Simplicity is a form of art...

Some changes under the hood
by Sven Vermeulen, post on Sat 09 August 2014

In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.

First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is \~arch). These have a few updates (mergers from upstream), and r5 also …

Gentoo Hardened July meeting
by Sven Vermeulen, post on Fri 01 August 2014

I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.

Toolchain

GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with …

Segmentation fault when emerging packages after libpcre upgrade?
by Sven Vermeulen, post on Wed 09 July 2014

SELinux users might be facing failures when emerge is merging a package to the file system, with an error that looks like so:

>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault      /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
 * ERROR: dev-libs/libpcre-8 …

Multilib in Gentoo
by Sven Vermeulen, post on Wed 02 July 2014

One of the areas in Gentoo that is seeing lots of active development is its ongoing effort to have proper multilib support throughout the tree. In the past, this support was provided through special emulation packages, but those have the (serious) downside that they are often outdated, sometimes even having …

D-Bus and SELinux
by Sven Vermeulen, post on Mon 30 June 2014

After a post about D-Bus comes the inevitable related post about SELinux with D-Bus.

Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which has the D-Bus behavior based on the SELinux policy (and might not necessarily honor the "permissive …

D-Bus, quick recap
by Sven Vermeulen, post on Sun 29 June 2014

I've never fully investigated the what and how of D-Bus. I know it is some sort of IPC, but higher level than the POSIX IPC methods. After some reading, I think I start to understand how it works and how administrators can work with it. So a quick write-down is …

Chroots for SELinux enabled applications
by Sven Vermeulen, post on Sun 22 June 2014

Today I had to prepare a chroot jail (thank you grsecurity for the neat additional chroot protection features) for a SELinux-enabled application. As a result, "just" making a chroot was insufficient: the application needed access to /sys/fs/selinux. Of course, granting access to /sys is not something I like …

Gentoo Hardened, June 2014
by Sven Vermeulen, post on Sun 15 June 2014

Friday the Gentoo Hardened project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.

On the toolchain part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …

Visualizing constraints
by Sven Vermeulen, post on Sat 31 May 2014

SELinux constraints are an interesting way to implement specific, well, constraints on what SELinux allows. Most SELinux rules that users come in contact with are purely type oriented: allow something to do something against something. In fact, most of the SELinux rules applied on a system are such allow rules …

Revamped our SELinux documentation
by Sven Vermeulen, post on Mon 12 May 2014

In the move to the Gentoo wiki, I have updated and revamped most of our SELinux documentation. The end result can be seen through the main SELinux page. Most of the content is below this page (as subpages).

We start with a new introduction to SELinux article which goes over …