Diffstat (limited to 'xml/selinux/hb-using-install.xml')
-rw-r--r-- | xml/selinux/hb-using-install.xml | 741 |
1 files changed, 0 insertions, 741 deletions
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml deleted file mode 100644 index 672f11d..0000000 --- a/xml/selinux/hb-using-install.xml +++ /dev/null 
@@ -1,741 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> - -<!-- The content of this document is licensed under the CC-BY-SA license --> -<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> - -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ --> - -<sections> -<version>24</version> -<date>2012-05-07</date> - -<section> -<title>Installing Gentoo (Hardened)</title> -<subsection> -<title>Introduction</title> -<body> - -<p> -Getting a SELinux-powered Gentoo installation doesn't require weird actions. -What you need to do is install Gentoo Linux with the correct profile, correct -kernel configuration and some file system relabelling. We seriously recommend to -use SELinux together with other hardening improvements (such as PaX / -grSecurity). -</p> - -<p> -This chapter will describe the steps to install Gentoo with SELinux. We -assume that you have an existing Gentoo Linux system which you want to convert -to Gentoo with SELinux. If this is not the case, you should still read -on: you can install Gentoo with SELinux immediately if you make the -correct decisions during the installation process, based on the information in -this chapter. -</p> - -</body> -</subsection> -<subsection> -<title>Performing a Standard Installation</title> -<body> - -<p> -Install Gentoo Linux according to the <uri link="/doc/en/handbook">Gentoo -Handbook</uri> installation instructions. We recommend the use of the hardened -stage 3 tarballs and <c>hardened-sources</c> kernel instead of the standard -ones, but standard stage installations are also supported for SELinux. -Perform a full installation to the point that you have booted your system -into a (primitive) Gentoo base installation. -</p> - -<note> -If you are an XFS user, make sure that the inode sizes of the XFS file -system is 512 byte. 
Since the default is 256, you will need to run the -<c>mkfs.xfs</c> command with the <c>-i size=512</c> arguments, like so: -<c>mkfs.xfs -i size=512 /dev/sda3</c> -</note> - -</body> -</subsection> -<!-- -<subsection> -<title>Installing the Hardened Development Overlay</title> -<body> - -<p> -Although optional, we recommend to enable the <c>hardened-development</c> -overlay. The state of SELinux within Gentoo Hardened is still undergoing -major development. -</p> - -<p> -Install <c>app-portage/layman</c> and add the <c>hardened-development</c> -overlay. This overlay uses a git repository, so either install <c>git</c> as -well, or set <c>USE="git"</c> in <path>/etc/make.conf</path>. -Make sure to include layman's <path>make.conf</path> in your -<path>make.conf</path> file. -</p> - -<pre caption="Installing hardened-development overlay"> -~# <i>emerge layman</i> - -~# <i>layman -S</i> - -~# <i>layman -a hardened-development</i> - -~# <i>nano /etc/make.conf</i> -<comment># Add the following line at the top of your make.conf file</comment> -<i>source /var/lib/layman/make.conf</i> -</pre> - -</body> -</subsection> ---> -<!-- -TODO Validate after 2.20120215-r8 is stable that this is no longer -necessary? Not sure about it though : check userspace ebuilds as well. ---> -<subsection> -<title>Switching to Python 2</title> -<body> - -<p> -For now, the SELinux management utilities are not compatible with Python 3 so -we recommend to switch to Python 2 until the packages are updated and fixed. 
-</p> - -<pre caption="Switching to python 2"> -~# <i>emerge '<=dev-lang/python-3.0'</i> -~# <i>eselect python list</i> -Available Python interpreters: - [1] python2.7 - [2] python3.1 * - -~# <i>eselect python set 1</i> -~# <i>source /etc/profile</i> -</pre> - -</body> -</subsection> -<subsection> -<title>Optional: Setting the filesystem contexts</title> -<body> - -<p> -If your <path>/tmp</path> location is a tmpfs-mounted file system, then you need -to tell the kernel that the root context of this location is <c>tmp_t</c> -instead of <c>tmpfs_t</c>. Many SELinux policy objects (including various -server-level policies) assume that <path>/tmp</path> is <c>tmp_t</c>. -</p> - -<p> -To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>: -</p> - -<pre caption="Update /etc/fstab for /tmp"> -<comment># For a "targeted" or "strict" policy type:</comment> -tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i> 0 0 - -<comment># For an "mls" or "mcs" policy type:</comment> -tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t:s0</i> 0 0 -</pre> - -</body> -</subsection> -<!-- -<subsection> -<title>Enabling ~Arch Packages</title> -<body> - -<p> -The current stable SELinux related packages are not fit for use anymore (or are -even broken) so we seriously recommend to enable ~arch packages for SELinux. Add -the following settings to the right file (for instance -<path>/etc/portage/package.accept_keywords/selinux</path>): -</p> - -<pre caption="SELinux ~arch packages"> -=sys-process/vixie-cron-4.1-r11 -</pre> - -</body> -</subsection> ---> -<subsection> -<title>Change the Gentoo Profile</title> -<body> - -<p> -Now that you have a running Gentoo Linux installation, switch the Gentoo profile -to the right SELinux profile (for instance, -<path>hardened/linux/amd64/no-multilib/selinux</path>). Note that the older -profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>) are not -supported anymore. 
