path: root/xml/selinux/hb-using-install.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->

<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->

<sections>
<version>20</version>
<date>2012-04-10</date>

<section>
<title>Installing Gentoo (Hardened)</title>
<subsection>
<title>Introduction</title>
<body>

<p>
Getting a SELinux-powered Gentoo installation doesn't require weird actions.
What you need to do is install Gentoo Linux with the correct profile, correct
kernel configuration and some file system relabelling. We seriously recommend to
use SELinux together with other hardening improvements (such as PaX /
grSecurity).
</p>

<p>
This chapter will describe the steps to install Gentoo with SELinux. We
assume that you have an existing Gentoo Linux system which you want to convert
to Gentoo with SELinux. If this is not the case, you should still read
on: you can install Gentoo with SELinux immediately if you make the
correct decisions during the installation process, based on the information in
this chapter.
</p>

</body>
</subsection>
<subsection>
<title>Performing a Standard Installation</title>
<body>

<p>
Install Gentoo Linux according to the <uri link="/doc/en/handbook">Gentoo
Handbook</uri> installation instructions. We recommend the use of the hardened
stage 3 tarballs and <c>hardened-sources</c> kernel instead of the standard
ones, but standard stage installations are also supported for SELinux.
Perform a full installation to the point that you have booted your system
into a (primitive) Gentoo base installation.
</p>

<note>
If you are an XFS user, make sure that the inode sizes of the XFS file
system is 512 byte. Since the default is 256, you will need to run the
<c>mkfs.xfs</c> command with the <c>-i size=512</c> arguments, like so:
<c>mkfs.xfs -i size=512 /dev/sda3</c>
</note>

</body>
</subsection>
<!--
<subsection>
<title>Installing the Hardened Development Overlay</title>
<body>

<p>
Although optional, we recommend to enable the <c>hardened-development</c>
overlay. The state of SELinux within Gentoo Hardened is still undergoing
major development.
</p>

<p>
Install <c>app-portage/layman</c> and add the <c>hardened-development</c>
overlay. This overlay uses a git repository, so either install <c>git</c> as
well, or set <c>USE="git"</c> in <path>/etc/make.conf</path>.
Make sure to include layman's <path>make.conf</path> in your
<path>make.conf</path> file.
</p>

<pre caption="Installing hardened-development overlay">
~# <i>emerge layman</i>

~# <i>layman -S</i>

~# <i>layman -a hardened-development</i>

~# <i>nano /etc/make.conf</i>
<comment># Add the following line at the top of your make.conf file</comment>
<i>source /var/lib/layman/make.conf</i>
</pre>

</body>
</subsection>
-->
<subsection>
<title>Switching to Python 2</title>
<body>

<p>
For now, the SELinux management utilities are not compatible with Python 3 so
we recommend to switch to Python 2 until the packages are updated and fixed.
</p>

<pre caption="Switching to python 2">
~# <i>emerge '&lt;=dev-lang/python-3.0'</i>
~# <i>eselect python list</i>
Available Python interpreters:
  [1]   python2.7
  [2]   python3.1 *

~# <i>eselect python set 1</i>
~# <i>source /etc/profile</i>
</pre>

</body>
</subsection>
<subsection>
<title>Optional: Setting the filesystem contexts</title>
<body>

<p>
If your <path>/tmp</path> location is a tmpfs-mounted file system, then you need
to tell the kernel that the root context of this location is <c>tmp_t</c>
instead of <c>tmpfs_t</c>. Many SELinux policy objects (including various
server-level policies) assume that <path>/tmp</path> is <c>tmp_t</c>.
</p>

<p>
To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>:
</p>

<pre caption="Update /etc/fstab for /tmp">
<comment># For a "targeted" or "strict" policy type:</comment>
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i>  0 0

<comment># For an "mls" or "mcs" policy type:</comment>
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t:s0</i>  0 0
</pre>

</body>
</subsection>
<!--
<subsection>
<title>Enabling ~Arch Packages</title>
<body>

<p>
The current stable SELinux related packages are not fit for use anymore (or are
even broken) so we seriously recommend to enable ~arch packages for SELinux. Add
the following settings to the right file (for instance 
<path>/etc/portage/package.accept_keywords/selinux</path>):
</p>

<pre caption="SELinux ~arch packages">
=sys-process/vixie-cron-4.1-r11
</pre>

</body>
</subsection>
-->
<subsection>
<title>Change the Gentoo Profile</title>
<body>

<p>
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
to the right SELinux profile (for instance, 
<path>hardened/linux/amd64/no-multilib/selinux</path>). Note that the older
profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>) are not 
supported anymore.
</p>

<pre caption="Switching the Gentoo profile">
~# <i>eselect profile list</i>
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/selinux
  [3]   default/linux/amd64/10.0/desktop
  [4]   default/linux/amd64/10.0/desktop/gnome
  [5]   default/linux/amd64/10.0/desktop/kde
  [6]   default/linux/amd64/10.0/developer
  [7]   default/linux/amd64/10.0/no-multilib
  [8]   default/linux/amd64/10.0/server
  [9]   hardened/linux/amd64
  [10]  hardened/linux/amd64/selinux
  [11]  hardened/linux/amd64/no-multilib *
  [12]  hardened/linux/amd64/no-multilib/selinux

~# <i>eselect profile set 12</i>
</pre>

<note>
Starting from the profile change, Portage will warn you after every installation
that it was "Unable to set SELinux security labels". This is to be expected,
because the tools and capabilities that Portage requires to set the security
labels aren't available yet. This warning will vanish the moment the SELinux
installation is completed.
</note>

<p>
Don't update your system yet - we will need to install a couple of packages in a
particular order which Portage isn't aware of in the next couple of sections. 
</p>

</body>
</subsection>
<subsection>
<title>Update make.conf</title>
<body>

<p>
Next, take a look at the following USE flags and decide if you want to enable
or disable them.
</p>

<table>
<tr>
  <th>USE flag</th>
  <th>Default Value</th>
  <th>Description</th>
</tr>
<tr>
  <ti>peer_perms</ti>
  <ti>Enabled</ti>
  <ti>
    The peer_perms capability controls the SELinux policy network peer controls.
    If set, the access control mechanisms that SELinux uses for network based
    labelling are consolidated. This setting is recommended as the policy is
    also updated to reflect this. If not set, the old mechanisms (NetLabel and
    Labeled IPsec) are used side by side.
  </ti>
</tr>
<tr>
  <ti>open_perms</ti>
  <ti>Enabled</ti>
  <ti>
    The open_perms capability enables the SELinux permission "open" for files
    and file-related classes. Support for the "open" call was added a bit later
    than others so support was first made optional. However, the policies have
    matured sufficiently to have the open permission set.
  </ti>
</tr>
<tr>
  <ti>ubac</ti>
  <ti>Enabled</ti>
  <ti>
    When disabled, the SELinux policy is built without user-based access control.
  </ti>
</tr>
</table>

<p>
Make your choice and update the <c>USE</c> variable in
<path>/etc/make.conf</path>.
</p>

</body>
</subsection>
<subsection>
<title>Manual System Changes</title>
<body>

<warn>
Most, if not all of the next few changes will be resolved through regular
packages as soon as possible. However, these fixes have impact beyond the Gentoo
Hardened installations. As such, these changes will be incorporated a bit slower
than the SELinux-specific updates. For the time being, manually correcting these
situations is sufficient (and a one-time operation).
</warn>

<p>
The following changes <e>might</e> be necessary on your system, depending on the
tools or configurations that apply.
</p>

<ul>
  <!-- 
  TODO When 2.20120215-r5 or higher is stabilized, the LVM change is not needed
  anymore 
  -->
  <li>
    If you use LVM for one or more file systems, you need to edit
    <path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
    and <path>lvm-stop.sh</path> and set the config location from
    <path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the 
    <path>/etc/lvm/lock</path> directory. Finally, add
    <path>/lib(64)/rcscripts/addons</path> to <c>CONFIG_PROTECT</c> in your
    <path>make.conf</path> file.
  </li>
  <li>
    Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
    either remove those or make them a copy of their counterpart so that they
    get their own security context. The <path>.old</path> files are hard links
    which mess up the file labelling. For instance, <c>cp /bin/hostname 
    /bin/hostname.old</c>.
  </li>
  <!--
  TODO When the fix is accepted in the portage code and that portage version is
  stabilized, the change is not needed anymore.
  -->
  <li>
    Edit <path>/etc/sandbox.conf</path> and add in
    <path>/sys/fs/selinux/context</path> to the <c>SANDBOX_WRITE</c> parameter.
    This is currently needed to work around bug <uri 
    link="https://bugs.gentoo.org/410687">410687</uri>.
  </li>
</ul>

