SELinux packages updated in 1.4 -- and SELinux-next development

  • Funtoo Linux BDFL

Hey All,

I've gone ahead and updated Funtoo Linux 1.4 to contain the latest implementation of SELinux from Gentoo. SELinux is working well under Funtoo now. To use it, see the SELinux page on the Funtoo wiki. Also reference the https://wiki.gentoo.org/wiki/SELinux/Installation and https://wiki.gentoo.org/wiki/SELinux pages for documentation reference. These Gentoo wiki pages were originally put together by SwiFT and are excellent, and the SELinux team has kept them up-to-date (I must give credit where credit is due). We need to work on our modest SELinux wiki page here to improve it: https://www.funtoo.org/SELinux

If you are new to SELinux, here are the basic steps. Enable the SELinux mix-in, emerge the SELinux tools as well as policies, rebuild world and etc-update, apply security labels to files, enable in kernel in "permissive mode" -- where it just logs things but doesn't "block" anything, and then start to play.

In your /etc/boot.conf, you'll want to add "security=selinux enforcing=0" to your "params +=" line and re-run "ego boot update" to get the kernel booting properly. This is assuming you are using debian-sources or debian-sources-lts.

Funtoo is also helping perfinion (find him in #gentoo-base on freenode) in Gentoo test the SELinux-next security policies. Here is how you can test them:

1. Add the following to package.keywords: sec-policy/selinux-* **
2. Then emerge @selinux-rebuild to reinstall all the 9999 policies (to be used with 2.9 userspace)
3. Do a full relabel.
4. Reboot.

Then, you can run and start auditd which will generate logs of what SELinux activity is going on. After your initial reboot into the new SELinux, start auditd with empty logs, and keep it running as you go about your business. After a few days of using Funtoo as you normally would, these logs can be useful to the SELinux team to determine if the new policies are working as expected.

Of particular interest is the use of elogind under SELinux. Once using the new SELinux-next policies, 'ps auxfZ | grep logind' should be in the systemd_logind_t domain.

Thanks to perfinion and the SELinux team for moving SELinux forward! Let's help them!
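Two quick sanity checks for the procedure in this post, as an added example that is not part of the original post or of Funtoo's tooling: one confirms that the boot.conf `params +=` line carries the kernel parameters named above, the other reads `ps auxfZ` output and reports the domain elogind is running in (expected to be systemd_logind_t under SELinux-next). The sample `ps` lines and boot.conf fragments below are constructed so the script runs offline; the `initrc_t` sample is an assumed "not yet confined" case, not something the post describes.

```sh
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# SELinux-next test steps. On a real system feed in the output of `ps auxfZ`
# and the contents of /etc/boot.conf instead of the constructed samples.

# Print the SELinux type (third field of the label) of the logind process in
# `ps auxfZ` output; the label is the first column. Skips the `grep logind`
# line that `ps auxfZ | grep logind` would otherwise match.
logind_domain() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[^:]+:[^:]+:[^:]+/ && $0 ~ /logind/ && $0 !~ /grep/ {
            split($1, ctx, ":"); print ctx[3]; exit
        }'
}

# Succeeds when logind runs in the domain the SELinux-next policy should assign.
logind_confined() {
    [ "$(logind_domain "$1")" = "systemd_logind_t" ]
}

# Succeeds when a boot.conf "params +=" line enables SELinux in permissive mode.
boot_params_ok() {
    printf '%s\n' "$1" | grep -q 'params[[:space:]]*+=.*security=selinux.*enforcing=0'
}

# Constructed sample: `ps auxfZ | grep logind` once elogind is confined.
SAMPLE_PS_OK='system_u:system_r:systemd_logind_t:s0 root 1234 0.0 0.1 12345 678 ? Ss 10:00 0:00 /usr/libexec/elogind/elogind
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user 5678 0.0 0.0 1234 56 pts/0 S+ 10:01 0:00 grep logind'

# Constructed sample: elogind left in initrc_t (assumed, e.g. before relabeling).
SAMPLE_PS_BAD='system_u:system_r:initrc_t:s0 root 1234 0.0 0.1 12345 678 ? Ss 10:00 0:00 /usr/libexec/elogind/elogind'

# Constructed /etc/boot.conf fragment carrying the parameters from the post.
SAMPLE_BOOT_OK='"Funtoo Linux" {
    kernel kernel[-v]
    params += security=selinux enforcing=0
}'

# Same fragment without the SELinux parameters.
SAMPLE_BOOT_BAD='"Funtoo Linux" {
    kernel kernel[-v]
    params += quiet
}'

# Demo run against the constructed samples.
echo "elogind domain: $(logind_domain "$SAMPLE_PS_OK")"
boot_params_ok "$SAMPLE_BOOT_OK" && echo "boot.conf params: ok"
boot_params_ok "$SAMPLE_BOOT_BAD" || echo "boot.conf params: missing security=selinux enforcing=0"
```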
