Gentoo Logo

Disclaimer : This document is not valid and is not maintained anymore.

[ << ] [ < ] [ Home ] [ > ] [ >> ]

1. Gentoo SELinux Installation / Conversion


1.a. Installing Gentoo (Hardened)


Getting a SELinux-powered Gentoo installation doesn't require weird actions. What you need to do is install Gentoo Linux with the correct profile, correct kernel configuration and some file system relabelling. We seriously recommend to use SELinux together with other hardening improvements (such as PaX / grSecurity).

This chapter will describe the steps to install Gentoo with SELinux. We assume that you have an existing Gentoo Linux system which you want to convert to Gentoo with SELinux. If this is not the case, you should still read on: you can install Gentoo with SELinux immediately if you make the correct decisions during the installation process, based on the information in this chapter.

Performing a Standard Installation

Install Gentoo Linux according to the Gentoo Handbook installation instructions. We recommend the use of the hardened stage 3 tarballs and hardened-sources kernel instead of the standard ones, but standard stage installations are also supported for SELinux. Perform a full installation to the point that you have booted your system into a (primitive) Gentoo base installation.

Switching to Python 2

For now, the SELinux management utilities are not all compatible with Python 3 so we recommend to switch to Python 2 until the packages are updated and fixed.

Code Listing 1.1: Switching to python 2

~# emerge '<=dev-lang/python-3.0'
~# eselect python list
Available Python interpreters:
  [1]   python2.7
  [2]   python3.1 *

~# eselect python set 1
~# source /etc/profile

Choosing a SELinux policy type

Gentoo supports four policy types within SELinux: strict, targeted, mcs and mls.

The differentiation between strict and targeted is based upon the unconfined domain. When loaded, the processes on your system that are not specifically confined within a particular policy module will be part of the unconfined domains whose purpose is to allow most activities by default (rather than deny by default). As a result, processes that run inside unconfined domains have no restrictions apart from those already enforced by standard Linux security. Although running without the unconfined domains is considered more secure, it will also be more challenging for the administrator to make sure the system still functions properly as there are no policy modules for each and every application "out there".

Next to targeted and strict, you can opt for mcs to allow categorization of the process domains. This is useful on multi-tenant systems such as web servers, virtualization hosts, ... where multiple processes will be running, most of them in the same security domain, but in different categories. Note though that to take advantage of the additional category support, either the applications themselves (such as the web server or hypervisor tools) need to configure the SELinux categories (so they need to support SELinux) or you will need to script around to start the individual instances with separate categories. Otherwise, mcs is just the same as targeted or strict.

Finally, you can also select mls to differentiate security domains on a sensitivity level. However, MLS is currently still considered experimental in Gentoo and as such not recommended.

In case of mcs or mls, you will need to use the unconfined USE flag to enable or disable unconfined domains in these policy types. The strict (no unconfined domains) type does not honor the USE flag, and the targeted (unconfined domains) type requires the USE flag set.

When you have made your choice between the SELinux policy types, save this in your /etc/portage/make.conf file as well. That way, Portage will only install the policy modules for that SELinux type. By default, the SELinux profiles enable strict and targeted (with strict being the default active type).

Code Listing 1.2: Setting the policy type in make.conf

~# nano /etc/portage/make.conf

Setting the filesystem contexts

If your /tmp location is a tmpfs-mounted file system, then you need to tell the kernel that the root context of this location is tmp_t instead of tmpfs_t. Many SELinux policy objects (including various server-level policies) assume that /tmp is tmp_t.

To configure the /tmp mount, edit your /etc/fstab:

Code Listing 1.3: Update /etc/fstab for /tmp

# For a "targeted" or "strict" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0  0 0

Next, set the next line in your /etc/fstab to configure the context for the /run location:

Code Listing 1.4: Update /etc/fstab for /run

# For a "targeted" or "strict" policy type:
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0

Change the Gentoo Profile

Now that you have a running Gentoo Linux installation, switch the Gentoo profile to the right SELinux profile (for instance, hardened/linux/amd64/no-multilib/selinux). Note that the older profiles (like selinux/v2refpolicy/amd64/hardened) are not supported anymore.

Code Listing 1.5: Switching the Gentoo profile

~# eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/selinux
  [3]   default/linux/amd64/10.0/desktop
  [4]   default/linux/amd64/10.0/desktop/gnome
  [5]   default/linux/amd64/10.0/desktop/kde
  [6]   default/linux/amd64/10.0/developer
  [7]   default/linux/amd64/10.0/no-multilib
  [8]   default/linux/amd64/10.0/server
  [9]   hardened/linux/amd64
  [10]  hardened/linux/amd64/selinux
  [11]  hardened/linux/amd64/no-multilib *
  [12]  hardened/linux/amd64/no-multilib/selinux

~# eselect profile set 12

Warning: Do not rebuild your system right now - wait until this is instructed by this document later. Rebuilding the system will pull in SELinux policies which could make your system unreachable if you reboot after it.

