SELinux/Install
Install SELinux
Preparation
Since Python 2.7 provides the most compatibility with SELinux, we will use it as our default interpreter.
root # eselect python list
Available Python interpreters, in order of preference:
  [1]   python2.7
  [2]   python3.4
  [3]   python3.5
root # eselect python set 1
Add SELinux policy types to make.conf
/etc/portage/make.conf file
POLICY_TYPES="targeted strict"
Much like Gentoo, Funtoo supports 4 policy types:
- targeted
- strict
- mls
- mcs
You can have one or more of these in your make.conf, but only one can be active at a time.
In this guide we will use the targeted policy type, because it is more forgiving and beginner friendly. It is a decent type to start getting familiar with SELinux.
The targeted policy type will pull in an unconfined domain, which some experienced SELinux users might not like. If you are one of them, simply remove targeted from your policy types and choose one to your own liking.
Kernel configuration
You can use any kernel that supports SELinux, although it's advised to use hardened-sources since it provides additional hardened/security features.
root # emerge -av sys-kernel/hardened-sources
Under Kernel configuration file:
General setup  --->
    [*] Auditing support
File systems  --->
    <*> Second extended fs support
    [*]   Ext2 extended attributes
    [ ]     Ext2 POSIX Access Control Lists
    [*]     Ext2 Security Labels
    < > The Extended 3 (ext3) filesystem
    <*> The Extended 4 (ext4) filesystem
    [ ]   Ext4 POSIX Access Control Lists
    [*]   Ext4 Security Labels
    < >   Ext4 Encryption
Security options  --->
    [*] Enable different security models
    [*] Socket and Networking Security Hooks
    [*] NSA SELinux Support
    [ ]   NSA SELinux boot parameter
    [ ]   NSA SELinux runtime disable
    [*]   NSA SELinux Development Support
    [ ]   NSA SELinux AVC Statistics
    (1)   NSA SELinux checkreqprot default value
    [ ]   NSA SELinux maximum supported policy format version
    Default security module (SELinux)  --->
In case you decide to stick with the default debian binary kernel, you will need to pass a security=selinux parameter to your bootloader.
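Before compiling it is worth verifying that the options above actually made it into the kernel's .config; a missing security-label option on the root filesystem is a common reason relabeling later fails. The following script is an added example, not part of the Funtoo wiki: it maps the menu entries listed above to their Kconfig symbol names (an assumption based on mainline Kconfig; check them against your kernel tree) and reports which ones are not set to y. The sample .config it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a kernel .config for the SELinux-related options from
# the guide. The Kconfig symbol names below are an assumption (mainline names
# for the menu entries shown in the guide); verify against your kernel tree.
REQUIRED_Y="CONFIG_AUDIT \
CONFIG_EXT2_FS_XATTR CONFIG_EXT2_FS_SECURITY \
CONFIG_EXT4_FS_SECURITY \
CONFIG_SECURITY CONFIG_SECURITY_NETWORK \
CONFIG_SECURITY_SELINUX CONFIG_DEFAULT_SECURITY_SELINUX"

# Print the required symbols that are not set to y in the given .config
# (space separated, one line). Returns 0 when all are present, 1 otherwise.
check_selinux_config() {
    config="$1"
    missing=""
    for sym in $REQUIRED_Y; do
        if ! grep -q "^${sym}=y$" "$config"; then
            missing="$missing $sym"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Write a constructed sample .config to the given path: everything from the
# guide is enabled except ext4 security labels, so the check should flag it.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_AUDIT=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_SECURITY=y
# CONFIG_EXT4_FS_SECURITY is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
EOF
}

# Stand-alone demonstration on the constructed sample. On a real system run
# check_selinux_config /usr/src/linux/.config instead.
sample=$(mktemp)
write_sample_config "$sample"
if check_selinux_config "$sample"; then
    echo "all SELinux-related options are enabled"
else
    echo "options listed above are missing; enable them before compiling"
fi
rm -f "$sample"
```

The check only looks for `=y` lines, so an option built as a module (`=m`) is reported as missing, which is what you want for the security hooks and the filesystem label support of the root filesystem.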
Reboot
Compile the kernel with the new configuration and reboot.
Add SELinux mix-in
root # epro mix-in +selinux
Install necessary SELinux packages
root # emerge -av1 checkpolicy policycoreutils
root # FEATURES="-selinux" emerge -av1 selinux-base
Choosing the SELinux policy
/etc/selinux/config
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=targeted
The default SELinux type defined in /etc/selinux/config is strict. Since we will change it to targeted, it is necessary to rebuild the selinux-base package, but because we already have it installed, this time we will need to use FEATURES="-selinux -sesandbox" for selinux-base as well as for the selinux-base-policy package.
root # FEATURES="-selinux -sesandbox" emerge -1 selinux-base
Installation
root # FEATURES="-selinux -sesandbox" emerge selinux-base-policy
root # emerge -auvDN @world
/etc/fstab
- Setting rootcontext for /tmp and /run
# For a "targeted" or "strict" policy type:
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
# For an "mls" or "mcs" policy type:
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
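The rootcontext option has to match the policy type: mls and mcs contexts carry a trailing sensitivity level (`:s0`), targeted and strict contexts do not, and a mismatch leaves /tmp and /run with the wrong label after every boot. The script below is an added example, not from the Funtoo wiki; it reads SELINUXTYPE from a config file in the /etc/selinux/config format, derives the expected rootcontext for /tmp and /run, and compares it with the tmpfs lines of an fstab file. Both files are passed as arguments so it can be run against the constructed samples it writes, or against the real /etc/selinux/config and /etc/fstab.

```shell
#!/bin/sh
# Added example: check that the tmpfs rootcontext entries in an fstab match
# the policy type selected in /etc/selinux/config. File paths are arguments
# so the check can run on sample files as well as on the real ones.

# Print the rootcontext a mount point should carry for the given policy type.
# mls/mcs policies need the sensitivity level suffix, targeted/strict do not.
expected_rootcontext() {
    policy="$1"
    mountpoint="$2"
    case "$mountpoint" in
        /tmp) type=tmp_t ;;
        /run) type=var_run_t ;;
        *) return 1 ;;
    esac
    case "$policy" in
        mls|mcs) echo "system_u:object_r:${type}:s0" ;;
        targeted|strict) echo "system_u:object_r:${type}" ;;
        *) return 1 ;;
    esac
}

# Print one line per mount point whose rootcontext in the fstab differs from
# the expected one. Returns 0 if both /tmp and /run match, 1 otherwise.
check_fstab_contexts() {
    selinux_config="$1"
    fstab="$2"
    policy=$(sed -n 's/^SELINUXTYPE=//p' "$selinux_config")
    rc=0
    for mp in /tmp /run; do
        want=$(expected_rootcontext "$policy" "$mp")
        # fstab fields: device, mount point, type, options; pick the
        # rootcontext= option of the tmpfs line for this mount point.
        have=$(awk -v mp="$mp" '$1 == "tmpfs" && $2 == mp { print $4 }' "$fstab" |
               tr ',' '\n' | sed -n 's/^rootcontext=//p')
        if [ "$have" != "$want" ]; then
            echo "$mp: have '${have:-<none>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Write constructed sample files: an mcs policy with /tmp labelled correctly
# and /run still carrying the targeted-style context without ":s0".
write_samples() {
    cat > "$1" <<'EOF'
SELINUX=permissive
SELINUXTYPE=mcs
EOF
    cat > "$2" <<'EOF'
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
EOF
}

# Stand-alone demonstration on the constructed samples. On a real system run
# check_fstab_contexts /etc/selinux/config /etc/fstab instead.
cfg=$(mktemp)
fst=$(mktemp)
write_samples "$cfg" "$fst"
if check_fstab_contexts "$cfg" "$fst"; then
    echo "fstab rootcontext entries match the selected policy type"
else
    echo "fix the entries listed above, then remount /tmp and /run"
fi
rm -f "$cfg" "$fst"
```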
Reboot
root # shutdown -r now
Relabeling packages
root # rlpkg -a -r
root # shutdown -r now
Setting SELinux booleans
root # setsebool -P global_ssp on
Check if users have proper contexts
root # id -Z
unconfined_u:unconfined_r:unconfined_t
If your output is the same as above, you are now ready to switch your SELinux to enforcing.
/etc/selinux/config
- Enforcing security policy
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=targeted
Reboot
root # shutdown -r now
Check your SELinux status
root # sestatus -v