| 1 |
Okay, an update: |
| 2 |
|
| 3 |
I'm writing this from my (sorta) SELinux-enabled machine now. :) |
| 4 |
|
| 5 |
There were a few little bumps in the process (you may have seen |
| 6 |
something in #gentoo-hardened), but for the most part the |
| 7 |
Install/Migrate guide was good. |
| 8 |
|
| 9 |
The two things that I will note I had to do are: |
| 10 |
|
| 11 |
* Rebuild util-linux * |
| 12 |
mount, provided by util-linux, does not have the functionality |
| 13 |
required by SELinux when coming from a non-hardened stage. In order to |
| 14 |
get this installed (without bricking anything) I had to: |
| 15 |
|
| 16 |
emerge -1 libselinux (this will also pull in libsepol) |
| 17 |
emerge -1O util-linux (-O required to prevent pols being pulled in) |
| 18 |
|
| 19 |
This should happen just prior to the first reboot (and any initrd's |
| 20 |
should be rebuilt to include the new mount binary, i guess). |
| 21 |
|
| 22 |
* Select policy type * |
| 23 |
This is more of a note on the documentation (I know it's out of date, |
| 24 |
(or at least so the wiki says) but for reference nonetheless). I'm |
| 25 |
taking the easy road in and have selected the 'targeted' policy type for |
| 26 |
now. Because of this, running ``emerge -uDN @world`` prior to setting |
| 27 |
the policy type in /etc/selinux/config causes emerge to attempt to set |
| 28 |
the wrong policy, and fail the ebuild. This is in reference to code |
| 29 |
listings 2.3 and 2.6 of the SELinux handbook. |
| 30 |
|
| 31 |
|
| 32 |
Other than that, everything has gone smoothly except for one thing: |
| 33 |
during boot, I'm getting: |
| 34 |
systemd-remount-fs[733]: mount: /run not mounted or bad option |
| 35 |
|
| 36 |
That being said, once booted, /run *is* mounted with: |
| 37 |
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755) |
| 38 |
|
| 39 |
The relevant line in fstab is: |
| 40 |
tmpfs /run tmpfs mode=0755,nosuid,nodev,context=system_u:object_r:var_run_t 0 0 |
| 41 |
|
| 42 |
I'm not sure why this is (current thinking is perhaps a symptom of the |
| 43 |
docs being outdated) and the system seems stable for the moment. |
| 44 |
|
| 45 |
There are other errors in the logs (avc denials on udevd, for example) |
| 46 |
but I'm not too worried for the moment - I'm remaining in permissive |
| 47 |
mode specifically for that reason :) |
| 48 |
|
| 49 |
Thanks to swift for the info on merging the profiles, and any advice or |
| 50 |
suggestions on the above would be appreciated! :D |
| 51 |
|
| 52 |
Cheers; |
| 53 |
wraeth |
Archives