sandervanvugt

SELinux june22

Jun 20th, 2022
  # Transcript of `history` from a root shell during an SELinux lab. The first
  # number on each line is the paste's gutter; the second is the history index.
  1. [root@localhost ~]# history
  2. 1 dnf install -y httpd
  3. 2 systemctl enable --now httpd
  4. 3 ps aux | grep http
  # Z adds the SELinux context column, so the domain httpd runs in is visible.
  5. 4 ps Zaux | grep http
  6. 5 ls -lZ /var/www
  7. 6 getenforce
  # Runtime switch only: in permissive mode denials are logged, not blocked.
  # The mode configured in the SELinux config file applies again after a reboot.
  8. 7 setenforce permissive
  9. 8 getenforce
  # NOTE(review): setenforce accepts Enforcing/Permissive/1/0 only; "disabled"
  # is not a runtime mode. Disabling needs the config file (or a kernel
  # parameter) plus a reboot, so the getenforce after the reboot below is the
  # check that shows which mode is really active.
  10. 9 setenforce disabled
  11. 10 reboot
  12. 11 getenforce
  13. 12 setenforce enforcing
  14. 13 reboot
  # Per-container SELinux policy with udica: inspect the container, generate a
  # CIL policy from the JSON, load it with the udica templates, then start a
  # container under the generated process type.
  15. 14 podman ps
  16. 15 podman ps -a
  17. 16 podman inspect 7a4f5afe3ef2 > ubi8.json
  18. 17 udica -j ubi8.json ubi8pol
  # The generated ubi8pol.cil must be loaded together with the template
  # modules it builds on.
  19. 18 semodule -i ubi8pol.cil /usr/share/udica/templates/{base_container.cil,net_container.cil,home_container.cil}
  20. 19 podman stop 7a4f5afe3ef2
  # label=type:ubi8pol.process runs the container in the generated domain
  # instead of the default container type.
  # NOTE(review): the policy is derived from the mounts and ports of the
  # inspected container; a container started with different -v/-p options is
  # presumably not covered by it. Verify with the audit log.
  21. 20 podman run --security-opt label=type:ubi8pol.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it ubi8 bash
  # Same run without -p 21:21; the reason is not visible in the transcript.
  22. 21 podman run --security-opt label=type:ubi8pol.process -v /home:/home:ro -v /var/spool:/var/spool:rw -it ubi8 bash
