After having some hard times with Ubuntu (upgrading from 10.10 to 11.04), I decided to switch back to my old friend, Gentoo. As I’m currently learning about Linux hardening, I decided to use the new SELinux profile, which supports the v2 reference policy.
Installation was pretty easy, using the Gentoo x86 Handbook. This profile automatically turns on the USE=selinux flag (so does the old SELinux profile), but deprecated FEATURE=loadpolicy (which is turned on by the profile, so portage will complain about it until you disable it in /etc/make.conf).
For the kernel, I chose hardened-sources-2.6.37-r7. This seems to be recent enough for my security testing needs. I turned on both SELinux, PaX and grsecurity. So far, I have no problem with it, but I don’t have X installed yet, which will screw up things for sure.
After having those hard times with Ubuntu mentioned before, I decided not to install Grub2 yet, as it renders things unusable (eg. my Windows 7 installation, which I sometimes need at the office). So I installed Grub 0.97 (this is the only version marked as stable, as I remember), touched /.autorelabel, and reboot.
My first mistake was using an UUID as the root device on the kernel parameter list (I don’t want to list all the small mistakes like forgetting to include to correct SATA driver from my kernel and such). Maybe I was lame, but after including /dev/sda5 instead of the UUID thing, it worked like…
Well, charm would not be the good word. For example, I forgot to install the lvm2 package, so nothing was mounted except my root partition. After I installed it with the install CD, I assumed everything will be all right, but I was wrong.
udev and LVM is a critical point in a hardened environment. udev itself doesn’t want to work without the CONFIG_DEVFS_TEMPFS=y kernel option, so I also had to change that. It seemed that it can be done without the install CD, as it compiled the kernel with no problems. However, when it reached the point when it compresses the kernel with gzip, it stopped with a Permission denied message (although it was running with root privileges).
The most beautiful thing in the hardened environment with Mandatory Access Control enabled is that root is not a real power user any more by default. You can get this kind of messages many times. There are many tools to debug these, I will talk about these later.
So, my gzip needed a fix. After digging a bit on the Internet, I found that the guilty thing is text relocation, which can be corrected if gzip is compiled with PIC enabled. Thus, I turned on USE=pic flag globally, and tried to remerge gzip. Of course it failed, as it had to use gzip to unpack the gzip sources. So it did when I tried to install the PaX tools and gradm to turn these checks off. The install CD came to the rescue again, with which I successfully recompiled gzip, and with this new gzip, I compressed my new kernel, with which udev started successfully. So far, so good, let’s try to reboot!
Damn, LVM is still not working. So I decided to finally consult the Gentoo hardened guide. It says that the LVM startup scripts under /lib/rcscripts/… must be modified, so LVM will put its lock files under /etc/lvm/lock instead of /dev/.lvm. After this step and a reboot, LVM worked fine (finally).
The next thing was the file system labelling. SELinux should automatically relabel the entire file system at boot time whenever it finds the /.autorelabel file. Well, in my case it didn’t happen. After checking the Gentoo Hardening docs, I realised that the rlpkg program does exactly the same (as far as I know, it is designed specifically for Gentoo). So I ran rlpkg, and was kind of shocked. It says it will relabel ext2, ext3, xfs and JFS partitions. Oh great, no ext4 support? Well, consulting the forums and adding some extra lines to /etc/portage/package.keywords solved the problem (rlpkg and some dependencies had to have the ~x86 keyword set). Thus, rlpkg relabelled my file systems (I checked some directories with ls -lZ, it seemed good for me).
Now it seems that everything is working fine, except the tons of audit messages. Tomorrow I will check them with audit2why or audit2allow to see if it is related with my SELinux lameness, or with a bug in the policy included with Gentoo.