Okay, an update: I'm writing this from my (sorta) SELinux-enabled machine now. :)
There were a few little bumps in the process (you may have seen something in #gentoo-hardened), but for the most part the Install/Migrate guide was good. The two things that I will note I had to do are:

* Rebuild util-linux

  mount, provided by util-linux, does not have the functionality required by SELinux when coming from a non-hardened stage. In order to get this installed (without bricking anything) I had to:

    emerge -1 libselinux    (this will also pull in libsepol)
    emerge -1O util-linux   (-O required to prevent pols being pulled in)

  This should happen just prior to the first reboot (and any initrds should be rebuilt to include the new mount binary, I guess).

* Select policy type

  This is more of a note on the documentation (I know it's out of date, or at least so the wiki says, but for reference nonetheless). I'm taking the easy road in and have selected the 'targeted' policy type for now. Because of this, running ``emerge -uDN @world`` prior to setting the policy type in /etc/selinux/config causes emerge to attempt to set the wrong policy, and fail the ebuild. This is in reference to code listings 2.3 and 2.6 of the SELinux handbook.

Other than that, everything has gone smoothly except for one thing: during boot, I'm getting:

    systemd-remount-fs[733]: mount: /run not mounted or bad option

That being said, once booted, /run *is* mounted with:

    tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)

The relevant line in fstab is:

    tmpfs /run tmpfs mode=0755,nosuid,nodev,context=system_u:object_r:var_run_t 0 0

I'm not sure why this is (current thinking is perhaps a symptom of the docs being outdated) and the system seems stable for the moment. There are other errors in the logs (avc denials on udevd, for example) but I'm not too worried for the moment - I'm remaining in permissive mode specifically for that reason :)

Thanks to swift for the info on merging the profiles, and any advice or suggestions on the above would be appreciated! :D

Cheers;
wraeth
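As an added example (not code from the post, the Gentoo handbook or util-linux), here is a small Python check for the kind of fstab/live-mount mismatch discussed above: it compares the SELinux context options an fstab requests against the options the kernel reports in /proc/mounts and flags entries that are absent or were mounted without `seclabel`. The fstab and /proc/mounts contents inside it are constructed samples; only the /run line is taken from the post.

```python
# Added example (not from the mailing-list post): compare the SELinux context
# options requested in fstab against what the kernel reports in /proc/mounts.
# The two inputs at the bottom are constructed samples, not from a real box.
SELINUX_OPTS = ("context", "fscontext", "defcontext", "rootcontext")

def parse_table(text):
    """Map mountpoint -> set of options; fstab and /proc/mounts share the layout
    (device, mountpoint, fstype, options, ...), so one parser serves both."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        table[fields[1]] = set(fields[3].split(","))
    return table

def selinux_option(opts):
    """Return the label-related mount option (e.g. context=...) or None."""
    for opt in opts:
        if opt.split("=", 1)[0] in SELINUX_OPTS:
            return opt
    return None

def check_contexts(fstab_text, mounts_text):
    """List (mountpoint, requested option, problem) for fstab entries that ask
    for an SELinux label but whose live mount is absent or lacks 'seclabel',
    which means the kernel is not applying labels on that filesystem."""
    fstab, mounts = parse_table(fstab_text), parse_table(mounts_text)
    findings = []
    for mp, opts in fstab.items():
        wanted = selinux_option(opts)
        if wanted is None:
            continue
        live = mounts.get(mp)
        if live is None:
            findings.append((mp, wanted, "not mounted"))
        elif "seclabel" not in live:
            findings.append((mp, wanted, "mounted without seclabel"))
    return findings

# Constructed sample: /run mirrors the post's fstab line and live mount (fine);
# /tmp asks for a context but the kernel shows no seclabel (flagged).
SAMPLE_FSTAB = """\
tmpfs /run tmpfs mode=0755,nosuid,nodev,context=system_u:object_r:var_run_t 0 0
tmpfs /tmp tmpfs mode=1777,nosuid,nodev,context=system_u:object_r:tmp_t 0 0
"""
SAMPLE_MOUNTS = """\
tmpfs /run tmpfs rw,nosuid,nodev,seclabel,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,mode=1777 0 0
"""
```

On a live system, feed it `open("/etc/fstab").read()` and `open("/proc/mounts").read()`; an empty result means every labelled fstab entry is mounted with label support.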