  # Confined users: map Linux logins to SELinux users and test the result from
  # a separate login (ssh, virtual terminals).
  23. 22 ssh linda@localhost
  24. 23 chvt 4
  25. 24 w
  26. 25 semanage user -l
  27. 26 #semanage login -m -s sysadm_u root
  # Changes the __default__ mapping: every Linux user without an explicit
  # login mapping becomes the confined user_u at range s0.
  # NOTE(review): confirm an administrative login keeps a usable mapping before
  # changing the default; the mapping applies at the next login.
  28. 27 semanage login -m -s user_u -r s0 __default__
  29. 28 semanage login -l
  30. 29 useradd anna
  # NOTE(review): the literal password ends up in the shell history (as seen
  # here). Acceptable for a throwaway lab account only.
  31. 30 echo password | passwd --stdin anna
  32. 31 chvt 5
  # Booleans that adjust what the confined user and sysadm roles may do.
  33. 32 getsebool -a | grep user
  34. 33 getsebool -a | grep sysadm
  35. 34 cd selinux/
  36. 35 ./countdown 13
  # Custom application policy: query existing types, set up a small service,
  # generate a policy skeleton with sepolgen and iterate on it.
  37. 36 seinfo -t exec_type -x
  38. 37 seinfo -t httpd_sys_content_t -x
  39. 38 pwd
  40. 39 ls
  41. 40 vim setup-rot.sh
  42. 41 vim rot13.service
  43. 42 vim server.php
  44. 43 vim setup-rot.sh
  45. 44 ./setup-rot.sh
  # Generates policy source files for a new application domain; the .te and
  # .fc files read below and the startrot13.sh build script come from here.
  # NOTE(review): generated .te files usually declare the new domain
  # permissive. Check for that line before relying on the policy to enforce.
  46. 45 sepolgen --application startrot13
  47. 46 ls
  48. 47 cat startrot13
  49. 48 cat startrot13.te
  50. 49 cat startrot13.fc
  51. 50 ./startrot13.sh
  52. 51 vim startrot13.te
  53. 52 ./startrot13.sh
  # semodule -d disables a loaded module by name. The first name looks like a
  # typo for the module disabled on the next line.
  54. 53 semodule -d startrot
  55. 54 semodule -d startrot13
  56. 55 ./startrot13.sh
  # Exercise: start vsftpd in the httpd_t domain with runcon, collect the
  # resulting AVC denials and turn them into a local policy module.
  57. 56 systemctl stop vsftpd
  58. 57 systemctl stop httpd
  # runcon starts the command with the given SELinux user, role and type.
  59. 58 runcon -u system_u -r system_r -t httpd_t vsftpd
  60. 59 grep AVC /var/log/audit/audit.log
  61. 60 vim sander.te
  62. 61 pwd
  63. 62 ls
  64. 63 cd ..
