Simplicity is a form of art... - Gentoo
https://blog.siphos.be/
Last updated: Tue, 22 Aug 2017 19:04:00 +0200

Switch to Gentoo sources
https://blog.siphos.be/2017/08/switch-to-gentoo-sources/
<p>You might already have read it on the Gentoo news site: the <a href="https://www.gentoo.org/news/2017/08/19/hardened-sources-removal.html">Hardened Linux kernel sources are removed from the tree</a> due to the <a href="http://grsecurity.net/">grsecurity</a> change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made for supportability and maintainability reasons.</p>
<p>That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. <a href="https://blogs.gentoo.org/ago/2017/08/21/sys-kernel-grsecurity-sources-available/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Agostino Sarubbo has started providing sys-kernel/grsecurity-sources</a> for the users who want to stick with it, as it is based on <a href="https://github.com/minipli/linux-unofficial_grsec">minipli's unofficial patchset</a>. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.</p>
<p>Personally though, I'm switching to the Gentoo sources, and sticking with SELinux as one of the protection measures.
And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - Minecraft - didn't work out that well).</p>
Sven Vermeulen - Tue, 22 Aug 2017 19:04:00 +0200
Tags: Gentoo, gentoo, hardened, grsecurity, selinux

Handling certificates in Gentoo Linux
https://blog.siphos.be/2017/03/handling-certificates-in-gentoo-linux/
<p>I recently created a new article on the Gentoo Wiki titled <a href="https://wiki.gentoo.org/wiki/Certificates">Certificates</a> which talks about how to handle certificate stores on Gentoo Linux. The write-up of the article (which might still change name later, because it does not handle <em>everything</em> about certificates, mostly how to handle certificate stores) was inspired by the observation that I had to adjust the certificate stores of both Chromium and Firefox separately, even though they both use NSS.</p>
Sven Vermeulen - Mon, 06 Mar 2017 22:20:00 +0100
Tags: Gentoo, gentoo, certificates, nss

Custom CIL SELinux policies in Gentoo
https://blog.siphos.be/2015/09/custom-cil-selinux-policies-in-gentoo/
<p>In Gentoo, we have been supporting <a href="https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file">custom policy packages</a> for a while now.
Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages by default (although <a href="https://wiki.gentoo.org/wiki/Binary_package_guide">binary packages</a> are supported as well).</p>
<p>A recent <a href="https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f2aa45db35bbf3a74f8db09ece9edac60e79ee4">commit</a> now also allows CIL files to be used.</p>
Sven Vermeulen - Thu, 10 Sep 2015 07:13:00 +0200
Tags: Gentoo, gentoo, cil, selinux, ebuild, eclass

Maintaining packages and backporting
https://blog.siphos.be/2015/09/maintaining-packages-and-backporting/
<p>A few days ago I committed a small update to <code>policycoreutils</code>, a SELinux related package that provides most of the management utilities for SELinux systems. The fix was to get two patches (which are committed upstream) into the existing release so that our users can benefit from the fixed issues without having to wait for a new release.</p>
Sven Vermeulen - Wed, 02 Sep 2015 20:33:00 +0200
Tags: Gentoo, gentoo, ebuild, patching

Slowly converting from GuideXML to HTML
https://blog.siphos.be/2015/08/slowly-converting-from-guidexml-to-html/
<p>Gentoo has removed its support of the older GuideXML format in favor of using the <a href="https://wiki.gentoo.org">Gentoo Wiki</a> and a new content management system for the main site (or is it static pages, I don't have the faintest idea to be honest). I do still have a few GuideXML pages in my development space, which I am going to move to HTML pretty soon.</p>
<p>In order to do so, I make use of the <a href="https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/xml/htdocs/xsl/guidexml2wiki.xsl?view=log">guidexml2wiki</a> stylesheet I <a href="http://blog.siphos.be/2013/02/transforming-guidexml-to-wiki/">developed</a>.
But instead of migrating it to wiki syntax, I want to end up with HTML.</p>
Sven Vermeulen - Tue, 25 Aug 2015 11:30:00 +0200
Tags: Gentoo, gentoo, guidexml, xml, xslt, rst, mediawiki, html

Finding a good compression utility
https://blog.siphos.be/2015/08/finding-a-good-compression-utility/
<p>I recently came across a <a href="http://catchchallenger.first-world.info//wiki/Quick_Benchmark:_Gzip_vs_Bzip2_vs_LZMA_vs_XZ_vs_LZ4_vs_LZO">wiki page</a> written by <a href="http://catchchallenger.first-world.info/wiki/User:Alpha_one_x86">Herman Brule</a> which gives a quick benchmark of a couple of compression methods / algorithms. It gave me the idea of writing a quick script that tests out a wide number of compression utilities available in Gentoo (usually through the <code>app-arch</code> category), with also a number of options (in case multiple options are possible).</p>
Sven Vermeulen - Thu, 13 Aug 2015 19:15:00 +0200
Tags: Gentoo, gentoo, compression

Live SELinux userspace ebuilds
https://blog.siphos.be/2015/06/live-selinux-userspace-ebuilds/
<p>In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc.
These live ebuilds (with Gentoo version 9999) pull in the current development code of the <a href="https://github.com/SELinuxProject/selinux">SELinux userspace</a> so that developers and contributors can already work with in-progress code developments as well as see how they work on a Gentoo platform.</p>
Sven Vermeulen - Wed, 10 Jun 2015 20:07:00 +0200
Tags: Gentoo, cil, Gentoo, selinux, userspace

Moving closer to 2.4 stabilization
https://blog.siphos.be/2015/04/moving-closer-to-2-4-stabilization/
<p>The <a href="https://github.com/SELinuxProject/selinux/wiki">SELinux userspace</a> project released version 2.4 in February this year, after release candidates had been tested for half a year. After its release, we at the <a href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Hardened</a> project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …</p>
Sven Vermeulen - Mon, 27 Apr 2015 19:18:00 +0200
Tags: Gentoo, 2.4, Gentoo, hardened, selinux, userspace

Trying out Pelican, part one
https://blog.siphos.be/2015/03/trying-out-pelican-part-one/
<p>One of the goals I've set myself to do this year (not as a new year resolution though, I *really* want to accomplish this ;-) is to move my blog from Wordpress to a statically built website. And <a href="http://docs.getpelican.com/en/3.5.0/">Pelican</a> looks to be a good solution to do so. It's based on …</p>
Sven Vermeulen - Fri, 06 Mar 2015 20:02:00 +0100
Tags: Gentoo, blog, Gentoo, haskell, pandoc, pelican, wordpress

Have dhcpcd wait before backgrounding
https://blog.siphos.be/2015/02/have-dhcpcd-wait-before-backgrounding/
<p>Many of my systems use DHCP for obtaining IP addresses.
Even though they all receive a static IP address, it allows me to have them moved over (migrations), use TFTP boot, cloning (in case of quick testing), etc. But one of the things that was making my efforts somewhat more …</p>
Sven Vermeulen - Sun, 08 Feb 2015 16:50:00 +0100
Tags: Gentoo, dhcp, dhcpcd, Gentoo

Old Gentoo system? Not a problem...
https://blog.siphos.be/2015/01/old-gentoo-system-not-a-problem/
<p>If you have a very old Gentoo system that you want to upgrade, you might have some issues with too old software and Portage which can't just upgrade to a recent state. Although many methods exist to work around it, one that I have found to be very useful is …</p>
Sven Vermeulen - Wed, 21 Jan 2015 23:05:00 +0100
Tags: Gentoo, Gentoo, portage, snapshot, tree

Gentoo Handbooks almost moved to wiki
https://blog.siphos.be/2014/12/gentoo-handbooks-almost-moved-to-wiki/
<p>Content-wise, the move is done. I've done a few checks on the content to see if the structure still holds, translations are enabled on all pages, the use of partitions is sufficiently consistent for each architecture, and so on. The result can be seen on <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">the gentoo handbook main page …</a></p>
Sven Vermeulen - Fri, 12 Dec 2014 17:35:00 +0100
Tags: Gentoo, Gentoo, handbook, wiki

