checksec kernel security
by Sven Vermeulen, post on Sun 24 July 2011
I have blogged about checksec.sh before. Jono, one of the #gentoo-hardened IRC members, kindly pointed me to its --kernel option. So I feel obliged to give its options a stab as well. Here goes the next batch of OPE-style (One Paragraph Explanations).
~# checksec.sh --kernel
* Kernel protection information …
emerge-webrsync and gpg verification
by Sven Vermeulen, post on Fri 22 July 2011
Gentoo has been working on its security from very early on. One of the (many) features it supports is to allow users to validate the state of the portage tree. Ebuild signing (where developers sign the Manifest file with their key) is one of the layers offered by Gentoo, but …
Preliminary SELinux MCS support in Gentoo Hardened
by Sven Vermeulen, post on Thu 21 July 2011
Users tracking the hardened-dev overlay for SELinux packages will notice yet another update on the selinux-base-policy package. This time however, the change is a little more than just a policy update. With this new revision, preliminary support for Multi-Category Security (aka MCS) is added.
MCS is an update on the …
High level explanation on some binary executable security
by Sven Vermeulen, post on Fri 15 July 2011
One very important functionality offered by Gentoo Hardened is a specific toolchain (compiler, libraries and more) that contains patches to make the built binaries a bit more protected from certain vulnerabilities. Explaining all those in detail is too much for a simple blog post like this, but some time ago …
Some people on #selinux are ... dolphins
by Sven Vermeulen, post on Thu 14 July 2011
A very useful resource for anyone working on or with SELinux policies is the #selinux chat channel on irc.freenode.net. People like Dominick Grift and Dan Walsh you would first think are IRC bots (being online all the time, answering questions), but I recently read that they must be …
On the new SELinux profiles
by Sven Vermeulen, post on Thu 14 July 2011
Ever since Anthony put in the new SELinux profiles - which was long due - they have seen quite a few tests and the necessary, evolutionary updates. No changes that broke things, no oddities that would give a WTF to whomever is using it. The latest updates were to remove some obsolete …
Gentoo Hardened SELinux state
by Sven Vermeulen, post on Sat 09 July 2011
Since the last post, we've been working on the further stabilization and bug fixing of the SELinux policies within Gentoo Hardened. You might have noticed that we started working on the QA of the packages, like I promised in the last post. The binaries within selinux-base-policy are now published somewhere on …
What's next after stabilization?
by Sven Vermeulen, post on Mon 13 June 2011
The last few weeks have shown quite a few interesting improvements on Gentoo Hardened's SELinux state. We now have improved (simplified) Gentoo profile support, supporting SELinux on no-multilib (an often requested feature, now finally in), we stabilized the 2.20101213 policies that are in the tree and are cleaning up …
Policy 25, 26
by Sven Vermeulen, post on Wed 01 June 2011
Recently I've seen quite a few messages on IRC pop up about policy.25 or even policy.26, so I harassed the guys in the chat channel to talk about it. Apparently, these new binary policy formats add support for filename transitions and non-process role transitions.
Currently, when you initiate …
SELinux file contexts
by Sven Vermeulen, post on Sun 15 May 2011
If you have been working with SELinux for a while, you know that file contexts are an important part of the policy and its enforcement. File contexts are used to inform the SELinux tools which type a file, directory, socket, ... should have. These types are then used to manage the …
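To make the teaser above concrete, here is an added example (not code from the blog or from Gentoo's policy packages) that parses a small, constructed file_contexts fragment and resolves a path to the type it should carry. The fragment and its types are illustrative only, and the lookup implements the documented rule that the last matching entry wins and that an entry with an object-class flag (-d, -s, -- and so on) only applies to that class; it is an assumption of this example that this simplified rule is all that matters for the paths shown, as the real libselinux matcher adds stem-based indexing on top of it.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed file_contexts fragment for this example. It is not copied from
# any Gentoo or reference policy; the paths and types are illustrative only.
SAMPLE_FILE_CONTEXTS = r"""
# comment lines and blank lines are ignored
/.*                          system_u:object_r:default_t:s0
/etc(/.*)?                   system_u:object_r:etc_t:s0
/etc/shadow              --  system_u:object_r:shadow_t:s0
/var/log(/.*)?               system_u:object_r:var_log_t:s0
/var/run/.*\.sock        -s  system_u:object_r:var_run_t:s0
/home/[^/]+/\.ssh(/.*)?      system_u:object_r:ssh_home_t:s0
/proc(/.*)?                  <<none>>
"""

# Object-class flags as used in the optional middle column of file_contexts:
# regular file, directory, char device, block device, socket, symlink, fifo.
FTYPE_FLAGS = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}


class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]      # None: the entry applies to every object class
    context: Optional[str]    # None: <<none>>, leave the object unlabelled


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'REGEX [FLAG] CONTEXT' lines into an ordered list of specs."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FTYPE_FLAGS:
            regex, ftype, context = fields
        else:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        # Specs are anchored, so '/etc' on its own never matches '/etc/passwd';
        # fullmatch() below gives the same effect.
        specs.append(Spec(re.compile(regex), ftype,
                          None if context == "<<none>>" else context))
    return specs


def lookup_context(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Return the context the path should carry, or None for <<none>> / no match.

    Entries are searched from the last one upwards, so a more specific rule
    placed later in the file overrides a catch-all such as '/.*'.
    """
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def lookup_type(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """The type is the third field of user:role:type:level."""
    ctx = lookup_context(specs, path, ftype)
    return None if ctx is None else ctx.split(":")[2]


SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

if __name__ == "__main__":
    for path, ftype in [("/etc/shadow", "--"), ("/etc/shadow", "-d"),
                        ("/var/run/foo.sock", "-s"), ("/var/run/foo.sock", "--"),
                        ("/home/alice/.ssh/id_rsa", "--"), ("/proc/cpuinfo", "--")]:
        print(f"{path:28s} {ftype}  ->  {lookup_context(SPECS, path, ftype)}")
```

Two details worth noticing when reading the output: the same path (/etc/shadow) resolves to shadow_t as a regular file but falls back to etc_t as a directory, because the shadow_t entry is restricted with --, and a socket under /var/run gets var_run_t while a regular file of the same name does not, because that entry is restricted with -s. This is the behaviour to keep in mind when restorecon relabels something to a type you did not expect.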