Simplicity is a form of art...

SELinux User-Based Access Control
by Sven Vermeulen, post on Mon 02 May 2011

Within the reference policy, support is given to a feature called UBAC constraints. Here, UBAC stands for User Based Access Control. The idea behind the constraint is that any activity between two types (say foo_t and bar_t) can be prohibited if the user contexts of the resources that …

SELinux and noatsecure, or why portage complains about LD_PRELOAD and libsandbox.so
by Sven Vermeulen, post on Fri 22 April 2011

If you're fiddling with SELinux policies, you will eventually notice that the reference policy by default hides certain privilege requests (which are denied). One of them is noatsecure. But what is noatsecure? To describe noatsecure, I first need to describe what atsecure is. And to describe what that is, we …

Updates on SELinux docs, added FAQ
by Sven Vermeulen, post on Wed 09 March 2011

As you're probably noticing from my twitter feed and the various posts earlier in my blog, I'm helping out with the Gentoo Hardened folks to get the SELinux support state up to par. Today, the Gentoo Hardened/SELinux Handbook had a few updates, but the most important change is that …

Portage fails to build due to SELinux?
by Sven Vermeulen, post on Thu 03 March 2011

If you're having troubles getting Portage to build packages due to SELinux, then the reason usually is that it is unable to transition to the proper portage domains. You'll get a nice OSError back with an ugly backtrace, saying somewhere that "setexeccon" is misbehaving.

Now, the real issue (not being …

Temporary script for Gentoo Hardened SELinux users
by Sven Vermeulen, post on Sun 27 February 2011

If you are currently using Gentoo Hardened with SELinux, you might have noticed that we are currently lacking the proper dependencies within our Portage tree upon the SELinux policies (or, in other words, installing a package doesn't guarantee that the SELinux policy needed for that package is pulled in as …

SELinux for Gentoo Hardened
by Sven Vermeulen, post on Sun 06 February 2011

Recently, most of the SELinux-related ebuilds from the hardened overlay have been moved to the official Portage tree. Hopefully, this will trigger more people / organizations to try Gentoo Hardened with SELinux and help us improve the ebuilds. They're still marked as ~arch (as they should be). The draft SELinux handbook …

Confining user applications
by Sven Vermeulen, post on Sun 16 January 2011

Ever since I started using SELinux, I'm getting more and more fond of what it can do for (security) administrators. Lately, I've started confining user applications (like skype) in the idea that I do not want any application connecting to the Internet or working with content received from untrusted sources …

SELinux enforcing for console activity
by Sven Vermeulen, post on Sat 30 October 2010

I'm now able to boot into my system with SELinux in enforcing mode (without unconfined domains), do standard system administration tasks as root / sysadm_r (including the relevant Portage activities) and work as a regular user as long as I don't want to run in Xorg. I'm not going to …

SELinux quicky
by Sven Vermeulen, post on Tue 14 September 2010

I've been using SELinux for a few days now (in permissive mode, just to get to know things) and have learned a few interesting commands (or other nice-to-know's) for using SELinux. Since I'm going to forget those the moment all is running well, I'll "document" them here ;-) I'm not going …