sandervanvugt

SELinux dec22

Dec 14th, 2022
  # Output of `history` from a root shell during an SELinux lab session. Each
  # entry reads "<paste line>. <history number> <command>"; it is a record of
  # what was typed, not a script to run top to bottom.
  1. [root@localhost selinux]# history
  2. 1 cd selinux/
  3. 2 ./countdown 12
  4. 3 cd /etc
  # Entries 4-6: `ls -Z` and `ps Zaux` print the SELinux context of files and
  # processes; the audit log is searched for AVC (denial) records.
  5. 4 ls -Z
  6. 5 ps Zaux
  7. 6 grep AVC /var/log/audit/audit.log
  8. 7 cat /etc/os-release
  9. 8 cd
  # Entries 9-27: httpd content is created in /web and httpd.conf is edited
  # (presumably to point the document root at /web; the edit is not shown).
  10. 9 dnf install -y httpd
  11. 10 systemctl start httpd
  12. 11 ps Zaux | grep http
  13. 12 ls -Zl /var/www
  14. 13 mkdir /web
  15. 14 vim /web/index.html
  16. 15 vim /etc/httpd/conf/httpd.conf
  17. 16 systemctl restart httpd
  18. 17 curl localhost
  # `setenforce permissive` turns enforcement off for the whole host, not only
  # for httpd. It is a diagnostic step to confirm SELinux as the cause of the
  # failing request; enforcing mode is restored at entry 24.
  19. 18 setenforce permissive
  20. 19 curl localhost
  21. 20 vim /etc/httpd/conf/httpd.conf
  22. 21 systemctl restart httpd
  23. 22 curl localhost
  24. 23 getenforce
  25. 24 setenforce enforcing
  26. 25 curl localhost
  # With enforcing back on, the denial record and the label on the served
  # file are inspected; the label is fixed later with semanage/restorecon.
  27. 26 grep AVC /var/log/audit/audit.log
  28. 27 ls -Z /web/index.html
  # Entries 28-32: the course repository is cloned and listed.
  29. 28 dnf install -y git
  30. 29 git clone https://github.com/sandervanvugt/selinux
  31. 30 cd selinux/
  32. 31 ls
  33. 32 cd ..