Note: Starting from the profile change, Portage will warn you after every installation that it was "Unable to set SELinux security labels". This is to be expected, because the tools and capabilities that Portage requires to set the security labels aren't available yet. This warning will vanish the moment the SELinux installation is completed.

Don't update your system yet - we will need to install a couple of packages in a particular order which Portage isn't aware of in the next couple of sections.

Update make.conf

Next, take a look at the following USE flags and decide if you want to enable or disable them.

USE flag Default Value Description
peer_perms Enabled The peer_perms capability controls the SELinux policy network peer controls. If set, the access control mechanisms that SELinux uses for network based labelling are consolidated. This setting is recommended as the policy is also updated to reflect this. If not set, the old mechanisms (NetLabel and Labeled IPsec) are used side by side.
open_perms Enabled The open_perms capability enables the SELinux permission "open" for files and file-related classes. Support for the "open" call was added a bit later than others so support was first made optional. However, the policies have matured sufficiently to have the open permission set.
ubac Enabled When disabled, the SELinux policy is built without user-based access control.
unconfined Disabled When set, policy builds (except for the "strict" policy) will include the unconfined module (thus allowing unconfined domains to exist on the system).

Make your choice and update the USE variable in /etc/portage/make.conf or in an appropriate /etc/portage/package.use location for the sec-policy/selinux-base package.

Manual System Changes

Warning: Most, if not all of the next few changes will be resolved through regular packages as soon as possible. However, these fixes have impact beyond the Gentoo Hardened installations. As such, these changes will be incorporated a bit slower than the SELinux-specific updates. For the time being, manually correcting these situations is sufficient (and a one-time operation).

The following changes might be necessary on your system, depending on the tools or configurations that apply.

  • Check if you have *.old files in /bin. If you do, either remove those or make them a copy of their counterpart so that they get their own security context. The .old files are hard links which mess up the file labelling. For instance, cp /bin/hostname /bin/hostname.old.

Installing a SELinux Kernel

Although the default Linux kernels offer SELinux support, we recommend the use of the sys-kernel/hardened-sources package.

Code Listing 1.6: Installing hardened-sources

(Only if you have not installed it previously of course)
~# emerge hardened-sources

Next, reconfigure the kernel with the appropriate security settings. This includes, but is not limited to

  • Support for extended attributes in the various file systems
  • Support system-call auditing
  • Support for SELinux

Below you can find a quick overview of the recommended settings.

Code Listing 1.7: Recommended settings for the Linux kernel configuration

Under "General setup"
[*] Prompt for development and/or incomplete code/drivers
[*] Auditing support
[*]   Enable system-call auditing support

Under "File systems"
(For each file system you use, make sure extended attribute support is enabled)
<*> Second extended fs support
[*]   Ext2 extended attributes
[ ]     Ext2 POSIX Access Control Lists
[*]     Ext2 Security Labels
[ ]   Ext2 execute in place support

<*> Ext3 journalling file system support
[ ]   Default to 'data=ordered' in ext3
[*]   Ext3 extended attributes
[ ]     Ext3 POSIX Access Control Lists
[*]     Ext3 Security Labels

<*> The Extended 4 (ext4) filesystem
[*]   Ext4 extended attributes
[ ]     Ext4 POSIX Access Control Lists
[*]     Ext4 Security Labels

<*> JFS filesystem support
[ ]   JFS POSIX Access Control Lists
[*]   JFS Security Labels
[ ]   JFS debugging
[ ]   JFS statistics

<*> XFS filesystem support
[ ]   XFS Quota support
[ ]   XFS POSIX ACL support
[ ]   XFS Realtime subvolume support (EXPERIMENTAL)
[ ]   XFS Debugging Support

<*> Btrfs filesystem (EXPERIMENTAL)
[ ]   Btrfs POSIX Access Control Lists

Under "Security options"
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] NSA SELinux Support
[ ]   NSA SELinux boot parameter
[ ]   NSA SELinux runtime disable
[*]   NSA SELinux Development Support
[ ]   NSA SELinux AVC Statistics
(1)   NSA SELinux checkreqprot default value
[ ]   NSA SELinux maximum supported policy format version
    Default security module (SELinux) --->

We recommend to use PaX as well. More information on PaX within Gentoo Hardened can be found in the Hardened Gentoo PaX Quickstart Guide.

