eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.

#selinux


"[…] #SELinux stops all access unless allowed by policy. […] Before the SELinux 3.6 userspace version, it was not possible to drop any access already allowed in the base SELinux policy or in a module. […] The changes in the latest SELinux userspace release 3.6 introduced support for deny rules. They are documented in Access Vector Rules: 'Remove the access rights defined from any matching allow rules.'"

developers.redhat.com/articles

Red Hat Developer · How SELinux deny rules improve system security | Red Hat Developer
Learn how you can now use deny rules to remove SELinux permissions from the base SELinux policy or a module with the new SELinux userspace release 3.6

I am experimenting with MicroOS running btrfs and SELinux.

I have some storage I use for Minecraft server data, for instance; on the partition I have a directory with read-only snapshots. The server will not boot properly, because it's running auto relabeling and cannot relabel the read-only stuff.

What's the correct way to handle this? I've tried mounting the partition in different locations, but it seems everything is targeted by the relabel.

Ah.. nothing beats spending 2 hours trying to create a simple #systemd service + timer + bash script to back up an SQLite database every week and it just not working because of random permission issues, just for SELinux to be the culprit. Love how you need another tool to actually understand wtf #SELinux wants from you. #linux

So #opensuse switched to #selinux. Changing my systems works. Only Steam is not running, because SELinux blocks boolean.
I have to admit that I don't understand SELinux. Is there an easy-to-understand tutorial? I don't want to mess around.
In the suse forum I found this solution:
sudo setsebool selinuxuser_execmod 1
...but with the hint: if you understand the risks.

I don't understand the risk :)

Replied in thread

@kde@floss.social @kde@lemmy.kde.social

Thx for the info, then it is like that.

Here is the goal proposal

phabricator.kde.org/T17370

Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.

As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.

phabricator.kde.org: T17370 Sandbox all the things!

Replied in thread

@kde@floss.social @kde@lemmy.kde.social

Can you tell us what happens on the "sandbox all the things" goal?

I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.

(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)