Category Archives: Uncategorized

SELinux Insanity: Doing the same thing over-and-over and expecting security convergence

Every time a piece of software encounters a new access pattern, the answer is to tweak the policy. Then tweak it again. Then tweak it again. Then tweak it again. Then tweak it again. At what point does this stop being a security model and start becoming an endless process of granting exceptions?

There is one thing in open source software that consistently consumes more time than it has any right to.

SELinux.

Every few weeks it seems like another SELinux issue appears.

Implementing a new feature? Fix SELinux. Fixing a bug? Fix SELinux. Scratching your butt? Gotta fix your SELinux policy. Repeat forever.

At some point we should start asking the question: What exactly is this accomplishing?

The Concept

The idea is straightforward. If an attacker compromises a process, SELinux limits what that process can access. The attacker is confined to a security domain and prevented from reaching resources outside that domain.

That’s a reasonable goal.

I’m not arguing against the idea of mandatory access control. I’m questioning whether this was the right tradeoff.

The Cost of Convergence

If a piece of software has been around for twenty years, and enough users have run into enough denials, and enough maintainers have added enough exceptions, then sure, maybe the policy eventually becomes stable.

But what a ridiculous way to get there.

The model seems to be: run the software, wait for SELinux to break something, examine the denial, add a rule, repeat until users stop complaining.

That’s not design. That’s playing whac-a-mole.

We’re not thoughtfully defining a security model. We’re painfully discovering the application’s behavior by tripping over every possible thing it might need to do.

An Engineering Failure

SELinux asks us to accept that defining a security model requires years of stumbling over ourselves. I have a hard time believing that’s the best we can come up with.

Surely there must be a middle ground somewhere between “the application can do anything it wants” and “the application can’t do anything until we’ve spent the next several years teaching SELinux how it works.”

At some point we should be willing to ask whether there is a better way to solve this problem.

I don’t have the answer.

But I’m no longer satisfied with pretending that SELinux is the answer.

Himmelblau Workshop – Hands-On Integration on April 21 in Germany

On April 22, 2026—one day after the 25th sambaXP—the first official Himmelblau Workshop will take place in Göttingen, Germany.

At last year’s sambaXP, I presented “Azure Entra ID Authentication in Samba Using the Himmelblaud Daemon”.
Since then, the project has evolved rapidly, moving from a technical introduction to practical deployment.

My workshop this year builds on that foundation and is aimed at:

  • Linux system administrators
  • Identity and Entra ID engineers
  • Intune and device management teams
  • IT professionals managing hybrid Linux environments

Participants will work hands-on with Linux clients, both with and without a GUI, and will configure:

  • Entra ID authentication
  • Multi-factor authentication
  • Policy enforcement
  • License management
  • Intune-based device management

The session uses the current stable Himmelblau release. Entra ID accounts will be provided, so no personal tenant or prior setup is required.

If you are responsible for integrating Linux systems with Entra ID and want to move from protocol discussion to real-world implementation, this workshop provides a structured, practical environment.

Registration for the workshop is required and available at sambaxp.org.

Also, take the opportunity to explore this year’s sambaXP: my talk, “Linux Meets Intune: From Enrollment to Enforcement in Himmelblau,” is scheduled for Day 1 of the conference—I’d be glad to have you join!

Certificate Auto Enrollment from Samba

Certificate Auto Enrollment available in Samba 4.16

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. As of Samba 4.16, Linux clients can now auto enroll for certificates just like a Windows client.

Samba’s Certificate Auto Enrollment uses the certmonger service to keep track of certificates. It also uses the cepces plugin to certmonger. The sscep command is also used to download the trust chain.

Certificate Auto Enrollment is compatible with both Winbind and SSSD.

Certificate Auto Enrollment is initiated using Samba’s Group Policy client, samba-gpupdate. The Samba wiki has more details on how to setup Group Policy, and how to configure Certificate Auto Enrollment.

Group Policy Management Console for Linux

I’m working on a YaST module that imitates the behavior of the Group Policy Management Console in linux.

You can install it on openSUSE Tumbleweed via:
sudo zypper in yast2-python-bindings
sudo zypper ar https://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_Tumbleweed/ samba
sudo zypper ref && sudo zypper in yast-gpmc

Then run it with:
yast2 gpmc

It requires yast2-python-bindings version 4.0+, which is only available in openSUSE Tumbleweed at the moment (although it’ll be in the next version of SLE).

YaST and Python, the new bindings

YaST has had python bindings for about 10 years, but there has been no maintainer for the last 4 years, and they’ve slowly gone kaput.

That has changed. Python+YaST is back. The syntax is (or should be) backwards compatible with <= 3.x of the yast-python-bindings, but you can now write python yast via code very similar to the ruby code.
There are also lots of examples now (thanks to noelp and his hackweek project).

We’re working on a couple of yast modules via the yast-python-bindings:
https://github.com/dmulder/yast-gpmc
https://github.com/noelpower/yast-aduc/tree/wip-aduc

Corporate email on gnome-shell with davmail + geary + california

My new favorite corporate email solution is davmail + geary + california in gnome-shell.

Geary is still a little buggy (version 0.8.3), but I love how light weight it is, while still doing (most of) what I need it to. It really needs html signature support, but that’s the only thing missing that I really use.

Davmail appears to be very stable. I run it in server mode on startup with an init script.

Now all I need is a decent calendar solution. The new gnome app California appears to be the best bet. It’s very buggy in version 0.2. My biggest issue is that overlapping events aren’t handled well. I’m hoping they’ve got that worked out in 0.4.

It feels more fluid using native gnome-shell apps for my corporate email and calendar. Thanks Yorba and davmail!