@lcerezo
Last active February 26, 2018 16:20
all_about_contexts_1

Objective:

  • What is the file context of the /home/vagrant/.bash_profile file?
  • What is the file context of the /etc/passwd file?
  • How are these file contexts stored specifically?
[vagrant@selinuxgame ~]$ ls -Z .bash_profile 
unconfined_u:object_r:user_home_t:s0 .bash_profile
[vagrant@selinuxgame ~]$ ls -Z .bash_profile /etc/passwd
unconfined_u:object_r:user_home_t:s0 .bash_profile
system_u:object_r:passwd_file_t:s0 /etc/passwd

SELinux contexts are stored in extended attributes (xattrs) under the security.selinux key.

[lucho@luis-fvm ~]$ getfattr -n security.selinux .bash_profile 
# file: .bash_profile
security.selinux="unconfined_u:object_r:user_home_t:s0"

[lucho@luis-fvm ~]$ 

all_about_contexts_2

Objective:

  • What SELinux process context does systemd-journald run as?
[vagrant@selinuxgame ~]$ ps -eZ|grep journal
system_u:system_r:syslogd_t:s0    328 ?        00:00:00 systemd-journal
[vagrant@selinuxgame ~]$ 
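The labels shown by ls -Z, getfattr and ps -eZ above all share the user:role:type:level form. As an added example (not part of the gist), the functions below split such a context into its fields, compare a file's type field with an expected one, and audit a list of paths; ctx_field and check_type work on plain strings, so they run on a host without SELinux, while file_context assumes GNU stat's %C format specifier.

```shell
# ctx_field CONTEXT FIELD -> print user|role|type|level from "user:role:type:level".
# The level may itself contain colons (e.g. "s0-s0:c0.c1023"), so split from the left.
ctx_field() {
    ctx=$1
    case $ctx in
        *:*:*:*) ;;
        *) echo "ctx_field: not a context: $ctx" >&2; return 2 ;;
    esac
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    case $2 in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *)     echo "ctx_field: unknown field '$2'" >&2; return 2 ;;
    esac
}

# check_type CONTEXT EXPECTED_TYPE -> return 0 if the type field matches, 1 otherwise.
check_type() {
    actual=$(ctx_field "$1" type) || return 2
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "type mismatch: expected $2, got $actual" >&2
    return 1
}

# file_context PATH -> the file's context, read from the security.selinux xattr
# (GNU stat prints it with %C; same value as the getfattr call in the notes).
file_context() {
    stat -c %C -- "$1"
}

# audit_labels PATH=EXPECTED_TYPE ... -> report every mismatch, return 1 if any.
# Example: audit_labels /etc/passwd=passwd_file_t /var/www/html=httpd_sys_content_t
audit_labels() {
    rc=0
    for spec in "$@"; do
        path=${spec%=*}; want=${spec##*=}
        check_type "$(file_context "$path")" "$want" || { echo "  -> $path" >&2; rc=1; }
    done
    return $rc
}
```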

all_my_modules

Objective:

  • List all the SELinux modules installed on a system.

  • Determine if the 'modsys' module is installed. (does not appear to be)

[vagrant@selinuxgame ~]$ sudo semodule -l
abrt
accountsd
acct
afs
aiccu
aide
ajaxterm
alsa
amanda
amtu
anaconda
antivirus
apache
apcupsd
apm
application
arpwatch
asterisk
auditadm
authconfig
authlogin
automount
avahi
awstats
bacula
base
bcfg2
bind
bitlbee
blkmapd
blueman
bluetooth
boinc
bootloader
brctl
brltty
bugzilla
bumblebee
cachefilesd
calamaris
callweaver
canna
ccs
cdrecord
certmaster
certmonger
certwatch
cfengine
cgroup
chrome
chronyd
cinder
cipe
clock
clogd
cloudform
cmirrord
cobbler
cockpit
collectd
colord
comsat
condor
conman
consolekit
couchdb
courier
cpucontrol
cpufreqselector
cpuplug
cron
ctdb
cups
cvs
cyphesis
cyrus
daemontools
dbadm
dbskk
dbus
dcc
ddclient
denyhosts
devicekit
dhcp
dictd
dirsrv
dirsrv-admin
dmesg
dmidecode
dnsmasq
dnssec
dovecot
drbd
dspam
ejabberd
entropyd
exim
fail2ban
fcoe
fetchmail
finger
firewalld
firewallgui
firstboot
fprintd
freeipmi
freqset
fstools
ftp
fwupd
games
ganesha
gdomap
geoclue
getty
git
gitosis
glance
glusterd
gnome
gpg
gpm
gpsd
gssproxy
guest
hddtemp
hostapd
hostname
hsqldb
hwloc
hypervkvp
icecast
inetd
init
inn
iodine
iotop
ipa
ipmievd
ipsec
iptables
irc
irqbalance
iscsi
isns
jabber
jetty
jockey
journalctl
kdbus
kdump
kdumpgui
keepalived
kerberos
keyboardd
keystone
kismet
kmscon
ksmtuned
ktalk
l2tp
ldap
libraries
likewise
linuxptp
lircd
livecd
lldpad
loadkeys
locallogin
lockdev
logadm
logging
logrotate
logwatch
lpd
lsm
lttng-tools
lvm
mailman
mailscanner
man2html
mandb
mcelog
mediawiki
memcached
milter
minidlna
minissdpd
mip6d
mirrormanager
miscfiles
mock
modemmanager
modutils
mojomojo
mon_statd
mongodb
motion
mount
mozilla
mpd
mplayer
mrtg
mta
munin
mysql
mythtv
naemon
nagios
namespace
ncftool
netlabel
netutils
networkmanager
ninfod
nis
nova
nscd
nsd
nslcd
ntop
ntp
numad
nut
nx
obex
oddjob
openct
opendnssec
openfortivpn
openhpid
openshift
openshift-origin
opensm
openvpn
openvswitch
openwsman
oracleasm
osad
pads
passenger
pcmcia
pcp
pcscd
pdns
pegasus
permissivedomains
pesign
pingd
piranha
pkcs
pkcs11proxyd
pki
plymouthd
podsleuth
policykit
polipo
portmap
portreserve
postfix
postgresql
postgrey
ppp
prelink
prelude
privoxy
procmail
prosody
psad
ptchown
publicfile
pulseaudio
puppet
pwauth
qmail
qpid
quantum
quota
rabbitmq
radius
radvd
raid
rasdaemon
rdisc
readahead
realmd
redis
remotelogin
rhcs
rhev
rhgb
rhnsd
rhsmcertd
ricci
rkhunter
rkt
rlogin
rngd
rolekit
roundup
rpc
rpcbind
rpm
rshd
rssh
rsync
rtas
rtkit
rwho
samba
sambagui
sandboxX
sanlock
sasl
sbd
sblim
screen
secadm
sectoolm
selinuxutil
sendmail
sensord
setrans
setroubleshoot
seunshare
sge
shorewall
slocate
slpd
smartmon
smokeping
smoltclient
smsd
snapper
snmp
snort
sosreport
soundserver
spamassassin
speech-dispatcher
squid
ssh
sslh
sssd
staff
stapserver
stunnel
su
sudo
svnserve
swift
sysadm
sysadm_secadm
sysnetwork
sysstat
systemd
targetd
tcpd
tcsd
telepathy
telnet
tftp
tgtd
thin
thumb
tlp
tmpreaper
tomcat
tor
tuned
tvtime
udev
ulogd
uml
unconfined
unconfineduser
unlabelednet
unprivuser
updfstab
usbmodules
usbmuxd
userdomain
userhelper
usermanage
usernetctl
uucp
uuidd
varnishd
vdagent
vhostmd
virt
vlock
vmtools
vmware
vnstatd
vpn
w3c
watchdog
wdmd
webadm
webalizer
wine
wireshark
xen
xguest
xserver
zabbix
zarafa
zebra
zoneminder
zosremote
[vagrant@selinuxgame ~]$ sudo semodule -l| grep modsys
[vagrant@selinuxgame ~]$

status check

Objective:

  • Is SELinux Enforcing on this system?
  • Is SELinux running in targeted mode?
[vagrant@selinuxgame ~]$ getenforce 
Permissive
[vagrant@selinuxgame ~]$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
[vagrant@selinuxgame ~]$

new_ways

Objectives:

  • Enable SELinux
  • Ensure the file system has the right SELinux labels

This VM has SELinux disabled entirely. Update /etc/selinux/config to SELINUX=enforcing and reboot. The reboot is required, and will take care of the relabel. Touching /.autorelabel would also take care of the labeling.
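The config edit and relabel marker described above, as an added example that is not from the gist: the mode is validated against the three values the config accepts, and the config path and filesystem root are parameters so the functions can be exercised against a temporary copy (real use is set_selinux_mode enforcing; request_relabel; reboot; a stock /etc/selinux/config layout is assumed).

```shell
# set_selinux_mode MODE [CONFIG] -> rewrite the SELINUX= line in CONFIG
# (default /etc/selinux/config), rejecting anything but the three valid modes.
# SELINUXTYPE= is a different key and is left untouched.
set_selinux_mode() {
    mode=$1; cfg=${2:-/etc/selinux/config}
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: invalid mode '$mode'" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "set_selinux_mode: missing $cfg" >&2; return 1; }
    if grep -q '^SELINUX=' "$cfg"; then
        # rewrite via a temp file so a failed sed never truncates the config
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# configured_mode [CONFIG] -> print the SELINUX= value currently in the file
# (this is "Mode from config file" in sestatus, not the running mode).
configured_mode() {
    sed -n 's/^SELINUX=//p' "${1:-/etc/selinux/config}"
}

# request_relabel [ROOT] -> create ROOT/.autorelabel (ROOT defaults to /) so the
# whole filesystem is relabeled on the next boot.
request_relabel() {
    root=${1:-/}
    : > "${root%/}/.autorelabel"
}
```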

static

Objective:

  • Run the curl reproducer with SELinux Enforcing and have it serve the test page data.
[root@selinuxgame static_site]# chcon -R -t httpd_sys_content_t .
[root@selinuxgame static_site]# exit
logout
[vagrant@selinuxgame www]$ curl http://localhost/index.html
<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
   <HEAD>
      <TITLE>
         A Small Hello
      </TITLE>
   </HEAD>
<BODY>
   <H1>Hi</H1>
   <P>This is very minimal "hello world" HTML document.</P>
</BODY>
</HTML>[vagrant@selinuxgame www]$ 

broken_antivirus

Objectives:

  • With SELinux enforcing, run the following command and have it complete without errors.

    clamdscan /mnt/email_attachments/*

[root@selinuxgame ~]# getsebool -a|grep viru
antivirus_can_scan_system --> off
antivirus_use_jit --> off
[root@selinuxgame ~]# getsebool -a|grep viru
antivirus_can_scan_system --> on
antivirus_use_jit --> off
[root@selinuxgame ~]# systemctl status clamd@scan.service 
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; disabled; vendor preset:
   Active: inactive (dead)
[root@selinuxgame ~]# systemctl start clamd@scan.service 
[root@selinuxgame ~]# exit
[vagrant@selinuxgame ~]$ clamdscan /mnt/email_attachments/*
/mnt/email_attachments/89SR1AG_1.exe: OK
/mnt/email_attachments/Q1f41KD_1.exe: OK
/mnt/email_attachments/S981AS4_1.zip: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)
[vagrant@selinuxgame ~]$ getenforce 
Enforcing
[vagrant@selinuxgame ~]$

stayin' alive

Objective:

  • Determine how to start keepalived with SELinux enabled and without scary AVC denials.

This one was a bit more involved.

I had to install audit2allow (dnf install policycoreutils-python-utils); then, using audit2allow, I could see what was missing, in policy form:

module local 1.0;

require {
	type keepalived_t;
	type usermodehelper_t;
	class file read;
}

#============= keepalived_t ==============
allow keepalived_t usermodehelper_t:file read;

From here I added the module using semodule (semodule -i local.pp) and restarted the keepalived service.
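To show what audit2allow did with the denial above, here is an added example (not from the gist) that reimplements in awk the part of audit2allow that turns AVC records into allow rules. It runs on a constructed audit line that reproduces the keepalived_t read of a usermodehelper_t file; on a real host you would feed it ausearch -m avc output or /var/log/audit/audit.log. The require block that audit2allow emits is omitted, and SAMPLE_AVC's pid, inode and name fields are made up.

```shell
# Constructed sample record; the field layout follows what the kernel emits.
SAMPLE_AVC='type=AVC msg=audit(1519661000.123:456): avc:  denied  { read } for  pid=1234 comm="keepalived" name="modprobe" dev="proc" ino=4026532 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC records on stdin and print one allow rule per
# (source type, target type, class), merging the permissions of repeated denials.
avc_to_allow() {
    awk '
    /avc:[[:space:]]*denied/ {
        # the permission list is whatever sits between "{" and "}"
        perms = $0
        sub(/.*denied[[:space:]]*[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context
            if ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); src = f[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); tgt = f[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed record, skip it
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " rules[key] " ", " " p[j] " ") == 0)
                rules[key] = (rules[key] == "" ? p[j] : rules[key] " " p[j])
    }
    END { for (k in rules) printf "allow %s { %s };\n", k, rules[k] }
    '
}
```

Compare each generated rule with the denial that produced it before loading anything: a denial caused by a mislabeled file is fixed with restorecon, not with a new allow rule.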
