I'm now able to boot into my system with SELinux in enforcing mode (without unconfined domains), do standard system administration tasks as root / sysadm_r (including the relevant Portage activities) and work as a regular user as long as I don't want to run in Xorg. I'm not going to focus on Xorg pretty soon now as there is a bunch of other things to do (like other applications, writing policies, patching etc.), but here is a very quick summary on the activities I had to do (apart from those in the Gentoo Hardened SELinux Handbook):
- Use a more recent reference policy to start from. I fiddled with a
live ebuild first, but am now falling back to the latest reference
policy release of Tresys, versioned
2.20100524. The implementing package (
sec-policy/selinux-base-policy) can be found in my overlay (sjvermeu).
- I use a meta package
sec-policy/selinux-policywhich pulls in the base policy as well as policies that you definitely need, but seem to work well when loaded as a module. Currently, that only includes
sec-policy/selinux-portagebut others may follow later. The main reason is that I like the modular approach and this way, I can update/patch these modules without requiring a base rebuild/reload
- Speaking of patching, the
sec-policy/selinux-portageebuild contains a patch for those who have
/var/tmpas a tmpfs filesystem
- I had to update
/lib64/rcscripts/addons/lvm-start.shso that the lvm locks are placed in
- I also had to update
/lib/dhcpcd/dhcpcd-hooks/50-dhcpcd-compatto put the
- Many binaries in /bin (part of
sys-apps/net-tools) are hard links (same inode) but different name. This gives issues with SELinux' file contexts. Quick fix is to copy rather than hardlink (for instance, cp hostname hostname.old). After this, I ran rlpkg net-tools.
- Many packages need to be unmasked (from
~amd64) as the current stable packages either don't work or are too old. The "unstable" ones seem to work pretty well though.
I know much development is being put in the SELinux state of Gentoo Hardened (just visit #gentoo-hardened if you have questions) so I'm sure things will be improving soon.