1.a. Merge a SELinux Kernel
Merge an appropriate kernel. A 2.6 kernel is required. The suggested kernel is hardened-sources.
Warning: Kernels 2.6.14 and 2.6.15 should not be used by XFS users, as they have bugs in the SELinux XFS support.
Code Listing 1: Merge an appropriate kernel

(Any 2.6 kernel)
# emerge hardened-sources
1.b. Compile the Kernel with SELinux Options
The kernel must be compiled with security module support, SELinux support, devpts, and extended attribute security labels for every filesystem you use. Refer to the main installation guide for further kernel options.
Code Listing 2: Location and required options under menuconfig

Under "Code maturity level options"
[*] Prompt for development and/or incomplete code/drivers

Under "General setup"
[*] Auditing support
[*]   Enable system-call auditing support

Under "File systems"
<*> Second extended fs support                (If using ext2)
[*]   Ext2 extended attributes
[ ]     Ext2 POSIX Access Control Lists
[*]     Ext2 Security Labels
<*> Ext3 journalling file system support      (If using ext3)
[*]   Ext3 extended attributes
[ ]     Ext3 POSIX Access Control Lists
[*]     Ext3 Security labels
<*> JFS filesystem support                    (If using JFS)
[ ]   JFS POSIX Access Control Lists
[*]   JFS Security Labels
[ ]   JFS debugging
[ ]   JFS statistics
<*> XFS filesystem support                    (If using XFS)
[ ]   Realtime support (EXPERIMENTAL)
[ ]   Quota support
[ ]   ACL support
[*]   Security Labels

Under "Pseudo filesystems" (via "File systems")
[ ] /dev file system support (EXPERIMENTAL)
[*] /dev/pts Extended Attributes
[*]   /dev/pts Security Labels
[*] Virtual memory file system support (former shm fs)
[*]   tmpfs Extended Attributes
[*]     tmpfs Security Labels

Under "Security options"
[*] Enable different security models
[*] Socket and Networking Security Hooks
<*> Default Linux Capabilities
[*] NSA SELinux Support
[ ]   NSA SELinux boot parameter
[ ]   NSA SELinux runtime disable
[*]   NSA SELinux Development Support
[ ]   NSA SELinux AVC Statistics
(1)   NSA SELinux checkreqprot default value
[ ]   NSA SELinux enable new secmark network controls by default
[ ]   NSA SELinux maximum supported policy format version
Note: The available options may vary slightly depending on the kernel version being used. The other extended attribute options should be turned off.
The extended attribute security labels must be turned on for devpts and for every filesystem you use. Devfs is not usable with SELinux and should be turned off. Not all options exist on older 2.6 kernels (for example, Auditing support and runtime disable). In newer kernels, extended attribute support for proc and the virtual memory filesystem (tmpfs) is enabled by default, so no options for it appear in menuconfig.
Warning: Do not enable the SELinux MLS policy option if it is available. It is not supported and will prevent your machine from booting.
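Before compiling, it is worth checking the generated .config mechanically rather than by eye. The following shell script is an added example and not part of the handbook: it reads a kernel .config and reports any option from Code Listing 2 that is missing, any filesystem that is built without security labels, and devfs or the MLS option being enabled. The Kconfig symbol names are the ones behind those menuconfig entries; the assumption that the early-2.6 MLS option is CONFIG_SECURITY_SELINUX_MLS is mine. Options a given kernel does not offer at all (audit on older kernels, devpts and tmpfs labels on newer ones) are skipped rather than flagged, matching the note above.

```shell
#!/bin/sh
# Added example, not part of the Gentoo handbook: check a kernel .config for
# the SELinux-related options in Code Listing 2 before compiling. The Kconfig
# symbols are the ones behind those menuconfig entries. Assumptions: the MLS
# option of early 2.6 kernels is CONFIG_SECURITY_SELINUX_MLS, and the
# filesystem list covers ext2, ext3, JFS and XFS as in the listing.

# Print a Kconfig symbol's value from a .config: y, m, a number or string,
# "n" for "# SYM is not set", or nothing when the kernel has no such option.
cfg_value() {
    config=$1; sym=$2
    if grep -q "^# $sym is not set\$" "$config"; then
        echo n
    else
        sed -n "s/^$sym=\(.*\)\$/\1/p" "$config" | head -n 1
    fi
}

# Print every deviation from the required configuration, one per line.
# Returns 0 when the .config is acceptable for SELinux, 1 otherwise.
check_selinux_config() {
    config=$1; rc=0

    # Always required: the LSM framework, its socket/network hooks, SELinux,
    # development support (needed to boot permissive), and tmpfs.
    for sym in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX \
               CONFIG_SECURITY_SELINUX_DEVELOP CONFIG_TMPFS; do
        [ "$(cfg_value "$config" "$sym")" = y ] || { echo "$sym must be =y"; rc=1; }
    done

    # Required only when the kernel offers them: older 2.6 kernels have no
    # audit options, newer ones label devpts and tmpfs without a prompt.
    for sym in CONFIG_AUDIT CONFIG_AUDITSYSCALL CONFIG_SECURITY_CAPABILITIES \
               CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY \
               CONFIG_TMPFS_XATTR CONFIG_TMPFS_SECURITY; do
        v=$(cfg_value "$config" "$sym")
        [ -z "$v" ] || [ "$v" = y ] || { echo "$sym must be =y"; rc=1; }
    done

    # Must stay off: devfs has no SELinux support, and the MLS policy option
    # is unsupported and stops the machine from booting.
    for sym in CONFIG_DEVFS_FS CONFIG_SECURITY_SELINUX_MLS; do
        v=$(cfg_value "$config" "$sym")
        [ -z "$v" ] || [ "$v" = n ] || { echo "$sym must not be set"; rc=1; }
    done

    # Every filesystem that is built (=y or =m) must carry security labels.
    # Entries are FS_SYMBOL:LABEL_SYMBOL[,LABEL_SYMBOL].
    for entry in CONFIG_EXT2_FS:CONFIG_EXT2_FS_XATTR,CONFIG_EXT2_FS_SECURITY \
                 CONFIG_EXT3_FS:CONFIG_EXT3_FS_XATTR,CONFIG_EXT3_FS_SECURITY \
                 CONFIG_JFS_FS:CONFIG_JFS_SECURITY \
                 CONFIG_XFS_FS:CONFIG_XFS_SECURITY; do
        fs=${entry%%:*}
        case "$(cfg_value "$config" "$fs")" in y|m) ;; *) continue ;; esac
        for sym in $(printf '%s' "${entry#*:}" | tr , ' '); do
            [ "$(cfg_value "$config" "$sym")" = y ] ||
                { echo "$fs is built but $sym is not =y"; rc=1; }
        done
    done
    return $rc
}

# Usage on the tree you just configured:
#   check_selinux_config /usr/src/linux/.config && echo "kernel config OK"
```

Run it against /usr/src/linux/.config after leaving menuconfig; an empty report and a zero exit status mean the listing above has been honoured for the filesystems actually built into the kernel.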
Now compile and install the kernel and modules, but do not reboot.
1.c. Update fstab
selinuxfs must also be mounted at boot. Add this line to /etc/fstab:
Code Listing 3: Fstab settings for selinuxfs

none    /selinux    selinuxfs    defaults    0 0
1.d. Configure Baselayout
SELinux does not support devfs, so baselayout must be configured to use either static device nodes or udev. If using udev, the device tarball must be disabled. Edit /etc/conf.d/rc: set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no. If you have several custom device nodes, static is suggested; otherwise, udev is suggested.
Code Listing 4: Init script configuration

# Use this variable to control the /dev management behavior.
#  auto   - let the scripts figure out what's best at boot
#  devfs  - use devfs (requires sys-fs/devfsd)
#  udev   - use udev (requires sys-fs/udev)
#  static - let the user manage /dev
RC_DEVICES="udev"

# UDEV OPTION:
# Set to "yes" if you want to save /dev to a tarball on shutdown
# and restore it on startup. This is useful if you have a lot of
# custom device nodes that udev does not handle/know about.
RC_DEVICE_TARBALL="no"
1.e. Reboot
Two directories must exist before rebooting: the selinuxfs mount point from Code Listing 3 and /sys.
Code Listing 5: Making required directories

# mkdir /selinux
# mkdir /sys
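Steps 1.c to 1.e are small edits that are easy to get half right (a second selinuxfs line, a commented-out RC_DEVICES that masks the real one, a forgotten /sys). The following shell functions are an added example, not part of the handbook: they apply the fstab entry, the two baselayout variables and the directories idempotently, and finish with a verification that refuses to report success unless every step is in place. File paths are parameters so the functions can be tried on copies; the defaults are the live files, and the patterns assume the plain KEY="value" layout of /etc/conf.d/rc shown in Code Listing 4.

```shell
#!/bin/sh
# Added example, not part of the Gentoo handbook: apply the fstab, baselayout
# and directory steps of 1.c to 1.e idempotently, then verify them before
# rebooting. File paths are parameters so the functions can be tried on copies;
# the defaults are the live files. The grep/sed patterns assume the plain
# KEY="value" layout of /etc/conf.d/rc shown in Code Listing 4.

# Add the selinuxfs line from Code Listing 3 unless an uncommented entry exists.
ensure_selinuxfs_fstab() {
    fstab=${1:-/etc/fstab}
    grep -q '^[^#]*[[:space:]]selinuxfs[[:space:]]' "$fstab" ||
        printf 'none\t/selinux\tselinuxfs\tdefaults\t0 0\n' >> "$fstab"
}

# Set KEY="value", replacing an existing uncommented assignment so the file
# keeps exactly one effective value for the key.
set_rc_var() {
    rc=$1; key=$2; value=$3
    if grep -q "^$key=" "$rc"; then
        sed "s|^$key=.*|$key=\"$value\"|" "$rc" > "$rc.tmp" && mv "$rc.tmp" "$rc"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$rc"
    fi
}

# Read the effective (last uncommented) value of KEY in /etc/conf.d/rc.
rc_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Configure baselayout for udev or static /dev with the device tarball off
# (Code Listing 4). devfs and auto are rejected: SELinux does not support devfs.
configure_rc_devices() {
    rc=${1:-/etc/conf.d/rc}; mode=${2:-udev}
    case "$mode" in
        udev|static) ;;
        *) echo "RC_DEVICES must be udev or static, not '$mode'" >&2; return 1 ;;
    esac
    set_rc_var "$rc" RC_DEVICES "$mode" &&
    set_rc_var "$rc" RC_DEVICE_TARBALL no
}

# Pre-reboot check: returns 0 only when every step of 1.c to 1.e is in place.
verify_selinux_boot_prep() {
    fstab=${1:-/etc/fstab}; rc=${2:-/etc/conf.d/rc}; root=${3:-}; ok=0
    grep -q '^[^#]*[[:space:]]selinuxfs[[:space:]]' "$fstab" ||
        { echo "$fstab: no selinuxfs entry"; ok=1; }
    case "$(rc_var "$rc" RC_DEVICES)" in
        udev|static) ;;
        *) echo "$rc: RC_DEVICES must be udev or static"; ok=1 ;;
    esac
    [ "$(rc_var "$rc" RC_DEVICE_TARBALL)" = no ] ||
        { echo "$rc: RC_DEVICE_TARBALL must be no"; ok=1; }
    for d in selinux sys; do
        [ -d "$root/$d" ] || { echo "missing directory $root/$d"; ok=1; }
    done
    return $ok
}

# Usage on the live system, as root, after the kernel has been installed:
#   ensure_selinuxfs_fstab && configure_rc_devices /etc/conf.d/rc udev &&
#   mkdir -p /selinux /sys && verify_selinux_boot_prep && echo "ready to reboot"
```

Running the usage line twice leaves the files unchanged the second time, which is the property you want from anything that edits /etc/fstab and /etc/conf.d/rc on a box you are about to reboot into a new security model.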
Now reboot.