  34. 33 grep AVC /var/log/audit/audit.log
  # `date -d @<epoch>` prints an epoch value as a readable date; presumably the
  # value was copied from an audit record timestamp (the record is not shown).
  35. 34 date -d @1671032151
  36. 35 history
  # Entries 36-38: the SELinux configuration file, the running status, and the
  # full list of policy booleans.
  37. 36 cat /etc/sysconfig/selinux
  38. 37 sestatus
  39. 38 getsebool -a
  40. 39 getsebool -a | grep ftp
  41. 40 ps Zaux | grep dbus
  42. 41 ps Zaux | grep dbus-daemon
  # `semanage fcontext -a` only records a labelling rule for /web and everything
  # below it; files that already exist keep their label until restorecon runs
  # (entry 55). The `ls -lZd /web` at entry 44 is therefore taken before the
  # rule has been applied.
  43. 42 ls -lZd /web
  44. 43 semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
  45. 44 ls -lZd /web
  46. 45 cd /etc/selinux/
  47. 46 ls
  48. 47 cd targeted/
  49. 48 ls
  50. 49 cd contexts/
  51. 50 ls
  52. 51 cd files/
  53. 52 ls
  # file_contexts.local is read right after the rule was added; presumably to
  # show where the local rule is stored.
  54. 53 cat file_contexts.local
  55. 54 cd
  # restorecon applies the recorded rule to /web recursively (-R) and prints
  # every label it changes (-v); the request is then retried under enforcing.
  56. 55 restorecon -Rv /web
  57. 56 getenforce
  58. 57 curl localhost
  59. 58 history
  60. 59 man semanage
  61. 60 man semanage-fcontext
  62. 61 reboot
  63. 62 chvt 2
  64. 63 exit
  # Entries 64-70: udica builds a container-specific policy (ubi8pol.cil) from
  # the `podman inspect` JSON, and `semodule -i` loads it together with the two
  # udica template modules named on the command line.
  # NOTE(review): the generated .cil is only read at entry 70, after it was
  # loaded at entry 68; reading generated policy before loading it is the
  # safer order.
  65. 64 podman ps
  66. 65 podman inspect e11f8637ec65 > ubi8.json
  67. 66 less ubi8.json
  68. 67 udica -j ubi8.json ubi8pol
  69. 68 semodule -i ubi8pol.cil /usr/share/udica/templates/{base_container.cil,home_container.cil}
  70. 69 ls
  71. 70 less ubi8pol.cil
  72. 71 ls -lZ /var/www
  # Entries 72-77: look up the per-domain *_selinux man pages, before and after
  # installing selinux-policy-doc. Entry 73 is a mistyped `dnf`; entry 74
  # repeats it correctly.
  73. 72 man -k _selinux
  74. 73 dfn install -y selinux-policy-doc
  75. 74 dnf install -y selinux-policy-doc
  76. 75 man -k _selinux
  77. 76 man -k _selinux | wc
  78. 77 man zebra_selinux
  # Entries 78-82: the logs are searched for lines mentioning sealert, then
  # `sealert -l <id>` prints the report for one alert ID.
  79. 78 journalctl
  80. 79 journalctl | grep sealert
  81. 80 sealert
  82. 81 grep sealert /var/log/messages
  83. 82 sealert -l 29e1308a-3434-43d1-a935-fce5f7217355 | less
  # Entries 83-97: sshd_config is edited (presumably to listen on TCP 2022, the
  # port labelled at entry 92; the edit itself is not shown) and sshd is
  # restarted.
  84. 83 vim /etc/ssh/sshd_config
  85. 84 systemctl restart sshd
  86. 85 systemctl status sshd
  # `setenforce 0` makes the whole host permissive, not only sshd, and stays in
  # effect until entry 94. It is used here to confirm SELinux as the cause
  # before the port label is added.
  87. 86 setenforce 0
  88. 87 systemctl status sshd
  89. 88 systemctl restart sshd
  90. 89 grep sealert /var/log/messages
  91. 90 sealert -l fb6422b5-79ed-458b-b504-37aca6456309 | less
  # Entry 91 is a mistyped `semanage`; entry 92 is the command that ran. It adds
  # TCP 2022 to the ssh_port_t port type so that the new port carries the label
  # policy expects for sshd.
  92. 91 emanage port -a -t ssh_port_t -p tcp 2022
  93. 92 semanage port -a -t ssh_port_t -p tcp 2022
  94. 93 getenforce
  95. 94 setenforce 1
  96. 95 getenforce
  97. 96 systemctl restart sshd
  98. 97 systemctl status sshd
  # Entries 98-104: /etc/hosts is copied to the current directory and the copy
  # is moved back over the original. A copy is labelled where it is created and
  # mv keeps that label, so the file in /etc can end up with the wrong type
  # until restorecon resets it to the policy default (entry 103).
  99. 98 cp /etc/hosts .
