Since the earliest days there has been a command named audit2allow that takes audit messages of operations that SE Linux denied and produces policy that will permit those operations. A lesser known option for this program is the “-R” option to use the interfaces from the Reference Policy (the newer version of the policy that […]
One of the access controls in SE Linux is for execmem – which is used to stop processes from creating memory regions that are writable and executable (as they make it easier to compromise programs and get them to execute supplied code). When the SE Linux audit log tells you that a program is attempting […]
My SE Linux Play Machine  has been offline for almost a month (it went offline late May 30 and has just gone online again). It’s the sort of downtime that can happen when you use Debian/Unstable.
For a while I’ve been using a HP E-PC (a SFF desktop system with 256M of RAM and […]
I have just uploaded refpolicy version 0.2.20100524-1 to Unstable. This policy is not well tested (a SE Linux policy package ending in “-1” is not something that tends to work well for all people) and in particular lacks testing for Desktop environments. But for servers it should work reasonably well.
I expect to have a […]
I was asked “Can you run SELinux on a XEN guest without any problem?“. In a generic sense the answer is of course YES, Xen allows you to run Linux kernels with all the usual range of features and SE Linux isn’t a particularly difficult feature to enable. I do most of my SE Linux […]
It’s widely regarded that passwords should be changed regularly. The Australian government declared last week the “National Cyber Security Awareness Week”  and has published a list of tips for online security which includes “Get a stronger password and change it at least twice a year“.
Can a Password be Semi-Public?
Generally I think of […]
My blog post about logging in as root and whether sudo provides any benefit  got some interest on Redit. In the Reddit comments on my post  there are a lot of strange things. One interesting comment was to suggest that logging in as non-root provided “defense in depth”.
The NSA is credited with […]
In response to my previous post about logging in directly as root  it was suggested that using sudo is the only way to log the commands that are entered as root. One reason for doing this is if you don’t trust the people who are granted root access and you want to log all […]
Joey Hess wrote on Debian-devel about the problem of init scripts not doing adequate checks before using the data from a PID file under /var/run to determine which process to kill . Unfortunately that still doesn’t quite solve the problem, there is still the issue of a race condition causing a process to die while […]
I was asked by email whether SE Linux could implement traditional Unix users and groups.
The Strictly Literal Answer to that Question
The core of the SE Linux access control is the domain-type model where every process has a domain and every object that a process can access (including other processes) has a type. Domains […]