move selinux, firewalld, k3s

active/os_fedora/selinux.md

@@ -1,9 +0,0 @@
-# Selinux Findings
-
-## Cloning a Virtual Machine
-
-```bash
-cd active/os_fedora/selinux_policies
-sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
-sudo semodule -X 300 -i my-rpcvirtstorage.pp
-```

active/os_fedora/selinux_policies/clamav-notifysend.te

@@ -0,0 +1,14 @@
+
+module clamav-notifysend 1.0;
+
+require {
+	type session_dbusd_tmp_t;
+	type antivirus_t;
+	type unconfined_dbusd_t;
+	class sock_file write;
+	class unix_stream_socket connectto;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t session_dbusd_tmp_t:sock_file write;
+allow antivirus_t unconfined_dbusd_t:unix_stream_socket connectto;

active/os_fedora/selinux_policies/clamav-sudo.te

@@ -0,0 +1,29 @@
+
+module clamav-sudo 1.0;
+
+require {
+	type antivirus_t;
+	type sudo_exec_t;
+	type systemd_logind_var_run_t;
+	type pidfs_t;
+	type chkpwd_exec_t;
+	type systemd_logind_t;
+	class file { execute execute_no_trans map };
+	class netlink_audit_socket { create nlmsg_relay read write };
+	class capability { audit_write sys_resource };
+	class process { setrlimit setsched };
+	class sock_file write;
+	class unix_stream_socket connectto;
+	class filesystem getattr;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t chkpwd_exec_t:file { execute execute_no_trans };
+allow antivirus_t pidfs_t:filesystem getattr;
+allow antivirus_t self:capability { audit_write sys_resource };
+allow antivirus_t self:netlink_audit_socket { create nlmsg_relay write };
+allow antivirus_t self:netlink_audit_socket read;
+allow antivirus_t self:process { setrlimit setsched };
+allow antivirus_t sudo_exec_t:file map;
+allow antivirus_t systemd_logind_t:unix_stream_socket connectto;
+allow antivirus_t systemd_logind_var_run_t:sock_file write;

active/os_fedora/selinux_policies/clamav-unixchkpwd.te

@@ -0,0 +1,23 @@
+
+module clamav-unixchkpwd 1.0;
+
+require {
+	type chkpwd_t;
+	type user_devpts_t;
+	type antivirus_t;
+	type shadow_t;
+	type init_t;
+	class chr_file { read write };
+	class file { getattr open read };
+	class process siginh;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t shadow_t:file { open read };
+allow antivirus_t shadow_t:file getattr;
+
+#============= chkpwd_t ==============
+allow chkpwd_t user_devpts_t:chr_file { read write };
+
+#============= init_t ==============
+allow init_t chkpwd_t:process siginh;

active/software_firewalld/firewalld.md

@@ -0,0 +1,23 @@
+# Firewalld
+
+## Notes
+
+```bash
+# Add a port
+firewall-cmd --permanent --add-port=22/tcp
+
+# List active zones
+firewall-cmd --get-active-zones
+
+# Set default zone
+firewall-cmd --set-default-zone=drop
+
+# Set zone for a specific subnet
+firewall-cmd --permanent --zone=drop --add-source=10.244.0.0/16
+
+# Get info about service
+firewall-cmd --info-service=samba
+
+# Get zone information
+firewall-cmd --info-zone=drop
+```

active/software_gpg/gpg.md

@@ -13,9 +13,6 @@
     - [Signing Files](#signing-files)
     - [Encrypting Files](#encrypting-files)
   - [Yubikey](#yubikey)
-    - [Saving GPG key to card](#saving-gpg-key-to-card)
-    - [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey)
-    - [Factory Reset](#factory-reset)
   - [Linux Apps](#linux-apps)
     - [Evolution Email](#evolution-email)
   - [Android Apps](#android-apps)
@@ -193,47 +190,7 @@ gpg --decrypt README.md.gpg
 
 ## Yubikey
 
-### Saving GPG key to card
+See [Yubikey Notes](/active/device_yubikey/yubikey.md#gpg)
-
-<https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP>
-
-```bash
-gpg --edit-key 1234ABC
-
-# Save both the signature and authentication keys
-> keytocard
-
-# Do not save or your key will be deleted locally
-> quit
-```
-
-Check the keys on the yubikey with
-
-```bash
-gpg --card-status
-```
-
-Once your keys have been loaded, change the pin.
-
-```bash
-gpg --change-pin
-```
-
-### Using the GPG key on a Yubikey
-
-<https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#notes>
-
-Importing the public key and trusting it with ultimate should cause `gpg
---list-secret-keys` to show your yubikey.
-
-### Factory Reset
-
-```bash
-gpg --edit-card
-
-> admin
-> factory-reset
-```
 