Sometimes I forget how important communication is
https://blog.siphos.be/2014/12/sometimes-i-forget-how-important-communication-is/
<p>Free software (and documentation) developers don't always have all the time they want. Instead, they grab whatever time they have to do what they believe is the most productive - be it documentation editing, programming, updating ebuilds, SELinux policy improvements and what not.
But they often don't take the time to …</p>
Sven Vermeulen - Wed, 10 Dec 2014 20:38:00 +0100
Tags: Gentoo, communication, developer, Gentoo, selinux, time

No more DEPENDs for SELinux policy package dependencies
https://blog.siphos.be/2014/11/no-more-depends-for-selinux-policy-package-dependencies/
<p>I just finished updating 102 packages. The change? Removing the following from the ebuilds:</p>
<div class="highlight"><pre><code>DEPEND=&quot;selinux? ( sec-policy/selinux-${packagename} )&quot;</code></pre></div>
<p>In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed …</p>
Sven Vermeulen - Sun, 02 Nov 2014 14:51:00 +0100
Tags: Gentoo, DEPEND, ebuild, Gentoo, RDEPEND, selinux

Migrating to SELinux userspace 2.4 (small warning for users)
https://blog.siphos.be/2014/10/migrating-to-selinux-userspace-2-4-small-warning-for-users/
<p>In a few moments, SELinux users who have the ~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed …</p>
Sven Vermeulen - Thu, 30 Oct 2014 19:44:00 +0100
Tags: Gentoo, cil, Gentoo, migrate, selinux, semanage, upgrade, userspace

Showing return code in PS1
https://blog.siphos.be/2014/08/showing-return-code-in-ps1/
<p>If you do daily management on Unix/Linux systems, then checking the return code of a command is something you'll do often.
If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing …</p>
Sven Vermeulen - Sun, 31 Aug 2014 01:14:00 +0200
Tags: Gentoo, bash, ps1, rc, shell

Gentoo Hardened august meeting
https://blog.siphos.be/2014/08/gentoo-hardened-august-meeting/
<p>Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.</p>
<p><em>Lead elections</em></p>
<p>The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)</p>
<p><em>Toolchain</em></p>
<p>blueness (Anthony G …</p>
Sven Vermeulen - Fri, 29 Aug 2014 16:43:00 +0200
Tags: Gentoo, Gentoo, hardened, irc, meeting

Switching to new laptop
https://blog.siphos.be/2014/08/switching-to-new-laptop/
<p>I'm slowly but surely starting to switch to a new laptop. The old one hasn't completely died (yet) but given that I had to force its CPU frequency to the lowest Hz or the CPU would burn (and the system suddenly shut down due to heat issues), and that the …</p>
Sven Vermeulen - Tue, 19 Aug 2014 22:11:00 +0200
Tags: Gentoo, efi, Gentoo, laptop

Some changes under the hood
https://blog.siphos.be/2014/08/some-changes-under-the-hood/
<p>In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.</p>
<p>First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is ~arch).
These have a few updates (merges from upstream), and r5 also …</p>
Sven Vermeulen - Sat, 09 Aug 2014 21:45:00 +0200
Tags: Gentoo, eclass, Gentoo, git, hardened, refpolicy, selinux

Gentoo Hardened July meeting
https://blog.siphos.be/2014/08/gentoo-hardened-july-meeting/
<p>I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.</p>
<p><em>Toolchain</em></p>
<p>GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with …</p>
Sven Vermeulen - Fri, 01 Aug 2014 21:48:00 +0200
Tags: Gentoo, Gentoo, hardened, irc, meeting

Multilib in Gentoo
https://blog.siphos.be/2014/07/multilib-in-gentoo/
<p>One of the areas in Gentoo that is seeing lots of active development is its ongoing effort to have proper <a href="https://wiki.gentoo.org/wiki/Project:Multilib">multilib support</a> throughout the tree. In the past, this support was provided through special emulation packages, but those have the (serious) downside that they are often outdated, sometimes even having …</p>
Sven Vermeulen - Wed, 02 Jul 2014 21:03:00 +0200
Tags: Gentoo

Gentoo Hardened, June 2014
https://blog.siphos.be/2014/06/gentoo-hardened-june-2014/
<p>Friday the <a href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Hardened</a> project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.</p>
<p>On the <strong>toolchain</strong> part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default.
The hardened profiles will still have a different …</p>
Sven Vermeulen - Sun, 15 Jun 2014 21:28:00 +0200
Tags: Gentoo, Gentoo, hardened, irc, meeting

Revamped our SELinux documentation
https://blog.siphos.be/2014/05/revamped-our-selinux-documentation/
<p>In the move to the <a href="https://wiki.gentoo.org">Gentoo wiki</a>, I have updated and revamped most of our SELinux documentation. The end result can be seen through the <a href="https://wiki.gentoo.org/wiki/SELinux">main SELinux page</a>. Most of the content is below this page (as subpages).</p>
<p>We start with a new <a href="https://wiki.gentoo.org/wiki/SELinux/Quick_introduction">introduction to SELinux</a> article which goes over …</p>
Sven Vermeulen - Mon, 12 May 2014 22:15:00 +0200
Tags: Gentoo, documentation, Gentoo, selinux, wiki

Dropping sesandbox support
https://blog.siphos.be/2014/05/dropping-sesandbox-support/
<p>A <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215">vulnerability in seunshare</a>, part of <code>policycoreutils</code>, came to light recently (through <a href="https://bugs.gentoo.org/show_bug.cgi?id=509896">bug 509896</a>). The issue is actually within <code>libcap-ng</code>, but the specific situation in which the vulnerability can be exploited is only available in <code>seunshare</code>.</p>
<p>Now, <code>seunshare</code> is not built by default on Gentoo. You need to define <code>USE …</code></p>
Sven Vermeulen - Fri, 09 May 2014 21:03:00 +0200
Tags: Gentoo, Gentoo, hardened, policycoreutils, selinux, seunshare, vulnerability

Stepping through the build process with ebuild
https://blog.siphos.be/2014/04/stepping-through-the-build-process-with-ebuild/
<p>Today I had to verify a patch that I pushed upstream but which was slightly modified.
As I don't use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream …</p>
Sven Vermeulen - Sun, 20 Apr 2014 11:59:00 +0200
Tags: Gentoo, ebuild, phase, portage

Proof of concept for USE enabled policies
https://blog.siphos.be/2014/03/proof-of-concept-for-use-enabled-policies/
<p><em>tl;dr:</em> Some (<code>-9999</code>) policy ebuilds now have <code>USE</code> support for building in (or leaving out) SELinux policy statements.</p>
<p>One of the "problems" I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a "least privilege" policy that …</p>
Sven Vermeulen - Mon, 31 Mar 2014 18:33:00 +0200
Tags: Gentoo, alsa, policy, selinux

Online hardened meeting of March
https://blog.siphos.be/2014/03/online-hardened-meeting-of-march/
<p>I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.</p>
<p><em>Toolchain</em></p>
<p>GCC 4.9 is being worked on, and might be released by the end of April (based on the amount of open bugs). You can find the <a href="http://gcc.gnu.org/gcc-4.9/changes.html">changes …</a></p>
Sven Vermeulen - Thu, 27 Mar 2014 23:44:00 +0100
Tags: Gentoo, Gentoo, hardened, irc, meeting

Fixing the busybox build failure
https://blog.siphos.be/2014/03/fixing-the-busybox-build-failure/
<p>For a few months now I have had a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate <code>/usr</code> and LVM for everything except <code>/boot</code>):</p>
<div class="highlight"><pre><code>* busybox: &gt;&gt; Compiling...
* ERROR: Failed to compile the &quot;all&quot; target...
*
* -- Grepping log... --
*
* - busybox-1.7.4-signal-hack.patch …</code></pre></div>
Sven Vermeulen - Wed, 26 Mar 2014 14:18:00 +0100
Tags: Gentoo, busybox, genkernel, Gentoo, initramfs, initrd, noexec, tmp

Create your own SELinux Gentoo profile
https://blog.siphos.be/2014/03/create-your-own-selinux-gentoo-profile/
<p>Or any other profile for that matter ;-)</p>
<p>A month or so ago we got the question of how to enable SELinux on a Gentoo profile that doesn't have a <code>&lt;some profilename&gt;/selinux</code> equivalent. Because we don't create SELinux profiles for all possible profiles out there, having a way to do this …</p>
Sven Vermeulen - Mon, 24 Mar 2014 21:51:00 +0100
Tags: Gentoo, Gentoo, profile

Hidden symbols and dynamic linking
https://blog.siphos.be/2014/03/hidden-symbols-and-dynamic-linking/
<p>A few weeks ago, we introduced an error in the (~arch) <code>libselinux</code> ebuild which caused the following stacktrace to occur every time the <strong>semanage</strong> command was invoked:</p>
<div class="highlight"><pre><code>~ # semanage
Traceback (most recent call last):
  File &quot;/usr/lib/python-exec/python2.7/semanage&quot;, line 27, in &lt;module&gt;
    import seobject
  File &quot;/usr/lib64/python2.7 …</code></pre></div>
Sven Vermeulen - Mon, 24 Mar 2014 21:14:00 +0100
Tags: Gentoo, elf, hidden, selinux, symbols

Closing week? No, starting week...
https://blog.siphos.be/2014/03/closing-week-no-starting-week/
<p>I've been away for a while, and this week will (hopefully) be the last week of all the effort that is causing this. And that means I'll get back to blogging, documentation development, SELinux integration, SELinux policy development and more.
To be honest, I'm eagerly awaiting this moment of getting …</p>
Sven Vermeulen - Sun, 16 Mar 2014 21:36:00 +0100
Tags: Gentoo

Can Gentoo play a role in a RHEL-only environment?
https://blog.siphos.be/2014/01/can-gentoo-play-a-role-in-a-rhel-only-environment/
<p>Sounds like a stupid question, as the answer is already in the title. If a company has only RedHat Enterprise Linux as the allowed / supported Linux platform (be it for a support model requirement, ISV certification, management tooling support or what not), how could or would Gentoo still play a role …</p>
Sven Vermeulen - Thu, 09 Jan 2014 04:13:00 +0100
Tags: Gentoo, Gentoo, linux, vappliance, virtual-appliance

Upgrading old Gentoo installations
https://blog.siphos.be/2013/12/upgrading-old-gentoo-installations/
<p>Today I got "pinged" on <a href="https://bugs.gentoo.org/show_bug.cgi?id=463240">bug #463240</a> about the difficulty of upgrading a Gentoo Linux deployment after a long time of inactivity on the system. We already have an <a href="https://wiki.gentoo.org/wiki/Upgrading_Gentoo">Upgrading Gentoo</a> article on the Gentoo wiki that describes in great detail how upgrades can be accomplished.
But one of the …</p>
Sven Vermeulen - Sun, 29 Dec 2013 14:18:00 +0100
Tags: Gentoo, Gentoo, portage, snapshot, upgrade

December hardened meeting
https://blog.siphos.be/2013/12/december-hardened-meeting/
<p>Yesterday evening (UTC, that is) the members of the <a href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Hardened</a> project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.</p>
<p><em>Toolchain</em></p>
<p>A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.</p>
<p>And …</p>
Sven Vermeulen - Fri, 20 Dec 2013 10:20:00 +0100
Tags: Gentoo, Gentoo, hardened, irc, meeting, online

GPT or MBR in the Gentoo Handbook
https://blog.siphos.be/2013/12/gpt-or-mbr-in-the-gentoo-handbook/
<p>I just committed a set of changes against the Gentoo Handbook (x86 and amd64) with the intent to have better instructions on GPT (GUID Partition Table) layout versus MBR (Master Boot Record) or MSDOS-style layout.</p>
<p>The part on "Preparing the Disks" saw the most changes. It starts with explaining the …</p>
Sven Vermeulen - Wed, 18 Dec 2013 12:25:00 +0100
Tags: Gentoo, documentation, fdisk, gdp, Gentoo, gpt, handbook, mbr, parted

Gentoo SELinux policy release script
https://blog.siphos.be/2013/12/gentoo-selinux-policy-release-script/
<p>A few months ago, I wrote a small script that aids in the creation of new SELinux policy packages.
The script is in the <a href="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=summary">repository</a> itself, in the <code>gentoo/</code> subdirectory, and is called <code>release-prepare.sh</code>.</p>
<p>The reason for the script is that there are a number of steps to perform …</p>
Sven Vermeulen - Wed, 11 Dec 2013 18:37:00 +0100
Tags: Gentoo, Gentoo, hardened, policy, release, selinux

November online hardened meeting
https://blog.siphos.be/2013/12/november-online-hardened-meeting/
<p>Later than usual, as I wasn't able to make the meeting myself (and thus had to wait for the meeting logs in order to draft this summary), but here it is. The next meeting is scheduled for next week, btw ;-)</p>
<p><em>Toolchain</em></p>
<p>The 4.8.2 ebuild for GCC is available …</p>
Sven Vermeulen - Wed, 11 Dec 2013 12:12:00 +0100
Tags: Gentoo, Gentoo, hardened, irc, meeting, online

New SELinux userspace release
https://blog.siphos.be/2013/11/new-selinux-userspace-release-2/
<p>Within the hour, Gentoo users using the ~arch branch will notice that new versions of the <a href="http://userspace.selinuxproject.org/trac/wiki/Releases">SELinux userspace applications</a> are now available. Released on October 30th, they contain many bug fixes sent previously as well as a couple of interesting developments and enhancements (more work on sepolicy, for …</p>
Sven Vermeulen - Tue, 05 Nov 2013 00:06:00 +0100
Tags: Gentoo

Gentoo Hardened meeting 201310
https://blog.siphos.be/2013/10/gentoo-hardened-meeting-201310/
<p>We gathered online again to talk about the progress, changes and other stuff related to the <a href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Hardened</a> project.</p>
<p><em>New Developer</em></p>
<p>We welcomed Zero_Chaos as a new addition to our team.
A big welcome, with the usual IRC kick in between, ensued.</p>
<p><em>Toolchain</em></p>
<p>GCC 4.8.x is unmasked and ready …</p>
Sven Vermeulen - Thu, 24 Oct 2013 23:25:00 +0200
Tags: Gentoo, Gentoo, hardened, irc, meeting, online

A bug please...
https://blog.siphos.be/2013/09/a-bug-please/
<p>I know contacting me (or other developers) through IRC is often fast, but having a bug report on our <a href="https://bugs.gentoo.org">bugzilla</a> is very important to me and other developers. Allow me to explain a bit why.</p>
<p>First of all, <em>IRC is ephemeral</em>. If we are not immediately on IRC noticing it …</p>
Sven Vermeulen - Mon, 30 Sep 2013 21:53:00 +0200
Tags: Gentoo, bugreport, bugs, bugzilla, Gentoo

Aaaand we're back - hardened monthly meeting
https://blog.siphos.be/2013/09/aaaand-were-back-hardened-monthly-meeting/
<p>It almost feels like we had our monthly online meeting just a week ago. Below is a small write-up of the highlights. If you want to know the gory details, just wait a few hours/days until the IRC logs are sent out ;-) Now remember, the project does more than what …</p>
Sven Vermeulen - Thu, 26 Sep 2013 22:22:00 +0200
Tags: Gentoo, hardened, irc, meeting

Underestimated or underused: Portage (e)logging
https://blog.siphos.be/2013/09/underestimated-or-underused-portage-elogging/
<p>Within 30 minutes of each other, two people on the <code>#gentoo</code> channel asked if Portage kept logs of the messages displayed during the build and installation of a package.
Of course, the answer is a resounding "yes" - and depending on your needs, you can even save more of the logging …</p>
Sven Vermeulen - Wed, 25 Sep 2013 10:09:00 +0200
Tags: Gentoo, elog, Gentoo, logging, portage

