Skip to content

Attraktor Cinema am 08.11.2014: Zwei schräge Vögel

Am kommenden Samstag den 08.11.2014 möchten wir euch zum Attraktor-Cinema einladen, von 20:00 bis 23:00 Uhr zeigen wir den DDR-Hackerfilm “Zwei schräge Vögel” aus dem Jahre 1989. Es kann jeder kommen, seine Freunde und was zum knabbern mitbringen und sich mit uns über dieses nostalgische Stück Hackerkultur amüsieren. Der Eintritt ist kostenfrei.

Der Film wird bei vielen Bewertungsportalen überdurchschnittlich gut bewertet. Sehen wir uns dort?

Translate to de es fr it pt ja

meetup - attraktor - selinux

Just arrived at home from back to hack selinux. I tried my best to keep up the speed of slides. Nevertheless, there are some gaps in between.

Big thanks to the presenter. I turned my fear into anticipation for using it!


  • 1976 LaPadula paper released
  • DTMach as construction idea released
  • Based on FLASK, first patches to linux kernel
  • 2002 implemented as linux security module (LSM)
  • Since 2003 part of the mainline kernel
  • Fedora core was first distribution (shipped with policy)
  • Since 2007 shipped with RHEL5 EAL4+

Bell LaPadula

  • MAC
  • TE
  • RBAC
  • No read up, no write down


  • Extends DAC (directory access control)
  • mode at runtime changeable (enforcing vs permissive)
  • flexible policy
  • AVC (access vector cache)
  • root is not god anymore
  • process running in own security domain

Discretionary Access Control

  • classical security concept
  • object based access control
  • unflexible
  • rights per user
  • user can ship rights
  • uid can be changed by using suid


  • access control by using policy

TE - Type Enforcement

  • all resources have a typ/domain
  • whitelisting ruleset

Security Context

  • securityarea
  • object (user:role:domain:level)
  • subject


  • heart of selinux
  • common policis are targeted, strict and MLS
  • defines rules for access from subject of object
  • defines domain transition of a subject (when can a subject change its domain)



  • default policy
  • contains a understandable complexity
  • well choosen processes running in own domain
  • you can tweak the policy by using booleans
  • this policy should be enough for daily work
  • if you use the filesystem hirachy standard you are quite save
  • Unknown software is stored in context "unconfined"

Multi Level Security (mls)

  • everything is running under selinux policies
  • tweakable by booleans
  • only for high risk security aspects


  • enables tweaking the policy without reload
  • no knowledge about policy needed
  • booleans can set permanent
  • semanage boolean -l lists a lot of informations


  • -Z is selinux switch (ls -Z, netstat -Z)
  • cp, mkdir and so on are linked against selinux to support setting needed bytes
  • getenforec/setenforce - switching selinux mode
  • restorecon/fixfiles/chcon - changing context of subjects
  • sestatus - status
  • avcstat - status about avc
  • libselinux - the selinux
  • libsepol - all binaries linked against

Policy Management

  • setsebool/getsebool - show and set of selinux booleans
  • semanage - policy management
  • semodule -

Policy Development

  • audit2allow - builds selinux rules based on audit log
  • checkmodule - transforms rulse into binary
  • semodule_package -
  • audit2why - analyse selinux

Linux Audit Framework (LAF)

  • should be used for logging


  • you are loosing the context if your backup software does
  • tar and rsync supports :-)
Translate to de es fr it pt ja

usergroup - meetup - webPerformance - hamburg 130220

Attraktor e.v. mexikoring 21, hamburg

Soundcloud - Arbo Von Monkiewitsch

html5 audio playback widget - measuring for velocity

measure first

how to?

  • synthetic user monitoring (by phantom.js)
    • repeaable
    • doesn't show real user experience
    • good for benchmarking
  • real user monitoring (google analytics)
    • shows real user experience
    • change of user behavior impacts repeateability (e.g. side slow in asia but fast in euro)
    • impact of embedding site


  • http ping
  • fully page load
  • include all transactions
  • follow K.I.S.S., just render the page

define your goals

  • what is fast
  • don't define random goals on yourself
  • public benchmarks are good as orientation (for e.g. set up a benchmark for youtube or similar)
  • response time
  • don't simple trust your metrics

best practices

  • httparchive, pagespeed, yslow (100 - 200 ms as full page loading speed is good enough)
  • compress each connection (use varnishs or something similar for uncompressable content)
  • availability fallback -> dc
  • performance - put api in cdn (also for http or https handshake)
  • consitency - load balanced cdns

rap it up

  • measure first
  • keep it simple
  • team autonomy

phantomJs - Raj Dudi

what it is - created by ariya hidayat

  • can be integrated into jenkins
  • automation and headless testing
  • can be used for metrics measurement
  • render and dump client side html
  • current version is 1.8
  • headless (Qt)Webkit/Browser
  • javascript driven
  • ideal for
    • headless website testing -> but it is not a test framework
    • screen capture
    • page automation
    • network monitoring
  • projects
    • casperjs
    • ghostbusters
    • poltergeist

code evaluation

  • evaluate(function, arg1, arg2, ...) {object}
  • returns simple objects but no functions and closures
  • execution is sandboxed
  • dom scripting and css selector works
  • use onConsoleMessage callback to receive the console messages

get it from



hello world

console.log("Hello world"); phantom.exit();

screen capture

  • Page.render to render a screenshot
  • supports ong, jpeg, gif and pdf
  • options
    • page.clipRect = { top: 14, left: 3, width: 400, height: 300 };
    • page.paperSize = { width: '200px', height: '300px' } //for pdf output e.g., also supports borders and much more
    • page.zoomFactor = 0.25 // 1 is default
  • projects based on phantomjs
    • screenr
    • mediaqueri
    • chromanope
  • webpage api
    • var page = require('webpage').create();
    •, callback) {void}
    • page.close() {void}
    • goBack(), goForward(), title, url
    • settings{object} //enable javascript, load images, username or password, websecurity
    • page.includeJs(url, callback) {void}
    • page.injectJs(filename) {boolean}
  • webpage callbacks
    • onLoadStarted
    • onLoadFinished
    • onAlert
    • onCallback //experimental
    • onClosing
    • onConfirm
    • onConsoleMessage
    • onError
  • system API
    • var system = require('system');
    • ...
  • filesstem api
    • var fs = require('fs);
    • separator {string}
    • workingDirectory
    • ...


  • allows network sniffing
    • onResourceRequested
    • onResoureceReceived
    • TLS and SSL required for encrypted data - are they enabled?
  • error handling


  • uses qtWebKit (not used by chrome, safari and so one)
  • asynchronous api - difficult to handle for many
  • not supported
    • plugins
    • webGL
    • video and audio
    • css 3-D
    • xpath

What could i add? Thanks to the talks, yes very much. Also thanks to the attraktor, you are doing it right!

Translate to de es fr it pt ja