SELinux System Administration 3rd Edition
by Sven Vermeulen, post on Wed 06 January 2021As I mentioned previously, recently my latest installment of "SELinux System Administration" has been released by Packt Publishing. This is already the third edition of the book, after the first (2013) and second (2016) editions have gotten reasonable success given the technical and often hard nature of full SELinux administration.
Like with the previous editions, this book remains true to the public of system administrators, rather than SELinux policy developers. Of course, SELinux policy development is not ignored in the book.
SELinux and extended permissions
by Sven Vermeulen, post on Mon 20 November 2017One of the features present in the August release of the SELinux user space is its support for ioctl xperm rules in modular policies. In the past, this was only possible in monolithic ones (and CIL). Through this, allow rules can be extended to not only cover source (domain) and target (resource) identifiers, but also a specific number on which it applies. And ioctl's are the first (and currently only) permission on which this is implemented.
Note that ioctl-level permission controls isn't a new feature by itself, but the fact that it can be used in modular policies is.
SELinux Userspace 2.7
by Sven Vermeulen, post on Tue 26 September 2017A few days ago, Jason "perfinion" Zaman stabilized the 2.7 SELinux userspace on Gentoo. This release has quite a few new features, which I'll cover in later posts, but for distribution packagers the main change is that the userspace now has many more components to package. The project has split up the policycoreutils package in separate packages so that deployments can be made more specific.
Let's take a look at all the various userspace packages again, learn what their purpose is, so that you can decide if they're needed or not on a system. Also, when I cover the contents of a package, be aware that it is based on the deployment on my system, which might or might not be a complete installation (as with Gentoo, different USE flags can trigger different package deployments).
Using nVidia with SELinux
by Sven Vermeulen, post on Wed 23 August 2017Yesterday I've switched to the gentoo-sources kernel package on Gentoo Linux. And with that, I also attempted (succesfully) to use the propriatary nvidia drivers so that I can enjoy both a smoother 3D experience while playing minecraft, as well as use the CUDA support so I don't need to use cloud-based services for small exercises.
The move to nvidia was quite simple, as the nvidia-drivers wiki article on the Gentoo wiki was quite easy to follow.
Switch to Gentoo sources
by Sven Vermeulen, post on Tue 22 August 2017You've might already read it on the Gentoo news site, the Hardened Linux kernel sources are removed from the tree due to the grsecurity change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made due to supportability and maintainability reasons.
That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources for the users who want to stick with it, as it is based on minipli's unofficial patchset. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.
Personally though, I'm switching to the Gentoo sources, and stick with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).
SELinux System Administration, 2nd Edition
by Sven Vermeulen, post on Thu 22 December 2016While still working on a few other projects, one of the time consumers of the past half year (haven't you noticed? my blog was quite silent) has come to an end: the SELinux System Administration - Second Edition book is now available. With almost double the amount of pages and a serious update of the content, the book can now be bought either through Packt Publishing itself, or the various online bookstores such as Amazon.
With the holidays now approaching, I hope to be able to execute a few tasks within the Gentoo community (and of the Gentoo Foundation) and get back on track. Luckily, my absence was not jeopardizing the state of SELinux in Gentoo thanks to the efforts of Jason Zaman.
We do not ship SELinux sandbox
by Sven Vermeulen, post on Tue 27 September 2016A few days ago a vulnerability was reported in the SELinux sandbox user space
utility. The utility is part of the policycoreutils
package. Luckily, Gentoo's
sys-apps/policycoreutils
package is not vulnerable - and not because we were
clairvoyant about this issue, but because we don't ship this utility.
Getting su to work in init scripts
by Sven Vermeulen, post on Mon 14 September 2015While developing an init script which has to switch user, I got a couple of errors from SELinux and the system itself:
~# rc-service hadoop-namenode format
Authenticating root.
* Formatting HDFS ...
su: Authentication service cannot retrieve authentication info
(Ignored)
Custom CIL SELinux policies in Gentoo
by Sven Vermeulen, post on Thu 10 September 2015In Gentoo, we have been supporting custom policy packages for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages as default (although binary packages are supported as well).
A recent commit now also allows CIL files to be used.
Using multiple OpenSSH daemons
by Sven Vermeulen, post on Sun 06 September 2015I administer a couple of systems which provide interactive access by end users, and for this interactive access I position OpenSSH. However, I also use this for administrative access to the system, and I tend to have harder security requirements for OpenSSH than most users do.
For instance, on one system, end users with a userid + password use the sFTP server for publishing static websites. Other access is prohibited, so I really like this OpenSSH configuration to use chrooted users, internal sftp support, whereas a different OpenSSH is used for administrative access (which is only accessible by myself and some trusted parties).