Simplicity is a form of art... - Gentoo

Switch to Gentoo sources

Sven Vermeulen — Tue, 22 Aug 2017 19:04:00 +0200

You've might already read it on the Gentoo news site, the Hardened Linux kernel sources are removed from the tree due to the grsecurity change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made due to supportability and maintainability reasons.

That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources for the users who want to stick with it, as it is based on minipli's unofficial patchset. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.

Personally though, I'm switching to the Gentoo sources, and stick with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).

Handling certificates in Gentoo Linux

Sven Vermeulen — Mon, 06 Mar 2017 22:20:00 +0100

I recently created a new article on the Gentoo Wiki titled Certificates which talks about how to handle certificate stores on Gentoo Linux. The write-up of the article (which might still change name later, because it does not handle everything about certificates, mostly how to handle certificate stores) was inspired by the observation that I had to adjust the certificate stores of both Chromium and Firefox separately, even though they both use NSS.

Custom CIL SELinux policies in Gentoo

Sven Vermeulen — Thu, 10 Sep 2015 07:13:00 +0200

In Gentoo, we have been supporting custom policy packages for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages as default (although binary packages are supported as well).

A recent commit now also allows CIL files to be used.

Maintaining packages and backporting

Sven Vermeulen — Wed, 02 Sep 2015 20:33:00 +0200

A few days ago I committed a small update to policycoreutils, a SELinux related package that provides most of the management utilities for SELinux systems. The fix was to get two patches (which are committed upstream) into the existing release so that our users can benefit from the fixed issues without having to wait for a new release.

Slowly converting from GuideXML to HTML

Sven Vermeulen — Tue, 25 Aug 2015 11:30:00 +0200

Gentoo has removed its support of the older GuideXML format in favor of using the Gentoo Wiki and a new content management system for the main site (or is it static pages, I don't have the faintest idea to be honest). I do still have a few GuideXML pages in my development space, which I am going to move to HTML pretty soon.

In order to do so, I make use of the guidexml2wiki stylesheet I developed. But instead of migrating it to wiki syntax, I want to end with HTML.

Finding a good compression utility

Sven Vermeulen — Thu, 13 Aug 2015 19:15:00 +0200

I recently came across a wiki page written by Herman Brule which gives a quick benchmark on a couple of compression methods / algorithms. It gave me the idea of writing a quick script that tests out a wide number of compression utilities available in Gentoo (usually through the app-arch category), with also a number of options (in case multiple options are possible).

Live SELinux userspace ebuilds

Sven Vermeulen — Wed, 10 Jun 2015 20:07:00 +0200

In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc. These live ebuilds (with Gentoo version 9999) pull in the current development code of the SELinux userspace so that developers and contributors can already work with in-progress code developments as well as see how they work on a Gentoo platform.

Moving closer to 2.4 stabilization

Sven Vermeulen — Mon, 27 Apr 2015 19:18:00 +0200

The SELinux userspace project has released version 2.4 in february this year, after release candidates have been tested for half a year. After its release, we at the Gentoo Hardened project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …

Trying out Pelican, part one

Sven Vermeulen — Fri, 06 Mar 2015 20:02:00 +0100

One of the goals I've set myself to do this year (not as a new year resolution though, I *really* want to accomplish this ;-) is to move my blog from Wordpress to a statically built website. And Pelican looks to be a good solution to do so. It's based on …

Have dhcpcd wait before backgrounding

Sven Vermeulen — Sun, 08 Feb 2015 16:50:00 +0100

Many of my systems use DHCP for obtaining IP addresses. Even though they all receive a static IP address, it allows me to have them moved over (migrations), use TFTP boot, cloning (in case of quick testing), etc. But one of the things that was making my efforts somewhat more …

Old Gentoo system? Not a problem...

Sven Vermeulen — Wed, 21 Jan 2015 23:05:00 +0100

If you have a very old Gentoo system that you want to upgrade, you might have some issues with too old software and Portage which can't just upgrade to a recent state. Although many methods exist to work around it, one that I have found to be very useful is …

Gentoo Handbooks almost moved to wiki

Sven Vermeulen — Fri, 12 Dec 2014 17:35:00 +0100

Content-wise, the move is done. I've done a few checks on the content to see if the structure still holds, translations are enabled on all pages, the use of partitions is sufficiently consistent for each architecture, and so on. The result can be seen on the gentoo handbook main page …

Sometimes I forget how important communication is

Sven Vermeulen — Wed, 10 Dec 2014 20:38:00 +0100

Free software (and documentation) developers don't always have all the time they want. Instead, they grab whatever time they have to do what they believe is the most productive - be it documentation editing, programming, updating ebuilds, SELinux policy improvements and what not. But they often don't take the time to …

No more DEPENDs for SELinux policy package dependencies

Sven Vermeulen — Sun, 02 Nov 2014 14:51:00 +0100

I just finished updating 102 packages. The change? Removing the following from the ebuilds:

DEPEND="selinux? ( sec-policy/selinux-${packagename} )"

In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed …

Migrating to SELinux userspace 2.4 (small warning for users)

Sven Vermeulen — Thu, 30 Oct 2014 19:44:00 +0100

In a few moments, SELinux users which have the \~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed …

Showing return code in PS1

Sven Vermeulen — Sun, 31 Aug 2014 01:14:00 +0200

If you do daily management on Unix/Linux systems, then checking the return code of a command is something you'll do often. If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing …

Gentoo Hardened august meeting

Sven Vermeulen — Fri, 29 Aug 2014 16:43:00 +0200

Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.

