Gentoo Hardened, June 2014
by Sven Vermeulen, post on Sun 15 June 2014
Friday the Gentoo Hardened project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.
On the toolchain part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …
Visualizing constraints
by Sven Vermeulen, post on Sat 31 May 2014
SELinux constraints are an interesting way to implement specific, well, constraints on what SELinux allows. Most SELinux rules that users come in contact with are purely type oriented: allow something to do something against something. In fact, most of the SELinux rules applied on a system are such allow rules …
Revamped our SELinux documentation
by Sven Vermeulen, post on Mon 12 May 2014
In the move to the Gentoo wiki, I have updated and revamped most of our SELinux documentation. The end result can be seen through the main SELinux page. Most of the content is below this page (as subpages).
We start with a new introduction to SELinux article which goes over …
Dropping sesandbox support
by Sven Vermeulen, post on Fri 09 May 2014
A vulnerability in seunshare, part of policycoreutils, came to light recently (through bug 509896). The issue is within libcap-ng actually, but the specific situation in which the vulnerability can be exploited is only available in seunshare.
Now, seunshare is not built by default on Gentoo. You need to define USE …
Stepping through the build process with ebuild
by Sven Vermeulen, post on Sun 20 April 2014
Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don't use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream …
If things are weird, check for policy.29
by Sven Vermeulen, post on Thu 17 April 2014
Today we analyzed a weird issue one of our SELinux users had with their system. He had a denial when calling audit2allow, informing us that sysadm_t had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository but …
What is that net-pf-## thingie?
by Sven Vermeulen, post on Tue 01 April 2014
When checking audit logs, you might come across applications that request loading of a net-pf-## module, with ## being an integer. Having requests for net-pf-10 is a more known cause (enable IPv6) but what about net-pf-34?
The answer can be found in /usr/src/linux/include/linux/socket.h:
#define AF_ATMPVC …
Proof of concept for USE enabled policies
by Sven Vermeulen, post on Mon 31 March 2014
tl;dr: Some (-9999) policy ebuilds now have USE support for building in (or leaving out) SELinux policy statements.
One of the "problems" I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a "least privilege" policy that …
Decoding the hex-coded path information in AVC denials
by Sven Vermeulen, post on Sun 30 March 2014
When investigating AVC denials, some denials show a path that isn't human readable, like so:
type=AVC msg=audit(1396189189.734:1913): avc: denied { execute } for pid=17955 comm="emerge" path=2F7661722F666669737A69596157202864656C6574656429 dev="dm-3" ino=1838 scontext=staff_u:sysadm_r:portage_t tcontext=staff_u:object_r:var_t tclass=file
To know what this …
Managing Inter-Process Communication (IPC)
by Sven Vermeulen, post on Sun 30 March 2014
As a Linux administrator, you'll eventually need to concern yourself with Inter-Process Communication (IPC). The IPC primitives that most POSIX operating systems provide are semaphores, shared memory and message queues. On Linux, the first utility that helps you with those primitives is ipcs. Let's start with semaphores first.
Semaphores in …