SELinux

This article provides a HOWTO on building a Gentoo Hardened system using SELinux from scratch. It is meant to be used in conjunction with The Gentoo Handbook. You should read this article in full before starting your installation.

The Media
All you need is the standard Gentoo LiveCD/DVD

The Gentoo Handbook
Follow the Gentoo Handbook as you normally would, but there are some constraints. This article is laid out to match up with each chapter. Obviously, do what is mentioned on this article instead of the handbook where it differs.

Chapter 4: Preparing the Disks
The only file systems you may choose are: ext2, ext3, ext4, XFS, and JFS.

If you opt to use XFS, format the drive using this command:

Chapter 5: Installing the Gentoo Installation Files
Instead of grabbing the standard Stage3 Tarball, you should be able to grab the Hardened Stage3 Tarball from any mirror. Here's the path to the tarball: (Where $arch is your processor type.)

Chapter 6: Installing the Gentoo Base System
At this point, we are going to specify the Hardened SELinux profile instead of the standard profile. Change $arch to the processor type you are using.

Chapter 7: Configuring the Kernel
Immediately after you synchronize Portage, you may get a notice that a new version of Portage is available. You need to bring that up to date:

For now, ignore this message: "!!! SELinux module not found. Please verify that it was installed." It pops up because you are not yet running a SELinux kernel, and because you have not yet installed the SELinux module. This will be taken care of later.

Also, do not update anything. That will be taken care of after the reboot.

Once that has finished, you can then get the kernel sources. You'll want the hardened sources:

Kernel Configuration
If this is a server for which you are building the kernel, it is recommended that you go the monolithic route instead of the modular route; build support for only what you need.

Chapter 8: Configuring your System
Edit as you normally would, but you will need to add a line for SELinux:

Chapter 9: Installing Necessary System Tools
Only and  have SELinux profiles. So, choose one or the other.

Or:

After the Reboot
Now you'll need to install some necessary packages to complete the installation of SELinux.

Install SELinux Policies
For these next two steps, you'll just want to emerge the packages with the -av switch. Do not update your system yet. For the second emerge in the commands below, it is necessary to have FEATURES=-selinux set this first time for the package. You will not need to have it set for any future upgrades.

Edit the Policy Type
Until you've finished the installation, leave the SELINUX value as permissive.
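As an added example, not part of the original HOWTO, here is a small POSIX shell check that reads the configured SELINUX mode and SELINUXTYPE from a file in the KEY=value layout of /etc/selinux/config and fails if the mode is not the one expected for the current phase (permissive while installing). The sample file contents and the temporary path are constructed.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): read the policy mode from an
# SELinux config file and check it against the mode expected for this phase.
# Assumes the KEY=value layout of /etc/selinux/config; sample data is constructed.

# Print the effective value of KEY in FILE: last uncommented assignment wins,
# trailing comments and whitespace are dropped.
selinux_config_get() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1
}

# Return 0 when MODE is one of the values the kernel accepts, 1 otherwise.
selinux_mode_valid() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if FILE configures the mode WANTED for this phase (default:
# permissive, as required until the installation is finished), 1 otherwise.
selinux_check_phase() {
    file="$1"; wanted="${2:-permissive}"
    mode=$(selinux_config_get SELINUX "$file")
    ptype=$(selinux_config_get SELINUXTYPE "$file")
    if ! selinux_mode_valid "$mode"; then
        echo "SELINUX=$mode is not a valid mode" >&2; return 1
    fi
    if [ -z "$ptype" ]; then
        echo "SELINUXTYPE is not set" >&2; return 1
    fi
    if [ "$mode" != "$wanted" ]; then
        echo "SELINUX=$mode but this phase expects $wanted" >&2; return 1
    fi
    return 0
}

# Constructed sample config, written to a temp file so the example runs offline.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system on boot.
# SELINUX=enforcing
SELINUX=permissive   # keep permissive until the install is finished
SELINUXTYPE=strict
EOF

selinux_check_phase "$SAMPLE_CFG" permissive && echo "config ok for installation phase"
```

Point it at the real config file instead of the sample to verify the mode before and after the final reboot.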

(Re-)Emerge Core Packages
Now you'll need to (re-)emerge some core packages.

Reboot
Now reboot your system and relabel the packages one more time to be safe:

Bringing the System up to Date
now replaces and. Unfortunately, those are exactly the packages that block e2fsprogs, and they are necessary in order to emerge any package. So, it's a bit tricky to get around. Additionally, Python has an update as well and it will break the link with the SELinux module. The following command will fix all of these problems in one fell swoop:

And you're done! You're now running Gentoo Hardened with SELinux.

!!! Unable to set SELinux security labels
You will see this warning/error pop up just after "Installing ". Ensure that you have an directory:

ls /

If you don't, create it:

And reboot.

!!! SELinux module not found. Please verify that it was installed.
You are most likely getting this error for one of two reasons.
 * 1) You have not actually emerged it, so:
 * 2) You have, advertently or inadvertently, updated Python to a new version, so: