1.a. Merge SELinux Packages
Merge the libraries, utilities and base policy. The policy version may need to be adjusted; refer to the SELinux Overview for more information on policy versions. Then load the policy.
Code Listing 1: Merge base SELinux packages and policy
# emerge checkpolicy policycoreutils
# emerge selinux-base-policy
1.b. Choose the policy type
New in 2006.1, users now have the choice between the strict policy and the targeted policy.
In the strict policy, all processes are confined. If you are familiar with the pre-2006.1 Gentoo SELinux policy, that policy was a strict policy. The strict policy is suggested for servers. Gentoo does not support the strict policy on desktops.
The targeted policy differs from strict in that only network-facing services are confined and local users are unconfined. Gentoo only supports desktops with the targeted policy. This policy can also be used on servers.
Edit the /etc/selinux/config file to set the policy type.
Code Listing 2: /etc/selinux/config contents
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive (This should be set permissive for the remainder of the install)
# SELINUXTYPE can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=strict (Set this as strict or targeted)
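A small check for the file described above, added here as an example and not part of the Gentoo handbook: it reads the two keys out of an /etc/selinux/config-style file, rejects values outside the sets the file's comments allow, and warns when the mode is already enforcing before the final relabel. The function names, the constructed sample file and the use of mktemp are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): validate an /etc/selinux/config
# file before rebooting. Needs only POSIX sh, sed, tail and mktemp.

# selinux_config_value FILE KEY
# Prints the value assigned to KEY. Comment lines are skipped, surrounding
# whitespace and any trailing inline remark are dropped, last assignment wins.
selinux_config_value() {
    sed -n "s/^[[:space:]]*$2=\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1
}

# selinux_config_check FILE
# Returns 0 when SELINUX and SELINUXTYPE hold allowed values, 1 otherwise.
# Prints "mode=<mode> type=<type>" on stdout; problems and warnings go to stderr.
selinux_config_check() {
    mode=$(selinux_config_value "$1" SELINUX)
    stype=$(selinux_config_value "$1" SELINUXTYPE)
    status=0
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX='$mode' is not one of enforcing/permissive/disabled" >&2
           status=1 ;;
    esac
    case "$stype" in
        targeted|strict) ;;
        *) echo "SELINUXTYPE='$stype' is not one of targeted/strict" >&2
           status=1 ;;
    esac
    # The handbook keeps the mode permissive until the final relabel is done;
    # enforcing with unlabeled files can deny logins, so flag it.
    if [ "$mode" = enforcing ]; then
        echo "warning: SELINUX=enforcing before the final relabel may lock you out" >&2
    fi
    echo "mode=$mode type=$stype"
    return $status
}

# write_sample_config FILE
# Writes a constructed sample in the handbook's format (not a real system file).
write_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system on boot.
SELINUX=permissive
SELINUXTYPE=strict
EOF
}

# Demonstration on the constructed sample; on a real system pass
# /etc/selinux/config instead.
demo_file=$(mktemp)
write_sample_config "$demo_file"
selinux_config_check "$demo_file"
rm -f "$demo_file"
```

Run it as `sh check.sh`; the exit status is non-zero when either key is missing or misspelled, which is the usual cause of a system that silently boots with no policy loaded.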
1.c. Merge SELinux-patched packages
There are several system packages that have SELinux patches. These patches provide a variety of additional SELinux functionality, such as displaying file contexts.
Code Listing 3: Remerge Packages
# emerge sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux
Note: If you find that you can't use Portage due to errors like these: !!! 'module' object has no attribute 'secure_rename' or AttributeError: 'module' object has no attribute 'getcontext', this is a Portage bug, where it can't handle a missing python-selinux. Merge it with "USE=-selinux emerge python-selinux" to fix the problem. See bug #122517 for more information.
There are other packages that have SELinux patches but are optional. These should be remerged if they are already installed, so that the SELinux patches are applied:
Note: Fcron and Vixie-cron are the only crons with SELinux support.
1.d. Merge Application Policies
In the future, when merging a package, the policy will be set as a dependency so that it is merged first; however, since the system is being converted, policy for currently installed packages must be merged now. The selinux-base-policy already covers most packages in the system profile.
Look in /usr/portage/sec-policy; it has several entries, each of which represents a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is the name of the package that the policy is associated with. For example, the selinux-apache package is the SELinux policy package for net-www/apache. Merge each of the needed policy packages and then load the policy. If you are converting a desktop, make sure to include the selinux-desktop policy package.
Code Listing 4: Example Merge of Apache and BIND policies
# ls /usr/portage/sec-policy
(many directories listed)
# emerge selinux-apache selinux-bind
1.e. Label Filesystems
Now label the filesystems. This gives each file in the filesystems a security label. Keeping these labels consistent is important.
Code Listing 5: Label filesystems
# rlpkg -a -r
Warning: There is a known issue with older versions of GRUB not being able to read symlinks that have been labeled. Please make sure you have at least GRUB 0.94 installed. Also rerun GRUB and reinstall it into the MBR to ensure the updated code is in use. You do have a LiveCD handy, right?
Code Listing 6: Reinstall GRUB on the MBR (GRUB users only)
# grub
grub> root (hd0,0) (Your boot partition)
grub> setup (hd0) (Where the boot record is installed; here, it is the MBR)
1.f. Final reboot
Reboot. Log in, then relabel again to ensure all files are labeled correctly (some files may have been created during shutdown and reboot).
Code Listing 7: Relabel
# rlpkg -a -r
Note: It is strongly suggested to subscribe to the gentoo-hardened mailing list. It is generally a low-traffic list, and SELinux announcements are made there.
SELinux is now installed!