</body>
</subsection>
<subsection>
<title>Installing a SELinux Kernel</title>
<body>

<p>
Although the default Linux kernels offer SELinux support, we recommend the use
of the <path>sys-kernel/hardened-sources</path> package.
</p>

<pre caption="Installing hardened-sources">
<comment>(Only if you have not installed it previously of course)</comment>
~# <i>emerge hardened-sources</i>
</pre>

<p>
Next, reconfigure the kernel with the appropriate security settings. This
includes, but is not limited to
</p>

<ul>
  <li>Support for extended attributes in the various file systems</li>
  <li>Support system-call auditing</li>
  <li>Support for SELinux</li>
</ul>

<p>
Below you can find a quick overview of the recommended settings.
</p>

<pre caption="Recommended settings for the Linux kernel configuration">
<comment>Under "General setup"</comment>
[*] Prompt for development and/or incomplete code/drivers
[*] Auditing support
[*]   Enable system-call auditing support

<comment>Under "File systems"</comment>
<comment>(For each file system you use, make sure extended attribute support is enabled)</comment>
&lt;*&gt; Second extended fs support
[*]   Ext2 extended attributes
[ ]     Ext2 POSIX Access Control Lists
[*]     Ext2 Security Labels
[ ]   Ext2 execute in place support

&lt;*&gt; Ext3 journalling file system support
[ ]   Default to 'data=ordered' in ext3
[*]   Ext3 extended attributes
[ ]     Ext3 POSIX Access Control Lists
[*]     Ext3 Security Labels

&lt;*&gt; The Extended 4 (ext4) filesystem
[*]   Ext4 extended attributes
[ ]     Ext4 POSIX Access Control Lists
[*]     Ext4 Security Labels

&lt;*&gt; JFS filesystem support
[ ]   JFS POSIX Access Control Lists
[*]   JFS Security Labels
[ ]   JFS debugging
[ ]   JFS statistics

&lt;*&gt; XFS filesystem support
[ ]   XFS Quota support
[ ]   XFS POSIX ACL support
[ ]   XFS Realtime subvolume support (EXPERIMENTAL)
[ ]   XFS Debugging Support

&lt;*&gt; Btrfs filesystem (EXPERIMENTAL)
[ ]   Btrfs POSIX Access Control Lists

<comment>Under "Security options"</comment>
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] NSA SELinux Support
[ ]   NSA SELinux boot parameter
[ ]   NSA SELinux runtime disable
[*]   NSA SELinux Development Support
[ ]   NSA SELinux AVC Statistics
(1)   NSA SELinux checkreqprot default value
[ ]   NSA SELinux maximum supported policy format version
    Default security module (SELinux) ---&gt;
</pre>

<p>
We recommend to use PaX as well. More information on PaX within Gentoo Hardened
can be found in the <uri link="/proj/en/hardened/pax-quickstart.xml">Hardened
Gentoo PaX Quickstart Guide</uri>.
</p>

<p>
Build and install the new Linux kernel and its modules.
</p>

</body>
</subsection>
<subsection>
<title>Update fstab</title>
<body>

<p>
Next, edit <path>/etc/fstab</path> and add the following two lines:
</p>

<pre caption="Enabling selinux-specific file system options">
<comment># The udev mount is due to bug #373381</comment>
udev   /dev        tmpfs        rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755  0 0
none   /selinux    selinuxfs    defaults    0 0
</pre>

<note>
In case of an MLS/MCS policy, you need to have the context with sensitivity
level, so <c>...:device_t:s0</c>.
</note>

<p>
Make the <path>/selinux</path> mountpoint as well:
</p>

<pre caption="Creating the /selinux mountpoint">
~# <i>mkdir /selinux</i>
</pre>

</body>
</subsection>
<subsection>
<title>Reboot</title>
<body>

<p>
With the above changes made, reboot your system. Assert yourself that you are
now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file
system should be mounted). Don't worry - SELinux is at this point not activated.
</p>

</body>
</subsection>
</section>

<section>
<title>Configure SELinux</title>
<subsection>
<title>Introduction</title>
<body>

<p>
Next we will need to configure SELinux by installing the appropriate
utilities, label our file system and configure the policy.
</p>

</body>
</subsection>
<subsection>
<title>Install Policies and Utilities</title>
<body>

<p>
First, install the <path>sys-apps/checkpolicy</path> and 
<path>sys-apps/policycoreutils</path> packages. Although these will be pulled in
as dependencies of the SELinux policy packages themselves, we need to install
these one time first - hence the <c>-1</c> option.
</p>

