Simplicity is a form of art...

Commandline SELinux policy helper functions
by Sven Vermeulen, post on Sat 18 May 2013

To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …

Overriding the default SELinux policies
by Sven Vermeulen, post on Wed 15 May 2013

Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?

Well, sadly …

SECMARK and SELinux
by Sven Vermeulen, post on Mon 13 May 2013

When using SECMARK, the administrator configures the iptables or netfilter rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic is completely locally defined. Consider the following command …

Peer labeling in SELinux policy
by Sven Vermeulen, post on Sun 12 May 2013

Allow me to start with an important warning: I don't have much hands-on experience with the remainder of this post. Its based on the few resources I found on the Internet and a few tests done locally which I've investigated in my attempt to understand SELinux policy writing for networking …

SELinux policy and network controls
by Sven Vermeulen, post on Sat 11 May 2013

Let's talk about how SELinux governs network streams (and how it reflects this into the policy).

When you don't do fancy stuff like SECMARK or netlabeling, then the classes that you should keep an eye on are tcp_socket and udp_socket (depending on the protocol). There used to be …

Introducing selocal for small SELinux policy enhancements
by Sven Vermeulen, post on Sun 21 April 2013

When working with a SELinux-enabled system, administrators will eventually need to make small updates to the existing policy. Instead of building their own full policy (always an option, but most likely not maintainable in the long term) one or more SELinux policy modules are created (most distributions use a modular …