Suggest some beginner-friendly resources for learning about Linux kernel features like LSM (SELinux, Yama, Landlock, Lockdown), Netfilter, eBPF, cgroups, namespaces, and KVM :D
A bit later than usual, and perhaps not very exciting this time around, but here are the LSM, SELinux, and audit* highlights from the Linux v6.10 merge window.
Overheard in the RL chat: "SELinux is that thing you don't realize you need until you need it." If the first thing you ever learned about SELinux was how to disable it, but you've realized you need a security-enhanced mechanism for your Enterprise Linux system, here is your guide to make SELinux work for you. #tutorialtuesday #rockydocs #security #selinux https://buff.ly/49BayNJ
#pv-migrate is an amazing #Kubernetes tool that is absolutely essential to all #homelab(s) and cluster admins. It allows you to easily and securely copy the data from one persistent volume claim to another in the same namespace, a different namespace, or heck, even a different cluster.
One thing to note about it, though, which I learned just today after years of using it, is that it does not support #SELinux as found on #RHEL-based clusters (which also means I just learned that my former company's clusters probably weren't using SELinux... oops). I wouldn't recommend removing SELinux entirely, though; simply toggle SELinux from enforcing (1) to permissive (0) when you're about to migrate your data using pv-migrate. Once you're done, just toggle SELinux back on and you're golden.
#Kubernetes/#K8S Q: I've been having an issue all this while I haven't quite been able to tackle. How do I properly mount a #Samba/#SMB/#CIFS share in a #Docker container on Kubernetes?
I definitely don't want a method that does any "pass through" outside of the container such as mounting said share on the Kubernetes node then passing it to the container, since that seems quite hacky and the deployment/pod could easily be reassigned to a different node.
The #SMB share could be accessed (ls-ed) directly on the worker node:
sudo ls -alZ /var/lib/kubelet/plugins/kubernetes.io/csi/smb.csi.k8s.io/{volume}/globalmount
but not from inside the container itself. The fix is that the worker nodes (with SELinux) need the boolean virt_use_samba to be enabled. On the worker node, check if it is indeed disabled:
A bit later than usual due to some personal travel earlier this week (Go Blue!), but here is my write-up on the SELinux and audit highlights from the Linux v6.8 merge window. As a bonus, I'm also going to start including LSM layer highlights as we've got some cool new things starting with Linux v6.8 :)
A quick deployment of Stirling PDF with podman on openSUSE MicroOS. I recently came across Stirling PDF and would like to briefly introduce it in this article and provide some installation help.
Given the drive towards using SELinux or AppArmor more within Linux, I really would be grateful if applications could actually check what path exists and not try to open 32 paths in /dev/ just in case they exist.
The same applies to linkers, which don't look into folders but instead blindly try to open files that might never exist.
This type of behavior creates a lot of noise and clutter and makes it hard to restrict the access of applications. #linux #apparmor #selinux
I decided to look at a few quick ways to improve the security of a #Linux system compared to the baseline most distros provide.
They generally have to strike a balance between usability and security, which means that, depending on your own use case, there are some steps you might want to take to increase how secure your own install is. So, here are a few quick tips I find useful for my own servers and desktops:
Man, I need a "for dummies" tutorial to explain and use #selinux. I really don't like using copy-and-paste solutions or disabling it altogether. For now, I've just disabled SELinux because I am not dealing with sensitive information. #linux