Gentoo Hardened progress report
https://blog.siphos.be/2013/08/gentoo-hardened-progress-report/
<p>Today, we had our monthly online meeting to discuss the progress amongst the various Gentoo Hardened projects. As usual, here is a small write-up.</p>
<p><em>Lead election</em></p>
<p>As every year, we also reviewed the current project leads. No surprises here, everybody is happy with the current leads so they are re-elected …</p>
Sven Vermeulen - Thu, 29 Aug 2013 20:27:00 +0200
Tags: Gentoo, Gentoo, hardened, irc, meeting, minutes, progress_report, report

Why our policies don't like emerge --config
https://blog.siphos.be/2013/08/why-our-policies-dont-like-emerge-config/
<p>One of the features that Portage provides is to have post-processing done on request of the administrator for certain packages. For instance, for the <code>dev-db/postgresql-server</code> package we can call its <code>pkg_config()</code> phase to create the PostgreSQL instance and configure it so that the configuration of the database is stored …</p>
Sven Vermeulen - Fri, 23 Aug 2013 11:53:00 +0200
Tags: Gentoo, Gentoo, pkg_config, portage, selinux

Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?
https://blog.siphos.be/2013/08/using-custom_buildopt-in-refpolicy-for-use-flag-alike-functionality/
<p>As you are probably aware, Gentoo uses the <a href="http://oss.tresys.com/projects/refpolicy/">reference policy</a> as its base for SELinux policies.
Yes, we do customize it and not everything is already pushed upstream (for instance, our approach to use <code>xdg_*_home_t</code> customizable types to further restrict user application access has been sent up for comments …</p>
Sven Vermeulen - Fri, 16 Aug 2013 09:17:00 +0200
Tags: Gentoo, boolean, Gentoo, policy, selinux, use, useflag

And now, 31 days later...
https://blog.siphos.be/2013/08/and-now-31-days-later/
<p>... the <a href="http://www.gentoo.org/proj/en/hardened">Gentoo Hardened</a> team had its monthly online meeting again ;-)</p>
<p>On the agenda were the usual suspects, such as the <em>toolchain</em>. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the <code>hardenedno*</code> and vanilla <code>gcc-config</code> options which will be added to the tree …</p>
Sven Vermeulen - Thu, 01 Aug 2013 22:43:00 +0200
Tags: Gentoo, Gentoo, grsecurity, hardened, irc, irl, meeting, minutes, pax, project, selinux, toolchain

Adding mcstrans to Gentoo
https://blog.siphos.be/2013/07/adding-mcstrans-to-gentoo/
<p>If you use SELinux, you might be using an MLS-enabled policy. These are policies that support sensitivity labels on resources and domains. In Gentoo, these are supported in the <code>mcs</code> and <code>mls</code> policy stores. Now sensitivity ranges are fun to work with, but the moment you have several sensitivity levels …</p>
Sven Vermeulen - Sun, 07 Jul 2013 20:38:00 +0200
Tags: Gentoo, categories, mcs, mcstrans, mls, selinux, sensitivity

Hardening is our business... new monthly report ;-)
https://blog.siphos.be/2013/06/hardening-is-our-business-new-monthly-report/
<p>We're back with another report on the <a href="http://www.gentoo.org/proj/en/hardened">Gentoo Hardened</a> project.
Please excuse my brevity; as you've noticed I'm not that active (yet) due to work on an external project - I'll be back mid-July though. I promise.</p>
<p>On the <em>Toolchain</em> side, GCC 4.8.1 is in the tree and has …</p>
Sven Vermeulen - Thu, 27 Jun 2013 23:03:00 +0200
Tags: Gentoo, Gentoo, hardened, irc, meeting, progress

Gentoo Hardened spring notes
https://blog.siphos.be/2013/05/gentoo-hardened-spring-notes/
<p>We got back together on the <code>#gentoo-hardened</code> chat channel to discuss the progress of <a href="http://www.gentoo.org/proj/en/hardened">Gentoo Hardened</a>, so it's time for another write-up of what was said.</p>
<p><em>Toolchain</em></p>
<p>GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …</p>
Sven Vermeulen - Thu, 16 May 2013 22:54:00 +0200
Tags: Gentoo, Gentoo, hardened, irc, meeting, monthly, online

Overriding the default SELinux policies
https://blog.siphos.be/2013/05/overriding-the-default-selinux-policies/
<p>Extending SELinux policies with additional rules is easy. As SELinux uses a <em>deny by default</em> approach, all you need to do is <a href="https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file">create a policy module</a> that contains the additional (allow) rules, load it and you're all set. But what if you want to remove some rules?</p>
<p>Well, sadly …</p>
Sven Vermeulen - Wed, 15 May 2013 03:50:00 +0200
Tags: Gentoo, ebuild, epatch_user, Gentoo, override, patch, policy, selinux

Gentoo metadata support for CPE
https://blog.siphos.be/2013/05/gentoo-metadata-support-for-cpe/
<p>Recently, the <code>metadata.xml</code> file syntax definition (the DTD for those that know a bit of XML) has been updated to support CPE definitions.
A <a href="https://nvd.nist.gov/cpe.cfm">CPE</a> (Common Platform Enumeration) is an identifier that <a href="http://cpe.mitre.org/specification/index.html">describes</a> an application, operating system or hardware device using its vendor, product name, version, update, edition and …</p>
Author: Sven Vermeulen
Published: Fri, 10 May 2013 03:50:00 +0200
ID: tag:blog.siphos.be,2013-05-10:/2013/05/gentoo-metadata-support-for-cpe/
Categories: Gentoo, cpe, cve, Gentoo, metadata, security

Title: New SELinux userspace release
Link: https://blog.siphos.be/2013/04/new-selinux-userspace-release/
<p>A new <a href="http://userspace.selinuxproject.org/trac/wiki/Releases">release</a> of the SELinux userspace utilities was recently announced. I have made the packages for Gentoo available and they should now be in the main tree (~arch of course). During the testing of the packages however, I made a stupid mistake of running the tests on the wrong …</p>
Author: Sven Vermeulen
Published: Fri, 26 Apr 2013 03:50:00 +0200
ID: tag:blog.siphos.be,2013-04-26:/2013/04/new-selinux-userspace-release/
Categories: Gentoo, automation, regression, release, selinux, test, testing, userspace

Title: Gentoo protip: using buildpkgonly
Link: https://blog.siphos.be/2013/04/gentoo-protip-using-buildpkgonly/
<p>If you don't want to have the majority of builds run in the background while you are busy on the system, but you don't want to automatically install software in the background when you are not behind your desk, then perhaps you can settle for using <a href="https://wiki.gentoo.org/wiki/Binary_package_guide">binary packages</a>. I'm not …</p>
Author: Sven Vermeulen
Published: Thu, 25 Apr 2013 03:50:00 +0200
ID: tag:blog.siphos.be,2013-04-25:/2013/04/gentoo-protip-using-buildpkgonly/
Categories: Gentoo, binpkg, emerge, Gentoo, protip

Title: SLOT'ing the old swig-1
Link: https://blog.siphos.be/2013/04/sloting-the-old-swig-1/
<p>The <a href="http://www.swig.org">SWIG</a> tool helps developers in building interfaces/libraries that can be accessed from many other languages than the ones the library is initially written in or for.
The SELinux userland utility <a href="http://oss.tresys.com/projects/setools">setools</a> uses it to provide Python and Ruby interfaces even though the application itself is written in C …</p>
Author: Sven Vermeulen
Published: Tue, 23 Apr 2013 03:50:00 +0200
ID: tag:blog.siphos.be,2013-04-23:/2013/04/sloting-the-old-swig-1/
Categories: Gentoo, Gentoo, selinux, setools, slot, swig

Title: Introducing selocal for small SELinux policy enhancements
Link: https://blog.siphos.be/2013/04/introducing-selocal-for-small-selinux-policy-enhancements/
<p>When working with a SELinux-enabled system, administrators will eventually need to make small updates to the existing policy. Instead of building their own full policy (always an option, but most likely not maintainable in the long term) one or more SELinux policy modules are created (most distributions use a modular …</p>
Author: Sven Vermeulen
Published: Sun, 21 Apr 2013 03:50:00 +0200
ID: tag:blog.siphos.be,2013-04-21:/2013/04/introducing-selocal-for-small-selinux-policy-enhancements/
Categories: Gentoo, Gentoo, policy, selinux, selocal