  100. 99 ls -Z /etc/hosts ./hosts
  101. 100 rm /etc/hosts
  102. 101 mv hosts /etc/
  103. 102 ls -Z /etc/hosts
  104. 103 restorecon -R /etc/hosts
  105. 104 ls -Z /etc/hosts
  # Entries 105-127: anonymous FTP upload lab (the vsftpd.conf edit is not
  # shown). `chmod 777 pub` makes the directory world-writable; together with
  # the label and boolean set below it opens anonymous write access, so this
  # combination belongs on a lab host only.
  106. 105 dnf install vsftpd
  107. 106 vim /etc/vsftpd/vsftpd.conf
  108. 107 grep ftp /etc/passwd
  109. 108 cd /var/ftp
  110. 109 mkdir pub
  111. 110 ls -l
  112. 111 chmod 777 pub
  113. 112 dnf install -y lftp
  114. 113 systemctl start vsftpd
  115. 114 lftp localhost
  116. 115 grep AVC /var/log/audit/audit.log
  117. 116 grep sealert /var/log/messages
  118. 117 sealert -l 4f3b42bb-89ba-47e8-98e2-b8a6e52f36e6 | less
  # Entries 118-120 are commented-out commands (they look like suggestions
  # pasted from the sealert report; the report is not shown). Entries 122-124
  # run them with an absolute path regex in place of the relative `pub`.
  119. 118 # semanage fcontext -a -t public_content_rw_t pub
  120. 119 # restorecon -R -v pub
  121. 120 # setsebool -P allow_ftpd_anon_write 1
  122. 121 pwd
  123. 122 semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"
  124. 123 restorecon -Rv /var/ftp/pub
  # `setsebool -P` keeps the boolean on across reboots, so the anonymous-write
  # permission outlives the exercise unless it is switched off again.
  # NOTE(review): entry 130 queries this boolean as ftpd_anon_write;
  # allow_ftpd_anon_write appears to be an older alias - confirm with
  # `getsebool -a`.
  125. 124 setsebool -P allow_ftpd_anon_write 1
  126. 125 lftp localhost
  127. 126 getsebool -a | grep ftp
  128. 127 cd
  129. 128 selinux/countdown 13
  # Entries 129-139: sesearch queries the loaded policy. -A selects allow
  # rules, -b filters on a boolean, and -s/-t/-p filter on source type, target
  # type and permission. The `| wc` entries count how many rules match.
  130. 129 sesearch
  131. 130 sesearch -b ftpd_anon_write -A | less
  132. 131 getsebool -a | grep ftp
  133. 132 sesearch -b ftpd_full_access -A | less
  134. 133 sesearch -b ftpd_anon_write -p read -AC
  135. 134 sesearch -s httpd_t -t user_home_t -p read -A
  136. 135 sesearch -s httpd_t -t default_t -p read -A
  137. 136 sesearch -A | grep httpd_t
  138. 137 sesearch -A | grep httpd_t | wc
  139. 138 sesearch -A
  140. 139 sesearch -A | wc
  # Entries 140-151: a file created in /tmp is moved (mv keeps its label) into
  # the web content; presumably to show httpd being denied content that still
  # carries a tmp label - entry 153 later searches for httpd_t rules on
  # user_tmp_t. Entry 143 moves the whole /var/www/html directory into /web.
  141. 140 cp /etc/hosts /tmp/hosts
  142. 141 ls -Z /tmp/hosts
  143. 142 mv /tmp/hosts /var/www/html/
  144. 143 mv /var/www/html/ /web/
  145. 144 ls -Z /web
  146. 145 cd /web
  147. 146 mv html/hosts .
  148. 147 ls -Z
  149. 148 curl http://localhost/hosts
  150. 149 systemctl enable --now httpd
  151. 150 curl http://localhost/hosts
  152. 151 grep AVC /var/log/audit/audit.log
  153. 152 dnf install -y setools-console
  154. 153 sesearch -A | grep httpd_t | grep user_tmp_t
  # seinfo -a<attribute> -x lists the types that carry the attribute, here
  # unconfined_domain_type.
  155. 154 seinfo -aunconfined_domain_type -x
  # Entries 155-161: containers are started with host directories bind-mounted
  # (/home read-only, /var/spool read-write); entry 156 also publishes port 21.
  # Entry 161 runs the container under the type ubi8pol.process, i.e. the
  # policy generated by udica at entries 67-68, instead of the default
  # container domain.
  156. 155 dnf install -y container-tools
  157. 156 podman run --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it docker.io/redhat/ubi9 bash
  158. 157 podman ps
  159. 158 podman run --env container=podman -v /home:/home:ro -v /var/spool:/var/spool:rw -it docker.io/redhat/ubi9 bash
