New SELinux shirts are available

With the upcoming Red Hat Summit 2016 in San Francisco almost upon us, I decided to update the old SELinux shirts with two new designs: You can buy these now over at Spreadshirt! There are styles there for men and women and I’ve priced them as low as the store will allow. Spreadshirt is also running a sale for 15% off T-shirts until June 21st with the code TSHIRT16. Let’s make SELinux enforcing again!...

2016-06-16 · 1 min · Major Hayden

What I learned while securing Ubuntu

The blog posts have slowed down a bit lately because I’ve been heads down on a security project at work. I’m working with people in the OpenStack community to create a new Ansible role called openstack-ansible-security. The role aims to improve host security by using hardening standards to improve the configuration of various parts of the operating system. This means applying security hardening to Ubuntu 14.04 systems since that’s the only host operating system supported by openstack-ansible at the moment....

2015-10-14 · 7 min · Major Hayden

systemd in Fedora 22: Failed to restart service: Access Denied

If you’re running Fedora 22 and you’ve recently updated to systemd-219-24.fc22, you might see errors like these:
# systemctl restart postfix
Failed to restart postfix.service: Access denied
Your audit logs will have entries like these:
type=USER_AVC msg=audit(1442602150.292:763): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/run/systemd/system/session-4.scope" cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1442602150.437:768): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/user@....

2015-09-18 · 1 min · Major Hayden

Chronicles of SELinux: Dealing with web content in unusual directories

I’ve decided to start a series of posts called “Chronicles of SELinux” where I hope to educate more users on how to handle SELinux denials with finesse rather than simply disabling it entirely. To kick things off, I’ll be talking about dealing with web content in the first post. First steps If you’d like to follow along, simply hop onto a system running Fedora 21 (or later), CentOS 7 or Red Hat Enterprise Linux 7....

2015-09-10 · 7 min · Major Hayden

AVC: denied dyntransition from sshd

I’ve been working with some Fedora environments in chroots and I ran into a peculiar SELinux AVC denial a short while ago:
avc: denied { dyntransition } for pid=809 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
The ssh daemon is running on a non-standard port but I verified that the port is allowed with semanage port -l. The target context of sshd_net_t from the AVC seems sensible for the ssh daemon. I started to wonder if a context wasn’t applied correctly to the sshd executable itself, so I checked within the chroot:...

2014-07-03 · 1 min · Major Hayden

Fixing broken DNS lookups in spamassassin

I talked about the joys of running my own mail server last week only to find that my mail server was broken yesterday. Spamassassin stopped doing DNS lookups for RBL and SPF checks. I had one of these moments: My logs looked like this:
plugin: eval failed: available_nameservers: No DNS servers available!
plugin: eval failed: available_nameservers: No DNS servers available!
rules: failed to run NO_DNS_FOR_FROM RBL test, skipping: (available_nameservers: [....

2014-06-20 · 2 min · Major Hayden

Text missing in chrome on Linux

I’m in the process of trying Fedora 20 on my retina MacBook and I ran into a peculiar issue with Chrome. Some sites would load up normally and I could read everything on the page. Other sites would load up and only some of the text would be displayed. Images were totally unaffected. It wasn’t this way on the initial installation of Fedora but it cropped up somewhere along the way as I installed software....

2014-05-18 · 2 min · Major Hayden

Launch secure LXC containers on Fedora 20 using SELinux and sVirt

Getting started with LXC is a bit awkward and I’ve assembled this guide for anyone who wants to begin experimenting with LXC containers in Fedora 20. As an added benefit, you can follow almost every step shown here when creating LXC containers on Red Hat Enterprise Linux 7 Beta (which is based on Fedora 19). You’ll need a physical machine or a VM running Fedora 20 to get started. (You could put a container in a container, but things get a little dicey with that setup....

2014-04-22 · 7 min · Major Hayden

Come and get your SELinux shirts!

After my podcast interview at the 2013 Red Hat Summit, Dan Walsh posted a photo of himself in the SELinux shirt that I gave him at the Summit: Needless to say, I was flooded with requests for shirts after that. Someone suggested using the Overpass font and I have new shirts ready for purchase on Spreadshirt. I set all the prices as low as the vendor will allow and I’m not making any profit for each purchase....

2013-07-18 · 1 min · Major Hayden

Confine untrusted users (including your children) with SELinux

The confined user support in SELinux is handy for ensuring that users aren’t able to do something that they shouldn’t. It seems more effective and easier to use than most of the other methods I’ve seen before. Thanks to Dan for reminding me about this during his SELinux in the Enterprise talk from this year’s Red Hat Summit. There are five main SELinux user types (and a handy chart in the Fedora documentation):...

2013-07-05 · 4 min · Major Hayden