gentoo selinux bootstrap woes...

[darminus]

Hi, I'm currently trying to install my gentoo linux following the selinux install instructions located at:

http://www.gentoo.org/proj/en/hardened/selinux-x86-install.xml

I'm at the bootstrap process, and I'm wondering if the error I'm getting is normal. Here's the error:

[darminus]

On a follow-up, has anyone completed the SELinux install on an x86, and followed the instructions in the given link above?

Those that have, I have to ask what you set your USE variable to before you began the bootstrap process?

[darminus]

Okay, adding 'selinux' to the USE variable doesn't do the trick, and searching around the forums brought me to this article:

https://forums.gentoo.org/viewtopic.php?t=80910&highlight=selinux+module

Though in that thread the problem is with emerging the selinux-sources, and not with a bootstrap. But the way that problem was resolved was by emerging python-selinux. Now, this could very well be the same problem that I am having, but in mine I don't think I can just emerge python-selinux, due to that fact that I am at the bootstrap process, and haven't even gotten a working system installed yet.

Does anyone have some insite as to where I should go from here?

EDIT:

I can recreate this same error when I try an emerge sync as well. Perhaps the problem lies in portage?

Again, any help or insite would be much appreciated.

[darminus]

Anyone out there have any ideas??

[darminus]

From the responces, I've decided to just install gentoo like normal, and then to convert it to an selinux gentoo box.

If ANY of you have any insite into the problems I did encounter, please post them here, otherwise, thanks for all your help.

[pebenito]

Actually this is not a fatal error; you could have continued. This error is seen because we don't have a SELinux LiveCD and stages. Once we have these, then this error should go away. What the error means is that the python bindings for SELinux are missing, and python-selinux needs to be merged. We'll put a note about this in the docs.
_________________
Chris PeBenito
Developer,
Hardened Gentoo Linux

[Celegans]

Chris,
Thanks for the advice. I am trying to build Gentoo-SELinux, without success. I am seeing the warnings that darminus referred to, and I don't see any mention of merging python-selinux in the SELinux install guide. When I run the bootstrap script, it runs into compile problems. I haven't fully investigated them yet (I thought I'd take a look around here for tips first), and now I'm wondering if the absence of python-selinux would result in compile failures during bootstrap. At what point (in the install process) does python-selinux need to be merged, and could you indicate the correct command (I'm new to portage)? Thanks!

[Method]

Check the updated docs and report any more problems. Soon we'll have selinux livecd's and stages which will greatly simplify the installation process. Right now it isn't very easy for beginners, so you can either try the new docs or wait for the livecd's.

Often times it's easier to install a standard gentoo system and then migrate, that way you'll have xattr and selinux support in the kernel before you start moving everything over, you might try that as well
_________________
Joshua Brindle
Gentoo Developer

[Celegans]

I have successfully built an SCSI+SMP+LVM+SELinux Gentoo system, from scratch (stage 1), which actually enforces its policy, and the whole system (including the root FS) is on logical volumes. I had to write an lvm.te from scratch, hack the lvmcreate_initrd and then hand-twiddle my initrd image, but it seems to be working nicely. I'm willing to contribute my lvm.te to the Gentoo project, if Gentoo development would like to have it.
In retrospect, this was the most difficult installation I've ever done, and I've been building Linux boxes since about '95. I worked on it a for a few hours most evenings and it took me about 6 weeks to get it to boot by itself in enforcing mode, with minimal services running (ntp, openssh,syslog-ng).
I'm just posting to express some of my experiences. I had multiple problems at just about every step. I had problems just booting the LiveCD - the SMP+AIC7xxx incompatability. Then I had serious troubles with the Gentoo-SELinux bootstrap.sh. I finally resolved these (on this thread). Setting up the system to boot itself was fairly painful, as I had to hand-roll an initrd. A lot of time was spent in the kernel-configure-build-install-hand-build-initrd-reboot-and-test treadmill, trying to get it just right.
Once the system was booting on its own, I tackled the SELinux policy problems; there were many. devfs/devfsd and SELinux don't get along very well. Auto-mounting devpts on /dev/pts seemed to help make the pts labelling problems go away. There were a variety of other problems with the stock security policy (too numerous to remember). Also, I had to author a policy to govern LVM from scratch.
Don't get me wrong - I'm a big Gentoo fan, and I know that I was attempting to assemble an extra-difficult combination of features, but I think the SELinux build needs a bunch of work.
Here is my totally subjective difficulty-o-meter for a stage 1 LVM-Gentoo-SELinux installation (with the root FS on LVM):

Noob: Claw your eyes out with a dull spoon and run away screaming!

Initiate: Forget it. You have no chance of making it work.

Experienced: Your patience will likely run out before the problems will. If you stick with it, you have 1 chance in 3.

Guru: You're looking at a lot of work and a lot of swearing; you have 3 chances in 4 to make it work. Plan on it taking a few weeks.
_________________
When the only tool you have is a hammer, all your problems start to look like nails...