sandervanvugt

SELinux april23

Apr 11th, 2023
  # Baseline: install Apache, look at process and file security contexts
  # (the Z option of ps and ls), then try the SELinux modes.
  1. 1 dnf install -y httpd
  2. 2 systemctl enable --now httpd
  3. 3 ps aux | grep httpd
  4. 4 ps Za | grep httpd
  5. 5 ps Zaux | grep httpd
  6. 6 ps Zaux | less
  7. 7 ls -Z /var/www
  8. 8 getenforce
  9. 9 setenforce permissive
  10. 10 getenforce
  # NOTE(review): setenforce only toggles enforcing/permissive (1/0) at runtime;
  # "disabled" is not an accepted argument. Disabling is a boot-time setting,
  # which is presumably why the config file is edited and the host rebooted next.
  11. 11 setenforce disabled
  # presumably SELINUX= is changed here; the edit itself is not recorded.
  # /etc/selinux/config is the canonical path (this one is normally a symlink
  # to it; verify on the target release).
  12. 12 vim /etc/sysconfig/selinux
  13. 13 reboot
  14. 14 getenforce
  # With SELinux disabled, new files get no label, and re-enabling normally
  # requires a full relabel; permissive mode is the safer way to troubleshoot.
  15. 15 ls -Z /etc/*
  16. 16 reboot
  # Lab: serve httpd content from a new directory (/web) and resolve the SELinux
  # denial by labelling the content rather than leaving the host permissive.
  17. 17 dnf install -y git
  18. 18 git clone https://github.com/SELinuxProject/refpolicy
  19. 19 ls
  20. 20 sestatus
  21. 21 git clone https://github.com/sandervanvugt/selinux
  22. 22 cd selinux/
  23. 23 ls
  24. 24 history
  25. 25 mkdir /web
  26. 26 vim /web/index.html
  # presumably DocumentRoot is pointed at /web here; the edit is not recorded.
  27. 27 vim /etc/httpd/conf/httpd.conf
  28. 28 systemctl restart httpd
  29. 29 curl localhost
  30. 30 getenforce
  # Permissive is used only to confirm that SELinux is what blocks the request;
  # enforcing is restored at entry 36, before the actual fix.
  31. 31 setenforce permissive
  32. 32 curl localhost
  33. 33 vim /etc/httpd/conf/httpd.conf
  34. 34 systemctl restart httpd
  35. 35 curl localhost
  36. 36 setenforce enforcing
  37. 37 curl localhost
  38. 38 history
  # AVC records in the audit log name the denied source and target contexts.
  39. 39 grep AVC /var/log/audit/audit.log
  40. 40 ls -ldZ /web /var/www/html
  # NOTE(review): "httdp_sys_content_t" is a typo for httpd_sys_content_t
  # (corrected in entry 42).
  41. 41 semanage fcontext -a -t httdp_sys_content_t "/web/(.*)?"
  # NOTE(review): the regex "/web/(.*)?" covers paths below /web/ but not the
  # /web directory itself; "/web(/.*)?" (the form entry 177 uses for
  # /var/ftp/pub) covers both.
  42. 42 semanage fcontext -a -t httpd_sys_content_t "/web/(.*)?"
