[ << ] [ < ] [ Home ] [ > ] [ >> ]

1. Gentoo SELinux Installation / Conversion

• Installing Gentoo (Hardened)
• Configure SELinux

1.a. Installing Gentoo (Hardened)

Introduction

Getting a SELinux-powered Gentoo installation doesn't require weird actions. What you need to do is install Gentoo Linux with the correct profile, correct kernel configuration and some file system relabelling. We seriously recommend to use SELinux together with other hardening improvements (such as PaX / grSecurity).

This chapter will describe the steps to install Gentoo with SELinux. We assume that you have an existing Gentoo Linux system which you want to convert to Gentoo with SELinux. If this is not the case, you should still read on: you can install Gentoo with SELinux immediately if you make the correct decisions during the installation process, based on the information in this chapter.

Performing a Standard Installation

Install Gentoo Linux according to the Gentoo Handbook installation instructions. We recommend the use of the hardened stage 3 tarballs and hardened-sources kernel instead of the standard ones, but standard stage installations are also supported for SELinux. Perform a full installation to the point that you have booted your system into a (primitive) Gentoo base installation.

Switching to Python 2

For now, the SELinux management utilities are not all compatible with Python 3 so we recommend to switch to Python 2 until the packages are updated and fixed.

~# emerge '<=dev-lang/python-3.0'
~# eselect python list
Available Python interpreters:
  [1]   python2.7
  [2]   python3.1 *

~# eselect python set 1
~# source /etc/profile

Choosing a SELinux policy type

Gentoo supports four policy types within SELinux: strict, targeted, mcs and mls.

The differentiation between strict and targeted is based upon the unconfined domain. When loaded, the processes on your system that are not specifically confined within a particular policy module will be part of the unconfined domains whose purpose is to allow most activities by default (rather than deny by default). As a result, processes that run inside unconfined domains have no restrictions apart from those already enforced by standard Linux security. Although running without the unconfined domains is considered more secure, it will also be more challenging for the administrator to make sure the system still functions properly as there are no policy modules for each and every application "out there".

Next to targeted and strict, you can opt for mcs to allow categorization of the process domains. This is useful on multi-tenant systems such as web servers, virtualization hosts, ... where multiple processes will be running, most of them in the same security domain, but in different categories. Note though that to take advantage of the additional category support, either the applications themselves (such as the web server or hypervisor tools) need to configure the SELinux categories (so they need to support SELinux) or you will need to script around to start the individual instances with separate categories. Otherwise, mcs is just the same as targeted or strict.

Finally, you can also select mls to differentiate security domains on a sensitivity level. However, MLS is currently still considered experimental in Gentoo and as such not recommended.

In case of mcs or mls, you will need to use the unconfined USE flag to enable or disable unconfined domains in these policy types. The strict (no unconfined domains) type does not honor the USE flag, and the targeted (unconfined domains) type requires the USE flag set.

When you have made your choice between the SELinux policy types, save this in your /etc/make.conf file as well. That way, Portage will only install the policy modules for that SELinux type. By default, the SELinux profiles enable strict and targeted (with strict being the default active type).

~# nano /etc/make.conf
POLICY_TYPES="strict"

Setting the filesystem contexts

If your /tmp location is a tmpfs-mounted file system, then you need to tell the kernel that the root context of this location is tmp_t instead of tmpfs_t. Many SELinux policy objects (including various server-level policies) assume that /tmp is tmp_t.

To configure the /tmp mount, edit your /etc/fstab:

# For a "targeted" or "strict" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0  0 0

Next, set the next line in your /etc/fstab to configure the context for the /run location:

# For a "targeted" or "strict" policy type:
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0

Change the Gentoo Profile

Now that you have a running Gentoo Linux installation, switch the Gentoo profile to the right SELinux profile (for instance, hardened/linux/amd64/no-multilib/selinux). Note that the older profiles (like selinux/v2refpolicy/amd64/hardened) are not supported anymore.

~# eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/selinux
  [3]   default/linux/amd64/10.0/desktop
  [4]   default/linux/amd64/10.0/desktop/gnome
  [5]   default/linux/amd64/10.0/desktop/kde
  [6]   default/linux/amd64/10.0/developer
  [7]   default/linux/amd64/10.0/no-multilib
  [8]   default/linux/amd64/10.0/server
  [9]   hardened/linux/amd64
  [10]  hardened/linux/amd64/selinux
  [11]  hardened/linux/amd64/no-multilib *
  [12]  hardened/linux/amd64/no-multilib/selinux

~# eselect profile set 12

Don't update your system yet - we will need to install a couple of packages in a particular order which Portage isn't aware of in the next couple of sections.

Update make.conf

Next, take a look at the following USE flags and decide if you want to enable or disable them.

Make your choice and update the USE variable in /etc/make.conf or in an appropriate /etc/portage/package.use location for the sec-policy/selinux-base package.

