home.social

#selinux — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #selinux, aggregated by home.social.

  1. A configuration error takes down the entire .de zone. Three Linux kernel exploits target the same attack pattern. And Daniel Stenberg describes how AI-generated bug reports make curl both better and more exhausting at the same time.

    Our current Security Digest puts into context what really mattered over the past few weeks:
    🔐 Copy Fail, Dirty Frag, Dirty Pipe: Local privilege escalation remains one of the most common vulnerability classes in the Linux kernel. Our take: SELinux is not a nice-to-have but the most effective countermeasure. Non-privileged accounts should not run as unconfined_u. Period.
    🌐 DNSSEC outage of the .de zone: A signing error at DENIC on 05.05. showed how fragile centralised DNS infrastructure can be.
    🤖 AI and open source: After the AI-slop wave, curl is now receiving high-quality reports. At the same time, the load on maintainers is rising massively.
    📱 Android Intrusion Logging: With Advanced Protection Mode, Google finally delivers a real data source for mobile forensics. We recommend enabling it for exposed individuals and for organisations with elevated protection needs.

    The security model of the mobile world is increasingly becoming the template for desktop and server. Anyone still working without mandatory access control today is exposing an attack surface that could be reduced considerably with a few configuration steps. You can find the full digest with all sources and our assessment here: research.hisolutions.com/2026/

    How does your organisation handle SELinux? And is anyone among you already using Android Intrusion Logging in incident response?

    #Cybersecurity #SELinux #DNSSEC #AndroidSecurity #OpenSource @brahms @jrt

  2. @devopscats
    Do not apply on hosts which need IPsec.

    Workarounds:

    1️⃣ Try to migrate away from #IPsec to #Wireguard (quite some work per setup)

    2️⃣ Use #SELinux to limit what "normal" processes can do with the modules (even more work, but probably only needs to be done once)

    3️⃣ If none of this works, secure and monitor these machines, especially preventing untrusted users or code

  3. Setting up a self-hosted GitLab Runner

    Part 2 of the series on meaningful CI/CD: setting up a self-hosted GitLab Runner. We go from docker-compose.yml to a working runner, working through permissions errors, SELinux context and the peculiarities of rootless Podman along the way. All of this applies equally to Docker.

    habr.com/ru/articles/1032654/

    #gitlab_runner #docker_compose #SELinux #selfhosted #configtoml #volume_permissions #podman #rootless_containers #gitlab_ci

  4. Thinking in graphs with IPAHound

    Hi everyone, my name is Mikhail Sukhov and I am a member of the PT SWARM team. Our team increasingly encounters infrastructure built on alternative implementations of the Microsoft Active Directory directory service. One such implementation, which has deservedly become widespread, is FreeIPA. While working with FreeIPA it became clear that its architectural features, which differ considerably from AD, can be studied as well. That is how IPAHound came about: our BloodHound analogue for FreeIPA. The BloodHound Legacy project with PKI support was taken as the basis. We have used IPAHound repeatedly in our vulnerability assessment projects. In this article I will describe our tool. We will also look at various ways of analysing relationships that make moving through FreeIPA easier.

    habr.com/ru/companies/pt/artic

    #ipahound #freeipa #ldap #sudo #selinux #kerberos #pentest #ald pro #bloodhound

  8. Permissions in Linux: chown/chmod, SELinux context, symbolic/octal notation, DAC/MAC/RBAC/ABAC

    I have gathered in one place everything you need to know about permissions in Linux, in plain and understandable language: symbolic and octal notation, SUID/SGID/sticky bit, SELinux context, DAC, MAC, RBAC, ABAC, and the ls/stat/chmod/chown/find commands, with examples and diagrams that are easy to come back to.

    habr.com/ru/articles/1027674/

    #linux #chmod #chown #SELinux #права_доступа #DAC #MAC #RBAC #ACL #системное_администрирование

  12. @threatchain general purpose siem, malcolm ids, debian server, opnsense - good combo imo, good licensing. I may just refactor and use 500gb drives so cost will not be the limiting factor, you can use debian blends too but even some of these specialized apps won't have included forensics-full and this has a ton of super useful sw, when you have the persistence partition going corner case use cases can be covered better than say something like a bootable iso #rational clear case #mw #smw #yacy #jenkins #ntop-ng #misp #cms #lamp server #sbom #addons #app armor #selinux #ufw #fail2ban #hardened debian #pentoo

