1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="../../favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page
--
</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Installing Gentoo (Hardened)</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
Getting a SELinux-powered Gentoo installation doesn't require weird actions.
What you need to do is install Gentoo Linux with the correct profile, correct
kernel configuration and some file system relabelling. We seriously recommend to
use SELinux together with other hardening improvements (such as PaX /
grSecurity).
</p>
<p>
This chapter will describe the steps to install Gentoo with SELinux. We
assume that you have an existing Gentoo Linux system which you want to convert
to Gentoo with SELinux. If this is not the case, you should still read
on: you can install Gentoo with SELinux immediately if you make the
correct decisions during the installation process, based on the information in
this chapter.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Performing a Standard Installation</a></p>
<p>
Install Gentoo Linux according to the <a href="http://www.gentoo.org/doc/en/handbook">Gentoo
Handbook</a> installation instructions. We recommend the use of the hardened
stage 3 tarballs and <span class="code" dir="ltr">hardened-sources</span> kernel instead of the standard
ones, but standard stage installations are also supported for SELinux.
Perform a full installation to the point that you have booted your system
into a (primitive) Gentoo base installation.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
If you are an XFS user, make sure that the inode sizes of the XFS file
system is 512 byte. Since the default is 256, you will need to run the
<span class="code" dir="ltr">mkfs.xfs</span> command with the <span class="code" dir="ltr">-i size=512</span> arguments, like so:
<span class="code" dir="ltr">mkfs.xfs -i size=512 /dev/sda3</span>
</p></td></tr></table>
<p class="secthead"><a name="doc_chap1_sect1">Switching to Python 2</a></p>
<p>
For now, the SELinux management utilities are not compatible with Python 3 so
we recommend to switch to Python 2 until the packages are updated and fixed.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching to python 2</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">emerge '<=dev-lang/python-3.0'</span>
~# <span class="code-input">eselect python list</span>
Available Python interpreters:
[1] python2.7
[2] python3.1 *
~# <span class="code-input">eselect python set 1</span>
~# <span class="code-input">source /etc/profile</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Optional: Setting the filesystem contexts</a></p>
<p>
If your <span class="path" dir="ltr">/tmp</span> location is a tmpfs-mounted file system, then you need
to tell the kernel that the root context of this location is <span class="code" dir="ltr">tmp_t</span>
instead of <span class="code" dir="ltr">tmpfs_t</span>. Many SELinux policy objects (including various
server-level policies) assume that <span class="path" dir="ltr">/tmp</span> is <span class="code" dir="ltr">tmp_t</span>.
</p>
<p>
To configure the <span class="path" dir="ltr">/tmp</span> mount, edit your <span class="path" dir="ltr">/etc/fstab</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update /etc/fstab for /tmp</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># For a "targeted" or "strict" policy type:</span>
tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t</span> 0 0
<span class="code-comment"># For an "mls" or "mcs" policy type:</span>
tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t:s0</span> 0 0
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Change the Gentoo Profile</a></p>
<p>
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
to the right SELinux profile (for instance,
<span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span>). Note that the older
profiles (like <span class="path" dir="ltr">selinux/v2refpolicy/amd64/hardened</span>) are not
supported anymore.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching the Gentoo profile</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">eselect profile list</span>
Available profile symlink targets:
[1] default/linux/amd64/10.0
[2] default/linux/amd64/10.0/selinux
[3] default/linux/amd64/10.0/desktop
[4] default/linux/amd64/10.0/desktop/gnome
[5] default/linux/amd64/10.0/desktop/kde
[6] default/linux/amd64/10.0/developer
[7] default/linux/amd64/10.0/no-multilib
[8] default/linux/amd64/10.0/server
[9] hardened/linux/amd64
[10] hardened/linux/amd64/selinux
[11] hardened/linux/amd64/no-multilib *
[12] hardened/linux/amd64/no-multilib/selinux
~# <span class="code-input">eselect profile set 12</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Starting from the profile change, Portage will warn you after every installation
that it was "Unable to set SELinux security labels". This is to be expected,
because the tools and capabilities that Portage requires to set the security
labels aren't available yet. This warning will vanish the moment the SELinux
installation is completed.
