Viewing posts for the category Omarine User's Manual

SELinux: snapd: Confining snaps to their private domain

Snaps are applications that are installed and updated automatically by snapd. If you use the Swift programming language, a good IDE for it is Visual Studio Code (vscode). Visual Studio Code is available as a snap and you can install it as follows:

An idea on how to find the COVID-19 pandemic vaccine

As every person on our planet has an obligation to help prevent the COVID-19 pandemic, for themselves and for others, I do not hesitate to state an idea of how to find a COVID-19 vaccine.

Origin of the idea

COVID-19 has caused terrible global damage with no sign of decline, and has lasted nearly a year without a clearly effective vaccine.

COVID-19 is a non-trivial pandemic. Before mass application, vaccines must be tested in humans on a large scale. That requires a scientific approach worthy of the virus, handling it thoroughly while avoiding dangerous side effects for the participants in the trial.

COVID-19 has opened a new stage of world medicine. Old knowledge cannot solve new problems; that requires discovering new laws of knowledge instead of deducing from old ones. This is true of all disciplines, including medicine. Fortunately, we have Machine Learning to fulfill this requirement.

Theoretical basis

In the third industrial revolution, digitalization removed a lot of unnecessary information, thereby shrinking a problem's large space into a small one. However, digital processing by itself is only used to handle quickly problems that have already been solved.

Today's Machine Learning, that is, the Machine Learning of the fourth industrial revolution, and especially Genetic Algorithms, is capable of synthesizing knowledge into new knowledge and thus solving unsolved problems. It is therefore well suited to assisting in the treatment of the coronavirus family, a large group of complex viruses that cause pandemics such as this 21st-century incident.

The destruction of nature and the extinction of many animal species caused by humans have disrupted the ecological balance. The coronavirus family, which was adapted only to animals, was forced to evolve over many generations until COVID-19 became so sophisticated that it could live in humans and transmit disease at an unexpected rate, in a way that world medicine has yet to grasp.

But we believe that as long as the sun still shines, we can completely control COVID-19 and its descendants in the future.

In fact, world medicine has not been able to accurately characterize COVID-19 and its evolutionary process, and cannot describe the symptoms clearly. Remedies that treat only the symptoms merely chase the virus, because by then it has transformed into another variant. The evidence is that the second wave of COVID-19 outbreaks is raging with greater intensity and sophistication than before. Stereotyped prevention campaigns are both incomplete and redundant. As a result, the epidemic is not stopped while the economic losses are heavy.

To handle the root cause, we need to know the structure, basic properties, living conditions and other specialist information about COVID-19 in order to determine the vaccine properly.

Genetic Algorithms, the highest representative of evolutionary machine learning, will take up the problem at hand as an obvious obligation.


Medical professionals, microbiologists and epidemiologists need to provide analyses, known characteristics or assumptions about the coronavirus ancestors, from the time when they could only live in animals, as the initialization parameters. The Genetic Algorithm will then evolve them until the generation in which the virus is adapted to infect humans; at that point COVID-19 must reveal its original form.

Not only for virus identification: Genetic Algorithms can also aid in vaccine production. They are the most powerful tool for solving complex constraint problems with an unlimited number of variables and constraints (up to the limit of computer resources) and arbitrary nonlinear mappings. Genetic Algorithms can be used to solve the multi-objective problem of a reasonable medicinal ratio: cure the disease without causing side effects while remaining affordable, and satisfy any other conditions of the manufacturer. So

Medicine + Genetic Algorithms = Successfully eradicate COVID-19

I am ready to provide the algorithms and cooperate with organizations and individuals interested in this solution.

All the best,
Pham Thanh Tuyen - Author of Football Predictions

SELinux: polkit: Default security context

When using PAM services such as login, su, sudo, polkit-1, sshd and gdm-password, PAM (through pam_selinux) performs a manual domain transition: it sets the context of the program it is about to execute explicitly with setexeccon() rather than relying on a type_transition rule, and the new security context is selected from the default security contexts. The default security context is configurable. The general configuration file is /etc/selinux/omarine/contexts/default_contexts, and the configuration files for specific SELinux users are located in the /etc/selinux/omarine/contexts/users directory.

If we configure the default security contexts only in the file /etc/selinux/omarine/contexts/default_contexts, PAM may end up in a context we did not intend, because it takes the first context of the candidate list that the policy allows for the user, in the order the candidates appear in the configuration file. The safe way is therefore to configure the default security context for each specific SELinux user in the files in the /etc/selinux/omarine/contexts/users directory; the per-user file is consulted before default_contexts, so its candidates come first.

For example, when we run the pkexec command of polkit to execute a program as the root user, the configuration file /etc/selinux/omarine/contexts/users/root is used to get the default security context for the root user.
The type of the pkexec program file is pkexec_exec_t (an Omarine-specific type).
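To make the selection order concrete, the following is an added example (not Omarine's or libselinux's code) that models how libselinux's get_ordered_context_list() ranks the candidate contexts which pam_selinux then tries in order: the per-user file is read first, then default_contexts; a line is used only when its first field matches the role:type of the calling process; and only candidates the policy actually allows for the SELinux user (what security_compute_user() would return) are kept. The file contents, the reachable contexts and the role and type names below are constructed for illustration and are assumptions, not Omarine's real configuration.

```javascript
// Added example: a model of libselinux default-context ordering, not libselinux itself.
// Config entries are "role:type[:level]"; full contexts are "user:role:type[:level]".
// Matching is done on role:type only, so the level suffix in the files is ignored.
function entryRoleType(entry) { return entry.split(":").slice(0, 2).join(":"); }
function contextRoleType(ctx) { return ctx.split(":").slice(1, 3).join(":"); }

// Walk one config file in order.  A line is "<from role:type> <candidate> <candidate> ...".
// Lines whose first field does not match the caller's role:type are skipped.  Each
// candidate that names a reachable context not yet ranked gets the next rank number.
function applyOrder(fileText, fromCon, reachable, rank, state) {
  for (const raw of fileText.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const [from, ...candidates] = line.split(/\s+/);
    if (entryRoleType(from) !== contextRoleType(fromCon)) continue;
    for (const cand of candidates) {
      for (const ctx of reachable) {
        if (contextRoleType(ctx) === entryRoleType(cand) && !(ctx in rank)) {
          rank[ctx] = state.next++;
        }
      }
    }
  }
}

// reachable: the contexts the policy permits for this SELinux user.  Returns them in the
// order PAM will try them; pam_selinux takes the first unless asked to prompt the user.
function orderedContextList(fromCon, reachable, userFileText, defaultFileText) {
  const rank = {};
  const state = { next: 0 };
  applyOrder(userFileText || "", fromCon, reachable, rank, state); // contexts/users/<user> first
  applyOrder(defaultFileText, fromCon, reachable, rank, state);    // then default_contexts
  // Reachable contexts named by neither file go last, in their original order.
  const fallback = (c) => reachable.length + reachable.indexOf(c);
  return reachable.slice().sort((a, b) =>
    (a in rank ? rank[a] : fallback(a)) - (b in rank ? rank[b] : fallback(b)));
}

// Constructed sample: sshd (system_r:sshd_t) logging in the SELinux user "root".
const FROM_CON = "system_u:system_r:sshd_t:s0";
const REACHABLE_FOR_ROOT = [            // assumption: what the policy permits for root
  "root:staff_r:staff_t:s0",
  "root:sysadm_r:sysadm_t:s0",
  "root:unconfined_r:unconfined_t:s0",
];
const DEFAULT_CONTEXTS = `
# constructed excerpt in the default_contexts format
system_r:local_login_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0         user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
`;
const USERS_ROOT = `
# constructed contexts/users/root: sshd logins for root should land in sysadm_t
system_r:sshd_t:s0  sysadm_r:sysadm_t:s0
`;

// First context PAM would pick, with or without the per-user file.
function firstContext(userFileText) {
  return orderedContextList(FROM_CON, REACHABLE_FOR_ROOT, userFileText, DEFAULT_CONTEXTS)[0];
}

// With default_contexts alone, user_r:user_t is not reachable for root, so the next
// candidate on the line, staff_r:staff_t, wins.  The per-user file puts sysadm_t first.
console.log("default_contexts only:", firstContext(null));
console.log("with users/root      :", firstContext(USERS_ROOT));
```

The point to take from the run is the difference between the two calls: the same default_contexts line yields a staff_t login for root until the users/root file, which is consulted first, names sysadm_t. When debugging an unexpected login domain, compare the caller's role:type (for example from ps -eZ on sshd) against the first field of the matching lines, since that is the only part of the context the lookup matches on.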

SELinux: polkit: Authorization policy and security policy

Every day you can do all your daily work in the desktop environment as a normal user. Then, without needing to be root or even an administrator, you can power off the machine, although really only root has the capability to do so. That is because you are using the polkit authorization policy.

As an administrator, you can update passwords for users because you are authorized to use an account service in the system. This service has the privileges to handle such requests.

All users naturally need a network connection, and the authorization policy allows this by default. Administrators can even modify the network connection for all users without authentication if there is an authorization rule that allows it (this is the default authorization policy in Omarine).

Administrators can set the system time and time zone according to the authorization policy.

When you use a file browser, the filesystems on the drives are automatically mounted by the udisks tool, which is governed by the authorization policy.

Many other applications use the authorization policy to make things convenient for users. It also makes administration easy. However, convenience is always accompanied by security concerns. In this article we review and develop the security policy in relation to the authorization policy. In particular, we practice building an administrator program that updates user passwords by applying the authorization policy. This program is useful for administrators when the account service is not available.

Normal user, administrator, root, super user, privileged and unprivileged user, restricted user

Before going into the main part, we reinforce some concepts about users. They have different meanings depending on the specific context.

At the kernel level there are only two kinds of user: root and normal user. root is the privileged user (technically, root has user ID 0, so processes with an effective user ID of 0 are privileged processes) and bypasses all kernel permission checks; hence it is also called the super user. However, with the SELinux security policy in place, root is no longer exempt as before and its "super" ability has also decreased. In contrast, normal users, who have a user ID other than zero, undergo full permission checking based on their credentials and, apart from any capabilities they have been granted, are unprivileged users.

It is the authorization policy that gives rise to the concept of an administrator, who deals with system administration and operating tasks within the scope of the authorization policy. Thus, for the authorization policy there are three kinds of user: root, administrator and normal user.

From the same viewpoint as the authorization policy, the SELinux security policy has the SELinux root user corresponding to the Linux root, staff_u corresponding to the administrator and user_u corresponding to the normal user. In addition, SELinux also has users with fewer rights than normal users, which can be classified as restricted users: guest_u and xguest_u. Restricted users are uncommon and can be used for (mapped from) Linux system users. user_u is usually the default user.

Authorization policy

Any application that wants to apply the authorization policy needs to ship (or use) a privileged program called the mechanism and an unprivileged program called the subject. The mechanism runs as root, or its process has an effective user ID of 0, while the subject runs as a normal user, or its process has an effective user ID other than zero.

The mechanism provides the service, and it can accept or deny requests from the subject through the authority, which is implemented by the polkit system daemon, polkitd.
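The authorization policy that polkitd consults for the mechanism is written as JavaScript rules files. The following added example (not Omarine's or polkit's own code) shows the two kinds of rule from the page: an admin rule that makes "administrator" mean membership of a Unix group, and the "administrators modify the network connection without authentication" rule mentioned earlier, written with the caveat a practitioner would want, namely that only an administrator in an active local session is waved through while the same account over a remote or inactive session still has to authenticate. The rules use the real polkit rules API (polkit.addAdminRule, polkit.addRule, polkit.Result, action.id, subject.isInGroup, subject.local, subject.active) exactly as they would appear in a file under /etc/polkit-1/rules.d/. The polkit object defined at the top, the implicit-authorization table, the group name wheel, the action ids and the constructed subjects are a stand-in for polkitd and are assumptions so that the rules can be exercised offline.

```javascript
// Added example: polkit authorization rules plus a stand-in for polkitd's rule engine.
// Only the two polkit.add*Rule() calls are what a real .rules file would contain.

// ---- stand-in for the authority (polkitd); not polkit's implementation ----
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
            AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  _adminRules: [], _rules: [],
  addAdminRule(fn) { this._adminRules.push(fn); },
  addRule(fn) { this._rules.push(fn); },
  // Identities allowed to authenticate as administrator: first admin rule with an answer.
  _admins(action, subject) {
    for (const fn of this._adminRules) { const r = fn(action, subject); if (r != null) return r; }
    return [];
  },
  // Rules run in order and the first one returning a value decides.  If none does, the
  // action's implicit authorization applies, chosen by the subject's session state.
  _check(action, subject) {
    for (const fn of this._rules) { const r = fn(action, subject); if (r != null) return r; }
    const d = IMPLICIT[action.id];
    return !subject.local ? d.allow_any : !subject.active ? d.allow_inactive : d.allow_active;
  },
};

// Constructed implicit authorizations (assumed; a real system reads them from .policy files).
const IMPLICIT = {
  "org.freedesktop.login1.power-off":
    { allow_any: "auth_admin_keep", allow_inactive: "auth_admin_keep", allow_active: "yes" },
  "org.freedesktop.NetworkManager.settings.modify.system":
    { allow_any: "auth_admin_keep", allow_inactive: "auth_admin_keep", allow_active: "auth_admin_keep" },
};

// ---- the authorization policy, as it would be shipped in .rules files ----
// Administrators are the members of the wheel group (assumption for this example).
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:wheel"];
});

// Let administrators change system network settings without authenticating, but only
// from an active local session; over ssh or from a background session ask for an admin
// password (and keep the authorization briefly so repeated edits do not re-prompt).
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.NetworkManager.settings.modify.system" &&
      subject.isInGroup("wheel")) {
    return (subject.local && subject.active) ? polkit.Result.YES
                                             : polkit.Result.AUTH_ADMIN_KEEP;
  }
  // no return value: later rules and the implicit authorization decide
});

// ---- exercising the policy with constructed subjects ----
function makeSubject(groups, local, active) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}
function decide(actionId, subject) { return polkit._check({ id: actionId }, subject); }
function adminIdentities(actionId) { return polkit._admins({ id: actionId }, makeSubject([], true, true)); }

const NET = "org.freedesktop.NetworkManager.settings.modify.system";
const OFF = "org.freedesktop.login1.power-off";
console.log("admin at console, modify network  :", decide(NET, makeSubject(["wheel"], true, true)));
console.log("admin over ssh,   modify network  :", decide(NET, makeSubject(["wheel"], false, true)));
console.log("normal user,      modify network  :", decide(NET, makeSubject(["users"], true, true)));
console.log("normal user at console, power off :", decide(OFF, makeSubject(["users"], true, true)));
console.log("normal user over ssh,   power off :", decide(OFF, makeSubject(["users"], false, true)));
```

Two things in the run are worth noticing. The normal user can power off from the console with no rule at all, purely because the action's active-session default is yes, which is the convenience the page describes; the same user over ssh is asked for an administrator's password. And the network rule shows the difference between returning polkit.Result.YES and polkit.Result.AUTH_ADMIN_KEEP: the former is what "without authentication" means, so it should be handed out only when the session checks justify it.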

SELinux: An interesting domain transition circle

There is a domain transition situation where, through a chain of domain transitions, the domain returns to its original domain. This interesting situation is a typical case of a transition chain, and it gives us an outline of how the SELinux system works. Through it we also see how much work remains to be done to develop security policies.

The domain transition circle when executing the rpm package manager program