Build and install the new Linux kernel and its modules.

Update fstab

Next, edit /etc/fstab and add the following line:

Code Listing 1.8: Enabling selinux-specific file system options

none   /selinux         selinuxfs    defaults    0 0

Also create this mount point

Code Listing 1.9: Creating the /selinux mountpoint

# mkdir /selinux


With the above changes made, reboot your system. Assert yourself that you are now running a Linux kernel with SELinux enabled (the /selinux file system should be mounted). Don't worry - SELinux is at this point not activated.

1.b. Configure SELinux


Next we will need to configure SELinux by installing the appropriate utilities, label our file system and configure the policy.

Install Policies and Utilities, Part One

First, install the sys-apps/checkpolicy and sys-apps/policycoreutils packages. Although these will be pulled in as dependencies of the SELinux policy packages themselves, we need to install these one time first - hence the -1 option.

Code Listing 2.1: Installing SELinux policy core utilities

~# emerge -1 checkpolicy policycoreutils

Next, we install the base SELinux policy package. This package provides the SELinux configuration file which we need to adjust prior to building all other SELinux packages.

Code Listing 2.2: Installing the SELinux base policy package

~# FEATURES="-selinux" emerge -1 selinux-base

Configure the SELinux Policy

Inside /etc/selinux/config you can now configure how SELinux is configured at boot time.

Code Listing 2.3: Editing the /etc/selinux/config file

# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)

Within this configuration file, two variables can be set:

  • SELINUX sets how SELinux should behave:
    • enforcing will enable and enforce policies. This is where we want to go for, but you should probably start with permissive.
    • permissive will enable policies, but not enforce them. Any violation is reported but not denied. This is where you should start from as it will not impact your system yet allow you to get acquainted with SELinux - and validate the warnings to see if you can switch towards enforcing or not.
    • disabled will completely disable the policies. As this will not show any violations as well, it is not recommended.
  • SELINUXTYPE selects the SELinux policy type to load. Most development is done using the strict (as it provides full confinement) type, although the others are supported as well.

Make sure that the SELINUX variable is set to permissive right now. We will switch to enforcing later.

Install Policies and Utilities, Part Two

We can now continue with the installation of the SELinux policies. Rebuild the selinux-base package if you changed SELINUXTYPE to something else than strict, and then install the core SELinux policies through the sec-policy/selinux-base-policy package. This package contains the core SELinux policies needed to get your system up and running using SELinux. As Portage will try to label and reload policies (since the installation of sys-apps/policycoreutils) we need to temporarily disable SELinux support again (as Portage wouldn't be able to label anything as it doesn't understand it yet).

Code Listing 2.4: Installing the SELinux policy packages

~# FEATURES="-selinux" emerge -1 selinux-base
~# FEATURES="-selinux" emerge selinux-base-policy

Next, rebuild those packages affected by the profile change we did previously through a standard world update, taking into account USE-flag changes (as the new profile will change many default USE flags, including enabling the selinux USE flag). Don't forget to use etc-update or dispatch-conf afterwards as some changes to configuration files need to be made.

Code Listing 2.5: Update your Gentoo Linux system

~# emerge -uDN world

Next, install the additional SELinux tools that you might need in the future to debug or help with your SELinux installation. These packages are optional, but recommended.

Code Listing 2.6: Installing additional SELinux packages

~# emerge setools sepolgen checkpolicy

Finally, install the policy modules for those utilities you think you need policies for. In the near future, this will be done automatically for you (the packages will have an optional dependency on it, triggered by the selinux USE flag), but until that time, you will need to install them yourself.

Code Listing 2.7: Installing SELinux modules

~# emerge --search selinux-
(Select the modules you want to install)
~# emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...

Reboot, and Label the File System

Important: Repeat these steps every time you have rebooted from a non-SELinux enabled kernel into a SELinux enabled kernel, as running with a non-SELinux enabled kernel will not update the security attributes of the files you create or manipulate during your day-to-day activities on your system.

First reboot your system so that the installed policies are loaded. Now we need to relabel your devices and openrc related files. This will apply the correct security contexts (labels) onto the necessary files.

Code Listing 2.8: Relabel /dev structure

~# mkdir /mnt/gentoo
~# mount -o bind / /mnt/gentoo

(Substitute the "strict" in the next command with "targeted" if that is your
SELINUXTYPE selection, and use "lib" instead of "lib64" if you have a 32-bit system)
~# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
~# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64
~# umount /mnt/gentoo

Next, if you have a swapfile rather than a swap partition, label it accordingly:

Code Listing 2.9: Labelling the swap file

~# semanage fcontext -a -t swapfile_t "/swapfile"
~# restorecon /swapfile

Now relabel your entire file system. The next command will apply the correct security context onto the files on your file system, based on the security context information provided by the SELinux policy modules installed.