</p></td></tr></table>
<p>
Don't update your system yet - we will need to install a couple of packages in a
particular order which Portage isn't aware of in the next couple of sections.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Update make.conf</a></p>
<p>
Next, take a look at the following USE flags and decide if you want to enable
or disable them.
</p>
<table class="ntable">
<tr>
<td class="infohead"><b>USE flag</b></td>
<td class="infohead"><b>Default Value</b></td>
<td class="infohead"><b>Description</b></td>
</tr>
<tr>
<td class="tableinfo">peer_perms</td>
<td class="tableinfo">Enabled</td>
<td class="tableinfo">
The peer_perms capability controls the SELinux policy network peer controls.
If set, the access control mechanisms that SELinux uses for network based
labelling are consolidated. This setting is recommended as the policy is
also updated to reflect this. If not set, the old mechanisms (NetLabel and
Labeled IPsec) are used side by side.
</td>
</tr>
<tr>
<td class="tableinfo">open_perms</td>
<td class="tableinfo">Enabled</td>
<td class="tableinfo">
The open_perms capability enables the SELinux permission "open" for files
and file-related classes. Support for the "open" call was added a bit later
than others so support was first made optional. However, the policies have
matured sufficiently to have the open permission set.
</td>
</tr>
<tr>
<td class="tableinfo">ubac</td>
<td class="tableinfo">Enabled</td>
<td class="tableinfo">
When disabled, the SELinux policy is built without user-based access control.
</td>
</tr>
</table>
<p>
Make your choice and update the <span class="code" dir="ltr">USE</span> variable in
<span class="path" dir="ltr">/etc/make.conf</span>.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Manual System Changes</a></p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
Most, if not all of the next few changes will be resolved through regular
packages as soon as possible. However, these fixes have impact beyond the Gentoo
Hardened installations. As such, these changes will be incorporated a bit slower
than the SELinux-specific updates. For the time being, manually correcting these
situations is sufficient (and a one-time operation).
</p></td></tr></table>
<p>
The following changes <span class="emphasis">might</span> be necessary on your system, depending on the
tools or configurations that apply.
</p>
<ul>
<li>
If you use LVM for one or more file systems, you need to edit
<span class="path" dir="ltr">/lib/rcscripts/addons/lvm-start.sh</span> (or <span class="path" dir="ltr">/lib64/..</span>)
and <span class="path" dir="ltr">lvm-stop.sh</span> and set the config location from
<span class="path" dir="ltr">/dev/.lvm</span> to <span class="path" dir="ltr">/etc/lvm/lock</span>. Next, create the
<span class="path" dir="ltr">/etc/lvm/lock</span> directory. Finally, add
<span class="path" dir="ltr">/lib(64)/rcscripts/addons</span> to <span class="code" dir="ltr">CONFIG_PROTECT</span> in your
<span class="path" dir="ltr">make.conf</span> file.
</li>
<li>
Check if you have <span class="path" dir="ltr">*.old</span> files in <span class="path" dir="ltr">/bin</span>. If you do,
either remove those or make them a copy of their counterpart so that they
get their own security context. The <span class="path" dir="ltr">.old</span> files are hard links
which mess up the file labelling. For instance, <span class="code" dir="ltr">cp /bin/hostname
/bin/hostname.old</span>.
</li>
<li>
Edit <span class="path" dir="ltr">/etc/sandbox.conf</span> and add in
<span class="path" dir="ltr">/sys/fs/selinux/context</span> to the <span class="code" dir="ltr">SANDBOX_WRITE</span> parameter.
This is currently needed to work around bug <a href="https://bugs.gentoo.org/410687">410687</a>.
