#SELinux
openSUSE Tumbleweed SELinux and Gaming fix is now in
The big controversy over openSUSE Tumbleweed changing from AppArmor to SELinux should be coming to an end soon. The devs have been working hard to get a fix pushed that will allow anyone installing wine, proton, lutris, etc. to be able to use these game packages without issue. The new fix is a package that modifies SELinux to remain in ‘strict’ mode while simultaneously allowing gaming to work. The…
Linux From Scratch (LFS) is a project that provides you with step-by-step instructions for building your own custom Linux system, entirely from source code.
↑↑↑ I've finally ended up here.
In other words, a self-built system.
It's very disappointing.
Everyone being able to use Gentoo Linux would be the best path, both for engineers and for users.
I recall it was 2020: Gentoo Linux's servers went down in a pretty severe cyber attack, which made big news.
And in the short span of about three years since then, with the intrusion of the NSA, the US National Security Agency, the kernel config has ended up in a truly awful state…
Gentoo Linux can no longer be called a Distributor…
The traps have gotten dozens of times worse than when I was using it…
The NSA, that is, SELinux, is forcibly enabled, and it's gotten out of hand.
Disappointing.
So because of globalists like Google and the NSA, a wonderful system has been dragged through the mud and has become their monopolized system.
It's nothing but ridiculous lol 🤣
They are completely mocking engineers. Outrageous people, Google and the NSA.
It seems the only option left is to build the system yourself.
In other words, LFS: there may be no choice but to build the system from scratch.
Basics of SELinux and Its Importance
Security-Enhanced Linux (SELinux) is a crucial component of Linux security, providing a robust mechanism for enforcing security policies that control access to resources on a system. In this blog post, we will delve into the basics of SELinux, its significance, and why every Linux administrator should understand and utilize it.
What is SELinux?
SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies. It was developed by the National Security Agency (NSA) as a series of patches to the Linux kernel and then integrated into many Linux distributions, including Red Hat Enterprise Linux (RHEL), CentOS, and Fedora.
How SELinux Works
SELinux uses a concept called Mandatory Access Control (MAC) which differs from the traditional Discretionary Access Control (DAC) used by standard Linux. In DAC, the owner of a resource determines the access control; however, in MAC, the system enforces policies that dictate the access rights, independent of the owners' preferences.
Key Components of SELinux:
Security Policies: These are sets of rules that define what actions subjects (users, processes) can perform on objects (files, directories, ports). Policies can be very granular, specifying permissions for individual actions.
Contexts: SELinux uses contexts to apply policies. Every file, process, and resource in the system has an associated context, typically defined as user:role:type.
Modes: SELinux operates in three modes:
Enforcing: SELinux policies are enforced, and violations are logged.
Permissive: SELinux policies are not enforced, but violations are logged. This is useful for debugging.
Disabled: SELinux is turned off.
Importance of SELinux
1. Enhanced Security
SELinux adds a layer of security that helps mitigate the impact of system vulnerabilities. By enforcing strict access controls, SELinux can prevent compromised applications or users from accessing sensitive data or escalating privileges.
2. Confined Domains
SELinux confines processes to specific domains, limiting their ability to interact with other processes and system resources. This containment reduces the risk of widespread damage if a process is compromised.
3. Granular Control
SELinux allows for detailed and fine-grained control over system access. Administrators can define policies that specify exactly which resources a process can access, down to the level of individual files and actions.
4. Compliance and Standards
Many industries require compliance with strict security standards and regulations. SELinux helps meet these requirements by providing robust access control mechanisms, ensuring that systems adhere to best practices and regulatory guidelines.
Basic SELinux Commands
To effectively manage SELinux, you need to be familiar with a few basic commands:
Check SELinux Status: sestatus
Change SELinux Mode: setenforce [enforcing|permissive]
View SELinux Contexts: ls -Z, ps -eZ
Manage Policies: semanage fcontext -l, restorecon -Rv /path/to/directory
Enabling and Configuring SELinux
Enabling SELinux
SELinux is typically enabled by default in most major distributions like RHEL, CentOS, and Fedora. However, if you need to enable it, you can do so by editing the /etc/selinux/config file:
SELINUX=enforcing
After making this change, reboot your system to apply it.
Configuring SELinux Policies
Configuring SELinux policies involves defining and applying the rules that control access. Tools like audit2allow can help generate custom policies based on logged denial messages, making it easier to fine-tune your security settings.
Troubleshooting SELinux Issues
When SELinux blocks legitimate activities, you can troubleshoot by:
Checking Logs: SELinux logs are stored in /var/log/audit/audit.log. Reviewing these logs can help identify what was denied and why.
Permissive Mode: Temporarily setting SELinux to permissive mode can help diagnose issues without enforcing policies.
Creating Custom Policies: Use tools like audit2allow to create policies that allow necessary actions without compromising security.
Conclusion
SELinux is a powerful security feature that enhances the security posture of Linux systems. By understanding its basics and importance, administrators can leverage SELinux to enforce strict access controls, mitigate risks, and comply with regulatory requirements. While it may seem complex at first, the security benefits it provides make it an essential tool for any serious Linux administrator. Embrace SELinux, and take control of your system's security today!
For more details visit www.qcsdclabs.com
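As an added example (not part of the original post), the following Python parses AVC denial records in the format the kernel writes to /var/log/audit/audit.log, separates enforced denials from permissive-mode ones, and merges them into the allow rules audit2allow would print for them. The log lines and the httpd/sshd scenario are constructed samples, not records from a real system.

```python
# Added example (not from the original post): parse AVC denial records in
# the format the kernel writes to /var/log/audit/audit.log and collapse
# them into the allow rules audit2allow would print for them.
import re
from collections import defaultdict

# Constructed sample records: two enforced denials for httpd reading a file
# labelled user_home_t, one permissive-mode record for sshd binding a
# non-standard port, and a SYSCALL record that the AVC parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1301 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=1301 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.250:203): avc:  denied  { name_bind } for  pid=1402 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_context(ctx):
    """Split user:role:type:level. maxsplit=3 keeps an MLS range such as
    s0-s0:c0.c1023 intact, since the level itself may contain colons."""
    user, role, stype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}


def parse_avc_line(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name") or fields.get("src"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1: the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit_log(text):
    return [r for r in map(parse_avc_line, text.splitlines()) if r]


def enforced(records):
    """Only the denials that actually blocked an action (permissive=0)."""
    return [r for r in records if not r["permissive"]]


def propose_rules(records):
    """Merge denials into allow rules as audit2allow prints them, one per
    (source type, target type, class). Check the target label first: httpd
    denied on user_home_t is usually a mislabelled file for restorecon."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["scontext"]["type"], r["tcontext"]["type"], r["tclass"])] |= r["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(enforced(recs))} enforced denials; rules audit2allow would suggest:")
    print("\n".join(propose_rules(recs)))
```

Run it against a real excerpt by replacing SAMPLE_AUDIT_LOG with the contents of the audit log; records with permissive=1 are the ones you see while diagnosing in permissive mode.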
Setup and Configuration of Oracle Security
Pfsense, Cloudflare, Meraki Go, Fortigate AP, AWS CloudFront, Cisco Umbrella… Oracle Cloud FW, Red Hat Enterprise, SELinux, Nginx reverse proxy inclusive. To generate SSH security scripts using OpenSSL RSA, you can use the following format:
Step 1: Generate the private key: openssl genrsa -out private.key 2048
This command will generate a private key named “private.key” with a key length of 2048…
All right, since I bombarded a poor mutual yesterday...
Privacy is not security and security is not privacy. These terms are not interchangeable, but they are intrinsically linked.
While we're at this, anonymity =/= security either. For example, Tor provides the former, but not necessarily the latter, hence using HTTPS is always essential.
It is impossible to have privacy without security, but you can have security without privacy.
A case in point is administrators being able to view any data they want due to their full-access rights to a system. That being said, there are ethics and policies that usually prevent such behavior.
Some general tips:
Operating System: Switch to Linux. Ubuntu and Linux Mint are widely used for a reason. Fedora too. And don't worry! You can keep your current operating system, apps and data. If you're on a Mac computer, you can easily partition your hard drive or SSD by using Disk Utility. If you're on Windows, you can follow this guide.
You want to go a step further? Go with Whonix or Tails. They're Linux distributions as well, but they're both aiming for security, not beauty so the interface might not be ideal for everyone. Many political activists and journalists use them.
You want anonymity? Then you need to familiarize yourself with Tor. Also, Tor and HTTPS and Tor’s weaknesses. When you're using it, don't log in to sites like Google, Facebook, Twitter etc. and make sure to stay away from Java and Javascript, because those things make you traceable.
Alternatives for dealing with censorship? i2p and Freenet.
Is ^ too much? Welp. All right. Let's see. The first step is to degoogle.
Switch to a user-friendly browser like Firefox (or better yet LibreWolf), Brave or Vivaldi. There are plenty of hardened browsers, but they can be overwhelming for a beginner.
Get an ad blocker like uBlock Origin.
Search Engine? StartPage or DuckDuckGo. SearXNG too. Like I said, degoogle.
Get a PGP encrypted e-mail. Check Protonmail out.
There's also Tutamail that doesn't cover PGP, but uses hybrid encryption that avoids some of the cons of PGP.
Skiff mail is also a decent option.
Use an e-mail aliasing service such as SimpleLogin or AnonAddy.
Check OpenPGP out. Claws Mail is a good e-mail client for Windows and Linux, Thunderbird for Mac OS.
Gpg4win is free and easy to use for anyone that wants to encrypt/decrypt e-mails.
Instead of WhatsApp, Facebook Messenger, Telegram etc. use Signal for your encrypted instant messaging, voice and video calls.
Get a metadata cleaner.
Get a firewall like Opensnitch, Portmaster or Netguard which can block Internet for trackers.
Alternatively, go with a private DNS that blocks these trackers. NextDNS is a good paid service. Rethink a good free option.
Replace as many of your applications as you can with FOSS (free and open source) ones. Alternativeto can help you.
Always have automatic updates on. They are annoying af, I know, but they are necessary.
Keep your distance from outdated software.
Always have two-factor authentication (2FA) enabled.
Do not use your administrator account for casual stuff. If you're on Linux, you probably know you can be sudo, but not root.
On Linux distributions use AppArmor, but stay away from random antivirus scanners. Other distributions default to SELinux, which is less suited to a beginner.
Never repeat your passwords. If you can't remember them all, use a password manager like KeePass.
Encrypt your drive.
Honestly, VPNs have their uses and ProtonVPN, Mullvad and Windscribe are decent, but eh. If you don't trust your ISP, why would you trust the VPN provider that claims they don't log you when you can't verify such a thing?
When I was younger and still stuck thinking in terms of concrete current implementations more than abstract semantics and their best possible implementations, I kept wanting to bypass the standard library, especially in low-level languages like C, because the standard library had code paths I didn't need.
If I knew I didn't need my newly allocated memory to start zeroed out, I disliked calling calloc, because a naive implementation of calloc implies extra work, and most implementations would imply extra work at least some of the time. Because I failed to conceive of the OS and hardware having extremely efficient code and circuitry for giving us zeroed out memory pages, and I failed to conceive of optimizing compilers generating code which doesn't bother zeroing out that memory if you truly never read those bytes before writing them.
If I just wanted one memory allocation for the lifetime of the program, I disliked calling malloc at all, because most malloc implementations have a complex memory allocator which is only more optimal for larger and churnier memory usage. I wanted to call the rawest, most direct memory allocation operation - for example, on modern Linux that's an mmap system call asking for an anonymous page (or for a mapping of /dev/zero, although I later learned of sloppy/overbroad SELinux policies in production, f.e. on some Android devices, which reject opening or mapping /dev/zero). Or I wanted to just manually try to grow the stack (and have raw feedback from the kernel if I didn't have enough). Because I was stuck thinking about what the concrete implementations I had on hand would do. Instead, I should've been imagining the optimizing compiler which can look at a simple "malloc", and at everything else in the code, and at any optimization preferences and other information passed in when invoking the compiler, and just compile that malloc as a raw memory system call, or as a stack allocation, if that's actually the best thing to do in that situation.
Painstakingly chipping away at this has been one of the most liberating and healing things for me as a software developer. This is why I eventually realized that we should "code for the optimizer" rather than optimizing by hand in almost every situation. But it took the overwhelming accumulation of examples of actual real-world situations where automatic optimizations beat manual fiddling, or did just as well, and where the manual fiddling was actively counter-productive.
I wish they taught this in schools or something. Just one class, one semester, which is mostly just a showcase of "here's some code. here's how it could be inefficient. how might we optimize this? yeah, yeah, cool, cool... good ideas class. Now here's what a modern compiler can do if you just give it the simple code that doesn't try to optimize. Notice how it did everything you thought of, plus things you didn't. And oh look, if we change the optimization tuning from execution speed to memory usage for example, the compiler can optimize the simple code totally differently, but our hand-optimized code is stuck using more memory, because the compiler can no longer discern the relevant intent and invariants in this code - and neither could a human, without extensive comments and context".
I know lots of developers just don't care, but it would go a long way towards either unblocking or constructively directing the type of developer who can be very productive but would otherwise spend too much time prematurely or needlessly optimizing in the wrong places.
Something I didn’t realize until last week was that the entire gaming industry is under Microsoft’s heel. With Windows and Xbox having that huge of a monopoly on the market, meaning if you really want your game to take off or have any popularity, you have to make it compatible with Windows before Linux or Mac.
which is horrible because Windows is the worst operating system on fucking earth
Apart from the difficulties in having an anti-cheat with Linux, which I can kind of understand, but then again, it can be done by some SELinux enforcement, but still. The fact I HAVE to use Windows to game is horrible and I hate Bill Gates
Over the past ten years, various scandals have generated a lot of bad press for the NSA, leading some open-source enthusiasts to question the NSA's involvement in SELinux and to make other critical remarks. There are still NSA developers involved in SELinux, but starting with Linux 6.6 the references to the "NSA" are removed, partly to reflect that this is no longer an NSA-only matter. Part of the patch titled "selinux: de-brand SELinux" that removes the NSA references. Today the SELinux pull request was submitted, adding things such as notification of whether virtual memory is executable by default, a new network audit helper, and various hardening improvements. What caught my attention in the PR were the following points. - Minor administrative changes: Stephen Smalley updated his email address and "de-branded" SELinux from "NSA SELinux" to simply "SELinux". We have come a long way from the original NSA submission, and at this point we consider SELinux a true community project, so removing the NSA branding makes sense. The patch removing the "NSA" references from the SELinux code and Kconfig text adds the following: Change "NSA SELinux" in the Kconfig help text and comments to simply "SELinux". While the NSA was the original primary developer and continues to help maintain SELinux, SELinux has long since transitioned to a wide community of developers and maintainers. SELinux has been part of the mainline Linux kernel for nearly 20 years, with contributions from many individuals and organizations. So with Linux 6.6, roughly 20 years after it was merged into the kernel, the references to NSA SELinux are gone.
SELinux in Linux 6.6 drops the references to its US NSA origins - Phoronix
Viewing the comments, the discussions center around "knowing how to modify config files without breaking the system".
Only know phone apps? Dig deeper. Learn how to root your own phone: Android and iPhone. Fuck Apple. It's your phone. Root it. This is a start. The smart phone is nothing but a locked down small (but powerful) COMPUTER with each app running in its own sandbox. But there are chinks in its armor. Break out of that prison and reach the underlying file system. Learn how to disable SELinux and bypass Knox. Copious amounts of info on youtube, (underground) forums and blogs. Once you're done, go even deeper, switch to another platform and/or hardware device.
another thought about "gen z and gen alpha don't know how to use computers, just phone apps" is that this is intentionally the direction tech companies have pushed things in, they don't want users to understand anything about the underlying system, they want you to just buy a subscription to a thing and if it doesn't do what you need it to, you just upgrade to the more expensive one. users who look at configuration files are their worst nightmare
With RHCA in Infrastructure, You Can…
In the fast-paced world of IT infrastructure, being just certified is no longer enough. Organizations are looking for professionals who can design, secure, automate, and optimize enterprise environments at scale. That’s where the Red Hat Certified Architect (RHCA) in Infrastructure stands out.
If you’ve already earned your RHCE (Red Hat Certified Engineer), the RHCA path elevates your expertise to the next level—proving you can not only implement solutions, but also architect them.
So, with RHCA in Infrastructure, you can...
1. Design Complex, Scalable Systems
RHCA holders are trained to build resilient, high-availability environments using tools like Red Hat Enterprise Linux, Ansible Automation Platform, and Red Hat Satellite. Whether it's an on-premise data center or a hybrid cloud environment, you can design architectures that meet enterprise-grade performance, security, and compliance requirements.
2. Lead IT Automation Initiatives
Automation is the backbone of modern infrastructure. With RHCA, you gain deep knowledge of Ansible at scale, helping organizations reduce manual tasks, enforce consistency, and accelerate deployment times.
3. Implement Enterprise-Grade Security
RHCA training includes expertise in SELinux, identity management, system hardening, and patch management, ensuring infrastructure is not just functional, but also secure by design.
4. Streamline Hybrid Cloud and Edge Deployments
As more organizations adopt Open Hybrid Cloud strategies, RHCA in Infrastructure equips you with the skills to extend your data center across private and public cloud platforms, and even to edge locations—using tools like Red Hat Insights and Red Hat Smart Management.
5. Drive Infrastructure as Code (IaC) Adoption
Modern infrastructure requires repeatable, version-controlled deployments. With RHCA, you’re capable of implementing Infrastructure as Code using Ansible and GitOps practices, bringing DevOps principles to IT operations.
6. Gain Recognition as a Thought Leader
RHCA isn’t just a certification; it’s a validation of expert-level proficiency. It distinguishes you in job markets, helps in career growth, and positions you as a trusted advisor or consultant in the enterprise IT ecosystem.
7. Command Higher Salaries and Strategic Roles
Professionals with RHCA are often considered for senior architect roles, principal engineer, or infrastructure lead positions. Your ability to align technology with business goals makes you a key strategic asset in any organization.
Conclusion
In a world driven by complexity, compliance, and cloud, the RHCA in Infrastructure isn't just about Red Hat—it’s about mastering modern IT. Whether you're looking to lead transformation projects, standardize infrastructure across geographies, or automate operations for efficiency and scale, RHCA puts you in the driver's seat.
So yes, with RHCA in Infrastructure, you can—design smarter, lead confidently, and shape the future of enterprise IT.
For more info kindly check - https://training.hawkstack.com/red-hat-certified-architect/
Chromium… well, that's something…
Things are getting serious with browsers, because over at Firefox they have apparently completely lost their minds, so after careful consideration, well, Vivaldi or Opera are still the same thing as Chromium, just with some add-ons that could potentially mean trouble… Well, it isn't exactly like that; it probably depends on which version it is based on or what the authors did with it, because: on Opera/Vivaldi there was no problem installing an adblocker… on Chromium there is. Even simply turning off "quit when the last window is closed" was a single item in the settings in both Vivaldi and Opera; in Chromium you need a plugin for it. Opera/Vivaldi need a plugin to block service workers, but that is no problem to install and no problem to verify that it works. In Chromium it is again a problem, and since plugins are implemented through service workers, you cannot kill this functionality.
On top of all that you get all the joys associated with Chromium-based browsers and Electron applications, such as that peculiar sandboxing that "protects you by gaining root privileges through the su-bit" (it is quite fascinating how something this absurd can be accepted by the public… but evidently it can), thanks to which you have to have things like selinux/apparmor active, because you simply have no other means left to rein this in.
Well, so that's about it.
Comparison of Ubuntu, Debian, and Yocto for IIoT and Edge Computing
In industrial IoT (IIoT) and edge computing scenarios, Ubuntu, Debian, and Yocto Project each have unique advantages. Below is a detailed comparison and recommendations for these three systems:
1. Ubuntu (ARM)
Advantages
Ready-to-use: Provides official ARM images (e.g., Ubuntu Server 22.04 LTS) supporting hardware like Raspberry Pi and NVIDIA Jetson, requiring no complex configuration.
Cloud-native support: Built-in tools like MicroK8s, Docker, and Kubernetes, ideal for edge-cloud collaboration.
Long-term support (LTS): 5 years of security updates, meeting industrial stability requirements.
Rich software ecosystem: Access to AI/ML tools (e.g., TensorFlow Lite) and databases (e.g., PostgreSQL ARM-optimized) via APT and Snap Store.
Use Cases
Rapid prototyping: Quick deployment of Python/Node.js applications on edge gateways.
AI edge inference: Running computer vision models (e.g., ROS 2 + Ubuntu) on Jetson devices.
Lightweight K8s clusters: Edge nodes managed by MicroK8s.
Limitations
Higher resource usage (minimum ~512MB RAM), unsuitable for ultra-low-power devices.
2. Debian (ARM)
Advantages
Exceptional stability: Packages undergo rigorous testing, ideal for 24/7 industrial operation.
Lightweight: Minimal installation requires only 128MB RAM; GUI-free versions available.
Long-term support: Up to 10+ years of security updates via Debian LTS (with commercial support).
Hardware compatibility: Supports older or niche ARM chips (e.g., TI Sitara series).
Use Cases
Industrial controllers: PLCs, HMIs, and other devices requiring deterministic responses.
Network edge devices: Firewalls, protocol gateways (e.g., Modbus-to-MQTT).
Critical systems (medical/transport): Compliance with IEC 62304/DO-178C certifications.
Limitations
Older software versions (e.g., default GCC version); newer features require backports.
3. Yocto Project
Advantages
Full customization: Tailor everything from kernel to user space, generating minimal images (<50MB possible).
Real-time extensions: Supports Xenomai/Preempt-RT patches for μs-level latency.
Cross-platform portability: Single recipe set adapts to multiple hardware platforms (e.g., NXP i.MX6 → i.MX8).
Security design: Built-in industrial-grade features like SELinux and dm-verity.
Use Cases
Custom industrial devices: Requires specific kernel configurations or proprietary drivers (e.g., CAN-FD bus support).
High real-time systems: Robotic motion control, CNC machines.
Resource-constrained terminals: Sensor nodes running lightweight stacks (e.g., Zephyr+FreeRTOS hybrid deployment).
Limitations
Steep learning curve (BitBake syntax required); longer development cycles.
4. Comparison Summary
5. Selection Recommendations
Choose Ubuntu ARM: For rapid deployment of edge AI applications (e.g., vision detection on Jetson) or deep integration with public clouds (e.g., AWS IoT Greengrass).
Choose Debian ARM: For mission-critical industrial equipment (e.g., substation monitoring) where stability outweighs feature novelty.
Choose Yocto Project: For custom hardware development (e.g., proprietary industrial boards) or strict real-time/safety certification (e.g., ISO 13849) requirements.
6. Hybrid Architecture Example
Smart factory edge node:
Real-time control layer: RTOS built with Yocto (controlling robotic arms)
Data processing layer: Debian running OPC UA servers
Cloud connectivity layer: Ubuntu Server managing K8s edge clusters
Combining these systems based on specific needs can maximize the efficiency of IIoT edge computing.