[ << ]
[ < ]
[ Home ]
[ > ]
[ >> ]
1. Gentoo SELinux Installation / Conversion
1.a. Installing Gentoo (Hardened)
Getting a SELinux-powered Gentoo installation doesn't require weird actions.
What you need to do is install Gentoo Linux with the correct profile, correct
kernel configuration and some file system relabelling. We seriously recommend to
use SELinux together with other hardening improvements (such as PaX /
This chapter will describe the steps to install Gentoo with SELinux. We
assume that you have an existing Gentoo Linux system which you want to convert
to Gentoo with SELinux. If this is not the case, you should still read
on: you can install Gentoo with SELinux immediately if you make the
correct decisions during the installation process, based on the information in
Performing a Standard Installation
Install Gentoo Linux according to the Gentoo
Handbook installation instructions. We recommend the use of the hardened
stage 3 tarballs and hardened-sources kernel instead of the standard
ones, but standard stage installations are also supported for SELinux.
Perform a full installation to the point that you have booted your system
into a (primitive) Gentoo base installation.
If you are an XFS user, make sure that the inode sizes of the XFS file
system is 512 byte. Since the default is 256, you will need to run the
mkfs.xfs command with the -i size=512 arguments, like so:
mkfs.xfs -i size=512 /dev/sda3
Switching to Python 2
For now, the SELinux management utilities are not all compatible with Python 3 so
we recommend to switch to Python 2 until the packages are updated and fixed.
Code Listing 1.1: Switching to python 2
~# emerge '<=dev-lang/python-3.0'
~# eselect python list
Available Python interpreters:
 python3.1 *
~# eselect python set 1
~# source /etc/profile
Choosing a SELinux policy type
Gentoo supports four policy types within SELinux: strict,
targeted, mcs and mls.
The differentiation between strict and targeted is based upon the
unconfined domain. When loaded, the processes on your system that are not
specifically confined within a particular policy module will be part of the
unconfined domains whose purpose is to allow most activities by default (rather
than deny by default). As a result, processes that run inside unconfined
domains have no restrictions apart from those already enforced by standard Linux
security. Although running without the unconfined domains is considered more
secure, it will also be more challenging for the administrator to make sure the
system still functions properly as there are no policy modules for each and
every application "out there".
Next to targeted and strict, you can opt for mcs to allow
categorization of the process domains. This is useful on multi-tenant systems
such as web servers, virtualization hosts, ... where multiple processes will be
running, most of them in the same security domain, but in different categories.
Note though that to take advantage of the additional category support, either
the applications themselves (such as the web server or hypervisor tools) need to
configure the SELinux categories (so they need to support SELinux) or you will
need to script around to start the individual instances with separate
categories. Otherwise, mcs is just the same as targeted or
Finally, you can also select mls to differentiate security domains on
a sensitivity level. However, MLS is currently still considered experimental
in Gentoo and as such not recommended.
In case of mcs or mls, you will need to use the unconfined
USE flag to enable or disable unconfined domains in these policy types. The
strict (no unconfined domains) type does not honor the USE flag, and the
targeted (unconfined domains) type requires the USE flag set.
When you have made your choice between the SELinux policy types, save
this in your /etc/portage/make.conf file as well. That way, Portage will
only install the policy modules for that SELinux type. By default, the SELinux
profiles enable strict and targeted (with strict being the
default active type).
Code Listing 1.2: Setting the policy type in make.conf
~# nano /etc/portage/make.conf
Setting the filesystem contexts
If your /tmp location is a tmpfs-mounted file system, then you need
to tell the kernel that the root context of this location is tmp_t
instead of tmpfs_t. Many SELinux policy objects (including various
server-level policies) assume that /tmp is tmp_t.
