Simplicity is a form of art...

A SELinux policy for incron: the basic skeleton
by Sven Vermeulen, post on Thu 23 May 2013

So, in the previous post I talked about incron and why I think moving it into the existing cron policy would not be a good idea. It works, somewhat, but is probably not that future-proof. So we're going to create our own policy for it.

In SELinux, policies are generally …

A SELinux policy for incron: what does it do?
by Sven Vermeulen, post on Wed 22 May 2013

In this series of posts, we'll go through the creation of a SELinux policy for incron, a simple inotify-based cron-like application. I will talk about the various steps that I would take in the creation of this policy, and explain which decisions are taken along the way and why. At …

Why oh why does a process run in unlabeled_t?
by Sven Vermeulen, post on Tue 21 May 2013

If you notice that a process is running in the unlabeled_t domain, the first question to ask is how it got there.

Well, one way is to have a process running in a known domain, like screen_t, after which the SELinux policy module that provides this domain is removed from …

A simple IPv6 setup
by Sven Vermeulen, post on Mon 20 May 2013

For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement "feature" of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it …

The weird "audit_access" permission
by Sven Vermeulen, post on Sun 19 May 2013

While writing up the posts on capabilities, one thing I had in mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …

Commandline SELinux policy helper functions
by Sven Vermeulen, post on Sat 18 May 2013

To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …
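The post only names the four helpers, so here is an added, portable sh/awk implementation of them to show what such functions have to do; it is illustrative code, not the author's own shell functions. It assumes the reference policy layout: interfaces and templates live in `*.if` files, macro definitions in `support/*.spt`, each block starts with `interface(`name',`` (or `template(`, `define(`) and ends with a `')` line at column 0. `POLICY_IF_DIR` is an assumed variable pointing at the policy tree; the sample files written by `make_sample_if` are constructed for the demo and are not copied from refpolicy.

```shell
#!/bin/sh
# Added example: sh/awk versions of sefindif, seshowif, sefinddef and seshowdef.
# Not the author's functions. Assumes refpolicy layout (see lead-in) and the
# assumed variable POLICY_IF_DIR (policy tree, default ".").

# _sefind KINDRE GLOB PATTERN: print file:name for every block
# "<kind>(`name',` ... ')" whose BODY matches the extended regex PATTERN.
_sefind() {
    kindre="$1"; glob="$2"; pattern="$3"
    find "${POLICY_IF_DIR:-.}" -name "$glob" -print | sort | while read -r f; do
        awk -v kindre="$kindre" -v pat="$pattern" -v file="$f" -v q="'" '
            BEGIN { startre = "^(" kindre ")\\(`"; endre = q "\\)$" }
            $0 ~ startre {
                name = substr($0, index($0, "`") + 1)
                rest = substr(name, index(name, q) + 1)
                name = substr(name, 1, index(name, q) - 1)
                # one-line define()s carry body and terminator on the start line
                if (rest ~ pat) { print file ":" name; name = "" }
                if ($0 ~ endre) name = ""
                next
            }
            $0 == (q ")") { name = ""; next }           # block closed
            name != "" && $0 ~ pat { print file ":" name; name = "" }
        ' "$f"
    done
}

# _seshow KINDRE GLOB NAME: print the full text of the block called NAME.
_seshow() {
    kindre="$1"; glob="$2"; want="$3"
    find "${POLICY_IF_DIR:-.}" -name "$glob" -print | sort | while read -r f; do
        awk -v kindre="$kindre" -v want="$want" -v q="'" '
            BEGIN { startre = "^(" kindre ")\\(`" want q; endre = q "\\)$" }
            $0 ~ startre { show = 1; print; if ($0 ~ endre) show = 0; next }
            show { print; if ($0 == (q ")")) show = 0 }
        ' "$f"
    done
}

sefindif()  { _sefind 'interface|template' '*.if'  "$1"; }
seshowif()  { _seshow 'interface|template' '*.if'  "$1"; }
sefinddef() { _sefind 'define'             '*.spt' "$1"; }
seshowdef() { _seshow 'define'             '*.spt' "$1"; }

# make_sample_if DIR: write a small CONSTRUCTED policy tree to run against.
make_sample_if() {
    cat > "$1/apache.if" <<'EOF'
## <summary>Read Apache web content.</summary>
interface(`apache_read_content',`
    gen_require(`
        type httpd_sys_content_t;
    ')

    allow $1 httpd_sys_content_t:dir list_dir_perms;
    read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')

## <summary>Execute Apache in the httpd_t domain.</summary>
interface(`apache_domtrans',`
    gen_require(`
        type httpd_t, httpd_exec_t;
    ')

    domtrans_pattern($1, httpd_exec_t, httpd_t)
')

template(`apache_role_template',`
    gen_require(`
        type httpd_t;
    ')

    allow $2 httpd_t:process signal;
')
EOF
    cat > "$1/support.spt" <<'EOF'
define(`read_file_perms',`{ getattr open read lock ioctl }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`read_files_pattern',`
    allow $1 $2:dir search_dir_perms;
    allow $1 $3:file read_file_perms;
')
EOF
}

# Demo against the constructed tree.
demo=$(mktemp -d)
make_sample_if "$demo"
POLICY_IF_DIR="$demo"
echo "== interfaces using httpd_sys_content_t"; sefindif 'httpd_sys_content_t'
echo "== definitions using read_file_perms";    sefinddef 'read_file_perms'
echo "== body of apache_domtrans";              seshowif apache_domtrans
rm -rf "$demo"; unset POLICY_IF_DIR
```

The find variants match on the block body only, so `sefindif httpd_sys_content_t` answers "which interfaces touch this type", which is the usual question when writing a new module; matching on the block name is what the show variants do. Point `POLICY_IF_DIR` at the installed policy headers (on Gentoo the refpolicy include directory) to use this on a real tree.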

Looking at the local Linux kernel privilege escalation
by Sven Vermeulen, post on Fri 17 May 2013

There have been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. Ars Technica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.

In …

Gentoo Hardened spring notes
by Sven Vermeulen, post on Thu 16 May 2013

We got back together on the #gentoo-hardened chat channel to discuss the progress of Gentoo Hardened, so it's time for another write-up of what was said.


GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …

Public support channels: irc
by Sven Vermeulen, post on Thu 16 May 2013

I've said it before - support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use "modern" techniques, I fail to see why the old, but proven/stable methods would be wrong.

Consider the "Chat …

Overriding the default SELinux policies
by Sven Vermeulen, post on Wed 15 May 2013

Extending SELinux policies with additional rules is easy. As SELinux uses a deny-by-default approach, all you need to do is create a policy module that contains the additional (allow) rules, load it, and you're all set. But what if you want to remove some rules?
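The easy case, adding rules, as an added example that is not code from the post: a small module in the raw module language that checkmodule compiles directly, so no refpolicy m4 headers are needed. httpd_t and user_home_t are real reference-policy types; the module name extra_httpd_home is an arbitrary choice, and the rule is only an illustration (grant something like it for real only after thinking about what else in user_home_t the web server could then read).

```shell
#!/bin/sh
# Added example (not from the post): a module that only ADDS allow rules on top of
# the loaded policy, plus the build steps. Module name and rule are illustrative.

# write_extra_module DIR: write DIR/extra_httpd_home.te and print its path.
write_extra_module() {
    cat > "$1/extra_httpd_home.te" <<'EOF'
module extra_httpd_home 1.0;

# Everything the rule references must be declared in a require block; the types
# and the class/permissions come from the base policy, this module only adds a rule.
require {
    type httpd_t;
    type user_home_t;
    class file { getattr open read };
}

# The additional (allow) rule: Apache may read files labelled user_home_t.
allow httpd_t user_home_t:file { getattr open read };
EOF
    printf '%s\n' "$1/extra_httpd_home.te"
}

# build_extra_module DIR: compile (.mod) and package (.pp); print the .pp path.
# Load afterwards as root with: semodule -i DIR/extra_httpd_home.pp
build_extra_module() {
    checkmodule -M -m -o "$1/extra_httpd_home.mod" "$1/extra_httpd_home.te" || return 1
    semodule_package -o "$1/extra_httpd_home.pp" -m "$1/extra_httpd_home.mod" || return 1
    printf '%s\n' "$1/extra_httpd_home.pp"
}

# module_has_rule TE SOURCE TARGET CLASS: check the source text carries the
# intended allow rule for that source/target/class before building.
module_has_rule() {
    grep -q "^allow $2 $3:$4 " "$1"
}

# Demo: write the source, build it only where the SELinux tool chain is present.
work=$(mktemp -d)
te=$(write_extra_module "$work")
module_has_rule "$te" httpd_t user_home_t file && echo "rule present in $te"
if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
    build_extra_module "$work"
else
    echo "checkmodule/semodule_package not installed; skipping build"
fi
rm -rf "$work"
```

Once loaded with `semodule -i`, `sesearch -A -s httpd_t -t user_home_t -c file -p read` should list the new rule; `semodule -r extra_httpd_home` takes it away again. Note that this only ever widens what the policy allows, which is exactly why it does not help when the goal is to take an existing rule out of the base policy.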

Well, sadly …