Lead elections

The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)

Toolchain

blueness (Anthony G …

Switching to new laptop

Sven Vermeulen — Tue, 19 Aug 2014 22:11:00 +0200

I'm slowly but surely starting to switch to a new laptop. The old one hasn't completely died (yet) but given that I had to force its CPU frequency at the lowest Hz or the CPU would burn (and the system suddenly shut down due to heat issues), and that the …

Some changes under the hood

Sven Vermeulen — Sat, 09 Aug 2014 21:45:00 +0200

In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.

First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is \~arch). These have a few updates (mergers from upstream), and r5 also …

Gentoo Hardened July meeting

Sven Vermeulen — Fri, 01 Aug 2014 21:48:00 +0200

I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.

Toolchain

GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with …

Multilib in Gentoo

Sven Vermeulen — Wed, 02 Jul 2014 21:03:00 +0200

One of the areas in Gentoo that is seeing lots of active development is its ongoing effort to have proper multilib support throughout the tree. In the past, this support was provided through special emulation packages, but those have the (serious) downside that they are often outdated, sometimes even having …

Gentoo Hardened, June 2014

Sven Vermeulen — Sun, 15 Jun 2014 21:28:00 +0200

Friday the Gentoo Hardened project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.

On the toolchain part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …

Revamped our SELinux documentation

Sven Vermeulen — Mon, 12 May 2014 22:15:00 +0200

In the move to the Gentoo wiki, I have updated and revamped most of our SELinux documentation. The end result can be seen through the main SELinux page. Most of the content is below this page (as subpages).

We start with a new introduction to SELinux article which goes over …

Dropping sesandbox support

Sven Vermeulen — Fri, 09 May 2014 21:03:00 +0200

A vulnerability in seunshare, part of policycoreutils, came to light recently (through bug 509896). The issue is within libcap-ng actually, but the specific situation in which the vulnerability can be exploited is only available in seunshare.

Now, seunshare is not built by default on Gentoo. You need to define USE …

Stepping through the build process with ebuild

Sven Vermeulen — Sun, 20 Apr 2014 11:59:00 +0200

Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don't use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream …

Proof of concept for USE enabled policies

Sven Vermeulen — Mon, 31 Mar 2014 18:33:00 +0200

tl;dr: Some (-9999) policy ebuilds now have USE support for building in (or leaving out) SELinux policy statements.

One of the "problems" I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a "least privilege" policy that …

Online hardened meeting of March

Sven Vermeulen — Thu, 27 Mar 2014 23:44:00 +0100

I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.

Toolchain

GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes …

Fixing the busybox build failure

Sven Vermeulen — Wed, 26 Mar 2014 14:18:00 +0100

Since a few months I have a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate /usr and LVM for everything except /boot):

* busybox: >> Compiling...
* ERROR: Failed to compile the "all" target...
* 
* -- Grepping log... --
* 
*           - busybox-1.7.4-signal-hack.patch …

Create your own SELinux Gentoo profile

Sven Vermeulen — Mon, 24 Mar 2014 21:51:00 +0100

Or any other profile for that matter ;-)

A month or so ago we got the question how to enable SELinux on a Gentoo profile that doesn't have a <some profilename>/selinux equivalent. Because we don't create SELinux profiles for all possible profiles out there, having a way to do this …

Hidden symbols and dynamic linking

Sven Vermeulen — Mon, 24 Mar 2014 21:14:00 +0100

A few weeks ago, we introduced an error in the (\~arch) libselinux ebuild which caused the following stacktrace to occur every time the semanage command was invoked:

~ # semanage
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in 
    import seobject
  File "/usr/lib64/python2.7 …

Closing week? No, starting week...

Sven Vermeulen — Sun, 16 Mar 2014 21:36:00 +0100

I've been away for a while, and this week will (hopefully) be the last week of all the effort that is causing this. And that means I'll get back to blogging, documentation development, SELinux integration, SELinux policy development and more. To be honest, I'm eagerly awaiting this moment of getting …

Can Gentoo play a role in a RHEL-only environment?

Sven Vermeulen — Thu, 09 Jan 2014 04:13:00 +0100

Sounds like a stupid question, as the answer is already in the title. If a company has only RedHat Enterprise Linux as allowed / supported Linux platform (be it for a support model requirement, ISV certification, management tooling support or what not) how could or would Gentoo still play a role …

Upgrading old Gentoo installations

Sven Vermeulen — Sun, 29 Dec 2013 14:18:00 +0100

Today I got "pinged" on bug #463240 about the difficulty of upgrading a Gentoo Linux deployment after a long time of inactivity on the system. We already have an Upgrading Gentoo article on the Gentoo wiki that describes in great detail how upgrades can be accomplished. But one of the …

December hardened meeting

Sven Vermeulen — Fri, 20 Dec 2013 10:20:00 +0100

Yesterday evening (UTC, that is) the members of the Gentoo Hardened project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.

Toolchain

A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.

And …

GPT or MBR in the Gentoo Handbook

Sven Vermeulen — Wed, 18 Dec 2013 12:25:00 +0100

I just committed a set of changes against the Gentoo Handbook (x86 and amd64) with the intent to have better instructions on GPT (GUID Partition Table) layout versus MBR (Master Boot Record) or MSDOS-style layout.