  16. SELinux is no longer an enemy but a helper, or how we got it to make friends with the admins

    Hi Habr! My name is Olga and I am an automation engineer at RED SOFT (РЕД СОФТ). My job is to turn the complex and routine tasks of system administrators into simple and understandable configurations in RED ADM (РЕД АДМ). Today we will talk about a system that makes many administrators shudder slightly (or not so slightly): SELinux.

    habr.com/ru/companies/redsoft/

    #SELinux #Безопасность #Администрирование #администрирование_linuxсистем #DevOps #РЕД_АДМ #Linux #Автоматизация #Управление_конфигурациями #Open_Source

  17. Hey, my server hasn't actually been running backups since the last time I did it by hand, because SELinux and systemd are apparently having an argument about it.

    Running it by hand now, dunno when I'll be able to resolve that nonsense correctly. Literally just a shell script that runs restic. 😓

    #selinux #systemd #ohshit

  18. What's that? #ubuntusnaps are badly designed for desktop usage? Who knew?

    Scroll my feed whydontcha.

    #Flatpak, #AppImage, take your pick. Much better integration and uses standard #SELinux - instead of having to suffer #Canonical and their #NotInventedHere syndrome with #AppArmor.

    Microsoft's VS Code in Ubuntu's Snap Format Eats Up Disk Space Like Bloatware Even After Removal
    itsfoss.com/news/vscode-snap-d

  19. Archiving and compression with tar: basics, options and examples

    tar (Tape Archiver) is the standard archiving tool under Linux, bundling several files and folders into a single archive. Unlike gzip, bzip2 and xz, tar does not compress by itself but works together with compression tools (z, j, J). It preserves complete metadata, including permissions and SELinux contexts. Important tar options: -c (create): creates a new archive. -f (file name): specifies the file name of the archive. # A folder […]

    andreas-moor.de/archivierung-u

  21. Archiving and compression with tar: basics, options and examples

    tar (Tape Archiver) is the standard archiving tool under Linux, bundling several files and folders into a single archive. Unlike gzip, bzip2 and xz, tar does not compress by itself but works together with compression tools (z, j, J). It preserves complete metadata, including permissions and SELinux contexts. Important tar options: -c: creates a new archive (create). -f: specifies the file name of the archive (file name). tar -cf backup.tar […]

    andreas-moor.de/archivierung-u

  23. Comparison of archiving and compression under Linux: tar/star, gzip, bzip2, xz and zip

    Archiving and compression techniques are important tools for storing files and directories efficiently under Linux. A distinction is made between archiving, in which several files are bundled into a single unit, and compression, in which the amount of data is reduced. Archiving and compression: tar as a must for folders. tar is the standard tool for archiving folders under Linux. It bundles files and directories into an archive, […]

    andreas-moor.de/vergleich-von-

  27. [Translation] SELinux: integration with Zabbix and other tools

    Hi everyone! We do Zabbix projects, have accumulated considerable expertise, and decided to translate several articles that seemed interesting and useful to us. They will surely be useful to you too. We also share our experience in the Telegram channel zabbix_ru, where you can find useful materials and recordings of our webinars published on our YouTube channel (translator's note). Migration from MySQL to PostgreSQL was the first article in this series of translations. This article covers the basics of SELinux in detail, its proper integration with Zabbix, and ways of efficiently creating your own SELinux policies to solve common problems. It also shows how to monitor SELinux directly from Zabbix, which will help improve system security and simplify day-to-day administration. This guide is intended for RPM-based distributions (RHEL, CentOS, Rocky Linux, AlmaLinux, Fedora, …).

    habr.com/ru/articles/970716/

    #zabbix #linux #selinux #gals_software

  28. My work laptop is now finally running #Linux instead of Windows, though for various reasons probably only for a while. :tux: :fedora: #Fedora became the distro of choice because I want to properly test it in everyday use and I mostly work with #RedHat-based servers at work. Fedora Workstation is fun! I am currently also testing #Gnome extensively (privately I have been using #Plasma for years).

    I had had it up to here with the actually quite cool #WSL under Windows: again and again I needed complicated workarounds for certain networking things and to connect Windows and #WSL2 correctly.