Title: Transforming GuideXML to DocBook
Link: https://blog.siphos.be/2013/04/transforming-guidexml-to-docbook/
<p>I recently <a href="http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/xml/htdocs/xsl/docbook.xsl?sortby=date&amp;view=log">committed</a> an XSL stylesheet that allows us to transform the GuideXML documents (both guides and handbooks) to DocBook. This isn't part of a more elaborate move to try and push DocBook instead of GuideXML for the Gentoo Documentation though (I'd rather direct documentation development more to the Gentoo …</p>
Author: Sven Vermeulen
Published: Sat, 20 Apr 2013 03:50:00 +0200
ID: tag:blog.siphos.be,2013-04-20:/2013/04/transforming-guidexml-to-docbook/
Categories: Gentoo, docbook, Gentoo, guidexml, pdf, xsl

Title: Another Gentoo Hardened month has passed
Link: https://blog.siphos.be/2013/04/another-gentoo-hardened-month-has-passed/
<p>Another month has passed, so time to mention again what we have all been doing lately ;-)</p>
<p><em>Toolchain</em></p>
<p>Version 4.8 of GCC is available in the tree, but currently masked.
The package contains a fix needed to build hardened-sources, and a fix for the asan (address sanitizer). <a href="http://www.internetnews.com/blog/skerner/open-source-gcc-4.8-compiler-including-address-sanitizer-security.html">asan</a> support in …</p>
Author: Sven Vermeulen
Published: Thu, 18 Apr 2013 23:36:00 +0200
ID: tag:blog.siphos.be,2013-04-18:/2013/04/another-gentoo-hardened-month-has-passed/
Categories: Gentoo, asan, gcc, Gentoo, grsecurity, hardened, integrity, irc, meeting, pax, selinux, uderef

Title: Not needing run_init for password-less service management
Link: https://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/
<p>One of the things that has been bugging me was why, even with having <code>pam_rootok.so</code> set in <code>/etc/pam.d/run_init</code>, I cannot enjoy passwordless service management without using <strong>run_init</strong> directly:</p>
<div class="highlight"><pre><code># rc-service postgresql-9.2 status
Authenticating root.
Password:
# run_init rc-service postgresql-9.2 status
Authenticating root.
* status: started
</code></pre></div>
<p>So I …</p>
Author: Sven Vermeulen
Published: Tue, 09 Apr 2013 22:14:00 +0200
ID: tag:blog.siphos.be,2013-04-09:/2013/04/not-needing-run_init-for-password-less-service-management/
Categories: Gentoo, Gentoo, hardened, pam, rootok, run_init, selinux

Title: Separate puppet provider for Gentoo/SELinux?
Link: https://blog.siphos.be/2013/04/separate-puppet-provider-for-gentooselinux/
<p>While slowly transitioning my playground infrastructure towards Puppet, I already am in process of creating a custom provider for things such as services. Puppet uses providers as "implementations" for the functions Puppet needs.
For instance, for the <em>service</em> type (which handles init script services), there are providers for RedHat, Debian …</p>
Author: Sven Vermeulen
Published: Sun, 07 Apr 2013 19:22:00 +0200
ID: tag:blog.siphos.be,2013-04-07:/2013/04/separate-puppet-provider-for-gentooselinux/
Categories: Gentoo, Gentoo, openrc, provider, puppet, selinux

Title: Matching packages with CVEs
Link: https://blog.siphos.be/2013/04/matching-packages-with-cves/
<p>I've come across a few posts on forums (Gentoo and elsewhere) asking why Gentoo doesn't make security-related patches on the tree. Some people think this is the case because they do not notice (m)any GLSAs, which are Gentoo's security advisories. However, it isn't that Gentoo doesn't push out security …</p>
Author: Sven Vermeulen
Published: Thu, 04 Apr 2013 21:44:00 +0200
ID: tag:blog.siphos.be,2013-04-04:/2013/04/matching-packages-with-cves/
Categories: Gentoo

Title: Fiddling with puppet apply
Link: https://blog.siphos.be/2013/03/fiddling-with-puppet-apply/
<p>As part of a larger exercise, I am switching my local VM set from a more-or-less scripted manual configuration towards a fully Puppet-powered one. Of course, it still uses a lot of custom modules and is most likely too ugly to expose to the wider internet, but it does seem …</p>
Author: Sven Vermeulen
Published: Wed, 20 Mar 2013 12:31:00 +0100
ID: tag:blog.siphos.be,2013-03-20:/2013/03/fiddling-with-puppet-apply/
Categories: Gentoo, provider, puppet, selinux, service

Title: Gentoo Hardened progress meeting of march 2013
Link: https://blog.siphos.be/2013/03/gentoo-hardened-progress-meeting-of-march-2013/
<p>Another month has passed, so time for a new progress meeting...</p>
<p><strong>Toolchain</strong></p>
<p>GCC v4.7 has been unmasked, allowing a large set of users to test out the new GCC. It is also expected that GCC 4.8-rc1 will hit the tree next week.
In the hardened-dev overlay, hardened support …</p>
Author: Sven Vermeulen
Published: Thu, 07 Mar 2013 22:46:00 +0100
ID: tag:blog.siphos.be,2013-03-07:/2013/03/gentoo-hardened-progress-meeting-of-march-2013/
Categories: Gentoo, Gentoo, grsecurity, hardened, kernel, pax, profiles, selinux, toolchain

Title: Uploading selinuxnode test VM
Link: https://blog.siphos.be/2013/02/uploading-selinuxnode-test-vm/
<p>At the time of writing (but I'll delay the publication of this post a few hours), I'm uploading a new SELinux-enabled KVM guest image. This is not an update on the previous image though (it's a reinstalled system - after all, I use VMs for testing, so it makes sense to …</p>
Author: Sven Vermeulen
Published: Mon, 25 Feb 2013 03:05:00 +0100
ID: tag:blog.siphos.be,2013-02-25:/2013/02/uploading-selinuxnode-test-vm/
Categories: Gentoo, evm, Gentoo, grsecurity, hardened, ima, kvm, selinux, virtual

Title: Working on a new selinuxnode VM
Link: https://blog.siphos.be/2013/02/working-on-a-new-selinuxnode-vm/
<p>A long time ago, I made a <a href="http://distfiles.gentoo.org/experimental/amd64/qemu-selinux/">SELinux enabled VM</a> for people to play with, displaying a minimal Gentoo installation, including the hardening features it supports (PIE/PIC toolchain, grSecurity, PaX and SELinux). I'm currently trying to create a new one, which also includes IMA/EVM, but it looks like …</p>
Author: Sven Vermeulen
Published: Sat, 23 Feb 2013 14:04:00 +0100
ID: tag:blog.siphos.be,2013-02-23:/2013/02/working-on-a-new-selinuxnode-vm/
Categories: Gentoo, evm, Gentoo, hardened, ima, selinux, selinuxnode, vm

Title: Transforming GuideXML to wiki
Link: https://blog.siphos.be/2013/02/transforming-guidexml-to-wiki/
<p>The <a href="http://www.gentoo.org">Gentoo project</a> has its own <a href="https://wiki.gentoo.org">official wiki</a> for some time now, and we are going to use it more and more in the next few months.
For instance, in the last Gentoo Hardened meeting, we already discussed that most user-oriented documentation should be put on the wiki, and I've …</p>
Author: Sven Vermeulen
Published: Tue, 12 Feb 2013 20:12:00 +0100
ID: tag:blog.siphos.be,2013-02-12:/2013/02/transforming-guidexml-to-wiki/
Categories: Gentoo, Gentoo, guidexml, stylesheet, wiki, xml, xsl