To configure the /tmp mount, edit your /etc/fstab:
Code Listing 1.3: Update /etc/fstab for /tmp
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0 0 0
Next, set the next line in your /etc/fstab to configure the context
for the /run location:
Code Listing 1.4: Update /etc/fstab for /run
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
Change the Gentoo Profile
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
to the right SELinux profile (for instance,
hardened/linux/amd64/no-multilib/selinux). Note that the older
profiles (like selinux/v2refpolicy/amd64/hardened) are not
Code Listing 1.5: Switching the Gentoo profile
~# eselect profile list
Available profile symlink targets:
 hardened/linux/amd64/no-multilib *
~# eselect profile set 12
Do not rebuild your system right now - wait until this is instructed by this
document later. Rebuilding the system will pull in SELinux policies which could
make your system unreachable if you reboot after it.
Starting from the profile change, Portage will warn you after every installation
that it was "Unable to set SELinux security labels". This is to be expected,
because the tools and capabilities that Portage requires to set the security
labels aren't available yet. This warning will vanish the moment the SELinux
installation is completed.
Don't update your system yet - we will need to install a couple of packages in a
particular order which Portage isn't aware of in the next couple of sections.
Next, take a look at the following USE flags and decide if you want to enable
or disable them.
The peer_perms capability controls the SELinux policy network peer controls.
If set, the access control mechanisms that SELinux uses for network based
labelling are consolidated. This setting is recommended as the policy is
also updated to reflect this. If not set, the old mechanisms (NetLabel and
Labeled IPsec) are used side by side.
The open_perms capability enables the SELinux permission "open" for files
and file-related classes. Support for the "open" call was added a bit later
than others so support was first made optional. However, the policies have
matured sufficiently to have the open permission set.
When disabled, the SELinux policy is built without user-based access control.
When set, policy builds (except for the "strict" policy) will include the
unconfined module (thus allowing unconfined domains to exist on the system).
Make your choice and update the USE variable in
/etc/portage/make.conf or in an appropriate
/etc/portage/package.use location for the
Manual System Changes
Most, if not all of the next few changes will be resolved through regular
packages as soon as possible. However, these fixes have impact beyond the Gentoo
Hardened installations. As such, these changes will be incorporated a bit slower
than the SELinux-specific updates. For the time being, manually correcting these
situations is sufficient (and a one-time operation).
The following changes might be necessary on your system, depending on the
tools or configurations that apply.
Check if you have *.old files in /bin. If you do,
either remove those or make them a copy of their counterpart so that they
get their own security context. The .old files are hard links
which mess up the file labelling. For instance, cp /bin/hostname
Installing a SELinux Kernel
Although the default Linux kernels offer SELinux support, we recommend the use
of the sys-kernel/hardened-sources package.
Code Listing 1.6: Installing hardened-sources
~# emerge hardened-sources
Next, reconfigure the kernel with the appropriate security settings. This
includes, but is not limited to
- Support for extended attributes in the various file systems
- Support system-call auditing
- Support for SELinux
Below you can find a quick overview of the recommended settings.
Code Listing 1.7: Recommended settings for the Linux kernel configuration
[*] Prompt for development and/or incomplete code/drivers
[*] Auditing support
[*] Enable system-call auditing support
<*> Second extended fs support
[*] Ext2 extended attributes
[ ] Ext2 POSIX Access Control Lists
[*] Ext2 Security Labels
[ ] Ext2 execute in place support
<*> Ext3 journalling file system support
[ ] Default to 'data=ordered' in ext3
[*] Ext3 extended attributes
[ ] Ext3 POSIX Access Control Lists
[*] Ext3 Security Labels
<*> The Extended 4 (ext4) filesystem
[*] Ext4 extended attributes
[ ] Ext4 POSIX Access Control Lists
[*] Ext4 Security Labels
<*> JFS filesystem support
[ ] JFS POSIX Access Control Lists
[*] JFS Security Labels
[ ] JFS debugging
[ ] JFS statistics
<*> XFS filesystem support
[ ] XFS Quota support
[ ] XFS POSIX ACL support
[ ] XFS Realtime subvolume support (EXPERIMENTAL)
[ ] XFS Debugging Support
<*> Btrfs filesystem (EXPERIMENTAL)
[ ] Btrfs POSIX Access Control Lists
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] NSA SELinux Support
[ ] NSA SELinux boot parameter
[ ] NSA SELinux runtime disable
[*] NSA SELinux Development Support
[ ] NSA SELinux AVC Statistics
(1) NSA SELinux checkreqprot default value
[ ] NSA SELinux maximum supported policy format version
Default security module (SELinux) --->
We recommend to use PaX as well. More information on PaX within Gentoo Hardened
can be found in the Hardened
Gentoo PaX Quickstart Guide.