The part on "Preparing the Disks" saw the most changes. It starts with explaining the …

Gentoo SELinux policy release script

Sven Vermeulen — Wed, 11 Dec 2013 18:37:00 +0100

A few months ago, I wrote a small script that aids in the creation of new SELinux policy packages. The script is on the repository itself, in the gentoo/ subdirectory, and is called release-prepare.sh.

The reason for the script is that there are a number of steps to perform …

November online hardened meeting

Sven Vermeulen — Wed, 11 Dec 2013 12:12:00 +0100

Later than usual, as I wasn't able to make the meeting myself (thus had to wait for the meeting logs in order to draft up this summary), so here it is. The next meeting is scheduled for next week, btw ;-)

Toolchain

The 4.8.2 ebuild for GCC is available …

New SELinux userspace release

Sven Vermeulen — Tue, 05 Nov 2013 00:06:00 +0100

Between now and an hour, Gentoo users using the \~arch branch will notice that new versions of the SELinux userspace applications are now available. Released on October 30th, they contain many bug fixes sent previously as well as a couple of interesting developments and enhancements (more work on sepolicy, for …

Gentoo Hardened meeting 201310

Sven Vermeulen — Thu, 24 Oct 2013 23:25:00 +0200

We gathered online again to talk about the progress, changes and other stuff related to the Gentoo Hardened project.

New Developer

We welcomed Zero_Chaos as a new addition to our team. Big welcome, with the usual IRC kick in between, ensued.

Toolchain

GCC 4.8.x is unmasked and …

A bug please...

Sven Vermeulen — Mon, 30 Sep 2013 21:53:00 +0200

I know contacting me (or other developers) through IRC is often fast, but having a bug report on our bugzilla is very important to me and other developers. Allow me to explain a bit why.

First of all, IRC is ephemeral. If we are not immediately on IRC noticing it …

Aaaand we're back - hardened monthly meeting

Sven Vermeulen — Thu, 26 Sep 2013 22:22:00 +0200

It almost feels like we had our monthly online meeting just a week ago. Below a small write-up of the highlights. If you want to know the gory details, just wait a few hours/days until the IRC logs are sent out ;-) Now remember, the project does more than what …

Underestimated or underused: Portage (e)logging

Sven Vermeulen — Wed, 25 Sep 2013 10:09:00 +0200

Within 30 minutes of each other, two people on the #gentoo channel asked if Portage kept logs of the messages displayed during the build and installation of a package. Of course, the answer is a sounding "yes" - and depending on your needs, you can even save more of the logging …

Gentoo Hardened progress report

Sven Vermeulen — Thu, 29 Aug 2013 20:27:00 +0200

Today, we had our monthly online meeting to discuss the progress amongst the various Gentoo Hardened projects. As usual, here is a small write-up.

Lead election

As every year, we also reviewed the current project leads. No surprises here, everybody is happy with the current leads so they are re-elected …

Why our policies don't like emerge --config

Sven Vermeulen — Fri, 23 Aug 2013 11:53:00 +0200

One of the features that Portage provides is to have post-processing done on request of the administrator for certain packages. For instance, for the dev-db/postgresql-server package we can call its pkg_config() phase to create the PostgreSQL instance and configure it so that the configuration of the database is …

Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?

Sven Vermeulen — Fri, 16 Aug 2013 09:17:00 +0200

As you are probably aware, Gentoo uses the reference policy as its base for SELinux policies. Yes, we do customize it and not everything is already pushed upstream (for instance, our approach to use xdg_*_home_t customizable types to further restrict user application access has been sent up for …

And now, 31 days later...

Sven Vermeulen — Thu, 01 Aug 2013 22:43:00 +0200

... the Gentoo Hardened team had its monthly online meeting again ;-)

On the agenda were the usual suspects, such as the toolchain. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the hardenedno* and vanilla gcc-config options which will be added to the tree …

Adding mcstrans to Gentoo

Sven Vermeulen — Sun, 07 Jul 2013 20:38:00 +0200

If you use SELinux, you might be using an MLS-enabled policy. These are policies that support sensitivity labels on resources and domains. In Gentoo, these are supported in the mcs and mls policy stores. Now sensitivity ranges are fun to work with, but the moment you have several sensitivity levels …

Hardening is our business... new monthly report ;-)

Sven Vermeulen — Thu, 27 Jun 2013 23:03:00 +0200

We're back with another report on the Gentoo Hardened project. Please excuse my brevity, as you've noticed I'm not that active (yet) due to work on an external project - I'll be back mid-July though. I promise.

On the Toolchain side, GCC 4.8.1 is in the tree and has …

Gentoo Hardened spring notes

Sven Vermeulen — Thu, 16 May 2013 22:54:00 +0200

We got back together on the #gentoo-hardened chat channel to discuss the progress of Gentoo Hardened, so it's time for another write-up of what was said.

Toolchain

GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …

Overriding the default SELinux policies

Sven Vermeulen — Wed, 15 May 2013 03:50:00 +0200

Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?