 ## Linux Apps
 

active/software_selinux/selinux.md

@@ -0,0 +1,162 @@
+# Selinux
+
+<https://thecybersecguru.com/tutorials/selinux-ultimate-guide/>
+
+## Terminology
+
+Subjects vs Objects:
+
+- A Subject is a process (e.g., the Apache httpd process).
+- An Object is the thing a subject wants to access (e.g., a file, a directory,
+  a network port, a system socket).
+
+Labels (Contexts):
+
+- Every single Subject and every single Object on an SELinux system has a
+  label. This label is called an SELinux Context.
+- A process’s label is called a domain.
+- A file’s label is called a type.
+
+The Policy:
+
+- The SELinux policy is just a massive database of rules that says which
+  domains can access which types.
+- A rule might say: “Allow the domain httpd_t (the Apache process) to read
+  files with the type httpd_sys_content_t (web content).”
+
+Type Enforcement (TE):
+
+- This is the name of the engine that enforces these rules. When a Subject
+  (process) tries to access an Object (file), the Linux kernel’s hook for
+  SELinux checks their labels.
+- It looks up the rule in the policy.
+- If a rule allow httpd_t httpd_sys_content_t:file { read }; exists, the access
+  is granted.
+- If no “allow” rule exists, the access is implicitly denied, and an event is
+  logged to /var/log/audit/audit.log.
+
+An SELinux context is a string with four parts, separated by colons: `user:role:type:level`
+
+- User: An SELinux user (e.g., system_u, unconfined_u). This is not the same as
+  your Linux user (root, john). It’s an identity within the policy.
+- Role: Used in Role-Based Access Control (RBAC). (e.g., system_r, object_r).
+- Level: Used in Multi-Level Security (MLS) and Multi-Category Security (MCS).
+  (e.g., s0, or s0:c0,c1). This is what keeps containers (Docker, Podman)
+  separate from each other.
+- For 99% of all system administration, you can COMPLETELY IGNORE the user, role, and level.
+
+The only part that matters for day-to-day troubleshooting is the third part:
+the type. This is the real label.
+
+- For a process (Subject), the type is its domain.
+- For a file (Object), the type is its type.
+
+## Using Selinux
+
+```bash
+# List labels
+# The type is the third item in the four colon-separated values
+ls -lZ /var
+ls -lZ /var/log
+ls -lZ .
+
+# List processes
+ps -eZ | grep -i auditd
+ps -eZ | grep -i clam
+ps -eZ | grep -i grep
+```
+
+### Using Selinux Booleans
+
+When you see an "selinux denied" error you have two choices:
+
+1. (Wrong) Write a custom policy module to allow this.
+2. (Right) Check if there’s an “off” switch for this rule.
+
+This “off” switch is called an SELinux Boolean.
+
+Booleans are on/off toggles for common policy rules. They are the first thing
+you should check when you have a denial.
+
+Your workflow should look like:
+
+1. Get a denial.
+2. Run getsebool -a | grep service_name.
+3. Read the list of booleans and find one that sounds like the action being denied.
+4. Temporarily flip it with setsebool.
+5. Test. If it works, make it permanent with setsebool -P.
+
+```bash
+# Get all booleans
+getsebool -a
+
+# Find one that's relevant
+getsebool -a | grep -i clam
+
+# Flip an sebool on temporarily
+setsebool httpd_can_network_connect_db on
+
+# Flip sebool on permanently
+setsebool -P httpd_can_network_connect_db on
+```
+
+### Using Selinux with Audit Log
+
+If the selinux boolean approach doesn't work.
+
+```bash
+# Make sure you have the troubleshooting package installed
+sudo dnf install -y setroubleshoot-server
+
+# List all alerts
+sudo sealert -a /var/log/audit/audit.log
+
+# If sealert doesn't have a recommendation, like restorecon, then use audit2why
+# This will tell you what you should do to fix the issue
+sudo grep "denied" /var/log/audit/audit.log | tail -n 1 | audit2why
+
+# Check what rule would be created
+sudo grep "antivirus_t" /var/log/audit/audit.log | audit2allow -m clamav-notifysend
+
+# Create the .te (human readable) policy, compile it (.pp), and load it into the kernel
+sudo grep "antivirus_t" /var/log/audit/audit.log | audit2allow -M clamav-notifysend
+
+# Apply the policy
+sudo semodule -X 300 -i clamav-notifysend.pp
+
+# List active policies
+sudo semodule -l
+
+# Remove an active policy
+sudo semodule -r clamav-notifysend
+```
+
+### Showing Dontaudit Rules
+
+Selinux will hide denies that are explicitly prohibited through a rule.
+
+```bash
+# Show dontaudit rules
+semodule -DB
+
+# Hide dontaudit rules
+semodule -B
+```
+
+## Compiling Modules
+
+If you have a `te` file you can compile to a `pp` file with the following:
+
+```bash
+# Compile to module source, then to policy package
+checkmodule -M -m -o sample.mod sample.te
+semodule_package -o sample.pp -m sample.mod
+```
+
+## Cloning a Virtual Machine
+
+```bash
+cd active/os_fedora/selinux_policies
+sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
+sudo semodule -X 300 -i my-rpcvirtstorage.pp
+```