My Blog

A blog about Linux and programming

Testing Linux kernel changes on Fedora with qemu

I've been interested in contributing to the kernel for a while now, and recently I've been looking into the best workflow for doing that. I'd need a quick way to build the kernel and test my changes. However, since I'm mostly interested in the SELinux subsystem, I generally need a lot of userspace tools to use with the kernel.

Using mkosi from the systemd guys, I was able to quickly build a rootfs and boot my compiled kernel with qemu. This made it quite convenient to test my changes.


Symfony and SELinux

This article contains a short introduction to using SELinux to confine web applications on your server.

The introduction is a short and interactive tutorial, which you can go through by getting the Vagrantfile linked at the bottom of this article and creating a VM.

Why do I need SELinux?

SELinux is a great tool to secure a Linux system. It enforces Mandatory Access Control based on a subject's assigned security context from a centrally controlled security policy. This contrasts with Discretionary Access Control, which enforces access based on the user identity and delegates authorization down to the users' own decisions.

In Mandatory Access Control, the system and its central policy specify which subjects are allowed to access its objects. In SELinux we use security labels on subjects and objects to compute access decisions. We can write rules which say that subjects with the type gpg_t can access objects with the type gpg_keyfile_t, and enforce in the policy that only the GPG process can read GPG keyfiles.