  43. 43 ls -ldZ /web /var/www/html
  # semanage fcontext only records the rule; restorecon applies it to the
  # files that already exist.
  44. 44 restorecon -Rv /web
  45. 45 getenforce
  46. 46 curl localhost
  47. 47 man semanage-fcontext
  48. 48 history
  49. 49 cd /etc/selinux/
  50. 50 ls
  51. 51 cd targeted/
  52. 52 ls
  53. 53 cd contexts/
  54. 54 ls
  55. 55 cd files
  56. 56 ls
  # file_contexts.local holds the locally added semanage fcontext rules.
  57. 57 less file_contexts.local
  58. 58 history
  59. 59 ps -eZ | grep dbus
  60. 60 cd /web/
  # Check which label a newly created file receives, then let restorecon
  # compare it against the stored rule.
  61. 61 touch newfile.txt
  62. 62 ls -Z
  63. 63 restorecon -Rv /web
  64. 64 history -w
  65. 65 cd selinux/
  66. 66 ./countdown 12
  # NOTE(review): entries 67-114 repeat entries 17-64 line for line. This looks
  # like the history file written by "history -w" being read back in, not a
  # second run of the exercise -- confirm before treating it as a replay.
  67. 67 dnf install -y git
  68. 68 git clone https://github.com/SELinuxProject/refpolicy
  69. 69 ls
  70. 70 sestatus
  71. 71 git clone https://github.com/sandervanvugt/selinux
  72. 72 cd selinux/
  73. 73 ls
  74. 74 history
  75. 75 mkdir /web
  76. 76 vim /web/index.html
  77. 77 vim /etc/httpd/conf/httpd.conf
  78. 78 systemctl restart httpd
  79. 79 curl localhost
  80. 80 getenforce
  81. 81 setenforce permissive
  82. 82 curl localhost
  83. 83 vim /etc/httpd/conf/httpd.conf
  84. 84 systemctl restart httpd
  85. 85 curl localhost
  86. 86 setenforce enforcing
  87. 87 curl localhost
  88. 88 history
  89. 89 grep AVC /var/log/audit/audit.log
  90. 90 ls -ldZ /web /var/www/html
  # Same typo in the type name as entry 41; entry 92 is the corrected command.
  91. 91 semanage fcontext -a -t httdp_sys_content_t "/web/(.*)?"
  92. 92 semanage fcontext -a -t httpd_sys_content_t "/web/(.*)?"
  93. 93 ls -ldZ /web /var/www/html
  94. 94 restorecon -Rv /web
  95. 95 getenforce
  96. 96 curl localhost
  97. 97 man semanage-fcontext
  98. 98 history
  99. 99 cd /etc/selinux/
  100. 100 ls
  101. 101 cd targeted/
  102. 102 ls
  103. 103 cd contexts/
  104. 104 ls
  105. 105 cd files
  106. 106 ls
  107. 107 less file_contexts.local
  108. 108 history
  109. 109 ps -eZ | grep dbus
  110. 110 cd /web/
  111. 111 touch newfile.txt
  112. 112 ls -Z
  113. 113 restorecon -Rv /web
  114. 114 history -w
  115. 115 reboot
  # Entries 116-120 are notes typed as comments, not executed commands: a root
  # password reset from a shell started with init=/bin/bash.
  # /.autorelabel requests a full relabel on the next boot; presumably needed
  # because passwd rewrites /etc/shadow while no SELinux policy is loaded.
  # Hardening note: anyone who can edit the GRUB entry can follow this path, so
  # protect the boot loader with a password and restrict console access.
  116. 116 # GRUB boot argument: init=/bin/bash
  117. 117 # mount -o remount,rw /
  118. 118 # passwd
  119. 119 # touch /.autorelabel
  120. 120 # exec /usr/lib/systemd/systemd
  121. 121 history
  # Lab: per-service SELinux man pages, then a denial caused by httpd using a
  # port that is not labelled for it.
  122. 122 dnf install selinux-policy-doc
  123. 123 man -k _selinux
  124. 124 man -k _selinux | wc
  125. 125 man -k _selinux | grep http
  126. 126 man httpd_selinux
  # presumably the Listen port is changed to 82 here (entry 137 labels tcp/82);
  # the edit itself is not recorded.
  127. 127 vim /etc/httpd/conf/httpd.conf
  128. 128 systemctl restart httpd
  129. 129 systemctl status httpd
  130. 130 setenforce permissive
  # The "*" marks a history entry that was edited after it ran; "http" looks
  # like a truncated "httpd".
  131. 131* systemctl restart http
  # NOTE(review): "enforce" is not an accepted setenforce argument; entry 133
  # is the working form.
  132. 132 setenforce enforce
  133. 133 setenforce enforcing
  134. 134 grep AVC /var/log/audit/audit.log
  135. 135 journalctl | grep sealert
  # The alert IDs passed to sealert -l are generated on the host that logged
  # the denial; they are not reusable elsewhere.
  136. 136 sealert -l e3d592df-a274-4e05-be27-009e9af1367b | less
  # Adds tcp/82 to the http_port_t port type -- a targeted fix that keeps the
  # host enforcing.
  137. 137 semanage port -a -t http_port_t -p tcp 82
  138. 138 getenforce
  139. 139 systemctl restart httpd
  140. 140 grep sealert /var/log/messages
  141. 141 sealert -l 3ef1dbd1-b558-422f-a325-045bb2906f37 | less
  142. 142 dnf provides */sealert
  # Lab: compare the label on /etc/hosts after cp and after mv. The ls -Z calls
  # after each step show whether the file took a new context or kept its old one.
  143. 143 ls -Z /etc/hosts
  # "/etc/host" is a typo; entry 145 is the intended copy.
  144. 144 cp /etc/host /root
  145. 145 cp /etc/hosts /root
  146. 146 ls -Z hosts
  147. 147 ls -Zd /root
  148. 148 rm /etc/hosts
  # NOTE(review): source and destination are the same path and the file was
  # just removed; entry 150 is the intended move.
  149. 149 mv /etc/hosts /etc/
  150. 150 mv hosts /etc/
  # A moved file keeps the context it had at its old location, so /etc/hosts
  # may now carry a type that confined services are not allowed to read.
  151. 151 ls -Z /etc/hosts
  152. 152 mv /etc/hosts .
