A SELinux policy for incron: the basic skeleton
by Sven Vermeulen, post on Thu 23 May 2013
So, in the previous post I talked about incron and why I think moving it into the existing cron policy would not be a good idea. It works, somewhat, but is probably not that future-proof. So we're going to create our own policy for it.
In SELinux, policies are generally …
A SELinux policy for incron: what does it do?
by Sven Vermeulen, post on Wed 22 May 2013
In this series of posts, we'll go through the creation of a SELinux policy for incron, a simple inotify based cron-like application. I will talk about the various steps that I would take in the creation of this policy, and give feedback when certain decisions are taken and why. At …
Why oh why does a process run in unlabeled_t?
by Sven Vermeulen, post on Tue 21 May 2013
If you notice that a process is running in the unlabeled_t domain, the first question to ask is how it got there. Well, one way is to have a process running in a known domain, like screen_t, after which the SELinux policy module that provides this domain is removed from …
A simple IPv6 setup
by Sven Vermeulen, post on Mon 20 May 2013
For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement "feature" of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it …
The weird "audit_access" permission
by Sven Vermeulen, post on Sun 19 May 2013
While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …
Commandline SELinux policy helper functions
by Sven Vermeulen, post on Sat 18 May 2013
To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …
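To make the idea behind those helpers concrete, here is an added example of a "find interfaces whose body matches a pattern" function in the spirit of sefindif. It is not the post's own function (those are not shown in this excerpt); it assumes refpolicy-style .if files, where each interface or template opens with a line like interface(`name',` and closes with a line that is exactly ') at column 0, and it runs against a constructed sample tree so it works without a policy source checkout.

```shell
#!/bin/sh
# Added example, not the blog author's helper. Assumes refpolicy-style
# .if files: "interface(`name',`" or "template(`name',`" opens a block
# and a line that is exactly "')" at column 0 closes it.

# Print "<file>: <interface-or-template name>" for every block under
# directory $2 whose body matches the extended regex in $1.
sefindif_example() {
    pattern=$1
    ifdir=$2
    find "$ifdir" -name '*.if' | sort | while IFS= read -r f; do
        awk -v pat="$pattern" -v file="$f" '
            /^(interface|template)\(`/ {
                name = $0
                sub(/^(interface|template)\(`/, "", name)
                q = index(name, "\047")          # \047 is a single quote
                if (q) name = substr(name, 1, q - 1)
                inside = 1; matched = 0; next
            }
            inside && $0 ~ pat { matched = 1 }
            inside && substr($0, 1, 2) == "\047)" {
                if (matched) print file ": " name
                inside = 0
            }
        ' "$f"
    done
}

# Constructed sample .if files (two interfaces and one template) so the
# example runs offline; prints the directory it created.
make_sample_ifdir() {
    d=$(mktemp -d)
    cat > "$d/cron.if" <<'EOF'
interface(`cron_system_entry',`
	gen_require(`
		type crond_t, cron_spool_t;
	')
	domain_auto_transition_pattern(crond_t, $2, $1)
')

interface(`cron_read_pipes',`
	gen_require(`
		type crond_t;
	')
	allow $1 crond_t:fifo_file read_fifo_file_perms;
')
EOF
    cat > "$d/screen.if" <<'EOF'
template(`screen_role_template',`
	gen_require(`
		type screen_exec_t;
	')
	domain_auto_transition_pattern($3, screen_exec_t, $1_screen_t)
')
EOF
    printf '%s\n' "$d"
}

# Usage: "sh thisfile.sh demo" lists every block that sets up a domain
# transition; with a real tree, pass /usr/share/selinux/.../policy/modules
# (or wherever your .if files live) as the second argument instead.
if [ "${1:-}" = "demo" ]; then
    dir=$(make_sample_ifdir)
    sefindif_example 'domain_auto_transition_pattern' "$dir"
    rm -rf "$dir"
fi
```

The matching is per block rather than per file, which is the point of a helper like this: grep alone tells you which file mentions a pattern, but not which interface you should be calling from your own policy.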
Looking at the local Linux kernel privilege escalation
by Sven Vermeulen, post on Fri 17 May 2013
There have been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.
In …
Gentoo Hardened spring notes
by Sven Vermeulen, post on Thu 16 May 2013
We got back together on the #gentoo-hardened chat channel to discuss the progress of Gentoo Hardened, so it's time for another write-up of what was said.
Toolchain
GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …
Public support channels: irc
by Sven Vermeulen, post on Thu 16 May 2013
I've said it before - support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use "modern" techniques, I fail to see why the old, but proven/stable methods would be wrong.
Consider the "Chat …
Overriding the default SELinux policies
by Sven Vermeulen, post on Wed 15 May 2013
Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?
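The "add a module with extra allow rules" step, as an added example that is not part of the post: the module name (localextra), the source domain (screen_t) and the target type (tmp_t) are assumptions chosen only to show the shape of such a module, and the build uses the raw checkmodule/semodule_package/semodule path rather than the refpolicy policy_module() wrapper and its Makefile.

```shell
#!/bin/sh
# Added example, not from the blog post. Module name, domain and type
# are illustrative assumptions; adjust them to the denial you are fixing.

# Write a minimal raw-syntax .te module that only adds allow rules.
write_extra_module() {
    dest=$1
    cat > "$dest" <<'EOF'
module localextra 1.0;

require {
	type screen_t;
	type tmp_t;
	class dir { read search open };
	class file { read getattr open };
}

# Additional permissions only. A loadable module can add allow rules to
# what the base policy already grants; it cannot take rules away, which
# is why this approach covers "allow more" but not "allow less".
allow screen_t tmp_t:dir { read search open };
allow screen_t tmp_t:file { read getattr open };
EOF
}

# Compile and load the module. Returns 2 when the toolchain is missing
# so the example can still be sourced on a machine without SELinux tools;
# "semodule -i" needs root on the target host.
build_and_load() {
    te=$1
    base=${te%.te}
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not available; skipping build of $te" >&2
        return 2
    fi
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Count the allow rules in a .te file: a quick sanity check that the
# module really is additive only (no other rule kinds slipped in).
count_allow_rules() {
    grep -c '^allow ' "$1"
}

# Usage: "sh thisfile.sh demo" writes localextra.te into a temp dir and
# tries to build and load it.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_extra_module "$work/localextra.te"
    echo "allow rules in module: $(count_allow_rules "$work/localextra.te")"
    build_and_load "$work/localextra.te" || echo "build/load skipped or failed" >&2
fi
```

After loading, `semodule -l` lists the module and the denial should disappear from the audit log; removing it again is `semodule -r localextra`. The module can only widen what is permitted, which is exactly why the question in the post (taking rules away) needs a different answer.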
Well, sadly …