A SELinux policy for incron: our first interface
by Sven Vermeulen, post on Fri 24 May 2013
The next step after having a basic skeleton is to get incrontab running. We know however that everything invoked from the main daemon will be running with the rights of the daemon context (unless we would patch the source code, but that is beyond the scope of this set of …
A SELinux policy for incron: the basic skeleton
by Sven Vermeulen, post on Thu 23 May 2013
So, in the previous post I talked about incron and why I think moving it into the existing cron policy would not be a good idea. It works, somewhat, but is probably not that future-proof. So we're going to create our own policy for it.
In SELinux, policies are generally …
A SELinux policy for incron: what does it do?
by Sven Vermeulen, post on Wed 22 May 2013
In this series of posts, we'll go through the creation of a SELinux policy for incron, a simple inotify-based cron-like application. I will talk about the various steps that I would take in the creation of this policy, and give feedback when certain decisions are taken and why. At …
Why oh why does a process run in unlabeled_t?
by Sven Vermeulen, post on Tue 21 May 2013
If you notice that a process is running in the unlabeled_t domain, the first question to ask is how it got there. Well, one way is to have a process running in a known domain, like screen_t, after which the SELinux policy module that provides this domain is removed from …
A simple IPv6 setup
by Sven Vermeulen, post on Mon 20 May 2013
For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement "feature" of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it …
The weird "audit_access" permission
by Sven Vermeulen, post on Sun 19 May 2013
While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …
Commandline SELinux policy helper functions
by Sven Vermeulen, post on Sat 18 May 2013
To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …
Looking at the local Linux kernel privilege escalation
by Sven Vermeulen, post on Fri 17 May 2013
There have been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.
In …
Gentoo Hardened spring notes
by Sven Vermeulen, post on Thu 16 May 2013
We got back together on the #gentoo-hardened chat channel to discuss the progress of Gentoo Hardened, so it's time for another write-up of what was said.
Toolchain
GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …
Public support channels: irc
by Sven Vermeulen, post on Thu 16 May 2013
I've said it before - support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use "modern" techniques, I fail to see why the old, but proven/stable methods would be wrong.
Consider the "Chat …