Title: Gentoo Hardened goes onward (aka project meeting)
Link: https://blog.siphos.be/2013/02/gentoo-hardened-goes-onward-aka-project-meeting/
<p>It's been a while again, so time for another Gentoo Hardened online progress meeting.</p>
<p><em>Toolchain</em></p>
<p>GCC 4.8 is on development stage 4, so the hardened patches will be worked on next week. Some help on it is needed to test the patches on ARM, PPC and MIPS though. For …</p>
Author: Sven Vermeulen
Published: Thu, 07 Feb 2013 23:40:00 +0100
ID: tag:blog.siphos.be,2013-02-07:/2013/02/gentoo-hardened-goes-onward-aka-project-meeting/
Categories: Gentoo, Gentoo, grsecurity, hardened, kernel, meeting, minutes, online, pax, profiles, selinux

Title: IMA and EVM on Gentoo, part 2
Link: https://blog.siphos.be/2012/12/ima-and-evm-on-gentoo-part-2/
<p>I have been playing with <a href="https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page">Linux IMA/EVM</a> on a Gentoo Hardened (with SELinux) system for a while and have been documenting what I think is interesting/necessary for Gentoo Linux users when they want to use IMA/EVM as well. Note that the documentation of the Linux IMA/EVM …</p>
Author: Sven Vermeulen
Published: Sat, 29 Dec 2012 23:42:00 +0100
ID: tag:blog.siphos.be,2012-12-29:/2012/12/ima-and-evm-on-gentoo-part-2/
Categories: Gentoo

Title: Gentoo Hardened IMA support
Link: https://blog.siphos.be/2012/12/gentoo-hardened-ima-support/
<p>Adventurous users, contributors and developers can enable the <em>Integrity Measurement Architecture</em> subsystem in the Linux kernel with appraisal (since Linux kernel 3.7).
In an attempt to support IMA (and EVM and other technologies) properly, the <a href="http://www.gentoo.org/proj/en/hardened/integrity/index.xml">System Integrity</a> subproject within <a href="http://www.gentoo.org/proj/en/hardened">Gentoo Hardened</a> was launched a few months ago. And now …</p>
Author: Sven Vermeulen
Published: Thu, 27 Dec 2012 22:40:00 +0100
ID: tag:blog.siphos.be,2012-12-27:/2012/12/gentoo-hardened-ima-support/
Categories: Gentoo

Title: Switching policy types in Gentoo/SELinux
Link: https://blog.siphos.be/2012/12/switching-policy-types-in-gentooselinux/
<p>When you are running Gentoo with SELinux enabled, you will be running with a particular policy type, which you can derive from either <code>/etc/selinux/config</code> or from the output of the <strong>sestatus</strong> command. As a user on our IRC channel had some issues converting his strict-policy system to mcs …</p>
Author: Sven Vermeulen
Published: Thu, 20 Dec 2012 11:31:00 +0100
ID: tag:blog.siphos.be,2012-12-20:/2012/12/switching-policy-types-in-gentooselinux/
Categories: Gentoo

Title: Another hardened month has passed...
Link: https://blog.siphos.be/2012/12/another-hardened-month-has-passed/
<p>... so it's time for a new update ;-)</p>
<p><em>Toolchain</em></p>
<p>GCC 4.8 is still in its stage 3 development phase, so Zorry will send out the patches to the GCC development community when this phase is done. For Gentoo hardened itself, we now support all architectures except for IA64 (which never …</p>
Author: Sven Vermeulen
Published: Thu, 13 Dec 2012 10:02:00 +0100
ID: tag:blog.siphos.be,2012-12-13:/2012/12/another-hardened-month-has-passed/
Categories: Gentoo

Title: Why you need the real_* thing with genkernel
Link: https://blog.siphos.be/2012/11/why-you-need-the-real_-thing-with-genkernel/
<p>Today it bit me. I rebooted my workstation, and all hell broke loose. Well, actually, it froze. Literally, if you consider my root file system.
When the system tried to remount the root file system read-write, it gave me this:</p>
<div class="highlight"><pre><code>mount: / not mounted or bad option
</code></pre></div>
<p>So I did the …</p>
Author: Sven Vermeulen
Published: Sun, 25 Nov 2012 21:05:00 +0100
ID: tag:blog.siphos.be,2012-11-25:/2012/11/why-you-need-the-real_-thing-with-genkernel/
Categories: Gentoo

Title: The hardened project continues going forward...
Link: https://blog.siphos.be/2012/11/the-hardened-project-continues-going-forward/
<p>This Wednesday, the <a href="http://www.gentoo.org/proj/en/hardened">Gentoo Hardened</a> team held its monthly online meeting, discussing the things that have been done the last few weeks and the ideas that are being worked out for the next. As I did with the last few meetings, allow me to summarize it for all interested parties …</p>
Author: Sven Vermeulen
Published: Sat, 17 Nov 2012 21:34:00 +0100
ID: tag:blog.siphos.be,2012-11-17:/2012/11/the-hardened-project-continues-going-forward/
Categories: Gentoo

Title: Gentoo Hardened progress meeting
Link: https://blog.siphos.be/2012/10/gentoo-hardened-progress-meeting/
<p>Not that long ago we had our monthly Gentoo Hardened project meeting (on October 3rd to be exact). On these meetings, we discuss the progress of the project since the last meeting.</p>
<p>For our <em>toolchain</em> domain, Zorry reported that the PIE patchset is updated for GCC, fixing bug <a href="https://bugs.gentoo.org/436924">#436924</a>.
Blueness …</p>
Author: Sven Vermeulen
Published: Sun, 14 Oct 2012 15:00:00 +0200
ID: tag:blog.siphos.be,2012-10-14:/2012/10/gentoo-hardened-progress-meeting/
Categories: Gentoo

Title: Gentoo Hardened in August
Link: https://blog.siphos.be/2012/08/gentoo-hardened-in-august/
<p>Last Wednesday <a href="http://hardened.gentoo.org">Gentoo Hardened</a> held its monthly online meeting to discuss the progress of the various subprojects, reconfirm the current project leads, talk about potential new projects and discuss some bugs that were getting on our nerves...</p>
<p>For the project leads, all current leads were reconfirmed: Zorry will keep tight …</p>
Author: Sven Vermeulen
Published: Sat, 25 Aug 2012 17:18:00 +0200
ID: tag:blog.siphos.be,2012-08-25:/2012/08/gentoo-hardened-in-august/
Categories: Gentoo

Title: Adding roles to the Gentoo Hardened SELinux policy
Link: https://blog.siphos.be/2012/08/adding-roles-to-the-gentoo-hardened-selinux-policy/
<p>I <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=5#doc_chap4">wrote a small section</a> on how to create additional roles to the SELinux policy offered by Gentoo Hardened. Whereas the default policy that we provide only offers a few basic roles, any policy administrator can provide additional roles for the system.</p>
<p>By using additional roles, you can grant users …</p>
Author: Sven Vermeulen
Published: Tue, 14 Aug 2012 20:39:00 +0200
ID: tag:blog.siphos.be,2012-08-14:/2012/08/adding-roles-to-the-gentoo-hardened-selinux-policy/
Categories: Gentoo

Title: Kickstarting the Integrity subproject
Link: https://blog.siphos.be/2012/07/kickstarting-the-integrity-subproject/
<p>Now that Gentoo Hardened has its <a href="http://www.gentoo.org/proj/en/hardened/integrity/index.xml">integrity</a> subproject, I started with writing down the <a href="http://goo.gl/57K8g">concepts</a> (draft - will move to the project site when finished!) used within the subproject: what is integrity, how does trust fit into this, what kind of technologies will we look at, etc.
I'm hoping that this …</p>
Author: Sven Vermeulen
Published: Mon, 30 Jul 2012 21:34:00 +0200
ID: tag:blog.siphos.be,2012-07-30:/2012/07/kickstarting-the-integrity-subproject/
Categories: Gentoo

Title: Gentoo Hardened on the move
Link: https://blog.siphos.be/2012/07/gentoo-hardened-on-the-move/
<p>Gentoo Hardened is thriving and going forward. For those that don't exactly know what <a href="http://hardened.gentoo.org">Gentoo Hardened</a> is - it is a Gentoo project dedicated to bring Gentoo in a shape ready for highly secure, high stability production server environments. This is what we live by, and why we do what we …</p>
Author: Sven Vermeulen
Published: Thu, 26 Jul 2012 00:41:00 +0200
ID: tag:blog.siphos.be,2012-07-26:/2012/07/gentoo-hardened-on-the-move/
Categories: Gentoo

