Simplicity is a form of art...

Talk about SELinux on GSE Linux/Security
by Sven Vermeulen, post on Tue 25 March 2014

On today's GSE Linux / GSE Security meeting (in cooperation with IMUG) I gave a small (30 minutes) presentation about what SELinux is. The slides are online and cover two aspects of SELinux: some of its design principles, and then a set of features provided by SELinux. The talk is directed …

Create your own SELinux Gentoo profile
by Sven Vermeulen, post on Mon 24 March 2014

Or any other profile for that matter ;-)

A month or so ago we got the question how to enable SELinux on a Gentoo profile that doesn't have a <some profilename>/selinux equivalent. Because we don't create SELinux profiles for all possible profiles out there, having a way to do this …

Hidden symbols and dynamic linking
by Sven Vermeulen, post on Mon 24 March 2014

A few weeks ago, we introduced an error in the (~arch) libselinux ebuild which caused the following stacktrace to occur every time the semanage command was invoked:

~ # semanage
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in <module>
    import seobject
  File "/usr/lib64/python2.7 …

Closing week? No, starting week...
by Sven Vermeulen, post on Sun 16 March 2014

I've been away for a while, and this week will (hopefully) be the last week of all the effort that is causing this. And that means I'll get back to blogging, documentation development, SELinux integration, SELinux policy development and more. To be honest, I'm eagerly awaiting this moment of getting …

Switching context depending on user code-wise
by Sven Vermeulen, post on Sun 12 January 2014

I blogged about how SELinux decides what the context should be for a particular Linux user; how it checks the default context(s) and tells the SELinux-aware application on what the new context should be. Let's look into the C code that does so, and how an application should behave …

Can Gentoo play a role in a RHEL-only environment?
by Sven Vermeulen, post on Thu 09 January 2014

Sounds like a stupid question, as the answer is already in the title. If a company has only RedHat Enterprise Linux as allowed / supported Linux platform (be it for a support model requirement, ISV certification, management tooling support or what not) how could or would Gentoo still play a role …

Linux protip: environment for a process
by Sven Vermeulen, post on Tue 07 January 2014

Just a quick pro-tip: if you need to know the environment variables for a process, you can see them in that process' /proc/${PID}/environ file. The file however shows the environment variables on one line, with a null character as separator. With a simple sed you can show it …
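As an added example (not code from the post, which uses a sed one-liner), the following POSIX shell functions render /proc/${PID}/environ one KEY=VALUE per line by translating each NUL separator to a newline with tr, and look up a single variable by exact name. The function and file names are my own; the helpers take a file path so the logic can be tried on any NUL-separated dump, with the PID wrapper assuming a Linux /proc. One caveat worth knowing: the kernel gates reads of another process's environ behind the same access check as ptrace attach, so it works for processes of your own UID (or with CAP_SYS_PTRACE) and fails with "Permission denied" otherwise. The flip side is that any credential a program keeps in its environment is readable by every other process running as that user.

```shell
#!/bin/sh
# Added example: read a process environment from /proc/${PID}/environ.
# The file is a sequence of KEY=VALUE entries, each terminated by a NUL
# byte, so tr is the cleanest way to turn it into lines.

# environ_file PID: path of the environ dump for PID (assumes Linux /proc).
environ_file() {
    printf '/proc/%s/environ\n' "$1"
}

# env_lines FILE: print a NUL-separated environ dump one KEY=VALUE per line.
env_lines() {
    tr '\000' '\n' < "$1"
}

# env_get FILE NAME: print the value of NAME from the dump, nothing if unset.
# awk compares the key as a string, so a NAME containing regex
# metacharacters is matched literally; sub() strips only up to the first
# '=', so values that themselves contain '=' survive intact.
env_get() {
    env_lines "$1" | awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); print }'
}

# proc_env PID: list the environment of a live process.
proc_env() {
    env_lines "$(environ_file "$1")"
}

# proc_env_get PID NAME: fetch one variable from a live process.
proc_env_get() {
    env_get "$(environ_file "$1")" "$2"
}

# Usage: ./procenv.sh PID [NAME]
if [ "$#" -ge 2 ]; then
    proc_env_get "$1" "$2"
elif [ "$#" -eq 1 ]; then
    proc_env "$1"
fi
```

Run it as `./procenv.sh $$` to see your own shell's environment, or `./procenv.sh 1234 PATH` for a single variable of process 1234.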

How does foo_t get this privilege?
by Sven Vermeulen, post on Sun 05 January 2014

Today a question was raised how the unprivileged user domain user_t was allowed to write to cgroup_t files. There is nothing obvious about that in the roles/unprivuser.te file, so what gives?

I used a simple script (which I've been using for a while already) called seshowtree …

Oh it is cron again...
by Sven Vermeulen, post on Fri 03 January 2014

Today I was pointed to the following error:

test fcron[6722]: fcron[6722] 3.1.2 started
test fcron[6722]: Cannot bind socket to '/var/run/fcron.fifo': Permission denied
test fcron[6722]:  "at" reboot jobs will only be run at computer's startup.
test fcron[6722]: updating configuration from …

Private key handling and SELinux protection
by Sven Vermeulen, post on Thu 02 January 2014

In this post I'll give some insight in a possible SELinux policy for a script I wrote.

The script is a certificate authority handling script, in which I can generate a private key (and certificate assigned to it), sign the certificate either by itself (for the root CA key) or …