├── 14-aug-24.txt
├── README.md
├── SELinux_live_july23.pdf
├── ansible.cfg
├── countdown
├── httpd.conf
├── my-VGAuthService.pp
├── my-VGAuthService.te
├── my-kdumpctl.pp
├── my-kdumpctl.te
├── my-legedpy.pp
├── my-legedpy.te
├── my-systemdudevd.pp
├── my-systemdudevd.te
├── my-vmtoolsd.pp
├── my-vmtoolsd.te
├── myapp
├── myapp.service
├── mydaemon.c
├── mydaemon.service
├── myfile
├── rot13.service
├── server.php
├── setup-rot.sh
├── startrot13
└── using_sepolicy_generate_history.txt
/14-aug-24.txt:
--------------------------------------------------------------------------------
1 | 1 getenforxcce
2 | 2 getenforce
3 | 3 ls -Z /etc/passwd
4 | 4 ls -Z /etc/shadow
5 | 5 useradd anna
6 | 6 ls -Z /etc/shadow
7 | 7 vim /etc/default/grub
8 | 8 ls -Z /boot/grub2/grub.cfg
9 | 9 grub2-mkconfig -o /boot/grub2/grub.cfg
10 | 10 ls -Z /boot/grub2/grub.cfg
11 | 11 reboot
12 | 12 dnf install -y git
13 | 13 git clone https://github.com/sandervanvugt/selinux
14 | 14 cd selinux/
15 | 15 ls
16 | 16 history
17 | 17 ./countdown 12
18 | 18 grep AVC /var/log/audit/audit.log
19 | 19 cd
20 | 20 semanage fcontext -a -t public_content_t /etc/bogus
21 | 21 ls -Z /etc/bogus
22 | 22 touch /etc/bogus
23 | 23 ls -Z /etc/bogus
24 | 24 restorecon -v /etc/bogus
25 | 25 ls -dZ /web
26 | 26 ls -Z /var/www
27 | 27 dnf list selinux*
28 | 28 dnf list selinux
29 | 29 dnf install selinux-policy-doc
30 | 30 man -k _selinux
31 | 31 man httpd_selinux
32 | 32 ls -Z /etc/bogus
33 | 33 mkdir /files
34 | 34 touch /files/file{1..10}
35 | 35 ls -Z /files/
36 | 36 semanage fcontext -a -t public_content_t "/files(/.*)?"
37 | 37 ls -Zd /files
38 | 38 restorecon -Rv /files
39 | 39 cd /etc/selinux/targeted/
40 | 40 ls
41 | 41 cd contexts/
42 | 42 ls
43 | 43 cd files/
44 | 44 ls
45 | 45 cat file_contexts.local
46 | 46 cd
47 | 47 touch /tmp/chconfile
48 | 48 chcon -t httpd_sys_content_t /tmp/chconfile
49 | 49 ls -Z /tmp/chconfile
50 | 50 restorecon -R\v /tmp
51 | 51 restorecon -Rv /tmp
52 | 52 ls -Z /tmp/chconfile /etc/hosts
53 | 53 chcon -t httpd_sys_content_t /etc/hosts
54 | 54 restorecon -v /etc/hosts
55 | 55 man semanage-fcontext
56 | 56 semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
57 | 57 restorecon -Rv /web
58 | 58 vim /etc/ssh/sshd_config
59 | 59 vim /etc/httpd/conf/httpd.conf
60 | 60 systemctl restart httpd
61 | 61 systemctl status httpd
62 | 62 journalctl -xeu httpd.service
63 | 63 grep AVC /var/log/audit/audit.log
64 | 64 man httpd_selinux
65 | 65 semanage port -l
66 | 66 semanage port -l | grep http
67 | 67 man semanage-port
68 | 68 semanage port -a -t http_port_t -p tcp 82
69 | 69 systemctl restart httpd
70 | 70 netstat -Ztulpen
71 | 71 semanage port -l
72 | 72 semanage port -l | wc -l
73 | 73 semanage fcontext -l
74 | 74 semanage fcontext -l | wc -l
75 | 75 semanage fcontext -l | grep http | wc -l
76 | 76 semanage fcontext -l | grep http | less
77 | 77 history
78 | 78 semanage port -l | grep 82
79 | 79 history
80 | 80 touch /tmp/customizable1
81 | 81 ls -Z /tmp/customizable1
82 | 82 ls -ld /tmp
83 | 83 ls -ldZ /tmp
84 | 84 chcon -t container_file_t /tmp/customizable1
85 | 85 ls -ldZ /tmp
86 | 86 ls -Z /tmp/customizable1
87 | 87 restorecon -Rv /tmp
88 | 88 ls -Z /tmp/customizable1
89 | 89 history
90 | 90 getsebool -l
91 | 91 getsebool -a
92 | 92 getsebool -a | grep ftp
93 | 93 seinfo -b ftpd_anon_write -C
94 | 94 seinfo -b ftpd_anon_write
95 | 95 vim /etc/httpd/conf.d/userdir.conf
96 | 96 grep anna /etc/passwd
97 | 97 chmod -R 755 /home/anna
98 | 98 su - anna
99 | 99 systemctl restart httpd
100 | 100 grep AVC /var/log/audit/audit.log
101 | 101 curl http://localhost/~anna
102 | 102 vim /etc/httpd/conf/httpd.conf
103 | 103 systemctl restart httpd
104 | 104 grep AVC /var/log/audit/audit.log
105 | 105 sesearch -s httpd_t -t httpd_user_content_t -A
106 | 106 setsebool -P httpd_enable_home_dirs on
107 | 107 setsebool -P httpd_enable_homedirs on
108 | 108 grep AVC /var/log/audit/audit.log | grep http
109 | 109 grep AVC /var/log/audit/audit.log | grep http | audit2allow -M myhttp
110 | 110 ls
111 | 111 vim myhttp.te
112 | 112 journalctl | grep sealert
113 | 113 grep sealert /var/log/messages
114 | 114 sealert -l 3ee5c758-e52a-4f00-a4f4-d58b994ab83e | less
115 | 115 history
116 | 116 sealert -l 3ee5c758-e52a-4f00-a4f4-d58b994ab83e | less
117 | 117 man semodule
118 | 118 grep sealert /var/log/messages
119 | 119 sealert -l e5687fbf-61d3-4ff6-b5ef-c6566a9cdd88 | less
120 | 120 sealert -l 35fe92b8-d684-4997-8a58-f3fa5e90118d | less
121 | 121 hostnamectl hostname selinux.example.com
122 | 122 exit
123 | 123 sesearch -t public_content_t -A
124 | 124 sesearch -s vmware_t -t public_content_t -A
125 | 125 seinfo -a unconfined_domain_type -x
126 | 126 sesearch -b ftpd_full_access -A
127 | 127 getsebool -a | grep ftp
128 | 128 sesearch -b ftpd_anon_write -A
129 | 129 semodule -l
130 | 130 semodule -d zabbix
131 | 131 seinfo -c
132 | 132 seinfo -cfd -x
133 | 133 seinfo -ctcp_socket -x
134 | 134 seinfo -csocket -x
135 | 135 seinfo -cfile -x
136 | 136 seinfo -cdir -x
137 | 137 grep AVC /var/log/audit/audit.log
138 | 138 grep http /var/log/audit/audit.log | grep AVC > avc.txt
139 | 139 vim avc.txt
140 | 140 cat avc.txt | audit2allow -M mypolict
141 | 141 vim mypolict.te
142 | 142 history
143 | 143 cd selinux/
144 | 144 ls
145 | 145 vim sander.te
146 | 146 vim sander.fc
147 | 147 checkmodule -M -m -o sander.mod sander.te
148 | 148 semodule_package -o sander.pp -m sander.mod -f sander.fc
149 | 149 ls sander*
150 | 150 semodule -i sander.pp
151 | 151 mkdir /opt/sander
152 | 152 ls -dZ /opt/sander
153 | 153 restorecon -Rv /opt/sander
154 | 154 sudo dnf install policycoreutils-devel setools-console gcc
155 | 155 ls
156 | 156 vim mydaemon.c
157 | 157 gcc -o mydaemon mydaemon.c
158 | 158 sudo cp mydaemon /usr/local/bin/
159 | 159 cat mydaemon.service
160 | 160 cp mydaemon.service /etc/systemd/system/
161 | 161 systemctl daemon-reload
162 | 162 systemctl start mydaemon
163 | 163 ps Zaux | grep mydaemon
164 | 164 sepolicy generate --init /usr/local/bin/mydaemon
165 | 165 dnf repolist
166 | 166 dnf install -y nmap
167 | 167 ls
168 | 168 sepolicy generate --init /usr/local/bin/mydaemon
169 | 169 dnf list selinux*
170 | 170 reboot
171 | 171 cd selinux/
172 | 172 ./countdown 1
173 | 173 ./countdown 12
174 | 174 ./countdown 15
175 | 175 cd selinux/
176 | 176 sepolicy generate --init /usr/local/bin/mydaemon
177 | 177 ssh sander@192.168.52.180
178 | 178 history | grep audit2allow
179 | 179 ssh sander@192.168.52.180
180 | 180 history
181 | 181 semanage login -l
182 | 182 seinfo -u
183 | 183 seinfo -r
184 | 184 semanage user -l
185 | 185 useradd linda
186 | 186 echo password | passwd --stdin linda
187 | 187 useradd -Z sysadm_u -G wheel lisa
188 | 188 echo password | passwd --stdin lisa
189 | 189 semanage user -l
190 | 190 semanage login -l
191 | 191 semanage login -a -s user_u linda
192 | 192 semanage login -l
193 | 193 ssh linda@localhost
194 | 194 semanage login -l
195 | 195 semanage login -m -s sysadm_u root
196 | 196 semanage login -m -s user_u -r s0 __default__
197 | 197 semanage login -l
198 | 198 userdel anna
199 | 199 useradd anna
200 | 200 echo password | passwd --stdin anna
201 | 201 getsebool -a | grep -E 'user|sysadm|staff'
202 | 202 history -w
203 | 203 cd selinux/
204 | 204 sepolicy generate --init /usr/local/bin/mydaemon
205 | 205 ssh sander@192.168.52.180
206 | 206 history | grep audit2allow
207 | 207 ssh sander@192.168.52.180
208 | 208 history
209 | 209 semanage login -l
210 | 210 seinfo -u
211 | 211 seinfo -r
212 | 212 semanage user -l
213 | 213 useradd linda
214 | 214 echo password | passwd --stdin linda
215 | 215 useradd -Z sysadm_u -G wheel lisa
216 | 216 echo password | passwd --stdin lisa
217 | 217 semanage user -l
218 | 218 semanage login -l
219 | 219 semanage login -a -s user_u linda
220 | 220 semanage login -l
221 | 221 ssh linda@localhost
222 | 222 semanage login -l
223 | 223 semanage login -m -s sysadm_u root
224 | 224 semanage login -m -s user_u -r s0 __default__
225 | 225 semanage login -l
226 | 226 userdel anna
227 | 227 useradd anna
228 | 228 echo password | passwd --stdin anna
229 | 229 getsebool -a | grep -E 'user|sysadm|staff'
230 | 230 history -w
231 | 231 reboot
232 | 232 cd selinux/
233 | 233 ./countdown 12
234 | 234 setsebool -P xdm_sysadm_login on
235 | 235 setsebool -P ssh_sysadm_login on
236 | 236 semanage login -l
237 | 237 semanage login -m -s sysadm_u student
238 | 238 semanage login -a -s sysadm_u student
239 | 239 reboot
240 | 240 exit
241 | 241 mkdir container1
242 | 242 mkdir container2
243 | 243 podman run -d -v /root/container1:/container1:Z busybox
244 | 244 ls -Zd container1
245 | 245 ps Zaux | grep busybox
246 | 246 ps Zfaux | less
247 | 247 podman run -d -v /root/container1:/container1:Z busybox sleep infinity
248 | 248 ps Zfaux | less
249 | 249 podman ps
250 | 250 ps Zfaux | less
251 | 251 ls Z
252 | 252 ls -Z
253 | 253 podman run -d -v /root/container2:/container2:Z busybox sleep infinity
254 | 254 ls -Zd con*
255 | 255 history
256 | 256 history > /tmp/14-aug-24.txt
257 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # selinux
2 |
--------------------------------------------------------------------------------
/SELinux_live_july23.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sandervanvugt/selinux/77afaac2169d81d574eafaa106a7780750e1b1ef/SELinux_live_july23.pdf
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
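[defaults]
# Inventory file, resolved relative to this ansible.cfg.
inventory = inventory
# Account used for the SSH connection to the managed hosts.
remote_user = student
# Turns off SSH host-key verification for managed hosts. Acceptable for a
# throwaway lab; anywhere else it removes the check that detects a spoofed
# host, so keep the default (true) and pre-seed known_hosts instead.
host_key_checking = false
# Ansible's ini key is the plural "deprecation_warnings"; the singular
# spelling used before is not a recognised option and was silently ignored.
deprecation_warnings = false

[privilege_escalation]
# Escalate to root with sudo on every task. become_ask_pass=False assumes
# remote_user has passwordless sudo on the managed hosts.
become = True
become_method = sudo
become_user = root
become_ask_pass = False
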
--------------------------------------------------------------------------------
/countdown:
--------------------------------------------------------------------------------
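#!/bin/bash
#
# countdown MINUTES
#
# Prints "N seconds remaining in break" once per second, counting down from
# MINUTES*60 to zero, then exits 0. Exits 1 with a usage message when the
# argument is missing or not a whole number.

MINUTES=$1

# Validate before doing arithmetic: the original multiplied whatever was
# passed, so an empty or non-numeric argument silently became 0 and the
# loop then counted into negative numbers forever.
if [[ ! $MINUTES =~ ^[0-9]+$ ]]; then
    echo "usage: $0 MINUTES" >&2
    exit 1
fi

COUNTER=$(( MINUTES * 60 ))

# Stop when the counter reaches zero instead of looping indefinitely.
while (( COUNTER > 0 ))
do
    echo "$COUNTER seconds remaining in break"
    COUNTER=$(( COUNTER - 1 ))
    sleep 1
done
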
12 |
--------------------------------------------------------------------------------
/httpd.conf:
--------------------------------------------------------------------------------
1 | #
2 | # This is the main Apache HTTP server configuration file. It contains the
3 | # configuration directives that give the server its instructions.
4 | # See the online Apache HTTP Server documentation for detailed information.
5 | # In particular, see the directive reference in that documentation
6 | #
7 | # for a discussion of each configuration directive.
8 | #
9 | # See the httpd.conf(5) man page for more information on this configuration,
10 | # and httpd.service(8) on using and configuring the httpd service.
11 | #
12 | # Do NOT simply read the instructions in here without understanding
13 | # what they do. They're here only as hints or reminders. If you are unsure
14 | # consult the online docs. You have been warned.
15 | #
16 | # Configuration and logfile names: If the filenames you specify for many
17 | # of the server's control files begin with "/" (or "drive:/" for Win32), the
18 | # server will use that explicit path. If the filenames do *not* begin
19 | # with "/", the value of ServerRoot is prepended -- so 'log/access_log'
20 | # with ServerRoot set to '/www' will be interpreted by the
21 | # server as '/www/log/access_log', where as '/log/access_log' will be
22 | # interpreted as '/log/access_log'.
23 |
24 | #
25 | # ServerRoot: The top of the directory tree under which the server's
26 | # configuration, error, and log files are kept.
27 | #
28 | # Do not add a slash at the end of the directory path. If you point
29 | # ServerRoot at a non-local disk, be sure to specify a local disk on the
30 | # Mutex directive, if file-based mutexes are used. If you wish to share the
31 | # same ServerRoot for multiple httpd daemons, you will need to change at
32 | # least PidFile.
33 | #
34 | ServerRoot "/etc/httpd"
35 |
36 | #
37 | # Listen: Allows you to bind Apache to specific IP addresses and/or
38 | # ports, instead of the default. See also the VirtualHost
39 | # directive.
40 | #
41 | # Change this to Listen on a specific IP address, but note that if
42 | # httpd.service is enabled to run at boot time, the address may not be
43 | # available when the service starts. See the httpd.service(8) man
44 | # page for more information.
45 | #
46 | #Listen 12.34.56.78:80
47 | Listen 80
48 |
49 | #
50 | # Dynamic Shared Object (DSO) Support
51 | #
52 | # To be able to use the functionality of a module which was built as a DSO you
53 | # have to place corresponding `LoadModule' lines at this location so the
54 | # directives contained in it are actually available _before_ they are used.
55 | # Statically compiled modules (those listed by `httpd -l') do not need
56 | # to be loaded here.
57 | #
58 | # Example:
59 | # LoadModule foo_module modules/mod_foo.so
60 | #
61 | Include conf.modules.d/*.conf
62 |
63 | #
64 | # If you wish httpd to run as a different user or group, you must run
65 | # httpd as root initially and it will switch.
66 | #
67 | # User/Group: The name (or #number) of the user/group to run httpd as.
68 | # It is usually good practice to create a dedicated user and group for
69 | # running httpd, as with most system services.
70 | #
71 | User apache
72 | Group apache
73 |
74 | # 'Main' server configuration
75 | #
76 | # The directives in this section set up the values used by the 'main'
77 | # server, which responds to any requests that aren't handled by a
78 | # VirtualHost definition. These values also provide defaults for
79 | # any VirtualHost containers you may define later in the file.
80 | #
81 | # All of these directives may appear inside VirtualHost containers,
82 | # in which case these default settings will be overridden for the
83 | # virtual host being defined.
84 | #
85 |
86 | #
87 | # ServerAdmin: Your address, where problems with the server should be
88 | # e-mailed. This address appears on some server-generated pages, such
89 | # as error documents. e.g. admin@your-domain.com
90 | #
91 | ServerAdmin root@localhost
92 |
93 | #
94 | # ServerName gives the name and port that the server uses to identify itself.
95 | # This can often be determined automatically, but we recommend you specify
96 | # it explicitly to prevent problems during startup.
97 | #
98 | # If your host doesn't have a registered DNS name, enter its IP address here.
99 | #
100 | #ServerName www.example.com:80
101 |
102 | #
103 | # Deny access to the entirety of your server's filesystem. You must
104 | # explicitly permit access to web content directories in other
105 | # blocks below.
106 | #
107 | <Directory />
108 | AllowOverride none
109 | Require all denied
110 | </Directory>
111 |
112 | #
113 | # Note that from this point forward you must specifically allow
114 | # particular features to be enabled - so if something's not working as
115 | # you might expect, make sure that you have specifically enabled it
116 | # below.
117 | #
118 |
119 | #
120 | # DocumentRoot: The directory out of which you will serve your
121 | # documents. By default, all requests are taken from this directory, but
122 | # symbolic links and aliases may be used to point to other locations.
123 | #
124 | DocumentRoot "/web"
125 |
126 | #
127 | # Relax access to content within /var/www.
128 | #
129 | <Directory "/var/www">
130 | AllowOverride None
131 | # Allow open access:
132 | Require all granted
133 | </Directory>
134 |
135 | # Further relax access to the default document root:
136 |
137 | #
138 | # Possible values for the Options directive are "None", "All",
139 | # or any combination of:
140 | # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
141 | #
142 | # Note that "MultiViews" must be named *explicitly* --- "Options All"
143 | # doesn't give it to you.
144 | #
145 | # The Options directive is both complicated and important. Please see
146 | # http://httpd.apache.org/docs/2.4/mod/core.html#options
147 | # for more information.
148 | #
149 | Options Indexes FollowSymLinks
150 |
151 | #
152 | # AllowOverride controls what directives may be placed in .htaccess files.
153 | # It can be "All", "None", or any combination of the keywords:
154 | # Options FileInfo AuthConfig Limit
155 | #
156 | AllowOverride None
157 |
158 | #
159 | # Controls who can get stuff from this server.
160 | #
161 | Require all granted
162 |
163 |
164 | #
165 | # DirectoryIndex: sets the file that Apache will serve if a directory
166 | # is requested.
167 | #
168 |
169 | DirectoryIndex index.html
170 |
171 |
172 | #
173 | # The following lines prevent .htaccess and .htpasswd files from being
174 | # viewed by Web clients.
175 | #
176 | <Files ".ht*">
177 | Require all denied
178 | </Files>
179 |
180 | #
181 | # ErrorLog: The location of the error log file.
182 | # If you do not specify an ErrorLog directive within a VirtualHost
183 | # container, error messages relating to that virtual host will be
184 | # logged here. If you *do* define an error logfile for a VirtualHost
185 | # container, that host's errors will be logged there and not here.
186 | #
187 | ErrorLog "logs/error_log"
188 |
189 | #
190 | # LogLevel: Control the number of messages logged to the error_log.
191 | # Possible values include: debug, info, notice, warn, error, crit,
192 | # alert, emerg.
193 | #
194 | LogLevel warn
195 |
196 |
197 | #
198 | # The following directives define some format nicknames for use with
199 | # a CustomLog directive (see below).
200 | #
201 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
202 | LogFormat "%h %l %u %t \"%r\" %>s %b" common
203 |
204 |
205 | # You need to enable mod_logio.c to use %I and %O
206 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
207 |
208 |
209 | #
210 | # The location and format of the access logfile (Common Logfile Format).
211 | # If you do not define any access logfiles within a VirtualHost
212 | # container, they will be logged here. Contrariwise, if you *do*
213 | # define per-VirtualHost access logfiles, transactions will be
214 | # logged therein and *not* in this file.
215 | #
216 | #CustomLog "logs/access_log" common
217 |
218 | #
219 | # If you prefer a logfile with access, agent, and referer information
220 | # (Combined Logfile Format) you can use the following directive.
221 | #
222 | CustomLog "logs/access_log" combined
223 |
224 |
225 |
226 | #
227 | # Redirect: Allows you to tell clients about documents that used to
228 | # exist in your server's namespace, but do not anymore. The client
229 | # will make a new request for the document at its new location.
230 | # Example:
231 | # Redirect permanent /foo http://www.example.com/bar
232 |
233 | #
234 | # Alias: Maps web paths into filesystem paths and is used to
235 | # access content that does not live under the DocumentRoot.
236 | # Example:
237 | # Alias /webpath /full/filesystem/path
238 | #
239 | # If you include a trailing / on /webpath then the server will
240 | # require it to be present in the URL. You will also likely
241 | # need to provide a Directory section to allow access to
242 | # the filesystem path.
243 |
244 | #
245 | # ScriptAlias: This controls which directories contain server scripts.
246 | # ScriptAliases are essentially the same as Aliases, except that
247 | # documents in the target directory are treated as applications and
248 | # run by the server when requested rather than as documents sent to the
249 | # client. The same rules about trailing "/" apply to ScriptAlias
250 | # directives as to Alias.
251 | #
252 | ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
253 |
254 |
255 |
256 | #
257 | # "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
258 | # CGI directory exists, if you have that configured.
259 | #
260 | <Directory "/var/www/cgi-bin">
261 | AllowOverride None
262 | Options None
263 | Require all granted
264 | </Directory>
265 |
266 |
267 | #
268 | # TypesConfig points to the file containing the list of mappings from
269 | # filename extension to MIME-type.
270 | #
271 | TypesConfig /etc/mime.types
272 |
273 | #
274 | # AddType allows you to add to or override the MIME configuration
275 | # file specified in TypesConfig for specific file types.
276 | #
277 | #AddType application/x-gzip .tgz
278 | #
279 | # AddEncoding allows you to have certain browsers uncompress
280 | # information on the fly. Note: Not all browsers support this.
281 | #
282 | #AddEncoding x-compress .Z
283 | #AddEncoding x-gzip .gz .tgz
284 | #
285 | # If the AddEncoding directives above are commented-out, then you
286 | # probably should define those extensions to indicate media types:
287 | #
288 | AddType application/x-compress .Z
289 | AddType application/x-gzip .gz .tgz
290 |
291 | #
292 | # AddHandler allows you to map certain file extensions to "handlers":
293 | # actions unrelated to filetype. These can be either built into the server
294 | # or added with the Action directive (see below)
295 | #
296 | # To use CGI scripts outside of ScriptAliased directories:
297 | # (You will also need to add "ExecCGI" to the "Options" directive.)
298 | #
299 | #AddHandler cgi-script .cgi
300 |
301 | # For type maps (negotiated resources):
302 | #AddHandler type-map var
303 |
304 | #
305 | # Filters allow you to process content before it is sent to the client.
306 | #
307 | # To parse .shtml files for server-side includes (SSI):
308 | # (You will also need to add "Includes" to the "Options" directive.)
309 | #
310 | AddType text/html .shtml
311 | AddOutputFilter INCLUDES .shtml
312 |
313 |
314 | #
315 | # Specify a default charset for all content served; this enables
316 | # interpretation of all content as UTF-8 by default. To use the
317 | # default browser choice (ISO-8859-1), or to allow the META tags
318 | # in HTML content to override this choice, comment out this
319 | # directive:
320 | #
321 | AddDefaultCharset UTF-8
322 |
323 |
324 | #
325 | # The mod_mime_magic module allows the server to use various hints from the
326 | # contents of the file itself to determine its type. The MIMEMagicFile
327 | # directive tells the module where the hint definitions are located.
328 | #
329 | MIMEMagicFile conf/magic
330 |
331 |
332 | #
333 | # Customizable error responses come in three flavors:
334 | # 1) plain text 2) local redirects 3) external redirects
335 | #
336 | # Some examples:
337 | #ErrorDocument 500 "The server made a boo boo."
338 | #ErrorDocument 404 /missing.html
339 | #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
340 | #ErrorDocument 402 http://www.example.com/subscription_info.html
341 | #
342 |
343 | #
344 | # EnableMMAP and EnableSendfile: On systems that support it,
345 | # memory-mapping or the sendfile syscall may be used to deliver
346 | # files. This usually improves server performance, but must
347 | # be turned off when serving from networked-mounted
348 | # filesystems or if support for these functions is otherwise
349 | # broken on your system.
350 | # Defaults if commented: EnableMMAP On, EnableSendfile Off
351 | #
352 | #EnableMMAP off
353 | EnableSendfile on
354 |
355 | # Supplemental configuration
356 | #
357 | # Load config files in the "/etc/httpd/conf.d" directory, if any.
358 | IncludeOptional conf.d/*.conf
359 |
--------------------------------------------------------------------------------
/my-VGAuthService.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sandervanvugt/selinux/77afaac2169d81d574eafaa106a7780750e1b1ef/my-VGAuthService.pp
--------------------------------------------------------------------------------
/my-VGAuthService.te:
--------------------------------------------------------------------------------

# Policy module generated from audit2allow output. The "#!!!!" markers below
# are what audit2allow prints for AVCs the loaded policy already permits.
# NOTE(review): the subject of every rule is init_t, not a VGAuthService
# specific domain, which suggests the service binary has no domain
# transition and runs in init's domain. Confirm the binary's file context
# before loading this module; widening init_t is the broader fix.
module my-VGAuthService 1.0;

require {
type vmware_log_t;
type init_t;
class file { append open setattr };
class vsock_socket { bind connect create };
}

#============= init_t ==============
# Creation of vsock sockets by init_t.
allow init_t self:vsock_socket create;

#!!!! This avc is allowed in the current policy
# Already granted by the loaded policy at generation time; kept as generated.
allow init_t self:vsock_socket { bind connect };

#!!!! This avc is allowed in the current policy
allow init_t vmware_log_t:file append;
# open and setattr on vmware_log_t files: setattr permits changing the
# files' attributes, which is more than the append the log needs.
allow init_t vmware_log_t:file { open setattr };

20 |
--------------------------------------------------------------------------------
/my-kdumpctl.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sandervanvugt/selinux/77afaac2169d81d574eafaa106a7780750e1b1ef/my-kdumpctl.pp
--------------------------------------------------------------------------------
/my-kdumpctl.te:
--------------------------------------------------------------------------------

# Policy module generated by audit2allow from kdumpctl denials.
# NOTE(review): var_log_t is the generic label for /var/log, so these rules
# let kdumpctl_t create files in any directory carrying that type, not only
# its own log location; check whether a kdump-specific log type exists in the
# base policy before loading this as-is.
module my-kdumpctl 1.0;

require {
type kdumpctl_t;
type var_log_t;
class dir { add_name write };
class file create;
}

#============= kdumpctl_t ==============
# dir write + add_name: add a new entry to a var_log_t directory.
allow kdumpctl_t var_log_t:dir { add_name write };
# file create: create the new file itself.
allow kdumpctl_t var_log_t:file create;

14 |
--------------------------------------------------------------------------------
/my-legedpy.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sandervanvugt/selinux/77afaac2169d81d574eafaa106a7780750e1b1ef/my-legedpy.pp
--------------------------------------------------------------------------------
/my-legedpy.te:
--------------------------------------------------------------------------------

# Policy module generated by audit2allow; the module name does not identify
# the program that triggered the denial.
# NOTE(review): execute_no_trans lets init_t run a usr_t file while staying
# in init_t instead of transitioning to a confined domain, and usr_t covers a
# large part of /usr. A denial like this usually means the executable is not
# labeled with a type that has a domain transition; relabeling it is the
# narrower remedy — confirm before loading this module.
module my-legedpy 1.0;

require {
type usr_t;
type init_t;
class file execute_no_trans;
}

#============= init_t ==============
allow init_t usr_t:file execute_no_trans;

12 |
--------------------------------------------------------------------------------
/my-systemdudevd.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sandervanvugt/selinux/77afaac2169d81d574eafaa106a7780750e1b1ef/my-systemdudevd.pp
--------------------------------------------------------------------------------
/my-systemdudevd.te:
--------------------------------------------------------------------------------

# Policy module generated by audit2allow from udev denials.
# NOTE(review): system:module_load is the permission to load a kernel module.
# Granting it to udev_t is a significant capability; confirm the denial came
# from a legitimate hardware event before keeping this rule.
module my-systemdudevd 1.0;

require {
type systemd_hwdb_etc_t;
type udev_t;
class system module_load;
class file getattr;
}

#============= udev_t ==============
# Kernel module loading by udev.
allow udev_t self:system module_load;
# Read attributes of files labeled systemd_hwdb_etc_t.
allow udev_t systemd_hwdb_etc_t:file getattr;

14 |
--------------------------------------------------------------------------------
/my-vmtoolsd.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sandervanvugt/selinux/77afaac2169d81d574eafaa106a7780750e1b1ef/my-vmtoolsd.pp
--------------------------------------------------------------------------------
/my-vmtoolsd.te:
--------------------------------------------------------------------------------

# Policy module generated by audit2allow from vmtoolsd denials.
# NOTE(review): as in my-VGAuthService.te, the subject is init_t rather than
# a vmtools-specific domain, which points at a missing domain transition for
# the daemon binary; confirm its file context before widening init_t.
module my-vmtoolsd 1.0;

require {
type vmware_log_t;
type vsock_device_t;
type init_t;
class vsock_socket { bind connect getattr getopt };
class chr_file { ioctl open read };
class file append;
}

#============= init_t ==============
# vsock socket use: bind/connect plus reading socket attributes and options.
allow init_t self:vsock_socket { bind connect getattr getopt };
# Append-only access to vmware_log_t files.
allow init_t vmware_log_t:file append;
# open/read/ioctl on the vsock character device.
allow init_t vsock_device_t:chr_file { ioctl open read };

17 |
--------------------------------------------------------------------------------
/myapp:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Append the current date to /tmp/myappfile.txt once a minute, forever.
# Started by myapp.service, which sets no User=, so the file is created and
# written by root. A predictable path in a world-writable directory is not a
# safe pattern for a root service outside a lab; prefer a directory the
# service owns under /var.

LOGFILE=/tmp/myappfile.txt

# `while sleep 60` sleeps first, so the first line appears after one minute.
while sleep 60; do
    stamp=$(date)
    # Left unquoted deliberately: same word splitting as the original echo.
    echo $stamp >> "$LOGFILE"
done

7 |
--------------------------------------------------------------------------------
/myapp.service:
--------------------------------------------------------------------------------
[Unit]
Description=lab 9 service

[Service]
Type=simple
# No User= is set, so the myapp script runs as root and the file it appends
# to, /tmp/myappfile.txt (see the myapp script), is created root-owned.
ExecStart=/usr/local/bin/myapp

[Install]
WantedBy=multi-user.target

10 |
--------------------------------------------------------------------------------
/mydaemon.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <unistd.h>
3 |
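/* Handle for the file the loop keeps reopening. Kept global to preserve the
 * original layout; nothing else references it. */
FILE *f;

/*
 * Lab daemon used to provoke SELinux AVC events: every five seconds it opens
 * /var/log/messages for writing, holds it open, and closes it again.
 *
 * Mode "w" truncates the file on every successful open, so while this runs
 * the system log is emptied every five seconds. Worth knowing before
 * starting mydaemon.service on anything but a throwaway machine.
 *
 * Runs until killed; never returns normally.
 */
int main(void)
{
	while (1) {
		f = fopen("/var/log/messages", "w");
		if (f == NULL) {
			/* The open fails e.g. when SELinux denies the daemon's domain
			 * write access to the log. The original passed the NULL
			 * straight to fclose(), which is undefined behaviour and
			 * typically crashes the daemon. */
			perror("mydaemon: fopen /var/log/messages");
			sleep(5);
			continue;
		}
		sleep(5);
		fclose(f);
		f = NULL;
	}
}
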
14 |
--------------------------------------------------------------------------------
/mydaemon.service:
--------------------------------------------------------------------------------
[Unit]
Description=Simple testing daemon

[Service]
Type=simple
# No User= is set, so mydaemon runs as root. The program (see mydaemon.c)
# reopens /var/log/messages for writing every five seconds, which truncates
# the system log for as long as the unit is active.
ExecStart=/usr/local/bin/mydaemon

[Install]
WantedBy=multi-user.target

10 |
--------------------------------------------------------------------------------
/myfile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sandervanvugt/selinux/77afaac2169d81d574eafaa106a7780750e1b1ef/myfile
--------------------------------------------------------------------------------
/rot13.service:
--------------------------------------------------------------------------------
[Unit]
Description=ROT13 demo service
# Disables the start rate limit; together with Restart=always/RestartSec=1
# below, a crashing server.php is restarted every second indefinitely.
# Intended for the demo — watch the journal for the restart loop.
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
# No User= is set, so php runs as root, and the script lives in /tmp: a
# world-writable directory that is typically cleared on reboot. Outside the
# demo, install server.php in a root-owned location and add a User=.
ExecStart=/usr/bin/env php /tmp/server.php

[Install]
WantedBy=multi-user.target

13 |
--------------------------------------------------------------------------------
/server.php:
--------------------------------------------------------------------------------
1 | > mydaemon.te
20 | 70 ./mydaemon.sh
21 | 71 ps -efZ | grep mydaemon
22 | 72 ausearch -m AVC -ts recent
23 | 73 date -d '@1663923961'
24 |
25 |
--------------------------------------------------------------------------------