Last week colleague of mine asked, how to prove that some operation is allowed in installed SELinux policy? This could be useful when you’re troubleshooting
Distinguish sysadm and secadm roles
Today, I would like to focus on more advance feature in SELinux technology which are confined users. I wrote several posts where I described how
Use udica to build SELinux policy for containers
Last week article about the udica was published on fedoramagazine.Go and see how easily SELinux policy could be generated for containers! We also collects use
SELinux helped to find security bug in build system!
Hi All, Two weeks ago, very interesting bug was created against selinux-policy component and assigned to me. Immediately, after first research, there was something really
Red Hat Brno Open House 2019
Hi All, We had Open House Brno 2019 and our team Platform Security had talk on this event. Slides are available here, demos are here.
CVE-2019-5736 runc escape vs. SELinux
Hi All! Two months ago, very interesting and dangerous CVE was published. It’s CVE-2019-5736 what is vulnerability in runc and allows malicious process in container
New trick: macro-expander!
Hi All, Sysadmins and SELinux policy developers are often asking me one simple question. “Lukas, How should I know what allow rules will be allowed
Polkit CVE-2018-19788 vs. SELinux
Hi All, Last month, I wrote about Xorg X server vulnerability and we have a new interesting vulnerability, now in PolicyKit. The exploit is based
CVE-2018-14665 : Xorg X Server Vulnerabilities vs. SELinux
Hi All! There is a new interesting CVE. An incorrect permission check for -modulepath and -logfile options when starting Xorg X server allows unprivileged users
How get file name from inode number?
Hi All, I will generate SELinux denial using following command: # cd /root ; passwd –help >& output.txt # ausearch -m AVC -ts recent type=AVC