
First steps with SELinux

Tags: [ GNU/Linux ] [ security ] [ SELinux ]

I figured I'd like to get some better knowledge on IT security.

I already have some good practices that I've refined over time. GPG, private-key only authentication via SSH, using a browser as little as possible (and with extensions like NoScript or CookieSelfDestruct), just to name a few. Plus another ton of habits for the privacy side, that are off topic here.

I'd like to focus on SELinux, after some discussions. A good starting point is to use it for securing what I perceive as my weakest spot: (obviously) the browser.

I'd like to keep a journal about my SELinux exploration, since my perception is it's a somewhat difficult thing to work with. I can't guarantee I'll be able to write everything I find, as writing takes time, and time is valuable for learning (which is one of the reasons why I seldom write on this site).

The other reason why I don't often write is that there are people who know better what to write. On this point, it looks like Dan Walsh knows a lot about SELinux.

This video seemed to me a good starting point.

My next goal is to overcome the issues I'm experiencing while protecting Firefox with the sandbox command (described here).

In short I've got a lot of AVC (Access Vector Cache -- that's what it means) denials, at a high rate. Let's figure it out :)

First batch of notes