@Caesurus
Caesurus / SELinux_cryptic_messages.md
Last active March 24, 2025 12:40
SELinux policy Load Errors

I recently started working on a policy migration to a new system. The following errors are cryptic, and it took some digging to figure out what was going on. I saw others online had the same errors, but the general fix seemed to be "load the new policy", and they didn't really go into details of how policies are fixed.

```
Compiling targeted netmgr module
Creating targeted netmgr.pp policy package
Loading targeted modules: netmgr
Failed to resolve filecon statement at /var/lib/selinux/targeted/tmp/modules/400/netmgr/cil:50
/usr/sbin/semodule:  Failed!
make: *** [/usr/share/selinux/devel/include/Makefile:145: reload] Error 1
```

Cause: the fc file contains a type that can't be resolved. So using:

@ageis
ageis / systemd_service_hardening.md
Last active April 24, 2025 14:38
Options for hardening systemd service units

security and hardening options for systemd service units

A common and reliable pattern in service unit files is thus:

```
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
```