Mailing List Archive

SELinux conversion questions
I'm attempting to convert my laptop to SELinux using the conversion guide,
and I've run into a few snags with documentation. I've consulted the
troubleshooting page, archives and forums, and now am reaching out directly.

1) When I get to the world update ('emerge -uDN world'), every package
fails at install with 'Failed to set SELinux security labels.' Don't I
also need 'FEATURES="-selinux"' for that step (like the preceding step)?

2) The conversion guide states 'We recommend to use PaX as well'. Would it
be accurate (and maybe helpful) to append 'but installing without PaX can
be accomplished with USE=-pax_kernel in make.conf'? I configured this
change because I don't want to learn PaX today but all hardened profiles
include USE=pax_kernel in make.defaults, making PaX more of a requirement
than a recommendation. I assume that allowing USE=pax_kernel on a non-PaX
kernel (I'm building the kernel from gentoo-sources not hardened-sources)
is invalid.

3) The conversion guide states 'switch the Gentoo profile to the right
SELinux profile' but then immediately shows an example which selects '[11]
hardened/linux/amd64/no-multilib *', a non-SELinux profile. Shouldn't
item [10] or [12] be selected?

I have a feeling these are all documentation bugs but as a hardened-n00b, I
don't know what I don't know.

Thanks all, especially devs, for all the hard work into making Gentoo great.

Erik
Re: SELinux conversion questions
On 02/23/2014 06:18 PM, Erik Mackdanz wrote:
> I'm attempting to convert my laptop to SELinux using the conversion
> guide, and I've run into a few snags with documentation. I've consulted
> the troubleshooting page, archives and forums, and now am reaching out
> directly.
>
> 1) When I get to the world update ('emerge -uDN world'), every package
> fails at install with 'Failed to set SELinux security labels.' Don't I
> also need 'FEATURES="-selinux"' for that step (like the preceding step)?
>
I am fairly sure FEATURES=selinux is pretty important at this step; this
is where you are re-installing all packages with SELinux support, and
the security labels are supposed to be set.

I had the same problem, though, on a recent conversion. In my case, the
problem was emerge was using python3, but the selinux module only exists
for python2. Try setting python2.7 as your default interpreter, or
re-emerge portage with USE=python2. The latter is what I did and now
everything works fine.

--
♫Dustin
http://dustin.hatch.name/
Re: SELinux conversion questions
Thank you. I confirmed that portage had been running under python 2.7.

I found the problem, though... I'd set POLICY_TYPES="targeted" in
make.conf, and therefore portage installed policies into
/etc/selinux/targeted only. However, running /usr/sbin/selinuxconfig and
catting /etc/selinux/config both made clear that 'strict' was a requirement.

I've worked through it by setting POLICY_TYPES="strict targeted", then
rebuilding selinux-base and selinux-base-policy. I feel like this is
another documentation bug - the user should be told either that 'strict' is
initially required in make.conf, or that /etc/selinux/config must be edited
before the selinux-base-policy install.

Anyway, thanks again. I'm sure I'll be back...

Erik


On Sun, Feb 23, 2014 at 8:00 PM, Dustin C. Hatch <admiralnemo@gmail.com> wrote:

> On 02/23/2014 06:18 PM, Erik Mackdanz wrote:
> > I'm attempting to convert my laptop to SELinux using the conversion
> > guide, and I've run into a few snags with documentation. I've consulted
> > the troubleshooting page, archives and forums, and now am reaching out
> > directly.
> >
> > 1) When I get to the world update ('emerge -uDN world'), every package
> > fails at install with 'Failed to set SELinux security labels.' Don't I
> > also need 'FEATURES="-selinux"' for that step (like the preceding step)?
> >
> I am fairly sure FEATURES=selinux is pretty important at this step; this
> is where you are re-installing all packages with SELinux support, and
> the security labels are supposed to be set.
>
> I had the same problem, though, on a recent conversion. In my case, the
> problem was emerge was using python3, but the selinux module only exists
> for python2. Try setting python2.7 as your default interpreter, or
> re-emerge portage with USE=python2. The latter is what I did and now
> everything works fine.
>
> --
> ♫Dustin
> http://dustin.hatch.name/
>
>
Re: SELinux conversion questions
Indeed, the step "Configure the SELinux policy" needs to be done the moment
that /etc/selinux/config is made available and before the world upgrade.

Strict isn't a requirement but it is of course important to configure it
(the policy type) correctly beforehand.
On Feb 25, 2014 3:33 AM, "Erik Mackdanz" <erikmack@gmail.com> wrote:

> Thank you. I confirmed that portage had been running under python 2.7.
>
> I found the problem, though... I'd set POLICY_TYPES="targeted" in
> make.conf, and therefore portage installed policies into
> /etc/selinux/targeted only. However, running /usr/sbin/selinuxconfig and
> catting /etc/selinux/config both made clear that 'strict' was a requirement.
>
> I've worked through it by setting POLICY_TYPES="strict targeted", then
> rebuilding selinux-base and selinux-base-policy. I feel like this is
> another documentation bug - the user should be told either that 'strict' is
> initially required in make.conf, or that /etc/selinux/config must be edited
> before the selinux-base-policy install.
>
> Anyway, thanks again. I'm sure I'll be back...
>
> Erik
>
>
> On Sun, Feb 23, 2014 at 8:00 PM, Dustin C. Hatch <admiralnemo@gmail.com> wrote:
>
>> On 02/23/2014 06:18 PM, Erik Mackdanz wrote:
>> > I'm attempting to convert my laptop to SELinux using the conversion
>> > guide, and I've run into a few snags with documentation. I've consulted
>> > the troubleshooting page, archives and forums, and now am reaching out
>> > directly.
>> >
>> > 1) When I get to the world update ('emerge -uDN world'), every package
>> > fails at install with 'Failed to set SELinux security labels.' Don't I
>> > also need 'FEATURES="-selinux"' for that step (like the preceding step)?
>> >
>> I am fairly sure FEATURES=selinux is pretty important at this step; this
>> is where you are re-installing all packages with SELinux support, and
>> the security labels are supposed to be set.
>>
>> I had the same problem, though, on a recent conversion. In my case, the
>> problem was emerge was using python3, but the selinux module only exists
>> for python2. Try setting python2.7 as your default interpreter, or
>> re-emerge portage with USE=python2. The latter is what I did and now
>> everything works fine.
>>
>> --
>> ♫Dustin
>> http://dustin.hatch.name/
>>
>>
>
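
The mismatch worked out in this thread (POLICY_TYPES in make.conf not covering the policy type named in /etc/selinux/config) can be checked before the world update. The script below is an added example, not part of the original posts or of Gentoo's tooling; it assumes POLICY_TYPES is set explicitly in make.conf and that the policy type is given by the SELINUXTYPE key, and it takes the file paths as arguments.

```shell
#!/bin/sh
# Added example: pre-flight check that the policy type selected in the
# SELinux config is one that portage was told to build and has installed.
# Assumption: POLICY_TYPES is set explicitly in make.conf (a profile
# default is not consulted here).

# Print the last uncommented KEY=value in FILE, with quotes stripped.
# $1 = key, $2 = file
conf_value() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#]*\).*/\1/p" "$2" | tail -n 1
}

# $1 = make.conf, $2 = SELinux config, $3 = policy root (e.g. /etc/selinux)
# Returns: 0 consistent
#          1 active type is not listed in POLICY_TYPES
#          2 type is listed but its policy directory is not installed
#          3 no SELINUXTYPE line found
check_policy_types() {
    built=$(conf_value POLICY_TYPES "$1")
    active=$(conf_value SELINUXTYPE "$2" | tr -d '[:space:]')
    if [ -z "$active" ]; then
        echo "no SELINUXTYPE setting found in $2" >&2
        return 3
    fi
    for t in $built; do
        if [ "$t" = "$active" ]; then
            if [ -d "$3/$active" ]; then
                return 0
            fi
            echo "$3/$active missing: rebuild selinux-base and selinux-base-policy" >&2
            return 2
        fi
    done
    echo "SELINUXTYPE=$active but POLICY_TYPES=\"$built\": labels cannot be set" >&2
    return 1
}

# Stand-alone use:
#   sh check.sh /etc/portage/make.conf /etc/selinux/config /etc/selinux
if [ "$#" -eq 3 ]; then
    check_policy_types "$@"
fi
```
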