Manual System Changes

The following changes might be necessary on your system, depending on the tools or configurations that apply.

• Check if you have *.old files in /bin. If you do, either remove those or make them a copy of their counterpart so that they get their own security context. The .old files are hard links which mess up the file labelling. For instance, cp /bin/hostname /bin/hostname.old.

Installing a SELinux Kernel

Although the default Linux kernels offer SELinux support, we recommend the use of the sys-kernel/hardened-sources package.

(Only if you have not installed it previously of course)
~# emerge hardened-sources

Next, reconfigure the kernel with the appropriate security settings. This includes, but is not limited to

• Support for extended attributes in the various file systems
• Support system-call auditing
• Support for SELinux

Below you can find a quick overview of the recommended settings.

Under "General setup"
[*] Prompt for development and/or incomplete code/drivers
[*] Auditing support
[*]   Enable system-call auditing support

Under "File systems"
(For each file system you use, make sure extended attribute support is enabled)
<*> Second extended fs support
[*]   Ext2 extended attributes
[ ]     Ext2 POSIX Access Control Lists
[*]     Ext2 Security Labels
[ ]   Ext2 execute in place support

<*> Ext3 journalling file system support
[ ]   Default to 'data=ordered' in ext3
[*]   Ext3 extended attributes
[ ]     Ext3 POSIX Access Control Lists
[*]     Ext3 Security Labels

<*> The Extended 4 (ext4) filesystem
[*]   Ext4 extended attributes
[ ]     Ext4 POSIX Access Control Lists
[*]     Ext4 Security Labels

<*> JFS filesystem support
[ ]   JFS POSIX Access Control Lists
[*]   JFS Security Labels
[ ]   JFS debugging
[ ]   JFS statistics

<*> XFS filesystem support
[ ]   XFS Quota support
[ ]   XFS POSIX ACL support
[ ]   XFS Realtime subvolume support (EXPERIMENTAL)
[ ]   XFS Debugging Support

<*> Btrfs filesystem (EXPERIMENTAL)
[ ]   Btrfs POSIX Access Control Lists

Under "Security options"
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] NSA SELinux Support
[ ]   NSA SELinux boot parameter
[ ]   NSA SELinux runtime disable
[*]   NSA SELinux Development Support
[ ]   NSA SELinux AVC Statistics
(1)   NSA SELinux checkreqprot default value
[ ]   NSA SELinux maximum supported policy format version
    Default security module (SELinux) --->

We recommend to use PaX as well. More information on PaX within Gentoo Hardened can be found in the Hardened Gentoo PaX Quickstart Guide.

Build and install the new Linux kernel and its modules.

Update fstab

Next, edit /etc/fstab and add the following line:

none   /selinux         selinuxfs    defaults    0 0

Also create this mount point

# mkdir /selinux

Reboot

With the above changes made, reboot your system. Assert yourself that you are now running a Linux kernel with SELinux enabled (the /selinux file system should be mounted). Don't worry - SELinux is at this point not activated.

1.b. Configure SELinux

Introduction

Next we will need to configure SELinux by installing the appropriate utilities, label our file system and configure the policy.

Install Policies and Utilities

First, install the sys-apps/checkpolicy and sys-apps/policycoreutils packages. Although these will be pulled in as dependencies of the SELinux policy packages themselves, we need to install these one time first - hence the -1 option.

~# emerge -1 checkpolicy policycoreutils

Next, install the SELinux policy package (sec-policy/selinux-base-policy). This package contains the base SELinux policy needed to get your system up and running using SELinux. As Portage will try to label and reload policies (since the installation of sys-apps/policycoreutils) we need to temporarily disable SELinux support (as Portage wouldn't be able to label anything as it doesn't understand it yet).

~# FEATURES="-selinux" emerge selinux-base-policy

Next, rebuild those packages affected by the profile change we did previously through a standard world update, taking into account USE-flag changes (as the new profile will change many default USE flags, including enabling the selinux USE flag). Don't forget to use etc-update or dispatch-conf afterwards as some changes to configuration files need to be made.

~# emerge -uDN world

Next, install the additional SELinux tools that you might need in the future to debug or help with your SELinux installation. These packages are optional, but recommended.

~# emerge setools sepolgen checkpolicy

Finally, install the policy modules for those utilities you think you need policies for. In the near future, this will be done automatically for you (the packages will have an optional dependency on it, triggered by the selinux USE flag), but until that time, you will need to install them yourself.

~# emerge --search selinux-
[...]
(Select the modules you want to install)
~# emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...

Configure the SELinux Policy

Inside /etc/selinux/config you can configure how SELinux is configured at boot time.

# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=strict

Within this configuration file, two variables can be set:

• SELINUX sets how SELinux should behave:
  • enforcing will enable and enforce policies. This is where we want to go for, but you should probably start with permissive.
  • permissive will enable policies, but not enforce them. Any violation is reported but not denied. This is where you should start from as it will not impact your system yet allow you to get acquainted with SELinux - and validate the warnings to see if you can switch towards enforcing or not.
  • disabled will completely disable the policies. As this will not show any violations as well, it is not recommended.
• SELINUXTYPE selects the SELinux policy type to load. Most development is done using the strict (as it provides full confinement) type, although the others are supported as well.

Reboot, and Label the File System

First reboot your system so that the installed policies are loaded. Now we need to relabel your devices and openrc related files. This will apply the correct security contexts (labels) onto the necessary files.

~# mkdir /mnt/gentoo
~# mount -o bind / /mnt/gentoo

(Substitute the "strict" in the next command with "targeted" if that is your
SELINUXTYPE selection, and use "lib" instead of "lib64" if you have a 32-bit system)
~# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
~# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64
~# umount /mnt/gentoo

Next, if you have a swapfile rather than a swap partition, label it accordingly:

~# semanage fcontext -a -t swapfile_t "/swapfile"
~# restorecon /swapfile

Now relabel your entire file system. The next command will apply the correct security context onto the files on your file system, based on the security context information provided by the SELinux policy modules installed.

~# rlpkg -a -r

If you ever have to install a SELinux policy module for a package after that that particular package is installed, you need to run rlpkg for that package to make sure that the security contexts for these files are set correctly. For instance, if you have installed sec-policy/selinux-screen after discovering that you have screen on your system:

(Make sure no screen sessions are running as their security contexts will not be adapted)
~# rlpkg -t screen

Enable the selinux_gentoo service

Gentoo provides an init script called selinux_gentoo which restores the contexts of dynamically created files and devices or pseudo file systems (/dev (optionally) and /sys) as those file systems cannot persist context changes across reboots.

The init script also supports booting in permissive mode first (for instance if you have a custom initramfs that fails to work in enforcing mode) and switch to enforcing mode later.

Enable the init script using rc-update add selinux_gentoo boot and update your boot loader configuration with the following boot options:

• nosetenforce if you boot with enforcing=0 and do not want the init script to switch back to enforcing mode (if configured in /etc/selinux/config). If your /etc/selinux/config file is configured to boot in permissive mode, this init script will not change this behavior.
• norestorecon if you do not want to restore the contexts of /dev.

# Boot in SELinux permissive and switch to enforcing later
# Requires /etc/selinux/config to have SELINUX=enforcing
title Gentoo Hardened/SELinux
root (hd0,0)
kernel /boot/kernel root=/dev/vg/root ... enforcing=0 ...

# Boot in SELinux permissive and stay in permissive, even if
# /etc/selinux:config has SELINUX=encorcing
title Gentoo Hardened/SELinux
root (hd0,0)
kernel /boot/kernel root=/dev/vg/root ... enforcing=0 nosetenforce ...

Reboot and Set SELinux Booleans

Reboot your system so that the newly applied file contexts are used. Log on and, if you have indeed installed Gentoo using the hardened sources (as we recommended), enable the SSP SELinux boolean, allowing every domain read access to the /dev/urandom device:

~# setsebool -P global_ssp on

Define the Administrator Accounts

If the SELINUXTYPE is set to strict, then we need to map the account(s) you use to manage your system (those that need access to Portage) to the staff_u SELinux user. If not, none of your accounts will be able to succesfully manage the system (except for root, but then you will need to login as root directly and not through sudo or su.) By default, users are mapped to the user_u SELinux user who doesn't have the appropriate rights (nor access to the appropriate roles) to manage a system. Accounts that are mapped to staff_u can, but might need to switch roles from staff_r to sysadm_r before they are granted the appropriate privileges.

Assuming that your account name is john:

~# semanage login -a -s staff_u john
~# restorecon -R -F /home/john

If you later log on as john and want to manage your system, you will probably need to switch your role. You can use newrole for this:

~$ id -Z
staff_u:staff_r:staff_t
~$ newrole -r sysadm_r
Password: (Enter your password)
~$ id -Z
staff_u:sysadm_r:sysadm_t

If you however use a targeted policy, then the user you work with will be of type unconfined_t and will already have the necessary privileges to perform system administrative tasks.

With that done, enjoy - your first steps into the SELinux world are now made.

Supporting Service Administration

By default, the Gentoo Hardened SELinux policies will allow the sysadm_t domain access to all services. However, some of these services have policies that allow them to be assigned to individual, non-root users. This requires the user to be granted the system_r role (meaning the user can, under certain circumstances, have his role change towards the system role).

It is therefor recommended to grant the system_r role to the administrative SELinux user you are going to use most. This most likely is the root and staff_u SELinux user.

# semanage user -a -R "staff_r sysadm_r system_r" root
# semanage user -a -R "staff_r sysadm_r system_r" staff_u

[ << ] [ < ] [ Home ] [ > ] [ >> ]

The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.