  153. 153 ls -Z hosts
  154. 154 cp hosts /etc/
  155. 155 ls -Z /etc/hosts
  # restorecon resets the file to the context the policy defines for its path.
  156. 156 restorecon -v /etc/hosts
  # Lab: SELinux booleans, using anonymous FTP upload as the example.
  # NOTE(review): "-l" is presumably rejected by getsebool; "-a" (entry 158) is
  # the list-all form.
  157. 157 getsebool -l
  158. 158 getsebool -a
  159. 159 getsebool -a | wc
  # Entry 160 is an edited history entry ("*") with no text left.
  160. 160*
  161. 161 getsebool -a | grep ftp
  162. 162 dnf install -y vsftpd
  163. 163 cd /var/ftp/
  164. 164 ls
  165. 165 ls -l
  # NOTE(review): mode 777 makes pub world-writable -- a lab shortcut. On a real
  # server, grant write access to the FTP service account only.
  166. 166 chmod 777 pub
  # presumably anonymous upload is enabled here; the edit is not recorded.
  167. 167 vim /etc/vsftpd/vsftpd.conf
  168. 168 systemctl enable --now vsftpd
  169. 169 dnf install -y lftp
  170. 170 lftp localhost
  171. 171 grep AVC /var/log/audit/audit.log
  172. 172 journalctl | grep sealert
  173. 173 sealert -l 1a8107c7-7c91-43a0-926e-3b6fdcb622bf | less
  # Entries 174-176 are kept as comments (they look like the suggestions from
  # the sealert report). They use the relative name "pub"; entries 177-178 are
  # the forms actually run, with the full path.
  174. 174 # semanage fcontext -a -t public_content_rw_t pub
  175. 175 # restorecon -R -v pub
  176. 176 # setsebool -P allow_ftpd_anon_write 1
  177. 177 semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"
  178. 178 restorecon -Rv /var/ftp/pub
  # -P makes the boolean persistent across reboots. Anonymous write access is a
  # deliberate exposure: enable it only where uploads are intended, and turn it
  # off again after the lab.
  # "allow_ftpd_anon_write" appears to be an older name for the ftpd_anon_write
  # boolean queried in entry 182 -- confirm on the target release.
  179. 179 setsebool -P allow_ftpd_anon_write 1
  180. 180 lftp localhost
  # "sesearcg" is a typo for sesearch (entry 182).
  181. 181 sesearcg -b ftpd_anon_write -A
  # Lists the allow rules that are conditional on the named boolean, i.e. what
  # switching it on actually permits.
  182. 182 sesearch -b ftpd_anon_write -A
  183. 183 sesearch -b ftpd_full_access -A
  # Lab: a file created in /tmp and then moved into the web root keeps its /tmp
  # label, so httpd is expected to be denied access to it.
  184. 184 cp /etc/hosts /tmp/hosts
  185. 185 ls -Z /tmp/hosts
  186. 186 mv /tmp/hosts /var/www/html/
  187. 187 curl http://localhost:82/hosts
  188. 188 grep AVC /var/log/audit/audit.log
  # presumably the listen port / DocumentRoot is changed again here (the next
  # request goes to the default port); the edit is not recorded.
  189. 189 vim /etc/httpd/conf/httpd.conf
  190. 190 systemctl restart httpd
  191. 191 curl http://localhost/hosts
  192. 192 ls -lZ /var/www/html/
  193. 193 grep AVC /var/log/audit/audit.log
  # Moves the whole html directory under /web (it becomes /web/html); moved
  # content keeps its existing labels.
  194. 194 mv /var/www/html/ /web/
  195. 195 curl http://localhost/hosts
  196. 196 systemctl restart httpd
  197. 197 curl http://localhost/hosts
  # Entry 198 greps a directory without -r; entry 199 is the working form.
  198. 198 grep AVC /var/log/audit/
  199. 199 grep AVC /var/log/audit/audit.log
  200. 200 ls -l /web/
  # "cd /we b" is a typo for "cd /web" (entry 202).
  201. 201 cd /we b
  202. 202 cd /web
  203. 203 ls -lZ
  204. 204 mv html/hosts .
