Simplicity is a form of art...

Using pam_selinux to switch contexts
by Sven Vermeulen, post on Mon 10 December 2012

With SELinux managing the access controls of applications towards the resources on the system, one component that must not be forgotten on any Unix/Linux system is authentication. Most systems use or support PAM, the Pluggable Authentication Modules, and for SELinux this plays an important role.

Applications that are PAM-enabled …

Local policy management script
by Sven Vermeulen, post on Sun 11 November 2012

I've written a small script that I call selocal which manages locally needed SELinux rules. It allows me to add or remove SELinux rules from the command line and have them loaded up without needing to edit a .te file and building the .pp file manually. If you are interested …

Lots of work on supporting swig-2
by Sven Vermeulen, post on Mon 20 August 2012

The SELinux setools package provides a few of the commands I used the most when working with SELinux: sesearch for looking through the policy and seinfo to get information on type/attribute/role/... from the currently loaded policy.

This package uses swig, the Simplified (sic) Wrapper and Interface Generator to …

Dynamic transitions in SELinux
by Sven Vermeulen, post on Sun 22 July 2012

In between talks on heap spraying techniques and visualization of data for fast analysis, I'm working on integrating the chromium SELinux policy that was offered in bug #412637 within Gentoo Hardened. If you take a look at the bug, you notice I'm not really fond of the policy because …

Transitioning to MCS policies
by Sven Vermeulen, post on Fri 24 February 2012

Since I started maintaining the SELinux policies for Gentoo Hardened, the policy types we supported were primarily strict and targeted. About half a year ago, we also started supporting mcs and offered the possibility of using mls as well (but didn't really support that one).

With the recent release of …

Trying out initramfs with selinux and grsec
by Sven Vermeulen, post on Sun 15 January 2012

I'm no fan of initramfs. All my systems boot up just fine without it, so I often see it as an additional layer of obfuscation. But there are definitely cases where initramfs is needed, and from the looks of it, we might be needing to push out some documentation and …

Unix domain sockets are files
by Sven Vermeulen, post on Sat 31 December 2011

Probably not a first for many seasoned Linux administrators, and probably not correct according to more advanced users than myself, but I just found out that Unix domain sockets are files. Even when they're not.

I have been looking at a weird SELinux denial I had occurring on my system …

Some people on #selinux are ... dolphins
by Sven Vermeulen, post on Thu 14 July 2011

A very useful resource for anyone working on or with SELinux policies is the #selinux chat channel on irc.freenode.net. You would at first think that people like Dominick Grift and Dan Walsh are IRC bots (being online all the time, answering questions), but I recently read that they must be …

Policy 25, 26
by Sven Vermeulen, post on Wed 01 June 2011

Recently I've seen quite a few messages on IRC pop up about policy.25 or even policy.26 so I harassed the guys in the chat channel to talk about it. Apparently, these new binary policy formats add support for filename transitions and non-process role transitions.

Currently, when you initiate …

SELinux file contexts
by Sven Vermeulen, post on Sun 15 May 2011

If you have been working with SELinux for a while, you know that file contexts are an important part of the policy and its enforcement. File contexts are used to inform the SELinux tools which type a file, directory, socket, ... should have. These types are then used to manage the …