  65. 64 ls
  66. 65 cat sander.te
  67. 66 cp sander.te runcon.te
  68. 67 vim runcon.te
  69. 68 getenforce
  # Permissive mode lets the program run to completion so that every denial is
  # logged, not just the first one. Enforcing is restored at history entry 92.
  70. 69 setenforce permissive
  71. 70 runcon -u system_u -r system_r -t httpd_t vsftpd
  72. 71 ps Zaux | grep vsft
  73. 72 grep AVC /var/log/audit/audit.log
  74. 73 vim vsftp.te
  75. 74 mv vsftp.te vsftp.txt
  # Without -M, audit2allow only prints the allow rules it would generate.
  76. 75 cat vsftp.txt | audit2allow
  77. 76 ls
  # Typo (journalct); repeated correctly on the next line.
  78. 77 journalct | grep sealert
  79. 78 journalctl | grep sealert
  80. 79 sealert -l 3be52f7d-015d-4c83-aecb-a6fa5920ce9c | less
  81. 80 # ausearch -c 'vsftpd' --raw | audit2allow -M my-vsftpd
  82. 81 # semodule -X 300 -i my-vsftpd.pp
  # -M writes myvsftpd.te (source) and myvsftpd.pp (compiled module).
  # NOTE(review): audit2allow allows whatever was denied. Read the .te and
  # remove rules the service should not have before loading the module.
  83. 82 cat vsftp.txt | audit2allow -M myvsftpd
  84. 83 vim myvsftpd.te
  # semodule -i installs compiled modules (.pp) or CIL, not .te source; the
  # next line repeats the install with the .pp file.
  85. 84 semodule -i myvsftpd.te
  86. 85 semodule -i myvsftpd.pp
  87. 86 runcon -u system_u -r system_r -t httpd_t vsftpd
  88. 87 systemctl cat vsftpd.service
  # Unit name typo (vsftp); the correct unit is edited on the next line.
  89. 88 systemctl edit vsftp.service
  90. 89 systemctl edit vsftpd.service
  # Presumably looks up the absolute path of runcon for the unit override.
  91. 90 which runcon
  92. 91 systemctl edit vsftpd.service
  93. 92 setenforce enforcing
  94. 93 systemctl restart vsftpd.service
  95. 94 exit
  # Exercise: serve web content from a non-default directory (/web) and fix the
  # SELinux file context that blocks it.
  96. 95 dnf install git
  # NOTE(review): scripts from this clone (./countdown) are run as root later
  # in the session; read third-party scripts before executing them as root.
  97. 96 git clone https://github.com/sandervanvugt/selinux
  98. 97 cd selinux/
  99. 98 ls
  100. 99 vim /var/www/html/index.html
  101. 100 systemctl restart httpd
  102. 101 curl localhost
  103. 102 ps Zaux | grep http
  104. 103 ls -Z /var/www/html/index.html
  105. 104 mkdir /web
  106. 105 vim /web/index.html
  107. 106 vim /etc/httpd/conf/httpd.conf
  108. 107 systemctl restart httpd
  109. 108 curl localhost
  110. 109 getenforce
  # Diagnostic step: if the request works in permissive mode, SELinux is what
  # blocks it. Enforcing is restored at history entry 115.
  111. 110 setenforce permissive
  112. 111 curl localhost
  113. 112 vim /etc/httpd/conf/httpd.conf
  114. 113 systemctl restart httpd
  115. 114 curl localhost
  116. 115 setenforce enforcing
  117. 116 grep AVC /var/log/audit/audit.log
  118. 117 ./countdown 1
  119. 118 cd ..