Build and install the new Linux kernel and its modules.
Next, edit /etc/fstab and add the following line:
Code Listing 1.8: Enabling selinux-specific file system options
none /selinux selinuxfs defaults 0 0
Also create this mount point
Code Listing 1.9: Creating the /selinux mountpoint
# mkdir /selinux
With the above changes made, reboot your system. Assert yourself that you are
now running a Linux kernel with SELinux enabled (the /selinux file
system should be mounted). Don't worry - SELinux is at this point not activated.
1.b. Configure SELinux
Next we will need to configure SELinux by installing the appropriate
utilities, label our file system and configure the policy.
Install Policies and Utilities
First, install the sys-apps/checkpolicy and
sys-apps/policycoreutils packages. Although these will be pulled in
as dependencies of the SELinux policy packages themselves, we need to install
these one time first - hence the -1 option.
Code Listing 2.1: Installing SELinux policy core utilities
~# emerge -1 checkpolicy policycoreutils
Next, install the SELinux policy package
(sec-policy/selinux-base-policy). This package contains the base
SELinux policy needed to get your system up and running using SELinux.
As Portage will try to label and reload policies (since the installation of
sys-apps/policycoreutils) we need to temporarily disable SELinux
support (as Portage wouldn't be able to label anything as it doesn't understand
Code Listing 2.2: Installing the SELinux policy packages
~# FEATURES="-selinux" emerge selinux-base-policy
Next, rebuild those packages affected by the profile change we did previously
through a standard world update, taking into account USE-flag changes (as the
new profile will change many default USE flags, including enabling the
selinux USE flag). Don't forget to use etc-update or
dispatch-conf afterwards as some changes to configuration files need to
Code Listing 2.3: Update your Gentoo Linux system
~# emerge -uDN world
Next, install the additional SELinux tools that you might need in the future to
debug or help with your SELinux installation. These packages are optional, but
Code Listing 2.4: Installing additional SELinux packages
~# emerge setools sepolgen checkpolicy
Finally, install the policy modules for those utilities you think you need
policies for. In the near future, this will be done automatically for you (the
packages will have an optional dependency on it, triggered by the selinux USE
flag), but until that time, you will need to install them yourself.
Code Listing 2.5: Installing SELinux modules
~# emerge --search selinux-
~# emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...
Configure the SELinux Policy
Inside /etc/selinux/config you can configure how SELinux is
configured at boot time.
Code Listing 2.6: Editing the /etc/selinux/config file
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
Within this configuration file, two variables can be set:
SELINUX sets how SELinux should behave:
enforcing will enable and enforce policies. This is where we want
to go for, but you should probably start with permissive.
permissive will enable policies, but not enforce them. Any
violation is reported but not denied. This is where you should start
from as it will not impact your system yet allow you to get acquainted
with SELinux - and validate the warnings to see if you can switch
towards enforcing or not.
disabled will completely disable the policies. As this will not
show any violations as well, it is not recommended.
SELINUXTYPE selects the SELinux policy type to load. Most development
is done using the strict (as it provides full confinement) type,
although the others are supported as well.
Reboot, and Label the File System
Repeat these steps every time you have rebooted from a non-SELinux enabled
kernel into a SELinux enabled kernel, as running with a non-SELinux enabled
kernel will not update the security attributes of the files you create or
manipulate during your day-to-day activities on your system.
First reboot your system so that the installed policies are loaded. Now we
need to relabel your devices and openrc related files. This will apply the
correct security contexts (labels) onto the necessary files.
