Gentoo support for SE Linux is experimental but installs (as of 2005 Oct 20) with only minor hiccups. There are two options: add SE Linux support to an already-installed Gentoo system; build a hardened SE Linux Gentoo system from scratch. Both are well described in the Gentoo x86 SELinux Handbook.
Building a hardened SE Linux Gentoo system from scratch I encountered the following three hiccups (each easily solved via Google):
    * Starting eth0
    *   apipa : missing required function interface_exists
Cured by
    emerge sys-apps/net-tools
which contains such useful tools as ifconfig...
    Policy version: 19 Kernel version: 18
    WARNING: Policy verion mismatch
    . .
    /usr/sbin/load_policy: security_load_policy failed
The solution is to change the value of POLICYCOMPAT appropriately in the Makefile.
    !!! SELinux module not found. Please verify that it was installed.
The solution is in the SELinux Gentoo FAQ: remerge python-selinux,
    emerge dev-python/python-selinux
and (probably) relabel (make -C /selinux/<DOTS>/src/<DOTS> relabel).
First, you need a kernel with SELinux support.
(If at any point during a boot sequence you see error messages such as selinuxfs unknown then you've probably booted a kernel which does not support SELinux by mistake.)
Immediately after installation from an Etch installation CD, with kernel-image-2.6.8-2-386 installed:
    fgrep SELIN /boot/config-2.6.8-2-386
yielded
    # CONFIG_SECURITY_SELINUX is not set
(hardly surprising) but after apt-get install linux-image-686
    fgrep SELIN /boot/config-2.6.12-1-686
yielded
    CONFIG_SECURITY_SELINUX=y
    CONFIG_SECURITY_SELINUX_BOOTPARAM=y
    CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
    # ...selinux=1
    CONFIG_SECURITY_SELINUX_DISABLE=y
    # ...enforcing=0
    CONFIG_SECURITY_SELINUX_DEVELOP=y
    # ...machine boots into permissive mode --- must be manually
    # switched to enforcing mode
    CONFIG_SECURITY_SELINUX_AVC_STATS=y
    CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
In addition to the above, SELinux requires extended attributes on the filesystems in use — in my case Ext3 (at the time of writing ReiserFS does not support XATTR):
    fgrep XATTR /boot/config-2.6.12-1-686
yielded
    CONFIG_EXT2_FS_XATTR=y
    CONFIG_EXT3_FS_XATTR=y
In addition to basic SELinux support and extended-attribute support for the filesystem, AUDIT support is virtually a necessity (in order to debug your security policy). My Debian kernel output no SELinux-related logs (no /var/log/audit or /var/log/audit.log; no avc-related entries in /var/log/kern.log; no auditd process).
    fgrep AUDIT /boot/config-<version>
yielded
    # CONFIG_AUDIT is not set
And from the Unofficial SELinux FAQ:
    The main kernel auditing functionality (as opposed to the minimum needed to log basic AVC messages) is enabled when the auditd is started or if the kernel is booted with the parameter "audit=1". This auditing functionality is now required to display the path names when SE Linux denies access to files, so for best logging functionality you should have auditd running or boot with "audit=1".
    Debian does not yet have an auditd, it should be packaged soon.
Downloaded 2.6.13.4 from www.kernel.org and built with
    CONFIG_SECURITY_SELINUX=y
    CONFIG_SECURITY_SELINUX_BOOTPARAM=y
    CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
    CONFIG_SECURITY_SELINUX_DISABLE=y
    CONFIG_SECURITY_SELINUX_DEVELOP=y
    CONFIG_SECURITY_SELINUX_AVC_STATS=y
    CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
and
    CONFIG_EXT2_FS_XATTR=y
    CONFIG_EXT3_FS_XATTR=y
and
    CONFIG_AUDIT=y
    CONFIG_AUDITSYSCALL=y
After reboot avc-related logs began appearing in kern.log.
Depending on the details of your kernel SELinux configuration (see the make menuconfig help for more) you may need some kernel command-line arguments, one to switch on SELinux, the other to select whether the security policy is enforced, or whether breaches are simply logged. Until your policy is fully debugged, don't enforce policy:
kernel /vmlinuz-<version> root=<rootdev> selinux=1 enforcing=0
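The fgrep checks above and the boot arguments just described, folded into one script. This is an added example, not part of the original notes; the REQUIRED table is an assumption drawn only from the options quoted on this page, and the two sample configs are constructed to mirror the stock 2.6.8 and self-built 2.6.13.4 kernels above.

```python
# Added example (not from the original notes): parse a /boot/config-<version>
# file, report which of the SELinux, XATTR and AUDIT options this page grepped
# for are missing, and derive the boot arguments the config needs. REQUIRED is
# an assumption drawn from the options quoted on this page, not a complete list.
import re

REQUIRED = {"CONFIG_SECURITY_SELINUX": "y",  # the LSM itself
            "CONFIG_EXT3_FS_XATTR": "y",     # labels live in extended attributes
            "CONFIG_AUDIT": "y",             # no usable avc: logs without it
            "CONFIG_AUDITSYSCALL": "y"}      # path names in denials
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Return {option: value}; options marked 'is not set' map to None."""
    opts = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            opts[m.group(1)] = None
    return opts

def check_selinux_config(text):
    """List what is missing; an empty list means the kernel will do."""
    opts, problems = parse_kconfig(text), []
    for name, want in REQUIRED.items():
        have = opts.get(name)
        if have is None:
            problems.append(f"{name} is not set")
        elif have != want:
            problems.append(f"{name}={have} (want {want})")
    return problems

def boot_args(text):
    """Kernel command-line arguments to boot this config with SELinux on but permissive."""
    opts, args = parse_kconfig(text), []
    if opts.get("CONFIG_SECURITY_SELINUX") != "y":
        return args                   # nothing to switch on
    if opts.get("CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE") == "0":
        args.append("selinux=1")      # off by default: enable at boot
    if opts.get("CONFIG_SECURITY_SELINUX_DEVELOP") == "y":
        args.append("enforcing=0")    # log breaches until the policy is debugged
    return args

# Constructed samples: the stock 2.6.8 config versus the self-built 2.6.13.4.
OLD_CONFIG = "# CONFIG_SECURITY_SELINUX is not set\nCONFIG_EXT3_FS_XATTR=y\n# CONFIG_AUDIT is not set\n"
NEW_CONFIG = ("CONFIG_SECURITY_SELINUX=y\nCONFIG_SECURITY_SELINUX_BOOTPARAM=y\n"
              "CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0\nCONFIG_SECURITY_SELINUX_DEVELOP=y\n"
              "CONFIG_EXT3_FS_XATTR=y\nCONFIG_AUDIT=y\nCONFIG_AUDITSYSCALL=y\n")
```

Run it against open("/boot/config-" + os.uname().release).read() on the box in question; check_selinux_config() names the missing options and boot_args() gives the arguments for the grub line.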
The following package should already be installed:
    libselinux1    shared libraries
Check, e.g.,
    ldd /usr/sbin/sshd
    ldd /usr/sbin/logrotate
    ldd /usr/sbin/dpkg
or
    ps --context    # ...or ps -Z
    ls --context    # ...or ls -Z
    id --context    # ...or id -Z
In my installation coreutils was not linked against libselinux1 (e.g., ls -Z failed; id did not return SELinux context). Adding
    ###http://www.coker.com.au/selinux/
    deb http://people.debian.org/~srivasta/ packages/
to /etc/apt/sources.list and
    Package: *
    Pin: release l=unstable
    Pin-Priority: 1100
to /etc/apt/preferences with apt-get install coreutils fixed the problem.
The following SELinux-related packages need to be added to your installation — see package installation:
    selinux-policy-default    sample policy files for many common programs, e.g., sendmail, X...
    checkpolicy               security policy compiler
    policycoreutils           core utilities required for basic operation of an SELinux system (such as newrole, load_policy)
    selinux-utils             utilities to get and set process and file security contexts, and to obtain security policy decisions
    selinux-doc               documentation (optional)
At the time of writing (2005 Oct 24) only testing (Etch) and unstable (Sid) contain selinux-policy-default, so unless you want to write your policy from scratch (you don't), grab the packages from testing or unstable.
Unless you have a very old system, you'll already have libselinux1, so
    apt-get install checkpolicy policycoreutils selinux-utils
Ensure you have booted into a SELinux-supporting kernel before installing selinux-policy-default, otherwise you'll get
    Installing the new SE Linux policy
    mount: unknown filesystem type 'selinuxfs'
    dpkg: error processing selinux-policy-default (--configure):
     subprocess post-installation script returned error exit status 32
    Errors were encountered while processing:
     selinux-policy-default
With a suitable kernel booted (if necessary with selinux=1 enforcing=0)
    apt-get install selinux-policy-default
During this installation you'll be asked about installation of individual policy .te files, one for each domain:
    Removal of unwanted policy files
    Do you want domains/program/udev.te:udev - Linux configurable dynamic device naming support
    Yes/No/Display [Y/n/d]?
The safest answer is Y in each case; you can always change it later.
As the installation of this package finishes you should see something like this:
    Setting up selinux-policy-default (1.26-5) ...
    Compiling policy ...
    /usr/bin/checkpolicy: loading policy configuration from policy.conf
    /usr/bin/checkpolicy: policy configuration loaded
    /usr/bin/checkpolicy: writing binary representation (version 19) to /etc/selinux/./policy/policy.19
    Building file contexts files...
    Validating file contexts files ...
    Installing file contexts files...
    Compiling policy ...
    /usr/bin/checkpolicy: loading policy configuration from policy.conf
    /usr/bin/checkpolicy: policy configuration loaded
    /usr/bin/checkpolicy: writing binary representation (version 20) to /etc/selinux/./policy/policy.20
    none /selinux selinuxfs noauto 0 0
As part of the installation of selinux-policy-default the security policy was compiled (make policy) and loaded (make load). Next the filesystems must be labeled with their correct security context:
    make -C /etc/selinux/src relabel
(this can take a while).
Add this to /etc/pam.d/login:
    session required pam_selinux.so
otherwise on login (even root, console login) you get
    No directory, logging in with HOME=/
    Cannot execute /bin/bash: permission denied
So that a user is offered a choice of contexts on login, where such a choice exists, change the above to this
    session required pam_selinux.so multiple
su
-- in addition su seems to change context (from user_t) only if a similar line is added to /etc/pam.d/su
run_init se_dpkg, se_apt-get
-- /usr/share/doc/selinux-doc
-- /etc/selinux
-- /selinux
apt-get install attr
-- sshd crashes
-- logs might help with ssh... -- indeed do:
    fgrep avc kern.log | grep sshd
    Oct 25 14:54:18 pinback kernel: audit(1130252058.315:233222): avc: denied { write } for pid=3530 comm="sshd" name="[4064]" dev=sockfs ino=4064 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file
    Oct 25 14:54:18 pinback kernel: audit(1130252058.375:233259): avc: denied { read } for pid=3639 comm="sshd" name="[4065]" dev=sockfs ino=4065 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file
    Oct 25 14:54:18 pinback kernel: audit(1130252058.519:233570): avc: denied { getattr } for pid=3639 comm="sshd" name="[4078]" dev=sockfs ino=4078 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file
    Oct 25 14:54:22 pinback kernel: audit(1130252062.019:233999): avc: denied { search } for pid=3639 comm="sshd" name="home" dev=hda10 ino=482385 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=dir
First, ls -lZ / shows that /home has default_t ---- on gentoo it has home_root_t, so chcon it and all is well.
sockfs... audit2allow:
    allow sshd_t self:sock_file { getattr read write };
and sticking this in /etc/selinux/src/domains/program/ssh.te then "make load" indeed works!
But why is this not needed on gentoo? It's not there --- compared policy.conf on gentoo and debian --- same with regard to sockets.
    debian> lsof | grep ssh
    gentoo> lsof | grep ssh
shows that on debian sshd uses unix sockets, and on gentoo it does not! debian is v4.2p1 while gentoo is 3.9p1 --- but 3.8 uses sockets on another debian box... X11 forwarding (xauth) uses unix-socket!!!!!!!!!!!! and xauth is not even installed on the gentoo box...

audit2why audit2allow
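The audit2allow step above, as an added example rather than audit2allow itself or anything from the original notes: a small re-implementation that turns the four kern.log denials quoted above into allow rules, and separately flags denials whose target is still default_t, which (as the /home case shows) call for chcon or a relabel rather than a new rule. The log lines are the ones on this page, embedded here as sample input.

```python
# Added example (not from the original notes, not audit2allow itself): build
# audit2allow-style rules from the avc: denied lines quoted above, and flag
# default_t targets, which are a labelling problem rather than a policy hole.
import re
from collections import defaultdict

_AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (permissions, fields) for one denial line, or None if it is not one."""
    m = _AVC.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(2))}
    return set(m.group(1).split()), fields

def _type_of(context):
    return context.split(":")[2]      # user:role:type[:mls]

def denials_to_rules(lines):
    """Aggregate denials per (source, target, class) into sorted allow rules."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        src, tgt = _type_of(f["scontext"]), _type_of(f["tcontext"])
        # same source and target type is written as 'self', as audit2allow does
        wanted[(src, "self" if src == tgt else tgt, f["tclass"])] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(wanted.items())]

def mislabelled_targets(lines):
    """Objects still labelled default_t: fix with chcon/relabel, not with policy."""
    names = set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed and _type_of(parsed[1]["tcontext"]) == "default_t":
            names.add(parsed[1].get("name", "?"))
    return sorted(names)

KERN_LOG = [  # the four denials quoted above (sample input)
    'Oct 25 14:54:18 pinback kernel: audit(1130252058.315:233222): avc: denied { write } for pid=3530 comm="sshd" name="[4064]" dev=sockfs ino=4064 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file',
    'Oct 25 14:54:18 pinback kernel: audit(1130252058.375:233259): avc: denied { read } for pid=3639 comm="sshd" name="[4065]" dev=sockfs ino=4065 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file',
    'Oct 25 14:54:18 pinback kernel: audit(1130252058.519:233570): avc: denied { getattr } for pid=3639 comm="sshd" name="[4078]" dev=sockfs ino=4078 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file',
    'Oct 25 14:54:22 pinback kernel: audit(1130252062.019:233999): avc: denied { search } for pid=3639 comm="sshd" name="home" dev=hda10 ino=482385 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=dir',
]
```

denials_to_rules(KERN_LOG) yields the sock_file rule that went into ssh.te plus a default_t:dir rule that should not be added, because mislabelled_targets(KERN_LOG) reports "home" as the object to relabel instead.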