Unix domain sockets are files

Probably not a first for many seasoned Linux administrators, and probably not correct accordingly to more advanced users than myself, but I just found out that Unix domain sockets are files. Even when they're not.

I have been looking at a weird SELinux denial I had occuring on my system …

more ...

Some people on #selinux are ... dolphins

A very useful resource for anyone working on or with SELinux policies is the #selinux chat channel on irc.freenode.net. People like Dominick Grift and Dan Walsh you would first think are IRC bots (being online all the time, answering questions), but I recently read that they must be …

more ...

Policy 25, 26

Recently I've seen quite a few messages on IRC pop up about policy.25 or even policy.26 so I harassed the guys in the chat channel to talk about it. Apparently, these new binary policy formats add support for filename transitions and non-process role transitions.

Currently, when you initiate …

more ...

SELinux file contexts

If you have been working with SELinux for a while, you know that file contexts are an important part of the policy and its enforcement. File contexts are used to inform the SELinux tools which type a file, directory, socket, ... should have. These types are then used to manage the …

more ...

SELinux User-Based Access Control

Within the reference policy, support is given to a feature called UBAC constraints. Here, UBAC stands for User Based Access Control. The idea behind the constraint is that any activity between two types (say foo_t and bar_t) can be prohibited if the user contexts of the resources that are using …

more ...



Portage fails to build due to SELinux?

If you're having troubles getting Portage to build packages due to SELinux, then the reason usually is that it is unable to transition to the proper portage domains. You'll get a nice OSError back with an ugly backtrace, saying somewhere that "setexeccon" is misbehaving.

Now, the real issue (not being …

more ...