Well, sadly …

Gentoo metadata support for CPE

Sven Vermeulen — Fri, 10 May 2013 03:50:00 +0200

Recently, the metadata.xml file syntax definition (the DTD for those that know a bit of XML) has been updated to support CPE definitions. A CPE (Common Platform Enumeration) is an identifier that describes an application, operating system or hardware device using its vendor, product name, version, update, edition and …

New SELinux userspace release

Sven Vermeulen — Fri, 26 Apr 2013 03:50:00 +0200

A new release of the SELinux userspace utilities was recently announced. I have made the packages for Gentoo available and they should now be in the main tree (\~arch of course). During the testing of the packages however, I made a stupid mistake of running the tests on the wrong …

Gentoo protip: using buildpkgonly

Sven Vermeulen — Thu, 25 Apr 2013 03:50:00 +0200

If you don't want to have the majority of builds run in the background while you are busy on the system, but you don't want to automatically install software in the background when you are not behind your desk, then perhaps you can settle for using binary packages. I'm not …

SLOT'ing the old swig-1

Sven Vermeulen — Tue, 23 Apr 2013 03:50:00 +0200

The SWIG tool helps developers in building interfaces/libraries that can be accessed from many other languages than the ones the library is initially written in or for. The SELinux userland utility setools uses it to provide Python and Ruby interfaces even though the application itself is written in C …

Introducing selocal for small SELinux policy enhancements

Sven Vermeulen — Sun, 21 Apr 2013 03:50:00 +0200

When working with a SELinux-enabled system, administrators will eventually need to make small updates to the existing policy. Instead of building their own full policy (always an option, but most likely not maintainable in the long term) one or more SELinux policy modules are created (most distributions use a modular …

Transforming GuideXML to DocBook

Sven Vermeulen — Sat, 20 Apr 2013 03:50:00 +0200

I recently committed an XSL stylesheet that allows us to transform the GuideXML documents (both guides and handbooks) to DocBook. This isn't part of a more elaborate move to try and push DocBook instead of GuideXML for the Gentoo Documentation though (I'd rather direct documentation development more to the Gentoo …

Another Gentoo Hardened month has passed

Sven Vermeulen — Thu, 18 Apr 2013 23:36:00 +0200

Another month has passed, so time to mention again what we have all been doing lately ;-)

Toolchain

Version 4.8 of GCC is available in the tree, but currently masked. The package contains a fix needed to build hardened-sources, and a fix for the asan (address sanitizer). asan support in …

Not needing run_init for password-less service management

Sven Vermeulen — Tue, 09 Apr 2013 22:14:00 +0200

One of the things that has been bugging me was why, even with having pam_rootok.so set in /etc/pam.d/run_init, I cannot enjoy passwordless service management without using run_init directly:

# rc-service postgresql-9.2 status
Authenticating root.
Password:

# run_init rc-service postgresql-9.2 status
Authenticating root …

Separate puppet provider for Gentoo/SELinux?

Sven Vermeulen — Sun, 07 Apr 2013 19:22:00 +0200

While slowly transitioning my playground infrastructure towards Puppet, I already am in process of creating a custom provider for things such as services. Puppet uses providers as "implementations" for the functions Puppet needs. For instance, for the service type (which handles init script services), there are providers for RedHat, Debian …

Matching packages with CVEs

Sven Vermeulen — Thu, 04 Apr 2013 21:44:00 +0200

I've come across a few posts on forums (Gentoo and elsewhere) asking why Gentoo doesn't make security-related patches on the tree. Some people think this is the case because they do not notice (m)any GLSAs, which are Gentoo's security advisories. However, it isn't that Gentoo doesn't push out security …

Fiddling with puppet apply

Sven Vermeulen — Wed, 20 Mar 2013 12:31:00 +0100

As part of a larger exercise, I am switching my local VM set from a more-or-less scripted manual configuration towards a fully Puppet-powered one. Of course, it still uses a lot of custom modules and is most likely too ugly to expose to the wider internet, but it does seem …

Gentoo Hardened progress meeting of march 2013

Sven Vermeulen — Thu, 07 Mar 2013 22:46:00 +0100

Another month has passed, so time for a new progress meeting...

Toolchain

GCC v4.7 has been unmasked, allowing a large set of users to test out the new GCC. It is also expected that GCC 4.8-rc1 will hit the tree next week. In the hardened-dev overlay, hardened support …

Uploading selinuxnode test VM

Sven Vermeulen — Mon, 25 Feb 2013 03:05:00 +0100

At the time of writing (but I'll delay the publication of this post a few hours), I'm uploading a new SELinux-enabled KVM guest image. This is not an update on the previous image though (it's a reinstalled system - after all, I use VMs for testing, so it makes sense to …

Working on a new selinuxnode VM

Sven Vermeulen — Sat, 23 Feb 2013 14:04:00 +0100

A long time ago, I made a SELinux enabled VM for people to play with, displaying a minimal Gentoo installation, including the hardening features it supports (PIE/PIC toolchain, grSecurity, PaX and SELinux). I'm currently trying to create a new one, which also includes IMA/EVM, but it looks like …

Transforming GuideXML to wiki

Sven Vermeulen — Tue, 12 Feb 2013 20:12:00 +0100

The Gentoo project has its own official wiki for some time now, and we are going to use it more and more in the next few months. For instance, in the last Gentoo Hardened meeting, we already discussed that most user-oriented documentation should be put on the wiki, and I've …

Gentoo Hardened goes onward (aka project meeting)

Sven Vermeulen — Thu, 07 Feb 2013 23:40:00 +0100

It's been a while again, so time for another Gentoo Hardened online progress meeting.

