Gentoo Forums
Use systemd on Gentoo with hardened/selinux profile
armoken (n00b; joined 22 May 2020; posts: 2)
Posted: Fri May 22, 2020 1:00 pm    Post subject: Use systemd on Gentoo with hardened/selinux profile

Is it possible to use systemd on Gentoo with the hardened/selinux profile?
Or do I need to create a custom profile which combines settings from the hardened/selinux and systemd profiles? I can't even unmask sys-apps/systemd or set the systemd USE flag on any package. I would like to know the potential problems which may occur if I create a custom profile. Thanks.
alamahant (Apprentice; joined 23 Mar 2019; posts: 262)
Posted: Fri May 22, 2020 1:31 pm

Yes, it is.
Please use the "selinux-hardened" profile and add in make.conf
Code:

USE=".........systemd -elogind -consolekit warmstarts"

Be warned though that the selinux-policy in Gentoo is not fully mature and you will have to do extensive troubleshooting if you wish to run anything other than a headless server.
That is fine if you are an SELinux researcher but very disturbing if you want a moderately functional SELinux system WITH a GUI that can run in Enforcing mode.
Even after tweaking the sebooleans and having audit2allow generate policy there will still be unexplained errors and malfunctions.
All these would be smoothed over more if the setroubleshoot package were available in Gentoo, but it isn't.
I am sorry to say that, but if you want SELinux then go Fedora...
Or Gentoo will be ok only in permissive mode, especially if you will be running a GUI.
Do you also need a GUI?

:D
armoken (n00b; joined 22 May 2020; posts: 2)
Posted: Fri May 22, 2020 4:30 pm

alamahant wrote:
Yes, it is.
Please use the "selinux-hardened" profile and add in make.conf
Code:

USE=".........systemd -elogind -consolekit warmstarts"

Be warned though that the selinux-policy in Gentoo is not fully mature and you will have to do extensive troubleshooting if you wish to run anything other than a headless server.
That is fine if you are an SELinux researcher but very disturbing if you want a moderately functional SELinux system WITH a GUI that can run in Enforcing mode.
Even after tweaking the sebooleans and having audit2allow generate policy there will still be unexplained errors and malfunctions.
All these would be smoothed over more if the setroubleshoot package were available in Gentoo, but it isn't.
I am sorry to say that, but if you want SELinux then go Fedora...
Or Gentoo will be ok only in permissive mode, especially if you will be running a GUI.
Do you also need a GUI?

:D


Thank you so much. Yes, I need a GUI, but after reading your post I decided to postpone SELinux integration :D.
So, is the current state of the Gentoo SELinux policies due to fundamental issues in Gentoo or due to a lack of maintainers? :?
alamahant (Apprentice; joined 23 Mar 2019; posts: 262)
Posted: Fri May 22, 2020 5:55 pm

I think that it is the nature of Gentoo to empower the user by giving them extreme freedom to configure things the way they like.
This happens also with SELinux.
They give you the options of targeted, strict and more policies, and also the USE flags "open_perms peer_perms ubac" and "unconfined".
So out of this extreme choice there come problems, maybe partly based on MY own stupidity and making. So NO, I don't think it's the maintainers.
However, having said that, the 2 times I tried to install SELinux in Gentoo and run an xfce desktop with it I had issues.
If you feel courageous give it a try, but probably NOT as your main system.
If you decide to go with a hardened-selinux-systemd-GUI setup then please also ADD these USE flags in make.conf.

Code:

USE="systemd -elogind -consolekit warmstarts \
a52 aac acpi alsa bluetooth branding cairo cdda cdr cups dbus dri dts dvd dvdr emboss \
encode exif flac gif gpm gtk icu jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg opengl pango \
pdf png policykit ppds qt5 sdl spell startup-notification svg tiff truetype vorbis udev udisks unicode \
upower usb wxwidgets X xcb x264 xml xv xvid"


You can add your own in the first line or modify some of them accordingly.
But be careful.
For selinux you will need to append
Code:

USE="..............open_perms peer_perms ubac unconfined"

...or some modified combination of these,
and also
Code:


POLICY_TYPES="<strict|targeted>"

Please read the manuals especially this
https://wiki.gentoo.org/wiki/SELinux/Installation

Also you will need to create a file /etc/portage/package.use/desktop
Code:

# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

# Andreas Sturmlechner <asturm@gentoo.org> (2020-02-05)
# Required by many packages, most notably Mozilla products
dev-lang/python sqlite

# Lars Wendler <polynomial-c@gentoo.org> (2019-03-20)
# Enable client by default. Usually desktop users need the client.
net-fs/samba client

# Andreas Sturmlechner <asturm@gentoo.org> (2018-06-09)
# Required by app-office/libreoffice
dev-libs/xmlsec nss

# Andreas Sturmlechner <asturm@gentoo.org> (2018-06-09)
# Enable sensible defaults for desktop users
dev-qt/qtwebkit:5 printsupport

# Andreas Sturmlechner <asturm@gentoo.org> (2017-11-30)
# Not required, but makes life easier with Qt; bug #457934
app-arch/unzip natspec

# Andreas Sturmlechner <asturm@gentoo.org> (2017-11-30)
# Required by dev-qt/qtcore
dev-libs/libpcre pcre16
dev-libs/libpcre2 pcre16

# Andreas Sturmlechner <asturm@gentoo.org> (2017-11-30)
# Required by kde-frameworks/kwayland
dev-qt/qtgui:5 egl libinput

# Required by dev-qt/qtwebengine
media-libs/libvpx svc

# Andreas Sturmlechner <asturm@gentoo.org> (2017-11-30)
# Avoid circular dependency when installing from scratch
dev-util/cmake -qt5

# Andreas Sturmlechner <asturm@gentoo.org> (2017-08-04)
# Required by flac and mp3
kde-apps/k3b taglib
kde-frameworks/kfilemetadata taglib

# Brian Evans <grknight@gentoo.org> (2017-07-18)
# Don't force users to enable gd on PHP due to desktop defaults
dev-lang/php -exif -truetype

# Ilya Tumaykin <itumaykin+gentoo@gmail.com> (2017-02-02)
# Enable luajit for OSC and youtube-dl support by default.
# Override default +sdl from desktop profile and disable sdl outputs.
# These outputs are for systems without a proper audio/video support.
media-video/mpv lua luajit -sdl

# Mike Gilbert <floppym@gentoo.org> (2017-01-04)
# Needed by x11-misc/xdg-utils.
app-text/xmlto text

# Ben de Groot <yngwin@gentoo.org> (2015-02-18)
# Enable sensible defaults for desktop users (bug #540046)
dev-python/PyQt5 gui multimedia network printsupport widgets

# Samuli Suominen <ssuominen@gentoo.org> (2014-07-24)
# Because targets/desktop/make.defaults has USE="bluetooth" but net-libs/libpcap doesn't
# support BlueZ 5.x, disable USE="bluetooth" by default to avoid conflicting packages:
net-libs/libpcap -bluetooth

# Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> (2014-05-08)
# Enable x11-libs/libxcb[xkb] as it is needed by x11-libs/libxkbcommon[X]
# and the X flag is enabled by default in the desktop profile
x11-libs/libxcb xkb

# Samuli Suominen <ssuominen@gentoo.org> (2011-09-27)
# Required by mozilla browsers wrt #372419
media-libs/libpng apng

# Samuli Suominen <ssuominen@gentoo.org> (2010-12-19)
# gudev, required by freedesktop.org udev helpers like udisks and upower
# introspection, exception, enabled from here instead of ebuild to skip extra deps for a system package
dev-libs/libgudev introspection
sys-fs/eudev introspection
virtual/libgudev introspection

# Samuli Suominen <ssuominen@gentoo.org> (2010-12-19)
# Support for desktop file icons
xfce-base/xfdesktop thunar

# Chris Gianelloni <wolf31o2@gentoo.org> (2008-03-26)
# While we may need LDAP client support, who needs the server on a desktop?
# Did I mention that this also fixes the horrible perl dependency hell, too?
net-nds/openldap minimal
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# Alexandre Rostovtsev <tetromino@gentoo.org> (2014-06-03)
# Ensure shared-mime-info is pulled in by glib, otherwise GNOME, XFCE, and
# numerous gtk-based applications will break, see bug #511894
dev-libs/glib mime


But if you feel strong enough to do all this by combining profiles then do so...
Come on, give it a try...
It's fun...
:D :D
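As an added example (not from the thread and not Portage code), a small POSIX shell checker for the make.conf settings discussed above: it sources a make.conf in a subshell, confirms that a systemd USE setting also carries -elogind and -consolekit as the recipe requires, checks that POLICY_TYPES is strict or targeted, and flags the unconfined USE flag, since the unconfined policy module lets whole domains bypass the policy rather than run enforced. The function names and the sample make.conf contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not Portage code): sanity-check a Gentoo
# make.conf for the systemd + SELinux settings the posts above recommend.
# Print variable NAME after sourcing FILE in a subshell. make.conf uses shell
# assignment syntax, so sourcing resolves the backslash continuations for us.
# Sourcing runs the file, so only point this at your own make.conf.
load_var() {   # load_var FILE NAME
    case $1 in */*) f=$1 ;; *) f=./$1 ;; esac   # keep '.' from searching PATH
    ( USE=""; POLICY_TYPES=""; . "$f" >/dev/null 2>&1; eval "v=\$$2"; printf '%s\n' "$v" )
}
# True if FLAG appears verbatim in the whitespace-separated LIST.
has_flag() {   # has_flag LIST FLAG
    for x in $1; do [ "$x" = "$2" ] && return 0; done
    return 1
}

# Print one WARN line per finding for FILE; the return value is the finding count.
check_make_conf() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 1; }
    use=$(load_var "$1" USE); pol=$(load_var "$1" POLICY_TYPES); n=0
    if has_flag "$use" systemd; then
        # systemd brings its own logind; the recipe in the thread disables the alternatives
        for alt in elogind consolekit; do
            has_flag "$use" "-$alt" || { echo "WARN: USE=systemd without -$alt"; n=$((n+1)); }
        done
    fi
    [ -n "$pol" ] || { echo "WARN: POLICY_TYPES unset; set strict or targeted"; n=$((n+1)); }
    for p in $pol; do
        case $p in strict|targeted) ;; *) echo "WARN: unknown POLICY_TYPES entry '$p'"; n=$((n+1)) ;; esac
    done
    # The unconfined module lets whole domains bypass the policy: useful while
    # bootstrapping, but not the enforcing setup the thread is aiming for.
    has_flag "$use" unconfined && { echo "WARN: USE=unconfined loads the unconfined module"; n=$((n+1)); }
    return $n
}
# Constructed sample make.conf files for a self-test (not real configs from the thread).
write_samples() {   # write_samples DIR
    printf '%s\n' 'USE="systemd elogind open_perms peer_perms ubac unconfined \' \
                  '     X gtk dbus"' > "$1/bad.conf"
    printf '%s\n' 'USE="systemd -elogind -consolekit open_perms peer_perms ubac"' \
                  'POLICY_TYPES="strict"' > "$1/good.conf"
}

if [ $# -gt 0 ]; then
    check_make_conf "$1" || echo "$? finding(s) in $1"
else   # no argument: run against the constructed samples
    d=$(mktemp -d); write_samples "$d"
    for s in bad good; do echo "== $s.conf"; check_make_conf "$d/$s.conf" || echo "$? finding(s)"; done
    rm -rf "$d"
fi
```

Run it as `sh check_make_conf.sh /etc/portage/make.conf` to check a real file; with no argument it reports on the two constructed samples (four findings for bad.conf, none for good.conf).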
Vulgar (n00b; joined 15 Sep 2004; posts: 54)
Posted: Wed May 27, 2020 9:49 am

If you're not running services, i.e. a server to provide services to other computers: do not install untrusted packages. Running a firewall is debatable, no services to protect, yet no harm in running an extra layer, if that layer is trusted.

SELinux is debatable, developed by the NSA & Red Hat, just like systemd developed by Red Hat. UEFI is debatable, more code, larger attack surface, plus you must trust the code itself.

BIOS boot, OpenRC or Runit usually does everything needed. Less can be more. But then they, them, those, have been known to sideline the usual avenues and go directly to the heart & or throat. Freedom of choice is debatable.

https://www.computerworld.com/article/2885069/theres-no-way-of-knowing-if-the-nsas-spyware-is-on-your-hard-drive.html
https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/
https://www.zdnet.com/article/us-government-pushed-tech-firms-to-hand-over-source-code/
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
https://www.nsa.gov/what-we-do/research/selinux/
https://uefi.org/sites/default/files/resources/UEFI%20Firmware%20-%20Security%20Concerns%20and%20Best%20Practices.pdf
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
https://www.gnu.org/proprietary/proprietary.html