  205. 205 ls -Z
  206. 206 curl http://localhost/hosts
  # NOTE(review): no restorecon on the moved file is recorded in this section;
  # relabelling it (restorecon -v on the file) is the fix, not a policy change.
  207. 207 grep AVC /var/log/audit/audit.log
  # Lab: query the loaded policy with the setools command-line tools.
  208. 208 dnf install -y setools-console
  # Searches all allow rules for lines mentioning both httpd_t and user_tmp_t,
  # i.e. what httpd may do with files that carry the temporary-file type.
  209. 209 sesearch -A | grep httpd_t | grep user_tmp_t
  210. 210 cd
  211. 211 cd selinux/
  212. 212 history
  # seinfo -t shows a type, -a an attribute; -x expands the attribute into its
  # member types. Useful for auditing which domains count as unconfined.
  213. 213 seinfo -tunconfined
  214. 214 seinfo -aunconfined_domain_type -x
  # Lab: a container that bind-mounts host directories and publishes port 21,
  # first with the default container label and then with a custom policy type.
  215. 215 dnf module install -y container-tools
  216. 216 dnf install -y container-tools
  # Host /home (read-only) and /var/spool (read-write) are mounted into the
  # container. With the default container type, SELinux is expected to deny
  # access to that host content -- which is the point of the exercise.
  217. 217 podman run --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it docker.io/redhat/ubi9 bash
  # vsftpd is stopped presumably because it already holds port 21 on the host.
  218. 218 systemctl disable --now vsftpd
  219. 219 podman run --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it docker.io/redhat/ubi9 bash
  # "ubi9pol/process" is a typo for ubi9pol.process (entry 222).
  220. 220 podman run --security-opt label=type:ubi9pol/process --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it docker.io/redhat/ubi9 bash
  221. 221 history
  # ubi9pol.process is presumably a custom container policy type; how it was
  # generated and loaded is not recorded in this history. A tailored type like
  # this is preferable to running the container with labelling disabled or
  # privileged.
  222. 222 podman run --security-opt label=type:ubi9pol.process --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it docker.io/redhat/ubi9 bash
