Okay, an update:

I'm writing this from my (sorta) SELinux-enabled machine now. :)

There were a few little bumps in the process (you may have seen something in #gentoo-hardened), but for the most part the Install/Migrate guide was good.

The two things that I will note I had to do are:

* Rebuild util-linux *
mount, provided by util-linux, does not have the functionality required by SELinux when coming from a non-hardened stage. In order to get this installed (without bricking anything) I had to:

emerge -1 libselinux (this will also pull in libsepol)
emerge -1O util-linux (-O required to prevent pols being pulled in)

This should happen just prior to the first reboot (and any initrds should be rebuilt to include the new mount binary, I guess).

* Select policy type *
This is more of a note on the documentation (I know it's out of date, or at least so the wiki says, but for reference nonetheless). I'm taking the easy road in and have selected the 'targeted' policy type for now. Because of this, running ``emerge -uDN @world`` prior to setting the policy type in /etc/selinux/config causes emerge to attempt to set the wrong policy, and fail the ebuild. This is in reference to code listings 2.3 and 2.6 of the SELinux handbook.

Other than that, everything has gone smoothly except for one thing: during boot, I'm getting:
systemd-remount-fs[733]: mount: /run not mounted or bad option

That being said, once booted, /run *is* mounted with:
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)

The relevant line in fstab is:
tmpfs /run tmpfs mode=0755,nosuid,nodev,context=system_u:object_r:var_run_t 0 0

I'm not sure why this is (current thinking is perhaps a symptom of the docs being outdated) and the system seems stable for the moment.

There are other errors in the logs (avc denials on udevd, for example) but I'm not too worried for the moment - I'm remaining in permissive mode specifically for that reason :)

Thanks to swift for the info on merging the profiles, and any advice or suggestions on the above would be appreciated! :D

Cheers,
wraeth
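Added here as an example (not part of the post above, and not Gentoo's own tooling): a small POSIX sh script with the post-migration checks a defender would want for the two bumps described, namely whether the SELINUXTYPE in /etc/selinux/config actually has a policy directory installed, and whether the context= option that fstab requests for /run was applied (the seclabel flag in the mount listing). Every path is a parameter so the functions can be run against constructed sample files; the mount listing is assumed to be in /proc/mounts format rather than the "tmpfs on /run type tmpfs (...)" form printed by the mount command.

```sh
#!/bin/sh
# Post-migration SELinux sanity checks (added example, not from the post).
# All inputs are file paths so the checks can be exercised on sample files.

# Print the SELINUXTYPE value from an selinux config file; fail if unset.
selinux_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1 | grep .
}

# Succeed only if the configured type has a policy directory under $2
# (normally /etc/selinux). A mismatch here is what makes the @world update
# try to install the wrong policy, as described in the post.
policy_dir_present() {
    ptype=$(selinux_type "$1") || return 1
    [ -d "$2/$ptype" ]
}

# Print the context= value that fstab ($1) requests for mountpoint $2.
# Comment lines are skipped; fails if no such option is present.
fstab_context() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^context=/) { sub(/^context=/, "", o[i]); print o[i]; exit }
    }' "$1" | grep .
}

# Succeed if the /proc/mounts-style listing ($1) shows $2 mounted with the
# seclabel flag, i.e. the (rebuilt) mount binary applied an SELinux label.
mounted_with_seclabel() {
    awk -v mp="$2" '$2 == mp && ("," $4 ",") ~ /,seclabel,/ { found = 1 }
                    END { exit (found ? 0 : 1) }' "$1"
}

# Run every check against the live system; report each failure, return 1 on any.
check_all() {
    rc=0
    policy_dir_present /etc/selinux/config /etc/selinux \
        || { echo "SELINUXTYPE in /etc/selinux/config has no policy directory"; rc=1; }
    ctx=$(fstab_context /etc/fstab /run) \
        || { echo "/etc/fstab sets no context= option for /run"; rc=1; }
    mounted_with_seclabel /proc/mounts /run \
        || { echo "/run is mounted without seclabel (context '$ctx' not applied)"; rc=1; }
    return $rc
}
```

On the live machine, source the file and call check_all; it deliberately does not run on its own so the functions can also be used individually.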