</li>
</ul>
<p class="secthead"><a name="doc_chap1_sect1">Installing a SELinux Kernel</a></p>
<p>
Although the default Linux kernels offer SELinux support, we recommend the use
of the <span class="path" dir="ltr">sys-kernel/hardened-sources</span> package.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing hardened-sources</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">(Only if you have not installed it previously of course)</span>
~# <span class="code-input">emerge hardened-sources</span>
</pre></td></tr>
</table>
<p>
Next, reconfigure the kernel with the appropriate security settings. This
includes, but is not limited to
</p>
<ul>
<li>Support for extended attributes in the various file systems</li>
<li>Support system-call auditing</li>
<li>Support for SELinux</li>
</ul>
<p>
Below you can find a quick overview of the recommended settings.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recommended settings for the Linux kernel configuration</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">Under "General setup"</span>
[*] Prompt for development and/or incomplete code/drivers
[*] Auditing support
[*] Enable system-call auditing support
<span class="code-comment">Under "File systems"</span>
<span class="code-comment">(For each file system you use, make sure extended attribute support is enabled)</span>
<*> Second extended fs support
[*] Ext2 extended attributes
[ ] Ext2 POSIX Access Control Lists
[*] Ext2 Security Labels
[ ] Ext2 execute in place support
<*> Ext3 journalling file system support
[ ] Default to 'data=ordered' in ext3
[*] Ext3 extended attributes
[ ] Ext3 POSIX Access Control Lists
[*] Ext3 Security Labels
<*> The Extended 4 (ext4) filesystem
[*] Ext4 extended attributes
[ ] Ext4 POSIX Access Control Lists
[*] Ext4 Security Labels
<*> JFS filesystem support
[ ] JFS POSIX Access Control Lists
[*] JFS Security Labels
[ ] JFS debugging
[ ] JFS statistics
<*> XFS filesystem support
[ ] XFS Quota support
[ ] XFS POSIX ACL support
[ ] XFS Realtime subvolume support (EXPERIMENTAL)
[ ] XFS Debugging Support
<*> Btrfs filesystem (EXPERIMENTAL)
[ ] Btrfs POSIX Access Control Lists
<span class="code-comment">Under "Security options"</span>
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] NSA SELinux Support
[ ] NSA SELinux boot parameter
[ ] NSA SELinux runtime disable
[*] NSA SELinux Development Support
[ ] NSA SELinux AVC Statistics
(1) NSA SELinux checkreqprot default value
[ ] NSA SELinux maximum supported policy format version
Default security module (SELinux) --->
</pre></td></tr>
</table>
<p>
We recommend to use PaX as well. More information on PaX within Gentoo Hardened
can be found in the <a href="pax-quickstart.html">Hardened
Gentoo PaX Quickstart Guide</a>.
</p>
<p>
Build and install the new Linux kernel and its modules.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Update fstab</a></p>
<p>
Next, edit <span class="path" dir="ltr">/etc/fstab</span> and add the following two lines:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling selinux-specific file system options</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># The udev mount is due to bug #373381</span>
udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
none /selinux selinuxfs defaults 0 0
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
In case of an MLS/MCS policy, you need to have the context with sensitivity
level, so <span class="code" dir="ltr">...:device_t:s0</span>.
</p></td></tr></table>
<p>
Make the <span class="path" dir="ltr">/selinux</span> mountpoint as well:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating the /selinux mountpoint</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">mkdir /selinux</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Reboot</a></p>
<p>
With the above changes made, reboot your system. Assert yourself that you are
now running a Linux kernel with SELinux enabled (the <span class="path" dir="ltr">/selinux</span> file
system should be mounted). Don't worry - SELinux is at this point not activated.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Configure SELinux</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
Next we will need to configure SELinux by installing the appropriate
utilities, label our file system and configure the policy.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Install Policies and Utilities</a></p>
<p>
First, install the <span class="path" dir="ltr">sys-apps/checkpolicy</span> and
<span class="path" dir="ltr">sys-apps/policycoreutils</span> packages. Although these will be pulled in
as dependencies of the SELinux policy packages themselves, we need to install
these one time first - hence the <span class="code" dir="ltr">-1</span> option.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux policy core utilities</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">emerge -1 checkpolicy policycoreutils</span>
</pre></td></tr>
</table>
<p>
Next, install the SELinux policy package
(<span class="path" dir="ltr">sec-policy/selinux-base-policy</span>). This package contains the base
SELinux policy needed to get your system up and running using SELinux.
As Portage will try to label and reload policies (since the installation of
<span class="path" dir="ltr">sys-apps/policycoreutils</span>) we need to temporarily disable SELinux
support (as Portage wouldn't be able to label anything as it doesn't understand
it yet).