  120. 119 git clone https://github.com/SELinuxProject/RefPolicy
  121. 120 sestatus
  122. 121 vim /etc/sysconfig/selinux
  123. 122 cd selinux/
  124. 123 ./countdown 12
  125. 124 ./countdown 6
  126. 125 grep AVC /var/log/audit/audit.log
  127. 126 ls -Z /var/www
  # Adds a local file-context rule for /web and everything below it. This only
  # records the rule; existing files keep their label until restorecon runs
  # (history entry 139).
  128. 127 semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
  # Where local file-context rules are stored, applying them, and finding the
  # per-service SELinux man pages.
  129. 128 cd /etc/selinux/
  130. 129 ls
  131. 130 cd targeted/
  132. 131 ls
  133. 132 cd contexts/
  134. 133 ls
  135. 134 cd files
  136. 135 ls
  137. 136 pwd
  # Rules added with `semanage fcontext -a` are stored in this file.
  138. 137 cat file_contexts.local
  139. 138 ls -dZ /web
  # Relabels /web recursively according to the configured rules; -v prints
  # each label change.
  140. 139 restorecon -Rv /web
  141. 140 ls -Zd /var/www
  142. 141 man semanage-fcontext
  # Checks whether setroubleshoot is running; it is the source of the sealert
  # hints that appear in the journal.
  143. 142 ps aux | grep setroub
  144. 143 journalctl | grep sealert
  145. 144 sealert -l 34c49ef7-763b-442b-851a-35b3d1916918 | less
  146. 145 grep AVC /var/log/audit/audit.log
  # Installs the *_selinux man pages, which document types, booleans and port
  # types per service.
  147. 146 dnf install -y selinux-policy-doc
  148. 147 man -k _selinux
  149. 148 man -k _selinux | wc
  150. 149 man -k _selinux | grep http
  151. 150 man httpd_selinux
  152. 151 man ypbind_selinux
  # Exercise: move sshd to a non-default port and label that port so sshd_t is
  # allowed to bind it.
  153. 152 vim /etc/ssh/sshd_config
  154. 153 systemctl restart sshd
  155. 154 systemctl status sshd
  156. 155 journalctl | grep AVC
  157. 156 grep avc /var/log/audit/audit.log
  158. 157 man semanage-port
  159. 158 #semanage port -a -t ssh_port_t -p tcp 8991
  # -a only adds ports that have no definition yet. tcp/443 is already labeled
  # in the policy, so the command is repeated with -m (modify) at entry 161.
  160. 159 semanage port -a -t ssh_port_t -p tcp 443
  161. 160 man semanage-port
  # NOTE(review): this relabels tcp/443 as ssh_port_t, taking it away from the
  # web server port type; a web server on this host presumably can no longer
  # bind 443. The label is set back to http_port_t at history entry 254.
  162. 161 semanage port -m -t ssh_port_t -p tcp 443
  163. 162 systemctl restart sshd
  164. 163 ss -tunap
  # Z adds the SELinux context of the process that owns each socket.
  165. 164 ss -tunapZ
  # Exercise: anonymous FTP upload. It needs three things to line up: file
  # permissions, an SELinux boolean and a writable content type on the
  # upload directory.
  166. 165 dnf install -y vsftpd
  167. 166 vim /etc/vsftpd/vsftpd.conf
  168. 167 grep ftp /etc/passwd
  169. 168 cd /var/ftp/
  170. 169 ls
  171. 170 ls -l
  # NOTE(review): 777 makes the upload directory writable by every local
  # account. Outside a lab, give write access to the ftp account only.
  172. 171 chmod 777 pub
  173. 172 systemctl restart vsftpd
  174. 173 dnf install -y lftp
  175. 174 lftp localhost
  176. 175 grep avc /var/log/audit/audit.log
  # Typo (journalct); repeated correctly on the next line.
  177. 176 journalct | grep sealert
  178. 177 journalctl | grep sealert
  179. 178 sealert -l b6ed4355-8200-4156-a467-997b80b10ab8 | less
  # -P makes the boolean persistent across reboots. allow_ftpd_anon_write
  # appears to be the older name of the boolean queried as ftpd_anon_write at
  # history entry 197.
  180. 179 setsebool -P allow_ftpd_anon_write 1
  181. 180 lftp localhost
  182. 181 setsebool -P allow_ftpd_anon_write 1
  183. 182 sealert -l b6ed4355-8200-4156-a467-997b80b10ab8 | less
  # NOTE(review): file-context specs are matched against absolute paths, so
  # the relative spec "pub" cannot match /var/ftp/pub. It is deleted again at
  # entry 186 and replaced by an absolute pattern at entry 188.
  184. 183 semanage fcontext -a -t public_content_rw_t pub
  185. 184 less /etc/selinux/targeted/contexts/files/file_contexts.local
  186. 185 man semanage-fcontext
  187. 186 semanage fcontext -d -t public_content_rw_t pub
  188. 187 less /etc/selinux/targeted/contexts/files/file_contexts.local
  189. 188 semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"
  # Applies the new rule to the existing directory tree.
  190. 189 restorecon -Rv /var/ftp/pub
  191. 190 lftp localhost
  # Querying the loaded policy with sesearch/seinfo (setools-console).
  192. 191 cd
  193. 192 cd selinux/
  194. 193 ./countdown 13
  195. 194 dnf provides */sesearch
  196. 195 dnf install setools-console
  197. 196 man sesearch
  # -b lists the rules controlled by a boolean; -A restricts to allow rules.
  # Useful to see what enabling a boolean grants before switching it on.
  198. 197 sesearch -b ftpd_anon_write -A
  199. 198 getsebool -a | grep ftp
  200. 199 sesearch -b ftpd_full_access -A
  # Is there an allow rule for source httpd_t, target user_home_t, perm read?
  201. 200 sesearch -s httpd_t -t user_home_t -p read -A
  202. 201 grep AVC /var/log/audit/audit.log | grep ssh
  # Same question for sshd_t binding (name_bind) a port labeled http_port_t.
  203. 202 sesearch -s sshd_t -t http_port_t -p name_bind -A
  204. 203 ps Zaux | grep cron
  205. 204 sesearch -A | wc
  206. 205 sesearch -A | grep crond_t
  207. 206 sesearch -A | grep crond_t | wc
  208. 207 man -k _selinux | grep cron
  209. 208 man crond_selinux
  210. 209 ldd $(which passwd)