Toolchain

GCC 4.8 is on development stage 4, so the hardened patches will be worked on next week. Some help on it is needed to test the patches on ARM, PPC and MIPS though. For …

IMA and EVM on Gentoo, part 2

Sven Vermeulen — Sat, 29 Dec 2012 23:42:00 +0100

I have been playing with Linux IMA/EVM on a Gentoo Hardened (with SELinux) system for a while and have been documenting what I think is interesting/necessary for Gentoo Linux users when they want to use IMA/EVM as well. Note that the documentation of the Linux IMA/EVM …

Gentoo Hardened IMA support

Sven Vermeulen — Thu, 27 Dec 2012 22:40:00 +0100

Adventurous users, contributors and developers can enable the Integrity Measurement Architecture subsystem in the Linux kernel with appraisal (since Linux kernel 3.7). In an attempt to support IMA (and EVM and other technologies) properly, the System Integrity subproject within Gentoo Hardened was launched a few months ago. And now …

Switching policy types in Gentoo/SELinux

Sven Vermeulen — Thu, 20 Dec 2012 11:31:00 +0100

When you are running Gentoo with SELinux enabled, you will be running with a particular policy type, which you can devise from either /etc/selinux/config or from the output of the sestatus command. As a user on our IRC channel had some issues converting his strict-policy system to mcs …

Another hardened month has passed...

Sven Vermeulen — Thu, 13 Dec 2012 10:02:00 +0100

... so it's time for a new update ;-)

Toolchain

GCC 4.8 is still in its stage 3 development phase, so Zorry will send out the patches to the GCC development community when this phase is done. For Gentoo hardened itself, we now support all architectures except for IA64 (which never …

Why you need the real_* thing with genkernel

Sven Vermeulen — Sun, 25 Nov 2012 21:05:00 +0100

Today it bit me. I rebooted my workstation, and all hell broke loose. Well, actually, it froze. Literally, if you consider my root file system. When the system tried to remount the root file system read-write, it gave me this:

mount: / not mounted or bad option

So I did the …

The hardened project continues going forward...

Sven Vermeulen — Sat, 17 Nov 2012 21:34:00 +0100

This wednesday, the Gentoo Hardened team held its monthly online meeting, discussing the things that have been done the last few weeks and the ideas that are being worked out for the next. As I did with the last few meetings, allow me to summarize it for all interested parties …

Gentoo Hardened progress meeting

Sven Vermeulen — Sun, 14 Oct 2012 15:00:00 +0200

Not that long ago we had our monthly Gentoo Hardened project meeting (on October 3rd to be exact). On these meetings, we discuss the progress of the project since the last meeting.

For our toolchain domain, Zorry reported that the PIE patchset is updated for GCC, fixing bug #436924. Blueness …

Gentoo Hardened in August

Sven Vermeulen — Sat, 25 Aug 2012 17:18:00 +0200

Last wednesday Gentoo Hardened held its monthly online meeting to discuss the progress of the various subprojects, reconfirm the current project leads, talk about potential new projects and discuss some bugs that were getting on our nerves...

For the project leads, all current leads were reconfirmed: Zorry will keep tight …

Adding roles to the Gentoo Hardened SELinux policy

Sven Vermeulen — Tue, 14 Aug 2012 20:39:00 +0200

I wrote a small section on how to create additional roles to the SELinux policy offered by Gentoo Hardened. Whereas the default policy that we provide only offers a few basic roles, any policy administrator can provide additional roles for the system.

By using additional roles, you can grant users …

Kickstarting the Integrity subproject

Sven Vermeulen — Mon, 30 Jul 2012 21:34:00 +0200

Now that Gentoo Hardened has its integrity subproject, I started with writing down the concepts (draft - will move to the project site when finished!) used within the subproject: what is integrity, how does trust fit into this, what kind of technologies will we look at, etc. I'm hoping that this …

Gentoo Hardened on the move

Sven Vermeulen — Thu, 26 Jul 2012 00:41:00 +0200

Gentoo Hardened is thriving and going forward. For those that don't exactly know what Gentoo Hardened is - it is a Gentoo project dedicated to bring Gentoo in a shape ready for highly secure, high stability production server environments. This is what we live by, and why we do what we …

Updated Gentoo Hardened/SELinux VM image

Sven Vermeulen — Mon, 16 Jul 2012 18:31:00 +0200

I have updated the Gentoo Hardened/SELinux VM image, available on the mirrors under experimental/amd64/qemu-selinux.

The new image now asks for the keyboard layout, has a short DHCP timeout value (5 seconds) and provides the nano editor. If you plan on running the image using qemu, please use …

Gentoo Hardened/SELinux VM image

Sven Vermeulen — Tue, 10 Jul 2012 21:27:00 +0200

A few weeks ago, I pushed out a VM image (Qemu QCOW2 format) to the /experimental/amd64/qemu-selinux/ location in our mirrors. This VM image (which is about 1.6 Gib large decompressed) provides a SELinux-enabled, Gentoo Hardened (with PaX and other grSecurity security settings) base installation. Thanks to the …

Gentoo Summer of Documentation - Let's do it!

Sven Vermeulen — Fri, 29 Jun 2012 19:16:00 +0200

The Gentoo Wiki folks have started a great idea (and immediately set a nice milestone), namely the Gentoo Wiki Summer of Documentation. By september, they want to double the amount of articles on the wiki.