  # Entry 159 is a mistyped `podman`; entry 160 is the command that ran.
  160. 159 podmamn stop e11
  161. 160 podman stop e11
  162. 161 podman run --security-opt label=type:ubi8pol.process -v /home:/home:ro -v /var/spool:/var/spool:rw -it docker.io/redhat/ubi9 bash
  163. 162 semodule -l
  164. 163 semodule -l | wc
  165. 164 cd
  # Entry 165: audit2allow turns every audit line that matches `grep http` into
  # allow rules. The resulting mypolicy.te is opened at entry 167, and no
  # `semodule -i mypolicy.pp` appears in this history. Generated rules permit
  # whatever was denied, including access that was denied for good reason, so
  # they need to be read before any load.
  166. 165 grep http /var/log/audit/audit.log | audit2allow -M mypolicy
  167. 166 ls
  168. 167 vim mypolicy.te
  169. 168 cd selinux/
  170. 169 ls
  171. 170 cd ..
  # Entries 171-179: a hand-written module (sander.te plus sander.fc) is
  # compiled with checkmodule, packaged with semodule_package and loaded with
  # semodule -i. restorecon then relabels /opt/sander (presumably according to
  # the file contexts in sander.fc, printed at entry 176).
  172. 171 vim sander.te
  173. 172 vim sander.fc
  174. 173 checkmodule -M -m -o sander.mod sander.te
  175. 174 semodule_package -o sander.pp -m sander.mod -f sander.fc
  176. 175 semodule -i sander.pp
  177. 176 cat sander.fc
  178. 177 mkdir /opt/sander
  179. 178 ls -ldZ /opt/sander
  180. 179 restorecon -Rv /opt/sander
  181. 180 cd selinux/
  182. 181 ./countdown 20
  # Entries 182-201: SELinux user mappings.
  # The `echo password | passwd --stdin` entries set the literal password
  # "password" for linda, lisa and anna and leave it in shell history;
  # acceptable only on a throwaway lab host.
  183. 182 semanage user -l
  184. 183 useradd linda
  185. 184 echo password | passwd --stdin linda
  # lisa is created with the SELinux user sysadm_u and membership of wheel.
  186. 185 useradd -Z sysadm_u -G wheel lisa
  187. 186 echo password | passwd --stdin lisa
  # `semanage login -a -s user_u linda` maps the Linux account linda to the
  # SELinux user user_u. Entry 190 remaps root to sysadm_u, and entry 192 makes
  # user_u (range s0) the mapping for every login without its own entry.
  # Changing the root and __default__ mappings affects every later login, so
  # keep a working root session open while testing them.
  188. 187 semanage login -a -s user_u linda
  189. 188 semanage login -l
  190. 189 chvt 3
  191. 190 semanage login -m -s sysadm_u root
  192. 191 semanage login -l
  193. 192 semanage login -m -s user_u -r s0 __default__
  194. 193 semanage login -l
  195. 194 useradd anna
  196. 195 echo password | passwd --stdin anna
  197. 196 chvt 3
  198. 197 getsebool -a | grep user
  199. 198 getsebool -a | grep sysadm
  200. 199 chvt 2
  # The two booleans are switched on persistently (-P) before the reboot; going
  # by their names they permit sysadm_u logins through the display manager and
  # through ssh.
  201. 200 setsebool -P xdm_sysadm_login on
  202. 201 setsebool -P ssh_sysadm_login on
  203. 202 reboot
  204. 203 cd selinux/
  205. 204 ./countdown 12
  # Entries 205-236: confine a custom daemon. The binary is built from
  # mydaemon.c, installed in /usr/local/bin and started from a systemd unit;
  # its file label and process domain are checked before any policy exists.
  206. 205 pwd
  207. 206 ls
  208. 207 dnf install policycoreutils-devel setools-console gcc
  209. 208 ls
  210. 209 gcc -o mydaemon mydaemon.c
  211. 210 ls
  212. 211 sudo cp mydaemon /usr/local/bin/
