Simplicity is a form of art...

Why our policies don't like emerge --config
by Sven Vermeulen, post on Fri 23 August 2013

One of the features that Portage provides is to have post-processing done on request of the administrator for certain packages. For instance, for the dev-db/postgresql-server package we can call its pkg_config() phase to create the PostgreSQL instance and configure it so that the configuration of the database is …

Network routing based on SELinux?
by Sven Vermeulen, post on Wed 21 August 2013

Today we had a question on #selinux whether it was possible to route the traffic of a specific process using SELinux. The short answer is "no", although it deserves a bit more explanation.

SELinux does not route traffic. SELinux is a local mandatory access control system …

Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?
by Sven Vermeulen, post on Fri 16 August 2013

As you are probably aware, Gentoo uses the reference policy as its base for SELinux policies. Yes, we do customize it, and not everything is already pushed upstream (for instance, our approach of using xdg_*_home_t customizable types to further restrict user application access has been sent up for …

Some things sound more scary than they are
by Sven Vermeulen, post on Thu 15 August 2013

A few days ago I finally got to the next thing on my Want to do this year list: put a new Android (Cyanogenmod) on my tablet, which was still running the stock Android but hadn't seen any updates in more than a year. Considering the (in)security of Android …

And now, 31 days later...
by Sven Vermeulen, post on Thu 01 August 2013

... the Gentoo Hardened team had its monthly online meeting again ;-)

On the agenda were the usual suspects, such as the toolchain. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the hardenedno* and vanilla gcc-config options which will be added to the tree …

Rebuilding SELinux contexts with sefcontext_compile
by Sven Vermeulen, post on Mon 08 July 2013

A recent update of libpcre caused the precompiled binary regular expression files of SELinux (the file_contexts.bin files generated from file_contexts) to become outdated (and even blatantly wrong). The details are in bug 471718, but that doesn't help the users that are already facing the problem, nor have we found a good place to put the fix …

Adding mcstrans to Gentoo
by Sven Vermeulen, post on Sun 07 July 2013

If you use SELinux, you might be using an MLS-enabled policy. These are policies that support sensitivity labels on resources and domains. In Gentoo, these are supported in the mcs and mls policy stores. Now sensitivity ranges are fun to work with, but the moment you have several sensitivity levels …

A SELinux policy for incron: finishing up
by Sven Vermeulen, post on Fri 31 May 2013

After 9 posts, it's time to wrap things up. You can review the final results online (incron.te, incron.if and incron.fc) and adapt to your own needs if you want. But we should also review what we have accomplished so far...

We built the start of an entire …

A SELinux policy for incron: using booleans
by Sven Vermeulen, post on Thu 30 May 2013

After using a default set of directories to watch, and allowing admins to mark other types as such as well, let's consider another approach for making the policy more flexible: booleans. The idea now is that a boolean called incron_notify_non_security_files enables incrond to be notified on …

A SELinux policy for incron: marking types eligible for watching
by Sven Vermeulen, post on Wed 29 May 2013

In the previous post we made incrond able to watch public_content_t and public_content_rw_t types. However, this is not scalable, so we might want to be able to update the policy more dynamically with additional types. To accomplish this, we will make types eligible for watching …
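As an added illustration of the two approaches described in the posts above (the attribute that marks types as eligible for watching, and the incron_notify_non_security_files boolean), here is how both can be expressed in reference-policy syntax. This is example policy written for this page, not the series' actual incron.te/incron.if linked above. The attribute name incron_notify_type, the interface name incron_notify_file and the module version are assumptions; miscfiles_read_public_files and files_read_non_security_files are assumed to be the refpolicy interfaces that grant read access to public_content_t/public_content_rw_t and to the non_security_file_type attribute respectively. Read access is what is granted because inotify_add_watch() on kernels of that era checks read permission on the watched object (a dedicated watch permission only appeared in the kernel and policy years later).

```m4
# incron.te (hypothetical excerpt written for this page, not the project's file)
policy_module(incron, 0.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow incrond to be notified about changes to any non-security
## file on the system, not only to types marked with incron_notify_file().
## </p>
## </desc>
gen_tunable(incron_notify_non_security_files, false)

# Types carrying this attribute may be watched by incrond.
# Administrators add types to it through incron_notify_file() below.
attribute incron_notify_type;

type incrond_t;
type incrond_exec_t;
init_daemon_domain(incrond_t, incrond_exec_t)

########################################
#
# Local policy
#

# Default set from the earlier post: public content can always be watched
# (assumed refpolicy interface covering public_content_t and public_content_rw_t).
miscfiles_read_public_files(incrond_t)

# Anything an administrator marked as eligible. inotify_add_watch() requires
# read access to the target, so read permissions are what make a watch work.
allow incrond_t incron_notify_type:dir list_dir_perms;
allow incrond_t incron_notify_type:file read_file_perms;

# Opt-in via boolean, off by default; widens the watchable set to every
# type carrying non_security_file_type (assumed refpolicy interface).
tunable_policy(`incron_notify_non_security_files',`
	files_read_non_security_files(incrond_t)
')

# incron.if (hypothetical excerpt written for this page)

## <summary>Inotify-based cron daemon.</summary>

########################################
## <summary>
##	Mark the specified type as eligible for incrond to place an
##	inotify watch on (files and directories of that type).
## </summary>
## <param name="type">
##	<summary>
##	Type to mark.
##	</summary>
## </param>
##
interface(`incron_notify_file',`
	gen_require(`
		attribute incron_notify_type;
	')

	typeattribute $1 incron_notify_type;
')

# Usage from a local administrator module, e.g. myincron.te (assumed name):
#   policy_module(myincron, 0.1)
#   gen_require(` type var_log_t; ')
#   incron_notify_file(var_log_t)
# and enabling the wider boolean at runtime:
#   setsebool -P incron_notify_non_security_files on
```

The attribute route keeps the policy scalable: adding a type to the watchable set is one interface call in a local module and needs no change to incron.te, while the boolean remains a single switch for the broad (and less restrictive) case. The two deliberately do not overlap: types marked through the interface are readable regardless of the boolean, and the boolean does not reach security-sensitive types such as shadow_t, because those do not carry non_security_file_type.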