I'll surely help out and participate where I can, and perhaps we can even go …

Had to edit /etc/init.d/root

Sven Vermeulen — Sun, 24 Jun 2012 15:38:00 +0200

For some reason, I had to edit my /etc/init.d/root file to use "mount /dev/root -n -o remount,rw /" instead of the standard "mount -n -o remount,rw /". Without this, it failed to remount the root file system in a read-write mode, which is of course not …

Overview of SELinux changes

Sven Vermeulen — Sun, 24 Jun 2012 14:32:00 +0200

Most users of Gentoo hardly take a look at the (installation) documentation when their installation has finished. After all, being a rolling distribution, there is little need to take a look at the instructions again. And for most Gentoo users, changes that are needed to be reviewed by existing users …

Python 3 support for SELinux userland, tests and policy rev 10

Sven Vermeulen — Sat, 26 May 2012 18:59:00 +0200

In the last few hours I pushed my local changes on the SELinux userland utilities towards the hardened-development overlay. The utilities not only include some bugfixes, but have now also seen a first set of tests towards Python 3.2. In the past, I've made a few attempts at making …

Catching up, but stuff is piling...

Sven Vermeulen — Thu, 24 May 2012 18:46:00 +0200

Those that are frequent the #gentoo-hardened chat channel know that I'm currently trying to get the SELinux related utilities working under Python 3. This has progressed quite far, but I'm still not there yet. I'm now hitting a weird bug which seems to come down to an incorrect free() on …

Keeping /selinux

Sven Vermeulen — Fri, 04 May 2012 22:26:00 +0200

Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version and you switch from /selinux to /sys/fs/selinux as the mountpoint for the SELinux file system, you might get into issues. Apparently, init (which is responsible for mounting the SELinux …

20120215 policies now stable

Sven Vermeulen — Sun, 29 Apr 2012 16:43:00 +0200

Today I've stabilized the sec-policy/selinux-* packages that provide the 20120215 "series" of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace …

Chrooted BIND for IPv6 with SELinux

Sven Vermeulen — Sat, 14 Apr 2012 23:08:00 +0200

BIND, or Berkeley Internet Name Domain, is one of the Internet's most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I'll give …

Documentation updates for initramfs needed?

Sven Vermeulen — Thu, 12 Apr 2012 17:40:00 +0200

A quick help request from the community: if you know of any Gentoo documents that need updates in order for end users to know when and how to use initramfs, please file bugreports and have them block bug #407959. Currently, we have updated the Gentoo Handbook, Gentoo Quickinstall guides and …

Get your devtmpfs ready

Sven Vermeulen — Sat, 07 Apr 2012 22:10:00 +0200

If you are using stable profiles, you might want to verify if you are already running a kernel with devtmpfs support enabled. Why? Well, currently you might not need it, but the upcoming openrc/udev packages require it and they currently do not fail at install time if you have …

More on initramfs and SELinux

Sven Vermeulen — Sun, 25 Mar 2012 19:44:00 +0200

With the upcoming udev version not supporting separate /usr locations unless you boot with an initramfs, we are now starting to document how to create an initramfs to boot with. After all, systems with a separate /usr are not that uncommon.

As I've blogged about before, getting an initramfs to …

Hunting fuser

Sven Vermeulen — Mon, 12 Mar 2012 21:54:00 +0100

I am able to work on Gentoo and SELinux about one hour per day. It's more in total time, but being a bit exhausted makes me act a bit more slowly which boils down to about one hour per day. And one hour per day isn't bad, you're able to …

Introducing 2.20120215 policies

Sven Vermeulen — Sun, 26 Feb 2012 18:40:00 +0100

A few weeks after being released, we now have the 20120215-based policies available for our users (and also the newer userspace utilities). The packages currently reside in the hardened-dev overlay as they will need to see sufficient testing before we merge those to the main tree. For most users, nothing …

This months' stabilization done, more to come

Sven Vermeulen — Sun, 29 Jan 2012 13:33:00 +0100

A small notification to tell you that the SELinux policies that were pushed to the main tree 30 days (or more) ago have now been stabilized (none of them introduced problems, although some of them have other bugs still open which are either fixed in \~arch or will be fixed …

Gentoo WiKi & Knowledge Base

Sven Vermeulen — Mon, 26 Dec 2011 20:01:00 +0100

I have been playing with the Gentoo Wiki the last few days and am very impressed with the work that both the wiki teams as well as existing contributors have already done to the place. The look and feel is very slick and editing works just as expected. One of …

Supporting fix scripts for XCCDF content and maintaining the documents

Sven Vermeulen — Fri, 23 Dec 2011 16:00:00 +0100

One of the features supported through OVAL (and Open-SCAP) is to generate fix scripts when a test has failed. The administrator can then verify this script (of course) and then execute it to correct wrong settings. So I decided to play around with this as well and enhanced the Gentoo …

SELinux Gentoo/Hardened state 2011-12-19

Sven Vermeulen — Mon, 19 Dec 2011 18:04:00 +0100

On december 14th, the Gentoo Hardened project had its monthly online meeting to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux-front were presented as well.

Since last meeting, the follow topics passed the revue.

sec-policy/selinux-base-policy, which is the "master …

Supporting CC-BY-SA 3.0

Sven Vermeulen — Tue, 29 Nov 2011 21:33:00 +0100

Until now, documents on the Gentoo website all had to be licensed under the Creative Commons Attribution/Share Alike license, version 2.5. Why? Because at the time of the license choice, that was probably the latest version at hand. In the XML code itself, the license tagging was done …

SELinux Gentoo/Hardened state 2011-11-17

Sven Vermeulen — Thu, 17 Nov 2011 23:29:00 +0100

A small write-down on the Gentoo Hardened SELinux state-of-affairs, largely triggered because there was an online meeting for the Gentoo Hardened project today.

