Having problems with #SELinux (on a test system) and all I can find by googling is the recommendation to switch from enforcing to permissive. Seriously? 🤔
"don't use dom0, it doesn't have all packages required for building
increase #qube private storage max size - default 2GB is not enough to even clone the code
disable #SELinux (sudo setenforce 0)"
@dugite_code @frox Agreed. They are different solutions for different purposes. Also, containers should be confined with #Apparmor, #selinux, or some other #LSM mandatory access control mechanism. They are not, themselves, a thoroughly secure method of confinement, though there can be some security benefits to some container implementations.
"🐧 #Linux tip: With 'semanage' you can manage permissions under #SELinux. Use 'semanage fcontext' to add file types and 'restorecon' to reset the context. Examples: 'semanage fcontext -a -t httpd_sys_content_t /var/www/html' and 'restorecon -Rv /var/www/html'! #OpenSource"
Today we present vovcia - co-founder of the CLUG foundation, administrator, programmer, architect - currently in web3. At #JesieniLinuksowa he will talk about how to use #SELinux to secure containers in #Kubernetes, without turning it into a doctoral thesis.🍁#Linux
More information about the program: https://jesien.org/2023/agenda/
Labeling systems like #SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, #Podman does not change the labels set by the OS.
By default #TLS verification is turned on when communicating to registries from Podman. If the registry does not require encryption the Podman commands such as build, commit, pull and push will fail unless TLS verification is turned off using the --tls-verify option. NOTE: It is not at all recommended to communicate with a registry and not use TLS verification.
rootless containers cannot #ping hosts
Since the administrator of the system set up your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a #noexec mount point and to which you have read/write privileges.
LSM provides hooks only for access control
Systems like #grsecurity and RSBAC [1] need more than just access control. Implementations like #AppArmor, LIDS [2], #POSIX capabilities, Smack [3], TOMOYO [4], #SELinux. Stacking multiple security modules is problematic; LSM hooks expose kernel-internal data structures as parameters. #Ethos is running inside the Xen Virtual Machine Monitor (#VMM).
#Xen Dom0 OS is typically Linux. #Virtualization allows running Ethos alongside Linux.
When Dom0 receives a packet destined to an Ethos host, its routing/ARP tables allow it to deliver the packet correctly:
(1) the request was received on interface n’s partition,
(2) the target address belongs to a host that exists on an interface other than n,
(3) ensure Dom0 has ARP table entries for each Ethos host.
#Ethos immediately sends a packet to shadowdæmon upon booting, and shadowdæmon uses this packet to update Dom0’s static ARP table.
The fileInformation system call is interesting in that Ethos supports file metadata typically not present on Linux. Here shadowdæmon makes use of Linux’s getxattr/setxattr system calls to store Ethos metadata along with the files it describes. Shadowdæmon is also responsible for providing Ethos with random data using a Random RPC.
Ethos offers distributed types in the Etypes subsystem:
- a notation, ETN, for specifying types
- a machine-readable type description (“type graph”)
- a single wire format (ETE)
- tools (userspace and kernelspace) to transform ETN into code that will encode, decode, and recognize types
- extensions to read and write system calls to check input and output
- programs specify what input types they allow
- validity of input (and outputs) enforced by the OS
#Kerberos was motivated by the transition from single, time-sharing systems to distributed networks of workstations.
A Kerberos installation is made up of two services: an authentication service and a Ticket Granting Service (TGS).
X.509 added a graph-based trust model to its traditional hierarchical model, but its design imposes a high performance overhead. SDSI also provides a strong trust model, but likewise does not perform well at Internet scale. Another alternative is the web of trust used by #PGP.
#SSH attempts to isolate private keys by protecting them
#Multics provides a hierarchical filesystem that is governed by access control lists. Processes serve as subjects and can access objects in the storage system. Each subject has associated with it a value called a principal identifier, which corresponds to the user on whose behalf the process runs. Each object in the storage system has associated with it three modes: read, write, and execute. For each mode, there exists a list of principal identifiers that may access the object using the mode.
Likewise, #Unix authorization has traditionally been discretionary.
#Factotum acts as an authentication proxy.
Consider a POP email server that must implement the APOP authentication protocol. On Plan 9, such an email server would receive requests from the network and process them. In the case of authentication requests, the email server forwards the request to factotum. Factotum then provides the email server with the response it should pass to the client. Never in this process are keys shared with the email server.
#HiStar’s flow controls contain the effect of a compromised app, serving as a countermeasure to one of the facets of application-based subversion. Even if an app is compromised, it cannot bypass the flow controls that HiStar imposes on it. But an app that operates within its information-flow constraints could easily be programmed or misconfigured so that protections are missing.
on traditional Unix systems, still remain with HiStar’s Unix layer
Goodbye to the obnoxious "NSA" reference when activating #SELinux in #Linux kconfig!
On the babybooks topic, remember there is also good old "selinux coloring book" to learn selinux:
I see that the Debian kernel supports SELinux, and there is some good documentation for it in the Debian handbook, but it does not seem to be commonly used with the OS (#AppArmor seems much more common with Debian). So my main concern is that using it in Debian may be unpredictable or more of a challenge than with distributions that use SELinux by default.
Hello my #linux friends. I'm in the planning stages of standing up two bare metal Alma Linux servers that are going to power an e-commerce site for my brother. Since these servers will be handling financial transactions, I'm thinking I'll need to enable #selinux and I've always disabled it. My setup might not pass a SOX or PCI audit without selinux properly configured.
Seeing as I'm thoroughly confused by it, any good "for dummies" refs out there?
Not really obscure for Linux users from here on. #Wayland + #Flatpak are pretty much the inevitable future of default out-of-the-box "mainstream" desktop #Linux experience, even though folks love to hate Flatpak (plus, some distros like #Fedora enable #SELinux on top by default, otherwise #AppArmor at least). The only thing I mentioned that will still not be present by default is uBlock Origin.
I guess that makes me Nobody.
Excited to share, since this is something I've been working on.
SELinux support with Nginx?
Yes, you can have both worlds.
- "The only advantage of Snap or Flatpak is confinement."
Maybe for you. Others value the ease of creating and distributing software.
Introduction to SELinux: https://github.blog/2023-07-05-introduction-to-selinux/
I sent the LSM, SELinux, and audit kernel pull requests for the v6.5 merge window up to Linus today. There isn't much in the audit PR, but the LSM and SELinux PRs can be found below:
With all this talk recently about #RedHat and their ideas of making certain sources more difficult to obtain does concern me. I use #RockyLinux as a clone for work because I've never been able to get that damn Developer crap working from RedHat and firing up and destroying test VMs is a large part of what I do. I want to stick around due to #SELinux out of the box, but maybe it is time to talk about alternatives for some corporations. Has anyone tried SELinux with #Debian?
Experiencing SELinux or Magisk errors with App Cloner? Check out the solution outlined in this blog post: https://appcloner.blog/2023/06/24/selinux-and-magisk-error-messages/
If you haven't installed cockpit on your distro of choice, check it out.
Burned a couple hrs yesterday trying to install #diaspora
The docs failed to mention two _smashingly_ obvious points that would have saved me hours...
- #debian has a package called diaspora-installer that purportedly makes standing up diaspora MUCH easier.
Fun attack against #SELinux 🐧🔓
Bypassing SELinux with init_module
SELinux Coloring Book | Red Hat Developer https://developers.redhat.com/e-books/selinux-coloring-book
#selinux Daniel Walsh
@mttaggart @BarbossHack Honestly, #SELinux only really clicked for me when I took a prep class for the #RHCE. Once I grok'd it was about *processes* and that labels and booleans were the levers, it became mostly about just installing setroubleshoot-server and remembering which man pages to look at. SELinux stopped seeming so inaccessible, magical, and arcane from that point on for me.
Original tweet : https://twitter.com/phoronix/status/1650477757413961735
Folks... I'm close to despair. 😭
Which FILE_TYPE is the right one for #postgresql? Where do you look something like that up?
I have a cgi-bin directory where Apache reads and serves a Perl script.
A file is uploaded through the web form.
And the postgres user cannot access the directory /var/lib/postgresql/incoming.
The ACLs are set correctly, but #SELINUX is still missing something. 🙈
I'm moving the site from Debian to CentOS, hence the SELinux. 🙈
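The post above asks which file type is right and what SELinux is still blocking; the place to look is the AVC denial records in /var/log/audit/audit.log rather than switching to permissive. The following is an added example, not from the original poster: a small Python parser that summarises AVC denials by source domain, target type, object class and permission, run over constructed sample lines modelled on the CGI-upload-to-postgres scenario (the PIDs, inodes, file names and the labels involved are assumptions for illustration).

```python
import re
from collections import Counter

# Constructed sample audit records (not from the original post). The layout is the
# standard auditd AVC format; PIDs, inodes, file names and labels are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { write } for  pid=2101 comm="perl" name="incoming" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=1777 comm="postgres" name="upload.csv" dev="dm-0" ino=5002 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { read } for  pid=1777 comm="postgres" name="upload.csv" dev="dm-0" ino=5002 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=257 success=no exit=-13
"""

# Matches the fields of one AVC denial; 'name' and 'permissive' are optional in practice.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)


def selinux_type(context):
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()          # "{ read write }" -> ["read", "write"]
    d["permissive"] = d["permissive"] == "1"  # True if the denial was only logged
    return d


def summarize_denials(log_text):
    """Count denials by (source type, target type, class, permission). This shows which
    domain is blocked from which label, which is what decides the right fcontext type."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            counts[(selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}x {src} -> {tgt} ({cls}:{perm})")
```

In the constructed sample the two denials point at the two sides of the problem: the CGI script's domain cannot write into the directory carrying the PostgreSQL label, and the postgres domain cannot read a file that kept the web server's label, so the fix is a label decision, not permissive mode.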
@passbolt I had a few snags, we'll say, with the installation. Had to do a bunch of #selinux workarounds and while it generated the #letsencrypt cert, it didn't include the letsencrypt root cert, so it would mostly work on browsers, but not the Android native client. That was a little frustrating to debug, but easy to fix by appending it to the cert.
"The Notebook's goal is to be the most current and comprehensive book on SELinux, covering the #Linux #Kernel components, the #userspace libraries and tools, the policy toolchain, and the policy itself."
Huge shoutout to everyone involved in making this milestone possible, especially to my @RedHat colleagues!
Learning #SELinux with the coloring book from #RedHat https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
Hello, Fediverse! ✈️
You can configure a server, modify your network (and firewall!), view logs, see system stats, edit accounts, start and stop services, debug #SELinux, and much more.