1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
|
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>23</version>
<date>2012-05-06</date>
<section>
<title>Installing Gentoo (Hardened)</title>
<subsection>
<title>Introduction</title>
<body>
<p>
Getting a SELinux-powered Gentoo installation doesn't require weird actions.
What you need to do is install Gentoo Linux with the correct profile, correct
kernel configuration and some file system relabelling. We seriously recommend to
use SELinux together with other hardening improvements (such as PaX /
grSecurity).
</p>
<p>
This chapter will describe the steps to install Gentoo with SELinux. We
assume that you have an existing Gentoo Linux system which you want to convert
to Gentoo with SELinux. If this is not the case, you should still read
on: you can install Gentoo with SELinux immediately if you make the
correct decisions during the installation process, based on the information in
this chapter.
</p>
</body>
</subsection>
<subsection>
<title>Performing a Standard Installation</title>
<body>
<p>
Install Gentoo Linux according to the <uri link="/doc/en/handbook">Gentoo
Handbook</uri> installation instructions. We recommend the use of the hardened
stage 3 tarballs and <c>hardened-sources</c> kernel instead of the standard
ones, but standard stage installations are also supported for SELinux.
Perform a full installation to the point that you have booted your system
into a (primitive) Gentoo base installation.
</p>
<note>
If you are an XFS user, make sure that the inode sizes of the XFS file
system is 512 byte. Since the default is 256, you will need to run the
<c>mkfs.xfs</c> command with the <c>-i size=512</c> arguments, like so:
<c>mkfs.xfs -i size=512 /dev/sda3</c>
</note>
</body>
</subsection>
<!--
<subsection>
<title>Installing the Hardened Development Overlay</title>
<body>
<p>
Although optional, we recommend to enable the <c>hardened-development</c>
overlay. The state of SELinux within Gentoo Hardened is still undergoing
major development.
</p>
<p>
Install <c>app-portage/layman</c> and add the <c>hardened-development</c>
overlay. This overlay uses a git repository, so either install <c>git</c> as
well, or set <c>USE="git"</c> in <path>/etc/make.conf</path>.
Make sure to include layman's <path>make.conf</path> in your
<path>make.conf</path> file.
</p>
<pre caption="Installing hardened-development overlay">
~# <i>emerge layman</i>
~# <i>layman -S</i>
~# <i>layman -a hardened-development</i>
~# <i>nano /etc/make.conf</i>
<comment># Add the following line at the top of your make.conf file</comment>
<i>source /var/lib/layman/make.conf</i>
</pre>
</body>
</subsection>
-->
<!--
TODO Validate after 2.20120215-r8 is stable that this is no longer
necessary? Not sure about it though : check userspace ebuilds as well.
-->
<subsection>
<title>Switching to Python 2</title>
<body>
<p>
For now, the SELinux management utilities are not compatible with Python 3 so
we recommend to switch to Python 2 until the packages are updated and fixed.
</p>
<pre caption="Switching to python 2">
~# <i>emerge '<=dev-lang/python-3.0'</i>
~# <i>eselect python list</i>
Available Python interpreters:
[1] python2.7
[2] python3.1 *
~# <i>eselect python set 1</i>
~# <i>source /etc/profile</i>
</pre>
</body>
</subsection>
<subsection>
<title>Optional: Setting the filesystem contexts</title>
<body>
<p>
If your <path>/tmp</path> location is a tmpfs-mounted file system, then you need
to tell the kernel that the root context of this location is <c>tmp_t</c>
instead of <c>tmpfs_t</c>. Many SELinux policy objects (including various
server-level policies) assume that <path>/tmp</path> is <c>tmp_t</c>.
</p>
<p>
To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>:
</p>
<pre caption="Update /etc/fstab for /tmp">
<comment># For a "targeted" or "strict" policy type:</comment>
tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i> 0 0
<comment># For an "mls" or "mcs" policy type:</comment>
tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t:s0</i> 0 0
</pre>
</body>
</subsection>
<!--
<subsection>
<title>Enabling ~Arch Packages</title>
<body>
<p>
The current stable SELinux related packages are not fit for use anymore (or are
even broken) so we seriously recommend to enable ~arch packages for SELinux. Add
the following settings to the right file (for instance
<path>/etc/portage/package.accept_keywords/selinux</path>):
</p>
<pre caption="SELinux ~arch packages">
=sys-process/vixie-cron-4.1-r11
</pre>
</body>
</subsection>
-->
<subsection>
<title>Change the Gentoo Profile</title>
<body>
<p>
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
to the right SELinux profile (for instance,
<path>hardened/linux/amd64/no-multilib/selinux</path>). Note that the older
profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>) are not
supported anymore.
