How can I determine which rpm installs the module which defines an SELinux type? - package

My package needs to set up some SELinux rules to allow my program access to certain things. Although I know which types I need to use in setting up the rules, I'm not sure which packages install those types. I would like to make sure that my package has dependencies on the SELinux types I reference. Is there a way I can find out which package was responsible for installing a given SELinux type?
In this specific case I'm looking for unconfined_service_t, but a general solution would be great because I'm sure I'll hit this again.

SELinux modules are in /usr/share/selinux/targeted/ directory.
You must guess (more about this later) which file it may be.
# cp /etc/selinux/targeted/modules/active/modules/cdrecord.pp /tmp
# file cdrecord.pp
cdrecord.pp: bzip2 compressed data, block size = 900k
# bunzip2 cdrecord.pp
bunzip2: Can't guess original name for cdrecord.pp -- using cdrecord.pp.out
# dnf install checkpolicy
...
# sedismod cdrecord.pp.out
Reading policy...
libsepol.policydb_index_others: security: 0 users, 3 roles, 42 types, 3 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security: 51 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security: 0 users, 3 roles, 42 types, 3 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security: 51 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: cdrecord
Module version: 2.6.0
Select a command:
1) display unconditional AVTAB
2) display conditional AVTAB
3) display users
4) display bools
5) display roles
6) display types, attributes, and aliases
7) display role transitions
8) display role allows
9) Display policycon
0) Display initial SIDs
a) Display avrule requirements
b) Display avrule declarations
c) Display policy capabilities
l) Link in a module
u) Display the unknown handling setting
F) Display filename_trans rules
f) set output file
m) display menu
q) quit
Command ('m' for menu): 6
...
staff_cdrecord_t [1]: alias for type cdrecord_t flags:0
...
Let's say that staff_cdrecord_t was the one which interested us. Hurray!
Now just query which package provides it:
# rpm -qf /etc/selinux/targeted/modules/active/modules/cdrecord.pp
selinux-policy-targeted-3.13.1-105.20.fc21.noarch
So the only question is what file from /etc/selinux/targeted/modules/active/modules/ you query. Well, you either have to go one by one (unless somebody knows some way, which is scriptable) or you have to use common sense. When I look for staff_cdrecord_t, I would start with cdrecord.pp.
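The "go one by one" loop above is easy to script. The following is an added example, not part of the answer or of any SELinux tool: it walks the module store, decompresses each module, lists the names it declares (using sedismod menu item 6, assuming sedismod accepts its menu commands on stdin) and runs rpm -qf on every module that declares the wanted type. It also goes beyond the answer by understanding the newer policy store (SELinux userspace 2.4 and later), where each module lives as bzip2-compressed CIL under /var/lib/selinux/targeted/active/modules/<priority>/<module>/cil and a type declaration is simply the text (type name). Store paths and the output format are assumptions based on the answer's transcript.

```python
#!/usr/bin/env python3
"""Find the policy module that declares an SELinux type, then ask rpm which package owns it.
Added helper, not part of the original answer."""
import bz2
import glob
import os
import re
import subprocess
import tempfile

# Binary-module store as used in the answer above (.pp files).
PP_STORE = "/etc/selinux/targeted/modules/active/modules"
# Newer policy stores keep each module as bzip2-compressed CIL under <priority>/<module>/cil.
CIL_STORE = "/var/lib/selinux/targeted/active/modules"

# sedismod menu item 6 prints every type, attribute and alias as "name [id]: ..."
SEDISMOD_NAME = re.compile(r"^(\S+) \[\d+\]:", re.MULTILINE)
# CIL declarations look like (type foo_t) and (typealias foo_t)
CIL_DECL = re.compile(r"\((?:type|typealias) ([A-Za-z0-9_.]+)\)")


def maybe_decompress(data):
    """Modules are normally bzip2-compressed (see the `file` output above); pass others through."""
    try:
        return bz2.decompress(data)
    except OSError:
        return data


def names_from_sedismod(output):
    """Set of type/attribute/alias names in sedismod's 'display types' output."""
    return set(SEDISMOD_NAME.findall(output))


def names_from_cil(text):
    """Set of types and aliases declared in a CIL module."""
    return set(CIL_DECL.findall(text))


def names_in_pp(path):
    """Decompress one .pp module and list its declared names via sedismod.
    Assumption: sedismod reads its menu commands from stdin, so '6' then 'q' is fed to it."""
    with open(path, "rb") as fh:
        raw = maybe_decompress(fh.read())
    with tempfile.NamedTemporaryFile(suffix=".out", delete=False) as tmp:
        tmp.write(raw)
    try:
        proc = subprocess.run(["sedismod", tmp.name], input="6\nq\n",
                              capture_output=True, text=True, check=False)
    finally:
        os.unlink(tmp.name)
    return names_from_sedismod(proc.stdout)


def modules_declaring(type_name):
    """Yield module file paths that declare type_name, from whichever store exists on the box."""
    for path in sorted(glob.glob(os.path.join(PP_STORE, "*.pp"))):
        if type_name in names_in_pp(path):
            yield path
    for path in sorted(glob.glob(os.path.join(CIL_STORE, "*", "*", "cil"))):
        with open(path, "rb") as fh:
            text = maybe_decompress(fh.read()).decode("utf-8", "replace")
        if type_name in names_from_cil(text):
            yield path


def owning_package(path):
    """rpm -qf for the module file; None when no package owns it."""
    proc = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True, check=False)
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    import sys
    wanted = sys.argv[1] if len(sys.argv) > 1 else "unconfined_service_t"
    for module in modules_declaring(wanted):
        print(f"{wanted}: {module} -> {owning_package(module)}")
```

Run it as root with the type name as the only argument. One caveat for the newer store: the files under /var/lib/selinux are generated by semodule when the policy is installed, so rpm -qf on them reports no owner; there, take the module name from the path and query the package that ships that module's source (for Fedora's policy package the answer already points at /usr/share/selinux/targeted/).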

Related

Lookup project task list and assign to project with yes/no (array vlookup?)

I would like to know if any of my projects (A, B, C or D) have ever been associated with certain tasks from another table.
For instance, has project A ever been associated with 'pear' in any of the 'project tasks'?
I would assume this would require an array formula to look across a long list of projects and check if any project 'A' is associated with pear in a 'contain' manner?
Firstly, it may be possible that your task list includes words within words (using your fruit analogy, e.g. Apple and Crabapple).
Second, your Project Tasks list needs to be consistent (one choice of separator, no spaces). So either clean it up manually, or write a formula to do it. Your choice of separator must not appear in the task list (if you had a task "do this, or that" then comma wouldn't work). I'll demo the formula.
Add a column J with this formula
=","&SUBSTITUTE(SUBSTITUTE(I2,";",",")," ","")&","
Add more Substitutes if needed
Then use this formula for the results
=COUNTIFS($H:$H,$A2,$J:$J,"*," & B$1 & ",*") > 0

How to Prevent Hotlinking by Using AWS WAF

There is an AWS document that explains how to do it for oneself, i.e. how to allow only one's pages to hotlink and reject all others: https://aws.amazon.com/blogs/security/how-to-prevent-hotlinking-by-using-aws-waf-amazon-cloudfront-and-referer-checking/
I'd like to know if WAF is the right choice for my use case, which is a bit different from the one above.
At the company I work for, we intend to sell data through a JS widget.
We'd like to restrict access to those data so that only authorized REFERERs are able to show our data to their users, while rejecting all other REFERERs.
The possibility of spoofing the REFERER is not an important threat for us.
We expect to grow our customer base to some hundreds.
The reason I'm asking this question is due to noticing that there are some strict limits on WAF: https://docs.aws.amazon.com/waf/latest/developerguide/limits.html, according to which I understand that for our use case, WAF wouldn't scale nicely.
WAF is not the right tool for that job.
First, even if there are max 10 rules, each with max 10 conditions, each with max 10 filters, there is a strong max of 100 string conditions per AWS account.
Second, conditions and filters do not compose nicely for our use case. Conditions of a rule get composed with an AND and filters of a condition get composed with an OR. For example, a rule like r(x) := (x=a + x=b + x=c) * (x=d + x=e) would give r(d) = false without ever getting to test x=d.
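The composition point is easy to get wrong when reading the WAF console, so here is a small model of it as an added illustration (not AWS code; the evaluator, the request dictionary and the referer values are constructed). A rule is a list of conditions, each condition a list of filters; the evaluator ANDs the conditions and ORs the filters, exactly as the answer describes, and the helper that builds an allow-list rule refuses more filters than the per-condition limit the answer quotes.

```python
"""Model of how an AWS WAF (classic) rule composes: conditions are ANDed, the filters inside one
condition are ORed.  Added illustration, not AWS code; evaluator and names are invented."""

MAX_FILTERS_PER_CONDITION = 10   # the per-condition limit the answer refers to


def evaluate_rule(conditions, request):
    """conditions: list of conditions, each a list of (header, value) filters.
    A condition matches if ANY of its filters matches; the rule matches if ALL conditions match."""
    return all(any(request.get(h) == v for h, v in cond) for cond in conditions)


def referer_rule_split(referers):
    """Wrong layout: one condition per referer.  ANDing them means no single request can match."""
    return [[("Referer", r)] for r in referers]


def referer_rule_single(referers):
    """Right layout: every referer as a filter of ONE condition (the OR lives inside a condition).
    That caps an allow-list at MAX_FILTERS_PER_CONDITION entries, which is the scaling problem."""
    if len(referers) > MAX_FILTERS_PER_CONDITION:
        raise ValueError(f"{len(referers)} referers exceed {MAX_FILTERS_PER_CONDITION} filters per condition")
    return [[("Referer", r) for r in referers]]


if __name__ == "__main__":
    # The answer's r(x) := (x=a + x=b + x=c) * (x=d + x=e): r(d) is false because the first
    # condition already fails, so the x=d filter in the second condition is never reached.
    r = [[("x", "a"), ("x", "b"), ("x", "c")], [("x", "d"), ("x", "e")]]
    print(evaluate_rule(r, {"x": "d"}))                                          # False
    allowed = ["https://a.example/", "https://b.example/", "https://c.example/"]  # constructed
    print(evaluate_rule(referer_rule_split(allowed), {"Referer": allowed[1]}))   # False
    print(evaluate_rule(referer_rule_single(allowed), {"Referer": allowed[1]}))  # True
```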

Automatic creation of listed users & groups with accompanied UID/GIDs based on system's hostname

My objective is to automatically create a list of users and groups with their accompanied UID/GIDs based on the hostname of the system. I'm adding this script to the %post section of a kickstart configuration in which the listed users and groups with accompanied UID/GIDs will be created based on the hostname of the system that the kickstart is being executed on. I think that the best approach would be to hardcode the user/group combinations into an associative array similar to:
declare -A groups
groups[user1]='group1,group2'
groups[user2]='group1,group2'
groups[user3]='group1,group2'
The problem is that the hardcoded list of combinations should be set up by the system's hostname, something like this:
declare -A groups
groups[hostname1]='user1:group1,group2' 'user2:group1,group2' etc.
groups[hostname2]='user1:group1,group2' 'user2:group1,group2' etc.
groups[hostname3]='user1:group1,group2' 'user2:group1,group2' etc.
The problem with this is that the UIDs/GIDs also need to be added to some portion of the array or have another array with the UID/GID combinations hardcoded. Should I set up a separate array with the UIDs/GIDs of each user/group? Any suggestions or recommendations are greatly appreciated. Thank you.
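One way to keep the UIDs and GIDs next to the user/group names is a single nested table keyed by short hostname, rendered into groupadd/useradd commands at %post time. The example below is added here and is not the asker's script; hostnames, account names and IDs are made up, and it assumes the installed system has python3 so that %post can be run with --interpreter=/usr/bin/python3 and that the hostname has already been set by the time %post runs. The validation step refuses duplicate IDs and unknown groups before any command is executed, so a typo in the table cannot leave a half-provisioned host.

```python
#!/usr/bin/python3
"""Per-host account table with fixed UIDs/GIDs, rendered into groupadd/useradd commands for a
kickstart %post.  Added example, not the asker's script; all names and IDs are constructed."""
import socket
import subprocess

# Groups carry their GID; users carry their UID, primary group and supplementary groups.
ACCOUNTS = {
    "hostname1": {
        "groups": {"group1": 2001, "group2": 2002},
        "users": {
            "user1": {"uid": 1001, "primary": "group1", "extra": ["group2"]},
            "user2": {"uid": 1002, "primary": "group1", "extra": ["group2"]},
        },
    },
    "hostname2": {
        "groups": {"group1": 2001, "group3": 2003},
        "users": {
            "user3": {"uid": 1003, "primary": "group3", "extra": []},
        },
    },
}


def validate(spec):
    """Refuse a table that would make groupadd/useradd fail half-way through %post."""
    gids = list(spec["groups"].values())
    if len(gids) != len(set(gids)):
        raise ValueError("duplicate GID")
    uids = [u["uid"] for u in spec["users"].values()]
    if len(uids) != len(set(uids)):
        raise ValueError("duplicate UID")
    for name, u in spec["users"].items():
        for g in [u["primary"], *u["extra"]]:
            if g not in spec["groups"]:
                raise ValueError(f"user {name}: unknown group {g}")
    return True


def commands_for(hostname):
    """Render the groupadd/useradd argument lists for one host; groups first so useradd can reference them."""
    short = hostname.split(".")[0]          # the table is keyed by the short name
    spec = ACCOUNTS.get(short)
    if spec is None:
        return []                           # no entry: create nothing rather than guess
    validate(spec)
    cmds = [["groupadd", "-g", str(gid), name] for name, gid in sorted(spec["groups"].items())]
    for name, u in sorted(spec["users"].items()):
        cmd = ["useradd", "-u", str(u["uid"]), "-g", u["primary"]]
        if u["extra"]:
            cmd += ["-G", ",".join(u["extra"])]
        cmds.append(cmd + [name])
    return cmds


if __name__ == "__main__":
    import sys
    dry_run = "--dry-run" in sys.argv
    for cmd in commands_for(socket.gethostname()):
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
```

Running it with --dry-run on a workstation prints the commands for the local hostname without touching /etc/passwd, which is a convenient way to review the table before baking it into the kickstart.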

Import attribute/object definitions to Active Directory (AD LDS)

Currently I'm using OpenDS and have to migrate to Active Directory (AD LDS).
I have a few custom attributes/objects that are defined in .ldif files in the OpenDS/config/schema directory like this:
attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
objectClasses: ( 1.3.6.1.4.1.99.2
NAME 'myNewClass'
SUP top STRUCTURAL
MUST ( person $ myNewAttribute )
MAY someOtherAttribute
)
Unfortunately ldifde does not understand this format, so I used ADSI Edit to import my definitions manually one by one (cumbersome!) - but encountered some problems:
It seems AD supports only a handful of different SYNTAX definitions, like 2.5.5.12. How can I map something like 1.3.6.1.4.1.1466.115.121.1.15 to AD?
oMSyntax: Seems to be AD specific and not known to the rest of the LDAP world. oMSyntax in combination with attributeSyntax seems to define the data type in the AD world.
things like EQUALITY seem to be missing completely in AD! How to deal with this?
Question: Is there a tool to convert an LDIF file with attribute/object definitions to a format that is understood by MS / AD / ldifde?
Or a more general question: What is the best practice to migrate attribute/object definitions from OpenDS, OpenLDAP, etc. to the Microsoft world?
Welcome to the directories compatibility world. First of all, the following syntax:
attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
is not LDIF syntax. It's a syntax used in Netscape-like directories to specify the schema (OpenLDAP, ex-Sun directory service etc.). As far as you want to introduce new attributes and classes in Active Directory, you can do it using one of these 3 ways:
Manually using the common ADSIEDIT.MSC (I never do it like that):
Manually using the specific Active Directory Schema Editor MMC (Microsoft Management Console)
This is the way I use in the development phase.
MMC.EXE -> File -> Open Component -> Active Directory Schema
If you are using an old server this MMC is only available after registering an ActiveX component:
Regsvr32 c:\windows\system32\schmmgmt.dll
This way is much easier; it's the way I use on a development VM to create my attributes. I then export the LDIF description with the LDIFDE.EXE tool in order to clean it (remove system attributes) and import it on the production servers.
Programmatically using LDIF
Here is an example of the LDIF syntax of an attribute
dn: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
changetype: add
objectClass: top
objectClass: attributeSchema
cn: SlxChapitres
distinguishedName: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
instanceType: 4
attributeID: 1.3.6.1.4.1.10558.2.1.6
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: SlxChapitres
oMSyntax: 20
lDAPDisplayName: SlxChapitres
name: SlxChapitres
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=XXXX
This code is LDIF; I can inject it using the LDIFDE.EXE program, the DC=XXXX syntax allowing me to use the -c DNSrc DNTarget option of LDIFDE.EXE to locate it at the right DN.
As far as the syntax and the matching rules are concerned, in my opinion Active Directory is not so standard. Microsoft uses a kind of combination between these two concepts to give one thing they call Syntax. Whenever you create a new attribute, you must specify its syntax. To uniquely identify the syntax among the total set of 21 syntaxes, you must specify 2 pieces of information: the OID of the syntax and a so-called OM syntax. This pair of values must be set together and correctly correlate with the Microsoft documentation.
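The conversion the question asks for (Netscape/OpenLDAP schema syntax to attributeSchema/classSchema LDIF) can be scripted once the syntax-pair mapping the answer describes is written down. The converter below is an added example, not the answerer's tool and not a Microsoft utility; its SYNTAX_MAP is an assumed subset of the 21 AD syntaxes (the common string, integer, boolean, time and octet-string cases), it passes MUST/MAY members through unchanged, and it emits the attributes first, then a schemaUpdateNow refresh, then the classes, because a classSchema entry can only reference attributes the schema cache already knows. The input is the asker's own two definitions, embedded as a constructed sample.

```python
"""Translate Netscape/OpenLDAP-style schema definitions (attributeTypes: / objectClasses:) into
Active Directory / AD LDS LDIF (attributeSchema / classSchema entries) for ldifde.
Added example, not the answerer's tool; SYNTAX_MAP is an assumed subset of AD's syntaxes."""
import re

# OpenLDAP syntax OID -> (attributeSyntax, oMSyntax).  The pair must match Microsoft's table;
# DN syntax (...121.1.12 -> 2.5.5.1 / 127) is left out because it additionally needs oMObjectClass.
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64),  # DirectoryString -> Unicode String
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", 22),   # IA5String
    "1.3.6.1.4.1.1466.115.121.1.44": ("2.5.5.5", 19),   # PrintableString
    "1.3.6.1.4.1.1466.115.121.1.36": ("2.5.5.6", 18),   # NumericString
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", 2),    # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1),     # Boolean
    "1.3.6.1.4.1.1466.115.121.1.24": ("2.5.5.11", 24),  # GeneralizedTime
    "1.3.6.1.4.1.1466.115.121.1.40": ("2.5.5.10", 4),   # OctetString
}
CLASS_KIND = {"STRUCTURAL": 1, "ABSTRACT": 2, "AUXILIARY": 3}  # objectClassCategory values
ENTRY = re.compile(r"(attributeTypes|objectClasses): \( (\S+) (.*?) \)(?= (?:attributeTypes|objectClasses):|$)")

# Constructed sample in the asker's format (the two definitions quoted in the question).
SAMPLE = """attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
objectClasses: ( 1.3.6.1.4.1.99.2
NAME 'myNewClass'
SUP top STRUCTURAL
MUST ( person $ myNewAttribute )
MAY someOtherAttribute
)
"""

def _quoted(key, body):
    m = re.search(r"\b%s '([^']*)'" % key, body)
    return m.group(1) if m else None

def _token(key, body):
    m = re.search(r"\b%s (\S+)" % key, body)
    return m.group(1) if m else None

def _names(key, body):
    """'MUST ( a $ b )' -> ['a', 'b'];  'MUST a' -> ['a'];  absent -> []."""
    m = re.search(r"\b%s \( ([^)]*) \)" % key, body)
    if m:
        return [x.strip() for x in m.group(1).split("$")]
    t = _token(key, body)
    return [t] if t else []

def parse_definitions(text):
    """Yield (kind, oid, body) per definition after joining the wrapped lines."""
    flat = re.sub(r"\s+", " ", text).strip()
    for m in ENTRY.finditer(flat):
        yield m.group(1), m.group(2), m.group(3)

def _common(object_class, name, schema_dn):
    return [f"dn: CN={name},{schema_dn}", "changetype: add", "objectClass: top",
            f"objectClass: {object_class}", f"cn: {name}", "instanceType: 4",
            "showInAdvancedViewOnly: TRUE", f"adminDisplayName: {name}", f"lDAPDisplayName: {name}"]

def attribute_ldif(oid, body, schema_dn):
    name = _quoted("NAME", body)
    syntax = _token("SYNTAX", body).split("{")[0]      # drop a {len} suffix if present
    if syntax not in SYNTAX_MAP:
        raise ValueError(f"{name}: no AD mapping for syntax {syntax}")
    attr_syntax, om = SYNTAX_MAP[syntax]
    lines = _common("attributeSchema", name, schema_dn) + [
        f"attributeID: {oid}", f"attributeSyntax: {attr_syntax}", f"oMSyntax: {om}",
        f"isSingleValued: {'TRUE' if 'SINGLE-VALUE' in body.split() else 'FALSE'}",
        f"objectCategory: CN=Attribute-Schema,{schema_dn}"]
    if _quoted("DESC", body):
        lines.append(f"adminDescription: {_quoted('DESC', body)}")
    # EQUALITY/ORDERING have no AD counterpart: matching behaviour is fixed by the syntax pair.
    return "\n".join(lines) + "\n"

def class_ldif(oid, body, schema_dn):
    name = _quoted("NAME", body)
    kind = next((k for k in body.split() if k in CLASS_KIND), "STRUCTURAL")
    lines = _common("classSchema", name, schema_dn) + [
        f"governsID: {oid}", f"subClassOf: {_token('SUP', body) or 'top'}",
        f"objectClassCategory: {CLASS_KIND[kind]}", f"objectCategory: CN=Class-Schema,{schema_dn}"]
    # MUST/MAY members are passed through; in AD they must be lDAPDisplayNames of existing attributes.
    lines += [f"mustContain: {a}" for a in _names("MUST", body)]
    lines += [f"mayContain: {a}" for a in _names("MAY", body)]
    return "\n".join(lines) + "\n"

SCHEMA_UPDATE = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"

def convert(text, schema_dn="CN=Schema,CN=Configuration,DC=XXXX"):
    """Attributes first, then a schema-cache refresh, then the classes that reference them."""
    defs = list(parse_definitions(text))
    attrs = [attribute_ldif(o, b, schema_dn) for k, o, b in defs if k == "attributeTypes"]
    classes = [class_ldif(o, b, schema_dn) for k, o, b in defs if k == "objectClasses"]
    return "\n".join(attrs + [SCHEMA_UPDATE] + classes)

if __name__ == "__main__":
    print(convert(SAMPLE))
```

The output keeps the DC=XXXX placeholder, so the ldifde -c DNSrc DNTarget trick from the answer applies unchanged when importing. A syntax not in the table raises instead of guessing, which is the point where a human has to consult the Microsoft syntax table.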

Marklogic: DLS-INVALIDVERSION

When trying to access older versions of my managed XML files, it gives me something like:
DLS-INVALIDVERSION: (err:FOER0000) /company/1448220.xml has no version number 3
in /MarkLogic/dls.xqy, at 1403:6, ...
Indeed, the files for versions 1, 2 and 3 within /company/1448220_xml_versions do not exist (in this case let's assume version 4 is the most recent).
When updating a document using dls (Document Management) functions, I run the following tasks:
Check whether the document is managed or not
When it's not managed, set it to managed using dls:document-manage($uri, fn:false()) inside of an eval statement
Update the document using dls:document-checkout-update-checkin($uri, $new-doc, "Document update", fn:true()) inside of an eval statement
So far so good.
When trying to get a specific version of a document:
dls:document-version($document-uri, xs:unsignedInt($version))
==> When using $version := 4 it gives me a valid document (which in turn is the most recent version)
==> When using $version := 1 it just gives me an error, indicating that the document of version 1 doesn't exist.
What am I doing wrong?
I am using MarkLogic 6.
You probably haven't set a retention policy using dls:retention-rule-insert, and the default retention rules retain nothing (which means that MarkLogic deletes all older versions of a given document each time you store a new version of it). See the "Defining a retention policy" section in the MarkLogic Application Developer's Guide, here.