03 Apr
When discussing the machine there are two common comments I get. One is a suggestion that I am putting myself at risk, I think that the risk of visiting random web sites is significantly greater. Another is a challenge to put the machine on my internal network if I really trust SE Linux, as noted I have made mistakes in the past and there have been Linux kernel bugs - but apart from that it’s always best to have multiple layers of protection.
Posted in Security by: etbe
No Comments
02 Apr
My SE Linux Play Machine has been online again since the 18th of March.
On Monday the 11th of Feb I took it offline after a user managed to change the password for my own account. Part of the problem was the way /bin/passwd determines whether it should change a password.
Posted in Security by: etbe
3 Comments
02 Apr
My Etch back-port repository of SE Linux related packages (which I documented in a previous post) now has a complete set of packages for AMD64. From now on I aim to make AMD64 and i386 be my main supported platforms for SE Linux development.
Posted in Security by: etbe
No Comments
28 Mar
At the moment I’ve got more time to work on these things than I have had for a while.
I’ve got Etch support going quite well (see my post about my Etch repository [1]), the next step is to back-port some packages for AMD64 to get it working as well as i386.
I’ve got an i386 Xen [...]
Posted in Security by: etbe
1 Comment
07 Feb
Using the “ulimit” controls over process resource use it is possible to limit RAM for processes and to limit the number of processes per UID. The problem is that this often is only good for accidental problems not dealing with malicious acts.
For a multi-user machine each user needs to be allowed to have two [...]
Posted in Linux, Security by: etbe
6 Comments
31 Jan
I previously wrote about how I gave a talk about SE Linux at a conference spot when a talk about AppArmor was scheduled. It turned out that the Suse people had notified the LCA people some time in advance about the fact that John would not be attending the conference. The LCA people [...]
Posted in Linux.conf.au, Security by: etbe
No Comments
30 Jan
Last year at LCA Crispin Cowan suggested to me that I make a joint offer of a combined tutorial on SE Linux and AppArmor as a way of publicly comparing the two technologies. I ended up not accepting the challenge, among other things I had a long-term project going in production in early December [...]
Posted in Linux.conf.au, Security by: etbe
1 Comment
17 Nov
Recently a user has been asking about SE Linux support in MEPIS [1]. He seems to expect that as the distribution is based on Debian it should have the same SE Linux support as is in Debian.
The problem with derived distributions (which potentially applies to all variants of Debian, Fedora, and RHEL) is that [...]
Posted in Security by: etbe
2 Comments
13 Nov
SE Linux has a utility named restorecon to set (or reset) the security context. This is useful for many reasons, corrupted filesystems, users removing files or changing the context in inappropriate ways, and for re-creating files from tar files or backup programs that don’t restore SE Linux contexts. It can also be used [...]
Posted in Security by: etbe
10 Comments
10 Nov
On Thursday at Secure Con [1] I gave a lecture about SE Linux that went according to plan, and they gave me a nice bottle of Penfolds Shiraz afterwards (thanks to the sponsors).
During my lecture I announced my plan to run the hands-on training session over the net. The idea is that the Debian [...]
Posted in Security by: etbe
2 Comments