</p>
<pre caption="Switching the Gentoo profile">
~# <i>eselect profile list</i>
Available profile symlink targets:
[1] default/linux/amd64/10.0
[2] default/linux/amd64/10.0/selinux
[3] default/linux/amd64/10.0/desktop
[4] default/linux/amd64/10.0/desktop/gnome
[5] default/linux/amd64/10.0/desktop/kde
[6] default/linux/amd64/10.0/developer
[7] default/linux/amd64/10.0/no-multilib
[8] default/linux/amd64/10.0/server
[9] hardened/linux/amd64
[10] hardened/linux/amd64/selinux
[11] hardened/linux/amd64/no-multilib *
[12] hardened/linux/amd64/no-multilib/selinux
~# <i>eselect profile set 12</i>
</pre>
<note>
Starting from the profile change, Portage will warn you after every installation
that it was "Unable to set SELinux security labels". This is to be expected,
because the tools and capabilities that Portage requires to set the security
labels aren't available yet. This warning will vanish the moment the SELinux
installation is completed.
</note>
<p>
Don't update your system yet - we will need to install a couple of packages in a
particular order which Portage isn't aware of in the next couple of sections.
</p>
</body>
</subsection>
<subsection>
<title>Update make.conf</title>
<body>
<p>
Next, take a look at the following USE flags and decide if you want to enable
or disable them.
</p>
<table>
<tr>
<th>USE flag</th>
<th>Default Value</th>
<th>Description</th>
</tr>
<tr>
<ti>peer_perms</ti>
<ti>Enabled</ti>
<ti>
The peer_perms capability controls the SELinux policy network peer controls.
If set, the access control mechanisms that SELinux uses for network based
labelling are consolidated. This setting is recommended as the policy is
also updated to reflect this. If not set, the old mechanisms (NetLabel and
Labeled IPsec) are used side by side.
</ti>
</tr>
<tr>
<ti>open_perms</ti>
<ti>Enabled</ti>
<ti>
The open_perms capability enables the SELinux permission "open" for files
and file-related classes. Support for the "open" call was added a bit later
than others so support was first made optional. However, the policies have
matured sufficiently to have the open permission set.
</ti>
</tr>
<tr>
<ti>ubac</ti>
<ti>Enabled</ti>
<ti>
When disabled, the SELinux policy is built without user-based access control.
</ti>
</tr>
</table>
<p>
Make your choice and update the <c>USE</c> variable in
<path>/etc/make.conf</path>.
</p>
</body>
</subsection>
<subsection>
<title>Manual System Changes</title>
<body>
<warn>
Most, if not all of the next few changes will be resolved through regular
packages as soon as possible. However, these fixes have impact beyond the Gentoo
Hardened installations. As such, these changes will be incorporated a bit slower
than the SELinux-specific updates. For the time being, manually correcting these
situations is sufficient (and a one-time operation).
</warn>
<p>
The following changes <e>might</e> be necessary on your system, depending on the
tools or configurations that apply.
</p>
<ul>
<li>
Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
either remove those or make them a copy of their counterpart so that they
get their own security context. The <path>.old</path> files are hard links
which mess up the file labelling. For instance, <c>cp /bin/hostname
/bin/hostname.old</c>.
</li>
<!--
TODO When the fix is accepted in the portage code and that portage version is
stabilized, the change is not needed anymore.
-->
<li>
Edit <path>/etc/sandbox.conf</path> and add in
<path>/sys/fs/selinux/context</path> to the <c>SANDBOX_WRITE</c> parameter.
This is currently needed to work around bug <uri
link="https://bugs.gentoo.org/410687">410687</uri>.
</li>
</ul>
<p>
Previously (before <path>sys-libs/libselinux-2.1.9</path> was stabilized) the
location of the SELinux file system was <path>/selinux</path>. This location can
still be used (the recent libselinux implementations are currently backwards
compatible with it) and, due to <uri link="https://bugs.gentoo.org/14779">bug
14779</uri>, is still the location to use if you do not boot with an initramfs
that premounts <path>/sys</path>.