The SELinux policies offered in the sec-policy category are based on the latest refpolicy release. The older policies have been removed from the Portage tree. The patches …

Gentoo Security Benchmark with OVAL and Open-SCAP

Sven Vermeulen — Wed, 16 Nov 2011 23:09:00 +0100

A while ago, I got referred to the Open Vulnerability and Assessment Language, which seems to be an open specification (or even standard) for defining security content/information and being able to document such things in a way that tools can interpret it. Actually, it is a set of these …

SELinux' 2011/07 releases now stable

Sven Vermeulen — Sun, 23 Oct 2011 15:07:00 +0200

A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727. With the change, I also updated the Gentoo SELinux Handbook with the changes I presented on our gentoo-hardened mailinglist. After some time, I'll remove the now …

Gentoo Hardened SELinux policies, rev 5

Sven Vermeulen — Thu, 13 Oct 2011 18:30:00 +0200

I've pushed out selinux-base-policy version 2.20110726-r5 to the hardened-dev overlay. It does not hold huge changes, most of them are rewrites or updates on pre-existing patches (on the SELinux policies) to make them conform the refpolicy naming conventions and other guidelines. It includes preliminary support for the XDG Specification …

Upgrading GCC, revisited

Sven Vermeulen — Thu, 13 Oct 2011 18:23:00 +0200

Gentoo has, since long, had a GCC Upgrading guide. A long time ago, upgrading GCC required quite a lot of side activities and was often considered a risky upgrade. But times change, and so do the GCC upgrade cycles. Improved compatibility as well as a better understood impact made GCC …

Quickly setup a Gentoo system

Sven Vermeulen — Sat, 24 Sep 2011 15:34:00 +0200

In order to verify if the installation instructions in the Gentoo Handbook are still valid, and to allow me to quickly seed new Gentoo installations in a virtual environment, I wrote a very ugly (really) script to automatically "stage" a Gentoo Linux installation in a KVM guest. This is not …

Power management guide updated

Sven Vermeulen — Fri, 23 Sep 2011 21:57:00 +0200

The Gentoo Power Management Guide is now updated. It is a full rewrite, focusing currently on two main toolsets: Laptop Mode Tools and cpufreqd. I was pleasantly surprised by the number of features that the laptop mode tools package provided.

Of course, this does not mean that the guide is …

Catching up

Sven Vermeulen — Sun, 18 Sep 2011 16:51:00 +0200

As mentioned on the gentoo-doc mailinglist, all documentation bugs (that we know of) related to openrc have been fixed. It was already a week like so, but the last dependency on our "tracker" bug was an open one (asking if more needs to be done or not) from which we …

Now using refpolicy 2.20110726

Sven Vermeulen — Sun, 04 Sep 2011 20:38:00 +0200

A few days ago, I committed the SELinux policy modules that are based on the 2.20110726 set released upstream. For those that are using Gentoo Hardened with SELinux, you'll find them if you use the \~arch set for the sec-policy category.

When I talk about upstream, it usually is …

Use parted for large partitions

Sven Vermeulen — Wed, 24 Aug 2011 23:46:00 +0200

A few bugs that were sitting in Gentoo's bugzilla for the documentation were related to large partitions (2 TB and higher). Previously, this wasn't as much as an issue since the number of users that have 2+ TB partitions are fairly slim. But of course time flies, hardware becomes cheaper …

Easy documentation updates thanks to the many contributions

Sven Vermeulen — Mon, 22 Aug 2011 23:01:00 +0200

As mentioned previously, I took a stab at the Gentoo Guide to OpenLDAP Authentication, updating its configuration settings as well as give an introduction to its replication mechanism. Although I am no OpenLDAP guru at all, I set up a similar architecture for testing some SELinux policy changes. This test …

Ready, set, commit!

Sven Vermeulen — Fri, 12 Aug 2011 22:35:00 +0200

Yesterday, I have entered the realms of Gentoo Development again. But as it was getting late then, I had to wait before the first commits happened. So this evening, things were done. The first couple of documentation bugs (mostly related to OpenRC) have been committed to the Gentoo CVS repository …

emerge-webrsync and gpg verification

Sven Vermeulen — Fri, 22 Jul 2011 14:33:00 +0200

Gentoo has been working on its security from very early on. One of the (many) features it supports is to allow users to validate the state of the portage tree. Ebuild signing (where developers sign the Manifest file with their key) is one of the layers offered by Gentoo, but …

Preliminary SELinux MCS support in Gentoo Hardened

Sven Vermeulen — Thu, 21 Jul 2011 22:04:00 +0200

Users tracking the hardened-dev overlay for SELinux packages will notice yet another update on the selinux-base-policy package. This time however, the change is a little more than just a policy update. With this new revision, preliminary support for Multi-Category Security (aka MCS) is added.