  # Lists the loaded policy modules (presumably to check for the custom one).
  223. 223 semodule -l
  224. 224 sealert -l 1a8107c7-7c91-43a0-926e-3b6fdcb622bf | less
  # Lab: build and load a hand-written policy module (sander.te / sander.fc)
  # and check the label it assigns under /opt/sander.
  225. 225 ls
  226. 226 vim sander.te
  # Entry 227 is missing the editor name; entry 228 is the intended command.
  227. 227 sander.fc
  228. 228 vim sander.fc
  # checkmodule compiles the .te source into a module (.mod);
  # semodule_package bundles it with the file contexts (.fc) into a .pp;
  # semodule -i loads that package into the running policy.
  # Loading a module changes policy system-wide: read the .te before installing.
  229. 229 checkmodule -M -m -o sander.mod sander.te
  230. 230 semodule_package -o sander.pp -m sander.mod -f sander.fc
  231. 231 semodule -i sander.pp
  232. 232 mkdir /opt/sander
  233. 233 ls -dZ /opt/sander
  234. 234 cd /opt/sander
  235. 235 touch bbbb
  236. 236 ls -lZ
  237. 237 history
  238. 238 vim sander.fc
  239. 239 pwd
  240. 240 cd
  241. 241 cd selinux/
  242. 242 ls
  243. 243 cat sander.fc
  244. 244 ls -lZ
  245. 245 history
  246. 246 pwd
  # File-context rules from the module take effect on existing paths only when
  # restorecon (or a relabel) is run.
  247. 247 restorecon -Rv /opt/sander
  248. 248 pwd
  249. 249 ./countdown 12
  # Lab: confined users -- mapping Linux accounts to SELinux users.
  250. 250 semanage user -l
  251. 251 semanage login -l
  252. 252 useradd linda
  # NOTE(review): this sets the literal password "password" and leaves it in
  # shell history -- lab use only. Prefer the interactive passwd used for the
  # other accounts below.
  253. 253 echo password | passwd --stdin linda
  # Creates lisa mapped to sysadm_u and adds her to the wheel group.
  254. 254 useradd -Z sysadm_u -G wheel lisa
  255. 255 passwd lisa
  # Maps the existing account linda to the confined user_u.
  256. 256 semanage login -a -s user_u linda
  257. 257 semanage login -l
  258. 258 ssh linda@localhost
  259. 259 semanage login -l
  # Maps root to sysadm_u. Keep a working administrative session open while
  # testing this; the booleans at entries 270 and 272 govern sysadm logins.
  260. 260 semanage login -m -s sysadm_u root
  261. 261 semanage login -l
  # Entries 262-264 appear to be failed attempts using -u; entry 265, with -s,
  # is the form that selects the SELinux user.
  262. 262 semanage login -m -u user_u -r s0 __default__
  263. 263 semanage login -m -u user_u __default__
  264. 264 semanage login -m -u user_u -r s0 __default__
  # __default__ applies to every account without an explicit mapping, so from
  # here on new accounts (such as anna below) log in as user_u.
  265. 265 semanage login -m -s user_u -r s0 __default__
  266. 266 semanage login -l
  267. 267 useradd anna
  268. 268 passwd anna
  269. 269 ssh anna@localhost
  # Persistent (-P) booleans that permit sysadm logins through the display
  # manager and through ssh respectively; enable only the path that is needed.
  270. 270 setsebool -P xdm_sysadm_login on
  271. 271 ssh root@localhost
  272. 272 setsebool -P ssh_sysadm_login on
  273. 273 pwd
  274. 274 ls
  # Lab: generate a policy module for a custom daemon with sepolicy generate.
  275. 275 dnf install policycoreutils-devel setools-console gcc
  276. 276 ls
  # "mydaemon." is an incomplete file name; entry 278 is the intended command.
  277. 277 cat mydaemon.
  278. 278 cat mydaemon.c
  279. 279 gcc -o mydaemon mydaemon.c
  280. 280 cp mydaemon /usr/local/bin/
  281. 281 vim mydaemon.service
  282. 282 cp mydaemon.service /etc/systemd/system/
  283. 283 systemctl start mydaemon
  # Shows which domain the daemon runs in before it has a policy of its own.
  284. 284 ps Zaux | grep mydaemon
  285. 285 mkdir mydaemon
  286. 286 mkdir md
  287. 287 cd md
  # Generates policy source files for an init-started daemon in the current
  # directory, including the mydaemon.te and mydaemon.sh used below.
  288. 288 sepolicy generate --init /usr/local/bin/mydaemon
  289. 289 ls
  # NOTE(review): generated .te files normally declare the new domain
  # permissive; check for that line and remove it once the logged denials are
  # resolved, otherwise the daemon is never actually confined.
  290. 290 cat mydaemon.te
  # presumably the generated script builds and loads the module and relabels
  # the binary -- read it before running, since it changes system policy.
  291. 291 ./mydaemon.sh
  292. 292 systemctl restart mydaemon
  293. 293 ps Zaux | grep mydaemon
  294. 294 grep AVC /var/log/audit/audit.log
  295. 295 getenforce
  296. 296 ls
  297. 297 vim mydaemon_selinux.spec
  # Lab: start vsftpd in the wrong domain (httpd_t) with runcon to provoke
  # denials, then work through them with sealert and audit2allow.
  298. 298 systemctl stop vsftpd
  299. 299 runcon -u system_u -r system_r -t httpd_t vsftpd
  300. 300 grep AVC /var/log/audit/audit.log
  # "journactl" is a typo for journalctl (entry 302).
  301. 301 journactl | grep sealert
  302. 302 journalctl | grep sealert
  303. 303 sealert -l 9a203745-ab2f-45fd-b698-1dff0378bc18 | less
  # NOTE(review): audit2allow turns every matching logged denial into an allow
  # rule. Read the generated my-runcon.te before loading the module, and remove
  # the module (semodule -r) once the lab is finished.
  304. 304 ausearch -c 'runcon' --raw | audit2allow -M my-runcon
  305. 305 semodule -i my-runcon.pp
  306. 306 runcon -u system_u -r system_r -t httpd_t vsftpd
  307. 307 journalctl | grep sealert
  308. 308 sealert -l 227c5cb4-87f8-4fd7-bdb4-82f5ea8697ce | less
  # NOTE(review): domain_can_mmap_files is a global boolean and -P makes the
  # change persistent, so this loosens policy for more than the one test
  # process. Revert it after the exercise.
  309. 309 setsebool -P domain_can_mmap_files 1
  310. 310 runcon -u system_u -r system_r -t httpd_t vsftpd
  311. 311 cd
  312. 312 history