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing the SELinux policy packages</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">FEATURES="-selinux" emerge selinux-base-policy</span>
</pre></td></tr>
</table>
<p>
Next, rebuild those packages affected by the profile change we did previously
through a standard world update, taking into account USE-flag changes (as the
new profile will change many default USE flags, including enabling the
<span class="code" dir="ltr">selinux</span> USE flag). Don't forget to use <span class="code" dir="ltr">etc-update</span> or
<span class="code" dir="ltr">dispatch-conf</span> afterwards as some changes to configuration files need to
be made.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update your Gentoo Linux system</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">emerge -uDN world</span>
</pre></td></tr>
</table>
<p>
Next, install the additional SELinux tools that you might need in the future to
debug or help with your SELinux installation. These packages are optional, but
recommended.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing additional SELinux packages</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">emerge setools sepolgen checkpolicy</span>
</pre></td></tr>
</table>
<p>
Finally, install the policy modules for those utilities you think you need
policies for. In the near future, this will be done automatically for you (the
packages will have an optional dependency on it, triggered by the selinux USE
flag), but until that time, you will need to install them yourself.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux modules</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">emerge --search selinux-</span>
[...]
<span class="code-comment">(Select the modules you want to install)</span>
~# <span class="code-input">emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Configure the SELinux Policy</a></p>
<p>
Inside <span class="path" dir="ltr">/etc/selinux/config</span> you can configure how SELinux is
configured at boot time.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Editing the /etc/selinux/config file</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<span class="code-input">permissive</span>
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=<span class="code-input">strict</span>
</pre></td></tr>
</table>
<p>
Within this configuration file, two variables can be set:
</p>
<ul>
<li>
<span class="code" dir="ltr">SELINUX</span> sets how SELinux should behave:
<ul>
<li>
<span class="code" dir="ltr">enforcing</span> will enable and enforce policies. This is where we want
to go for, but you should probably start with <span class="code" dir="ltr">permissive</span>.
</li>
<li>
<span class="code" dir="ltr">permissive</span> will enable policies, but not enforce them. Any
violation is reported but not denied. This is where you should start
from as it will not impact your system yet allow you to get acquainted
with SELinux - and validate the warnings to see if you can switch
towards <span class="code" dir="ltr">enforcing</span> or not.
</li>
<li>
<span class="code" dir="ltr">disabled</span> will completely disable the policies. As this will not
show any violations as well, it is not recommended.
</li>
</ul>
</li>
<li>
<span class="code" dir="ltr">SELINUXTYPE</span> selects the SELinux policy type to load.
Gentoo Hardened recommends the use of <span class="code" dir="ltr">strict</span> for servers, and
<span class="code" dir="ltr">targeted</span> for desktops. The <span class="code" dir="ltr">mcs</span> type is supported, <span class="code" dir="ltr">mls</span>
is currently still considered experimental.
</li>
</ul>
<p>
The differentiation between <span class="code" dir="ltr">strict</span> and <span class="code" dir="ltr">targeted</span> is based upon the
<span class="emphasis">unconfined</span> domain. When loaded, the processes on your system that are not
specifically confined within a particular policy module will be part of the
unconfined_t domain whose purpose is to allow most activities by default (rather
than deny by default). As a result, processes that run inside the unconfined_t
domain have no restrictions apart from those already enforced by standard Linux
security. Although running without the unconfined_t domain is considered more
secure, it will also be more challenging for the administrator to make sure the
system still functions properly as there are no policy modules for each and
every application "out there".
</p>
<p>
Next to <span class="code" dir="ltr">targeted</span> and <span class="code" dir="ltr">strict</span>, you can opt for <span class="code" dir="ltr">mcs</span> to allow
categorization of the process domains. This is useful on multi-tenant systems
such as web servers, virtualization hosts, ... where multiple processes will be
running, most of them in the same security domain, but in different categories.
</p>
<p>
Finally, you can also select <span class="code" dir="ltr">mls</span> to differentiate security domains on
a sensitivity level. However, MLS is currently still considered experimental
in Gentoo and as such not recommended.
