Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "SELinux/Install"

From Funtoo
Jump to navigation Jump to search
Line 1: Line 1:
= Install SELinux =
= Install SELinux =
{{Important|This document is work in progress. Do not use this as a reference!}}
{{Note|Keep in mind that SELinux mix-in is a relatively new feature in Funtoo, so should you experience any bugs please use https://bugs.funtoo.org}}
__NOTITLE__
__NOTITLE__


Line 19: Line 19:
POLICY_TYPES="targeted strict"
POLICY_TYPES="targeted strict"
}}
}}
 
Much like Gentoo, Funtoo supports 4 policy types:
=== Add SELinux mix-in ===
* targeted
{{console|body=
* strict
###i## epro mix-in +selinux
* mls
}}
* mcs
You can have one or more of these in your make.conf, but only one can be active at a time.
{{Note|In this guideline we will use targeted policy type, because it's more forgiving and beginner friendly. It's a decent type to start getting familiar with SELinux.}}
{{Important|Targeted policy type will pull in an unconfined domain, which some experienced SELinux users might not like. If you are one of them,
simply remove targeted from your policy types and choose one to your own liking.}}


=== Kernel configuration ===
=== Kernel configuration ===
Line 30: Line 34:
###i## emerge -av sys-kernel/hardened-sources
###i## emerge -av sys-kernel/hardened-sources
}}
}}
{{file|name=Kernel configuration file|body=
{{kernelop|title=Kernel configuration file|desc=
General setup
General setup
   [*] Auditing support
   [*] Auditing support
Line 59: Line 63:
==== Reboot ====
==== Reboot ====
Compile the kernel with the new configuration and reboot.
Compile the kernel with the new configuration and reboot.
=== Add SELinux mix-in ===
{{console|body=
###i## epro mix-in +selinux
}}


=== Install necessary SELinux packages ===
=== Install necessary SELinux packages ===
{{console|body=
{{console|body=
###i## emerge -a1 checkpolicy policycoreutils
###i## emerge -av1 checkpolicy policycoreutils
}}
}}
{{console|body=
{{console|body=
###i## FEATURES="-selinux" emerge -a1 selinux-base
###i## FEATURES="-selinux" emerge -av1 selinux-base
}}
}}


Line 86: Line 95:
SELINUXTYPE=targeted
SELINUXTYPE=targeted
}}
}}
{{note|The default SELinux type defined in /etc/selinux/config is strict. Since we will change it to targeted, it is neccessary to rebuild a selinux-base package, but because we already have it installed this time we will need to use FEATURES{{=}}"-selinux -sesandbox" for selinux-base as well as the selinux-base-policy package.}}


{{console|body=
{{console|body=

Revision as of 00:50, September 17, 2016

Install SELinux

   Note

Keep in mind that SELinux mix-in is a relatively new feature in Funtoo, so should you experience any bugs please use https://bugs.funtoo.org


Preparation

Since Python 2.7 provides most compatibility with SELinux, we will use it as our default interpreter.

root # eselect python list
Available Python interpreters, in order of preference:
  [1]   python2.7
  [2]   python3.4
  [3]   python3.5
root # eselect python set 1

Add SELinux policy types to make.conf

   /etc/portage/make.conf file
POLICY_TYPES="targeted strict"

Much like Gentoo, Funtoo supports 4 policy types:

  • targeted
  • strict
  • mls
  • mcs

You can have one or more of these in your make.conf, but only one can be active at a time.

   Note

In this guideline we will use targeted policy type, because it's more forgiving and beginner friendly. It's a decent type to start getting familiar with SELinux.

   Important

Targeted policy type will pull in an unconfined domain, which some experienced SELinux users might not like. If you are one of them, simply remove targeted from your policy types and choose one to your own liking.

Kernel configuration

You can use any kernel that supports SELinux, although it's advised to use hardened-sources since it provides additional hardened/security features.

root # emerge -av sys-kernel/hardened-sources

Under Kernel configuration file:

General setup
  [*] Auditing support

File systems
  <*> Second extended fs support
  [*] Ext2 extended attributes
  [ ]   Ext2 POSIX Access Control Lists
  [*]   Ext2 Security Labels
  < > The Extended 3 (ext3) filesystem
  <*> The Extended 4 (ext4) filesystem
  [ ]   Ext4 POSIX Access Control Lists
  [*]   Ext4 Security Labels
  < >   Ext4 Encryption

Security options
  [*] Enable different security models
  [*] Socket and Networking Security Hooks
  [*] NSA SELinux Support
  [ ]  NSA SELinux boot parameter
  [ ]  NSA SELinux runtime disable
  [*]  NSA SELinux Development Support
  [ ]  NSA SELinux AVC Statistics
  (1)  NSA SELinux checkreqprot default value
  [ ]  NSA SELinux maximum supported policy format version
     Default security module (SELinux) --->

Reboot

Compile the kernel with the new configuration and reboot.

Add SELinux mix-in

root # epro mix-in +selinux

Install necessary SELinux packages

root # emerge -av1 checkpolicy policycoreutils
root # FEATURES="-selinux" emerge -av1 selinux-base

Choosing the SELinux policy

   /etc/selinux/config
# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted
   Note

The default SELinux type defined in /etc/selinux/config is strict. Since we will change it to targeted, it is neccessary to rebuild a selinux-base package, but because we already have it installed this time we will need to use FEATURES="-selinux -sesandbox" for selinux-base as well as the selinux-base-policy package.

root # FEATURES="-selinux -sesandbox" emerge -1 selinux-base

Installation

root # FEATURES="-selinux -sesandbox" emerge selinux-base-policy
root # emerge -auvDN @world
   /etc/fstab - Setting rootcontext for /tmp and /run
# For a "targeted" or "strict" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0

Reboot

root # shutdown -r now

Relabeling packages

root # rlpkg -a -r
root # shutdown -r now

Setting SELinux booleans

root # setsebool -P global_ssp on

Check if users have proper contexts

root # id -Z
unconfined_u:unconfined_r:unconfined_t

If your output is the same as above you are now ready to switch your SELinux to enforcing

   /etc/selinux/config - Enforcing security policy
# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted

Reboot

root # shutdown -r now

Check your SELinux status

root # sestatus -v