mpd + ncmpcpp
mpd + ncmpcpp
Yes! Awk is great, I use it all the time for text processing problems that are beyond the scope of normal filters but aren’t worth writing a whole program for. It’s pretty versatile, and you can split expressions up and chain them together when they get too complicated. Try piping the output into sh
sometime. It can be messy though and my awk
programs tend to be write-only
Yeah for me it’s been great and I do essentially leave it plugged in the whole time I’m using my PC (attached to my keys). It does require a pin entered each boot, so leaving it in would still offer security. But as someone else mentioned getting kwallet PAM working would make things easier in any case
Lol. I press a button on the device (which I unlocked with a pin before boot), but it would be nice to have the DB unlock automatically
Personally, I’ve relied on an OnlyKey for a few years (with backups and an extra fallback device) and haven’t needed to type passwords since. This doesn’t help with the number of prompts, but it does make them easier to dismiss.
I do use autologin, but I don’t use a system wallet (only KeePassXC, which I do need to unlock manually). Autologin with system wallets can be tricky, but I’ve had some luck setting it up in the past. You might want to check out this wiki for PAM configuration.
I usually use Awk to do the heavy lifting within my Bash scripts (e.g. arg parsing, filtering, stream transformation), or I’ll embed a Node.JS script for anything more advanced. In some cases, I’ll use eval to process generated bash syntax, or I’ll pipe into sh (which can be a good way to set up multiprocessing). I’ve also wanted to try zx, but I generally just stick to inlining since it saves a dependency.
I started by writing small scripts to automate things, but really got into it after learning how fun it can be to make the computer do stuff. I also see it as a kind of creative outlet, but in general I just want to learn how to fix anything in software if I’m not satisfied with how it works.
If you’re willing to spend the time to learn how to write custom policies, SELinux can be used for this, to some extent. It’s highly customizable and can sandbox your apps, but the process of doing so is quite complicated. I wrote a small guide on custom policy management on Gentoo in another comment if you’re interested.
There’s also apparently a “sandbox” feature, but I don’t know much about it. I just write my own policies and make them as strict as possible.
As an example, my web browser can’t access my home directory or anything except its own directories, and nobody (including my own user), except root and a few select processes (gpg, gpg-agent, git, pass) can access my gnupg directory.
This only covers security/permissions, and doesn’t include many of the other benefits of containerization or isolation. You could also try KVM with libvirt and Gentoo VMs; that works pretty well (despite update times) and I did that for a while with some success.
np! Hope it helps; it’s a big pain but I do think it’s pretty secure if configured correctly
I’m happy with it so far! No swipe typing, and it’s pretty difficult to land on the right key, but I’ve found that I’m getting better at using it with time, especially after customizing it to my liking
Awesome! Here are a few things that come to mind:
Make sure you have some aliases/functions for common operations:
audit2allow -a
to view audit violations (or -d
for dmesg audits)
-r
to add a requires statement for module constructionrestorecon -Rv
to recursively apply file contexts from policy (or -FRv
to also apply user context)rm -f /var/log/audit/audit.log.*; >/var/log/audit/audit.log
to clear audit logs
chown -R user:user PATH; chcon -R -u user_u PATH
to recursively change labels to user
semanage fcontext -a -t TYPE PATH -s $SEUSER
to add a custom file context to the policy
semanage fcontext -a -t "user_secrets_t" "/home/[^/]+/.secrets(/.*)?" -s user_u
.fc
file,
but in any case a custom policy is needed to create custom typessemanage fcontext -d PATH
to remove a custom file contextsemanage fcontext -lC
to list custom file contextssemodule -DB
to rebuild policy with all dontaudit rules disabled
audit2allow
doesn’t show anythingsemodule -B
to rebuild policy (with dontaudit rules)semodule -i MODULE.pp
to install a modulesemodule -r MODULE
to remove a moduleAlso a few scripts for policy creation and management are essential. There are two basic approaches to policy creation: modules and policy modules.
Modules: can be used to modify AVC rules and are pretty simple
# a violation has occurred that you want to allow or dontaudit
echo "module my_allow 1.0;" > my_allow.te
audit2allow -ar >> my_allow.te
# verify that my_allow.te has what you expect
cat my_allow.te
# build and install the module (replace mcs with whatever policy you are using)
make -f /usr/share/selinux/mcs/include/Makefile my_allow.pp
semodule -i my_allow.pp
# clear audit logs
rm -f /var/log/audit/audit.log.*; >/var/log/audit/audit.log
Policy modules: can do anything, but are complicated, and the tools for creating them are mostly based on Red Hat.
