SELinux/Install

From Funtoo
Jump to: navigation, search

Preparation

Add SELinux policy types to make.conf

   /etc/portage/make.conf file
POLICY_TYPES="targeted strict"

SELinux has 4 policy types:

  • targeted
  • strict
  • mls
  • mcs

You can have one or more of these in your make.conf, but only one can be active at a time.

   Note

In this guideline we will use targeted policy type, because it's more forgiving and beginner friendly. It's a decent type to start getting familiar with SELinux.

   Important

Targeted policy type will pull in an unconfined domain, which some experienced SELinux users might not like. If you are one of them, simply remove targeted from your policy types and choose one to your own liking.

Kernel configuration

You can use any kernel that supports SELinux, although it's advised to use hardened-sources since it provides additional hardened/security features.

root # emerge -av sys-kernel/hardened-sources

Under Kernel configuration file:

General setup
  [*] Auditing support

File systems
  <*> Second extended fs support
  [*] Ext2 extended attributes
  [ ]   Ext2 POSIX Access Control Lists
  [*]   Ext2 Security Labels
  < > The Extended 3 (ext3) filesystem
  <*> The Extended 4 (ext4) filesystem
  [ ]   Ext4 POSIX Access Control Lists
  [*]   Ext4 Security Labels
  < >   Ext4 Encryption

Security options
  [*] Enable different security models
  [*] Socket and Networking Security Hooks
  [*] NSA SELinux Support
  [ ]  NSA SELinux boot parameter
  [ ]  NSA SELinux runtime disable
  [*]  NSA SELinux Development Support
  [ ]  NSA SELinux AVC Statistics
  (1)  NSA SELinux checkreqprot default value
  [ ]  NSA SELinux maximum supported policy format version
     Default security module (SELinux) --->
   Note

In case you decide to stick with the default debian binary kernel, you will need to pass a security=selinux parameter to your bootloader.

Reboot

Compile the kernel with the new configuration and reboot.

Add SELinux mix-in

root # epro mix-in +selinux

Install necessary SELinux packages

root # emerge -av1 checkpolicy policycoreutils
root # FEATURES="-selinux" emerge -av1 selinux-base

Choosing the SELinux policy

   /etc/selinux/config
# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted
   Note

The default SELinux type defined in /etc/selinux/config is strict. Since we will change it to targeted, it is neccessary to rebuild a selinux-base package, but because we already have it installed this time we will need to use FEATURES="-selinux -sesandbox" for selinux-base as well as the selinux-base-policy package.

root # FEATURES="-selinux -sesandbox" emerge -1 selinux-base

Installation

root # FEATURES="-selinux -sesandbox" emerge selinux-base-policy
root # emerge -auvDNt @world
   /etc/fstab - Setting rootcontext for /tmp and /run
# For a "targeted" or "strict" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0

Reboot

root # shutdown -r now

Relabeling packages

root # rlpkg -a -r
root # shutdown -r now

Setting SELinux booleans

root # setsebool -P global_ssp on

Check if users have proper contexts

root # id -Z
unconfined_u:unconfined_r:unconfined_t

If your output is the same as above you are now ready to switch your SELinux to enforcing

   /etc/selinux/config - Enforcing security policy
# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted

Reboot

root # shutdown -r now

Check your SELinux status

root # sestatus -v