Tag Selinux

Stackoverflow.com and the SELinux poll

So, stackoverflow.com was released to public beta pretty recently and I must say I’m impressed. It looks like a great place to go to get tough programming (and other) questions answered. So, in order to give it a spin I posted the question Do you disable SELinux? It didn’t get nearly as many answers as What’s your favorite “programmer” cartoon but I did get mostly good feedback, it seems like the audience on stackoverflow, in general, have seen the positive progress of SELinux and many have chosen to keep it enabled (or even write policies and make it work for them).

SELinux on Ubuntu (part 1)

I’m in the process of moving my server from an ancient decrepit Gentoo install to a shiny new Ubuntu Hardy install with SELinux enabled.

Web browsers, security and Google Chrome

Securing web browsers has always been a little tricky. With so many web applications available today, including corporate intranet sites, email and so on with confidential or proprietary information it is always a bit troublesome that web browsers essentially run in one security domain. The last thing I want is for a teller at my bank to go to some site that ends up getting bank info from another tab.

Security Anti-Pattern: MLS for Guards

This article was requested, and was a long time coming anyway. I’ve gone over Multi-Level Security (MLS) a little bit before. It’s basically a security policy that is implemented by many trusted operating systems (such as Trusted Solaris) that is hierarchical and inflexible by nature. Specifically Bell-LaPadula (BLP) is used by many operating systems because it reflects the real world security policy used by the government and military. In BLP subjects and objects have a label consisting of a level (Secret, Top Secret, Unclassified, etc) and a set of non-hierarchical categories (US Only, Army, etc).

Secure doesn't mean anything.

No, seriously. I’m not trying to be ironic because the title of my blog is “Brindle on Security”, which I should probably change to something more creative anyway.

During my tenure at Gentoo, running the Hardened Gentoo project, the most common question by far was “How do I secure my system?” Warning, this article may contain some flamebait, avoid it if you can’t resist flaming back ;) .

Eventually we gave up and just pointed people to websites, perhaps this post can serve as that page. The answer was “What do you mean ‘secure’ your system?” Security isn’t, and can’t be, a goal by itself. You need to know what exactly you are trying to protect yourself against, your threat model, as it were.

Misunderstanding UNIX security

I just got a comment on my post about path based access control that was fairly startling to me. The more I thought about it, though, the more I thought maybe others shared the beliefs so I’m going to respond to it here. inode-based security has analogous problems to path-based security. Software opens paths, not inodes, so it very much matters what the permissions are for the file at /etc/shadow or /var/data/mydb, regardless of what the inode happens to be.

Secure Networking with SELinux

During the last year quite a bit of effort has gone into improving SELinux’ networking support, thanks to the great SELinux community. While this support is still evolving it will be very beneficial for people to try it out and give feedback so the final result is useful to more users and meets the security needs of a wider audience. As the network support in SELinux continues to evolve (there are already other ideas being discussed for possible inclusion) I’ll try to keep this post updated so that people who find it will have the latest information available.

Don't disable SELinux!

A while back I wrote a post on companies telling their customers to disable SELinux in order to get applications running and why this is a very bad thing. While I don’t see the situation getting better in the near term I did see a blog posting today from an SAP employee about using SELinux with SAP. This made me happy Since I don’t think his blog software uses trackbacks I’ll be contacting him to suggest some changes.

SELinux training

My employer, Tresys Technology, occasionally hosts an SELinux training class, many of which I’ve been the teacher for. The course outline and slides are available for free at http://tresys.com/selinux/selinux-course-outline.html but that isn’t what this post is about. I’ve been asked if I think many people would pay to take an online shorter version of the class if it were around $500. I wasn’t sure how to answer so I decided to ask the people that read my blog what they think.

The Future of SELinux (or how we are going to take over the world)

I’ve been talking to a few people about what SELinux might look like in a few years and the conversations have been fairly stimulating so I’m going to share some of the ideas here.

As you (hopefully) know in my day job I work on the SELinux policy server, which as far as I know, is the most forward looking SELinux project around. Granted all those forward looking goals aren’t published on the site, hopefully we can remedy that at some point.. So alot of this is going to be centered around the policy server, other parts are just on my wishlist.. without further ado lets get started…