Simplicity is a form of art...

A simple IPv6 setup
by Sven Vermeulen, post on Mon 20 May 2013

For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement "feature" of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it …

The weird "audit_access" permission
by Sven Vermeulen, post on Sun 19 May 2013

While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities …

Commandline SELinux policy helper functions
by Sven Vermeulen, post on Sat 18 May 2013

To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …

Looking at the local Linux kernel privilege escalation
by Sven Vermeulen, post on Fri 17 May 2013

There have been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.

In …

Gentoo Hardened spring notes
by Sven Vermeulen, post on Thu 16 May 2013

We got back together on the #gentoo-hardened chat channel to discuss the progress of Gentoo Hardened, so it's time for another write-up of what was said.

Toolchain

GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …

Public support channels: irc
by Sven Vermeulen, post on Thu 16 May 2013

I've said it before - support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use "modern" techniques, I fail to see why the old, but proven/stable methods would be wrong.

Consider the "Chat …

Overriding the default SELinux policies
by Sven Vermeulen, post on Wed 15 May 2013

Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?

Well, sadly …

Highlevel assessment of Cdorked and Gentoo Hardened/SELinux
by Sven Vermeulen, post on Tue 14 May 2013

With all the reports surrounding Cdorked, I took a look at whether SELinux and/or other Gentoo Hardened technologies could reduce the likelihood that this infection occurs on your system.

First of all, we don't know yet how the malware gets installed on the server. We do know that the …

SECMARK and SELinux
by Sven Vermeulen, post on Mon 13 May 2013

When using SECMARK, the administrator configures the iptables or netfilter rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic are completely locally defined. Consider the following command …

Peer labeling in SELinux policy
by Sven Vermeulen, post on Sun 12 May 2013

Allow me to start with an important warning: I don't have much hands-on experience with the remainder of this post. It's based on the few resources I found on the Internet and a few tests done locally which I've investigated in my attempt to understand SELinux policy writing for networking …