    Despite really long-standing #Linux experience I still needed the odd tip from a colleague (e.g. mounting network drives in an AD environment via #SSSD) and spent ages tinkering with the correct HTTP proxy configuration. The #SELinux security layer then also interfered with #OpenVPN. It has to be said, though: these are all rather special problems that you also have in other forms under Windows, and they require just as much fiddling there. But now everything works. 🙂

  29. Also #SELinux with /etc as #overlayfs leads to some really strange issues. Init scripts (which run as initrc_t) get various actions denied with the audit log message listing scontext=mount_t. The labels on the files look correct. If I switch to an r/w rootfs with /etc in it those issues just go away. Same if I use overlayfs and make noop edits to individual scripts so they are stored in the "upper" dir of the overlay. :blobcateyes:

    One option would be to dig into how overlayfs works and interacts with SELinux. Another would be to work on restructuring things so /etc is only for local config (anything preinstalled in /usr) and drop the overlay. :neocat_think:

  30. Who is using chroot with php-fpm? Is it worth it?

  31. So, to allow a linux vm to access a directory from Fedora host with virtio-9p, I'll need to run:

    # semanage fcontext -a -t svirt_home_t "/some/dir"
    # restorecon -vR /some/dir

    Idk why sealert offers this non-working solution instead. It's really weird:

    # semanage fcontext -a -t virt_image_t 'dir'
    # restorecon -v 'dir'

    #fedora #linux #selinux #qemu #kvm #vm #virtualmachines #9p #virtio #fedora42 #virtmanager

  32. As an aside, LMDE (Debian) works just fine for me for #gaming. #RetroArch runs great, there are no issues with Feral #Gamemode or #SELinux issues (unlike my most recent tests with Fedora or openSUSE), I use #flatpaks so my gaming applications come with their own updated mesa and other drivers, and if I need a newer kernel I could always hit up #backports. And nvidia sucks so I wouldn't bother with them anyway.

    If I really needed to I could always run #testing or #unstable.

  34. News update 02/25 - #Python3.14, #FOSDEM 2025, #GNOME48 Beta, #KDE #Plasma6.3, #openSUSE and #SELinux - #FOCUS_ON: #Linux - #Podcast:

    Python 3.14 and KDE Plasma 6.3 are being released, while the scope of the upcoming GNOME 48 is taking shape. The SELFHTML project turns 30 years old, and with RePebble new life is being breathed into a project long declared dead. On the kernel mailing list a dispute over Rust flares up, with consequences for the kernel and Asahi Linux projects.

    focusonlinux.podigee.io/147-ne

  35. 💡 If you have SELinux enabled on your Linux system, you can view the context of an object as follows @opensuse @fedora #ZikTIPS #Sysadmin #SELinux #CLI #OpenSUSE #Linux

    For a file:
    ls -Z [FILE] e.g.
    ls -Z /etc/selinux/config

    For a process:
    ps -eZ | grep [PROCESS_NAME] e.g.
    ps -eZ | grep apache2

  36. @Gentoo_eV Given that I get a KVM console in time, I will demonstrate my installation guide (gentoo.duxsco.de/) in English using a #Hetzner dedicated server.

    • What? Beyond Secure Boot – Measured Boot on Gentoo Linux?
    • When? Saturday, 2024-10-19 at 18:00 UTC (20:00 CEST)
    • Where? Video call via BigBlueButton: bbb.gentoo-ev.org/

    The final setup will feature:

    • #SecureBoot: All EFI binaries and unified kernel images are signed.
    • #MeasuredBoot: #clevis and #tang will be used to check the system for manipulations via #TPM 2.0 PCRs and for remote LUKS unlock (you don't need tty).
    • Fully encrypted: Except for ESPs, all partitions are #LUKS encrypted.
    • #RAID: Except for ESPs, #btrfs and #mdadm based #RAID are used for all partitions.
    • Rescue System: A customised #SystemRescue (system-rescue.org/) supports SSH logins and provides a convenient chroot.sh script.
    • Hardened #Gentoo #Linux for a highly secure, high stability production environment.
    • If enough time is left at the end, #SELinux which provides Mandatory Access Control using type enforcement and role-based access control
  41. Mfw I receive a "hardened" #RHEL image to deploy for a new application, and discover #SELinux has been disabled and the relevant directories for this deployment have been recursively #chmod'ed 777. 😑

  42. I've just merged a huge PR to my #Orked (O-tomated RKE Distribution - GREAT NAME I KNOW) that makes it easier than ever for anyone to set up a production-ready #RKE2 #Kubernetes cluster in their #homelab.