</p>
<p>
When you have made your choice between the SELinux policy types, save
this in your <span class="path" dir="ltr">/etc/make.conf</span> file as well. That way, Portage will
only install the policy modules for that SELinux type.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting the policy type in make.conf</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">nano /etc/make.conf</span>
POLICY_TYPES="<span class="code-input">strict</span>"
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Reboot, and Label the File System</a></p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
Repeat these steps every time you have rebooted from a non-SELinux enabled
kernel into a SELinux enabled kernel, as running with a non-SELinux enabled
kernel will not update the security attributes of the files you create or
manipulate during your day-to-day activities on your system.
</p></td></tr></table>
<p>
First reboot your system so that the installed policies are loaded. Now we
need to relabel your devices and openrc related files. This will apply the
correct security contexts (labels) onto the necessary files.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev structure</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">mkdir /mnt/gentoo</span>
~# <span class="code-input">mount -o bind / /mnt/gentoo</span>
<span class="code-comment">(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</span>
~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</span>
~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</span>
~# <span class="code-input">umount /mnt/gentoo</span>
</pre></td></tr>
</table>
<p>
Next, if you have a swapfile rather than a swap partition, label it accordingly:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Labelling the swap file</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">semanage fcontext -a -t swapfile_t "http://www.gentoo.org/swapfile"</span>
~# <span class="code-input">restorecon /swapfile</span>
</pre></td></tr>
</table>
<p>
Now relabel your entire file system. The next command will apply the correct
security context onto the files on your file system, based on the security
context information provided by the SELinux policy modules installed.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel the entire file system</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">rlpkg -a -r</span>
</pre></td></tr>
</table>
<p>
If you ever have to install a SELinux policy module for a package after that
that particular package is installed, you need to run <span class="code" dir="ltr">rlpkg</span> for that
package to make sure that the security contexts for these files are set
correctly. For instance, if you have installed
<span class="path" dir="ltr">sec-policy/selinux-screen</span> after discovering that you have
<span class="code" dir="ltr">screen</span> on your system:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling the files for a single package</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">(Make sure no screen sessions are running as their security contexts will not be adapted)</span>
~# <span class="code-input">rlpkg -t screen</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p>
<p>
Reboot your system so that the newly applied file contexts are used. Log on
and, if you have indeed installed Gentoo using the hardened sources (as we
recommended), enable the SSP SELinux boolean, allowing every domain read
access to the <span class="path" dir="ltr">/dev/urandom</span> device:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling the global_ssp boolean</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">setsebool -P global_ssp on</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p>
<p>
If the <span class="code" dir="ltr">SELINUXTYPE</span> is set to <span class="code" dir="ltr">strict</span>, then we
need to map the account(s) you use to manage your system (those
that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. If not, none
of your accounts will be able to succesfully manage the system (except for
<span class="code" dir="ltr">root</span>, but then you will need to login as <span class="code" dir="ltr">root</span> directly and not
through <span class="code" dir="ltr">sudo</span> or <span class="code" dir="ltr">su</span>.) By default, users are mapped to the
<span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the appropriate rights (nor access
to the appropriate roles) to manage a system. Accounts that are mapped to
<span class="code" dir="ltr">staff_u</span> can, but might need to switch roles from <span class="code" dir="ltr">staff_r</span> to
<span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate privileges.
</p>
<p>
Assuming that your account name is <span class="emphasis">john</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping the Linux account john to the SELinux user staff_u</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">semanage login -a -s staff_u john</span>
~# <span class="code-input">restorecon -R -F /home/john</span>
</pre></td></tr>
</table>
<p>
If you later log on as <span class="emphasis">john</span> and want to manage your system, you will
probably need to switch your role. You can use <span class="code" dir="ltr">newrole</span> for this:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~$ <span class="code-input">id -Z</span>
staff_u:staff_r:staff_t
~$ <span class="code-input">newrole -r sysadm_r</span>
Password: <span class="code-comment">(Enter your password)</span>
~$ <span class="code-input">id -Z</span>
staff_u:sysadm_r:sysadm_t
</pre></td></tr>
</table>
<p>
If you however use a <span class="code" dir="ltr">targeted</span> policy, then the user you work with will be
of type <span class="emphasis">unconfined_t</span> and will already have the necessary privileges to
perform system administrative tasks.
</p>
<p>
With that done, enjoy - your first steps into the SELinux world are now made.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
</form>
</td></tr>
<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
|
GitWeb