services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

move selinux, firewalld, k3s

Browse Source
This commit is contained in:
Reese Wells
2025-11-13 16:50:53 -05:00
parent ef527abef4
commit 7ccedb9768
15 changed files with 252 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
active/os_fedora/selinux.md
View File

@@ -1,9 +0,0 @@
# Selinux Findings
## Cloning a Virtual Machine
```bash
cd active/os_fedora/selinux_policies
sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
sudo semodule -X 300 -i my-rpcvirtstorage.pp
```

14
active/os_fedora/selinux_policies/clamav-notifysend.te Normal file
View File

@@ -0,0 +1,14 @@
module clamav-notifysend 1.0;
require {
type session_dbusd_tmp_t;
type antivirus_t;
type unconfined_dbusd_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= antivirus_t ==============
allow antivirus_t session_dbusd_tmp_t:sock_file write;
allow antivirus_t unconfined_dbusd_t:unix_stream_socket connectto;

29
active/os_fedora/selinux_policies/clamav-sudo.te Normal file
View File

@@ -0,0 +1,29 @@
module clamav-sudo 1.0;
require {
type antivirus_t;
type sudo_exec_t;
type systemd_logind_var_run_t;
type pidfs_t;
type chkpwd_exec_t;
type systemd_logind_t;
class file { execute execute_no_trans map };
class netlink_audit_socket { create nlmsg_relay read write };
class capability { audit_write sys_resource };
class process { setrlimit setsched };
class sock_file write;
class unix_stream_socket connectto;
class filesystem getattr;
}
#============= antivirus_t ==============
allow antivirus_t chkpwd_exec_t:file { execute execute_no_trans };
allow antivirus_t pidfs_t:filesystem getattr;
allow antivirus_t self:capability { audit_write sys_resource };
allow antivirus_t self:netlink_audit_socket { create nlmsg_relay write };
allow antivirus_t self:netlink_audit_socket read;
allow antivirus_t self:process { setrlimit setsched };
allow antivirus_t sudo_exec_t:file map;
allow antivirus_t systemd_logind_t:unix_stream_socket connectto;
allow antivirus_t systemd_logind_var_run_t:sock_file write;

23
active/os_fedora/selinux_policies/clamav-unixchkpwd.te Normal file
View File

@@ -0,0 +1,23 @@
module clamav-unixchkpwd 1.0;
require {
type chkpwd_t;
type user_devpts_t;
type antivirus_t;
type shadow_t;
type init_t;
class chr_file { read write };
class file { getattr open read };
class process siginh;
}
#============= antivirus_t ==============
allow antivirus_t shadow_t:file { open read };
allow antivirus_t shadow_t:file getattr;
#============= chkpwd_t ==============
allow chkpwd_t user_devpts_t:chr_file { read write };
#============= init_t ==============
allow init_t chkpwd_t:process siginh;

BIN
active/os_fedora/selinux_policies/my-rpcvirtstorage.pp
View File

Binary file not shown.