</p>
</body>
</subsection>
<subsection>
<title>Installing a SELinux Kernel</title>
<body>
<p>
Although the default Linux kernels offer SELinux support, we recommend the use
of the <path>sys-kernel/hardened-sources</path> package.
</p>
<pre caption="Installing hardened-sources">
<comment>(Only if you have not installed it previously of course)</comment>
~# <i>emerge hardened-sources</i>
</pre>
<p>
Next, reconfigure the kernel with the appropriate security settings. This
includes, but is not limited to
</p>
<ul>
<li>Support for extended attributes in the various file systems</li>
<li>Support system-call auditing</li>
<li>Support for SELinux</li>
</ul>
<p>
Below you can find a quick overview of the recommended settings.
</p>
<pre caption="Recommended settings for the Linux kernel configuration">
<comment>Under "General setup"</comment>
[*] Prompt for development and/or incomplete code/drivers
[*] Auditing support
[*] Enable system-call auditing support
<comment>Under "File systems"</comment>
<comment>(For each file system you use, make sure extended attribute support is enabled)</comment>
<*> Second extended fs support
[*] Ext2 extended attributes
[ ] Ext2 POSIX Access Control Lists
[*] Ext2 Security Labels
[ ] Ext2 execute in place support
<*> Ext3 journalling file system support
[ ] Default to 'data=ordered' in ext3
[*] Ext3 extended attributes
[ ] Ext3 POSIX Access Control Lists
[*] Ext3 Security Labels
<*> The Extended 4 (ext4) filesystem
[*] Ext4 extended attributes
[ ] Ext4 POSIX Access Control Lists
[*] Ext4 Security Labels
<*> JFS filesystem support
[ ] JFS POSIX Access Control Lists
[*] JFS Security Labels
[ ] JFS debugging
[ ] JFS statistics
<*> XFS filesystem support
[ ] XFS Quota support
[ ] XFS POSIX ACL support
[ ] XFS Realtime subvolume support (EXPERIMENTAL)
[ ] XFS Debugging Support
<*> Btrfs filesystem (EXPERIMENTAL)
[ ] Btrfs POSIX Access Control Lists
<comment>Under "Security options"</comment>
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] NSA SELinux Support
[ ] NSA SELinux boot parameter
[ ] NSA SELinux runtime disable
[*] NSA SELinux Development Support
[ ] NSA SELinux AVC Statistics
(1) NSA SELinux checkreqprot default value
[ ] NSA SELinux maximum supported policy format version
Default security module (SELinux) --->
</pre>
<p>
We recommend to use PaX as well. More information on PaX within Gentoo Hardened
can be found in the <uri link="/proj/en/hardened/pax-quickstart.xml">Hardened
Gentoo PaX Quickstart Guide</uri>.
</p>
<p>
Build and install the new Linux kernel and its modules.
</p>
</body>
</subsection>
<subsection>
<title>Update fstab</title>
<body>
<p>
Next, edit <path>/etc/fstab</path> and add the following two lines:
</p>
<pre caption="Enabling selinux-specific file system options">
<comment># The udev mount is due to bug #373381</comment>
udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
none /sys/fs/selinux selinuxfs defaults 0 0
</pre>
<note>
In case of an MLS/MCS policy, you need to have the context with sensitivity
level, so <c>...:device_t:s0</c>.
</note>
</body>
</subsection>
<subsection>
<title>Reboot</title>
<body>
<p>
With the above changes made, reboot your system. Assert yourself that you are
now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file
system should be mounted). Don't worry - SELinux is at this point not activated.
</p>
</body>
</subsection>
</section>
<section>
<title>Configure SELinux</title>
<subsection>
<title>Introduction</title>
<body>
<p>
Next we will need to configure SELinux by installing the appropriate
utilities, label our file system and configure the policy.
</p>
</body>
</subsection>
<subsection>
<title>Install Policies and Utilities</title>
<body>
<p>
First, install the <path>sys-apps/checkpolicy</path> and
<path>sys-apps/policycoreutils</path> packages. Although these will be pulled in
as dependencies of the SELinux policy packages themselves, we need to install
these one time first - hence the <c>-1</c> option.
