#SELinux
I'm having problems with #SELinux (on a test system), and all I can google up is the recommendation to switch from enforcing to permissive. Seriously? 🤔
qubes-notes.md
"don't use dom0, it doesn't have all packages required for building
increase #qube private storage max size - default 2GB is not enough to even clone the code
disable #SELinux (sudo setenforce 0)"
https://gist.github.com/krystian-hebel/4359297e4ca3d9e9e3da01f9695d0e27#:~:text=don%27t%20use%20dom0,setenforce%200)
@dugite_code @frox Agreed. They are different solutions for different purposes. Also, containers should be confined with #Apparmor, #selinux, or some other #LSM mandatory access control mechanism. They are not, themselves, a thoroughly secure method of confinement, though there can be some security benefits to some container implementations.
"🐧 #Linux tip: With 'semanage' you can manage permissions under #SELinux. Use 'semanage fcontext' to add file types and 'restorecon' to reset the context. Examples: 'semanage fcontext -a -t httpd_sys_content_t /var/www/html' and 'restorecon -Rv /var/www/html'! #OpenSource"
Today we present vovcia, co-founder of the CLUG foundation, administrator, programmer, architect, currently in web3. At #JesieniLinuksowa he will talk about how to use #SELinux to secure containers in #Kubernetes without turning it into a PhD thesis. 🍁#Linux
More information about the programme: https://jesien.org/2023/agenda/

First post on Mastodon, and we're starting with a bang!
We are pleased to announce that tickets and the agenda for the 19th edition of Jesień Linuksowa are available. For more details, visit the conference website:
https://jesien.org/2023/
#JesienLinuksowa #linux #kubernetes #selinux #django #opensource #freesoftware #PLUG

Labeling systems like #SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, #Podman does not change the labels set by the OS.
By default #TLS verification is turned on when communicating to registries from Podman. If the registry does not require encryption the Podman commands such as build, commit, pull and push will fail unless TLS verification is turned off using the --tls-verify option. NOTE: It is not at all recommended to communicate with a registry and not use TLS verification.
rootless containers cannot #ping hosts
Since the administrator of the system set up your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a #noexec mount point and to which you have read/write privileges.
https://github.com/containers/podman/blob/main/troubleshooting.md#34-passed-in-devices-or-files-cant-be-accessed-in-rootless-container-uidgid-mapping-problem

LSM provides hooks only for access control. Systems like #grsecurity and RSBAC need more than just access control. Implementations include #AppArmor, LIDS, #POSIX capabilities, Smack, TOMOYO and #SELinux. Stacking multiple security modules is problematic, and LSM hooks expose kernel-internal data structures as parameters. #Ethos runs inside the Xen Virtual Machine Monitor (#VMM).
The #Xen Dom0 OS is typically Linux; #virtualization allows Ethos to run alongside Linux.
When Dom0 receives a packet destined for an Ethos host, its routing/ARP tables allow it to deliver the packet correctly:
(1) the request was received on interface n's partition;
(2) the target address belongs to a host that exists on an interface other than n;
(3) ensure Dom0 has ARP table entries for each Ethos host.
#Ethos immediately sends a packet to shadowdæmon upon booting, and shadowdæmon uses this packet to update Dom0's static ARP table.
The fileInformation system call is interesting in that Ethos supports file metadata typically not present on Linux. Here shadowdæmon makes use of Linux's getxattr/setxattr system calls to store Ethos metadata along with the files it describes. Shadowdæmon is also responsible for providing Ethos with random data using a Random RPC.
Ethos offers distributed types in the Etypes subsystem:
- a notation, ETN, for specifying types;
- a machine-readable type description ("type graph");
- a single wire format (ETE);
- tools (userspace and kernelspace) to transform ETN into code that will encode, decode, and recognize types;
- extensions to the read and write system calls to check input and output;
- programs specify what input types they allow;
- validity of inputs (and outputs) is enforced by the OS.
#Kerberos was motivated by the transition from single time-sharing systems to distributed networks of workstations.
A Kerberos installation is made up of two services: an authentication service and a Ticket Granting Service (TGS).
X.509 added a graph-based trust model to its traditional hierarchical model [94], but its design imposes a high performance overhead. SDSI [95] also provides a strong trust model, but likewise does not perform well at Internet scale. Another alternative is the web of trust used by #PGP.
#SSH attempts to isolate private keys by protecting them
#Multics provides a hierarchical filesystem that is governed by access control lists. Processes serve as subjects and can access objects in the storage system. Each subject has associated with it a value called a principal identifier, which corresponds to the user on whose behalf the process runs. Each object in the storage system has associated with it three modes: read, write, and execute. For each mode, there exists a list of principal identifiers that may access the object using that mode.
Likewise, #Unix authorization has traditionally been discretionary.
#Factotum acts as an authentication proxy.
Consider a POP email server that must implement the APOP authentication protocol. On Plan 9, such an email server would receive requests from the network and process them. In the case of authentication requests, the email server forwards the request to factotum. Factotum then provides the email server with the response it should pass to the client. Never in this process are keys shared with the email server.
#HiStar's flow controls contain the effect of a compromised app, serving as a countermeasure to one of the facets of application-based subversion. Even if an app is compromised, it cannot bypass the flow controls that HiStar imposes on it. But an app that operates within its information-flow constraints could easily be programmed or misconfigured so that protections are missing.
on traditional Unix systems, still remain with HiStar’s Unix layer
Goodbye to the obnoxious "NSA" reference when activating #SELinux in #Linux kconfig!
https://www.phoronix.com/news/SELinux-Drops-NSA-References
On the babybooks topic, remember there is also good old "selinux coloring book" to learn selinux:
https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
Hi, #Debian friends! Do any of you run Debian with #SELinux? If so, what is your experience like? What are some common issues to watch for?
I see that the Debian kernel supports SELinux, and there is some good documentation for it in the Debian handbook, but it does not seem to be commonly used with the OS (#AppArmor seems much more common with Debian). So my main concern is that using it in Debian may be unpredictable or more of a challenge than with distributions that use SELinux by default.
Hello my #linux friends. I'm in the planning stages of standing up two bare metal Alma Linux servers that are going to power an e-commerce site for my brother. Since these servers will be handling financial transactions, I'm thinking I'll need to enable #selinux and I've always disabled it. My setup might not pass a SOX or PCI audit without selinux properly configured.
Seeing as I'm thoroughly confused by it, any good "for dummies" refs out there?
@MarkusZoppelt
Not really obscure for Linux users from here on. #Wayland + #Flatpak are pretty much the inevitable future of default out-of-the-box "mainstream" desktop #Linux experience, even though folks love to hate Flatpak (plus, some distros like #Fedora enable #SELinux on top by default, otherwise #AppArmor at least). The only thing I mentioned that will still not be present by default is uBlock Origin.
I guess that makes me Nobody.
Quick guide to install SELinux and disable Apparmor on Debian 12 Bookworm, Debian 11 and 10 #Linux #Debian #Apparmor #Selinux
https://www.linuxcapable.com/how-to-install-selinux-on-debian-linux/

Excited to share, since this is something I've been working on.
SELinux support with Nginx?
Yes, you can have both worlds.
https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/configure-selinux/ # guide by Nginx
@gnusuario
- "The only advantage of Snap or Flatpak is confinement."
That's for you. Others value the ease of creating and distributing software.
- "That confinement is achieved through #AppArmor or #SELinux"
How many people keep it enabled? Additional layers of security are advantages, never drawbacks.
Introduction to SELinux: https://github.blog/2023-07-05-introduction-to-selinux/
Introduction to SELinux
Check it out! 👇
https://github.blog/2023-07-05-introduction-to-selinux/
#Selinux #MandatoryAccessControl #LinuxSecurityModel #GithubSecurityLab #Security #Education
I sent the LSM, SELinux, and audit kernel pull requests for the v6.5 merge window up to Linus today. There isn't much in the audit PR, but the LSM and SELinux PRs can be found below:
SELinux PR:
https://lore.kernel.org/selinux/CAHC9VhTC6s-_Q+5+evrgHHdE=wHLP0VXACzfsWSTLQ1ipyFRaw@mail.gmail.com/
All this talk recently about #RedHat and their ideas of making certain sources more difficult to obtain does concern me. I use #RockyLinux as a clone for work because I've never been able to get that damn Developer crap working from RedHat, and firing up and destroying test VMs is a large part of what I do. I want to stick around due to #SELinux out of the box, but maybe it is time to talk about alternatives for some corporations. Has anyone tried SELinux with #Debian?
Experiencing SELinux or Magisk errors with App Cloner? Check out the solution outlined in this blog post: https://appcloner.blog/2023/06/24/selinux-and-magisk-error-messages/
There is more fun in creating #SELinux policies and modules than I thought
the number of seasoned #linux #users who don't know about #cockpit as a tool for administering both servers and desktops is astounding.
#firewall config, #systemd service management, #selinux troubleshooting, #container and virtual machine management, update installation and automating, #smb share creating and securing.
If you haven't installed cockpit on your distro of choice, check it out.
Burned a couple hrs yesterday trying to install #diaspora
The docs failed to mention two _smashingly_obv points that would have saved me hours...
1. #RHEL and cousins are a minor pain in the ass, unless you work in the #SELinux world daily. I tend not to need tools like restorecon outside the #EL world.
2. #debian has a package called diaspora-installer that purportedly makes standing up diaspora MUCH easier.
Oops, #TIL
Fun attack against #SELinux 🐧🔓
Bypassing SELinux with init_module
https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html
#vacationModeOn 🌞
SELinux Coloring Book | Red Hat Developer https://developers.redhat.com/e-books/selinux-coloring-book
#selinux Daniel Walsh
@kaitlynethylia Like #XDG, definitely! Their system is far better for backups and for storing stuff on different drives (e.g. the binaries on the SSD and the data on the HDD)
Additionally, doing things by category first helps with writing #AppArmour and #SELinux profiles.
@lorddimwit So, your wife wouldn’t appreciate my custom-made T-shirt “Make #SELinux enforcing again!”?
SELinux: Using it is like going to the dentist to get a root canal, asking for no anesthesia and still getting the procedure done.
You know it's good for you, but God it sucks.
@mttaggart @BarbossHack Honestly, #SELinux only really clicked for me when I took a prep class for the #RHCE. Once I grok'd it was about *processes* and that labels and booleans were the levers, it became mostly about just installing setroubleshoot-server and remembering which man pages to look at. SELinux stopped seeming so inaccessible, magical, and arcane from that point on for me.
#SELinux In #Linux 6.4 Removes Run-Time Disabling Support
https://www.phoronix.com/news/SELinux-No-More-Runtime-Disable
Original tweet : https://twitter.com/phoronix/status/1650477757413961735

Folks... I'm close to despair. 😭
Which FILE_TYPE is the right one for #postgresql? Where do you look something like that up?
I have a cgi-bin directory where Apache reads and serves a Perl script.
A file is uploaded through the web form.
And in the directory /var/lib/postgresql/incoming the user postgres can't access it.
The ACLs are set correctly, but #SELINUX is still missing something. 🙈
I'm migrating the site from Debian to CentOS. Hence the SELinux. 🙈
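The post above asks which file type is right and where to look it up; the standard places are `semanage fcontext -l`, the per-service man pages such as `postgresql_selinux(8)` and `httpd_selinux(8)` (package selinux-policy-doc), and `sesearch` from setools. As an added example (my code, not from any post on this page) serving this post, the earlier semanage/restorecon tip and the setroubleshoot remark, the following Python parses AVC denials out of audit.log and turns each (source domain, target type, object class) group into the check to run next. The audit lines are constructed to match the scenario described (httpd writes an upload, postgres cannot read it); `PATH` is a placeholder the admin fills in, because an AVC record only carries the final path component. Note that `semanage fcontext -a` takes a regular expression, so a directory tree is written as `'/var/www/html(/.*)?'`, not the bare path in the tip.

```python
"""Group SELinux AVC denials and say which check to run next (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample /var/log/audit/audit.log excerpt, not from a real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read open } for  pid=2142 comm="postgres" name="upload-17.csv" dev="dm-0" ino=393287 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="postgres" exe="/usr/bin/postgres"
type=AVC msg=audit(1700000000.102:502): avc:  denied  { search } for  pid=2142 comm="postgres" name="incoming" dev="dm-0" ino=393286 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.200:503): avc:  denied  { name_connect } for  pid=1411 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple
    comm: str
    sdomain: str      # source (process) type, e.g. postgresql_t
    ttype: str        # target (object) type, e.g. httpd_sys_rw_content_t
    tclass: str       # object class: file, dir, tcp_socket, ...
    permissive: bool  # True: logged but allowed (permissive mode or domain)


def parse_avc(line):
    """Return a Denial for an AVC record, None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # a context is user:role:type:level; the type is the third field
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=f.get("comm", "?"),
        sdomain=f["scontext"].split(":")[2],
        ttype=f["tcontext"].split(":")[2],
        tclass=f["tclass"],
        permissive=f.get("permissive") == "1",
    )


def parse_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def suggest(denials):
    """Map (source domain, target type, class) to the next diagnostic step.
    The commands are real semanage/sesearch/restorecon/setsebool syntax;
    PATH and <type>/<boolean> are placeholders for the admin to fill in."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d.sdomain, d.ttype, d.tclass)].update(d.perms)
    out = {}
    for (src, tgt, cls), perms in groups.items():
        shown = " ".join(sorted(perms))
        plist = ",".join(sorted(perms))
        if cls in ("file", "dir", "lnk_file"):
            out[(src, tgt, cls)] = (
                f"{src} was denied {{ {shown} }} on a {cls} labelled {tgt}. "
                f"Confirm the label: ls -Z PATH. See which types {src} may use: "
                f"sesearch -A -s {src} -c {cls} -p {plist}. Then fix the label, not the policy: "
                f"semanage fcontext -a -t <type> 'PATH(/.*)?' && restorecon -Rv PATH"
            )
        else:
            out[(src, tgt, cls)] = (
                f"{src} was denied {{ {shown} }} on a {cls} labelled {tgt}. "
                f"Check for a conditional rule: sesearch -A -s {src} -t {tgt} -c {cls} -p {plist} "
                f"(a [ boolean ] in the output is what to enable: setsebool -P <boolean> on)"
            )
    return out


def permissive_only(denials):
    """Denials that were logged but not enforced; they still need fixing."""
    return [d for d in denials if d.permissive]


if __name__ == "__main__":
    found = parse_log(SAMPLE_AUDIT_LOG)
    for text in suggest(found).values():
        print(text)
    for d in permissive_only(found):
        print(f"note: {d.comm} ({d.sdomain}) was allowed through in permissive mode")
```

The order of checks matters: a file created by httpd inherits the directory's label, so the first question is whether the directory tree carries a type that the consuming domain is allowed to read, and only when no existing type fits is a local module from `audit2allow` the answer.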
@passbolt I had a few snags, we'll say, with the installation. Had to do a bunch of #selinux workarounds, and while it generated the #letsencrypt cert, it didn't include the letsencrypt root cert, so it would mostly work in browsers but not the Android native client. That was a little frustrating to debug, but easy to fix by appending it to the cert.
#SELinux notebook
https://github.com/SELinuxProject/selinux-notebook
"The Notebook's goal is to be the most current and comprehensive book on SELinux, covering the #Linux #Kernel components, the #userspace libraries and tools, the policy toolchain, and the policy itself."
The #Kubernetes Security Profiles Operator made it into #OpenShift 4.12 via the OperatorHub! 🥳
Huge shoutout to everyone involved in making this milestone possible, especially to my @RedHat colleagues! 🫶
The #cloud images I build and ship for deployments at work have #selinux enforcing and #firewalld enabled out of box.
Learning #SELinux with the coloring book from #RedHat https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
Hello, Fediverse! ✈️
Cockpit is #web based #UI for #Linux servers. (It's like a desktop for a server that you can use in your browser, for "newbies", seasoned admins, and everyone in-between.)
You can configure a server, modify your network (and firewall!), view logs, see system stats, edit accounts, start and stop services, debug #SELinux, and much more.
Add-ons are available to work with #Podman #containers, #VirtualMachines, #ostree, and more.