule -X 300 -i my-mydaemon.pp
  270. 270 ./mydaemon.sh
  271. 271 ps Zaux | grep mydaemon
  272. 272 systemctl restart mydaemon
  273. 273 ps Zaux | grep mydaemon
  274. 274 systemctl status mydaemon
  275. 275 grep AVC /var/log/audit/audit.log
  276. 276 history
  278.  