Code Listing 2.10: Relabel the entire file system

~# rlpkg -a -r

If you ever have to install a SELinux policy module for a package after that that particular package is installed, you need to run rlpkg for that package to make sure that the security contexts for these files are set correctly. For instance, if you have installed sec-policy/selinux-screen after discovering that you have screen on your system:

Code Listing 2.11: Relabeling the files for a single package

(Make sure no screen sessions are running as their security contexts will not be adapted)
~# rlpkg -t screen

Enable the selinux_gentoo service

Gentoo provides an init script called selinux_gentoo which restores the contexts of dynamically created files and devices or pseudo file systems (/dev (optionally) and /sys) as those file systems cannot persist context changes across reboots.

The init script also supports booting in permissive mode first (for instance if you have a custom initramfs that fails to work in enforcing mode) and switch to enforcing mode later.

Enable the init script using rc-update add selinux_gentoo boot and update your boot loader configuration with the following boot options:

  • nosetenforce if you boot with enforcing=0 and do not want the init script to switch back to enforcing mode (if configured in /etc/selinux/config). If your /etc/selinux/config file is configured to boot in permissive mode, this init script will not change this behavior.
  • norestorecon if you do not want to restore the contexts of /dev.

Code Listing 2.12: Example GRUB configuration

# Boot in SELinux permissive and switch to enforcing later
# Requires /etc/selinux/config to have SELINUX=enforcing
title Gentoo Hardened/SELinux
root (hd0,0)
kernel /boot/kernel root=/dev/vg/root ... enforcing=0 ...

# Boot in SELinux permissive and stay in permissive, even if
# /etc/selinux:config has SELINUX=encorcing
title Gentoo Hardened/SELinux
root (hd0,0)
kernel /boot/kernel root=/dev/vg/root ... enforcing=0 nosetenforce ...

Reboot and Set SELinux Booleans

Reboot your system so that the newly applied file contexts are used. Log on and, if you have indeed installed Gentoo using the hardened sources (as we recommended), enable the SSP SELinux boolean, allowing every domain read access to the /dev/urandom device:

Code Listing 2.13: Enabling the global_ssp boolean

~# setsebool -P global_ssp on

Define the Administrator Accounts

If the SELINUXTYPE is set to strict, then we need to map the account(s) you use to manage your system (those that need access to Portage) to the staff_u SELinux user. If not, none of your accounts will be able to succesfully manage the system (except for root, but then you will need to login as root directly and not through sudo or su.) By default, users are mapped to the user_u SELinux user who doesn't have the appropriate rights (nor access to the appropriate roles) to manage a system. Accounts that are mapped to staff_u can, but might need to switch roles from staff_r to sysadm_r before they are granted the appropriate privileges.

Assuming that your account name is john:

Code Listing 2.14: Mapping the Linux account john to the SELinux user staff_u

~# semanage login -a -s staff_u john
~# restorecon -R -F /home/john

If you later log on as john and want to manage your system, you will probably need to switch your role. You can use newrole for this:

Code Listing 2.15: Switching roles

~$ id -Z
~$ newrole -r sysadm_r
Password: (Enter your password)
~$ id -Z

If you however use a targeted policy, then the user you work with will be of type unconfined_t and will already have the necessary privileges to perform system administrative tasks.

With that done, enjoy - your first steps into the SELinux world are now made.

Supporting Service Administration

By default, the Gentoo Hardened SELinux policies will allow the sysadm_t domain access to all services. However, some of these services have policies that allow them to be assigned to individual, non-root users. This requires the user to be granted the system_r role (meaning the user can, under certain circumstances, have his role change towards the system role).

It is therefor recommended to grant the system_r role to the administrative SELinux user you are going to use most. This most likely is the root and staff_u SELinux user.

Code Listing 2.16: Granting the system_r role to the staff and root user

# semanage user -m -R "staff_r sysadm_r system_r" root
# semanage user -m -R "staff_r sysadm_r system_r" staff_u

[ << ] [ < ] [ Home ] [ > ] [ >> ]


View all

Page updated March 6, 2014

Summary: To set up SELinux within Gentoo/Hardened, you first need to install Gentoo with the correct Hardened profile (or convert to the Hardened profile) and then update your system to become a SELinux-managed system. This chapter will guide you through this process.

Chris PeBenito

Sven Vermeulen

Chris Richards

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.