diff --git a/active/os_fedora/selinux.md b/active/os_fedora/selinux.md
deleted file mode 100644
index b69779b..0000000
--- a/active/os_fedora/selinux.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Selinux Findings
-
-## Cloning a Virtual Machine
-
-```bash
-cd active/os_fedora/selinux_policies
-sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
-sudo semodule -X 300 -i my-rpcvirtstorage.pp
-```
diff --git a/active/os_fedora/selinux_policies/clamav-notifysend.te b/active/os_fedora/selinux_policies/clamav-notifysend.te
new file mode 100644
index 0000000..a6b865e
--- /dev/null
+++ b/active/os_fedora/selinux_policies/clamav-notifysend.te
@@ -0,0 +1,14 @@
+
+module clamav-notifysend 1.0;
+
+require {
+ type session_dbusd_tmp_t;
+ type antivirus_t;
+ type unconfined_dbusd_t;
+ class sock_file write;
+ class unix_stream_socket connectto;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t session_dbusd_tmp_t:sock_file write;
+allow antivirus_t unconfined_dbusd_t:unix_stream_socket connectto;
diff --git a/active/os_fedora/selinux_policies/clamav-sudo.te b/active/os_fedora/selinux_policies/clamav-sudo.te
new file mode 100644
index 0000000..c9d1c43
--- /dev/null
+++ b/active/os_fedora/selinux_policies/clamav-sudo.te
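Review bot: The two allow rules at the end of clamav-notifysend.te let antivirus_t (ClamAV's domain, going by the module name) write to any session_dbusd_tmp_t socket and connect to any unconfined_dbusd_t process, i.e. the session bus of every logged-in user rather than the one desktop that should receive the notification, and nothing in the file says what triggered the denials. The module reads as raw audit2allow output, so a header comment is the minimum a maintainer needs: `# Generated from antivirus_t denials hitting the user session bus; lets the scanner deliver desktop notifications (notify-send)`, naming the ausearch/grep filter that produced it. It is worth documenting in that comment whether the notification could instead be raised by a per-user unit watching the scanner's log, which would avoid widening the daemon's reach into the session bus at all.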
@@ -0,0 +1,29 @@
+
+module clamav-sudo 1.0;
+
+require {
+ type antivirus_t;
+ type sudo_exec_t;
+ type systemd_logind_var_run_t;
+ type pidfs_t;
+ type chkpwd_exec_t;
+ type systemd_logind_t;
+ class file { execute execute_no_trans map };
+ class netlink_audit_socket { create nlmsg_relay read write };
+ class capability { audit_write sys_resource };
+ class process { setrlimit setsched };
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class filesystem getattr;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t chkpwd_exec_t:file { execute execute_no_trans };
+allow antivirus_t pidfs_t:filesystem getattr;
+allow antivirus_t self:capability { audit_write sys_resource };
+allow antivirus_t self:netlink_audit_socket { create nlmsg_relay write };
+allow antivirus_t self:netlink_audit_socket read;
+allow antivirus_t self:process { setrlimit setsched };
+allow antivirus_t sudo_exec_t:file map;
+allow antivirus_t systemd_logind_t:unix_stream_socket connectto;
+allow antivirus_t systemd_logind_var_run_t:sock_file write;
diff --git a/active/os_fedora/selinux_policies/clamav-unixchkpwd.te b/active/os_fedora/selinux_policies/clamav-unixchkpwd.te
new file mode 100644
index 0000000..c7c39da
--- /dev/null
+++ b/active/os_fedora/selinux_policies/clamav-unixchkpwd.te
@@ -0,0 +1,23 @@
+
+module clamav-unixchkpwd 1.0;
+
+require {
+ type chkpwd_t;
+ type user_devpts_t;
+ type antivirus_t;
+ type shadow_t;
+ type init_t;
+ class chr_file { read write };
+ class file { getattr open read };
+ class process siginh;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t shadow_t:file { open read };
+allow antivirus_t shadow_t:file getattr;
+
+#============= chkpwd_t ==============
+allow chkpwd_t user_devpts_t:chr_file { read write };
+
+#============= init_t ==============
+allow init_t chkpwd_t:process siginh;
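Review bot: `allow antivirus_t chkpwd_exec_t:file { execute execute_no_trans };` in clamav-sudo.te keeps unix_chkpwd running inside antivirus_t instead of transitioning to chkpwd_t, and that is what forces the `allow antivirus_t shadow_t:file { open read };` rule in clamav-unixchkpwd.te on this same line: the domain that parses untrusted files ends up with direct read access to the shadow file. Together with the sudo_exec_t map, audit_write capability and logind connectto rules, the module effectively lets the scanner domain run sudo and complete PAM authentication, which is a much larger escalation path than the notification helper the neighbouring module suggests it serves (the commit does not say what invokes sudo). If the caller must stay in antivirus_t, replace the execute_no_trans rule with a proper transition, `allow antivirus_t chkpwd_exec_t:file { execute open read };`, `allow antivirus_t chkpwd_t:process transition;` and `type_transition antivirus_t chkpwd_exec_t:process chkpwd_t;`, and drop the shadow_t rules, since chkpwd_t already holds that access in the base policy; with the selinux-policy-devel Makefile the same thing is the refpolicy interface `auth_domtrans_chk_passwd(antivirus_t)`, which bare checkmodule will not expand. The cleaner fix is to run whatever needs sudo outside antivirus_t (its own unit or a user-session helper) so no module is required, and either way each .te should open with a comment naming the command and denial filter it was generated from.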
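Review bot: clamav-unixchkpwd.te changes domains other than the scanner's: `allow chkpwd_t user_devpts_t:chr_file { read write };` and `allow init_t chkpwd_t:process siginh;` alter chkpwd_t and init_t system-wide, which a module named for ClamAV should not do. The siginh denial is the usual signal-inheritance noise on exec and is normally dontaudited rather than allowed, so it can most likely be dropped; the devpts rule lets the password checker read and write a user terminal and should at least carry a comment explaining which interactive flow needed it before it is kept. Scope the module to antivirus_t rules only and record the ausearch filter used, e.g. `# rules below are for the scanner domain only; see clamav-sudo.te for the sudo/PAM path`, so the next reviewer can tell deliberate grants from audit2allow pass-through.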
diff --git a/active/os_fedora/selinux_policies/my-rpcvirtstorage.pp b/active/os_fedora/selinux_policies/my-rpcvirtstorage.pp
deleted file mode 100644
index b06e66e..0000000
Binary files a/active/os_fedora/selinux_policies/my-rpcvirtstorage.pp and /dev/null differ
diff --git a/active/software_firewalld/firewalld.md b/active/software_firewalld/firewalld.md
new file mode 100644
index 0000000..51b4211
--- /dev/null
+++ b/active/software_firewalld/firewalld.md
@@ -0,0 +1,23 @@
+# Firewalld
+
+## Notes
+
+```bash
+# Add a port
+firewall-cmd --permanent --add-port=22/tcp
+
+# List active zones
+firewall-cmd --get-active-zones
+
+# Set default zone
+firewall-cmd --set-default-zone=drop
+
+# Set zone for a specific subnet
+firewall-cmd --permanent --zone=drop --add-source=10.244.0.0/16
+
+# Get info about service
+firewall-cmd --info-service=samba
+
+# Get zone information
+firewall-cmd --info-zone=drop
+```
\ No newline at end of file
diff --git a/active/software_gpg/gpg.md b/active/software_gpg/gpg.md
index 1b661cd..3574258 100644
--- a/active/software_gpg/gpg.md
+++ b/active/software_gpg/gpg.md
@@ -13,9 +13,6 @@
 - [Signing Files](#signing-files)
 - [Encrypting Files](#encrypting-files)
 - [Yubikey](#yubikey)
- - [Saving GPG key to card](#saving-gpg-key-to-card)
- - [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey)
- - [Factory Reset](#factory-reset)
 - [Linux Apps](#linux-apps)
 - [Evolution Email](#evolution-email)
 - [Android Apps](#android-apps)
@@ -193,47 +190,7 @@ gpg --decrypt README.md.gpg
 
 ## Yubikey
 
-### Saving GPG key to card
-
-
-
-```bash
-gpg --edit-key 1234ABC
-
-# Save both the signature and authentication keys
-> keytocard
-
-# Do not save or your key will be deleted locally
-> quit
-```
-
-Check the keys on the yubikey with
-
-```bash
-gpg --card-status
-```
-
-Once your keys have been loaded, change the pin.
-
-```bash
-gpg --change-pin
-```
-
-### Using the GPG key on a Yubikey
-
-
-
-Importing the public key and trusting it with ultimate should cause `gpg
---list-secret-keys` to show your yubikey.
-
-### Factory Reset
-
-```bash
-gpg --edit-card
-
-> admin
-> factory-reset
-```
+See [Yubikey Notes](/active/device_yubikey/yubikey.md#gpg)
 
 ## Linux Apps
 
diff --git a/active/systemd_k3s/k3s.md b/active/software_k3s/k3s.md
similarity index 100%
rename from active/systemd_k3s/k3s.md
rename to active/software_k3s/k3s.md
diff --git a/active/systemd_k3s/tests/democratic-csi-pvc-test.yaml b/active/software_k3s/tests/democratic-csi-pvc-test.yaml
similarity index 100%
rename from active/systemd_k3s/tests/democratic-csi-pvc-test.yaml
rename to active/software_k3s/tests/democratic-csi-pvc-test.yaml
diff --git a/active/systemd_k3s/tests/ffmpeg.yaml b/active/software_k3s/tests/ffmpeg.yaml
similarity index 100%
rename from active/systemd_k3s/tests/ffmpeg.yaml
rename to active/software_k3s/tests/ffmpeg.yaml
diff --git a/active/systemd_k3s/tests/ingress-nginx-test.yaml b/active/software_k3s/tests/ingress-nginx-test.yaml
similarity index 100%
rename from active/systemd_k3s/tests/ingress-nginx-test.yaml
rename to active/software_k3s/tests/ingress-nginx-test.yaml
diff --git a/active/systemd_k3s/tests/metallb-test.yaml b/active/software_k3s/tests/metallb-test.yaml
similarity index 100%
rename from active/systemd_k3s/tests/metallb-test.yaml
rename to active/software_k3s/tests/metallb-test.yaml
diff --git a/active/systemd_k3s/tests/statefulset-example.yaml b/active/software_k3s/tests/statefulset-example.yaml
similarity index 100%
rename from active/systemd_k3s/tests/statefulset-example.yaml
rename to active/software_k3s/tests/statefulset-example.yaml
diff --git a/active/systemd_k3s/upgrade-plan.yaml b/active/software_k3s/upgrade-plan.yaml
similarity index 100%
rename from active/systemd_k3s/upgrade-plan.yaml
rename to active/software_k3s/upgrade-plan.yaml
diff --git a/active/software_selinux/selinux.md b/active/software_selinux/selinux.md
new file mode 100644
index 0000000..c272a16
--- /dev/null
+++ b/active/software_selinux/selinux.md
@@ -0,0 +1,162 @@
+# Selinux
+
+
+
+## Terminology
+
+Subjects vs Objects:
+
+- A Subject is a process (e.g., the Apache httpd process).
+- An Object is the thing a subject wants to access (e.g., a file, a directory,
+ a network port, a system socket).
+
+Labels (Contexts):
+
+- Every single Subject and every single Object on an SELinux system has a
+ label. This label is called an SELinux Context.
+- A process’s label is called a domain.
+- A file’s label is called a type.
+
+The Policy:
+
+- The SELinux policy is just a massive database of rules that says which
+ domains can access which types.
+- A rule might say: “Allow the domain httpd_t (the Apache process) to read
+ files with the type httpd_sys_content_t (web content).”
+
+Type Enforcement (TE):
+
+- This is the name of the engine that enforces these rules. When a Subject
+ (process) tries to access an Object (file), the Linux kernel’s hook for
+ SELinux checks their labels.
+- It looks up the rule in the policy.
+- If a rule allow httpd_t httpd_sys_content_t:file { read }; exists, the access
+ is granted.
+- If no “allow” rule exists, the access is implicitly denied, and an event is
+ logged to /var/log/audit/audit.log.
+
+An SELinux context is a string with four parts, separated by colons: `user:role:type:level`
+
+- User: An SELinux user (e.g., system_u, unconfined_u). This is not the same as
+ your Linux user (root, john). It’s an identity within the policy.
+- Role: Used in Role-Based Access Control (RBAC). (e.g., system_r, object_r).
+- Level: Used in Multi-Level Security (MLS) and Multi-Category Security (MCS).
+ (e.g., s0, or s0:c0,c1). This is what keeps containers (Docker, Podman)
+ separate from each other.
+- For 99% of all system administration, you can COMPLETELY IGNORE the user, role, and level.
+
+The only part that matters for day-to-day troubleshooting is the third part:
+the type. This is the real label.
+
+- For a process (Subject), the type is its domain.
+- For a file (Object), the type is its type.
+
+## Using Selinux
+
+```bash
+# List labels
+# The type is the third item in the four colon-separated values
+ls -lZ /var
+ls -lZ /var/log
+ls -lZ .
+
+# List processes
+ps -eZ | grep -i auditd
+ps -eZ | grep -i clam
+ps -eZ | grep -i grep
+```
+
+### Using Selinux Booleans
+
+When you see an "selinux denied" error you have two choices:
+
+1. (Wrong) Write a custom policy module to allow this.
+2. (Right) Check if there’s an “off” switch for this rule.
+
+This “off” switch is called an SELinux Boolean.
+
+Booleans are on/off toggles for common policy rules. They are the first thing
+you should check when you have a denial.
+
+Your workflow should look like:
+
+1. Get a denial.
+2. Run getsebool -a | grep service_name.
+3. Read the list of booleans and find one that sounds like the action being denied.
+4. Temporarily flip it with setsebool.
+5. Test. If it works, make it permanent with setsebool -P.
+
+```bash
+# Get all booleans
+getsebool -a
+
+# Find one that's relevant
+getsebool -a | grep -i clam
+
+# Flip an sebool on temporarily
+setsebool httpd_can_network_connect_db on
+
+# Flip sebool on permanently
+setsebool -P httpd_can_network_connect_db on
+```
+
+### Using Selinux with Audit Log
+
+If the selinux boolean approach doesn't work.
+
+```bash
+# Make sure you have the troubleshooting package installed
+sudo dnf install -y setroubleshoot-server
+
+# List all alerts
+sudo sealert -a /var/log/audit/audit.log
+
+# If sealert doesn't have a recommendation, like restorecon, then use audit2why
+# This will tell you what you should do to fix the issue
+sudo grep "denied" /var/log/audit/audit.log | tail -n 1 | audit2why
+
+# Check what rule would be created
+sudo grep "antivirus_t" /var/log/audit/audit.log | audit2allow -m clamav-notifysend
+
+# Create the .te (human readable) policy, compile it (.pp), and load it into the kernel
+sudo grep "antivirus_t" /var/log/audit/audit.log | audit2allow -M clamav-notifysend
+
+# Apply the policy
+sudo semodule -X 300 -i clamav-notifysend.pp
+
+# List active policies
+sudo semodule -l
+
+# Remove an active policy
+sudo semodule -r clamav-notifysend
+```
+
+### Showing Dontaudit Rules
+
+Selinux will hide denies that are explicitly prohibited through a rule.
+
+```bash
+# Show dontaudit rules
+semodule -DB
+
+# Hide dontaudit rules
+semodule -B
+```
+
+## Compiling Modules
+
+If you have a `te` file you can compile to a `pp` file with the following:
+
+```bash
+# Compile to module source, then to policy package
+checkmodule -M -m -o sample.mod sample.te
+semodule_package -o sample.pp -m sample.mod
+```
+
+## Cloning a Virtual Machine
+
+```bash
+cd active/os_fedora/selinux_policies
+sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
+sudo semodule -X 300 -i my-rpcvirtstorage.pp
+```