<pre caption="Installing SELinux policy core utilities">
~# <i>emerge -1 checkpolicy policycoreutils</i>
</pre>

<p>
Next, install the SELinux policy package 
(<path>sec-policy/selinux-base-policy</path>). This package contains the base
SELinux policy needed to get your system up and running using SELinux. 
As Portage will try to label and reload policies (since the installation of
<path>sys-apps/policycoreutils</path>) we need to temporarily disable SELinux
support (as Portage wouldn't be able to label anything as it doesn't understand
it yet).
</p>

<pre caption="Installing the SELinux policy packages">
~# <i>FEATURES="-selinux" emerge selinux-base-policy</i>
</pre>

<p>
Next, rebuild those packages affected by the profile change we did previously
through a standard world update, taking into account USE-flag changes (as the 
new profile will change many default USE flags, including enabling the 
<c>selinux</c> USE flag). Don't forget to use <c>etc-update</c> or
<c>dispatch-conf</c> afterwards as some changes to configuration files need to
be made.
</p>

<pre caption="Update your Gentoo Linux system">
~# <i>emerge -uDN world</i>
</pre>

<p>
Next, install the additional SELinux tools that you might need in the future to
debug or help with your SELinux installation. These packages are optional, but
recommended.
</p>

<pre caption="Installing additional SELinux packages">
~# <i>emerge setools sepolgen checkpolicy</i>
</pre>

<p>
Finally, install the policy modules for those utilities you think you need
policies for. In the near future, this will be done automatically for you (the
packages will have an optional dependency on it, triggered by the selinux USE
flag), but until that time, you will need to install them yourself.
</p>

<pre caption="Installing SELinux modules">
~# <i>emerge --search selinux-</i>
[...]
<comment>(Select the modules you want to install)</comment>
~# <i>emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</i>
</pre>

</body>
</subsection>
<subsection>
<title>Configure the SELinux Policy</title>
<body>

<p>
Inside <path>/etc/selinux/config</path> you can configure how SELinux is
configured at boot time.
</p>

<pre caption="Editing the /etc/selinux/config file">
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=<i>permissive</i>

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=<i>strict</i>
</pre>

<p>
Within this configuration file, two variables can be set:
</p>

<ul>
  <li>
    <c>SELINUX</c> sets how SELinux should behave:
    <ul>
      <li>
        <c>enforcing</c> will enable and enforce policies. This is where we want
        to go for, but you should probably start with <c>permissive</c>.
      </li>
      <li>
        <c>permissive</c> will enable policies, but not enforce them. Any
        violation is reported but not denied. This is where you should start
        from as it will not impact your system yet allow you to get acquainted
        with SELinux - and validate the warnings to see if you can switch
        towards <c>enforcing</c> or not.
      </li>
      <li>
        <c>disabled</c> will completely disable the policies. As this will not
        show any violations as well, it is not recommended.
      </li>
    </ul>
  </li>
  <li>
    <c>SELINUXTYPE</c> selects the SELinux policy type to load.
    Gentoo Hardened recommends the use of <c>strict</c> for servers, and
    <c>targeted</c> for desktops. The <c>mcs</c> type is supported, <c>mls</c>
    is currently still considered experimental.
  </li>
</ul>

<p>
The differentiation between <c>strict</c> and <c>targeted</c> is based upon the
<e>unconfined</e> domain. When loaded, the processes on your system that are not
specifically confined within a particular policy module will be part of the
unconfined_t domain whose purpose is to allow most activities by default (rather
than deny by default). As a result, processes that run inside the unconfined_t
domain have no restrictions apart from those already enforced by standard Linux
security. Although running without the unconfined_t domain is considered more
secure, it will also be more challenging for the administrator to make sure the
system still functions properly as there are no policy modules for each and
every application "out there".
</p>

<p>
Next to <c>targeted</c> and <c>strict</c>, you can opt for <c>mcs</c> to allow
categorization of the process domains. This is useful on multi-tenant systems
such as web servers, virtualization hosts, ... where multiple processes will be
running, most of them in the same security domain, but in different categories.
</p>

<p>
Finally, you can also select <c>mls</c> to differentiate security domains on
a sensitivity level. However, MLS is currently still considered experimental
in Gentoo and as such not recommended.
</p>

