SELinux/Install
Install SELinux
Important
This document is work in progress. Do not use this as a reference!
Preparation
Python 2.7 currently gives the best compatibility with the SELinux userspace tools, so select it as the default interpreter:
root # eselect python list
Available Python interpreters, in order of preference:
  [1]   python2.7
  [2]   python3.4
  [3]   python3.5
root # eselect python set 1
Add SELinux policy types to make.conf. POLICY_TYPES lists the policy types the SELinux policy packages will build; the SELINUXTYPE you choose later in /etc/selinux/config must be one of them, or no policy store will exist for it.
/etc/portage/make.conf file
POLICY_TYPES="targeted strict"
Add SELinux mix-in
root # epro mix-in +selinux
Kernel configuration
You can use any kernel that supports SELinux, although it's advised to use hardened-sources since it provides additional hardened/security features.
root # emerge -av sys-kernel/hardened-sources
Kernel configuration file
General setup
[*] Auditing support
File systems
<*> Second extended fs support
[*] Ext2 extended attributes
[ ] Ext2 POSIX Access Control Lists
[*] Ext2 Security Labels
< > The Extended 3 (ext3) filesystem
<*> The Extended 4 (ext4) filesystem
[ ] Ext4 POSIX Access Control Lists
[*] Ext4 Security Labels
< > Ext4 Encryption
Security options
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] NSA SELinux Support
[ ] NSA SELinux boot parameter
[ ] NSA SELinux runtime disable
[*] NSA SELinux Development Support
[ ] NSA SELinux AVC Statistics
(1) NSA SELinux checkreqprot default value
[ ] NSA SELinux maximum supported policy format version
Default security module (SELinux) --->
Leaving "boot parameter" and "runtime disable" unset means SELinux cannot be switched off with selinux=0 on the kernel command line or through /sys/fs/selinux/disable once the system is up. "Development Support" is what makes permissive mode (and setenforce) possible at all; without it the kernel always enforces, so it has to stay enabled for the permissive phase the rest of this guide relies on. Make sure SELinux is also selected as the default security module.
Reboot
Compile and install the kernel with the new configuration, then reboot into it.
Install necessary SELinux packages
root # emerge -a1 checkpolicy policycoreutils
root # FEATURES="-selinux" emerge -a1 selinux-base
Choosing the SELinux policy
/etc/selinux/config
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=targeted
Re-emerge selinux-base so it picks up the SELINUXTYPE you just configured:
root # FEATURES="-selinux -sesandbox" emerge -1 selinux-base
Installation
root # FEATURES="-selinux -sesandbox" emerge selinux-base-policy
Rebuild @world so that every installed package picks up the new profile settings:
root # emerge -auvDN @world
/etc/fstab - Setting rootcontext for /tmp and /run
# For a "targeted" or "strict" policy type:
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
# For an "mls" or "mcs" policy type:
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
Reboot
root # shutdown -r now
Relabeling packages
Relabel the files of every installed package, and the nodes in /dev, so they carry the contexts defined by the newly installed policy, then reboot:
root # rlpkg -a -r
root # shutdown -r now
Setting SELinux booleans
The global_ssp boolean lets every domain read /dev/urandom, which binaries built with stack-smashing protection (as a hardened toolchain does) need at startup; -P makes the setting persistent across reboots:
root # setsebool -P global_ssp on
Check if users have proper contexts
root # id -Z
unconfined_u:unconfined_r:unconfined_t
With the targeted policy, root's login shell should run in the unconfined domain shown above (the strict policy has no unconfined domain, so this check applies to targeted only). If your output matches, and you have reviewed the AVC denials logged while the system was permissive (in dmesg or the audit log), you are ready to switch SELinux to enforcing.
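Before flipping to enforcing, it is worth checking that the three files this guide edits agree with each other: the SELINUXTYPE in /etc/selinux/config must be one of the types POLICY_TYPES builds, and the rootcontext= entries in /etc/fstab must carry a level field only for an mls or mcs policy. The script below is an added example, not part of the Funtoo wiki or its tooling; it runs the checks against constructed sample files that mirror the values on this page (the file names under the temporary directory, the example_t domain in the sample audit line, and the function names are all assumptions). On a real system, pass the live /etc/portage/make.conf, /etc/selinux/config, /etc/fstab and audit log instead.

```shell
#!/bin/sh
# Added example, not part of the Funtoo wiki page: a consistency check over
# the three files this guide edits (make.conf, /etc/selinux/config, /etc/fstab)
# plus a count of AVC denials, run before switching SELINUX=enforcing.
# All functions take file paths as arguments so they can be run against the
# constructed samples below; on a real system pass the live files instead.

# Print the policy types listed in POLICY_TYPES="..." of a make.conf.
policy_types() {
    sed -n 's/^POLICY_TYPES="\([^"]*\)".*/\1/p' "$1"
}

# Print the value of KEY=value from an /etc/selinux/config (last one wins).
selinux_setting() {
    sed -n "s/^$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# Succeed only if the SELINUXTYPE in the config is one of the types that
# POLICY_TYPES builds; otherwise no policy store exists for it.
check_policy_type_built() {
    want_type=$(selinux_setting "$2" SELINUXTYPE)
    for t in $(policy_types "$1"); do
        [ "$t" = "$want_type" ] && return 0
    done
    return 1
}

# Succeed only if every rootcontext= in fstab has the field count the policy
# type expects: user:role:type for targeted/strict, plus a :s0 level for
# mls/mcs. Fails when no rootcontext is present at all.
check_fstab_rootcontext() {
    want_type=$(selinux_setting "$2" SELINUXTYPE)
    case "$want_type" in
        mls|mcs) want=4 ;;
        *)       want=3 ;;
    esac
    awk -v want="$want" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            n = split($4, opts, ",")          # 4th fstab field = mount options
            for (i = 1; i <= n; i++)
                if (index(opts[i], "rootcontext=") == 1) {
                    found++
                    if (split(substr(opts[i], 13), f, ":") != want) bad++
                }
        }
        END { if (found == 0 || bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Count AVC denials in an audit log or dmesg dump. Each one was allowed while
# permissive and will be blocked once enforcing, so review them first.
count_avc_denials() {
    grep -c 'avc: *denied' "$1" || true
}

# Constructed samples mirroring the values used on this page.
sample_dir=$(mktemp -d)
cat > "$sample_dir/make.conf" <<'EOF'
# constructed sample of /etc/portage/make.conf
POLICY_TYPES="targeted strict"
EOF
cat > "$sample_dir/selinux-config" <<'EOF'
# constructed sample of /etc/selinux/config, as this guide leaves it
SELINUX=permissive
SELINUXTYPE=targeted
EOF
cat > "$sample_dir/selinux-config-mls" <<'EOF'
# constructed sample: a type the make.conf above does not build
SELINUX=permissive
SELINUXTYPE=mls
EOF
cat > "$sample_dir/fstab" <<'EOF'
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
EOF
cat > "$sample_dir/fstab-mls" <<'EOF'
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
EOF
cat > "$sample_dir/audit.log" <<'EOF'
type=AVC msg=audit(1500000000.001:101): avc:  denied  { read } for  pid=2345 comm="example" name="example.conf" dev="sda1" ino=1028 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=SYSCALL msg=audit(1500000000.001:101): arch=c000003e syscall=2 success=yes exit=3 pid=2345 comm="example" subj=system_u:system_r:example_t
EOF

# Run the checks against the samples; exit status 0 means consistent.
check_policy_type_built "$sample_dir/make.conf" "$sample_dir/selinux-config" \
    && echo "targeted: SELINUXTYPE is built by POLICY_TYPES"
check_policy_type_built "$sample_dir/make.conf" "$sample_dir/selinux-config-mls" \
    || echo "mls: not in POLICY_TYPES, add it to make.conf and rebuild the policy first"
check_fstab_rootcontext "$sample_dir/fstab" "$sample_dir/selinux-config" \
    && echo "fstab: rootcontext entries match the targeted policy"
check_fstab_rootcontext "$sample_dir/fstab" "$sample_dir/selinux-config-mls" \
    || echo "fstab: rootcontext entries lack the :s0 level an mls policy needs"
echo "AVC denials logged while permissive: $(count_avc_denials "$sample_dir/audit.log")"
```

The mls mismatch cases are the ones that bite in practice: a SELINUXTYPE with no matching entry in POLICY_TYPES leaves you with no policy to load, and a rootcontext without the level field is rejected at mount time by an MLS-aware policy, so /tmp and /run come up unlabeled.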
/etc/selinux/config - Enforcing security policy
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=targeted
Reboot
root # shutdown -r now
Check your SELinux status
root # sestatus -v
Confirm that the current mode is enforcing and that the loaded policy type matches the SELINUXTYPE you configured.