Creating a new type:
# generate foo.fc, foo.if, and foo.te
sepolicy generate --newtype -t foo_var_lib_t -n foo
# note: see sepolicy-generate(8); sepolicy generate only supports the following
# type suffixes, but its output files can be adapted to your use case
# _tmp_t
# _unit_file_t
# _var_cache_t
# _var_lib_t
# _var_log_t
# _var_run_t
# _var_spool_t
# _port_t
# modify the .fc file with the desired file contexts, for example (with s0 for mcs)
# /path/to/context/target -- gen_context(system_u:object_r:type_t,s0)
#
# note: the "--" matches regular files, -d for directories, -c for character
# devices, -l for symbolic links, -b for block devices, or can be omitted
# to match anything. also, as mentioned before, I often have better luck
# with `semanage fcontext`, especially for user directories
vi foo.fc
# build and install the policy module
make -f /usr/share/selinux/mcs/include/Makefile foo.pp
semodule -i foo.pp
# use restorecon to adjust the file contexts of any paths you have
# by default, all operations involving this type will be denied
# (and are sometimes not audited)
semodule -DB # --disable_dontaudit
# ... use the type, collect violations ...
audit2allow -ar >> foo.te
# if dontaudit is disabled, you'll likely have a lot things to remove from here
vi foo.te
# ... repeat until rules regarding type are fully defined
Creating a new application type:
# sepolicy-generate is made for Red Hat,
# but you can use --application to get started
# creates a bunch of files that define bar_t and bar_exec_t
sepolicy generate --application -n bar [-u USER] CMD
# remove the line making the app permissive (up to you, but
# I prefer using audit violations to define the permissions)
perl -i -00 -pe 's/^permissive bar_t;\n\n//g' bar.te
# ensure that the file bar_exec_t file context points to the right bin:
vi bar.fc
# build and install the policy module
make -f /usr/share/selinux/mcs/include/Makefile bar.pp
semodule -i bar.pp
# ... use the application, update AVC rules, repeat ...
If your target application is interpreted, you’ll need to write a custom C program that launches the interpreter in a specific context, then write your policy around that application. For example, you should execv something like this: /usr/bin/runcon -u user_u -t my_script_t /bin/bash PROG
.
Totally, props on taking it on as your first distro! Haha, yeah a week of pain sounds about right. My last Gentoo setup took an entire month (off and on), but I was doing something crazy (Qubes-like, every application in its own Gentoo VM, strict SELinux on host and guests)… ended up ditching that because I got comfortable enough with SELinux to write stronger policies for everything important, which is good enough for me.
I had the benefit of using other distros before trying Gentoo, so my first attempt at it wasn’t so bad (but still took two full days). It’s definitely taught me way more than any other distro, including Arch (although Arch was a very good stepping stone). I don’t think I could go back to anything else at this point
Yep! Gotta love the flexibility of it
Ah gotcha, just asking because I’ve never used it before. Good to know that Gentoo supports hardening it
Oh good to know! Thanks for the tips. What do you like about musl over glibc?
I would look into Gentoo’s Hardened + SELinux profile if you want good security in a standard system, but as others have mentioned QubesOS is probably the most secure option OOTB (but it is very limiting). SELinux is pretty difficult to use but it’s really effective, and there is good information about it on the Gentoo wiki. Not sure what exactly goes into their hardened profile but I know it implements at least some of the suggestions listed on that site (like hardened compilation flags). Also it’s probably more vulnerable to 0-day attacks than Qubes, since it uses up-to-date software. But it’s really flexible, and learning SELinux is useful
Nice :). It’s pretty basic but has just enough configuration options for what I need. It’s basically just an app drawer and favorites drawer, but you can set the favorites drawer to never close and the app drawer to never open.
The UI tools are pretty limited and I had to play around with a screenshot in GIMP and re-arrange the exported settings file in order to get my favorites ordered as desired (possible without doing that, but slow). But since setting it up everything has been pretty smooth
Kvaesitso is pretty slick! I just tried it for a bit, and it looks well-written. I like having all my icons shrunk down and compressed on my desktop, so it’s not quite what I’m looking for, but I tried Discreet Launcher after your comment and was able to configure it pretty well to my liking. Still missing some features that I like from OpenLauncher but it has what I need
Oh good point, thanks for the heads up. I see that the last release was a few years ago and there are a lot of open issues. I haven’t had too many problems with it, but a launcher is something you don’t want to have security vulnerabilities for. Will look around for an alternative
I suppose the most tangible benefit I get out of it is embedding a custom initramfs into the kernel and using it as an EFI stub. And I usually disable module loading and compile in everything I need, which feels cleaner. Also I make sure to tune the settings for my CPU and GPU, enable various virtualization options, and force SELinux to always remain active, among other things.