Simplicity is a form of art...

Using extended attributes for custom information
by Sven Vermeulen, post on Sun 02 June 2013

One of the things I have been meaning to implement on my system is a way to properly "remove" old files from the system. Currently, I do this through frequently listing all files, going through them and deleting those I feel I no longer need (in any case, I can …

Hacking java bytecode with dhex
by Sven Vermeulen, post on Sat 01 June 2013

I found myself in a weird situation: a long long time ago, I wrote a java application that I didn't touch or run for a few years. Today, I found it on a backup and wanted to run it again (it's a graphical application for generating HTML pages). However, it …

A SELinux policy for incron: finishing up
by Sven Vermeulen, post on Fri 31 May 2013

After 9 posts, it's time to wrap things up. You can review the final results online (incron.te, incron.if and incron.fc) and adapt to your own needs if you want. But we should also review what we have accomplished so far...

We built the start of an entire …

A SELinux policy for incron: using booleans
by Sven Vermeulen, post on Thu 30 May 2013

After using a default set of directories to watch, and allowing admins to mark other types as such as well, let's consider another approach for making the policy more flexible: booleans. The idea now is that a boolean called incron_notify_non_security_files enables incrond to be notified on changes on all possible …

A SELinux policy for incron: marking types eligible for watching
by Sven Vermeulen, post on Wed 29 May 2013

In the previous post we made incrond able to watch public_content_t and public_content_rw_t types. However, this is not scalable, so we might want to be able to update the policy more dynamically with additional types. To accomplish this, we will make types eligible for watching through an attribute.

So how …

A SELinux policy for incron: default set
by Sven Vermeulen, post on Tue 28 May 2013

I finished the last post with a bit of a cliffhanger, as incrond is still not working properly and we got a few denials that needed to be resolved; here they are again for your convenience:

type=AVC msg=audit(1368734110.912:28353): avc:  denied  { getattr } for  pid=9716 comm="incrond …

A SELinux policy for incron: the incrond daemon
by Sven Vermeulen, post on Mon 27 May 2013

With incrontab_t (hopefully) complete, let's look at the incrond_t domain. As this domain will also be used to execute the user (and system) commands provided through the incrontabs, we need to consider how we are going to deal with this wide range of possible permissions that it might take. One …

A SELinux policy for incron: new types and transitions
by Sven Vermeulen, post on Sun 26 May 2013

So I've shown the iterative approach used to develop policies. Again, please be aware that this is my way of developing policies; other policy developers might have a different approach. We were working on the incrontab command, so let's continue with trying to create a new user incrontab:

$ incrontab -e …

A SELinux policy for incron: basic set for incrontab
by Sven Vermeulen, post on Sat 25 May 2013

Now that our regular user is allowed to execute incrontab, let's fire it up and look at the denials to build up the policy.

$ incrontab --help

That doesn't show much, does it? Well, if you look into the audit.log (or avc.log) file, you'll notice a lot of denials …

A SELinux policy for incron: our first interface
by Sven Vermeulen, post on Fri 24 May 2013

The next step after having a basic skeleton is to get incrontab running. We know however that everything invoked from the main daemon will be running with the rights of the daemon context (unless we would patch the source code, but that is beyond the scope of this set of …