<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="../../css/main.css" type="text/css">
<link REL="shortcut icon" HREF="../../favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Merge SELinux Packages</p>
<p>Merge the libraries, utilities and base-policy. The policy version may need
to be adjusted; refer to the SELinux Overview for more information on policy
versions. Then load the policy.</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Merge base SELinux packages and policy</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge -1 checkpolicy policycoreutils</span>
# <span class="code-input">FEATURES=-selinux emerge -1 selinux-base-policy</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
The "FEATURES=-selinux" part of the emerge command should only be used for the command above.
It is required to merge selinux-base-policy (only the first time), because the Portage SELinux feature requires both policycoreutils and selinux-base-policy; without it, Portage will fail.
</p></td></tr></table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Choose the policy type</p>
<p>
New in 2006.1, users now have the choice between the strict policy and the
targeted policy.
</p>
<p>
In the strict policy, all processes are confined.
If you are familiar with the pre-2006.1 Gentoo SELinux policy, that policy was a strict policy.
The strict policy is suggested for servers.
Gentoo does not support the strict policy on desktops.
</p>
<p>
The targeted policy differs from strict in that only network-facing services are
confined and local users are unconfined. Gentoo only supports desktops with
the targeted policy. This policy can also be used on servers.
</p>
<p>
Edit the /etc/selinux/config file to set the policy type.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config contents</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive <span class="code-comment">(This should be set permissive for the remainder of the install)</span>
# SELINUXTYPE can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=strict <span class="code-comment">(Set this as strict or targeted)</span>
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Merge SELinux-patched packages</p>
<p>
There are several system packages that have SELinux patches. These patches
provide a variety of additional SELinux functionality, such as displaying
file contexts.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Remerge Packages</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge -1 sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
If you find that you can't use Portage due to errors like these:
!!! 'module' object has no attribute 'secure_rename' or
AttributeError: 'module' object has no attribute 'getcontext', this is
a Portage bug: it can't handle a missing python-selinux. Merge it
with "FEATURES=-selinux emerge python-selinux" to fix the problem. See
bug <a href="http://bugs.gentoo.org/show_bug.cgi?id=122517">#122517</a>
for more information.
</p></td></tr></table>
<p>There are other packages that have SELinux patches, but are optional. These
should be remerged if they are already installed, so the SELinux patches are
applied:</p>
<ul>
<li>app-admin/logrotate</li>
<li>sys-apps/fcron</li>
<li>sys-apps/vixie-cron</li>
<li>sys-fs/device-mapper</li>
<li>sys-fs/udev</li>
<li>sys-libs/pwdb</li>
</ul>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Fcron and Vixie-cron are the only crons with SELinux support.
</p></td></tr></table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>The above packages are NOT an exhaustive list; they are only the most
common ones. In general, any installed package that has the selinux USE flag
should be remerged. To see which packages may need to be merged, run
<span class="code" dir="ltr">emerge -upDN world</span>.
Since changing to the selinux profile has changed your USE flags, this lists
everything that reacts to the selinux USE flag. It will probably list some
other packages as well. To actually remerge everything, simply drop the 'p'
(pretend) option, or manually specify the packages you want to remerge.
</p></td></tr></table>
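<p>The note above suggests <span class="code" dir="ltr">emerge -upDN world</span> to find the packages that react to the selinux USE flag, and warns that other packages will appear as well. The following shell helper is an added example (not part of the handbook or of Portage) that narrows pretend-mode output down to the atoms whose USE list enables selinux; the sample lines are constructed to resemble <span class="code" dir="ltr">emerge -pv</span> output, and that format, like the function names, is an assumption of the example.</p>

```shell
# Added example, not from the Gentoo handbook. Assumption: pretend-mode
# emerge lines look like
#   [ebuild  R   ] cat/pkg-1.0  USE="acl selinux* -static" 0 kB
# where a trailing '*' marks a USE flag whose state changed.

# selinux_use_packages: read emerge pretend output on stdin and print
# "atom changed|unchanged" for every package whose USE list enables selinux
selinux_use_packages() {
    awk '
    /^\[ebuild/ {
        # drop the "[ebuild ... ]" status block; the atom is then field 1
        $0 = substr($0, index($0, "]") + 1)
        atom = $1
        if (match($0, /USE="[^"]*"/)) {
            use = substr($0, RSTART + 5, RLENGTH - 6)
            n = split(use, flag, " ")
            for (i = 1; i <= n; i++) {
                if (flag[i] == "selinux")  print atom, "unchanged"
                if (flag[i] == "selinux*") print atom, "changed"
            }
        }
    }'
}

# Constructed sample output, not captured from a real system; note that
# "-selinux*" (disabled, changed) must not be selected.
SAMPLE='[ebuild   R   ] sys-apps/coreutils-8.5  USE="acl nls selinux* -caps" 0 kB
[ebuild     U  ] sys-libs/glibc-2.11.2 [2.11] USE="nls -selinux* -profile" 0 kB
[ebuild   R   ] app-admin/logrotate-3.7.8  USE="acl selinux*" 0 kB
[ebuild     U  ] dev-libs/libxml2-2.7.7 [2.7.6] USE="ipv6 python" 0 kB
[ebuild   R   ] sys-apps/openrc-0.6.1  USE="ncurses selinux -unicode" 0 kB'

# atoms_to_remerge: the atoms only, ready to hand to "emerge -1"
atoms_to_remerge() {
    printf '%s\n' "$SAMPLE" | selinux_use_packages | awk '{ print $1 }'
}

# On a live system the pipeline would be: emerge -upDN world | selinux_use_packages
atoms_to_remerge
```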
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Merge Application Policies</p>
<p>
In the future, when merging a package, the policy will be set as a dependency so
that it is merged first; however, since the system is being converted, policy
for currently installed packages must be merged now. The selinux-base-policy
already covers most packages in the system profile.
</p>
<p>
Look in <span class="code" dir="ltr">/usr/portage/sec-policy</span>; it has several entries, each of which
represents a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is
the name of the package the policy is associated with. For example, the
selinux-apache package is the SELinux policy package for net-www/apache.
Merge each of the needed policy packages and then load the policy.
If you are converting a desktop, make sure to include the selinux-desktop policy package.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example Merge of Apache and BIND policies</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">ls /usr/portage/sec-policy</span>
<span class="code-comment">(many directories listed)</span>
# <span class="code-input">emerge -1 selinux-apache selinux-bind</span>
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Label Filesystems</p>
<p>
Before you can relabel the rest of the filesystems, you first need to relabel
/dev. Strictly speaking, this is only necessary if you aren't using a static
/dev. However, since the vast majority of current and new systems are built
with udev, you are probably using udev as well. There are many ways to
approach this, but the steps below are easy to do and work.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">mkdir /mnt/gentoo</span>
# <span class="code-input">mount -o bind / /mnt/gentoo</span>
# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev</span>
# <span class="code-input">umount /mnt/gentoo</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Remember to select one of {strict,targeted} above based on the
policy type you chose in /etc/selinux/config.</p></td></tr></table>
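<p>The setfiles command above leaves the {strict,targeted} choice to the reader. The following shell helper is an added example (not the handbook's or Gentoo's own code) that reads the SELINUX and SELINUXTYPE keys from the config file shown in the policy-type section, rejects values outside the documented sets, warns if the mode is not permissive during the install, and builds the matching file_contexts path for setfiles. The function names and the constructed sample config written to a temporary file are assumptions of the example.</p>

```shell
# Added example, not from the Gentoo handbook. The config path is a
# parameter so the constructed sample below can stand in for the real file.

# selinux_config_get KEY FILE: value of KEY=value, ignoring comment lines
# and trailing text (the listing above has a comment after each value)
selinux_config_get() {
    sed -n "s/^[[:space:]]*$1=\([A-Za-z]*\).*/\1/p" "$2" | tail -n 1
}

# selinux_check_config FILE: validate both keys; print the policy type on
# success, return 1 with a message on stderr otherwise
selinux_check_config() {
    mode=$(selinux_config_get SELINUX "$1")
    ptype=$(selinux_config_get SELINUXTYPE "$1")
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX='$mode': expected enforcing, permissive or disabled" >&2
           return 1 ;;
    esac
    case "$ptype" in
        strict|targeted) ;;
        *) echo "SELINUXTYPE='$ptype': expected strict or targeted" >&2
           return 1 ;;
    esac
    # the handbook keeps SELinux permissive until the install is complete
    [ "$mode" = permissive ] || echo "warning: SELINUX=$mode during install" >&2
    echo "$ptype"
}

# file_contexts_path FILE: the file_contexts argument for setfiles
file_contexts_path() {
    t=$(selinux_check_config "$1") || return 1
    echo "/etc/selinux/$t/contexts/files/file_contexts"
}

# Constructed sample config with the same values as the listing above
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system on boot.
SELINUX=permissive
SELINUXTYPE=strict
EOF

# With the real file, the relabel step becomes:
#   setfiles -r /mnt/gentoo "$(file_contexts_path /etc/selinux/config)" /mnt/gentoo/dev
file_contexts_path "$SAMPLE_CFG"
```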
<p>
Now label the filesystems. This gives each of the files in the filesystems
a security label. Keeping these labels consistent is important.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Label filesystems</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg -a -r</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
There is a known issue with older versions of GRUB
not being able to read symlinks that have been labeled.
Please make sure you have at least GRUB 0.94 installed.
Also rerun GRUB and reinstall it into the MBR to ensure
the updated code is in use.
You do have a LiveCD handy, right?
</p></td></tr></table>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reinstall GRUB on the MBR (GRUB users only)</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">grub</span>
grub> root (hd0,0) <span class="code-comment">(Your boot partition)</span>
grub> setup (hd0) <span class="code-comment">(Where the boot record is installed; here, it is the MBR)</span>
</pre></td></tr>
</table>
<p>
If you've installed Gentoo using the hardened sources, then you'll need to
tell SELinux that you are using the hardened toolchain with SSP. You do
this by setting an SELinux global boolean:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux global_ssp</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">setsebool -P global_ssp on</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Make sure you use the -P flag, or the setting won't survive the reboot,
and you'll likely see a lot of errors relating to /dev/null and /dev/random.
</p></td></tr></table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Final reboot</p>
<p>Reboot. Log in, then relabel again to ensure all files
are labeled correctly (some files may have been created during shutdown and
reboot).</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg -a -r</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
It is strongly suggested to <a href="http://www.gentoo.org/main/en/lists.xml">subscribe</a>
to the gentoo-hardened mailing list. It is generally a low-traffic list, and
SELinux announcements are made there.
</p></td></tr></table>
<p>
SELinux is now installed!
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated December 15, 2009</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>