Sysop:SELinuxConvertingGentooToSelinux

From immerda

The basis is Gentoo's SELinux Handbook:

just follow it.

After the final reboot (http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=3#doc_chap5) it is a good idea to run

emerge -e world

so that every package gets rebuilt with the new hardened profile.

additional stuff

aliases

  • it is nice to have some handy aliases that make common tasks easy:
alias makereload='make -C /etc/security/selinux/src/policy reload' # reload the policy or the file context settings
alias relabel='/usr/bin/make -C /etc/security/selinux/src/policy relabel' # relabel all filesystems (same Makefile as makereload)
alias relabelit='/usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts `pwd`' # relabel the current directory and all its subdirectories
alias setfilesit='/usr/sbin/setfiles /etc/selinux/file_contexts/file_contexts' # relabel the paths given as arguments
alias dm='/bin/dmesg | /usr/bin/audit2allow' # turn the AVC denials in the kernel log into allow statements
alias dm_clear='/bin/dmesg -c | /usr/bin/audit2allow' # same, but clear the kernel message buffer afterwards
Review what audit2allow prints before loading it: it generates whatever rule would silence the denial, whether the access was legitimate or not.
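A way to do that review before running the dm alias, added here as an example and not part of the original page: summarise the denials in the kernel log so you see which source domain wants which permission on which target type, and how often, instead of reading raw rules out of audit2allow. It assumes the classic dmesg AVC format of the 2.6 kernels this page targets (avc:  denied  { perm } for ... scontext=... tcontext=... tclass=...); the log lines in sample_avc_log are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: summarise the AVC denials in the
# kernel log before handing them to audit2allow, so you can see which
# source domain wants which permission on which target type, and how often.
# Assumes the classic dmesg AVC format of the 2.6 kernels the page targets:
#   audit(...): avc:  denied  { perm ... } for  pid=... comm="..." ...
#              scontext=... tcontext=... tclass=...
# The log lines in sample_avc_log are constructed for this example.

# Read AVC lines on stdin and print one line per unique
# "scontext -> tcontext (tclass) { permissions }", with a count in front,
# most frequent first.  "granted" entries and non-AVC lines are ignored.
avc_summary() {
    grep 'avc:  *denied' |
    sed -n 's/.*avc:  *denied  *{ *\([^}]*\)} for .*scontext=\([^ ]*\) .*tcontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    sort | uniq -c | sort -rn |
    awk '{ printf "%4d  %s -> %s (%s) {", $1, $2, $3, $4
           for (i = 5; i <= NF; i++) printf " %s", $i
           print " }" }'
}

# Constructed sample: two identical sshd denials on /etc/shadow, one httpd
# denial with two permissions, one granted entry and one unrelated line.
sample_avc_log() {
    cat <<'EOF'
audit(1150000000.123:45): avc:  denied  { read } for  pid=1234 comm="sshd" name="shadow" dev=hda3 ino=12345 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1150000000.456:46): avc:  denied  { read } for  pid=1235 comm="sshd" name="shadow" dev=hda3 ino=12345 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1150000001.789:47): avc:  denied  { read write } for  pid=1300 comm="httpd" name="error_log" dev=hda3 ino=54321 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
audit(1150000002.000:48): avc:  granted  { setenforce } for  pid=1400 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
usb 1-1: new full speed USB device using uhci_hcd and address 2
EOF
}

# On a live box this would be:  dmesg | avc_summary
sample_avc_log | avc_summary
```

The two sshd lines collapse into one entry with a count of 2, the httpd line keeps both of its permissions, and the granted entry and the USB message are dropped. A domain that shows up asking for read on shadow_t is exactly the kind of line you do not want audit2allow to turn into an allow rule without thinking.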

startscript

  • if enforcing mode is not switched on hard at boot (e.g. by passing enforcing=1 on the kernel command line), it is good to have an init script that does it for you:

#!/sbin/runscript
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
        # start after sshd, so remote logins are already up when enforcing kicks in
        after sshd
}

start() {
        ebegin "enforcing selinux"
        # selinuxfs is mounted on /selinux on the Gentoo of this era
        # (newer systems mount it on /sys/fs/selinux)
        echo "1" > /selinux/enforce
        eend $?
}

stop() {
        # deliberately does nothing: switching back to permissive mode is left to sysadm_r
        ebegin "sorry, switching back to permissive mode is only possible as sysadm_r"
        eend 0
}

restart() {
        ebegin "sorry, switching back to permissive mode is only possible as sysadm_r"
        eend 0
}

save it as /etc/init.d/enforce and add it to the default runlevel with:

rc-update add enforce default

other tools

  • /usr/local/sbin/s0 (switch to permissive mode)
#!/bin/bash
# show the current mode, switch to permissive, show the mode again
echo -n "it was   : "
cat /selinux/enforce
echo
setenforce 0
echo -n "and now  : "
cat /selinux/enforce
echo
  • /usr/local/sbin/s1 (switch to enforcing mode, after relabeling /etc)
#!/bin/bash
echo -n "it was   : "
cat /selinux/enforce
echo
# only sysadm_r may change the enforcement mode, so check the current role first
if /usr/bin/id | /bin/grep -q sysadm_r ; then
       # if /etc/shadow (or anything else in /etc) carries a wrong label we have
       # a big problem once enforcing, so relabel /etc first
       /usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts /etc
       # now it should be safe to enforce ...
       /usr/sbin/setenforce 1
else
       echo "YOU ARE NOT SYSADM_R: not changing enforcement mode (do 'newrole -r sysadm_r')"
fi
echo -n "and now  : "
cat /selinux/enforce
echo
  • /usr/local/sbin/relabelall
#!/bin/bash
# reload the policy, relabel all filesystems, then relabel /dev as well
cd /etc/security/selinux/src/policy || exit 1
make reload
make relabel
/usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts /dev

Notes

loadpolicy

With SELinux enabled, every program needs a policy in order to run, and that policy must also be loaded; until it is, emerge warns:

 * Policy has not been loaded.  It is strongly suggested
 * that the policy be loaded before continuing!!

 * Automatic policy loading can be enabled by adding
 * "loadpolicy" to the FEATURES in make.conf.

-> edit

/etc/make.conf

and add loadpolicy to the FEATURES variable (usually there is no such variable yet, so add one):

FEATURES="loadpolicy"

If FEATURES is already set, append loadpolicy to the existing list instead of adding a second line. FEATURES is an incremental variable, so the entries in make.conf are added to the profile defaults rather than replacing them.
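The edit above done as a small shell function, added here as an example and not part of the original page: it adds an entry to FEATURES in a make.conf whether or not the variable exists yet, and does nothing when the entry is already there, so it can be run repeatedly. It only handles the usual single-line FEATURES="..." form, and the make.conf used in the demo is a constructed temporary file.

```shell
#!/bin/sh
# Added example, not from the original page: add a FEATURES entry to a
# Gentoo make.conf idempotently, covering both cases the text mentions:
# no FEATURES line yet (a new one is appended) and an existing one (the
# entry is added to it once).  Handles the usual single-line
# FEATURES="..." form only.  The make.conf used in the demo below is a
# constructed temporary file, not a real one.

# Print the current value of FEATURES in make.conf $1, without quotes
# (prints nothing if the variable is not set).
current_features() {
    sed -n 's/^FEATURES="\([^"]*\)".*/\1/p' "$1"
}

# Make sure feature $2 is listed in FEATURES of make.conf $1.
add_feature() {
    file=$1
    feature=$2
    cur=$(current_features "$file")
    # already there: nothing to do, so running this twice is harmless
    if printf '%s\n' "$cur" | tr ' ' '\n' | grep -qx "$feature"; then
        return 0
    fi
    if grep -q '^FEATURES=' "$file"; then
        # extend the existing line; an empty FEATURES="" gets no leading space
        if [ -n "$cur" ]; then
            new="$cur $feature"
        else
            new=$feature
        fi
        sed "s|^FEATURES=.*|FEATURES=\"$new\"|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        # no FEATURES line yet: append one
        printf 'FEATURES="%s"\n' "$feature" >> "$file"
    fi
}

# Demo on a constructed make.conf: first without FEATURES, then with one.
demo_make_conf=$(mktemp)
printf 'CFLAGS="-O2 -pipe"\nUSE="hardened selinux"\n' > "$demo_make_conf"
add_feature "$demo_make_conf" loadpolicy     # appends FEATURES="loadpolicy"
add_feature "$demo_make_conf" loadpolicy     # second run changes nothing
add_feature "$demo_make_conf" sandbox        # becomes "loadpolicy sandbox"
cat "$demo_make_conf"
rm -f "$demo_make_conf"
```

On a real system call it as add_feature /etc/make.conf loadpolicy; the check with grep -qx uses whole-word matching so that an existing entry such as "loadpolicy" is not confused with a different feature that merely contains the same letters.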