</p>
<pre caption="Installing SELinux policy core utilities">
~# <i>emerge -1 checkpolicy policycoreutils</i>
</pre>
<p>
Next, install the SELinux policy package
(<path>sec-policy/selinux-base-policy</path>). This package contains the base
SELinux policy needed to get your system up and running using SELinux.
As Portage will try to label and reload policies (since the installation of
<path>sys-apps/policycoreutils</path>) we need to temporarily disable SELinux
support (as Portage wouldn't be able to label anything as it doesn't understand
it yet).
</p>
<pre caption="Installing the SELinux policy packages">
~# <i>FEATURES="-selinux" emerge selinux-base-policy</i>
</pre>
<p>
Next, rebuild those packages affected by the profile change we did previously
through a standard world update, taking into account USE-flag changes (as the
new profile will change many default USE flags, including enabling the
<c>selinux</c> USE flag). Don't forget to use <c>etc-update</c> or
<c>dispatch-conf</c> afterwards as some changes to configuration files need to
be made.
</p>
<pre caption="Update your Gentoo Linux system">
~# <i>emerge -uDN world</i>
</pre>
<p>
Next, install the additional SELinux tools that you might need in the future to
debug or help with your SELinux installation. These packages are optional, but
recommended.
</p>
<pre caption="Installing additional SELinux packages">
~# <i>emerge setools sepolgen checkpolicy</i>
</pre>
<p>
Finally, install the policy modules for those utilities you think you need
policies for. In the near future, this will be done automatically for you (the
packages will have an optional dependency on it, triggered by the selinux USE
flag), but until that time, you will need to install them yourself.
</p>
<pre caption="Installing SELinux modules">
~# <i>emerge --search selinux-</i>
[...]
<comment>(Select the modules you want to install)</comment>
~# <i>emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</i>
</pre>
</body>
</subsection>
<subsection>
<title>Configure the SELinux Policy</title>
<body>
<p>
Inside <path>/etc/selinux/config</path> you can configure how SELinux is
configured at boot time.
</p>
<pre caption="Editing the /etc/selinux/config file">
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<i>permissive</i>
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=<i>strict</i>
</pre>
<p>
Within this configuration file, two variables can be set:
</p>
<ul>
<li>
<c>SELINUX</c> sets how SELinux should behave:
<ul>
<li>
<c>enforcing</c> will enable and enforce policies. This is where we want
to go for, but you should probably start with <c>permissive</c>.
</li>
<li>
<c>permissive</c> will enable policies, but not enforce them. Any
violation is reported but not denied. This is where you should start
from as it will not impact your system yet allow you to get acquainted
with SELinux - and validate the warnings to see if you can switch
towards <c>enforcing</c> or not.
</li>
<li>
<c>disabled</c> will completely disable the policies. As this will not
show any violations as well, it is not recommended.
</li>
</ul>
</li>
<li>
<c>SELINUXTYPE</c> selects the SELinux policy type to load.
Gentoo Hardened recommends the use of <c>strict</c> for servers, and
<c>targeted</c> for desktops. The <c>mcs</c> type is supported, <c>mls</c>
is currently still considered experimental.
</li>
</ul>
<p>
The differentiation between <c>strict</c> and <c>targeted</c> is based upon the
<e>unconfined</e> domain. When loaded, the processes on your system that are not
specifically confined within a particular policy module will be part of the
unconfined_t domain whose purpose is to allow most activities by default (rather
than deny by default). As a result, processes that run inside the unconfined_t
domain have no restrictions apart from those already enforced by standard Linux
security. Although running without the unconfined_t domain is considered more
secure, it will also be more challenging for the administrator to make sure the
system still functions properly as there are no policy modules for each and
every application "out there".
</p>
<p>
Next to <c>targeted</c> and <c>strict</c>, you can opt for <c>mcs</c> to allow
categorization of the process domains. This is useful on multi-tenant systems
such as web servers, virtualization hosts, ... where multiple processes will be
running, most of them in the same security domain, but in different categories.
</p>
<p>
Finally, you can also select <c>mls</c> to differentiate security domains on
a sensitivity level. However, MLS is currently still considered experimental
in Gentoo and as such not recommended.
</p>
<p>
When you have made your choice between the SELinux policy types, save
this in your <path>/etc/make.conf</path> file as well. That way, Portage will
only install the policy modules for that SELinux type.
