Masthash

#SELinux

Martin Schmitt
4 days ago

I'm having problems (on a test system) with #SELinux, and all I can google up is the recommendation to switch from enforcing to permissive. Seriously? 🤔

qubes-notes.md

"don't use dom0, it doesn't have all packages required for building
increase #qube private storage max size - default 2GB is not enough to even clone the code
disable #SELinux (sudo setenforce 0)"
https://gist.github.com/krystian-hebel/4359297e4ca3d9e9e3da01f9695d0e27#:~:text=don%27t%20use%20dom0,setenforce%200)

Michela Marie 🇨🇦
2 weeks ago

@dugite_code @frox Agreed. They are different solutions for different purposes. Also, containers should be confined with #Apparmor, #selinux, or some other #LSM mandatory access control mechanism. They are not, themselves, a thoroughly secure method of confinement, though there can be some security benefits to some container implementations.

Open Source Pro
2 weeks ago

"🐧 #Linux tip: With 'semanage' you can manage permissions under #SELinux. Use 'semanage fcontext' to add file types and 'restorecon' to reset the context. Examples: 'semanage fcontext -a -t httpd_sys_content_t /var/www/html' and 'restorecon -Rv /var/www/html'! #OpenSource"

Jesień Linuksowa
2 weeks ago

Today we present to you vovcia, co-founder of the CLUG foundation, administrator, programmer, architect, currently in web3. At #JesieniLinuksowa he will talk about how to use #SELinux to secure containers in #Kubernetes, without turning it into a doctoral thesis. 🍁 #Linux
More information about the programme: https://jesien.org/2023/agenda/

Jesień Linuksowa
2 weeks ago

First post on Mastodon, and we're starting with a bang!

We are pleased to announce that tickets and the agenda for the 19th edition of Jesień Linuksowa are available. For more details, visit the conference website:
https://jesien.org/2023/

#JesienLinuksowa #linux #kubernetes #selinux #django #opensource #freesoftware #PLUG

Labeling systems like #SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, #Podman does not change the labels set by the OS.
By default #TLS verification is turned on when communicating to registries from Podman. If the registry does not require encryption the Podman commands such as build, commit, pull and push will fail unless TLS verification is turned off using the --tls-verify option. NOTE: It is not at all recommended to communicate with a registry and not use TLS verification.
rootless containers cannot #ping hosts
Since the administrator of the system set up your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a #noexec mount point and to which you have read/write privileges.
https://github.com/containers/podman/blob/main/troubleshooting.md#34-passed-in-devices-or-files-cant-be-accessed-in-rootless-container-uidgid-mapping-problem

𝚓𝚎𝚎
3 weeks ago

Recent systemd update broke my Fedora

I get the error message on boot :
'!!!! Failed to mount API Filesystems'

i had to disable SELinux in rescue mode to be able to boot

Am I alone?

#Fedora #Systemd #SELinux #udev #Update #Linux #Help

i will really just avoid #selinux until i have to deal with it

#linux

LSM provides hooks only for access control.
Systems like #grsecurity and RSBAC [1] need more than just access control. Implementations like #AppArmor, LIDS [2], #POSIX capabilities, Smack [3], TOMOYO [4], #SELinux. Stacking multiple security modules is problematic. LSM hooks expose kernel internal data structures as parameters. #Ethos is running inside the Xen Virtual Machine Monitor (#VMM).
#Xen Dom0 OS is typically Linux. #Virtualization allows running Ethos alongside Linux. [4]

When Dom0 receives a packet destined to an Ethos host, its routing/ARP tables allow it to deliver the packet correctly:

(1) the request was received on interface n's partition,
(2) the target address belongs to a host that exists on an interface other than n,
(3) ensure Dom0 has ARP table entries for each Ethos host.

#Ethos immediately sends a packet to shadowdæmon upon booting, and shadowdæmon uses this packet to update Dom0's static ARP table.
The fileInformation system call is interesting in that Ethos supports file metadata typically not present on Linux. Here shadowdæmon makes use of Linux's getxattr/setxattr system calls to store Ethos metadata along with the files it describes. Shadowdæmon is also responsible for providing Ethos with random data using a Random RPC.
Ethos offers distributed types in the Etypes subsystem:
- A notation, ETN, for specifying types
- A machine-readable type description ("type graph")
- A single wire format (ETE)
- Tools (userspace and kernelspace) to transform ETN into code that will encode, decode, and recognize types
- Extensions to read and write system calls to check input and output
- Programs specify what input types they allow
- Validity of input (and outputs) enforced by the OS
#Kerberos was motivated by the transition from single, time-sharing systems to distributed networks of workstations.
A Kerberos installation is made up of two services: an authentication service and a Ticket Granting Service (TGS).
X.509 added a graph-based trust model to its traditional hierarchical model [94], but its design imposes a high performance overhead. SDSI [95] also provides a strong trust model, but likewise does not perform well at Internet scale. Another alternative is the web of trust used by #PGP.
#SSH attempts to isolate private keys by protecting them
#Multics provides a hierarchical filesystem that is governed by access control lists. Processes serve as subjects and can access objects in the storage system. Each subject has associated with it a value called a principal identifier, which corresponds to the user on whose behalf the process runs. Each object in the storage system has associated with it three modes: read, write, and execute. For each mode, there exists a list of principal identifiers that may access the object using the mode.
Likewise, #Unix authorization has traditionally been discretionary.
#Factotum acts as an authentication proxy.
Consider a POP email server that must implement the APOP authentication protocol. On Plan 9, such an email server would receive requests from the network and process them. In the case of authentication requests, the email server forwards the request to factotum. Factotum then provides the email server with the response it should pass to the client. Never in this process are keys shared with the email server.
#HiStar's flow controls contain the effect of a compromised app, serving as a countermeasure to one of the facets of application-based subversion. Even if an app is compromised, it cannot bypass the flow controls that HiStar imposes on it. But an app that operates within its information-flow constraints could easily be programmed or misconfigured so that protections are missing.
on traditional Unix systems, still remain with HiStar's Unix layer

Shawn Powers
4 weeks ago

Do you hate #SELinux?

Full video here: https://youtu.be/BCeIZso0TH4

of course! #selinux is why it doesn't work!

#linux

mxk
1 month ago

Goodbye to the obnoxious "NSA" reference when activating #SELinux in #Linux kconfig!
https://www.phoronix.com/news/SELinux-Drops-NSA-References

Ilkka Tengvall
1 month ago

On the babybooks topic, remember there is also good old "selinux coloring book" to learn selinux:

https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

#selinux #linux #coloringbook #books

Michela Marie 🇨🇦
2 months ago

Hi, #Debian friends! Do any of you run Debian with #SELinux? If so, what is your experience like? What are some common issues to watch for?

I see that the Debian kernel supports SELinux, and there is some good documentation for it in the Debian handbook, but it does not seem to be commonly used with the OS (#AppArmor seems much more common with Debian). So my main concern is that using it in Debian may be unpredictable or more of a challenge than with distributions that use SELinux by default.

Herzenschein 🩵⭐
2 months ago

I wonder why it's so uncommon to see the #SELinux label used for #Docker compose in the wild (at least that has been my experience).

With #Podman compose I see most projects using it correctly.

Meow :verified:
2 months ago

Hello my #linux friends. I'm in the planning stages of standing up two bare metal Alma Linux servers that are going to power an e-commerce site for my brother. Since these servers will be handling financial transactions, I'm thinking I'll need to enable #selinux and I've always disabled it. My setup might not pass a SOX or PCI audit without selinux properly configured.

Seeing as I'm thoroughly confused by it, any good "for dummies" refs out there?

Jeff Fortin T.
2 months ago

@MarkusZoppelt
Not really obscure for Linux users from here on. #Wayland + #Flatpak are pretty much the inevitable future of default out-of-the-box "mainstream" desktop #Linux experience, even though folks love to hate Flatpak (plus, some distros like #Fedora enable #SELinux on top by default, otherwise #AppArmor at least). The only thing I mentioned that will still not be present by default is uBlock Origin.

I guess that makes me Nobody.

Poster from the old western movie "My Name is Nobody"

LinuxCapable
2 months ago

Quick guide to install SELinux and disable Apparmor on Debian 12 Bookworm, Debian 11 and 10 #Linux #Debian #Apparmor #Selinux

https://www.linuxcapable.com/how-to-install-selinux-on-debian-linux/

Linux Is Best
3 months ago

SeLinux support with Nginx?

Yes, you can have both worlds.

https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/configure-selinux/ # guide by Nginx

#SeLinux #Nginx #Linux

Iñigo Serna
3 months ago

@gnusuario
- "The only advantage of Snap or Flatpak is the confinement."
For you, maybe. Others value the ease of creating and distributing software.

- "That confinement is achieved by means of #AppArmor or #SELinux"
How many people keep it enabled? Additional layers of security are advantages, never drawbacks.

#SELinux any time I try to do literally anything new. #Linux

Sue Sylvester from Glee, saying "I'm going to create an environment that is so toxic."

Paul Moore
3 months ago

I sent the LSM, SELinux, and audit kernel pull requests for the v6.5 merge window up to Linus today. There isn't much in the audit PR, but the LSM and SELinux PRs can be found below:

LSM PR:
https://lore.kernel.org/linux-security-module/CAHC9VhRdEE58-hOXFGQmO5BV5gCNv0+bLx-GrLogR8uVAhaUqg@mail.gmail.com/

SELinux PR:
https://lore.kernel.org/selinux/CAHC9VhTC6s-_Q+5+evrgHHdE=wHLP0VXACzfsWSTLQ1ipyFRaw@mail.gmail.com/

#lsm #selinux

All this recent talk about #RedHat and their ideas of making certain sources more difficult to obtain does concern me. I use #RockyLinux as a clone for work because I've never been able to get that damn Developer crap working from RedHat, and firing up and destroying test VMs is a large part of what I do. I want to stick around due to #SELinux out of the box, but maybe it is time to talk about alternatives for some corporations. Has anyone tried SELinux with #Debian?

App Cloner
3 months ago

Experiencing SELinux or Magisk errors with App Cloner? Check out the solution outlined in this blog post: https://appcloner.blog/2023/06/24/selinux-and-magisk-error-messages/

#AppCloner #SELinux #Magisk

drscream
4 months ago

There is more fun in creating #SELinux policies and modules than I thought

GNU/Matt :fedora: :kde:
4 months ago

the number of seasoned #linux #users who don't know about #cockpit as a tool for administering both servers and desktops is astounding.

#firewall config, #systemd service management, #selinux troubleshooting, #container and virtual machine management, update installation and automating, #smb share creating and securing.

If you haven't installed cockpit on your distro of choice, check it out.

DJW
4 months ago

Burned a couple hrs yesterday trying to install #diaspora

The docs failed to mention two _smashingly_obv points that would have saved me hours...

1. #RHEL and cousins are a minor pain in the ass, unless you work in the #SELinux world daily. I tend not to need tools like restorecon outside the #EL world.

2. #debian has a package called diaspora-installer that purportedly makes standing up diaspora MUCH easier.

Oops, #TIL

#linux #development #install

Marco Ivaldi
4 months ago

Fun attack against #SELinux 🐧🔓

Bypassing SELinux with init_module

https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html

Markus Eisele
4 months ago

#vacationModeOn 🌞
SELinux Coloring Book | Red Hat Developer https://developers.redhat.com/e-books/selinux-coloring-book
#selinux Daniel Walsh

Robert
4 months ago

Another successful #fedora #linux upgrade to v38 but: On every single release pam_mount is broken... This time because of #SELinux policy issues (again) 😞

@kaitlynethylia Like #XDG definitely! Their system is far better for backups and for storing stuff in different drives (e.g. the binaries on the SSD and the data on the HDD)

Additionally, doing things by category first helps with writing #AppArmour and #SELinux profiles.

James Morris
4 months ago
TIL: Dickie George, who spoke at the 2007 #SELinux Symposium, and who was added to the NSA HoH in 2022, is the guy who created differential cryptanalysis while reviewing the DES code from IBM! This is why the then-mysterious S boxes were added. https://www.nsa.gov/Press-Room/Digital-Media-Center/Biographies/Biography-View-Page/Article/3330261/richard-dickie-george/

@lorddimwit So, your wife wouldn’t appreciate my custom-made T-shirt “Make #SELinux enforcing again!”?

Keep getting #SELinux alerts while upgrading my #Fedora 38 install...

Awlod #selinux needs to #relabel the entire system

kodegeek
5 months ago

SELinux: Using it is like going to the dentist to get a root canal, asking for no anesthesia and still getting the procedure done.

You know it's good for you, but God it sucks.

#selinux #rootcanal #linux #security #sucks

Scott Williams 🐧
5 months ago

@mttaggart @BarbossHack Honestly, #SELinux only really clicked for me when I took a prep class for the #RHCE. Once I grok'd it was about *processes* and that labels and booleans were the levers, it became mostly about just installing setroubleshoot-server and remembering which man pages to look at. SELinux stopped seeming so inaccessible, magical, and arcane from that point on for me.

Major Hayden 🤠
5 months ago

Useful excerpt:

#selinux

One might well wonder why there is so much hostility toward a simple run-time system-configuration option. For developers who are working on the creation of highly secure systems, any sort of an "off" switch is a potential failure point. A system may be locked down with various security policies but, if an attacker can somehow get a zero byte written to /sys/fs/selinux/disable during the boot sequence, the system will run without SELinux enforcement and much of that work will have been for naught. Taking that option away adds one more obstacle to somebody who is trying to circumvent a system's security.

#SELinux is always a source for fr... *cough* love for security...

#RHEL

Robyn :antifa:
6 months ago

Guys... I'm close to despair. 😭

Which FILE_TYPE is the right one for #postgresql? Where do you look something like that up?

I have a cgi-bin directory where Apache reads and serves a Perl script.

A file is uploaded via the web form.

And the user postgres cannot access the directory /var/lib/postgresql/incoming.

The ACLs are set correctly, but #SELINUX is still missing something. 🙈

I'm moving the site from Debian to CentOS. Hence the SELinux. 🙈

#followerpower

Output of sealert -l "*" | less
# semanage fcontext -a -t FILE_TYPE 'data'
where FILE_TYPE is one of the following: cluster_var_run_t, faillog_t, krb5_host_rcache_t, postgresql_db_t, postgresql_log_t, postgresql_tmp_t, postgresql_var_run_t, tmp_t, tmpfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t.
Then execute:
restorecon -v 'data'
Screenshot from the browser

Cannot open env file /var/lib/postgresql/incoming/2023-03-24-17.04.13-538066504/environment: No such file or directory at /home/popreport/production/www/cgi-bin/entry.pl line 363.
[root@popreport2 ~]# getfacl /home/popreport/production/popreport/www/cgi-bin/entry.pl /var/lib/postgresql/incoming/
getfacl: Removing leading '/' from absolute path names
# file: home/popreport/production/popreport/www/cgi-bin/entry.pl
# owner: popreport
# group: apache
user::rwx
group::rwx
other::---

# file: var/lib/postgresql/incoming/
# owner: apache
# group: popreport
user::rwx
group::r-x
other::r-x
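
An added example (mine, not code from the post above or from sealert) showing how to read the AVC denial records that sit behind an alert like this one: it parses constructed audit.log lines, groups them by source domain, target type and object class, and flags catch-all target labels such as var_lib_t that normally mean the files were never relabelled rather than that policy forbids the access. The file path is the one from the post; the pids, inode numbers, timestamps and second (httpd) denial are made up.

```python
import re
# Constructed audit.log records (not from the original post): the path is the
# one from the post above, the pids, inodes and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1679677453.123:987): avc:  denied  { read } for  pid=2210 comm="postgres" name="environment" dev="dm-0" ino=1310722 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1679677453.124:988): avc:  denied  { open } for  pid=2210 comm="postgres" path="/var/lib/postgresql/incoming/2023-03-24-17.04.13-538066504/environment" dev="dm-0" ino=1310722 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1679677460.500:991): avc:  denied  { write add_name } for  pid=1840 comm="httpd" name="incoming" dev="dm-0" ino=1310720 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1679677460.500:991): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Catch-all labels that usually mean "no specific type was ever applied here",
# so the fix is normally a relabel (restorecon/semanage fcontext), not new policy.
GENERIC_TYPES = {"var_lib_t", "var_t", "tmp_t", "default_t", "unlabeled_t"}

def type_of(context):
    """'system_u:system_r:postgresql_t:s0' -> 'postgresql_t' (the type field)."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "source": type_of(fields["scontext"]),   # domain of the denied process
        "target": type_of(fields["tcontext"]),   # label of the object it touched
        "tclass": fields.get("tclass", "?"),
        "object": fields.get("path") or fields.get("name", "?"),
    }

def summarize(log_text):
    """Group denials by (source domain, target type, class), merging permissions."""
    groups = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        g = groups.setdefault(key, {"comm": d["comm"], "perms": set(), "count": 0, "objects": set()})
        g["perms"] |= d["perms"]
        g["count"] += 1
        g["objects"].add(d["object"])
    return groups

def report(log_text):
    """One summary line per group, plus the relabel hint when the target label is a catch-all."""
    out = []
    for (src, tgt, cls), g in summarize(log_text).items():
        perms = " ".join(sorted(g["perms"]))
        out.append(f"{g['comm']} ({src}) denied {{ {perms} }} on {cls} labelled {tgt} x{g['count']}")
        if tgt in GENERIC_TYPES:
            out.append("  -> catch-all label: compare `ls -Z` with `matchpathcon <path>`; if the path is not"
                       " covered by policy, `semanage fcontext -a -t FILE_TYPE '<path>(/.*)?'` then `restorecon -Rv <path>`")
    return out
```

Running `print("\n".join(report(SAMPLE_AUDIT_LOG)))` on a real `/var/log/audit/audit.log` (read as root) gives the same grouping that setroubleshoot presents, which is the first thing to check before reaching for `setenforce 0`.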
David Sardari
7 months ago

@jalcine one reason: there is no official #gentoo documentation on #systemd and #selinux.

Scott Williams 🐧
7 months ago

@passbolt I has a few stnanks, we'll say, with the installation. Had to do a bunch of #selinux workarounds and while it generated the #letsencrypt cert, it didn't include the letsencrypt root cert, so it would mostly work on browsers, but not the Android native client. That was a little frustrating to debug, but easy to fix by appending it to the cert.

David Egts
7 months ago

I'm delighted to see that my #ChatGPT-generated #Linux hallucination has #SELinux enabled & enforcing!

Vincent Batts
8 months ago

#SELinux notebook

https://github.com/SELinuxProject/selinux-notebook

"The Notebook's goal is to be the most current and comprehensive book on SELinux, covering the #Linux #Kernel components, the #userspace libraries and tools, the policy toolchain, and the policy itself."

Sascha
8 months ago

The #Kubernetes Security Profiles Operator made it into #OpenShift 4.12 via the OperatorHub! 🥳

Huge shoutout to everyone involved in making this milestone possible, especially to my @RedHat colleagues! 🫶

#seccomp #selinux

https://sigs.k8s.io/security-profiles-operator

https://docs.openshift.com/container-platform/4.12/security/security_profiles_operator/spo-overview.html

Scott Williams 🐧
9 months ago

The #cloud images I build and ship for deployments at work have #selinux enforcing and #firewalld enabled out of box.

@adamw On a different note, did you see any extra #SELinux errors on Fedora 37? My system is giving me alerts after many many years.

Cockpit
11 months ago

Hello, Fediverse! ✈️

#introduction

Cockpit is a #web based #UI for #Linux servers. (It's like a desktop for a server that you can use in your browser, for "newbies", seasoned admins, and everyone in-between.)

You can configure a server, modify your network (and firewall!), view logs, see system stats, edit accounts, start and stop services, debug #SELinux, and much more.

Add-ons are available to work with #Podman #containers, #VirtualMachines, #ostree, and more.

https://cockpit-project.org/