Code Listing 2.7: Relabel /dev structure
~# mkdir /mnt/gentoo
~# mount -o bind / /mnt/gentoo
~# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
~# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64
~# umount /mnt/gentoo
Next, if you have a swapfile rather than a swap partition, label it accordingly:
Code Listing 2.8: Labelling the swap file
~# semanage fcontext -a -t swapfile_t "/swapfile"
~# restorecon /swapfile
Now relabel your entire file system. The next command will apply the correct
security context onto the files on your file system, based on the security
context information provided by the SELinux policy modules installed.
Code Listing 2.9: Relabel the entire file system
~# rlpkg -a -r
If you ever have to install a SELinux policy module for a package after that
that particular package is installed, you need to run rlpkg for that
package to make sure that the security contexts for these files are set
correctly. For instance, if you have installed
sec-policy/selinux-screen after discovering that you have
screen on your system:
Code Listing 2.10: Relabeling the files for a single package
~# rlpkg -t screen
Enable the selinux_gentoo service
Gentoo provides an init script called selinux_gentoo which restores
the contexts of dynamically created files and devices or pseudo file systems
(/dev (optionally) and /sys) as those file systems
cannot persist context changes across reboots.
The init script also supports booting in permissive mode first (for instance if
you have a custom initramfs that fails to work in enforcing mode) and switch to
enforcing mode later.
Enable the init script using rc-update add selinux_gentoo boot and update
your boot loader configuration with the following boot options:
nosetenforce if you boot with enforcing=0 and do not
want the init script to switch back to enforcing mode (if configured in
/etc/selinux/config). If your /etc/selinux/config
file is configured to boot in permissive mode, this init script will not
change this behavior.
norestorecon if you do not want to restore the contexts of
Code Listing 2.11: Example GRUB configuration
title Gentoo Hardened/SELinux
kernel /boot/kernel root=/dev/vg/root ... enforcing=0 ...
title Gentoo Hardened/SELinux
kernel /boot/kernel root=/dev/vg/root ... enforcing=0 nosetenforce ...
Reboot and Set SELinux Booleans
Reboot your system so that the newly applied file contexts are used. Log on
and, if you have indeed installed Gentoo using the hardened sources (as we
recommended), enable the SSP SELinux boolean, allowing every domain read
access to the /dev/urandom device:
Code Listing 2.12: Enabling the global_ssp boolean
~# setsebool -P global_ssp on
Define the Administrator Accounts
If the SELINUXTYPE is set to strict, then we
need to map the account(s) you use to manage your system (those
that need access to Portage) to the staff_u SELinux user. If not, none
of your accounts will be able to succesfully manage the system (except for
root, but then you will need to login as root directly and not
through sudo or su.) By default, users are mapped to the
user_u SELinux user who doesn't have the appropriate rights (nor access
to the appropriate roles) to manage a system. Accounts that are mapped to
staff_u can, but might need to switch roles from staff_r to
sysadm_r before they are granted the appropriate privileges.
Assuming that your account name is john:
Code Listing 2.13: Mapping the Linux account john to the SELinux user staff_u
~# semanage login -a -s staff_u john
~# restorecon -R -F /home/john
If you later log on as john and want to manage your system, you will
probably need to switch your role. You can use newrole for this:
Code Listing 2.14: Switching roles
~$ id -Z
~$ newrole -r sysadm_r
~$ id -Z
If you however use a targeted policy, then the user you work with will be
of type unconfined_t and will already have the necessary privileges to
perform system administrative tasks.
With that done, enjoy - your first steps into the SELinux world are now made.
Supporting Service Administration
By default, the Gentoo Hardened SELinux policies will allow the sysadm_t domain
access to all services. However, some of these services have policies that allow
them to be assigned to individual, non-root users. This requires the user to be
granted the system_r role (meaning the user can, under certain
circumstances, have his role change towards the system role).
It is therefor recommended to grant the system_r role to the
administrative SELinux user you are going to use most. This most likely is the
root and staff_u SELinux user.
Code Listing 2.15: Granting the system_r role to the staff and root user
# semanage user -m -R "staff_r sysadm_r system_r" root
# semanage user -m -R "staff_r sysadm_r system_r" staff_u
[ << ]
[ < ]
[ Home ]
[ > ]
[ >> ]
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.