Simplicity is a form of art...

Network routing based on SELinux?
by Sven Vermeulen, post on Wed 21 August 2013

Today we had a question on #selinux if it was possible to route traffic of a specific process using SELinux. The answer to this is "no", although it has to be explained a bit in more detail.

SELinux does not route traffic. SELinux is a local mandatory access control system …

Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?
by Sven Vermeulen, post on Fri 16 August 2013

As you are probably aware, Gentoo uses the reference policy as its base for SELinux policies. Yes, we do customize it and not everything is already pushed upstream (for instance, our approach to use xdg_*_home_t customizable types to further restrict user application access has been sent up for …

Today was a productive day
by Sven Vermeulen, post on Thu 15 August 2013

Fixed 14 bugs today, with a few more pending (those for packages only get marked as FIXED if it is moved to the stable state). One of the changes is the GRUB2 support in the Gentoo Handbook (yes, finally, sorry about that). That opens up the road for the stabilization …

Some things sound more scary than they are
by Sven Vermeulen, post on Thu 15 August 2013

A few days ago I finally got to the next thing on my Want to do this year list: put a new android (Cyanogenmod) on my tablet, which was still running the stock Android - but hasn't seen any updates in more than a year. Considering the (in)security of Android …

And now, 31 days later...
by Sven Vermeulen, post on Thu 01 August 2013

... the Gentoo Hardened team had its monthly online meeting again ;-)

On the agenda were the usual suspects, such as the toolchain. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the hardenedno* and vanilla gcc-config options which will be added to the tree …

Putting OVAL at work
by Sven Vermeulen, post on Thu 01 August 2013

When we look at the SCAP security standards, you might get the feeling of "How does this work". The underlying interfaces, like OVAL and XCCDF, might seem a bit daunting to implement.

This is correct, but you need to remember that the standards are protocols, agreements that can be made …

Moving Gentoo docs to the wiki
by Sven Vermeulen, post on Sun 28 July 2013

Slowly but surely Gentoo documentation guides are being moved to the Gentoo Wiki. Thanks to the translation support provided by the infrastructure, all "reasons" not to go forward with this have been resolved. At first, I'm focusing on documentation with open bugs that have not been picked up (usually due …

Rebuilding SELinux contexts with sefcontext_compile
by Sven Vermeulen, post on Mon 08 July 2013

A recent update of libpcre caused the binary precompiled regular expression files of SELinux to become outdated (and even blatantly wrong). The details are in bug 471718 but that doesn't help the users that are already facing the problem, nor have we found a good place to put the fix …

Adding mcstrans to Gentoo
by Sven Vermeulen, post on Sun 07 July 2013

If you use SELinux, you might be using an MLS-enabled policy. These are policies that support sensitivity labels on resources and domains. In Gentoo, these are supported in the mcs and mls policy stores. Now sensitivity ranges are fun to work with, but the moment you have several sensitivity levels …

Hardening is our business... new monthly report ;-)
by Sven Vermeulen, post on Thu 27 June 2013

We're back with another report on the Gentoo Hardened project. Please excuse my brevity, as you've noticed I'm not that active (yet) due to work on an external project - I'll be back mid-July though. I promise.

On the Toolchain side, GCC 4.8.1 is in the tree and has …