Simplicity is a form of art...

Why our policies don't like emerge --config
by Sven Vermeulen, post on Fri 23 August 2013

One of the features that Portage provides is to have post-processing done on request of the administrator for certain packages. For instance, for the dev-db/postgresql-server package we can call its pkg_config() phase to create the PostgreSQL instance and configure it so that the configuration of the database is stored …

Network routing based on SELinux?
by Sven Vermeulen, post on Wed 21 August 2013

Today we had a question on #selinux if it was possible to route traffic of a specific process using SELinux. The answer to this is "no", although it has to be explained a bit in more detail.

SELinux does not route traffic. SELinux is a local mandatory access control system …

Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?
by Sven Vermeulen, post on Fri 16 August 2013

As you are probably aware, Gentoo uses the reference policy as its base for SELinux policies. Yes, we do customize it and not everything is already pushed upstream (for instance, our approach to use xdg_*_home_t customizable types to further restrict user application access has been sent up for comments …

Some things sound more scary than they are
by Sven Vermeulen, post on Thu 15 August 2013

A few days ago I finally got to the next thing on my Want to do this year list: put a new android (Cyanogenmod) on my tablet, which was still running the stock Android - but hasn't seen any updates in more than a year. Considering the (in)security of Android …

And now, 31 days later...
by Sven Vermeulen, post on Thu 01 August 2013

... the Gentoo Hardened team had its monthly online meeting again ;-)

On the agenda were the usual suspects, such as the toolchain. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the hardenedno* and vanilla gcc-config options which will be added to the tree …

Rebuilding SELinux contexts with sefcontext_compile
by Sven Vermeulen, post on Mon 08 July 2013

A recent update of libpcre caused the binary precompiled regular expression files of SELinux to become outdated (and even blatantly wrong). The details are in bug 471718 but that doesn't help the users that are already facing the problem, nor have we found a good place to put the fix …

Adding mcstrans to Gentoo
by Sven Vermeulen, post on Sun 07 July 2013

If you use SELinux, you might be using an MLS-enabled policy. These are policies that support sensitivity labels on resources and domains. In Gentoo, these are supported in the mcs and mls policy stores. Now sensitivity ranges are fun to work with, but the moment you have several sensitivity levels …

A SELinux policy for incron: finishing up
by Sven Vermeulen, post on Fri 31 May 2013

After 9 posts, it's time to wrap things up. You can review the final results online (incron.te, incron.if and incron.fc) and adapt to your own needs if you want. But we should also review what we have accomplished so far...

We built the start of an entire …

A SELinux policy for incron: using booleans
by Sven Vermeulen, post on Thu 30 May 2013

After using a default set of directories to watch, and allowing admins to mark other types as such as well, let's consider another approach for making the policy more flexible: booleans. The idea now is that a boolean called incron_notify_non_security_files enables incrond to be notified on changes on all possible …

A SELinux policy for incron: marking types eligible for watching
by Sven Vermeulen, post on Wed 29 May 2013

In the previous post we made incrond able to watch public_content_t and public_content_rw_t types. However, this is not scalable, so we might want to be able to update the policy more dynamically with additional types. To accomplish this, we will make types eligible for watching through an attribute.

So how …