Simplicity is a form of art...

How far-reaching vulnerabilities can go
by Sven Vermeulen, post on Tue 09 April 2013

If you follow the news a bit, you know that PostgreSQL has had a significant security vulnerability. The PostgreSQL team announced it up front and communicated how they would deal with the vulnerability (which basically comes down to saying that it is severe, that the public repositories will be temporarily …

Separate puppet provider for Gentoo/SELinux?
by Sven Vermeulen, post on Sun 07 April 2013

While slowly transitioning my playground infrastructure towards Puppet, I already am in the process of creating a custom provider for things such as services. Puppet uses providers as "implementations" for the functions Puppet needs. For instance, for the service type (which handles init script services), there are providers for RedHat, Debian …

Matching packages with CVEs
by Sven Vermeulen, post on Thu 04 April 2013

I've come across a few posts on forums (Gentoo and elsewhere) asking why Gentoo doesn't make security-related patches on the tree. Some people think this is the case because they do not notice (m)any GLSAs, which are Gentoo's security advisories. However, it isn't that Gentoo doesn't push out security …

Linux Sea and ePub update
by Sven Vermeulen, post on Tue 02 April 2013

I just "published" a small update on the Linux Sea online book. Nothing major, some path updates (like the move to /etc/portage for the make.conf file). But I wouldn't put a blog post online if there wasn't anything else to say ;-)

Recently I was made aware that the …

Fiddling with puppet apply
by Sven Vermeulen, post on Wed 20 March 2013

As part of a larger exercise, I am switching my local VM set from a more-or-less scripted manual configuration towards a fully Puppet-powered one. Of course, it still uses a lot of custom modules and is most likely too ugly to expose to the wider internet, but it does seem …

SELinux tutorial series, update
by Sven Vermeulen, post on Mon 18 March 2013

Just a small update - the set of SELinux tutorials has been enhanced since my last blog post about it with information on SELinux booleans, customizable types, run-time modi (enforcing versus permissive), some bits about unconfined domains, information on policy loading, purpose of SELinux roles, SELinux users and an example on …

SELinux tutorial series
by Sven Vermeulen, post on Fri 15 March 2013

As we get a growing number of SELinux users within Gentoo Hardened and because the SELinux usage at the firm I work at is most likely going to grow as well, I decided to join the bunch of documents on SELinux that are "out there" and start a series of …

Gentoo Hardened progress meeting of March 2013
by Sven Vermeulen, post on Thu 07 March 2013

Another month has passed, so time for a new progress meeting...

Toolchain

GCC v4.7 has been unmasked, allowing a large set of users to test out the new GCC. It is also expected that GCC 4.8-rc1 will hit the tree next week. In the hardened-dev overlay, hardened support …

Uploading selinuxnode test VM
by Sven Vermeulen, post on Mon 25 February 2013

At the time of writing (but I'll delay the publication of this post a few hours), I'm uploading a new SELinux-enabled KVM guest image. This is not an update on the previous image though (it's a reinstalled system - after all, I use VMs for testing, so it makes sense to …

Working on a new selinuxnode VM
by Sven Vermeulen, post on Sat 23 February 2013

A long time ago, I made a SELinux-enabled VM for people to play with, displaying a minimal Gentoo installation, including the hardening features it supports (PIE/PIC toolchain, grSecurity, PaX and SELinux). I'm currently trying to create a new one, which also includes IMA/EVM, but it looks like …