89 lines
4.7 KiB
Markdown
89 lines
4.7 KiB
Markdown
---
|
||
layout: post
|
||
title: "Gentoo hardened desktop with GNOME 3 – Round one"
|
||
date: 2011-05-12 20:32:41
|
||
tags: [gentoo, gnome3, selinux]
|
||
permalink: /blog/2011/5/12/gentoo-hardened-desktop-with-gnome-3-round-one
|
||
published: true
|
||
author:
|
||
name: Gergely Polonkai
|
||
email: gergely@polonkai.eu
|
||
---
|
||
|
||
After having some hard times with Ubuntu (upgrading from 10.10 to 11.04), I
|
||
decided to switch back to my old friend, Gentoo. As I’m currently learning
|
||
about Linux hardening, I decided to use the new SELinux profile, which
|
||
supports the v2 reference policy.
|
||
|
||
Installation was pretty easy, using the [Gentoo x86
|
||
Handbook](http://www.gentoo.org/doc/hu/handbook/handbook-x86.xml). This profile
|
||
automatically turns on the `USE=selinux` flag (so does the old SELinux
|
||
profile), but deprecated `FEATURE=loadpolicy` (which is turned on by the
|
||
profile, so portage will complain about it until you disable it in
|
||
`/etc/make.conf`).
|
||
|
||
For the kernel, I chose `hardened-sources-2.6.37-r7`. This seems to be recent
|
||
enough for my security testing needs. I turned on both SELinux, PaX and
|
||
grsecurity. So far, I have no problem with it, but I don’t have X installed
|
||
yet, which will screw up things for sure.
|
||
|
||
After having those hard times with Ubuntu mentioned before, I decided not to
|
||
install Grub2 yet, as it renders things unusable (eg. my Windows 7
|
||
installation, which I sometimes need at the office). So I installed Grub 0.97
|
||
(this is the only version marked as stable, as I remember), touched
|
||
`/.autorelabel`, and reboot.
|
||
|
||
My first mistake was using an UUID as the root device on the kernel parameter
|
||
list (I don’t want to list all the small mistakes like forgetting to include to
|
||
correct SATA driver from my kernel and such). Maybe I was lame, but after
|
||
including `/dev/sda5` instead of the UUID thing, it worked like…
|
||
|
||
Well, charm would not be the good word. For example, I forgot to install the
|
||
lvm2 package, so nothing was mounted except my root partition. After I
|
||
installed it with the install CD, I assumed everything will be all right, but
|
||
I was wrong.
|
||
|
||
udev and LVM is a critical point in a hardened environment. udev itself
|
||
doesn’t want to work without the `CONFIG_DEVFS_TEMPFS=y` kernel option, so I
|
||
also had to change that. It seemed that it can be done without the install CD,
|
||
as it compiled the kernel with no problems. However, when it reached the point
|
||
when it compresses the kernel with gzip, it stopped with a `Permission denied`
|
||
message (although it was running with root privileges).
|
||
|
||
The most beautiful thing in the hardened environment with Mandatory Access
|
||
Control enabled) is that root is not a real power user any more by default.
|
||
You can get this kind of messages many times. There are many tools to debug
|
||
these, I will talk about these later.
|
||
|
||
So, my gzip needed a fix. After digging a bit on the Internet, I found that
|
||
the guilty thing is text relocation, which can be corrected if gzip is
|
||
compiled with PIC enabled. Thus, I turned on `USE=pic` flag globally, and
|
||
tried to remerge gzip. Of course it failed, as it had to use gzip to unpack
|
||
the gzip sources. So it did when I tried to install the PaX tools and gradm to
|
||
turn these checks off. The install CD came to the rescue again, with which I
|
||
successfully recompiled gzip, and with this new gzip, I compressed my new
|
||
kernel, with which udev started successfully. So far, so good, let’s try to
|
||
reboot!
|
||
|
||
Damn, LVM is still not working. So I decided to finally consult the Gentoo
|
||
hardened guide. It says that the LVM startup scripts under `/lib/rcscripts/…`
|
||
must be modified, so LVM will put its lock files under `/etc/lvm/lock` instead
|
||
of `/dev/.lvm`. After this step and a reboot, LVM worked fine (finally).
|
||
|
||
The next thing was the file system labelling. SELinux should automatically
|
||
relabel the entire file system at boot time whenever it finds the
|
||
`/.autorelabel` file. Well, in my case it didn’t happen. After checking the
|
||
[Gentoo Hardening](http://wiki.gentoo.org/wiki/Hardened_Gentoo) docs, I realised that the `rlpkg` program does exactly the same
|
||
(as far as I know, it is designed specifically for Gentoo). So I ran `rlpkg`,
|
||
and was kind of shocked. It says it will relabel ext2, ext3, xfs and JFS
|
||
partitions. Oh great, no ext4 support? Well, consulting the forums and adding
|
||
some extra lines to `/etc/portage/package.keywords` solved the problem (`rlpkg`
|
||
and some dependencies had to have the `~x86` keyword set). Thus, `rlpkg`
|
||
relabelled my file systems (I checked some directories with `ls -lZ`, it seemed
|
||
good for me).
|
||
|
||
Now it seems that everything is working fine, except the tons of audit
|
||
messages. Tomorrow I will check them with `audit2why` or `audit2allow` to see if
|
||
it is related with my SELinux lameness, or with a bug in the policy included
|
||
with Gentoo.
|