Xen and SE Linux – EWeek review of RHEL5

The online magazine EWeek has done a review of RHEL5. It’s quite a positive review which can be summarised as “good support for Xen as service (not an appliance), better value than previous versions with the licenses for multiple guests included, and SE Linux briefly got in the way but the Troubleshooting tool fixed it […]

SE Linux – not too difficult for new users

At http://tanso.net/selinux/ Jan-Frode Myklebust has documented his work in creating new SE Linux policy to run Googleearth on Red Hat Enterprise Linux 5. He discussed this with us on #selinux in irc.freenode.net (the main SE Linux IRC channel).

One of his later IRC comments was: <janfrode> btw erich, the reason for creating this googleearth module […]

The Inevitability of Failure

The below document was reproduced from the NSA web site with permission. I have moved three footnotes to comments within the document (footnotes don’t work well in HTML) and also converted the HTTP references to links.

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

Peter A. Loscocco, Stephen D. […]

Trusted Solaris vs SE Linux

Karl MacMillan writes an interesting review of a Sun article about SE Linux. Not only does he correct errors in the Sun article but he also summarises some of the features of SE Linux design and terminology that we use. If you are interested in computer security and want to learn some of the basic […]

questions regarding SE Linux

I just received a question about SE Linux via email. As I don’t want to post private messages containing material that’s globally useful I’ll answer through my blog:

> other than strict and targeted policies……other policies like
> RBAC, MCS, Type Enforcement are also there….how are these policies
> implemented

The two main policies are […]

Debian and Google Summer (Winter) Of Code

Debian is participating in the Google Summer Of Code (or Winter if you are in the southern hemisphere).

It would be good if we could get a SE Linux related project in. If you are interested in doing some SE Linux work (or other security related work) in this regard then please let me know. […]

SE Linux on /.

The book SE Linux by Example has been reviewed on Slashdot.

The issue of Perl scripts was raised for discussion. It is of course true that a domain which is permitted to run the Perl interpreter can perform arbitrary system calls – it can therefore do anything that SE Linux permits that domain to do. […]

creating a new SE Linux policy module

Creating a simple SE Linux policy module is not difficult.

audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="spf-policy.pl" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

For example I had a server with the above messages in the kernel message log from the spf-policy program (run from Postfix) trying to run the “hostname” program. So I […]

execmod

Ulrich Drepper has written a good web page about text relocation which is most often noticed as execmod failures reported when running SE Linux. When an AVC message reports a failure of execmod against a shared object it means that the object has text relocations (the shared object code writes to code that it executes […]

classic security mistake

One of the most obvious (and yet most common) computer security mistakes is to take input from an untrusted (and potentially hostile) source. A classic example of this is in Windows Vista where audio output from the system speakers can be taken as input to the speech recognition system. According to the BBC article an […]