Tag Opensource

Secure Networking with SELinux

During the last year quite a bit of effort has gone into improving SELinux’s networking support, thanks to the great SELinux community. While this support is still evolving, it will be very beneficial for people to try it out and give feedback so the final result is useful to more users and meets the security needs of a wider audience. As the network support in SELinux continues to evolve (there are already other ideas being discussed for possible inclusion), I’ll try to keep this post updated so that people who find it will have the latest information available.

The Future of SELinux (or how we are going to take over the world)

I’ve been talking to a few people about what SELinux might look like in a few years, and the conversations have been fairly stimulating, so I’m going to share some of the ideas here.

As you (hopefully) know, in my day job I work on the SELinux policy server, which, as far as I know, is the most forward-looking SELinux project around. Granted, all those forward-looking goals aren’t published on the site; hopefully we can remedy that at some point. So a lot of this is going to be centered around the policy server; other parts are just on my wishlist. Without further ado, let’s get started…

On AppArmor

This will be the last thing I write about AppArmor because, quite honestly, it’s a waste of time to constantly refute people and I’d rather work to make security better for everyone :) .

That said, I taught an SELinux tutorial at LWE San Francisco last week; unfortunately my tutorial wasn’t one of the ones reviewed by the media, what a shame. During the tutorial I was asked about AppArmor, to which I said they could come up after the tutorial to talk about it; I didn’t want to disparage it in front of an audience of 50. I’m a nice guy like that. :)

Then I saw this article, which has a quite humorous title, which prompted me to go ahead and write up something that I can point to in the future.

SELinux Policy Module Primer

It’s been a while since my last post. I apologize, but I have a good reason, I promise :) . I’ve been busy working on a series of patches to make the SELinux policy compiler and libraries much more stable and robust and to make optional blocks in the base policy work correctly. While the libraries and compiler are fresh on my mind, I thought I’d go ahead and write an article on how the SELinux policy modules work.

Software not working? Disable SELinux.

So, this is a break from my normal philosophical theme to talk about a real experience I had this week.

Basically, I was trying out some software (without saying what it was or who makes it) that I thought might be helpful for the software development I do at work. For those who don't know, I work on SELinux libraries and the policy toolchain at work.

That said, I downloaded the trial version of the software and got to work. The first time I ran it I got a very obscure error; it had to do with how the app was being run (after installing it according to the instructions included). After figuring out the “correct” way to run it, I started it up only to get another (more obscure) error. I emailed the support address found on their page, including strace outputs and a description of what happened with both issues.

I got an email from someone who I originally thought was a low-level support staffer who was instructed to say this, but who is actually a cofounder of the company. The email read:

Hi Joshua,

I think you may have selinux enabled (FC5 has this by default).

If /etc/selinux/config has the line:

SELINUX=enforcing

then you need to change it to:

SELINUX=disabled

(or permissive should work, although I’ve not tried it).

Unfortunately, you need to reboot for the changes to take effect.

Hope this works for you (if not, please don’t hesitate to ask).

Welcome to Brindle on Security

I’ll start this blog by introducing myself. My name is Joshua Brindle and I’ve been working on security software and such for a while. About 4 years ago I started Hardened Gentoo, which exposed both myself and many users to modern security systems available for Linux. This project has, in many ways, led me up to where I am today in my career and otherwise. Today I work at Tresys Technology on research and development on security systems.