Collaborate Disseminate
I am using Selinux now for a while and I like it pretty much. But so far I was not able to setup rules in a way so that I could prevent my browser from reading my private ssh keys. So far I got this setup:
id -Z
staff_u:staff_r:staff_t:s0-… Continue reading Using Selinux to prevent Browser from reading priave SSH keys
I was recently having a conversation with a friend about his server system (he does a lot of self-hosting) and he mentioned he was in the middle of configuring SELinux. I was curious about the comparison of that over AppArmor for his use c… Continue reading Is AppArmor used in production environments?
Deno (the node.js fork) is designed to be secure by default. Therefore, unless you specifically enable it, a program run with Deno has no file, network, or environment access. Deno has a set of command line flags that allow the process per… Continue reading How can I enforce a security sandbox with any process?
What are the differences between the CIS hardened linux and SELinux(security linux)? Also, all the public cloud service providers support CIS hardened linux. Does it mean SELinux has lost the battle? Or in terms of security, which flavor s… Continue reading CIS hardened linux vs SELinux(Security Enhanced)
Let’s say you have a important file/folder, and want to only allow certain processes (based on process name, or its corresponding ELF file on the disk, or the digital signature of the corresponding ELF, etc) to read/write to that file. How… Continue reading How to only allow whitelisted processes to access a certain file using SElinux?
As a developer, I ask how to approach security concerns regarding permissions of a binary which needs access to resources only available to root users.
For example, let’s think of a simple tool which creates a virtual device or executes co… Continue reading Secure way to run a linux binary which needs access to ressources only available to root?
I want to control some accesses of root in Linux- fedora, for example, I want to run a process and I want root not to be able to kill it.
I use SELinux and I changed root mapping from unconfined to guest_u:
Login Name SELinux Use… Continue reading Selinux: changing root mapping
tldr
How can I define a SELinux policy, that limits filesystem access of portable Tor Browser to its installation directory, say /home/user/.local/opt/tor-browser_en-US?
How might Tor Browser be hardened even further (X11 Window system, To… Continue reading How to harden portable Tor Browser installation (SELinux, sandbox)?
ausearch reports this error:
type=AVC msg=audit(30/03/21 11:54:49.726:125) : avc: denied { read } for pid=8028 comm=httpd name=logs dev="nvme0n1p1" ino=4430391 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object… Continue reading Why is SELinux denying apache to read directory of wordpress plugin?
I have nginx and php-fm set up to front a word press site. I used certbot to setup TLS.
When I load any page, I see selinux violations and it looks like php-fpm is trying to reach out to some port 443 for some reason and getting blocked.
… Continue reading Why is php-fpm trying to connect somewhere on port 443?