From d46016d4a2e1436f9106048546e6ff9e0f76e72fca42adbc5abdf64345d0bde6 Mon Sep 17 00:00:00 2001
From: Sam Hadow
Date: Sat, 21 Dec 2024 16:26:31 +0100
Subject: [PATCH] selinux + security updates fedora
---
 automatic-updates.md | 51 ++++++++++++++++++++++++++++++++++++++++++++
 selinux.md | 29 +++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 automatic-updates.md
 create mode 100644 selinux.md
diff --git a/automatic-updates.md b/automatic-updates.md
new file mode 100644
index 0000000..8c083a4
--- /dev/null
+++ b/automatic-updates.md
@@ -0,0 +1,51 @@
+# fedora automatic security updates
+
+
+```
+sudo dnf install dnf-automatic
+```
+
+in /etc/dnf/automatic.conf
+
+```
+[commands]
+upgrade_type = security
+download_updates = yes
+apply_updates = yes
+reboot = never
+
+```
+```
+sudo systemctl enable --now dnf-automatic.timer
+```
+
+
+## change auto-update schedule
+
+in /usr/lib/systemd/system/dnf-automatic-install.timer
+
+```
+[Unit]
+Description=dnf-automatic-install timer
+# See comment in dnf-makecache.service
+ConditionPathExists=!/run/ostree-booted
+Wants=network-online.target
+
+[Timer]
+######################## LINE BELOW IS SCHEDULE
+OnCalendar=*-*-* 1:30 # everyday at 1:30 am
+########################
+RandomizedDelaySec=60m # randomized between 1:30 and 2:30
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+
+```
+
+check timers
+
+```
+systemctl list-timers # all timers
+systemctl cat dnf-automatic-install.timer # only auto-update timer
+```
diff --git a/selinux.md b/selinux.md
new file mode 100644
index 0000000..321c51b
--- /dev/null
+++ b/selinux.md
@@ -0,0 +1,29 @@
+## context
+```
+# ls -Z /bin/file
+unconfined_u:object_r:user_home_t:s0 /bin/file
+```
+list selinux context of file or directory
+user (unconfined_u), role (object_r), type (user_home_t), and level (s0)
+
+### change type context
+```
+# semanage fcontext -a -t bin_t /bin/file
+```
+apply change
+```
+# restorecon -vR /bin
+Relabeled /bin/file from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:bin_t:s0
+
+```
+
+### change user context
+```
+# semanage fcontext -m -t bin_t -s system_u /bin/file
+```
+apply change
+```
+# restorecon -vF /bin/file
+Relabeled /usr/bin/file from unconfined_u:object_r:bin_t:s0 to system_u:object_r:bin_t:s0
+# restorecon -R for recursive
+```
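Review bot: The inline comments on `OnCalendar=*-*-* 1:30 # everyday at 1:30 am` and `RandomizedDelaySec=60m # randomized between 1:30 and 2:30` in the [Timer] section are not unit-file syntax — systemd takes everything after `=` as the value, logs a parse failure and ignores the setting, and a timer left with no valid OnCalendar refuses to start; move each comment onto its own line, e.g. `# everyday at 1:30 am` directly above `OnCalendar=*-*-* 1:30`. The page also enables `dnf-automatic.timer` but reschedules `dnf-automatic-install.timer`, so the schedule edit does not affect the timer that was actually turned on. Editing the shipped unit under `/usr/lib/systemd/system` is fragile too, since a package update will presumably overwrite it; a drop-in created with `sudo systemctl edit dnf-automatic.timer` containing `[Timer]`, `OnCalendar=`, `OnCalendar=*-*-* 1:30` survives upgrades. It is worth adding a one-line caveat next to `reboot = never` that kernel and core-library security fixes are not in effect until the host is rebooted or the affected services restarted.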