    With this collection of scripts, all you need to do is just provision the nodes required, including a login/management node, and run the scripts right from the login node to configure all of the other nodes to make up the cluster. This setup includes:

    - Configuring the Login node with any required or essential dependencies (such as #Helm, #Docker, #k9s, #kubens, #kubectx, etc.)

    - Setting up passwordless #SSH access from the Login node to the rest of the Kubernetes nodes

    - Updating the hosts file for strictly necessary name resolution on the Login node and between the Kubernetes nodes

    - Necessary, best-practice configurations for all of the Kubernetes nodes including networking configuration, disabling unnecessary services, disabling swap, loading required modules, etc.

    - Installation and configuration of RKE2 on all the Kubernetes nodes and joining them together as a cluster

    - Installation and configuration of #Longhorn storage, including formatting/configuring their virtual disks on the Worker nodes

    - Deployment and configuration of #MetalLB as the cluster's load balancer

    - Deployment and configuration of #Ingress #NGINX as the ingress controller and reverse proxy for the cluster - this helps manage external access to the services in the cluster

    - Setup and configuration of #cert-manager to obtain and renew #LetsEncrypt certs automatically - supports both #DNS and HTTP validation with #Cloudflare

    - Installation and configuration of #csi-driver-smb which adds support for integrating your external SMB storage to the Kubernetes cluster

    Besides these, there are also some other helper scripts to make certain related tasks easy, such as a script to set a unique static IP address and hostname, and another to toggle #SELinux enforcement on or off - should you need to turn it off (temporarily).

    If you already have an existing RKE2 cluster, there's a step-by-step guide on how you could use it to easily configure and join additional nodes to your cluster if you're planning on expanding.

    Orked currently expects and supports #RockyLinux 8+ (should also support any other #RHEL distros such as #AlmaLinux), but I am planning to improve the project over time by adding more #Linux distros, #IPv6 support, and possibly even #K3s for a more lightweight #RaspberryPi cluster, for example.

    I've used this exact setup to deploy and manage vital services for hundreds of unique clients/organisations, and I've become obsessed with sharing it with everyone and making it easier to get started. If this is something that interests you, feel free to check it out!

    If you're wondering what to deploy on a Kubernetes cluster - feel free to also check out my #mika helm chart repo 🥳

    🔗 https://github.com/irfanhakim-as/orked

    🔗 https://github.com/irfanhakim-as/charts


    I've used this exact setup to deploy and manage vital services to hundreds of unique clients/organisations that I've become
    obsessed with sharing it to everyone and making it easier to get started. If this is something that interests you, feel free to check it out!

    If you're wondering what to deploy on a Kubernetes cluster - feel free to also check out my
    #mika helm chart repo 🥳

    🔗 https://github.com/irfanhakim-as/orked

    🔗 https://github.com/irfanhakim-as/charts

  44. I've just merged a huge PR to my #Orked (O-tomated RKE Distribution - GREAT NAME I KNOW) that makes it easier than ever for anyone to set up a production-ready #RKE2 #Kubernetes cluster in their #homelab.

    With this collection of scripts, all you need to do is just provision the nodes required, including a login/management node, and run the scripts right from the login node to configure all of the other nodes to make up the cluster. This setup includes:

    - Configuring the Login node with any required or essential dependencies (such as
    #Helm, #Docker, #k9s, #kubens, #kubectx, etc.)

    - Setup passwordless
    #SSH access from the Login node to the rest of the Kubernetes nodes

    - Update the
    hosts file for strictly necessary name resolution on the Login node and between the Kubernetes nodes

    - Necessary, best practice configurations for all of the Kubernetes nodes including networking configuration, disabling unnecessary services, disabling swap, loading required modules, etc.