<p>
When you have made your choice between the SELinux policy types, save
this in your <path>/etc/make.conf</path> file as well. That way, Portage will 
only install the policy modules for that SELinux type.
</p>

<pre caption="Setting the policy type in make.conf">
~# <i>nano /etc/make.conf</i>
POLICY_TYPES="<i>strict</i>"
</pre>

</body>
</subsection>
<subsection>
<title>Reboot, and Label the File System</title>
<body>

<impo>
Repeat these steps every time you have rebooted from a non-SELinux enabled
kernel into a SELinux enabled kernel, as running with a non-SELinux enabled
kernel will not update the security attributes of the files you create or
manipulate during your day-to-day activities on your system.
</impo>

<p>
First reboot your system so that the installed policies are loaded. Now we
need to relabel your devices and openrc related files. This will apply the
correct security contexts (labels) onto the necessary files.
</p>

<pre caption="Relabel /dev structure">
~# <i>mkdir /mnt/gentoo</i>
~# <i>mount -o bind / /mnt/gentoo</i>

<comment>(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</comment>
~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</i>
~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</i>
~# <i>umount /mnt/gentoo</i>
</pre>

<p>
Next, if you have a swapfile rather than a swap partition, label it accordingly:
</p>

<pre caption="Labelling the swap file">
~# <i>semanage fcontext -a -t swapfile_t "/swapfile"</i>
~# <i>restorecon /swapfile</i>
</pre>

<p>
Now relabel your entire file system. The next command will apply the correct
security context onto the files on your file system, based on the security
context information provided by the SELinux policy modules installed.
</p>

<pre caption="Relabel the entire file system">
~# <i>rlpkg -a -r</i>
</pre>

<p>
If you ever have to install a SELinux policy module for a package after that
that particular package is installed, you need to run <c>rlpkg</c> for that
package to make sure that the security contexts for these files are set
correctly. For instance, if you have installed
<path>sec-policy/selinux-screen</path> after discovering that you have
<c>screen</c> on your system:
</p>

<pre caption="Relabeling the files for a single package">
<comment>(Make sure no screen sessions are running as their security contexts will not be adapted)</comment>
~# <i>rlpkg -t screen</i>
</pre>

</body>
</subsection>
<subsection>
<title>Reboot and Set SELinux Booleans</title>
<body>

<p>
Reboot your system so that the newly applied file contexts are used. Log on
and, if you have indeed installed Gentoo using the hardened sources (as we
recommended), enable the SSP SELinux boolean, allowing every domain read
access to the <path>/dev/urandom</path> device:
</p>

<pre caption="Enabling the global_ssp boolean">
~# <i>setsebool -P global_ssp on</i>
</pre>

</body>
</subsection>
<subsection>
<title>Define the Administrator Accounts</title>
<body>

<p>
If the <c>SELINUXTYPE</c> is set to <c>strict</c>, then we 
need to map the account(s) you use to manage your system (those
that need access to Portage) to the <c>staff_u</c> SELinux user. If not, none
of your accounts will be able to succesfully manage the system (except for
<c>root</c>, but then you will need to login as <c>root</c> directly and not
through <c>sudo</c> or <c>su</c>.) By default, users are mapped to the
<c>user_u</c> SELinux user who doesn't have the appropriate rights (nor access
to the appropriate roles) to manage a system. Accounts that are mapped to
<c>staff_u</c> can, but might need to switch roles from <c>staff_r</c> to
<c>sysadm_r</c> before they are granted the appropriate privileges.
</p>

<p>
Assuming that your account name is <e>john</e>:
</p>

<pre caption="Mapping the Linux account john to the SELinux user staff_u">
~# <i>semanage login -a -s staff_u john</i>
~# <i>restorecon -R -F /home/john</i>
</pre>

<p>
If you later log on as <e>john</e> and want to manage your system, you will
probably need to switch your role. You can use <c>newrole</c> for this:
</p>

<pre caption="Switching roles">
~$ <i>id -Z</i>
staff_u:staff_r:staff_t
~$ <i>newrole -r sysadm_r</i>
Password: <comment>(Enter your password)</comment>
~$ <i>id -Z</i>
staff_u:sysadm_r:sysadm_t
</pre>

<p>
If you however use a <c>targeted</c> policy, then the user you work with will be
of type <e>unconfined_t</e> and will already have the necessary privileges to
perform system administrative tasks.
</p>

<p>
With that done, enjoy - your first steps into the SELinux world are now made.
</p>

</body>
</subsection>
</section>
</sections>