Can SELinux substitute DAC?
by Sven Vermeulen, post on Sun 09 August 2015
A nice Twitter discussion with Erling Hellenäs caught my full attention later when I was heading home: Can SELinux substitute DAC? I know it can't and doesn't in the current implementation, but why not and what would be needed?
SELinux is implemented through the Linux Security Modules (LSM) framework, which allows different security systems to be implemented and integrated in the Linux kernel. Through LSM, various security-sensitive operations can be secured further through additional access checks. This criterion was chosen to keep LSM as minimally invasive as possible.
D-Bus and SELinux
by Sven Vermeulen, post on Mon 30 June 2014
After a post about D-Bus comes the inevitable related post about SELinux with D-Bus.
Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which adjusts D-Bus behavior according to the SELinux policy (and might not necessarily honor the "permissive …
D-Bus, quick recap
by Sven Vermeulen, post on Sun 29 June 2014
I've never fully investigated the what and how of D-Bus. I know it is some sort of IPC, but higher level than the POSIX IPC methods. After some reading, I think I start to understand how it works and how administrators can work with it. So a quick write-down is …
What is that net-pf-## thingie?
by Sven Vermeulen, post on Tue 01 April 2014
When checking audit logs, you might come across applications that request loading of a net-pf-## module, with ## being an integer. Requests for net-pf-10 are a better known case (enable IPv6), but what about net-pf-34?
The answer can be found in /usr/src/linux/include/linux/socket.h:
#define AF_ATMPVC …
Managing Inter-Process Communication (IPC)
by Sven Vermeulen, post on Sun 30 March 2014
As a Linux administrator, you'll eventually need to concern yourself with Inter-Process Communication (IPC). The IPC primitives that most POSIX operating systems provide are semaphores, shared memory and message queues. On Linux, the first utility that helps you with those primitives is ipcs. Let's start with semaphores first.
Semaphores in …
Can Gentoo play a role in a RHEL-only environment?
by Sven Vermeulen, post on Thu 09 January 2014
Sounds like a stupid question, as the answer is already in the title. If a company has only RedHat Enterprise Linux as allowed / supported Linux platform (be it for a support model requirement, ISV certification, management tooling support or what not) how could or would Gentoo still play a role …
Linux protip: environment for a process
by Sven Vermeulen, post on Tue 07 January 2014
Just a quick pro-tip: if you need to know the environment variables for a process, you can see them in that process' /proc/${PID}/environ file. The file however shows the environment variables on one line, with a null character as separator. With a simple sed you can show it …
Umounting IPv6 NFS(v4) mounts
by Sven Vermeulen, post on Fri 23 August 2013
I had issues umounting my NFSv4 shares on an IPv6-only network. When trying to umount the share, it said that it couldn't find the mount in /proc/mounts:
~# umount /mnt/nfs/portage
/mnt/nfs/portage was not found in /proc/mounts
The solution: copy /proc/mounts to /etc/mtab, and …
Using extended attributes for custom information
by Sven Vermeulen, post on Sun 02 June 2013
One of the things I have been meaning to implement on my system is a way to properly "remove" old files from the system. Currently, I do this through frequently listing all files, going through them and deleting those I feel I no longer need (in any case, I can …
Looking at the local Linux kernel privilege escalation
by Sven Vermeulen, post on Fri 17 May 2013
There have been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. Ars Technica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.
In …