  211. 210 ssh student@192.168.29.184
  212. 211 ssh student@192.168.29.194
  # Missing dash before the options; repeated as `ss -tunap` on the next line.
  213. 212 ss tuneap | grep ssh
  214. 213 ss -tunap | grep ssh
  215. 214 man restorecon
  216. 215 ps Zaux
  217. 216 seinfo -tunconfined_t
  # Lists the types that carry the unconfined_domain_type attribute.
  218. 217 seinfo -aunconfined_domain_type -x
  219. 218 seinfo -aunconfined_domain_type -x | less
  # Container baseline without a custom SELinux type, module management, and a
  # policy module built from filtered AVC records.
  220. 219 yum install container-tools
  # Runs with the default container label (no --security-opt), unlike the runs
  # at history entries 20 and 21.
  221. 220 podman run --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it ubi8 bash
  222. 221 podman ps
  223. 222 podman ps -a
  224. 223 podman stop 7a4
  225. 224 podman stop 11f
  226. 225 ps Zaux | grep ubi8
  227. 226 ./countdown 18
  # semodule -l lists the loaded modules; -d disables one without removing it.
  228. 227 semodule -l
  229. 228 semodule -d zabbix
  230. 229 journalctl | grep sealer
  231. 230 sealert -l 34c49ef7-763b-442b-851a-35b3d1916918 | less
  232. 231 # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
  233. 232 # semodule -X 300 -i my-httpd.pp
  # Narrower than the sealert suggestion above: only the http-related AVC
  # records are saved, and the file is edited before a policy is generated.
  234. 233 grep AVC /var/log/audit/audit.log | grep http > http_allow.txt
  235. 234 vim http_allow.txt
  236. 235 cat http_allow.txt | audit2allow -M httppol
  237. 236 ls httpp*
  # Review the generated rules before loading; every allow rule in the module
  # becomes a permanent grant for the domain once it is installed.
  238. 237 vim httppol.te
  239. 238 semodule -i httppol.pp
  # Reading the reference policy sources, building a module by hand, and
  # creating users with explicit SELinux user mappings.
  240. 239 cd ..
  241. 240 ls
  242. 241 cd RefPolicy/
  243. 242 ls
  244. 243 cd policy/
  245. 244 ls
  246. 245 cd modules/
  247. 246 ls
  248. 247 cd services
  249. 248 ls
  250. 249 vim obex.te
  # seinfo -c lists object classes; with -x the permissions of a class.
  251. 250 seinfo -c | less
  252. 251 seinfo -csocket -x
  253. 252 seinfo -cfile -x
  254. 253 seinfo -c file -x
  # Sets tcp/443 back to http_port_t, reverting the ssh_port_t label applied
  # at history entry 161.
  255. 254 semanage port -m -t http_port_t -p tcp 443
  256. 255 systemctl restart sshd
  257. 256 cd
  258. 257 vim sander.te
  259. 258 vim sander.fc
  # Manual build: checkmodule compiles the .te into a module (-m non-base,
  # -M MLS-enabled); semodule_package bundles it with the .fc file contexts
  # into a .pp; semodule -i loads the package.
  260. 259 checkmodule -M -m -o sander.mod sander.te
  261. 260 semodule_package -o sander.pp -m sander.mod -f sander.fc
  262. 261 semodule -i sander.pp
  263. 262 mkdir /opt/sander
  264. 263 touch /opt/sander/file.txt
  265. 264 ls -Zd /opt/sander/
  # Presumably applies the file contexts shipped in sander.fc to the new
  # directory; verify with ls -Z afterwards.
  266. 265 restorecon -Rv /opt/sander
  267. 266 semanage user -l
  268. 267 semanage login -l
  269. 268 useradd linda
  # NOTE(review): the literal password is stored in the shell history; lab
  # use only.
  270. 269 echo password | passwd --stdin linda
  # -Z sets the SELinux user for the new account's login mapping; lisa is
  # also added to the wheel group.
  271. 270 useradd -Z sysadm_u -G wheel lisa
  # Explicit mapping of linda to the confined user_u.
  272. 271 semanage login -a -s user_u linda
  273. 272 semanage login -l
  274. 273 exit
  275. 274 history
  276.  