Gentoo SELinux安装(x86)

AlexChao

基本同gentoo的普通安装方法，
需要注意的几点：

1.下载selinux stage
比如stage1-x86-selinux-2004.2.tar.bz2安装基本系统
chroot时要
# mount -t proc none /mnt/gentoo/proc
# mount -t selinuxfs none /mnt/gentoo/selinux
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
# emerge sync.........

2.安装配置内核时(对了，selinux仅支持ext2/3 ,xfs)
selinux-sources (the base 2.4 kernel source with SELinux patch),
hardened-sources (kernel source patched with SELinux and other security features),
hardened-dev-sources (kernel v2.6 source patched with other security features)
推荐用hardened-dev-sources,

# emerge hardened-dev-sources

make menuconfig时注意

1. Under "Code maturity level options"
   
2. [*] Prompt for development and/or incomplete code/drivers
   
3. 
   
4. Under "General setup"
   
5. [*] Auditing support
   
6. 
   
7. Under "File systems"
   
8. <*> Second extended fs support (If using ext2)
   
9. [*]   Ext2 extended attributes
   
10. [ ]     Ext2 POSIX Access Control Lists
    
11. [*]     Ext2 Security Labels
    
12. <*> Ext3 journalling file system support (If using ext3)
    
13. [*]   Ext3 extended attributes
    
14. [ ]     Ext3 POSIX Access Control Lists
    
15. [*]     Ext3 security labels   
    
16. <*> XFS filesystem support (If using XFS)
    
17. [ ]   Realtime support (EXPERIMENTAL)
    
18. [ ]   Quota support
    
19. [ ]   ACL support
    
20. [*]   Security Labels
    
21. 
    
22. [*] /proc file system support
    
23. [ ] /dev file system support (EXPERIMENTAL)
    
24. [*] /dev/pts file system for Unix98 PTYs (This option does not appear in 2.6, it is always on)
    
25. [*]   /dev/pts Extended Attributes
    
26. [*]     /dev/pts Security Labels   
    
27. [*] Virtual memory file system support (former shm fs)
    
28. 
    
29. Under "Security options"
    
30. [*] Enable different security models
    
31. [*] Socket and Networking Security Hooks
    
32. <*> Capabilities Support
    
33. [*] NSA SELinux Support
    
34. [ ]   NSA SELinux boot parameter
    
35. [ ]   NSA SELinux runtime disable
    
36. [*]   NSA SELinux Development Support
    
37. [ ]   NSA SELinux MLS policy (EXPERIMENTAL)
    
38. 
    

复制代码

3.写/etc/fstab
默认的
none        /proc     proc        defaults          0 0
none        /dev/shm  tmpfs       defaults          0 0
none        /dev/pts  devpts      gid=5,mode=620    0 0
none        /selinux  selinuxfs   defaults          0 0
不要去掉了

4.安装完成后，准备重启时要relabel the filesystems：

# cd /etc/security/selinux/src/policy/
Adjust policy version if needed.
# make load
# make chroot_relabel

重启
# exit
# umount /mnt/gentoo/proc /mnt/gentoo/selinux /mnt/gentoo
# reboot

再次relabel:
# cd /etc/security/selinux/src/policy
# make relabel

接下来增加一个普通用户，emerge xorg gnome什么的

Phaedo

什么是SELinux？

xlwcat

安全增强linux