Simplicity is a form of art...

Dropping sesandbox support
by Sven Vermeulen, post on Fri 09 May 2014

A vulnerability in seunshare, part of policycoreutils, recently came to light (through bug 509896). The issue actually lies within libcap-ng, but the specific situation in which it can be exploited only arises through seunshare.

Now, seunshare is not built by default on Gentoo. You need to define USE …

Stepping through the build process with ebuild
by Sven Vermeulen, post on Sun 20 April 2014

Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don't use the tool myself (it was a user-reported issue), I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream …

If things are weird, check for policy.29
by Sven Vermeulen, post on Thu 17 April 2014

Today we analyzed a weird issue one of our SELinux users had with his system. He got a denial when calling audit2allow, showing that sysadm_t had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository …

What is that net-pf-## thingie?
by Sven Vermeulen, post on Tue 01 April 2014

When checking audit logs, you might come across applications that request loading of a net-pf-## module, with ## being an integer. Requests for net-pf-10 are a well-known case (the kernel asking for IPv6 support), but what about net-pf-34?

The answer can be found in /usr/src/linux/include/linux/socket.h:

#define AF …
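The lookup described above can be scripted. As an added example (not code from the original post), the following Python snippet parses the AF_* defines from the kernel's socket.h layout and resolves the kmod="net-pf-N" value of a module_request denial to the matching address family name. The header excerpt and the audit records are constructed for this example (the AF values follow the Linux header, but parse your own /usr/src/linux copy, as the list grows across kernel versions); the domain mydaemon_t is made up.

```python
"""Resolve kmod="net-pf-N" module requests from AVC denials to AF_* names.

Added example, not code from the original post. Address family numbers are
parsed from text in the layout of include/linux/socket.h; the excerpt and the
audit records below are constructed for this example.
"""
import re

# Constructed excerpt in the layout of include/linux/socket.h. Values match the
# Linux header, but parse your own copy: the list keeps growing across versions.
SOCKET_H_EXCERPT = """\
#define AF_UNSPEC	0
#define AF_UNIX		1	/* Unix domain sockets 		*/
#define AF_LOCAL	1	/* POSIX name for AF_UNIX	*/
#define AF_INET		2	/* Internet IP Protocol 	*/
#define AF_INET6	10	/* IP version 6			*/
#define AF_NETLINK	16
#define AF_ROUTE	AF_NETLINK /* Alias to emulate 4.4BSD */
#define AF_PACKET	17	/* Packet family		*/
#define AF_BLUETOOTH	31	/* Bluetooth sockets 		*/
#define AF_ISDN		34	/* mISDN sockets 		*/
#define AF_ALG		38	/* Algorithm sockets		*/
"""

# Only numeric defines count; aliases such as AF_ROUTE -> AF_NETLINK are skipped.
AF_DEFINE = re.compile(r'^\s*#\s*define\s+(AF_\w+)\s+(\d+)\b', re.MULTILINE)


def load_address_families(header_text):
    """Map family number -> AF_ name; the first name wins (AF_UNIX over AF_LOCAL)."""
    families = {}
    for name, number in AF_DEFINE.findall(header_text):
        families.setdefault(int(number), name)
    return families


def resolve_net_pf(kmod, families):
    """'net-pf-34' -> 'AF_ISDN'; None for other module names or unknown numbers."""
    match = re.fullmatch(r'net-pf-(\d+)', kmod)
    if match is None:
        return None
    return families.get(int(match.group(1)))


def module_requests(audit_lines, families):
    """(comm, kmod, family) for every module_request denial in the records."""
    results = []
    for line in audit_lines:
        if '{ module_request }' not in line:
            continue
        kmod = re.search(r'\bkmod="([^"]+)"', line)
        comm = re.search(r'\bcomm="([^"]+)"', line)
        if kmod is None:
            continue
        results.append((comm.group(1) if comm else None,
                        kmod.group(1),
                        resolve_net_pf(kmod.group(1), families)))
    return results


# Constructed AVC records in the shape the kernel emits for module_request
# (target is kernel_t, class system). mydaemon_t is a made-up domain.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1396300000.123:4001): avc:  denied  { module_request } for  '
    'pid=2501 comm="ntpd" kmod="net-pf-10" scontext=system_u:system_r:ntpd_t '
    'tcontext=system_u:system_r:kernel_t tclass=system',
    'type=AVC msg=audit(1396300000.456:4002): avc:  denied  { module_request } for  '
    'pid=2630 comm="mydaemon" kmod="net-pf-34" scontext=system_u:system_r:mydaemon_t '
    'tcontext=system_u:system_r:kernel_t tclass=system',
    'type=AVC msg=audit(1396300001.000:4003): avc:  denied  { read } for  '
    'pid=2630 comm="mydaemon" name="hosts" dev="dm-3" ino=4711 '
    'scontext=system_u:system_r:mydaemon_t tcontext=system_u:object_r:net_conf_t tclass=file',
]

if __name__ == '__main__':
    families = load_address_families(SOCKET_H_EXCERPT)
    for comm, kmod, family in module_requests(SAMPLE_AUDIT, families):
        print(f'{comm}: {kmod} -> {family or "unknown, check your kernel header"}')
```

The kmod field names the module the kernel tried to autoload on behalf of the denied domain. Once the number is resolved you can judge whether that domain legitimately needs the protocol family (and grant module_request in policy) or whether blacklisting the module is the safer fix; a number missing from your header means the kernel is newer than the source tree you parsed.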

Proof of concept for USE enabled policies
by Sven Vermeulen, post on Mon 31 March 2014

tl;dr: Some (-9999) policy ebuilds now have USE support for building in (or leaving out) SELinux policy statements.

One of the "problems" I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a "least privilege" policy that …

Decoding the hex-coded path information in AVC denials
by Sven Vermeulen, post on Sun 30 March 2014

When investigating AVC denials, some denials show a path that isn't human readable, like so:

type=AVC msg=audit(1396189189.734:1913): avc:  denied  { execute } for  pid=17955 comm="emerge" path=2F7661722F666669737A69596157202864656C6574656429 dev="dm-3" ino=1838 scontext=staff_u:sysadm_r:portage_t tcontext=staff_u:object_r:var_t …
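As an added example (not code from the original post), here is the decoding done in Python. The audit subsystem writes a string field as an unquoted run of hex digits when the value contains a space, a double quote or a non-printable byte, and quotes it otherwise; the script uses that to decode only the fields that carry strings, so that a numeric field such as ino=1838, which also consists of hex digits, is left alone. The records are constructed for this example; the first is modelled on the denial quoted above, completed with a tclass.

```python
"""Decode hex-encoded string fields in AVC denials.

Added example, not code from the original post. The audit subsystem writes a
string field (path, name, comm, ...) as an unquoted run of hex digits when the
value contains a byte that would break the key="value" layout or is not
printable (a space, a double quote, a control character); otherwise the field
is double-quoted. The records below are constructed for this example; the first
is modelled on the denial quoted in the post.
"""
import re

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key="quoted value" or key=bare
HEX_RUN = re.compile(r'[0-9A-Fa-f]+')

# Fields that carry strings and may therefore be hex-encoded. Numeric fields are
# never decoded: ino=1838 is all hex digits too, but it is a number.
STRING_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle', 'key', 'cmd'}


def is_hex_encoded(value):
    """True for an unquoted, even-length run of hex digits (the audit encoding)."""
    return (not value.startswith('"')
            and len(value) >= 2 and len(value) % 2 == 0
            and HEX_RUN.fullmatch(value) is not None)


def decode_hex_field(value):
    """'2F76...' -> '/v...'; bytes that are not valid UTF-8 stay visible as \\xNN."""
    return bytes.fromhex(value).decode('utf-8', errors='backslashreplace')


def denied_permissions(line):
    """The permissions inside 'denied  { ... }', e.g. ['execute']."""
    match = re.search(r'denied\s+\{([^}]*)\}', line)
    return match.group(1).split() if match else []


def parse_avc(line):
    """Return the record's fields as a dict, decoding hex-encoded string fields.

    A string field the kernel did not hex-encode always arrives quoted, so an
    unquoted value in a string field is the encoded form. Values such as the
    name=(null) seen in PATH records are not hex digits and pass through as-is.
    """
    fields = {}
    for key, value in FIELD.findall(line):
        if value.startswith('"'):
            fields[key] = value[1:-1]
        elif key in STRING_FIELDS and is_hex_encoded(value):
            fields[key] = decode_hex_field(value)
        else:
            fields[key] = value
    fields['permissions'] = denied_permissions(line)
    return fields


# Constructed records. The first follows the post's denial; its path decodes to
# a temporary file name with a trailing " (deleted)", the space being what
# forced the hex encoding.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1396189189.734:1913): avc:  denied  { execute } for  '
    'pid=17955 comm="emerge" path=2F7661722F666669737A69596157202864656C6574656429 '
    'dev="dm-3" ino=1838 scontext=staff_u:sysadm_r:portage_t '
    'tcontext=staff_u:object_r:var_t tclass=file',
    # comm containing a space, hence hex-encoded
    'type=AVC msg=audit(1396189200.001:1920): avc:  denied  { read } for  '
    'pid=18001 comm=6D7920746F6F6C name="shadow" dev="dm-3" ino=2001 '
    'scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file',
    # name containing a byte that is not valid UTF-8 (0xFF)
    'type=AVC msg=audit(1396189201.002:1921): avc:  denied  { getattr } for  '
    'pid=18001 comm="ls" name=666F6FFF dev="dm-3" ino=2002 '
    'scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:user_home_t tclass=file',
]

if __name__ == '__main__':
    for record in SAMPLE_RECORDS:
        fields = parse_avc(record)
        print(fields['permissions'], fields.get('path') or fields.get('name'), repr(fields['comm']))
```

For the quoted denial the path decodes to a file under /var whose name ends in " (deleted)": the portage_t process executed a temporary file that had already been unlinked, which is the kind of detail the hex encoding hides from a quick read of the log. ausearch -i performs the same interpretation for you; the value of doing it by hand is seeing which byte (here, the space) triggered the encoding.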

Managing Inter-Process Communication (IPC)
by Sven Vermeulen, post on Sun 30 March 2014

As a Linux administrator, you'll eventually need to concern yourself with Inter-Process Communication (IPC). The IPC primitives that most POSIX operating systems provide are semaphores, shared memory and message queues. On Linux, the first utility that helps you with those primitives is ipcs. Let's start with semaphores.

Semaphores in …

Querying SELinux policy for boolean information
by Sven Vermeulen, post on Fri 28 March 2014

Within an SELinux policy, certain access vectors (permissions) can be granted conditionally, based on the value of an SELinux boolean.

To find the list of SELinux booleans that are available on your system, you can use getsebool -a or semanage boolean -l. The latter also displays the description …

Online hardened meeting of March
by Sven Vermeulen, post on Thu 27 March 2014

I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.

Toolchain

GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes …

Fixing the busybox build failure
by Sven Vermeulen, post on Wed 26 March 2014

For a few months now I have been getting a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate /usr and LVM for everything except /boot):

* busybox: >> Compiling...
* ERROR: Failed to compile the "all" target...
* 
* -- Grepping log... --
* 
*           - busybox-1.7.4-signal-hack.patch …