  213. 212 vim mydaemon.service
  214. 213 cp mydaemon.service /etc/systemd/system/
  215. 214 ls -Z /usr/local/bin/mydaemon
  216. 215 systemctl start mydaemon
  217. 216 ps Zaux | grep mydaemon
  # `sepolicy generate --init` writes a policy skeleton for the binary; the
  # history then opens mydaemon.te, mydaemon.if and mydaemon.sh and runs
  # mydaemon.sh (presumably the generated build-and-install script; its
  # content is not shown).
  # NOTE(review): policy generated this way usually declares the new domain
  # permissive at first - confirm in mydaemon.te before relying on it for
  # enforcement.
  218. 217 sepolicy generate --init /usr/local/bin/mydaemon
  219. 218 vim mydaemon.te
  220. 219 vim mydaemon.if
  221. 220 vim mydaemon.sh
  222. 221 ./mydaemon.sh
  223. 222 systemctl restart mydaemon.service
  224. 223 ps Zaux | grep mydae
  225. 224 man -k mydaemon
  226. 225 mandb
  227. 226 grep AVC /var/log/audit/audit.log
  228. 227 grep sealert /var/log/messages
  # `sealert -l "*"` prints the reports for all recorded alerts.
  229. 228 sealert -l "*"
  230. 229 sealert -l "*" | less
  # Entries 230-231 are commented-out suggestions; entries 232-233 run them,
  # but without `-X 300`, so the module is installed at semodule's default
  # priority. audit2allow converts every denial logged for the command name
  # into allow rules; read my-mydaemon.te before loading the module.
  231. 230 # ausearch -c 'mydaemon' --raw | audit2allow -M my-mydaemon
  232. 231 # semodule -X 300 -i my-mydaemon.pp
  233. 232 ausearch -c 'mydaemon' --raw | audit2allow -M my-mydaemon
  234. 233 semodule -i my-mydaemon.pp
  235. 234 systemctl restart mydaemon
  236. 235 grep AVC /var/log/messages
  237. 236 grep AVC /var/log/audit/audit.log
  # `date -d @<epoch>` prints an epoch value as a readable date; presumably the
  # value came from an audit record timestamp (the record is not shown).
  238. 237 date -d @1671046387
  239. 238 systemctl cat vsftpd.service
  # Entries 239-255: `runcon` tries to start vsftpd in the httpd_t domain. In
  # each round the denials logged for the command name `runcon` are converted
  # into a module with audit2allow, loaded at priority 300 (my-runcon, then
  # my-runcon2), and the command is retried.
  # NOTE(review): this loop widens policy one denial at a time without reading
  # the generated rules, and the modules stay loaded after the exercise;
  # `semodule -X 300 -r my-runcon my-runcon2` removes them.
  240. 239 runcon -u system_u -r system_r -t httpd_t vsftpd
  241. 240 grep AVC /var/log/audit/audit.log
  # Entry 241 gives `-l` no alert ID; entry 242 repeats it with "*".
  242. 241 sealert -l
  243. 242 sealert -l "*"
  244. 243 # ausearch -c 'runcon' --raw | audit2allow -M my-runcon
  245. 244 # semodule -X 300 -i my-runcon.pp
  246. 245 ausearch -c 'runcon' --raw | audit2allow -M my-runcon
  247. 246 semodule -X 300 -i my-runcon.pp
  248. 247 runcon -u system_u -r system_r -t httpd_t vsftpd
  249. 248 grep AVC /var/log/audit/audit.log
  250. 249 sealert -l "*"
  # The commented-out suggestion still names my-runcon; the executed commands
  # (entries 252-253) use the new name my-runcon2 for the second module.
  251. 250 # ausearch -c 'runcon' --raw | audit2allow -M my-runcon
  252. 251 # semodule -X 300 -i my-runcon.pp
  253. 252 ausearch -c 'runcon' --raw | audit2allow -M my-runcon2
  254. 253 semodule -X 300 -i my-runcon2.pp
  255. 254 runcon -u system_u -r system_r -t httpd_t vsftpd
  256. 255 grep AVC /var/log/audit/audit.log
  257. 256 history
  258.  