# Is now a good time to convert to selinux?

## 0n0w1c

I have been running on gentoo for about two years so I am fairly comfortable with it. I am getting an itchy trigger finger to try selinux.. I am using great restraint from just doing it now and asking questions later...

The line in the hardened docs about the workstation not being supported has stopped me.

Even redhat installs selinux by default these days... so why so much caution with gentoo?

Am I really asking for trouble if I convert?

emerge info:

```
Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r9-tao i686)
=================================================================
System uname: 2.6.11-gentoo-r9-tao i686 AMD Athlon(tm) MP 2400+
Gentoo Base System version 1.6.12
Python:              dev-lang/python-2.3.5 [2.3.5 (#2, Apr 30 2005, 18:06:53)]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    [Not Present]
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.8.5-r3, 1.5, 1.6.3, 1.9.5, 1.7.9-r1, 1.4_p6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-Os -march=athlon-mp -ftracer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -march=athlon-mp -ftracer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/ http://gentoo.seren.com/gentoo ftp://mirrors.tds.net/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X Xaw3d acpi alsa apache2 avi bitmap-fonts bonobo cdr cgi crypt cups curl cyrus dba dga dvd dvdr eds emboss encode esd ethereal fam fastcgi fbcon font-server foomaticdb fortran gcc-libffi gd gd-external gdbm gif gimp gimpprint gnome gnomedb gnustep gphoto2 gpm gs gstreamer gtk gtk2 gtkhtml ialsa imagemagick imap imlib imlib2 ipv6 ipv6arpa java javascript jikes jit jpeg junit lcd lcms ldap lesstif libg++ libgda libwww mad md5sum mikmod mime mmx mmx2 motif mozilla mp3 mpeg mplayer ncurses network nls nocardbus nptl objc odbc ogg oggvorbis opengl openssh oss pam pdflib perl php png posix prelude pwdb python qt quicktime radeon readline real sasl sdk sdl snmp speex spell sse sse2 ssl svga tcltk tcpd tiff transcode truetype truetype-fonts type1-fonts unicode usb videos vim-with-x vorbis wmf xfs xinetd xml2 xmms xprint xv xvid zeo zlib video_cards_radeon userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
```

world (sorted):

```
app-admin/logrotate
app-admin/syslog-ng
app-cdr/cdrecord-prodvd
app-cdr/xcdroast
app-editors/nano
app-office/openoffice
app-portage/gentoolkit
app-portage/ufed
app-text/acroread
app-text/rcs
dev-java/blackdown-jdk
dev-php/mod_php
dev-php/php
dev-util/ccache
dev-util/ddd
dev-util/eclipse-sdk
dev-util/strace
dev-util/subversion
gnome-base/gnome
gnome-extra/gnome-audio
mail-client/mozilla-thunderbird
mail-mta/postfix
media-fonts/aquafont
media-fonts/aquapfont
media-fonts/artwiz-fonts
media-fonts/corefonts
media-fonts/freefonts
media-fonts/gnu-gs-fonts-other
media-fonts/intlfonts
media-fonts/lfpfonts-fix
media-fonts/lfpfonts-var
media-fonts/sharefonts
media-fonts/tengwar-fonts
media-fonts/ttf-bitstream-vera
media-fonts/ttf-gentium
media-fonts/urw-fonts
media-gfx/splashutils
media-libs/win32codecs
media-sound/alsa-utils
media-video/mplayer
net-analyzer/tcpdump
net-analyzer/tcptraceroute
net-analyzer/traceroute
net-dns/bind
net-dns/bind-tools
net-firewall/firestarter
net-firewall/iptables
net-ftp/gftp
net-ftp/vsftpd
net-im/gaim
net-mail/cyrus-imap-admin
net-mail/cyrus-imapd
net-misc/netkit-telnetd
net-misc/ntp
net-misc/rdesktop
net-print/hpoj
net-www/mplayerplug-in
net-www/netscape-flash
sys-apps/acl
sys-apps/hotplug
sys-apps/slocate
sys-boot/grub
sys-fs/lvm2
sys-fs/udev
sys-kernel/gentoo-sources
sys-libs/glibc
sys-process/vixie-cron
www-client/links
www-client/mozilla-firefox
x11-libs/gtk+
x11-misc/numlockx
x11-misc/xpad
x11-misc/xscreensaver
x11-misc/xsetleds
xfce-base/xfce4
xfce-base/xfce4-extras
xfce-base/xfdesktop
xfce-extra/terminal
xfce-extra/xfce4-weather
```

----------

## Master Shake

You know I kinda want to do some selinux stuff too.  But I'm thinking that it's going to be easier to reinstall the entire system from scratch with selinux support.  I know my brother tried to install selinux on a computer that was running slackware.  He did it, but after a while he was just too pissed off at the thing.

----------

## nixnut

Redhat/fedora are not running a full selinux system by default. They are using what they call the targeted policy by default (there is also a strict policy). That means that only the applications for which they have created policies run restricted by selinux; all other applications run unrestricted. The available policies cover mainly the basic system and server applications. Desktop applications mostly run unrestricted.

Gentoo does not have a targeted policy, so everything runs restricted by selinux if you enable enforcing mode. Unfortunately Gentoo does not have many policies for desktop applications at the moment, though people are working on it.

----------

## 0n0w1c

Well, I made the leap!

So after, rather than before, I ask... can I get back? If so... is there a howto?

Just asking... so far so good.

----------

## 0n0w1c

While I am asking and seemingly determined to b0rk my system... how about PAX?

For those that may be wondering... the road via conversion to selinux was not without a few issues, your mileage may vary.

Splashutils cannot be compiled with a hardened gcc (no issue for me, I just unmerged it).

Most every large package needed to be re-emerged because of the selinux, hardened or ldap use flags.

The biggest issue is that ufed keeps adding the "-selinux" flag... is my config missing something?

gdm has an issue with logging in as a normal user, "Unable to set executable context" in permissive mode. I have not looked into this yet, I simply re-emerged it with "-selinux" until I have time to figure it out.

I am holding off on re-emerging openoffice (hardened flag)... won't version 2 be available soon, even with ~x86?

----------

## 0n0w1c

> gdm has an issue with logging in as a normal user, "Unable to set executable context" in permissive mode. I have not looked into this yet, I simply re-emerged it with "-selinux" until I have time to figure it out.

The issue is just what the error states.

The solution:

Edit /etc/security/selinux/src/policy/users, adding the user to the bottom of the file, per the gentoo docs.

I added the user account with "roles { staff_r sysadm_r }" so that it could go superuser. I have not yet tried it with a non-wheel user but I suspect it will work.
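
An added example, not from the thread: a small POSIX shell helper that reads the example-policy `users` file in the format 0n0w1c describes (`user NAME roles { role_r ... };`), reports which roles an account has, and appends an entry only if the account is still missing one. It runs against a constructed copy of the file rather than the live `/etc/security/selinux/src/policy/users`; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread). The example-policy users file holds
# lines such as:
#   user root roles { staff_r sysadm_r };
#   user system_u roles system_r;
# A login account with no entry here has no SELinux user identity, which is
# the condition behind gdm's "Unable to set executable context" above.
# FILE is always a parameter so this can be run against a scratch copy.

# Print the roles declared for USER in FILE, one per line (empty if none).
# Both the braced and the single-role (unbraced) forms are accepted.
selinux_user_roles() {
    file=$1; user=$2
    sed -n "s/^[[:space:]]*user[[:space:]][[:space:]]*$user[[:space:]][[:space:]]*roles[[:space:]]*\([^;]*\);.*/\1/p" "$file" \
        | tr -d '{}' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Exit status 0 if USER already has an entry in FILE, 1 otherwise.
selinux_user_defined() {
    [ -n "$(selinux_user_roles "$1" "$2")" ]
}

# Append "user NAME roles { ROLE... };" unless NAME is already declared,
# so re-running the step after a policy rebuild cannot duplicate the line.
add_selinux_user() {
    file=$1; user=$2; shift 2
    if selinux_user_defined "$file" "$user"; then
        echo "user $user already declared in $file" >&2
        return 0
    fi
    printf 'user %s roles { %s };\n' "$user" "$*" >> "$file"
}

# Constructed sample of a minimal users file; prints the temp file's path.
make_sample_users_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# SELinux example-policy users file (constructed sample)
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r sysadm_r };
EOF
    echo "$f"
}
```

Usage on a scratch copy: `f=$(make_sample_users_file); add_selinux_user "$f" alice staff_r sysadm_r; selinux_user_roles "$f" alice`.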

----------

## kalisphoenix

I dunno.  I just started a clean install with SELinux and, when I emerged hardened-sources, I returned to find that SELinux decided to UNmerge everything on my system (including portage and every other useful prog).  I'm going to give it another try, but I'm not sure I'm digging this...

----------

## Cinquero

It would be quite nice to have some sort of user module for SELinux, i.e. something that allows me to run SELinux unconstrained but force domain transitions for specific processes. It would be really great if such a thing could be integrated with KDE.

Typical use cases:

1.) Set up a rule that automatically forces a domain transition for every process which connects to a network socket.

2.) Limit access permissions for firefox, licq etc. to ~/.mozilla and /usr etc.

Modifying the SELinux rules interactively would be even better: start from a not-allowed-to-do-anything policy and then, when the app tries to do something, pop up a message window and decide to grant or deny that specific permission...

That would also be very useful for "writing" policy files for all sorts of apps and daemons.

----------

## Maedhros

Moved from Installing Gentoo to Networking & Security.

----------

