Simplicity is a form of art...

Preliminary SELinux MCS support in Gentoo Hardened
by Sven Vermeulen, posted on Thu 21 July 2011

Users tracking the hardened-dev overlay for SELinux packages will notice yet another update on the selinux-base-policy package. This time however, the change is a little more than just a policy update. With this new revision, preliminary support for Multi-Category Security (aka MCS) is added.

MCS is an update on the …

High level explanation on some binary executable security
by Sven Vermeulen, posted on Fri 15 July 2011

One very important functionality offered by Gentoo Hardened is a specific toolchain (compiler, libraries and more) that contains patches to make the built binaries a bit more protected from certain vulnerabilities. Explaining all those in detail is too much for a simple blog post like this, but some time ago …

Some people on #selinux are ... dolphins
by Sven Vermeulen, posted on Thu 14 July 2011

A very useful resource for anyone working on or with SELinux policies is the #selinux chat channel on irc.freenode.net. You would at first think that people like Dominick Grift and Dan Walsh are IRC bots (being online all the time, answering questions), but I recently read that they must be …

On the new SELinux profiles
by Sven Vermeulen, posted on Thu 14 July 2011

Ever since Anthony put in the new SELinux profiles - which was long due - they have seen quite a few tests and the necessary, evolutionary updates. No changes that broke things, no oddities that would give a WTF to whomever is using it. The latest updates were to remove some obsolete …

Gentoo Hardened SELinux state
by Sven Vermeulen, posted on Sat 09 July 2011

Since the last post, we've been working on the further stabilization and bug fixing of the SELinux policies within Gentoo Hardened. You might have noticed that we started working on the QA of the packages, as I promised in the last post. The binaries within selinux-base-policy are now published somewhere on …

What's next after stabilization?
by Sven Vermeulen, posted on Mon 13 June 2011

The last few weeks have shown quite a few interesting improvements on Gentoo Hardened's SELinux state. We now have improved (simplified) Gentoo profile support, supporting SELinux on no-multilib (an often requested feature, now finally in), we stabilized the 2.20101213 policies that are in the tree and are cleaning up …

Policy 25, 26
by Sven Vermeulen, posted on Wed 01 June 2011

Recently I've seen quite a few messages on IRC pop up about policy.25 or even policy.26 so I harassed the guys in the chat channel to talk about it. Apparently, these new binary policy formats add support for filename transitions and non-process role transitions.

Currently, when you initiate …

SELinux file contexts
by Sven Vermeulen, posted on Sun 15 May 2011

If you have been working with SELinux for a while, you know that file contexts are an important part of the policy and its enforcement. File contexts are used to inform the SELinux tools which type a file, directory, socket, ... should have. These types are then used to manage the …

SELinux Gentoo profile updates
by Sven Vermeulen, posted on Tue 03 May 2011

The SELinux support within Gentoo Hardened is continuing to go forward. Anthony G. Basile has been working on the new SELinux Gentoo profiles which were in dire need of updates. With the rework, we'll also support the AMD64 no-multilib environment properly. With the new profiles we'll also make USE="open …

SELinux User-Based Access Control
by Sven Vermeulen, posted on Mon 02 May 2011

Within the reference policy, support is given to a feature called UBAC constraints. Here, UBAC stands for User Based Access Control. The idea behind the constraint is that any activity between two types (say foo_t and bar_t) can be prohibited if the user contexts of the resources that …