Sysop:SELinuxConvertingGentooToSelinux
The basis is the Gentoo SELinux Handbook: just follow it.
After the final reboot (http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=3#doc_chap5) it is good to run
 emerge -e world
so that every package gets rebuilt with the new hardened Portage.
additional stuff
aliases
- it is nice to have some handy aliases, which help to do common tasks easily:
 alias makereload='make -C /etc/security/selinux/src/policy reload'                                        # reload the policy or file settings
 alias relabel='/usr/bin/make -C /etc/security/selinux relabel'                                            # relabel all drives
 alias relabelit='/usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts `pwd`'   # relabel the cwd and all its subdirs
 alias setfilesit='/usr/sbin/setfiles /etc/selinux/file_contexts/file_contexts'
 alias dm='/bin/dmesg | /usr/bin/audit2allow'                                                              # pipe the selinux msgs to audit2allow to get allow statements
 alias dm_clear='/bin/dmesg -c | /usr/bin/audit2allow'                                                     # ditto, but clear the kernel msg buffer afterwards
startscript
- if you do not enforce from boot (the kernel comes up permissive), it is good to have a start script that switches to enforcing for you:
 #!/sbin/runscript
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
 depend() {
     after sshd
 }
 start() {
     ebegin "enforcing selinux"
     echo "1" > /selinux/enforce
     eend $?
 }
 stop() {
     ebegin "sorry deinforcing only as sysadm possible"
     eend $?
 }
 restart() {
     ebegin "sorry deinforcing only as sysadm possible"
     eend $?
 }
save it as /etc/init.d/enforce (the name used in the rc-update command) and add it to the default runlevel with:
 rc-update add enforce default
other tools
- /usr/local/sbin/s0
 #!/bin/bash
 echo -n "es war : "
 cat /selinux/enforce
 echo
 setenforce 0
 echo -n "und jetzt: "
 cat /selinux/enforce
 echo
- /usr/local/sbin/s1
 #!/bin/bash
 echo -n "es war : "
 cat /selinux/enforce
 echo
 if [ `/usr/bin/id | /bin/grep sysadm_r | /usr/bin/wc -l` -gt 0 ] ; then
     # if /etc/shadow has wrong permissions.. we have a big problem:
     /usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts /etc
     # now it should be safe to enforce ...
     /usr/sbin/setenforce 1
 else
     echo "YOU ARE NOT SYSADM_R: not changing enforcement mode (do 'newrole -r sysadm_r')"
 fi
 echo -n "und jetzt: "
 cat /selinux/enforce
 echo
- /usr/local/sbin/relabelall
 #!/bin/bash
 cd /etc/security/selinux/src/policy
 make reload
 make relabel
 /usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts /dev
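The s1 script above greps the whole output of id for the string sysadm_r; the following helper, an added example that is not part of the original page, instead parses the context= field that id prints on an SELinux system (user:role:type) and tests only the role component before writing to the enforce file. The id output and the enforce file path are passed in as parameters (an assumption made so the functions can be exercised on a box without /selinux mounted).

```bash
#!/bin/bash
# Added example, not from the wiki page: role-aware enforce helper.

# Print the role component of the "context=user:role:type" field that
# `id` appends on an SELinux-enabled system. Returns 1 if no context field.
selinux_role() {
    # $1: output of /usr/bin/id (a constructed sample is used in the test)
    local ctx
    ctx=$(printf '%s\n' "$1" | sed -n 's/.*context=\([^ ]*\).*/\1/p')
    [ -n "$ctx" ] || return 1
    printf '%s\n' "$ctx" | cut -d: -f2
}

# Switch to enforcing (write 1 to the enforce file) only when the current
# role is sysadm_r. Otherwise leave the mode untouched and return 2, which
# mirrors the behaviour of the s1 script but without a substring match.
enforce_if_sysadm() {
    # $1: `id` output; $2: path of the enforce file (normally /selinux/enforce)
    local role
    role=$(selinux_role "$1") || return 1
    if [ "$role" != "sysadm_r" ]; then
        echo "YOU ARE NOT SYSADM_R: not changing enforcement mode (do 'newrole -r sysadm_r')" >&2
        return 2
    fi
    echo 1 > "$2"
    cat "$2"   # prints the new mode, 1
}
```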
Notes
loadpolicy
With SELinux enabled, every program needs a policy in order to run, and that policy must also be loaded. Portage warns about this during emerge:
 * Policy has not been loaded. It is strongly suggested
 * that the policy be loaded before continuing!!
 * Automatic policy loading can be enabled by adding
 * "loadpolicy" to the FEATURES in make.conf.
-> edit
 /etc/make.conf
and add loadpolicy to the FEATURES variable (usually there is no such variable yet; if one already exists, append loadpolicy to it rather than replacing the line):
 FEATURES="loadpolicy"