Why we do confine Firefox
by Sven Vermeulen, post on Tue 11 August 2015
If you follow the SELinux development community a bit, you will know Dan Walsh, a Red Hat security engineer. Today he blogged about CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox. He should've asked why the reference policy or Red Hat/Fedora policy does not confine Firefox, because SELinux is, as I've mentioned before, not the same as its policy.
In effect, Gentoo's SELinux policy does confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to develop desktop policies in order to reduce exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt to do this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to use a mandatory access control system on.
Don't confuse SELinux with its policy
by Sven Vermeulen, post on Mon 03 August 2015
With the increased attention that SELinux is getting thanks to its inclusion in recent Android releases, more and more people are understanding that SELinux is not a singular security solution. Many administrators are still disabling SELinux on their servers because it does not play well with their day-to-day operations. But the Android inclusion shows that SELinux itself is not the culprit for this: it is the policy.
Testing with permissive domains
by Sven Vermeulen, post on Mon 18 May 2015
When testing out new technologies or new setups, not having (proper) SELinux policies can be a nuisance. Not only is the number of SELinux policies that are available through the standard repositories limited, some of these policies are not even written with the same level of confinement that an administrator might expect. Or perhaps the technology to be tested is used in a completely different manner.
Without proper policies, any attempt to start such a daemon or application might or will cause permission violations. In many cases, developers or users then tend to disable SELinux enforcing so that they can continue playing with the new technology. And why not? After all, policy development is to be done after the technology is understood.
Use change management when you are using SELinux to its fullest
by Sven Vermeulen, post on Thu 30 April 2015
If you are using SELinux on production systems (by which I mean systems that you offer services with towards customers or other parties beyond you, yourself and your ego), please consider proper change management if you don't do so already. SELinux is a very sensitive security subsystem - not in the sense …
D-Bus and SELinux
by Sven Vermeulen, post on Mon 30 June 2014
After a post about D-Bus comes the inevitable related post about SELinux with D-Bus.
Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which bases the D-Bus behavior on the SELinux policy (and might not necessarily honor the "permissive …
If things are weird, check for policy.29
by Sven Vermeulen, post on Thu 17 April 2014
Today we analyzed a weird issue one of our SELinux users had with their
system. He had a denial when calling audit2allow, informing us that
sysadm_t had no rights to read the SELinux policy. This is a known
issue that has been resolved in our current SELinux policy repository …
Proof of concept for USE enabled policies
by Sven Vermeulen, post on Mon 31 March 2014
tl;dr: Some (-9999) policy ebuilds now have USE support for building in (or leaving out) SELinux policy statements.
One of the "problems" I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a "least privilege" policy that …
How does foo_t get this privilege?
by Sven Vermeulen, post on Sun 05 January 2014
Today a question was raised how the unprivileged user domain was allowed to write to cgroup_t files. There is nothing obvious about that in the roles/unprivuser.te file, so what gives?
I used a simple script (which I've been using for a while already) called seshowtree …
Private key handling and SELinux protection
by Sven Vermeulen, post on Thu 02 January 2014
In this post I'll give some insight in a possible SELinux policy for a script I wrote.
The script is a certificate authority handling script, in which I can generate a private key (and certificate assigned to it), sign the certificate either by itself (for the root CA key) or …
Gentoo SELinux policy release script
by Sven Vermeulen, post on Wed 11 December 2013
A few months ago, I wrote a small script that aids in the creation of
new SELinux policy packages. The script is on the
itself, in the
gentoo/ subdirectory, and is called
The reason for the script is that there are a number of steps to perform …