MCS is an update on the …

On the new SELinux profiles

Sven Vermeulen — Thu, 14 Jul 2011 19:31:00 +0200

Ever since Anthony put in the new SELinux profiles - which was long due - they have seen quite a few tests and the necessary, evolutionary updates. No changes that broke things, no oddities that would give a WTF to whomever is using it. The latest updates were to remove some obsolete …

Gentoo Hardened SELinux state

Sven Vermeulen — Sat, 09 Jul 2011 16:39:00 +0200

Since last post, we've been working on the further stabilization and bug fixing of the SELinux policies within Gentoo Hardened. You might have noticed that we started working on the QA of the packages, like I promised in the last post. The binaries within selinux-base-policy are now published somewhere on …

What's next after stabilization?

Sven Vermeulen — Mon, 13 Jun 2011 20:46:00 +0200

The last few weeks have shown quite a few interesting improvements on Gentoo Hardened's SELinux state. We now have improved (simplified) Gentoo profile support, supporting SELinux on no-multilib (an often requested feature, now finally in), we stabilized the 2.20101213 policies that are in the tree and are cleaning up …

SELinux Gentoo profile updates

Sven Vermeulen — Tue, 03 May 2011 23:17:00 +0200

The SELinux support within Gentoo Hardened is continuing to go forward. Anthony G. Basile has been working on the new SELinux Gentoo profiles which were in dire need of updates. With the rework, we'll also support the AMD64 no-multilib environment properly. With the new profiles we'll also make USE="open …

Restoring configuration files on Gentoo

Sven Vermeulen — Sat, 19 Mar 2011 16:32:00 +0100

If you work with Gentoo, you're probably aware of tools like etc-update and dispatch-conf. If you use dispatch-conf, you might know that it supports rcs for version control of the changes it makes. But if you have enabled it, you might be wondering how to actually restore configuration files with …

Updates on the Gentoo Hardened SELinux state

Sven Vermeulen — Wed, 02 Mar 2011 23:09:00 +0100

For those following the progress of SELinux support in Gentoo Hardened...

In the hardened-development overlay, the selinux-base-policy package has been updated, hopefully fixing a nasty issue with support for the targeted policy (up to today, I only tested strict policies so I missed that). It also fixes an issue with …

"Gentoo in production?" Oh no, not again...

Sven Vermeulen — Fri, 21 Jan 2011 21:59:00 +0100

I think it is that time of the year again, where people get some crazy ideas. Again I discussed the what must be the gazillion-th time I've been asked "Do you think Gentoo is ripe for use in production?". Honestly, I always tell myself to ignore those discussions but I've …

Why I have backups

Sven Vermeulen — Thu, 30 Dec 2010 20:06:00 +0100

You often read stories about people who have data loss and did not keep any (recent) backups, and are now fully equipped with a state-of-the-art backup mechanism. So no - no such failure story here but an example why backups are important.

Yesterday I had a vicious RAID/LVM failure. Due …

Switching to hardened

Sven Vermeulen — Sun, 12 Sep 2010 13:41:00 +0200

Yesterday (and this night) I successfully converted my system to a Gentoo Hardened system. In my case, this currently means that PaX has been enabled and I am currently running the system (which is an x86_64 laptop) with SELinux in permissive mode (so it won't enforce the policies yet …

Listing files of (not) installed software

Sven Vermeulen — Sat, 05 Jun 2010 10:54:00 +0200

Everyone that has been using Gentoo for a while now knows about tools such as qlist that show you the list of files installed by an (installed) package, or qfile that allows you to find which package provided a particular file on your system.

One thing lacking is to be …

License support in Gentoo

Sven Vermeulen — Tue, 16 Feb 2010 00:10:00 +0100

It's a bit sad that Gentoo didn't promote this more, but Gentoo users now have support for license-based masking.

What does this mean? Well, previously, Gentoo already supported various masking reasons (like stable versus staging - the x86 versus \~x86 saga, package.mask'ing - for security reasons or critical bugs, ...). Now, a …

Added quota information

Sven Vermeulen — Tue, 01 Sep 2009 23:19:00 +0200

I've added quota support information to the Linux Sea book as well as information about the eclean command for cleaning distfiles and packages. The part on building a Linux kernel has been moved into its own chapter, the chapter on hardware support now has a bit more information about dealing …

Draft PDF for Linux Sea

Sven Vermeulen — Mon, 10 Aug 2009 22:27:00 +0200

I've added a draft PDF version of my Linux Sea document. If you don't mind the A4 papersize and the bad typesetting of the text boxes (I still have lots of overflows to correct) it is quite usable.

Linux Sea is progressing slowly but surely

Sven Vermeulen — Tue, 10 Feb 2009 23:33:00 +0100

My everlasting document, Linux Sea, is progressing slowely but surely. I've started a few new chapters and also initiated a chapter on Installing Gentoo (which is more a shortlist of tasks with pointers to earlier chapters).

I also took a different CSS (docbook.css file used by the FreeBSD handbook …

Adding exercises and resources

Sven Vermeulen — Mon, 15 Sep 2008 22:59:00 +0200

As stated earlier, I'm now focusing on the existing content of my (work-in-progress) ebook called Linux Sea (PDF, HTML). I'm going to add more text where appropriate, add exercises to each chapter as well as references to online resources.

When that's finished, I'll probably be writing a chapter on installing …

Linux Sea - Updates on graphical environment chapter

Sven Vermeulen — Thu, 21 Aug 2008 22:08:00 +0200

I've updated the chapter on graphical environments a bit to reflect how applications, window managers, X server and widget toolkits work together. Hopefully it isn't a big lie that I wrote there ;-)

I'll probably be doing a bit of clean ups the coming days before I start out with more …