Overriding the default SELinux policies
by Sven Vermeulen, post on Wed 15 May 2013Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?
Well, sadly …
Highlevel assessment of Cdorked and Gentoo Hardened/SELinux
by Sven Vermeulen, post on Tue 14 May 2013With all the reports surrounding Cdorked, I took a look at if SELinux and/or other Gentoo Hardened technologies could reduce the likelihood that this infection occurs on your system.
First of all, we don't know yet how the malware gets installed on the server. We do know that the …
SECMARK and SELinux
by Sven Vermeulen, post on Mon 13 May 2013When using SECMARK, the administrator configures the iptables or netfilter rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic is completely locally defined. Consider the following command …
Peer labeling in SELinux policy
by Sven Vermeulen, post on Sun 12 May 2013Allow me to start with an important warning: I don't have much hands-on experience with the remainder of this post. Its based on the few resources I found on the Internet and a few tests done locally which I've investigated in my attempt to understand SELinux policy writing for networking …
SELinux policy and network controls
by Sven Vermeulen, post on Sat 11 May 2013Let's talk about how SELinux governs network streams (and how it reflects this into the policy).
When you don't do fancy stuff like SECMARK or netlabeling, then the classes that you should keep an eye on are tcp_socket and udp_socket (depending on the protocol). There used to be node and …
Overview of Linux capabilities, part 2
by Sven Vermeulen, post on Sun 05 May 2013As I've (in a very high level) described capabilities and talked a bit on how to work with them, I started with a small overview of file-related capabilities. So next up are process-related capabilities (note, this isn't a conform terminology, more some categorization that I do myself).
- CAP_IPC_LOCK
- Allow the …
Capabilities, a short intro
by Sven Vermeulen, post on Thu 02 May 2013Capabilities. You probably have heard of them already, but when you start developing SELinux policies, you'll notice that you come in closer contact with them than before. This is because SELinux, when applications want to do something "root-like", checks the capability of that application. Without SELinux, this either requires the …
SELinux mount options
by Sven Vermeulen, post on Wed 01 May 2013When you read through the Gentoo Hardened SELinux
handbook,
you'll notice that we sometimes update /etc/fstab with some
SELinux-specific settings. So, what are these settings about and are
there more of them?
First of all, let's look at a particular example from the installation instructions so you see what …
Securely handling libffi
by Sven Vermeulen, post on Sun 28 April 2013I've recently came across libffi again.
No, not because it was mentioned during the Gentoo
Hardened online meeting, but
because my /var/tmp wasn't mounted correctly, and emerge (actually
python) uses libffi. Most users won't notice this, because libffi works
behind the scenes. But when it fails, it fails bad …
How logins get their SELinux user context
by Sven Vermeulen, post on Sat 27 April 2013Sometimes, especially when users are converting their systems to be
SELinux-enabled, their user context is wrong. An example would be when,
after logon (in permissive mode), the user is in the
system_u:system_r:local_login_t domain instead of a user domain like
staff_u:staff_r:staff_t.
So, how does a login get …