SELinux file contexts

If you have been working with SELinux for a while, you know that file contexts are an important part of the policy and its enforcement. File contexts are used to inform the SELinux tools which type a file, directory, socket, ... should have. These types are then used to manage the …

more ...

SELinux Gentoo profile updates

The SELinux support within Gentoo Hardened is continuing to go forward. Anthony G. Basile has been working on the new SELinux Gentoo profiles which were in dire need of updates. With the rework, we'll also support the AMD64 no-multilib environment properly. With the new profiles we'll also make USE="open_perms …

more ...

SELinux User-Based Access Control

Within the reference policy, support is given to a feature called UBAC constraints. Here, UBAC stands for User Based Access Control. The idea behind the constraint is that any activity between two types (say foo_t and bar_t) can be prohibited if the user contexts of the resources that are using …

more ...


cvechecker 3.0

I'm pleased to announce the immediate availability of cvechecker 3.0. It contains two major feature enhancements: watchlists and MySQL support.

watchlists allow cvechecker to track and report on CVEs for software that cvechecker didn't detect on the system (or perhaps even isn't installed on the system). You can use …

more ...

cvechecker updates

The in-svn version of cvechecker has seen quite a few changes in the last few days. I'm adding support for MySQL to it. This support will be added in three steps:

  1. support the same features as cvechecker currently does using sqlite
  2. streamline the database code so that duplicate code in …
more ...

Restoring configuration files on Gentoo

If you work with Gentoo, you're probably aware of tools like etc-update and dispatch-conf. If you use dispatch-conf, you might know that it supports rcs for version control of the changes it makes. But if you have enabled it, you might be wondering how to actually restore configuration files with …

more ...


Portage fails to build due to SELinux?

If you're having troubles getting Portage to build packages due to SELinux, then the reason usually is that it is unable to transition to the proper portage domains. You'll get a nice OSError back with an ugly backtrace, saying somewhere that "setexeccon" is misbehaving.

Now, the real issue (not being …

more ...

Updates on the Gentoo Hardened SELinux state

For those following the progress of SELinux support in Gentoo Hardened...

In the hardened-development overlay, the selinux-base-policy package has been updated, hopefully fixing a nasty issue with support for the targeted policy (up to today, I only tested strict policies so I missed that). It also fixes an issue with …

more ...