From 8821ff4ea8e1c06954dc5ea2604ed6785652af47 Mon Sep 17 00:00:00 2001
From: toni
Date: Fri, 17 Oct 2014 20:02:05 +0200
Subject: replaced iostat with iotop (iostat gives false results)

---
 configs/xmobar_hddusage.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configs/xmobar_hddusage.sh b/configs/xmobar_hddusage.sh
index e8285e4..bea8391 100755
--- a/configs/xmobar_hddusage.sh
+++ b/configs/xmobar_hddusage.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
 if [ "x$1" = "xread" ]; then
- OUT=$(iostat | sed -n 's/sda\s*[0-9,]*\s*\([0-9]*\).*$/\1/p')
+ OUT=$(sudo iotop -b -n 1 -P -k -qq | sed -n 's/^Total DISK READ:\s*\([0-9]*\)\..*$/\1/p')
 elif [ "x$1" = "xwrite" ]; then
- OUT=$(iostat | sed -n 's/sda\s*[0-9,]*\s*[0-9,]*\s*\([0-9]*\).*$/\1/p')
+ OUT=$(sudo iotop -b -n 1 -P -k -qq | sed -n 's/^.*Total DISK WRITE:\s*\([0-9]*\)\..*$/\1/p')
 else
 exit 1
 fi
-- 
cgit v1.2.3
From ebe18565ddc1de3bd04db67331dab943c59e785b Mon Sep 17 00:00:00 2001
From: toni
Date: Mon, 3 Nov 2014 15:28:03 +0100
Subject: - sendxmpp scripts - selinux build/insert/enable pol's script - selinux hald policy

---
 cmd2admin.sh | 21 +++++++++++++++++++++
 selinux_pols/build_all.sh | 32 ++++++++++++++++++++++++++++++++
 selinux_pols/hald.mod | Bin 0 -> 1487 bytes
 selinux_pols/hald.pp | Bin 0 -> 1503 bytes
 selinux_pols/hald.te | 19 +++++++++++++++++++
 send2admin.sh | 42 ++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 114 insertions(+)
 create mode 100755 cmd2admin.sh
 create mode 100755 selinux_pols/build_all.sh
 create mode 100644 selinux_pols/hald.mod
 create mode 100644 selinux_pols/hald.pp
 create mode 100644 selinux_pols/hald.te
 create mode 100755 send2admin.sh

diff --git a/cmd2admin.sh b/cmd2admin.sh
new file mode 100755
index 0000000..2d213db
--- /dev/null
+++ b/cmd2admin.sh
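Review bot: The new `sudo iotop` on both `OUT=` lines is executed from a status-bar refresh loop, so it only works with a passwordless sudoers entry, and that entry should be pinned to this exact command line (`user ALL=(root) NOPASSWD: /usr/sbin/iotop -b -n 1 -P -k -qq`) rather than to `iotop` in general, because other iotop options change what it reports. It also spawns a root process on every refresh; the same counters are readable without privilege from `/proc/diskstats` (on the `sda` line, field 6 is sectors read and field 10 sectors written), and differencing two samples gives the rate the author wanted from iostat without any sudo rule. Whether the `-P -k` output always starts with `Total DISK READ:` on its own line depends on the installed iotop version, so the `sed` anchors are worth a quick check against it. The if/elif chain is the whole file, so whatever consumes `$OUT` lies outside this hunk.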
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ "x${1}" != "x" ]; then
+ RUN_CMDS="${1}"
+else
+ send2admin "cmd2admin failed"
+fi
+
+if [ "x${2}" != "x" ]; then
+ send2admin "${2}"
+fi
+
+send2admin "RUN CMD: ${RUN_CMDS}"
+OUT=$(bash -c "${RUN_CMDS}")
+if [ $? -ne 0 ]; then
+ send2admin "CMD failed!"
+else
+ send2admin "CMD succeeded!"
+fi
+send2admin "output:\n${OUT}"
+exit 0
diff --git a/selinux_pols/build_all.sh b/selinux_pols/build_all.sh
new file mode 100755
index 0000000..0ce8ba5
--- /dev/null
+++ b/selinux_pols/build_all.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+BDIR=$(dirname ${0})
+
+function run_cmd {
+ cmd="${1}"
+ echo "${cmd}"
+ $cmd
+ return $?
+}
+
+echo_cmd
+echo "$0: building all in $BDIR" >&2
+for file in ${BDIR}/*.te; do
+ echo "* building: $file"
+ fname=$(basename ${file} | sed -e 's/^\(.*\)\.\(.*\)$/\1/g')
+ run_cmd "checkmodule -m -M -o ${BDIR}/${fname}.mod ${BDIR}/${fname}.te"
+ if [ $? -ne 0 ]; then
+ echo "checkmodule: ERROR, next .." >&2
+ continue
+ fi
+ run_cmd "semodule_package -m ${BDIR}/${fname}.mod -o ${BDIR}/${fname}.pp"
+ if [ $? -ne 0 ]; then
+ echo "semodule_package: ERROR, next .." >&2
+ continue
+ fi
+ run_cmd "semodule -i ${BDIR}/${fname}.pp"
+ run_cmd "semodule -e ${fname}"
+done
+
+echo "done."
+exit 0
diff --git a/selinux_pols/hald.mod b/selinux_pols/hald.mod
new file mode 100644
index 0000000..d8fea69
Binary files /dev/null and b/selinux_pols/hald.mod differ
diff --git a/selinux_pols/hald.pp b/selinux_pols/hald.pp
new file mode 100644
index 0000000..efb718d
Binary files /dev/null and b/selinux_pols/hald.pp differ
diff --git a/selinux_pols/hald.te b/selinux_pols/hald.te
new file mode 100644
index 0000000..cff1057
--- /dev/null
+++ b/selinux_pols/hald.te
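Review bot: When `$1` is empty the `else` branch only sends `cmd2admin failed` and then falls through, so `bash -c "${RUN_CMDS}"` still runs with an empty command and the script reports `CMD succeeded!`; add `exit 1` directly after the `send2admin "cmd2admin failed"` line. The script is by design an arbitrary-command runner (`bash -c` on its first argument), which makes whoever invokes it the only trust boundary; if that argument can ever originate from an XMPP message or another remote source, the caller needs authentication and an allow-list, neither of which is visible here. `OUT=$(bash -c "${RUN_CMDS}")` captures stdout only, so the `CMD failed!` report usually arrives without the error text; `OUT=$(bash -c "${RUN_CMDS}" 2>&1)` would include it. `send2admin` is invoked as a bare name, so the failure reports depend on it being on `PATH`.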
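Review bot: The exit statuses of the `semodule -i` and `semodule -e` calls are discarded and the script always ends with `exit 0`, so a module that checkmodule accepted but the kernel refused is still reported as `done.`; the enable step also passes the file stem (`semodule -e ${fname}`, i.e. `hald`) while the `hald.te` added in the same commit declares `module hald-custom`, so that call names a module that does not exist and its error is the one being swallowed. A minimal fix is `run_cmd "semodule -i ${BDIR}/${fname}.pp" && run_cmd "semodule -e ${fname}" || { echo "semodule: ERROR for ${fname}" >&2; RC=1; }` with `exit ${RC:-0}` at the end, plus module names that match the file names. `run_cmd` expands `$cmd` unquoted, so a `BDIR` with whitespace splits the command line; taking the command as arguments (`run_cmd() { echo "$*"; "$@"; }`) and calling `run_cmd checkmodule -m -M -o "${BDIR}/${fname}.mod" "${BDIR}/${fname}.te"` avoids that. Each `semodule -i` takes effect on the running system immediately, which is worth a confirmation prompt when the directory holds policies that widen daemon domains.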
@@ -0,0 +1,19 @@
+
+module hald-custom 1.0;
+
+require {
+ type fixed_disk_device_t;
+ type mnt_t;
+ type system_dbusd_t;
+ class blk_file { read ioctl open };
+ class dir { write remove_name add_name };
+ class file { write rename create unlink };
+}
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t fixed_disk_device_t:blk_file { ioctl open };
+#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
+# system_dbusd_var_run_t, system_dbusd_tmp_t, user_home_t, tmp_t, var_run_t
+
+allow system_dbusd_t mnt_t:dir { write remove_name add_name };
+allow system_dbusd_t mnt_t:file { write rename create unlink };
diff --git a/send2admin.sh b/send2admin.sh
new file mode 100755
index 0000000..cad0ef5
--- /dev/null
+++ b/send2admin.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+MSG_PREFIX="[AUTO_MSG]"
+RC_PREFIX="/etc/sendxmpprc"
+DEFAULT_REC="/etc/default/send2admin"
+RET=0
+
+if [ -r ${DEFAULT_REC} ]; then
+ . ${DEFAULT_REC}
+fi
+if [ "x${RECIPIENT}" = "x" ]; then
+ RECIPIENT="${2}"
+fi
+
+if [ "x${DISPLAY}" != "x" ]; then
+ USEX=1
+else
+ USEX=0
+fi
+
+if [ "x${USER}" != "x" ]; then
+ if [ -r "${RC_PREFIX}.${USER}" ]; then
+ SX_ARGS=" -f ${RC_PREFIX}.${USER}"
+ fi
+fi
+
+if [ "x${MSG_PREFIX}" != "x" ]; then
+ MSG_PREFIX="${MSG_PREFIX}: "
+fi
+if [ "x${1}" != "x" -a "x${RECIPIENT}" != "x" ]; then
+ echo -en "${MSG_PREFIX}${1}" | sendxmpp -t${SX_ARGS} ${RECIPIENT}
+ RET=$?
+else
+ if [ $USEX -eq 1 ]; then
+ xmessage "sendxmpp error: syntax: $0 [TEXT] [RECIPIENT]"
+ else
+ echo "sendxmpp error: syntax: $0 [TEXT] [RECIPIENT]" >&2
+ fi
+ RET=128
+fi
+
+exit $RET
-- 
cgit v1.2.3
From da31632e4c9dd01014477261d8e4486d70c993ac Mon Sep 17 00:00:00 2001
From: toni
Date: Mon, 3 Nov 2014 15:36:54 +0100
Subject: - added selinux pulseaudio policy

---
 selinux_pols/build_all.sh | 1 -
 selinux_pols/pulse.te | 9 +++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 selinux_pols/pulse.te
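Review bot: These rules give `system_dbusd_t` — the system D-Bus daemon itself — `ioctl open` on fixed disks and write/create/unlink rights under `mnt_t`, and the audit2allow warning pasted into the file (`#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types: …`) is precisely the tool telling you that this access does not fit the bus daemon. The module name `hald-custom` suggests the denials came from a HAL helper that the bus spawned without a domain transition into `hald_t`; before loading this, identify the process behind the AVC (the `comm=` field in `ausearch -m avc`) and fix the missing transition or file context instead of widening the daemon's type, and if the helper truly must run as `system_dbusd_t`, grant writes to a dedicated type under `/mnt` rather than all of `mnt_t`. The `require` block also asks for `read` on `blk_file` although no rule uses it, a sign of a hand-edited dump; a one-line comment per rule naming the triggering denial would let the next maintainer tell which grants are still needed.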
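Review bot: `${RC_PREFIX}.${USER}` is a per-user sendxmpp rc file holding the XMPP account password, and the only check before passing it to `sendxmpp -f` is `-r`, so a world-readable credential file is used silently; next to that test add `[ "$(stat -c %a "${RC_PREFIX}.${USER}")" = "600" ] || echo "warning: ${RC_PREFIX}.${USER} is not mode 600" >&2`, unless the installed sendxmpp is known to refuse insecure modes itself. `${RECIPIENT}` and `${SX_ARGS}` are expanded unquoted on the `sendxmpp` line and `-t${SX_ARGS}` relies on the leading space baked into `SX_ARGS`, so a recipient or rc path with whitespace turns into extra arguments; quote `"${RECIPIENT}"` and pass `-f "${RC_PREFIX}.${USER}"` as its own argument. `echo -en` interprets backslash escapes in the caller-supplied `$1`, presumably intended for `\n`, but it also means a message containing `\c` is truncated there. `[ … -a … ]` is the deprecated test conjunction; two `[ ]` tests joined by `&&` are unambiguous.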
diff --git a/selinux_pols/build_all.sh b/selinux_pols/build_all.sh
index 0ce8ba5..286cdc8 100755
--- a/selinux_pols/build_all.sh
+++ b/selinux_pols/build_all.sh
@@ -9,7 +9,6 @@ function run_cmd {
 return $?
 }
 
-echo_cmd
 echo "$0: building all in $BDIR" >&2
 for file in ${BDIR}/*.te; do
 echo "* building: $file"
diff --git a/selinux_pols/pulse.te b/selinux_pols/pulse.te
new file mode 100644
index 0000000..2c48f8b
--- /dev/null
+++ b/selinux_pols/pulse.te
@@ -0,0 +1,9 @@
+module pulse-custom 1.0;
+
+require {
+ type pulseaudio_t;
+ class sem { read write unix_write };
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t self:sem { read write unix_write };
-- 
cgit v1.2.3
From 587f4b1ae4aaccd5519083833e5f65b106904f51 Mon Sep 17 00:00:00 2001
From: toni
Date: Mon, 24 Nov 2014 19:05:36 +0100
Subject: - new selinux pols

---
 selinux_pols/dmesg.te | 10 ++++++++++
 selinux_pols/exim.te | 12 ++++++++++++
 selinux_pols/fuse.te | 10 ++++++++++
 selinux_pols/hald.te | 24 ++++++++++++++++++++++--
 selinux_pols/pulse.te | 32 +++++++++++++++++++++++++++++++-
 selinux_pols/samba.te | 12 ++++++++++++
 6 files changed, 97 insertions(+), 3 deletions(-)
 create mode 100644 selinux_pols/dmesg.te
 create mode 100644 selinux_pols/exim.te
 create mode 100644 selinux_pols/fuse.te
 create mode 100644 selinux_pols/samba.te

diff --git a/selinux_pols/dmesg.te b/selinux_pols/dmesg.te
new file mode 100644
index 0000000..dd85723
--- /dev/null
+++ b/selinux_pols/dmesg.te
@@ -0,0 +1,10 @@
+module dmesg 1.0;
+
+require {
+ type dmesg_t;
+ type tty_device_t;
+ class chr_file { read write };
+}
+
+#============= dmesg_t ==============
+allow dmesg_t tty_device_t:chr_file { read write };
diff --git a/selinux_pols/exim.te b/selinux_pols/exim.te
new file mode 100644
index 0000000..9b0cb01
--- /dev/null
+++ b/selinux_pols/exim.te
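Review bot: The module is named plain `dmesg`, unlike the `*-custom` names the sibling files use, and the reference policy ships a loadable module of exactly that name (`policy/modules/admin/dmesg.te`), so on a refpolicy-based distribution `semodule -i dmesg.pp` replaces the distribution's dmesg module with this single-rule one and `dmesg_t` loses nearly all of its policy; rename it `module dmesg-custom 1.0;` to match the other files. The grant is also wider than printing output needs: `read` on `tty_device_t` lets the program consume keystrokes from the terminal, so if the denial was only for stdout, `allow dmesg_t tty_device_t:chr_file write;` is the narrower rule — the pasted `{ read write }` does not show which permission was actually denied, so check the AVC.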
@@ -0,0 +1,12 @@
+module exim-custom 1.0;
+
+require {
+ type sysctl_crypto_t;
+ type exim_t;
+ class dir search;
+ class file { read getattr open };
+}
+
+#============= exim_t ==============
+allow exim_t sysctl_crypto_t:dir search;
+allow exim_t sysctl_crypto_t:file { read getattr open };
diff --git a/selinux_pols/fuse.te b/selinux_pols/fuse.te
new file mode 100644
index 0000000..510cbe3
--- /dev/null
+++ b/selinux_pols/fuse.te
@@ -0,0 +1,10 @@
+module fuse-custom 1.0;
+
+require {
+ type fuse_device_t;
+ type mount_t;
+ class chr_file { write read };
+}
+
+#============= mount_t ==============
+allow mount_t fuse_device_t:chr_file { write read };
diff --git a/selinux_pols/hald.te b/selinux_pols/hald.te
index cff1057..6f40fad 100644
--- a/selinux_pols/hald.te
+++ b/selinux_pols/hald.te
@@ -1,5 +1,4 @@
-
-module hald-custom 1.0;
+module hald-custom 1.2;
 
 require {
 type fixed_disk_device_t;
@@ -17,3 +16,24 @@ allow system_dbusd_t fixed_disk_device_t:blk_file { ioctl open };
 
 allow system_dbusd_t mnt_t:dir { write remove_name add_name };
 allow system_dbusd_t mnt_t:file { write rename create unlink };
+
+require {
+ type removable_device_t;
+ type event_device_t;
+ type system_dbusd_t;
+ class blk_file { read ioctl open };
+ class chr_file read;
+}
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t event_device_t:chr_file read;
+allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
+
+require {
+ type removable_device_t;
+ type system_dbusd_t;
+ class blk_file { read ioctl open };
+}
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
diff --git a/selinux_pols/pulse.te b/selinux_pols/pulse.te
index 2c48f8b..6e7672d 100644
--- a/selinux_pols/pulse.te
+++ b/selinux_pols/pulse.te
@@ -1,4 +1,4 @@
-module pulse-custom 1.0;
+module pulse-custom 1.2;
 
 require {
 type pulseaudio_t;
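Review bot: `allow system_dbusd_t event_device_t:chr_file read;` lets the system bus daemon read `/dev/input/event*`, i.e. raw keyboard and mouse events from every session on the machine — a key-logging capability handed to a process whose job is to broker messages. That denial almost certainly came from a helper running in the wrong domain (the module is still named after HAL), and the fix belongs in a domain transition for that helper rather than in `system_dbusd_t`; if it cannot be moved, at least comment which program needed it so the rule can be revisited. The second `require`/`allow` pair for `removable_device_t:blk_file { read ioctl open }` is a verbatim duplicate of the rule nine lines above it — two audit2allow runs pasted in — and can be dropped, and `type removable_device_t;` and `type system_dbusd_t;` then need declaring only once; a single `require` block at the top listing each type and class once is far easier to review than three.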
@@ -7,3 +7,33 @@ require {
 
 #============= pulseaudio_t ==============
 allow pulseaudio_t self:sem { read write unix_write };
+
+require {
+ type udev_tbl_t;
+ type pulseaudio_t;
+ class file { read getattr open };
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t udev_tbl_t:file { read getattr open };
+
+require {
+ type pulseaudio_t;
+ class sem destroy;
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t self:sem destroy;
+
+require {
+ type initrc_state_t;
+ type tmpfs_t;
+ type pulseaudio_t;
+ class sem { unix_read create getattr setattr associate };
+ class file { read write getattr open };
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t initrc_state_t:file { read getattr open };
+allow pulseaudio_t self:sem { unix_read create getattr setattr associate };
+allow pulseaudio_t tmpfs_t:file { read write };
diff --git a/selinux_pols/samba.te b/selinux_pols/samba.te
new file mode 100644
index 0000000..b153f83
--- /dev/null
+++ b/selinux_pols/samba.te
@@ -0,0 +1,12 @@
+module samba-custom 1.0;
+
+require {
+ type sysctl_crypto_t;
+ type smbd_t;
+ class dir search;
+ class file { read getattr open };
+}
+
+#============= smbd_t ==============
+allow smbd_t sysctl_crypto_t:dir search;
+allow smbd_t sysctl_crypto_t:file { read getattr open };
-- 
cgit v1.2.3
From 99fd112d43bc37104a45df62e37ee33590f701ec Mon Sep 17 00:00:00 2001
From: toni
Date: Mon, 24 Nov 2014 22:47:56 +0100
Subject: - xmobar/xmonad update - fixed iceweasel-sandbox bug - removed (pre-)compiled selinux pol's

---
 configs/xmobarrc | 4 ++--
 configs/xmonad.hs | 27 ++++++++++++++++++---------
 iceweasel-sandbox.sh | 29 +++++++++++++++++++++++++----
 selinux_pols/hald.mod | Bin 1487 -> 0 bytes
 selinux_pols/hald.pp | Bin 1503 -> 0 bytes
 5 files changed, 45 insertions(+), 15 deletions(-)
 delete mode 100644 selinux_pols/hald.mod
 delete mode 100644 selinux_pols/hald.pp

diff --git a/configs/xmobarrc b/configs/xmobarrc
index 78d4a42..59759db 100644
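Review bot: `allow pulseaudio_t tmpfs_t:file { read write };` covers any tmpfs file that carries the generic label (for example whatever sits under `/dev/shm` or `/run/shm` without a more specific type), so pulseaudio can read and modify other processes' shared-memory segments, not just its own. The reference policy labels pulseaudio's segments via a type transition to `pulseaudio_tmpfs_t`; if that type exists in the installed policy and the AVC path is pulseaudio's own shm file, `allow pulseaudio_t pulseaudio_tmpfs_t:file { read write getattr open };` together with that transition is the intended grant — check the path in the denial before keeping the generic rule. The three appended `require` blocks re-declare `pulseaudio_t` and `class sem` each time; folding them into one block makes the module read as a policy rather than as a log of audit2allow runs, and a short comment naming the file behind the `initrc_state_t` read would tell the next maintainer when that rule can go.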
--- a/configs/xmobarrc
+++ b/configs/xmobarrc
@@ -12,10 +12,10 @@ Config { font = "-misc-fixed-*-*-*-*-18-*-*-*-*-*-*-*"
 , Run Com "~/.xmobar_cputemp.sh" ["MB"] "mtmp" 100
 , Run Network "eth0" ["-L","0","-H","32","--normal","green","--high","red"] 10
 , Run Network "eth1" ["-L","0","-H","32","--normal","green","--high","red"] 10
-, Run Cpu ["-L","15","-H","50","--normal","green","--high","red"] 10
+, Run Cpu ["-L","15","-H","50","--normal","green","--high","red"] 20
 , Run Memory ["Mem: %"] 200
 , Run Swap [] 200
-, Run Date "%a %b (%V) %_d %Y %H:%M:%S" "date" 10
+, Run Date "%a %b %_d %Y %H:%M (KW%V)" "date" 600
 , Run StdinReader
 ]
 , sepChar = "%"
diff --git a/configs/xmonad.hs b/configs/xmonad.hs
index e698351..acec436 100644
--- a/configs/xmonad.hs
+++ b/configs/xmonad.hs
@@ -25,7 +25,7 @@ import qualified Data.Map as M
 -- The preferred terminal program, which is used in a binding below and by
 -- certain contrib modules.
 --
-myTerminal = "/usr/bin/konsole"
+myTerminal = "x-terminal-emulator"
 ------------------------------------------------------------------------
@@ -33,7 +33,7 @@ myTerminal = "/usr/bin/konsole"
 -- The default number of workspaces (virtual screens) and their names.
 --
 myWorkspaces :: [WorkspaceId]
-myWorkspaces = ["1:term","2:code","3:web","4:vm","5:media"] ++ map show [6..9]
+myWorkspaces = ["1:pidg","2:file","3:web","4:work1","5:work2"] ++ map show [6..9]
 ------------------------------------------------------------------------
 -- Window rules
@@ -52,15 +52,17 @@ myWorkspaces = ["1:term","2:code","3:web","4:vm","5:media"] ++ map show [6..9]
 myManageHook = composeAll
 [ className =? "Iceweasel" --> doShift "3:web"
 , className =? "Icedove" --> doShift "3:web"
-, className =? "Pidgin" --> doShift "1:term"
-, className =? "Eclipse" --> doShift "2:code"
+, className =? "Pidgin" --> doShift "1:pidg"
+, className =? "Eclipse" --> doShift "2:file"
 , className =? "Kmail" --> doShift "3:web"
-, className =? "Konqueror" --> doShift "2:code"
+, className =? "Konqueror" --> doShift "2:file"
+, className =? "Nautilus" --> doShift "2:file"
 , resource =? "desktop_window" --> doIgnore
 , className =? "Galculator" --> doFloat
+, className =? "Gource" --> doFloat
 , className =? "MPlayer" --> doFloat
-, className =? "VirtualBox" --> doShift "4:vm"
-, className =? "Xchat" --> doShift "5:media"
+, className =? "VirtualBox" --> doShift "4:work1"
+, className =? "Xchat" --> doShift "5:work2"
 , isFullscreen --> (doF W.focusDown <+> doFullFloat)]
@@ -131,6 +133,14 @@ myKeys conf@(XConfig {XMonad.modMask = modMask}) = M.fromList $
 , ((modMask .|. shiftMask, xK_l),
 spawn "xscreensaver-command -lock")
+ -- Start Firefox
+ , ((modMask .|. shiftMask, xK_i),
+ spawn "iceweasel")
+
+ -- run demnu
+ , ((modMask .|. shiftMask, xK_d),
+ spawn "dmenu_run -b")
+
 -- Take full screenshot in multi-head mode.
 -- That is, take a screenshot of everything you see.
 , ((modMask .|. shiftMask, xK_p),
@@ -296,8 +306,7 @@ myMouseBindings (XConfig {XMonad.modMask = modMask}) = M.fromList $
 --myStartupHook = return ()
 myStartupHook :: X ()
 myStartupHook = do
--- safeSpawnProg "iceweasel"
- safeSpawnProg "konqueror"
+ safeSpawnProg "iceweasel"
 safeSpawnProg "pidgin"
 setWMName "LG3D"
diff --git a/iceweasel-sandbox.sh b/iceweasel-sandbox.sh
index 37cad6c..aab60a6 100755
--- a/iceweasel-sandbox.sh
+++ b/iceweasel-sandbox.sh
@@ -14,6 +14,8 @@ else
 CHROOTDIR="$HOME/iceweasel.sandbox"
 fi
+export CHROOTKILL="for pid in $(lsof -t ${CHROOTDIR} 2>/dev/null | tr '\n' ' '); do echo -n "."; kill -SIGTERM "\$pid"; done; echo"
+
 if [ ! -z "$2" ]; then
 DBS_OPTS="--arch ${DEF_ARCH} ${2} ${DEF_SUITE}"
 else
@@ -36,7 +38,22 @@ fi
 echo "* CHROOT: $CHROOTDIR"
 xhost +
 if [ ! -f ${CHROOTDIR}/.stamp_installed ]; then
- su -- -c "/usr/sbin/debootstrap --unpack-tarball ${HOME}/iceweasel.sandbox.tar ${DBS_OPTS} ${CHROOTDIR} && touch ${CHROOTDIR}/.stamp_installed"
+ echo "* DEBOOTSTRAP"
+ su -- -c "/usr/sbin/debootstrap --unpack-tarball ${HOME}/iceweasel.sandbox.tar ${DBS_OPTS} ${CHROOTDIR}; touch ${CHROOTDIR}/.stamp_installed"
+else
+ echo "* INSTALLED"
+fi
+
+if [ $(lsof -t ${CHROOTDIR} 2>/dev/null | wc -l) -ne 0 ]; then
+ echo "* Running instance found"
+ read -p "kill instance? (Y/n) " -t 3 answ
+ if [ "x$answ" = "xY" ]; then
+ echo -n "* SIGTERM all processes"
+ su -- -c "$CHROOTKILL"
+ else
+ echo "* abort"
+ exit 1
+ fi
 fi
 
 read -p "mount proc? (Y/n) " -t 3 answ
@@ -44,7 +61,8 @@ if [ "x$answ" = "xY" ]; then
 add_precmd "mount -t proc proc ${CHROOTDIR}/proc"
 add_postcmd "umount ${CHROOTDIR}/proc"
 fi
-su -- -c "${PRECMD}; chroot ${CHROOTDIR} /bin/bash -c 'apt-get update; apt-get upgrade; apt-get install -y iceweasel; useradd -m firefox; su -l firefox -c iceweasel'; ${POSTCMD}"
+echo "* CHROOT"
+su -- -c "${PRECMD}; chroot ${CHROOTDIR} /bin/bash -c 'apt-get update; apt-get upgrade; apt-get install -y iceweasel; useradd -m firefox; su -l firefox -c iceweasel'; ${CHROOTKILL}; ${POSTCMD}"
 read -p "delete ${CHROOTDIR} ? (Y/n) " -t 5 answ
 if [ "x$answ" = "xY" ]; then
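Review bot: The `$(lsof -t ${CHROOTDIR} …)` inside the double-quoted `export CHROOTKILL=…` is evaluated once, right here at script start, not when the string is later handed to `su -- -c`; only `\$pid` is deferred. At that moment nothing is running in the chroot, so the later kill passes are no-ops, and if something was running the PID list is stale by the time root executes it, so `kill -SIGTERM` can land on an unrelated process that has since reused the PID. Escape the substitution so it runs at use time: `export CHROOTKILL="for pid in \$(lsof -t ${CHROOTDIR} 2>/dev/null); do echo -n .; kill -SIGTERM \"\$pid\"; done; echo"` (the `tr` is unnecessary, `for` splits on newlines as well). As written the inner `"."` and `"\$pid"` close and reopen the outer double-quoted string, which happens to concatenate back into one word, but that is accidental and worth making explicit.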
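Review bot: Replacing `&& touch` with `; touch` on the `su -- -c "/usr/sbin/debootstrap …"` line writes `.stamp_installed` even when debootstrap fails, so every later run prints `* INSTALLED` and proceeds to `chroot` into a half-built tree; keep the marker conditional, `… ${DBS_OPTS} ${CHROOTDIR} && touch ${CHROOTDIR}/.stamp_installed`, and if the intent was to tolerate a specific debootstrap warning, test its exit status explicitly instead. The new `read -p "kill instance? (Y/n) " -t 3 answ` aborts when the prompt times out, which is the safe default and worth a comment so it is not "fixed" later. Separately, the `xhost +` context line above this block disables X access control for every host, which undercuts whatever isolation the chroot is meant to give; `xhost +si:localuser:<user>` or an xauth cookie copied into the chroot is the narrower grant.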
@@ -54,10 +72,13 @@ if [ "x$answ" = "xY" ]; then
 DOWIPE=y
 fi
 fi
+ add_postcmd "umount ${CHROOTDIR}/proc"
 if [ "x$DOWIPE" = "xy" ]; then
- su -- -c "wipe -qrcf ${CHROOTDIR}/{home,tmp} && rm -rf ${CHROOTDIR}"
+ echo "* WIPE"
+ su -- -c "${CHROOTKILL}; ${POSTCMD}; wipe -qrcf ${CHROOTDIR}/{home,tmp}; rm -rf ${CHROOTDIR}"
 else
- su -- -c "rm -rf ${CHROOTDIR}"
+ echo "* RM"
+ su -- -c "${CHROOTKILL}; ${POSTCMD}; rm -rf ${CHROOTDIR}"
 fi
 fi
diff --git a/selinux_pols/hald.mod b/selinux_pols/hald.mod
deleted file mode 100644
index d8fea69..0000000
Binary files a/selinux_pols/hald.mod and /dev/null differ
diff --git a/selinux_pols/hald.pp b/selinux_pols/hald.pp
deleted file mode 100644
index efb718d..0000000
Binary files a/selinux_pols/hald.pp and /dev/null differ
-- 
cgit v1.2.3
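Review bot: On both new `su -- -c "${CHROOTKILL}; ${POSTCMD}; … rm -rf ${CHROOTDIR}"` lines the steps are chained with `;`, so when the `umount ${CHROOTDIR}/proc` carried in `${POSTCMD}` fails (a process still holds it, or the kill loop did not finish) root goes on to `wipe`/`rm -rf` with the proc mount still live; refuse instead by prefixing the deletion inside the `su` string with `mountpoint -q ${CHROOTDIR}/proc && { echo 'proc still mounted, not deleting' >&2; exit 1; };`, and use `rm -rf --one-file-system -- "${CHROOTDIR:?}"` so an empty variable aborts loudly and the removal never crosses into a mount. The unconditional `add_postcmd "umount ${CHROOTDIR}/proc"` added above the `if` duplicates the one registered earlier when proc was mounted, so `umount` now runs twice on that path and once when nothing was mounted; both only print an error, but they bury the real failure in the output. The enclosing `if [ "x$answ" = "xY" ]` block begins before this hunk.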