selinux
apparmor
selinux | apparmor | |
---|---|---|
5 | 21 | |
1,251 | - | |
0.8% | - | |
9.2 | - | |
27 days ago | - | |
C | ||
GNU General Public License v3.0 or later | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
selinux
-
Newbie here, just installed fedora i3 spin but keep getting selinux alert
Look into audit2allow. it will help you make the correct context changes you need. https://github.com/SELinuxProject/selinux/wiki/Tools
-
Why is OpenSUSE switching to SELinux?
I know you made this comment 5 days ago, but: the last two commits were 1 and 3 day ago for me while SELinux is behind at 3 days and 2 weeks for its last two commits, and also has about half as many commits overall. So AppArmor is arguably as alive, if not more, than SELinux.
-
zathura - SELinux confined
The source code: https://github.com/SELinuxProject/selinux-kernel (SELinux kernel repository ) https://github.com/SELinuxProject/selinux ((SELinux userland libraries and tools.) https://github.com/SELinuxProject/refpolicy(SELinux Reference Policy)
-
They do be glowing HARD
well, since we're spreading FUD on fully foss projects (selinux github, torpoject github)...
-
You got played
selinux github
apparmor
-
Enhancing Service Security with Systemd
# /etc/systemd/system/nginx.service # Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service [Unit] # This is from the default nginx.service Description=nginx (hardened rootless) Documentation=https://nginx.org/en/docs/ Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] # forking is not necessary as `daemon` is turned off in the nginx config Type=exec User=nginx Group=nginx ## can be used e.g. for accessing directory containing SSL certs #SupplementaryGroups=acme # define runtime directory /run/nginx as rootless services can't access /run RuntimeDirectory=nginx # write logs to /var/log/nginx LogsDirectory=nginx # write cache to /var/cache/nginx CacheDirectory=nginx # configuration is in /etc/nginx ConfigurationDirectory=nginx ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf # PID is not necessary here as the service is not forking ExecReload=/usr/sbin/nginx -s reload Restart=on-failure RestartSec=10s # Hardening # hide the entire filesystem tree from the service and also make it read only, requires systemd >=238 TemporaryFileSystem=/:ro # Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base, # https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx, # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory= # # This gives access to (probably) necessary system files, allows journald logging BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify # Additional access to service-specific directories BindReadOnlyPaths=/usr/sbin/nginx BindReadOnlyPaths=/run/ /usr/share/nginx/ PrivateTmp=true PrivateDevices=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true # Network access RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Miscellaneous SystemCallArchitectures=native # also implicit because settings like MemoryDenyWriteExecute are set NoNewPrivileges=true MemoryDenyWriteExecute=true ProtectKernelLogs=true LockPersonality=true ProtectHostname=true RemoveIPC=true RestrictSUIDSGID=true ProtectClock=true # Capabilities to bind low ports (80, 443) AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target
- Restricting access to critical directories to trusted applications?
-
Is it safe to enable Apparmor on the proxmox host server?
root@hive:/usr/lib/apparmor# systemctl status apparmor ● apparmor.service - Load AppArmor profiles Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) Active: active (exited) since Thu 2023-05-18 19:44:34 EDT; 23h ago Docs: man:apparmor(7) https://gitlab.com/apparmor/apparmor/wikis/home/ Process: 861 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SU> Main PID: 861 (code=exited, status=0/SUCCESS) CPU: 39ms
- sandboxed and customizable setup of LoL on Linux
- Apparmor rules
- Audit backlog limit exceeded every 2-3 minutes and AppArmor issues
-
Why is OpenSUSE switching to SELinux?
I know you made this comment 5 days ago, but: the last two commits were 1 and 3 day ago for me while SELinux is behind at 3 days and 2 weeks for its last two commits, and also has about half as many commits overall. So AppArmor is arguably as alive, if not more, than SELinux.
-
Do I understand how to use apparmor correctly?
I'm working on doing what I can to secure a hobby VPS running Ubuntu. I've done some reading about apparmor (especially this document) and created a profile for nginx.
-
Void Linux Security Scanners
Also, I agree that the documentation doesn't seem to be exactly helpful. I'd recommend Wikipedia about what it is (for links to what these terms mean) and its documentation in the project's Wiki.
-
Question to all the linux mint soldiers
Learn how to use AppArmor: https://gitlab.com/apparmor/apparmor/-/wikis/Documentation. Enforce its profiles (at least) for internet facing apps.
What are some alternatives?
tor - unofficial git repo -- report bugs/issues/pull requests on https://gitlab.torproject.org/ --
bubblewrap - Low-level unprivileged sandboxing tool used by Flatpak and similar projects
nix-deploy - Deploy software or an entire NixOS system configuration to another NixOS system
privacy-respecting - Curated List of Privacy Respecting Services and Software
cef - A Haskell library for CEF (Commont Event Format)
ubuntu-server-nosnap
filepath - Haskell FilePath core library
apparmor-profiles - AppArmor Profiles for Arch Linux
language-puppet - A library to work with Puppet manifests, test them and eventually replace everything ruby.
lxc - High level Haskell bindings to LXC (Linux containers).
selinux-kernel - GitHub mirror of the SELinux kernel repository