Yesterday and today I attended Ruxcon – the leading technical security conference in Australia. The first lecture I attended was “Breaking Linux Security Protections” by Andrew Griffiths. This included a good overview of many current issues with Linux security. One thing that was particularly noteworthy was his mention of SE Linux policy, he cited [...]
My SE Linux Play Machine is online again. It’s been online for the last month and much of the month before due to Xen issues. Nothing really tricky to solve, but I was busy with other things. Sorry for any inconvenience.
deb http://www.coker.com.au squeeze selinux
I have an Apt repository for Squeeze SE Linux packages at the above URL. Currently it contains a modified version of ffmpeg that doesn’t need execmod access on i386 and fixes the labeling of /dev/xen on systems that use devtmpfs as reported in bug #597403. I will keep updating this repository [...]
Why use a Chroot environment?
A large part of the use of chroot environments is for the purpose of security; it used to be the only way of isolating a user from a section of the files on a server. In many of the cases where a chroot used to be used for security it [...]
I’ve updated my SE Linux repository for Squeeze to include a modified version of the ffmpeg packages without MMX support for the i386 architecture. When MMX support is enabled it uses assembler code which requires text relocations (see Ulrich Drepper’s documentation for the explanation of this). This makes it possible to run programs [...]
Since the earliest days there has been a command named audit2allow that takes audit messages of operations that SE Linux denied and produces policy that will permit those operations. A lesser known option for this program is the “-R” option to use the interfaces from the Reference Policy (the newer version of the policy that [...]
One of the access controls in SE Linux is for execmem – which is used to stop processes from creating memory regions that are writable and executable (as they make it easier to compromise programs and get them to execute supplied code). When the SE Linux audit log tells you that a program is attempting [...]
My SE Linux Play Machine has been offline for almost a month (it went offline late May 30 and has just gone online again). It’s the sort of downtime that can happen when you use Debian/Unstable.
For a while I’ve been using a HP E-PC (a SFF desktop system with 256M of RAM and [...]
I have just uploaded refpolicy version 0.2.20100524-1 to Unstable. This policy is not well tested (a SE Linux policy package ending in “-1” is not something that tends to work well for all people) and in particular lacks testing for Desktop environments. But for servers it should work reasonably well.
I expect to have a [...]
I was asked “Can you run SELinux on a XEN guest without any problem?”. In a generic sense the answer is of course YES, Xen allows you to run Linux kernels with all the usual range of features and SE Linux isn’t a particularly difficult feature to enable. I do most of my SE Linux [...]