-</p> - -<pre caption="Switching the Gentoo profile"> -~# <i>eselect profile list</i> -Available profile symlink targets: - [1] default/linux/amd64/10.0 - [2] default/linux/amd64/10.0/selinux - [3] default/linux/amd64/10.0/desktop - [4] default/linux/amd64/10.0/desktop/gnome - [5] default/linux/amd64/10.0/desktop/kde - [6] default/linux/amd64/10.0/developer - [7] default/linux/amd64/10.0/no-multilib - [8] default/linux/amd64/10.0/server - [9] hardened/linux/amd64 - [10] hardened/linux/amd64/selinux - [11] hardened/linux/amd64/no-multilib * - [12] hardened/linux/amd64/no-multilib/selinux - -~# <i>eselect profile set 12</i> -</pre> - -<note> -Starting from the profile change, Portage will warn you after every installation -that it was "Unable to set SELinux security labels". This is to be expected, -because the tools and capabilities that Portage requires to set the security -labels aren't available yet. This warning will vanish the moment the SELinux -installation is completed. -</note> - -<p> -Don't update your system yet - we will need to install a couple of packages in a -particular order which Portage isn't aware of in the next couple of sections. -</p> - -</body> -</subsection> -<subsection> -<title>Update make.conf</title> -<body> - -<p> -Next, take a look at the following USE flags and decide if you want to enable -or disable them. -</p> - -<table> -<tr> - <th>USE flag</th> - <th>Default Value</th> - <th>Description</th> -</tr> -<tr> - <ti>peer_perms</ti> - <ti>Enabled</ti> - <ti> - The peer_perms capability controls the SELinux policy network peer controls. - If set, the access control mechanisms that SELinux uses for network based - labelling are consolidated. This setting is recommended as the policy is - also updated to reflect this. If not set, the old mechanisms (NetLabel and - Labeled IPsec) are used side by side. 
- </ti> -</tr> -<tr> - <ti>open_perms</ti> - <ti>Enabled</ti> - <ti> - The open_perms capability enables the SELinux permission "open" for files - and file-related classes. Support for the "open" call was added a bit later - than others so support was first made optional. However, the policies have - matured sufficiently to have the open permission set. - </ti> -</tr> -<tr> - <ti>ubac</ti> - <ti>Enabled</ti> - <ti> - When disabled, the SELinux policy is built without user-based access control. - </ti> -</tr> -</table> - -<p> -Make your choice and update the <c>USE</c> variable in -<path>/etc/make.conf</path>. -</p> - -</body> -</subsection> -<subsection> -<title>Manual System Changes</title> -<body> - -<warn> -Most, if not all of the next few changes will be resolved through regular -packages as soon as possible. However, these fixes have impact beyond the Gentoo -Hardened installations. As such, these changes will be incorporated a bit slower -than the SELinux-specific updates. For the time being, manually correcting these -situations is sufficient (and a one-time operation). -</warn> - -<p> -The following changes <e>might</e> be necessary on your system, depending on the -tools or configurations that apply. -</p> - -<ul> - <li> - Check if you have <path>*.old</path> files in <path>/bin</path>. If you do, - either remove those or make them a copy of their counterpart so that they - get their own security context. The <path>.old</path> files are hard links - which mess up the file labelling. For instance, <c>cp /bin/hostname - /bin/hostname.old</c>. - </li> - <!-- - TODO When portage fix is stabilized, convert docs to /sys/fs/selinux - --> - <li> - Edit <path>/etc/sandbox.conf</path> and add in - <c>SANDBOX_WRITE="/sys/fs/selinux/context"</c>. This is temporarily needed - until the necessary fix (included in Portage but not stable yet) is - available. 
