Simplicity is a form of art...

The weird "audit_access" permission
by Sven Vermeulen, post on Sun 19 May 2013

While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …

Commandline SELinux policy helper functions
by Sven Vermeulen, post on Sat 18 May 2013

To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …

SECMARK and SELinux
by Sven Vermeulen, post on Mon 13 May 2013

When using SECMARK, the administrator configures the iptables or netfilter rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic are completely locally defined. Consider the following command …

Peer labeling in SELinux policy
by Sven Vermeulen, post on Sun 12 May 2013

Allow me to start with an important warning: I don't have much hands-on experience with the remainder of this post. It's based on the few resources I found on the Internet and a few tests done locally which I've investigated in my attempt to understand SELinux policy writing for networking …

SELinux policy and network controls
by Sven Vermeulen, post on Sat 11 May 2013

Let's talk about how SELinux governs network streams (and how it reflects this into the policy).

When you don't do fancy stuff like SECMARK or netlabeling, then the classes that you should keep an eye on are tcp_socket and udp_socket (depending on the protocol). There used to be node and …

SELinux mount options
by Sven Vermeulen, post on Wed 01 May 2013

When you read through the Gentoo Hardened SELinux handbook, you'll notice that we sometimes update /etc/fstab with some SELinux-specific settings. So, what are these settings about and are there more of them?

First of all, let's look at a particular example from the installation instructions so you see what …

How logins get their SELinux user context
by Sven Vermeulen, post on Sat 27 April 2013

Sometimes, especially when users are converting their systems to be SELinux-enabled, their user context is wrong. An example would be when, after logon (in permissive mode), the user is in the system_u:system_r:local_login_t domain instead of a user domain like staff_u:staff_r:staff_t.
So, how does a login get …

Using strace to troubleshoot SELinux problems
by Sven Vermeulen, post on Wed 24 April 2013

When SELinux is playing tricks on you, you can just "allow" whatever it wants to do, but that is not always an option: sometimes, there is no denial in sight because the problem lies within SELinux-aware applications (applications that might change their behavior based on what the policy says or …

SELinux tutorial series, update
by Sven Vermeulen, post on Mon 18 March 2013

Just a small update - the set of SELinux tutorials has been enhanced since my last blog post about it with information on SELinux booleans, customizable types, run-time modi (enforcing versus permissive), some bits about unconfined domains, information on policy loading, purpose of SELinux roles, SELinux users and an example on …

SELinux tutorial series
by Sven Vermeulen, post on Fri 15 March 2013

As we get a growing number of SELinux users within Gentoo Hardened and because the SELinux usage at the firm I work at is most likely going to grow as well, I decided to join the bunch of documents on SELinux that are "out there" and start a series of …