Why does it access /etc/shadow?
by Sven Vermeulen, post on Tue 30 December 2014
While updating the SELinux policy for the Courier IMAP daemon, I noticed that it (well, the authdaemon that is part of Courier) wanted to access /etc/shadow, which is of course a big no-no. It doesn't take long to know that this is through the PAM support (more specifically, pam_unix …
Using multiple priorities with modules
by Sven Vermeulen, post on Fri 31 October 2014
One of the new features of the 2.4 SELinux userspace is support for module priorities. The idea is that distributions and administrators can override a (pre)loaded SELinux policy module with another module without removing the previous module. This lower-version module will remain in the store, but will not …
After SELinux System Administration, now the SELinux Cookbook
by Sven Vermeulen, post on Wed 24 September 2014
Almost an entire year ago (just a few days apart) I announced my first published book, called SELinux System Administration. The book covered SELinux administration commands and focuses on Linux administrators that need to interact with SELinux-enabled systems. An important part of SELinux was only covered very briefly in the …
Segmentation fault when emerging packages after libpcre upgrade?
by Sven Vermeulen, post on Wed 09 July 2014
SELinux users might be facing failures when emerge is merging a package to the file system, with an error that looks like so:
>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
* ERROR: dev-libs/libpcre-8.35::gentoo …
D-Bus and SELinux
by Sven Vermeulen, post on Mon 30 June 2014
After a post about D-Bus comes the inevitable related post about SELinux with D-Bus. Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which has the D-Bus behavior based on the SELinux policy (and might not necessarily honor the "permissive …
Chroots for SELinux enabled applications
by Sven Vermeulen, post on Sun 22 June 2014
Today I had to prepare a chroot jail (thank you grsecurity for the neat additional chroot protection features) for a SELinux-enabled application. As a result, "just" making a chroot was insufficient: the application needed access to /sys/fs/selinux. Of course, granting access to /sys is not something I like …
Visualizing constraints
by Sven Vermeulen, post on Sat 31 May 2014
SELinux constraints are an interesting way to implement specific, well, constraints on what SELinux allows. Most SELinux rules that users come in contact with are purely type oriented: allow something to do something against something. In fact, most of the SELinux rules applied on a system are such allow rules …
If things are weird, check for policy.29
by Sven Vermeulen, post on Thu 17 April 2014
Today we analyzed a weird issue one of our SELinux users had with their system. He had a denial when calling audit2allow, informing us that sysadm_t had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository but …
Decoding the hex-coded path information in AVC denials
by Sven Vermeulen, post on Sun 30 March 2014
When investigating AVC denials, some denials show a path that isn't human readable, like so:
type=AVC msg=audit(1396189189.734:1913): avc: denied { execute } for pid=17955 comm="emerge" path=2F7661722F666669737A69596157202864656C6574656429 dev="dm-3" ino=1838 scontext=staff_u:sysadm_r:portage_t tcontext=staff_u:object_r:var_t tclass=file
To know what this …
Querying SELinux policy for boolean information
by Sven Vermeulen, post on Fri 28 March 2014
Within an SELinux policy, certain access vectors (permissions) can be conditionally granted based on the value of a SELinux boolean. To find the list of SELinux booleans that are available on your system, you can use the getsebool -a method, or semanage boolean -l. The latter also displays the description …