- </li> -</ul> - -</body> -</subsection> -<subsection> -<title>Installing a SELinux Kernel</title> -<body> - -<p> -Although the default Linux kernels offer SELinux support, we recommend the use -of the <path>sys-kernel/hardened-sources</path> package. -</p> - -<pre caption="Installing hardened-sources"> -<comment>(Only if you have not installed it previously of course)</comment> -~# <i>emerge hardened-sources</i> -</pre> - -<p> -Next, reconfigure the kernel with the appropriate security settings. This -includes, but is not limited to -</p> - -<ul> - <li>Support for extended attributes in the various file systems</li> - <li>Support system-call auditing</li> - <li>Support for SELinux</li> -</ul> - -<p> -Below you can find a quick overview of the recommended settings. -</p> - -<pre caption="Recommended settings for the Linux kernel configuration"> -<comment>Under "General setup"</comment> -[*] Prompt for development and/or incomplete code/drivers -[*] Auditing support -[*] Enable system-call auditing support - -<comment>Under "File systems"</comment> -<comment>(For each file system you use, make sure extended attribute support is enabled)</comment> -<*> Second extended fs support -[*] Ext2 extended attributes -[ ] Ext2 POSIX Access Control Lists -[*] Ext2 Security Labels -[ ] Ext2 execute in place support - -<*> Ext3 journalling file system support -[ ] Default to 'data=ordered' in ext3 -[*] Ext3 extended attributes -[ ] Ext3 POSIX Access Control Lists -[*] Ext3 Security Labels - -<*> The Extended 4 (ext4) filesystem -[*] Ext4 extended attributes -[ ] Ext4 POSIX Access Control Lists -[*] Ext4 Security Labels - -<*> JFS filesystem support -[ ] JFS POSIX Access Control Lists -[*] JFS Security Labels -[ ] JFS debugging -[ ] JFS statistics - -<*> XFS filesystem support -[ ] XFS Quota support -[ ] XFS POSIX ACL support -[ ] XFS Realtime subvolume support (EXPERIMENTAL) -[ ] XFS Debugging Support - -<*> Btrfs filesystem (EXPERIMENTAL) -[ ] Btrfs POSIX Access Control Lists - 
-<comment>Under "Security options"</comment> -[*] Enable different security models -[*] Socket and Networking Security Hooks -[*] NSA SELinux Support -[ ] NSA SELinux boot parameter -[ ] NSA SELinux runtime disable -[*] NSA SELinux Development Support -[ ] NSA SELinux AVC Statistics -(1) NSA SELinux checkreqprot default value -[ ] NSA SELinux maximum supported policy format version - Default security module (SELinux) ---> -</pre> - -<p> -We recommend to use PaX as well. More information on PaX within Gentoo Hardened -can be found in the <uri link="/proj/en/hardened/pax-quickstart.xml">Hardened -Gentoo PaX Quickstart Guide</uri>. -</p> - -<p> -Build and install the new Linux kernel and its modules. -</p> - -</body> -</subsection> -<subsection> -<title>Update fstab</title> -<body> - -<p> -Next, edit <path>/etc/fstab</path> and add the following two lines: -</p> - -<pre caption="Enabling selinux-specific file system options"> -<comment># The udev mount is due to bug #373381</comment> -udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0 -none /selinux selinuxfs defaults 0 0 -</pre> - -<note> -In case of an MLS/MCS policy, you need to have the context with sensitivity -level, so <c>...:device_t:s0</c>. -</note> - -</body> -</subsection> -<subsection> -<title>Reboot</title> -<body> - -<p> -With the above changes made, reboot your system. Assert yourself that you are -now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file -system should be mounted). Don't worry - SELinux is at this point not activated. -</p> - -</body> -</subsection> -</section> - -<section> -<title>Configure SELinux</title> -<subsection> -<title>Introduction</title> -<body> - -<p> -Next we will need to configure SELinux by installing the appropriate -utilities, label our file system and configure the policy. 
