Simplicity is a form of art...

Switching context depending on user code-wise
by Sven Vermeulen, post on Sun 12 January 2014

I blogged about how SELinux decides what the context should be for a particular Linux user: how it checks the default context(s) and tells the SELinux-aware application what the new context should be. Let's look into the C code that does so, and how an application should behave …

How does foo_t get this privilege?
by Sven Vermeulen, post on Sun 05 January 2014

Today a question was raised about how the unprivileged user domain user_t was allowed to write to cgroup_t files. There is nothing obvious about that in the roles/unprivuser.te file, so what gives?

I used a simple script (which I've been using for a while already) called seshowtree …

Oh it is cron again...
by Sven Vermeulen, post on Fri 03 January 2014

Today I was pointed to the following error:

test fcron[6722]: fcron[6722] 3.1.2 started
test fcron[6722]: Cannot bind socket to '/var/run/fcron.fifo': Permission denied
test fcron[6722]:  "at" reboot jobs will only be run at computer's startup.
test fcron[6722]: updating configuration from …

Private key handling and SELinux protection
by Sven Vermeulen, post on Thu 02 January 2014

In this post I'll give some insight into a possible SELinux policy for a script I wrote.

The script is a certificate authority handling script, in which I can generate a private key (and certificate assigned to it), sign the certificate either by itself (for the root CA key) or …

Limiting file access with SELinux alone?
by Sven Vermeulen, post on Tue 31 December 2013

While writing a small script to handle simple certificate authority activities using OpenSSL, I considered how to properly protect the files that OpenSSL uses for these activities. As you are probably aware, a system that hosts the necessary files for CA activities (like signing certificate requests) should be very secure …

It has finally arrived: SELinux System Administration
by Sven Vermeulen, post on Fri 27 September 2013

Almost everyone has it - either physical or in their heads: a list of things you want to do or achieve before you... well, stop existing. Mine still has numerous things on it (I should get on it, I know) but one of the items on that list has recently been …

Network routing based on SELinux?
by Sven Vermeulen, post on Wed 21 August 2013

Today we had a question on #selinux whether it was possible to route traffic of a specific process using SELinux. The answer to this is "no", although it has to be explained in a bit more detail.

SELinux does not route traffic. SELinux is a local mandatory access control system …

Some things sound more scary than they are
by Sven Vermeulen, post on Thu 15 August 2013

A few days ago I finally got to the next thing on my Want to do this year list: put a new Android (Cyanogenmod) on my tablet, which was still running the stock Android but hadn't seen any updates in more than a year. Considering the (in)security of Android …

Rebuilding SELinux contexts with sefcontext_compile
by Sven Vermeulen, post on Mon 08 July 2013

A recent update of libpcre caused the binary precompiled regular expression files of SELinux to become outdated (and even blatantly wrong). The details are in bug 471718 but that doesn't help the users that are already facing the problem, nor have we found a good place to put the fix …

A SELinux policy for incron: finishing up
by Sven Vermeulen, post on Fri 31 May 2013

After 9 posts, it's time to wrap things up. You can review the final results online (incron.te, incron.if and incron.fc) and adapt them to your own needs if you want. But we should also review what we have accomplished so far...

We built the start of an entire …