A nice twitter discussion with Erling Hellenäs caught my full attention later when I was heading home: Can SELinux substitute DAC? I know it can't and doesn't in the current implementation, but why not and what would be needed?
SELinux is implemented through the Linux Security Modules framework which allows for different security systems to be implemented and integrated in the Linux kernel. Through LSM, various security-sensitive operations can be secured further through additional access checks. This criteria was made to have LSM be as minimally invasive as possible.
After a post about D-Bus comes the inevitable related post about SELinux with D-Bus.
Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which has the D-Bus behavior based on the SELinux policy (and might not necessarily honor the "permissive …
I've never fully investigated the what and how of D-Bus. I know it is some sort of IPC, but higher level than the POSIX IPC methods. After some reading, I think I start to understand how it works and how administrators can work with it. So a quick write-down is …
When checking audit logs, you might come across applications that
request loading of a
net-pf-## module, with
## being an integer.
Having requests for
net-pf-10 is a more known cause (enable IPv6) but
The answer can be found in
#define AF_ATMPVC …
As a Linux administrator, you'll eventually need to concern you about Inter-Process Communication (IPC). The IPC primitives that most POSIX operating systems provide are semaphores, shared memory and message queues. On Linux, the first utility that helps you with those primitives is ipcs. Let's start with semaphores first.
Semaphores in …
Sounds like a stupid question, as the answer is already in the title. If a company has only RedHat Enterprise Linux as allowed / supported Linux platform (be it for a support model requirement, ISV certification, management tooling support or what not) how could or would Gentoo still play a role …
Just a quick pro-tip: if you need to know the environment variables for
a process, you can see them in that process'
file. The file however shows the environment variables on one line, with
a null character as separator. With a simple sed you can show it …
I had issues umounting my NFSv4 shares on an IPv6-only network. When
trying to umount the share, it said that it couldn't find the mount in
~# umount /mnt/nfs/portage /mnt/nfs/portage was not found in /proc/mounts
The solution: copy
/etc/mtab, and …
One of the things I have been meaning to implement on my system is a way to properly "remove" old files from the system. Currently, I do this through frequently listing all files, going through them and deleting those I feel I no longer need (in any case, I can …
There has been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.