If you notice that a process is running in the unlabeled_t
domain, the
first question to ask is how it got there.
Well, one way is to have a process running in a known domain, like
screen_t
, after which the SELinux policy module that provides this
domain is removed from …
For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement "feature" of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it …
more ...While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …
more ...To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …
more ...There has been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.
In …
more ...We got back together on the #gentoo-hardened
chat channel to discuss
the progress of Gentoo
Hardened, so it's time for
another write-up of what was said.
Toolchain
GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …
more ...I've said it before - support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use "modern" techniques, I fail to see why the old, but proven/stable methods would be wrong.
Consider the "Chat …
more ...Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?
Well, sadly …
more ...