Simplicity is a form of art...

Introducing selocal for small SELinux policy enhancements
by Sven Vermeulen, post on Sun 21 April 2013

When working with a SELinux-enabled system, administrators will eventually need to make small updates to the existing policy. Instead of building their own full policy (always an option, but most likely not maintainable in the long term) one or more SELinux policy modules are created (most distributions use a modular …
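The manual steps that such a small policy module goes through (and that a helper like selocal wraps) are shown below as an added example; it is not code from the post or from selocal. The module name localmisc, the single allow rule and the temporary paths are illustrative assumptions, and the compile-and-load step is skipped when the SELinux userspace tools are not installed.

```shell
#!/bin/sh
# Added example, not from the post or from selocal: build and load one small
# SELinux policy module by hand. Module name, rule and paths are assumptions.
set -eu

# Write a minimal type-enforcement (.te) source that grants one extra
# permission. The rule is illustrative: let the postgresql_t domain read
# generic certificate files labelled cert_t.
write_local_te() {
    out="$1"
    cat > "$out" <<'EOF'
module localmisc 1.0;

require {
    type postgresql_t;
    type cert_t;
    class file { read open getattr };
}

# Allow the PostgreSQL daemon to read certificates under cert_t.
allow postgresql_t cert_t:file { read open getattr };
EOF
    echo "$out"
}

# Count the allow rules in a .te file; a quick sanity check on what will
# be compiled before it reaches the kernel policy.
count_allow_rules() {
    grep -c '^allow ' "$1"
}

# Compile the source into a .mod, package it into a .pp and load it into
# the policy store. These are the standard SELinux userspace tools; the
# function returns early when they are not available on this host.
build_and_load() {
    te="$1"
    base="${te%.te}"
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not available; skipping build and load" >&2
        return 0
    fi
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    semodule -i "$base.pp"
    # Confirm the policy store now lists the module.
    semodule -l | grep -q '^localmisc'
}

if [ "${1:-}" = "run" ]; then
    te=$(write_local_te "${TMPDIR:-/tmp}/localmisc.te")
    build_and_load "$te"
fi
```

Run it as `sh localmod.sh run` on an SELinux host with root privileges; after loading, `semodule -r localmisc` removes the module again. Keeping the rules in one small module like this is what makes them easy to review and to drop when the base policy catches up.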

Transforming GuideXML to DocBook
by Sven Vermeulen, post on Sat 20 April 2013

I recently committed an XSL stylesheet that allows us to transform the GuideXML documents (both guides and handbooks) to DocBook. This isn't part of a more elaborate move to try and push DocBook instead of GuideXML for the Gentoo Documentation though (I'd rather direct documentation development more to the Gentoo …

Comparing performance with sysbench: performance analysis
by Sven Vermeulen, post on Fri 19 April 2013

So in the past few posts I discussed how sysbench can be used to simulate some workloads, specific to a particular set of tasks. I used the benchmark application to look at the differences between the guest and host on my main laptop, and saw a major performance regression with …

Comparing performance with sysbench: memory, threads and mutexes
by Sven Vermeulen, post on Fri 19 April 2013

In the previous post, I gave some feedback on the cpu and fileio workload tests that sysbench can handle. Next on the agenda are the memory, threads and mutex workloads.

When using the memory workload, sysbench will allocate a buffer (sized through the --memory-block-size parameter, which defaults to 1 kbyte) and each …

Another Gentoo Hardened month has passed
by Sven Vermeulen, post on Thu 18 April 2013

Another month has passed, so time to mention again what we have all been doing lately ;-)

Toolchain

Version 4.8 of GCC is available in the tree, but currently masked. The package contains a fix needed to build hardened-sources, and a fix for the asan (address sanitizer). asan support in …

Comparing performance with sysbench: cpu and fileio
by Sven Vermeulen, post on Thu 18 April 2013

Being busy with virtualization and additional security measures, I frequently come in contact with people asking me what the performance impact is. Now, you won't find the performance impact of SELinux here as I have no guests nor hosts that run without SELinux. But I did want to find out …

Simple drawing for I/O positioning
by Sven Vermeulen, post on Thu 18 April 2013

Instead of repeatedly trying to create an overview of the various layers involved with I/O operations within Linux on whatever white-board is in the vicinity, I decided to draw one up in Draw.io that I can then update as I learn more from this fascinating world. The drawing's …

What could SELinux have done to mitigate the postgresql vulnerability?
by Sven Vermeulen, post on Tue 16 April 2013

Gentoo is one of the various distributions that support SELinux as a Mandatory Access Control system to, amongst other things, mitigate the results of a successful exploit against software. So what about the recent PostgreSQL vulnerability?

When correctly configured, the PostgreSQL daemon will run in the postgresql_t domain. In …
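Whether the daemon really runs in postgresql_t is the first thing to verify before counting on the policy to contain anything. The check below is an added example, not code from the post: it reads `ps -eZ` style output and reports every matching process whose domain differs from the expected one. The sample process listing is constructed so the check can be exercised on a host without SELinux.

```shell
#!/bin/sh
# Added example, not from the post: verify that a daemon runs in the domain
# the policy intends for it. Works on real `ps -eZ` output or on the
# constructed sample below.
set -eu

# Extract the type (third colon-separated field) from a security context,
# e.g. system_u:system_r:postgresql_t:s0 -> postgresql_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given `ps -eZ` style lines on stdin (LABEL PID TTY TIME CMD), print
# "<pid> <type>" for every process whose command matches the pattern.
domains_of() {
    pattern="$1"
    awk -v pat="$pattern" '
        NR > 1 && $NF ~ pat { split($1, ctx, ":"); print $2, ctx[3] }'
}

# Read "<pid> <type>" lines from stdin and return 0 when every process
# runs in the expected domain, 1 otherwise (offenders go to stderr).
# A daemon left in initrc_t or in the administrator's own domain means
# the domain transition never happened and the policy does not apply.
check_domain() {
    expected="$1"
    bad=0
    while read -r pid type; do
        if [ "$type" != "$expected" ]; then
            echo "pid $pid runs as $type, expected $expected" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample listings (not captured from a real system).
SAMPLE_OK='LABEL                              PID TTY          TIME CMD
system_u:system_r:postgresql_t:s0   1234 ?        00:00:01 postgres
system_u:system_r:postgresql_t:s0   1240 ?        00:00:00 postgres
system_u:system_r:sshd_t:s0          800 ?        00:00:00 sshd'

SAMPLE_BAD='LABEL                              PID TTY          TIME CMD
system_u:system_r:postgresql_t:s0   1234 ?        00:00:01 postgres
system_u:system_r:initrc_t:s0       1250 ?        00:00:00 postgres'

if [ "${1:-}" = "live" ]; then
    # On a real host: ps -eZ | domains_of '^postgres$' | check_domain postgresql_t
    ps -eZ | domains_of '^postgres$' | check_domain postgresql_t
fi
```

On a live system pipe `ps -eZ` through `domains_of '^postgres$' | check_domain postgresql_t`; `cat /proc/<pid>/attr/current` gives the same context for a single process if you want to cross-check without ps.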

Integrity checking with AIDE
by Sven Vermeulen, post on Thu 11 April 2013

To at least make some progress on the integrity part of Gentoo Hardened (a subproject I'd like to extend towards greater heights), I decided to write up a small guide on how to work with AIDE. The tool is simple enough (and it allowed me to test its SELinux …

Not needing run_init for password-less service management
by Sven Vermeulen, post on Tue 09 April 2013

One of the things that has been bugging me is why, even with pam_rootok.so set in /etc/pam.d/run_init, I cannot enjoy password-less service management without using run_init directly:

# rc-service postgresql-9.2 status
Authenticating root.
Password:

# run_init rc-service postgresql-9.2 status
Authenticating root …