New SELinux userspace release
by Sven Vermeulen, post on Fri 26 April 2013
A new release of the SELinux userspace utilities was recently announced. I have made the packages for Gentoo available and they should now be in the main tree (~arch of course). During the testing of the packages however, I made a stupid mistake of running the tests on the wrong …
Using strace to troubleshoot SELinux problems
by Sven Vermeulen, post on Wed 24 April 2013
When SELinux is playing tricks on you, you can just "allow" whatever it wants to do, but that is not always an option: sometimes, there is no denial in sight because the problem lies within SELinux-aware applications (applications that might change their behavior based on what the policy says or …
SLOT'ing the old swig-1
by Sven Vermeulen, post on Tue 23 April 2013
The SWIG tool helps developers in building interfaces/libraries that can be accessed from many other languages than the ones the library is initially written in or for. The SELinux userland utility setools uses it to provide Python and Ruby interfaces even though the application itself is written in C …
Introducing selocal for small SELinux policy enhancements
by Sven Vermeulen, post on Sun 21 April 2013
When working with a SELinux-enabled system, administrators will eventually need to make small updates to the existing policy. Instead of building their own full policy (always an option, but most likely not maintainable in the long term) one or more SELinux policy modules are created (most distributions use a modular …
Another Gentoo Hardened month has passed
by Sven Vermeulen, post on Thu 18 April 2013
Another month has passed, so time to mention again what we have all been doing lately ;-)
Toolchain
Version 4.8 of GCC is available in the tree, but currently masked. The package contains a fix needed to build hardened-sources, and a fix for the asan (address sanitizer). asan support in …
What could SELinux have done to mitigate the postgresql vulnerability?
by Sven Vermeulen, post on Tue 16 April 2013
Gentoo is one of the various distributions which support SELinux as a Mandatory Access Control system to, amongst other things, mitigate the results of a successful exploit against software. So what about the recent PostgreSQL vulnerability?
When correctly configured, the PostgreSQL daemon will run in the postgresql_t domain. In SELinux-speak …
Not needing run_init for password-less service management
by Sven Vermeulen, post on Tue 09 April 2013
One of the things that has been bugging me was why, even with having pam_rootok.so set in /etc/pam.d/run_init, I cannot enjoy passwordless service management without using run_init directly:
# rc-service postgresql-9.2 status
Authenticating root.
Password:
# run_init rc-service postgresql-9.2 status
Authenticating root.
* status: started
So I …
Separate puppet provider for Gentoo/SELinux?
by Sven Vermeulen, post on Sun 07 April 2013
While slowly transitioning my playground infrastructure towards Puppet, I am already in the process of creating a custom provider for things such as services. Puppet uses providers as "implementations" for the functions Puppet needs. For instance, for the service type (which handles init script services), there are providers for RedHat, Debian …
Fiddling with puppet apply
by Sven Vermeulen, post on Wed 20 March 2013
As part of a larger exercise, I am switching my local VM set from a more-or-less scripted manual configuration towards a fully Puppet-powered one. Of course, it still uses a lot of custom modules and is most likely too ugly to expose to the wider internet, but it does seem …
SELinux tutorial series
by Sven Vermeulen, post on Fri 15 March 2013
As we get a growing number of SELinux users within Gentoo Hardened and because the SELinux usage at the firm I work at is most likely going to grow as well, I decided to join the bunch of documents on SELinux that are "out there" and start a series of …