Simplicity is a form of art...

Python 3 support for SELinux userland, tests and policy rev 10
by Sven Vermeulen, post on Sat 26 May 2012

In the last few hours I pushed my local changes on the SELinux userland utilities towards the hardened-development overlay. The utilities not only include some bugfixes, but have now also seen a first set of tests towards Python 3.2. In the past, I've made a few attempts at making …

Catching up, but stuff is piling...
by Sven Vermeulen, post on Thu 24 May 2012

Those that are frequent the #gentoo-hardened chat channel know that I'm currently trying to get the SELinux related utilities working under Python 3. This has progressed quite far, but I'm still not there yet. I'm now hitting a weird bug which seems to come down to an incorrect free() on …

Keeping /selinux
by Sven Vermeulen, post on Fri 04 May 2012

Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version and you switch from /selinux to /sys/fs/selinux as the mountpoint for the SELinux file system, you might get into issues. Apparently, init (which is responsible for mounting the SELinux …

20120215 policies now stable
by Sven Vermeulen, post on Sun 29 April 2012

Today I've stabilized the sec-policy/selinux-* packages that provide the 20120215 "series" of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace …

Linux Sea now in ePub
by Sven Vermeulen, post on Fri 20 April 2012

On request of Matthew Marchese, I now automatically build an ePub version of Linux Sea for those that like to read such resources on a digital reader. Thanks to the use of DocBook, this was simply a matter of using its xsl-stylesheets/epub/docbook.xsl stylesheet against the DocBook sources …

Why both chroot and SELinux?
by Sven Vermeulen, post on Sun 15 April 2012

In my previous post, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?

Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate …

Chrooted BIND for IPv6 with SELinux
by Sven Vermeulen, post on Sat 14 April 2012

BIND, or Berkeley Internet Name Domain, is one of the Internet's most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I'll give …

Documentation updates for initramfs needed?
by Sven Vermeulen, post on Thu 12 April 2012

A quick help request from the community: if you know of any Gentoo documents that need updates in order for end users to know when and how to use initramfs, please file bugreports and have them block bug #407959. Currently, we have updated the Gentoo Handbook, Gentoo Quickinstall guides and …

Get your devtmpfs ready
by Sven Vermeulen, post on Sat 07 April 2012

If you are using stable profiles, you might want to verify if you are already running a kernel with devtmpfs support enabled. Why? Well, currently you might not need it, but the upcoming openrc/udev packages require it and they currently do not fail at install time if you have …

More on initramfs and SELinux
by Sven Vermeulen, post on Sun 25 March 2012

With the upcoming udev version not supporting separate /usr locations unless you boot with an initramfs, we are now starting to document how to create an initramfs to boot with. After all, systems with a separate /usr are not that uncommon.

As I've blogged about before, getting an initramfs to …