89 lines
		
	
	
		
			4.7 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			89 lines
		
	
	
		
			4.7 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| ---
 | ||
| layout:    post
 | ||
| title:     "Gentoo hardened desktop with GNOME 3 – Round one"
 | ||
| date:      2011-05-12 20:32:41+00:00
 | ||
| tags:      [gentoo, gnome3, selinux]
 | ||
| permalink: /blog/2011/5/12/gentoo-hardened-desktop-with-gnome-3-round-one
 | ||
| published: true
 | ||
| author:
 | ||
|     name: Gergely Polonkai
 | ||
|     email: gergely@polonkai.eu
 | ||
| ---
 | ||
| 
 | ||
| After having some hard times with Ubuntu (upgrading from 10.10 to 11.04), I
 | ||
| decided to switch back to my old friend, Gentoo. As I’m currently learning
 | ||
| about Linux hardening, I decided to use the new SELinux profile, which
 | ||
| supports the v2 reference policy.
 | ||
| 
 | ||
| Installation was pretty easy, using the [Gentoo x86
 | ||
| Handbook](http://www.gentoo.org/doc/hu/handbook/handbook-x86.xml). This profile
 | ||
| automatically turns on the `USE=selinux` flag (so does the old SELinux
 | ||
| profile), but deprecated `FEATURE=loadpolicy` (which is turned on by the
 | ||
| profile, so portage will complain about it until you disable it in
 | ||
| `/etc/make.conf`).
 | ||
| 
 | ||
| For the kernel, I chose `hardened-sources-2.6.37-r7`. This seems to be recent
 | ||
| enough for my security testing needs. I turned on both SELinux, PaX and
 | ||
| grsecurity. So far, I have no problem with it, but I don’t have X installed
 | ||
| yet, which will screw up things for sure.
 | ||
| 
 | ||
| After having those hard times with Ubuntu mentioned before, I decided not to
 | ||
| install Grub2 yet, as it renders things unusable (eg. my Windows 7
 | ||
| installation, which I sometimes need at the office). So I installed Grub 0.97
 | ||
| (this is the only version marked as stable, as I remember), touched
 | ||
| `/.autorelabel`, and reboot.
 | ||
| 
 | ||
| My first mistake was using an UUID as the root device on the kernel parameter
 | ||
| list (I don’t want to list all the small mistakes like forgetting to include to
 | ||
| correct SATA driver from my kernel and such). Maybe I was lame, but after
 | ||
| including `/dev/sda5` instead of the UUID thing, it worked like…
 | ||
| 
 | ||
| Well, charm would not be the good word. For example, I forgot to install the
 | ||
| lvm2 package, so nothing was mounted except my root partition. After I
 | ||
| installed it with the install CD, I assumed everything will be all right, but
 | ||
| I was wrong.
 | ||
| 
 | ||
| udev and LVM is a critical point in a hardened environment. udev itself
 | ||
| doesn’t want to work without the `CONFIG_DEVFS_TEMPFS=y` kernel option, so I
 | ||
| also had to change that. It seemed that it can be done without the install CD,
 | ||
| as it compiled the kernel with no problems. However, when it reached the point
 | ||
| when it compresses the kernel with gzip, it stopped with a `Permission denied`
 | ||
| message (although it was running with root privileges).
 | ||
| 
 | ||
| The most beautiful thing in the hardened environment with Mandatory Access
 | ||
| Control enabled) is that root is not a real power user any more by default.
 | ||
| You can get this kind of messages many times. There are many tools to debug
 | ||
| these, I will talk about these later.
 | ||
| 
 | ||
| So, my gzip needed a fix. After digging a bit on the Internet, I found that
 | ||
| the guilty thing is text relocation, which can be corrected if gzip is
 | ||
| compiled with PIC enabled. Thus, I turned on `USE=pic` flag globally, and
 | ||
| tried to remerge gzip. Of course it failed, as it had to use gzip to unpack
 | ||
| the gzip sources. So it did when I tried to install the PaX tools and gradm to
 | ||
| turn these checks off. The install CD came to the rescue again, with which I
 | ||
| successfully recompiled gzip, and with this new gzip, I compressed my new
 | ||
| kernel, with which udev started successfully. So far, so good, let’s try to
 | ||
| reboot!
 | ||
| 
 | ||
| Damn, LVM is still not working. So I decided to finally consult the Gentoo
 | ||
| hardened guide. It says that the LVM startup scripts under `/lib/rcscripts/…`
 | ||
| must be modified, so LVM will put its lock files under `/etc/lvm/lock` instead
 | ||
| of `/dev/.lvm`. After this step and a reboot, LVM worked fine (finally).
 | ||
| 
 | ||
| The next thing was the file system labelling. SELinux should automatically
 | ||
| relabel the entire file system at boot time whenever it finds the
 | ||
| `/.autorelabel` file. Well, in my case it didn’t happen. After checking the
 | ||
| [Gentoo Hardening](http://wiki.gentoo.org/wiki/Hardened_Gentoo) docs, I realised that the `rlpkg` program does exactly the same
 | ||
| (as far as I know, it is designed specifically for Gentoo). So I ran `rlpkg`,
 | ||
| and was kind of shocked. It says it will relabel ext2, ext3, xfs and JFS
 | ||
| partitions. Oh great, no ext4 support? Well, consulting the forums and adding
 | ||
| some extra lines to `/etc/portage/package.keywords` solved the problem (`rlpkg`
 | ||
| and some dependencies had to have the `~x86` keyword set). Thus, `rlpkg`
 | ||
| relabelled my file systems (I checked some directories with `ls -lZ`, it seemed
 | ||
| good for me).
 | ||
| 
 | ||
| Now it seems that everything is working fine, except the tons of audit
 | ||
| messages. Tomorrow I will check them with `audit2why` or `audit2allow` to see if
 | ||
| it is related with my SELinux lameness, or with a bug in the policy included
 | ||
| with Gentoo.
 |