SECMARK and SELinux

When using SECMARK, the administrator configures the iptables or netfilter rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic is completely locally defined. Consider the following command …

more ...




How logins get their SELinux user context

Sometimes, especially when users are converting their systems to be SELinux-enabled, their user context is wrong. An example would be when, after logon (in permissive mode), the user is in the system_u:system_r:local_login_t domain instead of a user domain like staff_u:staff_r:staff_t.
So, how does a login get …

more ...


SELinux tutorial series, update

Just a small update - the set of SELinux tutorials has been enhanced since my last blog post about it with information on SELinux booleans, customizable types, run-time modi (enforcing versus permissive), some bits about unconfined domains, information on policy loading, purpose of SELinux roles, SELinux users and an example on …

more ...


Using pam_selinux to switch contexts

With SELinux managing the access controls of applications towards the resources on the system, a not-to-be forgotten important component on any Unix/Linux system is the authentication part. Most systems use or support PAM, the Pluggable Authentication Modules, and for SELinux this plays an important role.

Applications that are PAM-enabled …

more ...

Local policy management script

I've written a small script that I call selocal which manages locally needed SELinux rules. It allows me to add or remove SELinux rules from the command line and have them loaded up without needing to edit a .te file and building the .pp file manually. If you are interested …

more ...