Skip to main content

SELinux and useful systemd components

Just learned about a few interesting and useful stuff, when playing with bootc:


systemd Components

systemd-tmpfiles and systemd-sysusers allows managing files and users in a declarative way. Originally I learned about this for building bootc images, but later I realized that they are also very useful on Debian.

I learned systemd-credential as a way of passing ssh authorized keys to a QEMU VM, but after reading more, I realized it can be used in other interesting ways. My favorite one is with LoadCredential=, I can run a script with DynamicUser=yes and the script can access some root-only secrets.


I finally decided to migrate from cron to systemd-timer. systemd-timer is more interesting and handy than expected, and the migration process is less painful than expected.


SELinux

Actually I heared about SELinux many years ago. Over the time I just know SELinux as "something about security, similar but more complicated to AppArmor".

Recently I got to learn more about it:

- https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

- https://www.youtube.com/watch?v=_WOKRaM-HI4

- https://developers.redhat.com/articles/2025/04/11/my-advice-selinux-container-labeling#

- https://docs.podman.io/en/v5.0.3/markdown/podmansh.1.html

- https://reintech.io/blog/securing-debian-12-with-selinux

- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_selinux/assembly_using-multi-category-security-mcs-for-data-confidentiality_using-selinux

- https://www.redhat.com/en/blog/how-selinux-separates-containers-using-multi-level-security

- https://www.redhat.com/en/blog/why-you-should-be-using-multi-category-security-your-linux-containers

- https://wiki.gentoo.org/wiki/SELinux/User-based_access_control


With more knowledge about it, I feel that I like it much better than before:

- I actually have written my own tool to verify file permissions, in a similar fashion (regex -> permissions)

- rootless docker and apparmor didn't work very well together in my case. rootless podman and selinux might work better together.

- :Z is pretty nice for containers: https://github.com/containers/container-selinux


I probably will start trying SELinux. With more confidence I might eventually enable it on Debian and replace AppArmor.

Labels:

Comments

Post a Comment

Popular posts from this blog

Determine Perspective Lines With Off-page Vanishing Point

In perspective drawing, a vanishing point represents a group of parallel lines, in other words, a direction. For any point on the paper, if we want a line towards the same direction (in the 3d space), we simply draw a line through it and the vanishing point. But sometimes the vanishing point is too far away, such that it is outside the paper/canvas. In this example, we have a point P and two perspective lines L1 and L2. The vanishing point VP is naturally the intersection of L1 and L2. The task is to draw a line through P and VP, without having VP on the paper. I am aware of a few traditional solutions: 1. Use extra pieces of paper such that we can extend L1 and L2 until we see VP. 2. Draw everything in a smaller scale, such that we can see both P and VP on the paper. Draw the line and scale everything back. 3. Draw a perspective grid using the Brewer Method. #1 and #2 might be quite practical. #3 may not guarantee a solution, unless we can measure distances/p...
3 comments
Read More »

Hardware Password Manager

[Updates 2025-01-20] The original blog post assumes that all passwords are stored in one password manager, and the password manager either unlocks everything or nothing (e.g. Keepass). After discussing with friends, I realized that if I use something like pass , and I use a hardware GPG token, I can actually store and sync all encrypted passwords to all devices, because I will only decrypt the passwords on demand, and the computer will not see the GPG private key. The compromise is that the computer will see the list of all password entries (e.g. accounts), as well as a few other issues . I've been using Keepass for many years. I don't use online password services because I cannot fully trust them. Besides, I may not always have Internet connection, which is why I also don't use a self-hosted service. Everything has been working fine, until I turn my paranoid knob to the max. Here's the thought experiment . The Imaginary Scenario Let's say I have 100 PCs for differe...
Post a Comment
Read More »

ESP32S3: Flash Encryption and Secure Boot

Flash encryption and secure boot are useful security features for ESP32S3 chip. While not perfect, they definitely make it harder to extract the secrets in the chip. However, it is tricky to enable both features at the same time. The topic is actually discussed in the official documentation: ESP32S3 Security Features Security Features Enablement Workflows Especially, the second one mentioned it is recommended to enable flash encryption before secure boot. But I still find the documentation confusing. In the end I was able to successfully enable both, here's my findings. My Understanding After my adventure, here's what I think could have worked. WARNING, this is untested. Follow  Security Features Enablement Workflows : Burn all the keys, as long as their purpose eFuses and read/write protections Burn other security eFuses, but DO NOT burn ENABLE_SECURITY_DOWNLOAD in the middle, which is mentined at the end of the instruction for both flash encryption and secure boot. Burn...
Post a Comment
Read More »