Title: Updated Gentoo Hardened/SELinux VM image
Link: https://blog.siphos.be/2012/07/updated-gentoo-hardenedselinux-vm-image/
<p>I have updated the Gentoo Hardened/SELinux VM image, available on the mirrors under <code>experimental/amd64/qemu-selinux</code>.</p>
<p>The new image now asks for the keyboard layout, has a short DHCP timeout value (5 seconds) and provides the nano editor. If you plan on running the image using qemu, please use …</p>
Author: Sven Vermeulen
Published: Mon, 16 Jul 2012 18:31:00 +0200
ID: tag:blog.siphos.be,2012-07-16:/2012/07/updated-gentoo-hardenedselinux-vm-image/
Categories: Gentoo

Title: Gentoo Hardened/SELinux VM image
Link: https://blog.siphos.be/2012/07/gentoo-hardenedselinux-vm-image/
<p>A few weeks ago, I pushed out a VM image (Qemu QCOW2 format) to the <code>/experimental/amd64/qemu-selinux/</code> location in our mirrors. This VM image (which is about 1.6 Gib large decompressed) provides a SELinux-enabled, Gentoo Hardened (with PaX and other grSecurity security settings) base installation.
Thanks to the …</p>
Author: Sven Vermeulen
Published: Tue, 10 Jul 2012 21:27:00 +0200
ID: tag:blog.siphos.be,2012-07-10:/2012/07/gentoo-hardenedselinux-vm-image/
Categories: Gentoo

Title: Gentoo Summer of Documentation - Let's do it!
Link: https://blog.siphos.be/2012/06/gentoo-summer-of-documentation-lets-do-it/
<p>The <a href="https://wiki.gentoo.org">Gentoo Wiki folks</a> have started a great idea (and immediately set a nice milestone), namely the <a href="https://wiki.gentoo.org/wiki/Gentoo_Wiki:Summer_of_Documentation/2012">Gentoo Wiki Summer of Documentation</a>. By September, they want to double the amount of articles on the wiki.</p>
<p>I'll surely help out and participate where I can, and perhaps we can even go …</p>
Author: Sven Vermeulen
Published: Fri, 29 Jun 2012 19:16:00 +0200
ID: tag:blog.siphos.be,2012-06-29:/2012/06/gentoo-summer-of-documentation-lets-do-it/
Categories: Gentoo

Title: Had to edit /etc/init.d/root
Link: https://blog.siphos.be/2012/06/had-to-edit-etcinit-droot/
<p>For some reason, I had to edit my /etc/init.d/root file to use "mount /dev/root -n -o remount,rw /" instead of the standard "mount -n -o remount,rw /". Without this, it failed to remount the root file system in a read-write mode, which is of course not …</p>
Author: Sven Vermeulen
Published: Sun, 24 Jun 2012 15:38:00 +0200
ID: tag:blog.siphos.be,2012-06-24:/2012/06/had-to-edit-etcinit-droot/
Categories: Gentoo

Title: Overview of SELinux changes
Link: https://blog.siphos.be/2012/06/overview-of-selinux-changes/
<p>Most users of Gentoo hardly take a look at the (installation) documentation when their installation has finished. After all, being a rolling distribution, there is little need to take a look at the instructions again.
And for most Gentoo users, changes that are needed to be reviewed by existing users …</p>
Author: Sven Vermeulen
Published: Sun, 24 Jun 2012 14:32:00 +0200
ID: tag:blog.siphos.be,2012-06-24:/2012/06/overview-of-selinux-changes/
Categories: Gentoo

Title: Python 3 support for SELinux userland, tests and policy rev 10
Link: https://blog.siphos.be/2012/05/python-3-support-for-selinux-userland-tests-and-policy-rev-10/
<p>In the last few hours I pushed my local changes on the SELinux userland utilities towards the <a href="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=tree">hardened-development</a> overlay. The utilities not only include some bugfixes, but have now also seen a first set of tests towards Python 3.2. In the past, I've made a few attempts at making …</p>
Author: Sven Vermeulen
Published: Sat, 26 May 2012 18:59:00 +0200
ID: tag:blog.siphos.be,2012-05-26:/2012/05/python-3-support-for-selinux-userland-tests-and-policy-rev-10/
Categories: Gentoo

Title: Catching up, but stuff is piling...
Link: https://blog.siphos.be/2012/05/catching-up-but-stuff-is-piling/
<p>Those that frequent the #gentoo-hardened chat channel know that I'm currently trying to get the SELinux related utilities working under Python 3. This has progressed quite far, but I'm still not there yet. I'm now hitting a weird <a href="https://bugs.gentoo.org/show_bug.cgi?id=416301">bug</a> which seems to come down to an incorrect free() on …</p>
Author: Sven Vermeulen
Published: Thu, 24 May 2012 18:46:00 +0200
ID: tag:blog.siphos.be,2012-05-24:/2012/05/catching-up-but-stuff-is-piling/
Categories: Gentoo

Title: Keeping /selinux
Link: https://blog.siphos.be/2012/05/keeping-selinux/
<p>Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version <em>and</em> you switch from <code>/selinux</code> to <code>/sys/fs/selinux</code> as the mountpoint for the SELinux file system, you might get into issues.
Apparently, <strong>init</strong> (which is responsible for mounting the SELinux …</p>
Author: Sven Vermeulen
Published: Fri, 04 May 2012 22:26:00 +0200
ID: tag:blog.siphos.be,2012-05-04:/2012/05/keeping-selinux/
Categories: Gentoo

Title: 20120215 policies now stable
Link: https://blog.siphos.be/2012/04/20120215-policies-now-stable/
<p>Today I've stabilized the <code>sec-policy/selinux-*</code> packages that provide the 20120215 "series" of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace …</p>
Author: Sven Vermeulen
Published: Sun, 29 Apr 2012 16:43:00 +0200
ID: tag:blog.siphos.be,2012-04-29:/2012/04/20120215-policies-now-stable/
Categories: Gentoo

Title: Chrooted BIND for IPv6 with SELinux
Link: https://blog.siphos.be/2012/04/chrooted-bind-for-ipv6-with-selinux/
<p>BIND, or Berkeley Internet Name Domain, is one of the Internet's most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I'll give …</p>
Author: Sven Vermeulen
Published: Sat, 14 Apr 2012 23:08:00 +0200
ID: tag:blog.siphos.be,2012-04-14:/2012/04/chrooted-bind-for-ipv6-with-selinux/
Categories: Gentoo

Title: Documentation updates for initramfs needed?
Link: https://blog.siphos.be/2012/04/documentation-updates-for-initramfs-needed/
<p>A quick help request from the community: if you know of any Gentoo documents that need updates in order for end users to know when and how to use initramfs, please file <a href="https://bugs.gentoo.org">bug reports</a> and have them <a href="https://bugs.gentoo.org/show_bug.cgi?id=407959">block bug #407959</a>.
Currently, we have updated the Gentoo Handbook, Gentoo Quickinstall guides and …</p>
Author: Sven Vermeulen
Published: Thu, 12 Apr 2012 17:40:00 +0200
ID: tag:blog.siphos.be,2012-04-12:/2012/04/documentation-updates-for-initramfs-needed/
Categories: Gentoo

Title: Get your devtmpfs ready
Link: https://blog.siphos.be/2012/04/get-your-devtmpfs-ready/
<p>If you are using stable profiles, you might want to verify if you are already running a kernel with devtmpfs support enabled. Why? Well, currently you might not need it, but the upcoming openrc/udev packages require it and they currently do not fail at install time if you have …</p>
Author: Sven Vermeulen
Published: Sat, 07 Apr 2012 22:10:00 +0200
ID: tag:blog.siphos.be,2012-04-07:/2012/04/get-your-devtmpfs-ready/
Categories: Gentoo

