cvechecker 3.3 released
by Sven Vermeulen, post on Mon 16 September 2013
I just uploaded a new release of cvechecker to the project files. The release is a (long overdue) bugfix release, but includes two small enhancements: support for standard input for the binary list (so you can pipe the output of one command to cvechecker) and the introduction of the CVECHECKER_CONFFILE variable …
Gentoo Hardened progress report
by Sven Vermeulen, post on Thu 29 August 2013
Today, we had our monthly online meeting to discuss the progress amongst the various Gentoo Hardened projects. As usual, here is a small write-up.
Lead election
As every year, we also reviewed the current project leads. No surprises here, everybody is happy with the current leads so they are re-elected …
Umounting IPv6 NFS(v4) mounts
by Sven Vermeulen, post on Fri 23 August 2013
I had issues umounting my NFSv4 shares on an IPv6-only network. When trying to umount the share, it said that it couldn't find the mount in /proc/mounts:
~# umount /mnt/nfs/portage
/mnt/nfs/portage was not found in /proc/mounts
The solution: copy /proc/mounts to /etc/mtab, and …
Why our policies don't like emerge --config
by Sven Vermeulen, post on Fri 23 August 2013
One of the features that Portage provides is to have post-processing done on request of the administrator for certain packages. For instance, for the dev-db/postgresql-server package we can call its pkg_config() phase to create the PostgreSQL instance and configure it so that the configuration of the database is stored …
Network routing based on SELinux?
by Sven Vermeulen, post on Wed 21 August 2013
Today we had a question on #selinux if it was possible to route traffic of a specific process using SELinux. The answer to this is "no", although it has to be explained a bit in more detail.
SELinux does not route traffic. SELinux is a local mandatory access control system …
Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?
by Sven Vermeulen, post on Fri 16 August 2013
As you are probably aware, Gentoo uses the reference policy as its base for SELinux policies. Yes, we do customize it and not everything is already pushed upstream (for instance, our approach to use xdg_*_home_t customizable types to further restrict user application access has been sent up for comments …
Today was a productive day
by Sven Vermeulen, post on Thu 15 August 2013
Fixed 14 bugs today, with a few more pending (those for packages only get marked as FIXED if it is moved to the stable state). One of the changes is the GRUB2 support in the Gentoo Handbook (yes, finally, sorry about that). That opens up the road for the stabilization …
Some things sound more scary than they are
by Sven Vermeulen, post on Thu 15 August 2013
A few days ago I finally got to the next thing on my Want to do this year list: put a new android (Cyanogenmod) on my tablet, which was still running the stock Android - but hasn't seen any updates in more than a year. Considering the (in)security of Android …
And now, 31 days later...
by Sven Vermeulen, post on Thu 01 August 2013
... the Gentoo Hardened team had its monthly online meeting again ;-)
On the agenda were the usual suspects, such as the toolchain. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the hardenedno* and vanilla gcc-config options which will be added to the tree …
Putting OVAL at work
by Sven Vermeulen, post on Thu 01 August 2013
When we look at the SCAP security standards, you might get the feeling of "How does this work". The underlying interfaces, like OVAL and XCCDF, might seem a bit daunting to implement.
This is correct, but you need to remember that the standards are protocols, agreements that can be made …