Catching up, but stuff is piling...

Those that are frequent the #gentoo-hardened chat channel know that I'm currently trying to get the SELinux related utilities working under Python 3. This has progressed quite far, but I'm still not there yet. I'm now hitting a weird bug which seems to come down to an incorrect free() on …

more ...

Keeping /selinux

Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version and you switch from /selinux to /sys/fs/selinux as the mountpoint for the SELinux file system, you might get into issues. Apparently, init (which is responsible for mounting the SELinux …

more ...

20120215 policies now stable

Today I've stabilized the sec-policy/selinux-* packages that provide the 20120215 "series" of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace …

more ...

Linux Sea now in ePub

On request of Matthew Marchese, I now automatically build an ePub version of Linux Sea for those that like to read such resources on a digital reader. Thanks to the use of DocBook, this was simply a matter of using its xsl-stylesheets/epub/docbook.xsl stylesheet against the DocBook sources …

more ...

Why both chroot and SELinux?

In my previous post, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?

Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate …

more ...

Chrooted BIND for IPv6 with SELinux

BIND, or Berkeley Internet Name Domain, is one of the Internet's most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I'll give …

more ...


Get your devtmpfs ready

If you are using stable profiles, you might want to verify if you are already running a kernel with devtmpfs support enabled. Why? Well, currently you might not need it, but the upcoming openrc/udev packages require it and they currently do not fail at install time if you have …

more ...

More on initramfs and SELinux

With the upcoming udev version not supporting separate /usr locations unless you boot with an initramfs, we are now starting to document how to create an initramfs to boot with. After all, systems with a separate /usr are not that uncommon.

As I've blogged about before, getting an initramfs to …

more ...

Hunting fuser

I am able to work on Gentoo and SELinux about one hour per day. It's more in total time, but being a bit exhausted makes me act a bit more slowly which boils down to about one hour per day. And one hour per day isn't bad, you're able to …

more ...