<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE book SYSTEM "/dtd/book.dtd">

<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.11 2011/04/25 20:12:59 zorry Exp $ -->

<book link="selinux-handbook.xml">
<title>Gentoo SELinux Handbook</title>

<author title="Author">
  <mail link="pebenito@gentoo.org">Chris PeBenito</mail>
</author>
<author title="Author">
  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
</author>
<author title="Author">
  Chris Richards
</author>

<abstract>
This is the Gentoo SELinux Handbook.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
<license/>

<version>3.00</version>
<date>2010-12-01</date>

<part>
<title>Introduction to Gentoo/Hardened SELinux</title>
<abstract>
In this part we cover what SELinux is and how it is positioned within the
Gentoo/Hardened project.
</abstract>

<chapter>
<title>Enhancing Linux Security</title>
<abstract>
Security is more than enabling a certain framework or installing a different
Linux kernel. It is a way of working with and administering your Gentoo Linux
system. We cover a few (generic) best practices, and then elaborate on what
Mandatory Access Control is and how SELinux fills in this gap.
</abstract>
  <include href="hb-intro-enhancingsecurity.xml"/>
</chapter>

<chapter>
<title>SELinux Concepts</title>
<abstract>
To be able to properly work with SELinux, it is vital that you understand a few
of its concepts like domains, domain transitions and file contexts. Without 
a basic understanding of these aspects, it will be difficult to understand
how SELinux policies work and how to troubleshoot if things go wrong.
</abstract>
  <include href="hb-intro-concepts.xml"/>
</chapter>

<chapter>
<title>The SELinux (Reference) Policy</title>
<abstract>
To streamline SELinux policy development, a reference policy is being developed
that is used by all SELinux-supporting distributions. In this chapter we explain
what this reference policy is and why it was brought to life, as well as how
this policy functions and how its development is progressing. We also cover the
basics of SELinux policies in general.
</abstract>
  <include href="hb-intro-referencepolicy.xml"/>
</chapter>

<!--
  Removed for the time being, not critical.
  Moved to next major version of handbook.

<chapter>
<title>SELinux Virtual Machine Support</title>
<abstract>
SELinux support is being actively integrated in libvirt and other
virtualization frameworks to elevate the security of virtualized
environments. Within this chapter we give you a first introduction
on how this is done for libvirt managed environments and what you need to take
into account if you wish to use SELinux within your virtualized environment.
</abstract>
  <include href="hb-intro-virtualization.xml"/>
</chapter>
-->
</part>

<part>
<title>Using Gentoo/Hardened SELinux</title>
<abstract>
With the theory behind us, let us start by installing Gentoo/Hardened
with a SELinux kernel as well as the SELinux tools.
</abstract>

<chapter>
<title>Gentoo SELinux Installation / Conversion</title>
<abstract>
To set up SELinux within Gentoo/Hardened, you first need to install Gentoo with
the correct Hardened profile (or convert to the Hardened profile) and then
update your system to become a SELinux-managed system. This chapter will guide
you through this process.
</abstract>
  <include href="hb-using-install.xml"/>
</chapter>

<chapter>
<title>SELinux Commands</title>
<abstract>
Before we start with SELinux, we first take a step back and get to know a few
commands. As we are currently running a SELinux-enabled system (but in
permissive mode) we can now get acquainted with the various SELinux-specific
commands.
</abstract>
  <include href="hb-using-commands.xml"/>
</chapter>

<chapter>
<title>Running in Permissive Mode</title>
<abstract>
Once SELinux is active, we start by running the system in permissive mode.
In this chapter, we show you how to get acquainted with SELinux in more depth
using live command information, but without interfering with the standard access
controls (i.e. in permissive mode).
</abstract>
  <include href="hb-using-permissive.xml"/>
</chapter>

<chapter>
<title>Switching to Enforcing Mode</title>
<abstract>
Once you believe that the system can be run in enforcing mode, we switch the
system to enforcing mode to verify that this is true. Once verified, the next
step is to (re)boot in enforcing mode. Finally, if we are confident that
enforcing mode is working properly and that the system is still doing its job
correctly, we make enforcing mode permanent so that it cannot be disabled
anymore.
</abstract>
  <include href="hb-using-enforcing.xml"/>
</chapter>

<chapter>
<title>Adding SELinux Policy Modules</title>
<abstract>
Not every package for which SELinux policy modules are available has a
corresponding package in Gentoo/Hardened. In this chapter, we help you to add
more modules yourself or create your own modules for those packages that have no
SELinux policies yet.
</abstract>
  <include href="hb-using-policymodules.xml"/>
</chapter>
</part>

<part>
<title>Appendices</title>
<abstract>
Additional resources and referenced materials within this book are mentioned in
this appendix.
</abstract>

<chapter>
<title>Troubleshooting SELinux</title>
<abstract>
Everything made by a human can and will fail. In this chapter we will try to
keep track of all potential issues you might come across and how to resolve
them. 
</abstract>
  <include href="hb-appendix-troubleshoot.xml"/>
</chapter>

<chapter>
<title>SELinux Reference Material</title>
<abstract>
This Gentoo Hardened SELinux handbook gives a first introduction to SELinux and
how it is integrated in Gentoo Hardened. More seasoned administrators will
most definitely want to read up on the more advanced uses (and managerial
challenges) of SELinux, which we recommend. A non-exhaustive list is
compiled in this chapter.
</abstract>
  <include href="hb-appendix-reference.xml" />
</chapter>
</part>

</book>
