Revision as of 16:57, September 15, 2016

Install SELinux

Important

This document is work in progress. Do not use this as a reference!

Preparation

Since Python 2.7 provides most compatibility with SELinux, we will use it as our default interpreter.

root # eselect python list
Available Python interpreters, in order of preference:
  [1]   python2.7
  [2]   python3.4
  [3]   python3.5
root # eselect python set 1

Add SELinux policy types to make.conf

/etc/portage/make.conf file

POLICY_TYPES="targeted strict"

Add SELinux mix-in

root # epro mix-in +selinux

Kernel configuration

You can use any kernel that supports SELinux, although it's advised to use hardened-sources since it provides additional hardened/security features.

root # emerge -av sys-kernel/hardened-sources

Kernel configuration file

General setup
  [*] Auditing support

File systems
  <*> Second extended fs support
  [*] Ext2 extended attributes
  [ ]   Ext2 POSIX Access Control Lists
  [*]   Ext2 Security Labels
  < > The Extended 3 (ext3) filesystem
  <*> The Extended 4 (ext4) filesystem
  [ ]   Ext4 POSIX Access Control Lists
  [*]   Ext4 Security Labels
  < >   Ext4 Encryption

Security options
  [*] Enable different security models
  [*] Socket and Networking Security Hooks
  [*] NSA SELinux Support
  [ ]  NSA SELinux boot parameter
  [ ]  NSA SELinux runtime disable
  [*]  NSA SELinux Development Support
  [ ]  NSA SELinux AVC Statistics
  (1)  NSA SELinux checkreqprot default value
  [ ]  NSA SELinux maximum supported policy format version
     Default security module (SELinux) --->

Reboot

Compile the kernel with the new configuration and reboot.

Install necessary SELinux packages

root # emerge -a1 checkpolicy policycoreutils

root # FEATURES="-selinux" emerge -a1 selinux-base

Choosing the SELinux policy

/etc/selinux/config

# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted

root # FEATURES="-selinux" emerge -1 selinux-base

Installation

root # FEATURES="-selinux -sesandbox" emerge selinux-base-policy

root # emerge -auvDN @world

/etc/fstab - Setting rootcontext for /tmp and /run

# For a "targeted" or "strict" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0

Reboot

root # shutdown -r now

Relabeling packages

root # rlpkg -a -r
root # shutdown -r now

Setting SELinux booleans

root # setsebool -P global_ssp on

Check if users have proper roles

root # id -Z
unconfined_u:unconfined_r:unconfined_t

If your output is the same as above you are now ready to switch your SELinux to enforcing

/etc/selinux/config - Enforcing security policy

# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted

Reboot

root # shutdown -r now

Check your SELinux status

root # sestatus -v

@@ Line 14: / Line 14: @@
 }}
-=== Adding SELinux policy types to make.conf ===
+=== Add SELinux policy types to make.conf ===
 {{file|name=/etc/portage/make.conf file|body=
 POLICY_TYPES="targeted strict"
+}}
+=== Add SELinux mix-in ===
+{{console|body=
+###i## epro mix-in +selinux
 }}
@@ Line 54: / Line 59: @@
 ==== Reboot ====
 Compile the kernel with the new configuration and reboot.
+=== Install necessary SELinux packages ===
+{{console|body=
+###i## emerge -a1 checkpolicy policycoreutils
+}}
+{{console|body=
+###i## FEATURES="-selinux" emerge -a1 selinux-base
+}}
+==== Choosing the SELinux policy ====
+{{file|name=/etc/selinux/config|body=
+# This file controls the state of SELinux on the system on boot.
+# SELINUX can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE can take one of these four values:
+#       targeted - Only targeted network daemons are protected.
+#       strict   - Full SELinux protection.
+#       mls      - Full SELinux protection with Multi-Level Security
+#       mcs      - Full SELinux protection with Multi-Category Security
+#                  (mls, but only one sensitivity level)
+SELINUXTYPE=targeted
+}}
+{{console|body=
+###i## FEATURES="-selinux" emerge -1 selinux-base
+}}
+== Installation ==
+{{console|body=
+###i## FEATURES="-selinux -sesandbox" emerge selinux-base-policy
+}}
+{{console|body=
+###i## emerge -auvDN @world
+}}
+{{file|name=/etc/fstab|desc=Setting rootcontext for /tmp and /run|body=
+# For a "targeted" or "strict" policy type:
+tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0
+tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0
+# For an "mls" or "mcs" policy type:
+tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0  0 0
+tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0
+}}
+Reboot
+{{console|body=
+###i## shutdown -r now
+}}
+=== Relabeling packages ===
+{{console|body=
+###i## rlpkg -a -r
+###i## shutdown -r now
+}}
+Setting SELinux booleans
+{{console|body=
+###i## setsebool -P global_ssp on
+}}
+Check if users have proper roles
+{{console|body=
+###i## id -Z
+unconfined_u:unconfined_r:unconfined_t
+}}
+If your output is the same as above you are now ready to switch your SELinux to enforcing
+{{file|name=/etc/selinux/config|desc=Enforcing security policy|body=
+# This file controls the state of SELinux on the system on boot.
+# SELINUX can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=enforcing
+# SELINUXTYPE can take one of these four values:
+#       targeted - Only targeted network daemons are protected.
+#       strict   - Full SELinux protection.
+#       mls      - Full SELinux protection with Multi-Level Security
+#       mcs      - Full SELinux protection with Multi-Category Security
+#                  (mls, but only one sensitivity level)
+SELINUXTYPE=targeted
+}}
+Reboot
+{{console|body=
+###i## shutdown -r now
+}}
+Check your SELinux status
+{{console|body=
+###i## sestatus -v
+}}

Difference between revisions of "SELinux/Install"

Revision as of 16:57, September 15, 2016

Install SELinux

Preparation

Add SELinux policy types to make.conf

Add SELinux mix-in

Kernel configuration

Reboot

Install necessary SELinux packages

Choosing the SELinux policy

Installation

Relabeling packages

Navigation menu

Search