-</p> - -</body> -</subsection> -<subsection> -<title>Install Policies and Utilities</title> -<body> - -<p> -First, install the <path>sys-apps/checkpolicy</path> and -<path>sys-apps/policycoreutils</path> packages. Although these will be pulled in -as dependencies of the SELinux policy packages themselves, we need to install -these one time first - hence the <c>-1</c> option. -</p> - -<pre caption="Installing SELinux policy core utilities"> -~# <i>emerge -1 checkpolicy policycoreutils</i> -</pre> - -<p> -Next, install the SELinux policy package -(<path>sec-policy/selinux-base-policy</path>). This package contains the base -SELinux policy needed to get your system up and running using SELinux. -As Portage will try to label and reload policies (since the installation of -<path>sys-apps/policycoreutils</path>) we need to temporarily disable SELinux -support (as Portage wouldn't be able to label anything as it doesn't understand -it yet). -</p> - -<pre caption="Installing the SELinux policy packages"> -~# <i>FEATURES="-selinux" emerge selinux-base-policy</i> -</pre> - -<p> -Next, rebuild those packages affected by the profile change we did previously -through a standard world update, taking into account USE-flag changes (as the -new profile will change many default USE flags, including enabling the -<c>selinux</c> USE flag). Don't forget to use <c>etc-update</c> or -<c>dispatch-conf</c> afterwards as some changes to configuration files need to -be made. -</p> - -<pre caption="Update your Gentoo Linux system"> -~# <i>emerge -uDN world</i> -</pre> - -<p> -Next, install the additional SELinux tools that you might need in the future to -debug or help with your SELinux installation. These packages are optional, but -recommended. -</p> - -<pre caption="Installing additional SELinux packages"> -~# <i>emerge setools sepolgen checkpolicy</i> -</pre> - -<p> -Finally, install the policy modules for those utilities you think you need -policies for. 
In the near future, this will be done automatically for you (the -packages will have an optional dependency on it, triggered by the selinux USE -flag), but until that time, you will need to install them yourself. -</p> - -<pre caption="Installing SELinux modules"> -~# <i>emerge --search selinux-</i> -[...] -<comment>(Select the modules you want to install)</comment> -~# <i>emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</i> -</pre> - -</body> -</subsection> -<subsection> -<title>Configure the SELinux Policy</title> -<body> - -<p> -Inside <path>/etc/selinux/config</path> you can configure how SELinux is -configured at boot time. -</p> - -<pre caption="Editing the /etc/selinux/config file"> -# This file controls the state of SELinux on the system on boot. - -# SELINUX can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=<i>permissive</i> - -# SELINUXTYPE can take one of these four values: -# targeted - Only targeted network daemons are protected. -# strict - Full SELinux protection. -# mls - Full SELinux protection with Multi-Level Security -# mcs - Full SELinux protection with Multi-Category Security -# (mls, but only one sensitivity level) -SELINUXTYPE=<i>strict</i> -</pre> - -<p> -Within this configuration file, two variables can be set: -</p> - -<ul> - <li> - <c>SELINUX</c> sets how SELinux should behave: - <ul> - <li> - <c>enforcing</c> will enable and enforce policies. This is where we want - to go for, but you should probably start with <c>permissive</c>. - </li> - <li> - <c>permissive</c> will enable policies, but not enforce them. Any - violation is reported but not denied. 
This is where you should start - from as it will not impact your system yet allow you to get acquainted - with SELinux - and validate the warnings to see if you can switch - towards <c>enforcing</c> or not. - </li> - <li> - <c>disabled</c> will completely disable the policies. As this will not - show any violations as well, it is not recommended. - </li> - </ul> - </li> - <li> - <c>SELINUXTYPE</c> selects the SELinux policy type to load. - Gentoo Hardened recommends the use of <c>strict</c> for servers, and - <c>targeted</c> for desktops. The <c>mcs</c> type is supported, <c>mls</c> - is currently still considered experimental. - </li> -</ul> - -<p> -The differentiation between <c>strict</c> and <c>targeted</c> is based upon the -<e>unconfined</e> domain. When loaded, the processes on your system that are not -specifically confined within a particular policy module will be part of the -unconfined_t domain whose purpose is to allow most activities by default (rather -than deny by default). As a result, processes that run inside the unconfined_t -domain have no restrictions apart from those already enforced by standard Linux -security. Although running without the unconfined_t domain is considered more -secure, it will also be more challenging for the administrator to make sure the -system still functions properly as there are no policy modules for each and -every application "out there". -</p> - -<p> -Next to <c>targeted</c> and <c>strict</c>, you can opt for <c>mcs</c> to allow -categorization of the process domains. This is useful on multi-tenant systems -such as web servers, virtualization hosts, ... where multiple processes will be -running, most of them in the same security domain, but in different categories. -</p> - -<p> -Finally, you can also select <c>mls</c> to differentiate security domains on -a sensitivity level. However, MLS is currently still considered experimental -in Gentoo and as such not recommended. 