    - Installation and configuration of RKE2 on all the Kubernetes nodes and joining them together as a cluster

    - Installation and configuration of
    #Longhorn storage, including formatting/configuring their virtual disks on the Worker nodes

    - Deployment and configuration of
    #MetalLB as the cluster's load-balancer

    - Deployment and configuration of
    #Ingress #NGINX as the ingress controller and reverse proxy for the cluster - this helps manage external access to the services in the cluster

    - Setup and configuration of
    #cert-manager to obtain and renew #LetsEncrypt certs automatically - supports both #DNS and HTTP validation with #Cloudflare

    - Installation and configuration of
    #csi-driver-smb which adds support for integrating your external SMB storage to the Kubernetes cluster

    Besides these, there are also some other
    helper scripts to make certain related tasks easy such as a script to set a unique static IP address and hostname, and another to toggle #SELinux enforcement to on or off - should you need to turn it off (temporarily).

    If you already have an existing RKE2 cluster, there's a step-by-step guide on how you could use it to easily configure and join additional nodes to your cluster if you're planning on expanding.

    Orked currently expects and supports
    #RockyLinux 8+ (should also support any other #RHEL distros such as #AlmaLinux), but I am planning to improve the project over time by adding more #Linux distros, #IPv6 support, and possibly even #K3s for a more lightweight #RaspberryPi cluster for example.

    I've used this exact setup to deploy and manage vital services to hundreds of unique clients/organisations that I've become
    obsessed with sharing it to everyone and making it easier to get started. If this is something that interests you, feel free to check it out!

    If you're wondering what to deploy on a Kubernetes cluster - feel free to also check out my
    #mika helm chart repo 🥳

    🔗 https://github.com/irfanhakim-as/orked

    🔗 https://github.com/irfanhakim-as/charts

  45. I've just merged a huge PR to my #Orked (O-tomated RKE Distribution - GREAT NAME I KNOW) that makes it easier than ever for anyone to set up a production-ready #RKE2 #Kubernetes cluster in their #homelab.

    With this collection of scripts, all you need to do is just provision the nodes required, including a login/management node, and run the scripts right from the login node to configure all of the other nodes to make up the cluster. This setup includes:

    - Configuring the Login node with any required or essential dependencies (such as
    #Helm, #Docker, #k9s, #kubens, #kubectx, etc.)

    - Setup passwordless
    #SSH access from the Login node to the rest of the Kubernetes nodes

    - Update the
    hosts file for strictly necessary name resolution on the Login node and between the Kubernetes nodes

    - Necessary, best practice configurations for all of the Kubernetes nodes including networking configuration, disabling unnecessary services, disabling swap, loading required modules, etc.

    - Installation and configuration of RKE2 on all the Kubernetes nodes and joining them together as a cluster

    - Installation and configuration of
    #Longhorn storage, including formatting/configuring their virtual disks on the Worker nodes

    - Deployment and configuration of
    #MetalLB as the cluster's load-balancer

    - Deployment and configuration of
    #Ingress #NGINX as the ingress controller and reverse proxy for the cluster - this helps manage external access to the services in the cluster

    - Setup and configuration of
    #cert-manager to obtain and renew #LetsEncrypt certs automatically - supports both #DNS and HTTP validation with #Cloudflare

    - Installation and configuration of
    #csi-driver-smb which adds support for integrating your external SMB storage to the Kubernetes cluster

    Besides these, there are also some other
    helper scripts to make certain related tasks easy such as a script to set a unique static IP address and hostname, and another to toggle #SELinux enforcement to on or off - should you need to turn it off (temporarily).

    If you already have an existing RKE2 cluster, there's a step-by-step guide on how you could use it to easily configure and join additional nodes to your cluster if you're planning on expanding.

    Orked currently expects and supports
    #RockyLinux 8+ (should also support any other #RHEL distros such as #AlmaLinux), but I am planning to improve the project over time by adding more #Linux distros, #IPv6 support, and possibly even #K3s for a more lightweight #RaspberryPi cluster for example.

    I've used this exact setup to deploy and manage vital services to hundreds of unique clients/organisations that I've become
    obsessed with sharing it to everyone and making it easier to get started. If this is something that interests you, feel free to check it out!

    If you're wondering what to deploy on a Kubernetes cluster - feel free to also check out my
    #mika helm chart repo 🥳

    🔗 https://github.com/irfanhakim-as/orked

    🔗 https://github.com/irfanhakim-as/charts