SELinux Gentoo profile updates
by Sven Vermeulen, post on Tue 03 May 2011
The SELinux support within Gentoo Hardened is continuing to go forward. Anthony G. Basile has been working on the new SELinux Gentoo profiles which were in dire need of updates. With the rework, we'll also support the AMD64 no-multilib environment properly. With the new profiles we'll also make USE="open_perms …
SELinux User-Based Access Control
by Sven Vermeulen, post on Mon 02 May 2011
Within the reference policy, support is given to a feature called UBAC constraints. Here, UBAC stands for User Based Access Control. The idea behind the constraint is that any activity between two types (say foo_t and bar_t) can be prohibited if the user contexts of the resources that are using …
SELinux and noatsecure, or why portage complains about LD_PRELOAD and libsandbox.so
by Sven Vermeulen, post on Fri 22 April 2011
If you're fiddling with SELinux policies, you will eventually notice that the reference policy by default hides certain privilege requests (which are denied). One of them is noatsecure. But what is noatsecure? To describe noatsecure, I first need to describe what atsecure is. And to describe what that is, we …
cvechecker 3.0
by Sven Vermeulen, post on Tue 12 April 2011
I'm pleased to announce the immediate availability of cvechecker 3.0. It contains two major feature enhancements: watchlists and MySQL support.
watchlists allow cvechecker to track and report on CVEs for software that cvechecker didn't detect on the system (or perhaps even isn't installed on the system). You can use …
cvechecker updates
by Sven Vermeulen, post on Sun 27 March 2011
The in-svn version of cvechecker has seen quite a few changes in the last few days. I'm adding support for MySQL to it. This support will be added in three steps:
- support the same features as cvechecker currently does using sqlite
- streamline the database code so that duplicate code in …
Restoring configuration files on Gentoo
by Sven Vermeulen, post on Sat 19 March 2011
If you work with Gentoo, you're probably aware of tools like etc-update and dispatch-conf. If you use dispatch-conf, you might know that it supports rcs for version control of the changes it makes. But if you have enabled it, you might be wondering how to actually restore configuration files with …
Updates on SELinux docs, added FAQ
by Sven Vermeulen, post on Wed 09 March 2011
As you're probably noticing from my twitter feed and the various posts earlier in my blog, I'm helping out with the Gentoo Hardened folks to get the SELinux support state up to par. Today, the Gentoo Hardened/SELinux Handbook had a few updates, but the most important change is that …
Portage fails to build due to SELinux?
by Sven Vermeulen, post on Thu 03 March 2011
If you're having trouble getting Portage to build packages due to SELinux, then the reason usually is that it is unable to transition to the proper portage domains. You'll get a nice OSError back with an ugly backtrace, saying somewhere that "setexeccon" is misbehaving.
Now, the real issue (not being …
Updates on the Gentoo Hardened SELinux state
by Sven Vermeulen, post on Wed 02 March 2011
For those following the progress of SELinux support in Gentoo Hardened...
In the hardened-development overlay, the selinux-base-policy package has been updated, hopefully fixing a nasty issue with support for the targeted policy (up to today, I only tested strict policies so I missed that). It also fixes an issue with …
Temporary script for Gentoo Hardened SELinux users
by Sven Vermeulen, post on Sun 27 February 2011
If you are currently using Gentoo Hardened with SELinux, you might have noticed that we are currently lacking the proper dependencies within our Portage tree upon the SELinux policies (or, in other words, installing a package doesn't guarantee that the SELinux policy needed for that package is pulled in as …