</p>
<pre caption="Setting the policy type in make.conf">
~# <i>nano /etc/make.conf</i>
POLICY_TYPES="<i>strict</i>"
</pre>
</body>
</subsection>
<subsection>
<title>Reboot, and Label the File System</title>
<body>
<impo>
Repeat these steps every time you have rebooted from a non-SELinux enabled
kernel into a SELinux enabled kernel, as running with a non-SELinux enabled
kernel will not update the security attributes of the files you create or
manipulate during your day-to-day activities on your system.
</impo>
<p>
First reboot your system so that the installed policies are loaded. Now we
need to relabel your devices and openrc related files. This will apply the
correct security contexts (labels) onto the necessary files.
</p>
<pre caption="Relabel /dev structure">
~# <i>mkdir /mnt/gentoo</i>
~# <i>mount -o bind / /mnt/gentoo</i>
<comment>(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</comment>
~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</i>
~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</i>
~# <i>umount /mnt/gentoo</i>
</pre>
<p>
Next, if you have a swapfile rather than a swap partition, label it accordingly:
</p>
<pre caption="Labelling the swap file">
~# <i>semanage fcontext -a -t swapfile_t "/swapfile"</i>
~# <i>restorecon /swapfile</i>
</pre>
<p>
Now relabel your entire file system. The next command will apply the correct
security context onto the files on your file system, based on the security
context information provided by the SELinux policy modules installed.
</p>
<pre caption="Relabel the entire file system">
~# <i>rlpkg -a -r</i>
</pre>
<p>
If you ever have to install a SELinux policy module for a package after that
that particular package is installed, you need to run <c>rlpkg</c> for that
package to make sure that the security contexts for these files are set
correctly. For instance, if you have installed
<path>sec-policy/selinux-screen</path> after discovering that you have
<c>screen</c> on your system:
</p>
<pre caption="Relabeling the files for a single package">
<comment>(Make sure no screen sessions are running as their security contexts will not be adapted)</comment>
~# <i>rlpkg -t screen</i>
</pre>
</body>
</subsection>
<subsection>
<title>Reboot and Set SELinux Booleans</title>
<body>
<p>
Reboot your system so that the newly applied file contexts are used. Log on
and, if you have indeed installed Gentoo using the hardened sources (as we
recommended), enable the SSP SELinux boolean, allowing every domain read
access to the <path>/dev/urandom</path> device:
</p>
<pre caption="Enabling the global_ssp boolean">
~# <i>setsebool -P global_ssp on</i>
</pre>
</body>
</subsection>
<subsection>
<title>Define the Administrator Accounts</title>
<body>
<p>
If the <c>SELINUXTYPE</c> is set to <c>strict</c>, then we
need to map the account(s) you use to manage your system (those
that need access to Portage) to the <c>staff_u</c> SELinux user. If not, none
of your accounts will be able to succesfully manage the system (except for
<c>root</c>, but then you will need to login as <c>root</c> directly and not
through <c>sudo</c> or <c>su</c>.) By default, users are mapped to the
<c>user_u</c> SELinux user who doesn't have the appropriate rights (nor access
to the appropriate roles) to manage a system. Accounts that are mapped to
<c>staff_u</c> can, but might need to switch roles from <c>staff_r</c> to
<c>sysadm_r</c> before they are granted the appropriate privileges.
</p>
<p>
Assuming that your account name is <e>john</e>:
</p>
<pre caption="Mapping the Linux account john to the SELinux user staff_u">
~# <i>semanage login -a -s staff_u john</i>
~# <i>restorecon -R -F /home/john</i>
</pre>
<p>
If you later log on as <e>john</e> and want to manage your system, you will
probably need to switch your role. You can use <c>newrole</c> for this:
</p>
<pre caption="Switching roles">
~$ <i>id -Z</i>
staff_u:staff_r:staff_t
~$ <i>newrole -r sysadm_r</i>
Password: <comment>(Enter your password)</comment>
~$ <i>id -Z</i>
staff_u:sysadm_r:sysadm_t
</pre>
<p>
If you however use a <c>targeted</c> policy, then the user you work with will be
of type <e>unconfined_t</e> and will already have the necessary privileges to
perform system administrative tasks.
</p>
<p>
With that done, enjoy - your first steps into the SELinux world are now made.
</p>
</body>
</subsection>
</section>
</sections>
|