Simplicity is a form of art...

SELinux policy and network controls
by Sven Vermeulen, post on Sat 11 May 2013

Let's talk about how SELinux governs network streams (and how it reflects this into the policy).

When you don't do fancy stuff like SECMARK or netlabeling, then the classes that you should keep an eye on are tcp_socket and udp_socket (depending on the protocol). There used to be …

Gentoo metadata support for CPE
by Sven Vermeulen, post on Fri 10 May 2013

Recently, the metadata.xml file syntax definition (the DTD, for those who know a bit of XML) has been updated to support CPE definitions. A CPE (Common Platform Enumeration) is an identifier that describes an application, operating system or hardware device using its vendor, product name, version, update, edition and …

Enabling Kernel Samepage Merging (KSM)
by Sven Vermeulen, post on Thu 09 May 2013

When using virtualization extensively, you will pretty soon hit the limits of your system (at least, the resources on it). When the virtualization is used primarily for testing (such as in my case), the limit is memory. So it makes sense to seek memory optimization strategies on such systems. The …

The Linux ".d" approach
by Sven Vermeulen, post on Wed 08 May 2013

Many services on a Linux system use a *.d directory approach to make their configuration easily configurable by other services. This is a remarkably simple yet efficient method for exposing services towards other applications. Let's look into how this .d approach works.

Take a look at the /etc/pam.d …

Added "predictable network interface" info into the handbook
by Sven Vermeulen, post on Tue 07 May 2013

Being long overdue (like many of our documentation-reported bugs :-( ), I worked on bug 466262 to update the Gentoo Handbook with information about Network Interface Naming. Of course, the installation instructions have also seen the necessary updates to refer to this change.

With some luck (read: time) I might be able …

Overview of Linux capabilities, part 3
by Sven Vermeulen, post on Mon 06 May 2013

In previous posts I talked about capabilities and gave an introduction to how this powerful security feature within Linux can be used (and also exploited). I also covered a few capabilities, so let's wrap this up with the remainder of them.

CAP_AUDIT_CONTROL
Enable and disable kernel auditing; change …

Overview of Linux capabilities, part 2
by Sven Vermeulen, post on Sun 05 May 2013

As I have (at a very high level) described capabilities and talked a bit about how to work with them, I started with a small overview of file-related capabilities. So next up are process-related capabilities (note, this isn't standard terminology, more a categorization of my own).

CAP_IPC_LOCK …

Overview of Linux capabilities, part 1
by Sven Vermeulen, post on Sat 04 May 2013

In the previous posts, I talked about capabilities and how they can be used to allow processes to run in a privileged fashion without granting them full root access to the system. An example given was how capabilities can be leveraged to run ping without granting it setuid root rights …

Restricting and granting capabilities
by Sven Vermeulen, post on Fri 03 May 2013

As capabilities are a way of running processes with some privileges without needing to grant them root privileges, it is important to understand that they exist, not only if you are a system administrator, but also as an auditor or in another security-related function. Having processes run as a non-root user …

Capabilities, a short intro
by Sven Vermeulen, post on Thu 02 May 2013

Capabilities. You probably have heard of them already, but when you start developing SELinux policies, you'll notice that you come in closer contact with them than before. This is because SELinux, when applications want to do something "root-like", checks the capability of that application. Without SELinux, this either requires the …