The basis is the Gentoo Handbook:

just follow it.

After the final reboot it's good to do an

emerge -e world

so every package gets rebuilt against the new hardened profile and toolchain (this rebuilds the whole system, so expect it to take a while).

additional stuff


  • it is nice to have some handy aliases which make common tasks easy:
alias makereload='make -C /etc/security/selinux/src/policy reload' #to reload the policy and file context settings
alias relabel='/usr/bin/make -C /etc/security/selinux relabel' #to relabel all file systems
alias relabelit='/usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts `pwd`' #to relabel the cwd and all its subdirs
alias setfilesit='/usr/sbin/setfiles /etc/selinux/file_contexts/file_contexts' #to relabel the paths given as arguments with the installed file_contexts
alias dm='/bin/dmesg | /usr/bin/audit2allow' #to turn the AVC denials in the kernel log into allow statements
alias dm_clear='/bin/dmesg -c | /usr/bin/audit2allow' #ditto, but clear the kernel message buffer afterwards
Review what audit2allow produces before adding it to the policy: it turns every denial into an allow rule, it does not judge whether the access should be permitted.


  • if you don't switch to enforcing mode at boot time (e.g. via the kernel command line), it is good to have an init script which does that for you:

#!/sbin/runscript
# /etc/init.d/enforce
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
        # enforce only once sshd is up, so a broken policy doesn't lock you out of remote access
        after sshd
}

start() {
        ebegin "enforcing selinux"
        echo "1" > /selinux/enforce
        eend $?
}

stop() {
        # deliberately does nothing: leaving enforcing mode is only possible as sysadm_r
        ebegin "sorry, leaving enforcing mode is only possible as sysadm_r"
        eend $?
}

restart() {
        ebegin "sorry, leaving enforcing mode is only possible as sysadm_r"
        eend $?
}

add it with:

rc-update add enforce default
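The dm and dm_clear aliases above pipe the kernel log straight into audit2allow. As an added example that is not part of the original page, here is a small POSIX shell function that first summarises the unique denials, so you can see which domain wants which access on which type before generating allow rules. The function name is this example's own, and the AVC lines it runs on are constructed for the example (they follow the format the kernel used at the time: "avc: denied { perms } for ... scontext=... tcontext=... tclass=...").

```shell
#!/bin/sh
# Added example, not from the original page: summarise AVC denials from a
# dmesg-style buffer before handing them to audit2allow.
#
# avc_summary [FILE...]  -- reads files or stdin, prints one line per unique
#   "scontext tcontext tclass permission" tuple found in "avc: denied" records.
avc_summary() {
    awk '
    /avc: *denied/ {
        perms = ""; sc = ""; tc = ""; cl = ""
        # the denied permissions are listed between the braces
        b = index($0, "{"); e = index($0, "}")
        if (b > 0 && e > b) perms = substr($0, b + 1, e - b - 1)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sc = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc = substr($i, 10)
            else if ($i ~ /^tclass=/)   cl = substr($i, 8)
        }
        # one output line per permission, so "{ read write }" becomes two tuples
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print sc, tc, cl, p[j]
    }' "$@" | sort -u
}

# Constructed sample (not real log data): the same sshd denial on shadow_t
# twice, one user_t denial with two permissions, and an unrelated kernel line.
AVC_SAMPLE='audit(1168371234.123:45): avc:  denied  { read } for  pid=1234 comm="sshd" name="shadow" dev=hda3 ino=12345 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1168371234.456:46): avc:  denied  { read write } for  pid=1235 comm="myapp" name="myapp.conf" dev=hda3 ino=99 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
audit(1168371235.000:47): avc:  denied  { read } for  pid=1234 comm="sshd" name="shadow" dev=hda3 ino=12345 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file
eth0: link up'

# count_denials -> number of unique tuples in the constructed sample
count_denials() {
    printf '%s\n' "$AVC_SAMPLE" | avc_summary | wc -l | tr -d ' '
}

# Real use: dmesg | avc_summary   (or: avc_summary /var/log/messages)
if [ $# -ge 1 ]; then
    avc_summary "$@"
fi
```

Duplicate denials collapse into one line, so the output is a short list you can read in full; the sshd_t read on shadow_t in the sample is exactly the kind of denial you would not want to turn into an allow rule just because audit2allow can.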

other tools

  • /usr/local/sbin/s0 (switch to permissive mode)
#!/bin/sh
echo -n "it was : "
cat /selinux/enforce
setenforce 0
echo -n "and now: "
cat /selinux/enforce
  • /usr/local/sbin/s1 (switch back to enforcing mode)
#!/bin/sh
echo -n "it was : "
cat /selinux/enforce
# only sysadm_r may change the enforcement mode; check the role in our context
if [ `/usr/bin/id | /bin/grep sysadm_r | /usr/bin/wc -l` -gt 0 ] ; then
       # if /etc/shadow has wrong permissions.. we have a big problem:
       /usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts /etc
       # now it should be safe to enforce ...
       /usr/sbin/setenforce 1
else
       echo "YOU ARE NOT SYSADM_R: not changing enforcement mode (do 'newrole -r sysadm_r')"
fi
echo -n "and now: "
cat /selinux/enforce
  • /usr/local/sbin/relabelall (reload the policy and relabel everything, /dev included)
#!/bin/sh
cd /etc/security/selinux/src/policy || exit 1
make reload
make relabel
/usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts /dev



With SELinux enabled every program needs a policy in order to run, and that policy must also be loaded; otherwise portage warns:

 * Policy has not been loaded.  It is strongly suggested
 * that the policy be loaded before continuing!!

 * Automatic policy loading can be enabled by adding
 * "loadpolicy" to the FEATURES in make.conf.

-> edit /etc/make.conf


and add loadpolicy to the FEATURES variable (usually there is no such variable yet, so create it).
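As an added example that is not part of the original page, a small shell helper that adds loadpolicy to FEATURES in a make.conf-style file whether or not the variable exists yet, and leaves the file alone if the keyword is already there. The function names and the FILE argument are this example's own, and it assumes the usual single-line, double-quoted FEATURES="..." assignment.

```shell
#!/bin/sh
# Added example, not from the original page: add a keyword (here "loadpolicy")
# to the FEATURES variable of a make.conf-style file, creating the variable if
# it is missing. Assumes a single-line, double-quoted FEATURES="..." assignment.

# has_feature FILE FEATURE -> exit 0 if FEATURE is listed in FILE's FEATURES line
# (FEATURE must be a whole word, so "loadpolicy" does not match "loadpolicyx")
has_feature() {
    grep -E "^FEATURES=\"([^\"]* )?$2( [^\"]*)?\"" "$1" >/dev/null
}

# ensure_feature FILE FEATURE
#   no FEATURES line              -> append FEATURES="FEATURE"
#   FEATURES line without FEATURE -> append FEATURE inside the quotes
#   already present               -> leave the file untouched
# Prints the resulting FEATURES line.
ensure_feature() {
    file=$1
    feature=$2
    if ! grep -q '^FEATURES=' "$file"; then
        printf 'FEATURES="%s"\n' "$feature" >> "$file"
    elif ! has_feature "$file" "$feature"; then
        tmp=$(mktemp)
        # insert before the closing quote; the second expression tidies FEATURES=""
        sed "s/^FEATURES=\"\(.*\)\"/FEATURES=\"\1 $feature\"/; s/^FEATURES=\" /FEATURES=\"/" \
            "$file" > "$tmp"
        # write back through cat so the file keeps its owner and mode
        cat "$tmp" > "$file" && rm -f "$tmp"
    fi
    grep '^FEATURES=' "$file"
}

# Usage on the real file (as root): ensure_feature /etc/make.conf loadpolicy
if [ $# -ge 1 ]; then
    ensure_feature "$1" "${2:-loadpolicy}"
fi
```

Try it on a copy of make.conf first; the helper prints the resulting FEATURES line so you can see what it did.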