---
layout: post
title: "Gentoo hardened desktop with GNOME 3 – Round one"
date: 2011-05-12 20:32:41
tags:
permalink: /blog/2011/5/12/gentoo-hardened-desktop-with-gnome-3-round-one
published: true
author:
---
After having some hard times with Ubuntu (upgrading from 10.10 to 11.04), I decided to switch back to my old friend, Gentoo. As I’m currently learning about Linux hardening, I decided to use the new SELinux profile, which supports the v2 reference policy.
Installation was pretty easy, using the Gentoo x86 Handbook. This profile automatically turns on the `USE=selinux` flag (so does the old SELinux profile), but deprecates `FEATURES=loadpolicy` (which is turned on by the profile, so portage will complain about it until you disable it in `/etc/make.conf`).
For the kernel, I chose `hardened-sources-2.6.37-r7`. This seems to be recent enough for my security testing needs. I turned on all of SELinux, PaX and grsecurity. So far, I have no problem with it, but I don’t have X installed yet, which will screw things up for sure.
After the hard times with Ubuntu mentioned before, I decided not to install GRUB 2 yet, as it renders things unusable (e.g. my Windows 7 installation, which I sometimes need at the office). So I installed GRUB 0.97 (the only version marked as stable, as I remember), touched `/.autorelabel`, and rebooted.
My first mistake was using a UUID as the root device on the kernel parameter list (I don’t want to list all the small mistakes, like forgetting to include the correct SATA driver in my kernel and such). Maybe I was lame, but after specifying `/dev/sda5` instead of the UUID thing, it worked like…
Well, a charm would not be the right word. For example, I forgot to install the lvm2 package, so nothing was mounted except my root partition. After I installed it from the install CD, I assumed everything would be all right, but I was wrong.
udev and LVM are a critical point in a hardened environment. udev itself doesn’t want to work without the `CONFIG_DEVTMPFS=y` kernel option, so I also had to change that. It seemed that this could be done without the install CD, as the kernel compiled with no problems. However, when it reached the point where it compresses the kernel with gzip, it stopped with a Permission denied message (although it was running with root privileges).
The most beautiful thing in a hardened environment (with Mandatory Access Control enabled) is that root is no longer a real power user by default. You can get this kind of message many times. There are many tools to debug these; I will talk about them later.
So, my gzip needed a fix. After digging a bit on the Internet, I found that the guilty thing is text relocation, which can be corrected if gzip is compiled with PIC enabled. Thus, I turned on the `USE=pic` flag globally and tried to remerge gzip. Of course it failed, as it had to use gzip to unpack the gzip sources. The same happened when I tried to install the PaX tools and gradm to turn these checks off. The install CD came to the rescue again: with it I successfully recompiled gzip, with this new gzip I compressed my new kernel, and with that kernel udev started successfully. So far, so good, let’s try to reboot!
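Text relocations are recorded in the ELF dynamic section (a `DT_TEXTREL` entry, or the `DF_TEXTREL` bit in `DT_FLAGS`), which is what Gentoo's `scanelf -qT` from pax-utils reports. As an added illustration (not code from the original post), the script below does the same check with a minimal ELF64 parser, so you can find binaries that will need a PIC rebuild before PaX refuses to run them. The function names (`has_textrel`, `build_elf`, `scan_paths`) are my own, and the three sample images are constructed in-line rather than read from a real system.

```python
"""Find ELF64 objects that carry text relocations (DT_TEXTREL / DF_TEXTREL)."""
import struct
import sys

# Standard ELF constants (values from the ELF specification)
SHT_DYNAMIC = 6
DT_NULL, DT_STRTAB, DT_TEXTREL, DT_FLAGS = 0, 5, 22, 30
DF_TEXTREL = 0x4   # flag bit inside a DT_FLAGS entry
DF_BIND_NOW = 0x8

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr
DYN = "<qQ"                  # Elf64_Dyn


def has_textrel(data: bytes) -> bool:
    """Return True if the ELF64 image in `data` declares text relocations.

    Walks the section headers, finds the SHT_DYNAMIC section and looks for a
    DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS. Either one means the
    dynamic loader must write into a code segment at load time, which PaX
    MPROTECT refuses; the fix is rebuilding the object as PIC.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    for i in range(e_shnum):
        sh = struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_DYNAMIC:
            continue
        for off in range(sh_offset, sh_offset + sh_size, struct.calcsize(DYN)):
            tag, val = struct.unpack_from(DYN, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False


def build_elf(dyn_entries):
    """Build a minimal ELF64 image containing only a .dynamic section.

    This is a constructed sample input, not a real binary: header, the given
    dynamic entries plus DT_NULL, then two section headers (the mandatory null
    header and the SHT_DYNAMIC one).
    """
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in dyn_entries)
    dyn += struct.pack(DYN, DT_NULL, 0)
    ehsize, shentsize = struct.calcsize(EHDR), struct.calcsize(SHDR)
    shoff = ehsize + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1, SysV ABI
    header = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, shoff, 0,
                         ehsize, 56, 0, shentsize, 2, 0)   # ET_DYN, x86-64
    null_sh = bytes(shentsize)
    dyn_sh = struct.pack(SHDR, 0, SHT_DYNAMIC, 0, 0, ehsize, len(dyn),
                         0, 0, 8, struct.calcsize(DYN))
    return header + dyn + null_sh + dyn_sh


# Constructed samples: a clean object, one with DT_TEXTREL, one with the flag bit.
CLEAN_ELF = build_elf([(DT_STRTAB, 0x200)])
TEXTREL_ELF = build_elf([(DT_STRTAB, 0x200), (DT_TEXTREL, 0)])
FLAGS_ELF = build_elf([(DT_STRTAB, 0x200), (DT_FLAGS, DF_BIND_NOW | DF_TEXTREL)])


def scan_paths(paths):
    """Return the subset of `paths` whose ELF image has text relocations."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            if has_textrel(data):
                hits.append(path)
        except ValueError:
            pass  # not an ELF64 object (script, 32-bit, big-endian): skip it
    return hits


if __name__ == "__main__":
    # Usage: python3 textrel_check.py /bin/gzip /usr/lib/*.so
    for hit in scan_paths(sys.argv[1:]):
        print(f"TEXTREL: {hit}")
```

Run it over the binaries you suspect (or a whole `/usr/lib`) before enabling PaX enforcement; anything it lists is a candidate for the `USE=pic` rebuild the post describes, and is exactly what would have saved the trip to the install CD.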
Damn, LVM is still not working. So I decided to finally consult the Gentoo hardened guide. It says that the LVM startup scripts under /lib/rcscripts/… must be modified, so LVM will put its lock files under `/etc/lvm/lock` instead of `/dev/.lvm`. After this step and a reboot, LVM worked fine (finally).
The next thing was file system labelling. SELinux should automatically relabel the entire file system at boot time whenever it finds the `/.autorelabel` file. Well, in my case it didn’t happen. After checking the Gentoo hardening docs, I realised that the `rlpkg` program does exactly the same (as far as I know, it is designed specifically for Gentoo). So I ran `rlpkg`, and was kind of shocked. It says it will relabel ext2, ext3, xfs and JFS partitions. Oh great, no ext4 support? Well, consulting the forums and adding some extra lines to `/etc/portage/package.keywords` solved the problem (`rlpkg` and some dependencies had to have the `~x86` keyword set). Thus, `rlpkg` relabelled my file systems (I checked some directories with `ls -lZ`, and it looked good to me).
Now it seems that everything is working fine, except for the tons of audit messages. Tomorrow I will check them with `audit2why` or `audit2allow` to see if they are related to my SELinux lameness or to a bug in the policy included with Gentoo.
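Before feeding a day's worth of denials to `audit2why`, it helps to see which source type, target type, object class and permission they collapse to, since a thousand lines are usually a handful of distinct denials. The script below is an added example (not code from the original post, and not what `audit2allow`/`audit2why` themselves do internally): it parses AVC records from an audit.log excerpt and aggregates them. The log lines are constructed samples that follow the kernel's AVC record layout, and the function names (`parse_avc`, `summarize`, `report`, `textrel_suspects`) are my own. The `execmod` denial on a file type is the one SELinux raises for a text relocation, so the last helper ties these messages back to the gzip problem earlier in the post.

```python
"""Summarise AVC denials from audit.log the way a policy writer needs them:
(source type, target type, object class, permission) with counts."""
import re
from collections import Counter

# Constructed sample audit.log excerpt (not from the original post). The field
# layout follows the kernel's AVC record format; pids, inodes and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1305230000.101:40): avc:  denied  { read } for  pid=2201 comm="gzip" name="vmlinux" dev=sda5 ino=98765 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1305230000.102:41): avc:  denied  { execmod } for  pid=2201 comm="gzip" path="/bin/gzip" dev=sda5 ino=12345 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1305230000.103:42): avc:  denied  { execmod } for  pid=2202 comm="gzip" path="/bin/gzip" dev=sda5 ino=12345 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1305230000.104:43): avc:  denied  { write add_name } for  pid=2310 comm="lvm" name="lock" dev=sda5 ino=555 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=dir
type=SYSCALL msg=audit(1305230000.104:43): arch=40000003 syscall=5 success=no exit=-13 comm="lvm"
type=AVC msg=audit(1305230000.105:44): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
"""

# One AVC record: verdict, permission set in braces, then the three context fields.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="(?P<comm>[^"]*)"')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(text):
    """Turn AVC lines into one record per (line, permission); other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        for perm in m.group("perms").split():
            records.append({
                "verdict": m.group("verdict"),
                "perm": perm,
                "stype": context_type(m.group("scontext")),
                "ttype": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
                "comm": comm.group("comm") if comm else "",
            })
    return records


def summarize(records):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["verdict"] != "denied":
            continue   # 'granted' audit records are not policy gaps
        counts[(r["stype"], r["ttype"], r["tclass"], r["perm"])] += 1
    return counts


def report(counts):
    """Render the summary, most frequent denial first, with a stable tie-break."""
    lines = []
    for (stype, ttype, tclass, perm), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"{n:4d}  {stype} -> {ttype} ({tclass}: {perm})")
    return "\n".join(lines)


def textrel_suspects(records):
    """Programs denied execmod on a file: the SELinux symptom of a text relocation."""
    return {r["comm"] for r in records
            if r["verdict"] == "denied" and r["tclass"] == "file" and r["perm"] == "execmod"}


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    print(report(summarize(recs)))
    print("execmod (text relocation?) suspects:", sorted(textrel_suspects(recs)))
```

The grouping is deliberately the same tuple an `allow` rule is written in, so each output line maps to one candidate rule to look up in the policy; whether that rule belongs in the policy or whether the file was mislabelled (which a relabel, not a new rule, fixes) is the question `audit2why` is there to answer.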