08 Dec 2016 tags: netlabel
It has been a while since the last release, but today brings a new release of the NetLabel Tools package, version 0.30.0. NetLabel is a Linux Kernel subsystem that implements network packet labeling protocols such as CIPSO for IPv4 and CALIPSO / RFC 5570 for IPv6; the NetLabel Tools package provides the userspace tools necessary to configure the kernel subsystem.
The primary change in this version of NetLabel Tools is CALIPSO support, which was added to the Linux Kernel in version 4.8; special thanks go to Huw Davies for his help in this area.
18 Oct 2016 tags: audit selinux
This post is also a bit late (Linux 4.8 was released on October 2nd), but better late than never. Here is a quick rundown of the SELinux and audit highlights.
Support for RFC 5570, Common Architecture Label IPv6 Security Option (CALIPSO). The CALIPSO implementation included in Linux 4.8 has been tested for interoperability with Solaris TX.
Bounds checking is now only applied to source types, which should make it much easier to write SELinux policies for sandboxing tools that make use of PR_SET_NO_NEW_PRIVS. Additional details can be found in the commit description.
A number of bug fixes related to NetLabel, especially the handling of category bitmaps.
Fixes to ensure that AF_IUCV sockets are properly labeled.
Expand the exclude filter to include PID, UID, GID, AUID, LOGINUID_SET, and the various SUBJ fields.
Internal fixes to both the executable name filter and the execve() argument auditing code to ensure safety and proper operation.
Add syscall argument masking for s390 applications running on s390x kernels.
14 Oct 2016 tags: apparmor audit ima seccomp selinux smack
I'm writing this post much later than intended, almost two months later to be honest. I had planned to write up my notes on the 2016 Linux Security Summit like I had done in previous years, but a combination of work, work travel, and my own vacation plans kept me from spending any time on this until now. Unfortunately, those two months have fuzzed away enough of the details that I think writing up my thoughts now wouldn't be tremendously useful.
The good news is that we have recordings of all the presentations this year, a first for the Linux Security Summit. In case you haven't seen the videos already, I've added them all to a YouTube playlist and put the link below. I've also provided a link to my presentation on the "State of SELinux".
Lastly, I want to thank all the speakers, the program committee, and everyone who attended. In my opinion this was our best Linux Security Summit by almost every metric and I'm already looking forward to next year.