HOWTO Null SELinux on non-SELinux profile
Rationale
SELinux was merged as a standard feature in the 2.6 kernel long ago. There is a separate SELinux profile in Gentoo, but it has been slow getting into the main profile, mostly because some of the hardened stuff does not work with glibc 2.4/gcc 4.1. However, the hardened stuff is not needed to use SELinux anyway (but does complement it nicely).
SELinux has lots of potential, but currently, Red Hat/Fedora is the only major distributor that has it enabled by default.
The first step into getting SELinux into the mainstream on Gentoo is to create a "null" SELinux environment - one with all utilities SELinux aware and capable, but no policies. The resulting environment must not produce any more errors without the policy, and the existence of SELinux should be (almost) invisible. This way, users can "test drive" as much of SELinux as desired - either the Gentoo provided policies, the reference policy, or a self-written one.
Backing up
Adding SELinux support
Unmasking the "selinux" use flag
Create (or edit) the file (and any intermediate directories as needed) - /etc/portage/profile/use.mask and add the following line:
| File: /etc/portage/profile/use.mask |
-selinux |
This (somewhat counterintuitively) excludes the "selinux" USE flag from being masked, as opposed to the more intuitive method of explicitly unmasking the "selinux" USE flag. Essentially, the method used is the "double negative" way of doing it - because there is no /etc/portage/profile/use.unmask.
Append "selinux" to USE
Either edit /etc/make.conf or - if gentoolkit installed:
euse -E selinux
Prevent SELinux policies from being installed
For this, it is possible to (ab)use /etc/portage/profile/package.provided. In previous versions of Portage, this was referred to as "injecting" a package.
find /usr/portage/sec-policy -mindepth 1 -maxdepth 1 -type d -name selinux\* -printf '%p-99999999\n' | cut -d/ -f 4- >> /etc/portage/profile/package.provided
If there are already SELinux entries in that file (unlikely; in fact most likely this file does not even exist yet), the duplicates must be removed (either before or after appending - possibly using "sort -u" or "uniq").
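The same generation step as a small script, added here as an example and not part of the original HOWTO: it produces the sec-policy/selinux-*-99999999 lines and merges them into package.provided without duplicates (the "sort -u" step mentioned above). It uses find's %f instead of cut so it works for any portage tree depth; the tree root and target file are parameters, and the demo runs against a constructed tree under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): build the package.provided
# entries that hide every sec-policy/selinux-* package from Portage and
# merge them into the file without duplicates.
# Assumptions: the portage tree root and the target file are passed in,
# so the functions can be exercised on a constructed tree.
set -eu

# Print one "sec-policy/selinux-foo-99999999" line per policy package
# directory found under $1/sec-policy (%f is the directory's basename).
list_policy_provides() {
    portdir=$1
    find "$portdir/sec-policy" -mindepth 1 -maxdepth 1 -type d -name 'selinux*' \
        -printf 'sec-policy/%f-99999999\n' | sort
}

# Merge the generated entries into $2, keeping existing lines and
# collapsing duplicates, so the function can be re-run safely.
provide_policies() {
    portdir=$1
    target=$2
    mkdir -p "$(dirname "$target")"
    touch "$target"
    { cat "$target"; list_policy_provides "$portdir"; } | sort -u > "$target.tmp"
    mv "$target.tmp" "$target"
}

# Count the sec-policy/selinux-* lines present in $1.
count_policy_lines() {
    grep -c '^sec-policy/selinux-' "$1" || true
}

# Constructed sample tree standing in for /usr/portage.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/portage/sec-policy/selinux-base" \
         "$demo_dir/portage/sec-policy/selinux-apache" \
         "$demo_dir/portage/sec-policy/not-a-policy"
provided="$demo_dir/etc/portage/profile/package.provided"
provide_policies "$demo_dir/portage" "$provided"
# A second run must not add duplicate lines.
provide_policies "$demo_dir/portage" "$provided"
cat "$provided"
```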
Disable "selinux" USE flag for busybox
Either do:
| File: /etc/portage/package.use/busybox |
sys-apps/busybox -selinux |
OR
| File: /etc/portage/package.use |
sys-apps/busybox -selinux |
Rebuild portage with SELinux support
emerge -1N sys-apps/portage
Re-emerge packages with "selinux" USE flag
emerge -uND world
As glibc is one of the things that uses the "selinux" USE flag, this could take a while.
Update configuration files
Either use etc-update or dispatch-conf
Create the /selinux directory
mkdir /selinux
Reboot
shutdown -r now
Verifying the userspace
The system should have rebooted normally, with no changes in operation, as
- The kernel doesn't have SELinux support
- There are no policies loaded
Installing an SELinux enabled kernel
Read the SELinux Handbook
Read the Gentoo SELinux Handbook and compile a kernel with SELinux support. The other steps may be skipped, as the policies and labeling may be done later.
TIP: Disabling SELinux on an SELinux kernel
It is possible to use the same kernel both with and without SELinux. To boot it as a non-SELinux kernel, add selinux=0 to the kernel command line.
TIP: Append "selinux" and "loadpolicy" to FEATURES
Portage can manage the labels of packages it installs or removes. /etc/make.conf will need to be edited manually, as there is no corresponding "efeature" like there is "euse".
| File: /etc/make.conf |
FEATURES="selinux loadpolicy" |
TIP: Skipping /selinux in /etc/fstab
/selinux need not be added to /etc/fstab - if SELinux is enabled, it will be automounted anyway - which is good because the bootscripts would complain when SELinux is disabled (or not compiled in).
Verifying the new kernel
After booting the SELinux enabled kernel (if the instructions in the SELinux handbook were followed, the kernel should be in permissive mode), everything should be the same as before, as there are no policies loaded. However, the /selinux directory should now be populated.
Preparing for the first SELinux boot
Emerging the policies with Portage
Now simply remove all the SELinux policies from /etc/portage/profile/package.provided then
emerge -uD world
Now that Gentoo uses the reference policy, this is almost certainly what you are going to want to do. Note that quite a few packages have corresponding SELinux policies that are not automatically pulled in by USE=selinux. In that case, you'll have to emerge the policy manually.
Enable restorecond at boot
Easy enough:
rc-update add restorecond boot
Set auto-relabeling
For SELinux to work correctly, the files need to be labeled properly. For the files to be labeled properly, the policy needs to be loaded. The policy needs to be loaded for SELinux to work correctly. Ad nauseam. To break out of this loop, we can have the files auto-labeled early in the boot stage.
touch /.autorelabel
Configuring the policy store
Finally, the policy store needs to be configured. This is easy: just edit /etc/selinux/config. By default, it loads in permissive mode with the strict policy. The strict policy is too tight for all but the most draconian environments; almost everyone will want to change this to targeted. On the other hand, it is probably better to start in permissive mode on the first boot, and then switch to enforcing mode, to see what kind of errors will occur without rendering your system totally inoperable.
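The two-step change to /etc/selinux/config described above (targeted policy first, enforcing mode only after a clean permissive boot), added here as an example and not part of the original HOWTO. It assumes the file uses the usual SELINUX= and SELINUXTYPE= assignments; the path is a parameter so it can be tried on a copy, and the demo edits a constructed copy of the default file.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): edit the SELINUX= and
# SELINUXTYPE= assignments in a copy of /etc/selinux/config, replacing an
# existing assignment in place or appending one if the key is missing.
# Assumption: the config path is passed as the first argument.
set -eu

# Set KEY=VALUE in $1: replace the existing line, or append if absent.
set_selinux_option() {
    file=$1; key=$2; value=$3
    if grep -q "^$key=" "$file"; then
        sed -i "s|^$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read the value of KEY from $1 (empty if unset; last assignment wins).
get_selinux_option() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Constructed stand-in for the default Gentoo /etc/selinux/config.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# This file controls the state of SELinux on the system on boot.
SELINUX=permissive
SELINUXTYPE=strict
EOF

# First boot: stay permissive, but load the targeted policy.
set_selinux_option "$cfg" SELINUXTYPE targeted
# Once a permissive boot shows no denials worth fixing, switch to enforcing.
set_selinux_option "$cfg" SELINUX enforcing
cat "$cfg"
```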
Reboot
Reboot now. It is technically possible to load the policy now; however, it is NOT recommended, because existing processes won't be labeled correctly.
Undoing the process
This process is completely reversible
Re-masking the SELinux flag
Remove the "-selinux" flag from /etc/portage/profile/use.mask. If that would make /etc/portage/profile/use.mask empty, it may be deleted instead.
Removing the SELinux USE flag
Either edit /etc/make.conf or - if gentoolkit is installed:
euse -D selinux
Removing "selinux" and "loadpolicy" from FEATURES
/etc/make.conf will have to be edited manually, as there is no corresponding "efeature" like there is "euse".
Re-emerge all packages without SELinux support
emerge -uND world
Un-provide the SELinux policies
Remove all the sec-policy/* stuff from /etc/portage/profile/package.provided by hand. If that would make /etc/portage/profile/package.provided empty, it may be deleted, instead. If /etc/portage/profile directory is now empty, it may be deleted if desired.
Clean out remaining SELinux cruft
At least Portage 2.1.1 is recommended before doing this:
emerge -a --depclean
TIP: Checking link consistency
Gentoolkit users can check to make sure all the SELinux stuff is gone and nothing is broken:
revdep-rebuild -p
Remove /selinux
If a non-SELinux kernel is booted (or SELinux is disabled), the /selinux directory may be removed.
rmdir /selinux
Recompile the kernel without SELinux
Optionally, recompile the kernel without SELinux support, or leave the selinux=0 on the kernel command line for the same effect.
Clearing the extended attributes
The extended attribute used for SELinux is called security.selinux. To see which files have the attribute, use (replace / with the filesystem's mount point):
find / -xdev -exec getfattr -n security.selinux {} \;
To clear the attributes:
find / -xdev -exec setfattr -x security.selinux {} \;
Miscellany
While doing this process (and undoing it), my gdm stopped displaying the background.svg image in the themes; the background was simply grey and it was emitting errors in the syslog:
Mar 27 10:59:15 ardvarc gdmgreeter[8643]: GLib-GObject-WARNING: invalid (NULL) pointer instance
Mar 27 10:59:15 ardvarc gdmgreeter[8643]: GLib-GObject-CRITICAL: g_signal_connect_data: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
Re-emerging gnome-base/librsvg fixed it.
See Also