Working on a new selinuxnode VM
by Sven Vermeulen, post on Sat 23 February 2013
A long time ago, I made a SELinux-enabled VM for people to play with, displaying a minimal Gentoo installation, including the hardening features it supports (PIE/PIC toolchain, grSecurity, PaX and SELinux). I'm currently trying to create a new one, which also includes IMA/EVM, but it looks like …
Transforming GuideXML to wiki
by Sven Vermeulen, post on Tue 12 February 2013
The Gentoo project has its own official wiki for some time now, and we are going to use it more and more in the next few months. For instance, in the last Gentoo Hardened meeting, we already discussed that most user-oriented documentation should be put on the wiki, and I've …
Gentoo Hardened goes onward (aka project meeting)
by Sven Vermeulen, post on Thu 07 February 2013
It's been a while again, so time for another Gentoo Hardened online progress meeting.
Toolchain
GCC 4.8 is in development stage 4, so the hardened patches will be worked on next week. Some help is needed to test the patches on ARM, PPC and MIPS though. For …
Why would paid-for support be better?
by Sven Vermeulen, post on Mon 31 December 2012
Last Saturday evening, I sent an e-mail to a low-volume mailing list regarding IMA problems that I'm facing. I wasn't expecting an answer very fast of course, it being the holidays, a weekend and a low-volume mailing list. But hey, it is the free software world, so I should expect some slack on this, right …
IMA and EVM on Gentoo, part 2
by Sven Vermeulen, post on Sat 29 December 2012
I have been playing with Linux IMA/EVM on a Gentoo Hardened (with SELinux) system for a while and have been documenting what I think is interesting/necessary for Gentoo Linux users when they want to use IMA/EVM as well. Note that the documentation of the Linux IMA/EVM …
Gentoo Hardened IMA support
by Sven Vermeulen, post on Thu 27 December 2012
Adventurous users, contributors and developers can enable the Integrity Measurement Architecture subsystem in the Linux kernel with appraisal (since Linux kernel 3.7). In an attempt to support IMA (and EVM and other technologies) properly, the System Integrity subproject within Gentoo Hardened was launched a few months ago. And now …
Switching policy types in Gentoo/SELinux
by Sven Vermeulen, post on Thu 20 December 2012
When you are running Gentoo with SELinux enabled, you will be running with a particular policy type, which you can derive from either /etc/selinux/config or from the output of the sestatus command. As a user on our IRC channel had some issues converting his strict-policy system to mcs …
Another hardened month has passed...
by Sven Vermeulen, post on Thu 13 December 2012
... so it's time for a new update ;-)
Toolchain
GCC 4.8 is still in its stage 3 development phase, so Zorry will send out the patches to the GCC development community when this phase is done. For Gentoo Hardened itself, we now support all architectures except for IA64 (which never …
Using pam_selinux to switch contexts
by Sven Vermeulen, post on Mon 10 December 2012
With SELinux managing the access controls of applications towards the resources on the system, a not-to-be-forgotten, important component on any Unix/Linux system is the authentication part. Most systems use or support PAM, the Pluggable Authentication Modules, and for SELinux this plays an important role.
Applications that are PAM-enabled …
Using stunnel for mutual authentication
by Sven Vermeulen, post on Sat 08 December 2012
Sometimes services do not support SSL/TLS, or if they do, they do not support using mutual authentication (i.e. requesting that the client also provides a certificate which is trusted by the service). If that is a requirement in your architecture, you can use stunnel to provide this additional …