Title: More on initramfs and SELinux
Link: https://blog.siphos.be/2012/03/more-on-initramfs-and-selinux/
<p>With the upcoming udev version <em>not</em> supporting separate <code>/usr</code> locations unless you boot with an initramfs, we are <a href="https://bugs.gentoo.org/show_bug.cgi?id=407959">now</a> <a href="https://bugs.gentoo.org/show_bug.cgi?id=408691">starting</a> <a href="https://bugs.gentoo.org/show_bug.cgi?id=408971">to</a> document how to create an initramfs to boot with. After all, systems with a separate <code>/usr</code> are not that uncommon.</p>
<p>As I've blogged about <a href="http://blog.siphos.be/2012/01/trying-out-initramfs-with-selinux-and-grsec/">before</a>, getting an initramfs to …</p>
Author: Sven Vermeulen
Published: Sun, 25 Mar 2012 19:44:00 +0200
ID: tag:blog.siphos.be,2012-03-25:/2012/03/more-on-initramfs-and-selinux/
Categories: Gentoo

Title: Hunting fuser
Link: https://blog.siphos.be/2012/03/hunting-fuser/
<p>I am able to work on Gentoo and SELinux about one hour per day. It's more in total time, but being a bit exhausted makes me act a bit more slowly which boils down to about one hour per day.
And one hour per day isn't bad, you're able to …</p>
Author: Sven Vermeulen
Published: Mon, 12 Mar 2012 21:54:00 +0100
ID: tag:blog.siphos.be,2012-03-12:/2012/03/hunting-fuser/
Categories: Gentoo

Title: Introducing 2.20120215 policies
Link: https://blog.siphos.be/2012/02/introducing-2-20120215-policies/
<p>A few weeks after being <a href="http://oss.tresys.com/pipermail/refpolicy/2012-February/004953.html">released</a>, we now have the 20120215-based policies available for our users (and also the newer userspace utilities). The packages currently reside in the hardened-dev overlay as they will need to see sufficient testing before we merge those to the main tree. For most users, nothing …</p>
Author: Sven Vermeulen
Published: Sun, 26 Feb 2012 18:40:00 +0100
ID: tag:blog.siphos.be,2012-02-26:/2012/02/introducing-2-20120215-policies/
Categories: Gentoo

Title: This months' stabilization done, more to come
Link: https://blog.siphos.be/2012/01/this-months-stabilization-done-more-to-come/
<p>A small notification to tell you that the SELinux policies that were pushed to the main tree 30 days (or more) ago have now been stabilized (none of them introduced problems, although some of them have other bugs still open which are either fixed in ~arch or will be fixed …</p>
Author: Sven Vermeulen
Published: Sun, 29 Jan 2012 13:33:00 +0100
ID: tag:blog.siphos.be,2012-01-29:/2012/01/this-months-stabilization-done-more-to-come/
Categories: Gentoo

Title: Gentoo WiKi & Knowledge Base
Link: https://blog.siphos.be/2011/12/gentoo-wiki-knowledge-base/
<p>I have been playing with the <a href="http://wiki.gentoo.org">Gentoo Wiki</a> the last few days and am very impressed with the work that both the wiki teams as well as existing contributors have already done to the place. The look and feel is very slick and editing works just as expected.
One of …</p>
Author: Sven Vermeulen
Published: Mon, 26 Dec 2011 20:01:00 +0100
ID: tag:blog.siphos.be,2011-12-26:/2011/12/gentoo-wiki-knowledge-base/
Categories: Gentoo

Title: Supporting fix scripts for XCCDF content and maintaining the documents
Link: https://blog.siphos.be/2011/12/supporting-fix-scripts-for-xccdf-content-and-maintaining-the-documents/
<p>One of the features supported through OVAL (and Open-SCAP) is to generate fix scripts when a test has failed. The administrator can then verify this script (of course) and then execute it to correct wrong settings. So I decided to play around with this as well and enhanced the <a href="http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html">Gentoo …</a></p>
Author: Sven Vermeulen
Published: Fri, 23 Dec 2011 16:00:00 +0100
ID: tag:blog.siphos.be,2011-12-23:/2011/12/supporting-fix-scripts-for-xccdf-content-and-maintaining-the-documents/
Categories: Gentoo

Title: SELinux Gentoo/Hardened state 2011-12-19
Link: https://blog.siphos.be/2011/12/selinux-gentoohardened-state-2011-12-19/
<p>On December 14th, the <a href="http://hardened.gentoo.org">Gentoo Hardened</a> project had its monthly <a href="http://archives.gentoo.org/gentoo-hardened/msg_6ee74d905f217b47446ace08da32a921.xml">online meeting</a> to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux-front were presented as well.</p>
<p>Since last meeting, the following topics passed the revue.</p>
<ul>
<li><a href="http://packages.gentoo.org/package/sec-policy/selinux-base-policy">sec-policy/selinux-base-policy</a>, which is the "master …</li>
</ul>
Author: Sven Vermeulen
Published: Mon, 19 Dec 2011 18:04:00 +0100
ID: tag:blog.siphos.be,2011-12-19:/2011/12/selinux-gentoohardened-state-2011-12-19/
Categories: Gentoo

Title: Supporting CC-BY-SA 3.0
Link: https://blog.siphos.be/2011/11/supporting-cc-by-sa-3-0/
<p>Until now, documents on the <a href="http://www.gentoo.org">Gentoo website</a> all had to be licensed under the <a href="https://creativecommons.org/licenses/by-sa/2.5/">Creative Commons Attribution/Share Alike</a> license, version 2.5. Why?
Because at the time of the license choice, that was probably the latest version at hand. In the XML code itself, the license tagging was done …</p>
Author: Sven Vermeulen
Published: Tue, 29 Nov 2011 21:33:00 +0100
ID: tag:blog.siphos.be,2011-11-29:/2011/11/supporting-cc-by-sa-3-0/
Categories: Gentoo

Title: SELinux Gentoo/Hardened state 2011-11-17
Link: https://blog.siphos.be/2011/11/selinux-gentoohardened-state-2011-11-17/
<p>A small write-down on the <a href="http://hardened.gentoo.org/selinux">Gentoo Hardened SELinux</a> state-of-affairs, largely triggered because there was an online meeting for the <a href="http://hardened.gentoo.org">Gentoo Hardened</a> project today.</p>
<ul>
<li>The SELinux policies offered in the <code>sec-policy</code> category are based on the latest refpolicy release. The older policies have been removed from the Portage tree. The patches …</li>
</ul>
Author: Sven Vermeulen
Published: Thu, 17 Nov 2011 23:29:00 +0100
ID: tag:blog.siphos.be,2011-11-17:/2011/11/selinux-gentoohardened-state-2011-11-17/
Categories: Gentoo

Title: Gentoo Security Benchmark with OVAL and Open-SCAP
Link: https://blog.siphos.be/2011/11/gentoo-security-benchmark-with-oval-and-open-scap/
<p>A while ago, I got referred to the <a href="http://oval.mitre.org/">Open Vulnerability and Assessment Language</a>, which seems to be an open specification (or even standard) for defining security content/information and being able to document such things in a way that tools can interpret it. Actually, it is a set of these …</p>
Author: Sven Vermeulen
Published: Wed, 16 Nov 2011 23:09:00 +0100
ID: tag:blog.siphos.be,2011-11-16:/2011/11/gentoo-security-benchmark-with-oval-and-open-scap/
Categories: Gentoo

Title: SELinux' 2011/07 releases now stable
Link: https://blog.siphos.be/2011/10/selinux-201107-releases-now-stable/
<p>A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727.
With the change, I also updated the <a href="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</a> with the changes I presented on our <a href="http://archives.gentoo.org/gentoo-hardened/msg_73ddd74112bef0007f361f3598140a21.xml">gentoo-hardened</a> mailing list. After some time, I'll remove the now …</p>
Author: Sven Vermeulen
Published: Sun, 23 Oct 2011 15:07:00 +0200
ID: tag:blog.siphos.be,2011-10-23:/2011/10/selinux-201107-releases-now-stable/
Categories: Gentoo