-</p> - -<p> -When you have made your choice between the SELinux policy types, save -this in your <path>/etc/make.conf</path> file as well. That way, Portage will -only install the policy modules for that SELinux type. -</p> - -<pre caption="Setting the policy type in make.conf"> -~# <i>nano /etc/make.conf</i> -POLICY_TYPES="<i>strict</i>" -</pre> - -</body> -</subsection> -<subsection> -<title>Reboot, and Label the File System</title> -<body> - -<impo> -Repeat these steps every time you have rebooted from a non-SELinux enabled -kernel into a SELinux enabled kernel, as running with a non-SELinux enabled -kernel will not update the security attributes of the files you create or -manipulate during your day-to-day activities on your system. -</impo> - -<p> -First reboot your system so that the installed policies are loaded. Now we -need to relabel your devices and openrc related files. This will apply the -correct security contexts (labels) onto the necessary files. -</p> - -<pre caption="Relabel /dev structure"> -~# <i>mkdir /mnt/gentoo</i> -~# <i>mount -o bind / /mnt/gentoo</i> - -<comment>(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</comment> -~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</i> -~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</i> -~# <i>umount /mnt/gentoo</i> -</pre> - -<p> -Next, if you have a swapfile rather than a swap partition, label it accordingly: -</p> - -<pre caption="Labelling the swap file"> -~# <i>semanage fcontext -a -t swapfile_t "/swapfile"</i> -~# <i>restorecon /swapfile</i> -</pre> - -<p> -Now relabel your entire file system. The next command will apply the correct -security context onto the files on your file system, based on the security -context information provided by the SELinux policy modules installed. 
-</p> - -<pre caption="Relabel the entire file system"> -~# <i>rlpkg -a -r</i> -</pre> - -<p> -If you ever have to install a SELinux policy module for a package after that -that particular package is installed, you need to run <c>rlpkg</c> for that -package to make sure that the security contexts for these files are set -correctly. For instance, if you have installed -<path>sec-policy/selinux-screen</path> after discovering that you have -<c>screen</c> on your system: -</p> - -<pre caption="Relabeling the files for a single package"> -<comment>(Make sure no screen sessions are running as their security contexts will not be adapted)</comment> -~# <i>rlpkg -t screen</i> -</pre> - -</body> -</subsection> -<subsection> -<title>Reboot and Set SELinux Booleans</title> -<body> - -<p> -Reboot your system so that the newly applied file contexts are used. Log on -and, if you have indeed installed Gentoo using the hardened sources (as we -recommended), enable the SSP SELinux boolean, allowing every domain read -access to the <path>/dev/urandom</path> device: -</p> - -<pre caption="Enabling the global_ssp boolean"> -~# <i>setsebool -P global_ssp on</i> -</pre> - -</body> -</subsection> -<subsection> -<title>Define the Administrator Accounts</title> -<body> - -<p> -If the <c>SELINUXTYPE</c> is set to <c>strict</c>, then we -need to map the account(s) you use to manage your system (those -that need access to Portage) to the <c>staff_u</c> SELinux user. If not, none -of your accounts will be able to succesfully manage the system (except for -<c>root</c>, but then you will need to login as <c>root</c> directly and not -through <c>sudo</c> or <c>su</c>.) By default, users are mapped to the -<c>user_u</c> SELinux user who doesn't have the appropriate rights (nor access -to the appropriate roles) to manage a system. 
Accounts that are mapped to -<c>staff_u</c> can, but might need to switch roles from <c>staff_r</c> to -<c>sysadm_r</c> before they are granted the appropriate privileges. -</p> - -<p> -Assuming that your account name is <e>john</e>: -</p> - -<pre caption="Mapping the Linux account john to the SELinux user staff_u"> -~# <i>semanage login -a -s staff_u john</i> -~# <i>restorecon -R -F /home/john</i> -</pre> - -<p> -If you later log on as <e>john</e> and want to manage your system, you will -probably need to switch your role. You can use <c>newrole</c> for this: -</p> - -<pre caption="Switching roles"> -~$ <i>id -Z</i> -staff_u:staff_r:staff_t -~$ <i>newrole -r sysadm_r</i> -Password: <comment>(Enter your password)</comment> -~$ <i>id -Z</i> -staff_u:sysadm_r:sysadm_t -</pre> - -<p> -If you however use a <c>targeted</c> policy, then the user you work with will be -of type <e>unconfined_t</e> and will already have the necessary privileges to -perform system administrative tasks. -</p> - -<p> -With that done, enjoy - your first steps into the SELinux world are now made. -</p> - -</body> -</subsection> -</section> -</sections> |