Simplicity is a form of art...

Overview of Linux capabilities, part 1
by Sven Vermeulen, post on Sat 04 May 2013

In the previous posts, I talked about capabilities and how they can be used to allow processes to run in a privileged fashion without granting them full root access to the system. An example given was how capabilities can be leveraged to run ping without granting it setuid root rights …

Restricting and granting capabilities
by Sven Vermeulen, post on Fri 03 May 2013

Capabilities are a way to run processes with some privileges without having to grant them root privileges, so it is important to understand that they exist, whether you are a system administrator, an auditor, or in another security-related function. Having processes run as a non-root user …

Capabilities, a short intro
by Sven Vermeulen, post on Thu 02 May 2013

Capabilities. You probably have heard of them already, but when you start developing SELinux policies, you'll notice that you come in closer contact with them than before. This is because SELinux, when applications want to do something "root-like", checks the capability of that application. Without SELinux, this either requires the …

SELinux mount options
by Sven Vermeulen, post on Wed 01 May 2013

When you read through the Gentoo Hardened SELinux handbook, you'll notice that we sometimes update /etc/fstab with some SELinux-specific settings. So, what are these settings about and are there more of them?

First of all, let's look at a particular example from the installation instructions so you see what …

Qemu-KVM monitor tips and tricks
by Sven Vermeulen, post on Tue 30 April 2013

When running KVM guests, the Qemu/KVM monitor is a nice interface to interact with the VM and perform specific maintenance tasks. If you run the KVM guests with VNC, then you can get to this monitor through Ctrl-Alt-2 (and Ctrl-Alt-1 to get back to the VM display). I …

photorec to the rescue
by Sven Vermeulen, post on Mon 29 April 2013

Once again PhotoRec has been able to save files from a corrupt FAT USB drive. The application scans the partition, looking for known files (based on the file magic) and then restores those files. The files are not named as they were though, so there is still some manual work …

Securely handling libffi
by Sven Vermeulen, post on Sun 28 April 2013

I've recently come across libffi again. No, not because it was mentioned during the Gentoo Hardened online meeting, but because my /var/tmp wasn't mounted correctly, and emerge (actually python) uses libffi. Most users won't notice this, because libffi works behind the scenes. But when it fails, it fails bad …

How logins get their SELinux user context
by Sven Vermeulen, post on Sat 27 April 2013

Sometimes, especially when users are converting their systems to be SELinux-enabled, their user context is wrong. An example would be when, after logon (in permissive mode), the user is in the system_u:system_r:local_login_t domain instead of a user domain like staff_u:staff_r:staff_t.
So, how does a login get …

New SELinux userspace release
by Sven Vermeulen, post on Fri 26 April 2013

A new release of the SELinux userspace utilities was recently announced. I have made the packages for Gentoo available and they should now be in the main tree (~arch of course). During the testing of the packages however, I made a stupid mistake of running the tests on the wrong …

Gentoo protip: using buildpkgonly
by Sven Vermeulen, post on Thu 25 April 2013

If you don't want to have the majority of builds run in the background while you are busy on the system, but you don't want to automatically install software in the background when you are not behind your desk, then perhaps you can settle for using binary packages. I'm not …