#1
Gizmo (Chief BBS Administrator)
15th December, 2009, 08:17 PM
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178
Getting SELinux working on Gentoo

I'm creating this thread to document some of the issues I've encountered and what I had to do to fix them, so that I'll have this information somewhere should I need it again.

So, first off, the box I'm working with is a dual PIII. I followed the instructions documented in the Gentoo SELinux Handbook. Those instructions basically boil down to getting a minimal gentoo-hardened system running, and then converting to SELinux by switching to the selinux/2007.0/x86/hardened profile and recompiling the system and then the world.

Some things I've run into so far:
Errors with the boot caused by incorrect permissions in /dev. If you choose to use udev (which most systems do), then you have to relabel the static /dev directory to give it the proper permissions before udev is started, or you'll have all kinds of problems getting through the boot when you switch on SELinux. To resolve this, do something like the following:

Code:
# Mount the real root a second time so the static /dev under the udev tmpfs is reachable
mkdir /mnt/realroot
mount ROOT /mnt/realroot
# Relabel the static /dev. The running system has udev's tmpfs mounted on /dev, so a
# plain "restorecon -R /dev" would relabel the tmpfs instead; -r makes setfiles treat
# /mnt/realroot as / when matching paths, so /mnt/realroot/dev/null receives the
# context the policy specifies for /dev/null. "strict" is the policy type named by
# SELINUXTYPE in /etc/selinux/config; change it if yours differs.
setfiles -r /mnt/realroot /etc/selinux/strict/contexts/files/file_contexts /mnt/realroot/dev
umount /mnt/realroot
rmdir /mnt/realroot
Substitute your actual root file system (mine is /dev/sda3) for ROOT above.

/etc/init.d/udev-mount doesn't correctly set contexts on the device nodes it creates when the tmpfs is mounted at /dev for udev. Because of this, you will get errors during startup indicating that /dev/null couldn't be written to (you may also see errors on console and tty). To resolve this, find the line that says:
Code:
[ -c /dev/null ] || mknod -m 666 /dev/null c 1 3
(it's at line 56 on my system, inside the seed_dev function)

add the following directly below it:
Code:
restorecon /dev/null
At the bottom of the seed_dev function (line 74 on my system), right before the 'return 0' statement, add 'restorecon -R /dev' so that it looks like this:

Code:
restorecon -R /dev
return 0

Last edited by Gizmo; 15th December, 2009 at 08:19 PM.
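Because the two udev-mount edits above have to be redone by hand whenever a package update replaces the script, here is a small shell filter, added as an example (not code from Gizmo's post or from the Gentoo init script), that applies both edits inside seed_dev and can be rerun safely. The seed_dev excerpt it runs on is constructed for the example; the real file differs and the line numbers quoted above will not match.

```shell
#!/bin/sh
# Constructed excerpt of a Gentoo /etc/init.d/udev-mount seed_dev function
# (sample input for this example only, not the real file).
SAMPLE_UDEV_MOUNT='seed_dev() {
    # Seed /dev with some things that we know we need
    [ -c /dev/console ] || mknod -m 600 /dev/console c 5 1
    [ -c /dev/tty1 ] || mknod -m 620 /dev/tty1 c 4 1
    [ -c /dev/null ] || mknod -m 666 /dev/null c 1 3
    [ -e /dev/fd ] || ln -snf /proc/self/fd /dev/fd
    return 0
}'

# Filter: reads a udev-mount script on stdin and writes it back with the two
# edits from the post applied inside seed_dev only:
#   1. "restorecon /dev/null" directly below the mknod line that creates /dev/null
#   2. "restorecon -R /dev" directly above the function's "return 0"
# Idempotent: a restorecon line that is already present is not added again.
patch_seed_dev() {
    input=$(cat)
    have_null=0; have_all=0
    printf '%s\n' "$input" | grep -q 'restorecon /dev/null' && have_null=1
    printf '%s\n' "$input" | grep -q 'restorecon -R /dev' && have_all=1
    printf '%s\n' "$input" | awk -v have_null="$have_null" -v have_all="$have_all" '
        # Reuse the indentation of the matched line for the inserted one
        function indent(line) { match(line, /^[ \t]*/); return substr(line, 1, RLENGTH) }
        /^seed_dev\(\)/ { in_seed = 1 }
        in_seed && !(have_all + 0) && /^[ \t]*return 0/ { print indent($0) "restorecon -R /dev" }
        { print }
        in_seed && !(have_null + 0) && /mknod -m 666 \/dev\/null c 1 3/ { print indent($0) "restorecon /dev/null" }
        in_seed && $0 == "}" { in_seed = 0 }
    '
}

# Show the patched result when run directly.
printf '%s\n' "$SAMPLE_UDEV_MOUNT" | patch_seed_dev
```

To patch the live script, pipe /etc/init.d/udev-mount through patch_seed_dev into a temporary file, diff it against the original, then move it into place.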
#2
ccperf721p (Member)
16th December, 2009, 05:44 AM
Join Date: April 2005
Location: AZ
Posts: 2,446

At what point should a person consider moving to a hardened system and/or SELinux?

I run a VPN from the shop back to my home server (linux) mainly for backing up and retrieving data; I am the only user and pretty much just use a set of rules to protect from internet threats.
__________________
Biostar TForce X58 - Core i7 920 - 12GB Corsair Dominator DDR3 - EVGA 560ti - PCP&C 750W - Dual boot, Arch Linux/WinXP
#3
Daniel ~ (Chief BBS Administrator)
16th December, 2009, 06:06 AM
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

Good question, how vulnerable are we?
__________________
"Though all men live in ignorance before mystery,
they need not live in darkness...
Justice is foundation and Mercy ETERNAL
."
DKE

"All that we do is touched by Ocean
Yet we remain on the shore of what we know."
Richard Wilbur

#4
Gizmo (Chief BBS Administrator)
16th December, 2009, 06:20 AM

Quote (originally posted by Daniel ~):
Good question, how vulnerable are we?

Hopefully, less vulnerable than others.

You'll understand if I don't want to get into a discussion of our potential areas of vulnerability in an open forum.
#5
Gizmo (Chief BBS Administrator)
16th December, 2009, 06:30 AM

Quote (originally posted by ccperf721p):
At what point should a person consider moving to a hardened system and/or SELinux?

I run a VPN from the shop back to my home server (linux) mainly for backing up and retrieving data; I am the only user and pretty much just use a set of rules to protect from internet threats.

I'm sure you already know this Cliff, but for the sake of others who might be reading this, I'm going to reiterate a couple of things I've had drilled into me over the years:
  1. NO useful system is incapable of being compromised. The only 'secure' system is locked in a vault with very bad tempered security guards, even worse tempered guard dogs, no power, and no connection to the outside world.
  2. Security is about risk mitigation. How much is your data worth to someone else, and how difficult is it to get? If your data are worth less than the effort it takes to get them, then they are 'reasonably secure'.

I should mention also that you need to evaluate how much your SYSTEM might be worth to a spammer or hacker. Maybe it doesn't carry any data, but provides the entry-point to a network that could potentially be of value.

In your specific instance, with a decent set of firewall rules and the VPN port being the only thing exposed, you can probably get away with running just a bog standard Gentoo system. However, I would run hardened just as a matter of course for two reasons:
  1. The hardened tool-chain includes compiler changes that make various types of compromises including stack smashing attacks more difficult to pull off.
  2. The hardened tree tends to run about 6 months (figure varies by package, but that seems to be about the average) behind the vanilla tree, meaning that stuff tends to be more well tested and stable.

Of course, there may be something in the vanilla tree that isn't in the hardened tree, but that's the great thing about Portage; if you need to you can adjust your use flags for that particular package and get a version that isn't, strictly speaking, in your profile. Or, barring that, you can always do a custom overlay with your own packages, or just go get the source and compile the thing yourself and forget about package management altogether.

Last edited by Gizmo; 16th December, 2009 at 06:32 AM.
#6
Daniel ~ (Chief BBS Administrator)
16th December, 2009, 07:36 PM

Quote (originally posted by Gizmo):
Hopefully, less vulnerable than others.

You'll understand if I don't want to get into a discussion of our potential areas of vulnerability in an open forum.

Sorry Gizmo, I meant how vulnerable we are as desktop users of Linux when we don't use SELinux... how scared would I be if I had any sense? ":O}
Last edited by Daniel ~; 16th December, 2009 at 07:41 PM.
#7
Gizmo (Chief BBS Administrator)
16th December, 2009, 09:03 PM

I think SELinux is generally WAY overkill for desktop Linux users, for two reasons:
  1. Unless you are foolish enough to run as root, the user isn't going to have enough permissions to do anything to the system that can't be fixed, likely by simply deleting a few files. Aside from the fact that desktop Linux is a very small target market, thus making it not worthwhile to exploit, the user privilege issue is part of the reason that malware writers don't target Linux.
  2. Fedora (and, I assume, most other desktop Linuxen that implement SELinux) uses 'targeted' SELinux policy. Targeted policy only affects services that are running. Since a desktop machine typically won't be running services that are available to the network, what protection you DO get is largely superfluous.

That's just my opinion. That and $1 will get you a cup of coffee, so take it for what it's worth.
#8
Daniel ~ (Chief BBS Administrator)
16th December, 2009, 11:37 PM

Like most I'll wait till I have a problem before I inconvenience myself...":O}

Thanks Gizmo
#9
Gizmo (Chief BBS Administrator)
18th December, 2009, 10:05 PM

I'm working with the Gentoo SELinux devs on a new policy for Gentoo. Hopefully when we are done the issues I was starting to document here, and others I've encountered, will be resolved.

If any of you want to play with this and help out, let me know and I'll give you instructions on what needs to be done.
Copyright ©2001 - 2010, AOA Forums