User:Merovingians
From Gentoo Wiki
Test Page for Formatting (Prior to Wiki Updates)
Hardware
Supermicro X13SWA-TF Motherboard
[*] General setup --->
Processor type and features --->
Bus options (PCI etc.) --->
[*] Networking support --->
Device Drivers --->
[*] PCI support --->
Bus devices
[*] Block devices --->
NVME Support --->
Misc devices --->
[*] Networking device support --->
[*] Ethernet driver support --->
Marvell AQC113C 10GbE
[*] aQuantia devices
<M> aQuantia AQtion(tm) Support
Intel Ethernet Controller i210AT (igb driver)
[*] Intel devices
<M> Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
Input device support --->
I2C support --->
<M> I3C support --->
<M> Sound card support --->
[*] IOMMU Hardware Support --->
[*] Trusted Execution Environment support --->
Gentoo Hardened SELinux
[*] Networking support --->
Networking options --->
<*> Open vSwitch
In case you ever want to use tagged VLANs
<*> 802.1Q VLAN Support
[*] GVRP (GARP VLAN Registration Protocol) support
In case you ever want to setup QoS rules
[*] QoS and/or fair queueing --->
<M> ...
Note
This is a test on what a note looks like.
SELinux Multi-Category Security (MCS) & Multi-Level Security (MLS)
Note
SELinux was previously installed using the SELinux Installation Guide and was running in permissive mode with the strict policy.
Configuring the SELinux policy
Update the main configuration file at /etc/selinux/config by changing SELINUXTYPE to either mcs or mls (mcs is shown below; the system stays in permissive mode until the relabel is done).
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=mcs
Update the policy store list in /etc/portage/make.conf so that POLICY_TYPES includes both mcs and mls; sec-policy builds a store under /etc/selinux/<type> only for the types listed here.
# SELinux
POLICY_TYPES="strict targeted mcs mls"
Rebuilding policies and utilities
Rebuild the sec-policy/selinux-base package, then re-install the core SELinux policies through the sec-policy/selinux-base-policy package.
root #
FEATURES="-selinux" emerge -1av selinux-base
root #
FEATURES="-selinux -sesandbox" emerge -1av selinux-base
root #
FEATURES="-selinux -sesandbox" emerge -1av selinux-base-policy
Rebuild sec-policy/selinux-policykit and sec-policy/selinux-dbus, otherwise /etc/selinux/mcs/contexts/files/file_contexts and /etc/selinux/mls/contexts/files/file_contexts will not be present in the system and relabeling will be impossible (see bug #891963)
root #
FEATURES="-selinux -sesandbox" emerge -1av selinux-policykit selinux-dbus
Reload modules
Rebuild & Reload SELinux Module
root #
semodule -BR
Redefine the administrator accounts
Note
Somewhere along the process the administrator accounts were removed and therefore had to be re-added.
root #
semanage login -a -s staff_u <username>
root #
restorecon -R -F /home/<username>
root #
sestatus -vv
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Process contexts:
Current context:                staff_u:sysadm_r:sysadm_t:s0
Init context:                   system_u:system_r:init_t:s0
/sbin/agetty                    system_u:system_r:getty_t:s0

File contexts:
Controlling terminal:           staff_u:object_r:user_devpts_t:s0
/sbin/init                      system_u:object_r:init_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/sbin/openrc                    system_u:object_r:rc_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t:s0
/usr/sbin/unix_chkpwd           system_u:object_r:chkpwd_exec_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/usr/bin/newrole                system_u:object_r:newrole_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0
/lib/ld-linux.so.2              system_u:object_r:ld_so_t:s0
Rebuild all selinux packages
root #
emerge --ask --verbose --update --deep --newuse @world
Relabel the files of every installed package against the new policy store.
root #
rlpkg -a
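The steps above are easy to get wrong in a way that only shows up at relabel time (a typo in POLICY_TYPES, or a SELINUXTYPE that has no store under /etc/selinux, which is exactly the missing file_contexts situation from bug #891963). The following is an added example, not part of the wiki page: a small bash check that reads SELINUXTYPE from a copy of /etc/selinux/config, confirms the type is one of the four documented ones and is listed in POLICY_TYPES of make.conf, and optionally confirms the store's file_contexts exists. The function names, the parameterised paths and the fixture files are assumptions made for this example; on a live system pass /etc/selinux/config, /etc/portage/make.conf and /etc/selinux.

```bash
#!/bin/bash
# Added example (not from the wiki page): sanity-check the SELinux policy
# configuration before rebuilding or relabeling anything.
#
# check_selinux_policy_type CONFIG MAKECONF [SELINUX_ROOT]
#   - SELINUXTYPE in CONFIG must be targeted, strict, mcs or mls
#   - that type must appear in POLICY_TYPES in MAKECONF, otherwise sec-policy
#     never builds a store for it
#   - with SELINUX_ROOT given, SELINUX_ROOT/<type>/contexts/files/file_contexts
#     must exist, which is what rlpkg/restorecon need to relabel
# Returns 0 when every check passes, 1 on the first failure (reason on stderr).
check_selinux_policy_type() {
    local config="$1" makeconf="$2" root="${3:-}"
    local type types t found=0
    type=$(sed -n 's/^SELINUXTYPE=//p' "$config" | tail -n 1)
    types=$(sed -n 's/^POLICY_TYPES="\([^"]*\)".*/\1/p' "$makeconf" | tail -n 1)
    case "$type" in
        targeted|strict|mcs|mls) ;;
        *) echo "SELINUXTYPE='$type' is not targeted/strict/mcs/mls" >&2; return 1 ;;
    esac
    for t in $types; do
        [ "$t" = "$type" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "SELINUXTYPE=$type is missing from POLICY_TYPES=\"$types\"" >&2
        return 1
    fi
    if [ -n "$root" ] && [ ! -f "$root/$type/contexts/files/file_contexts" ]; then
        echo "$root/$type/contexts/files/file_contexts is missing; relabeling would fail" >&2
        return 1
    fi
    return 0
}

# make_selinux_fixture TYPE "POLICY TYPES": write constructed copies of the two
# files into a scratch directory that also carries an mcs store (and no mls
# store), then print the directory. Constructed for this example only.
make_selinux_fixture() {
    local dir
    dir=$(mktemp -d)
    printf 'SELINUX=permissive\nSELINUXTYPE=%s\n' "$1" > "$dir/config"
    printf '# SELinux\nPOLICY_TYPES="%s"\n' "$2" > "$dir/make.conf"
    mkdir -p "$dir/selinux/mcs/contexts/files"
    : > "$dir/selinux/mcs/contexts/files/file_contexts"
    echo "$dir"
}

# Good configuration: mcs selected, listed, and its store is present.
good=$(make_selinux_fixture mcs "strict targeted mcs mls")
check_selinux_policy_type "$good/config" "$good/make.conf" "$good/selinux" && echo "mcs: ok"

# The typo from the text ("pls" for "mls") with SELINUXTYPE=mls is rejected.
bad=$(make_selinux_fixture mls "strict targeted mcs pls")
check_selinux_policy_type "$bad/config" "$bad/make.conf" "$bad/selinux" || echo "mls: rejected as expected"
```

Run the check once after editing the two files and again after the selinux-base-policy rebuild with the third argument set, so the missing-store case is caught before rlpkg runs.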
QEMU & Libvirt
Libvirt/QEMU guest (OPNsense)
Keep netifrc from configuring the four I350 ports on the host: port 0 is handed to the guest through VFIO and the other three are managed by Open vSwitch (/etc/conf.d/net):
config_enp142s0f0="null"
config_enp142s0f1="null"
config_enp142s0f2="null"
config_enp142s0f3="null"
root #
lspci | grep -i 350
8e:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
8e:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
8e:00.2 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
8e:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
#!/bin/bash
#
# Isolate each ethernet port for PCI passthrough (port 0 of the I350 shown)
port0="0000:8e:00.0"
# Obtain the vendor and device ID pair (e.g. "0x8086 0x1521") in the form the
# vfio-pci new_id/remove_id interface expects
port0_vd="$(cat /sys/bus/pci/devices/$port0/vendor) $(cat /sys/bus/pci/devices/$port0/device)"
# Bind to VFIO: detach the port from its host driver (igb), then register the
# ID with vfio-pci so it claims the port (new_id grabs every unbound device
# with that ID, so only unbind the port being passed through)
function bind_vfio {
    modprobe vfio-pci
    [ -e "/sys/bus/pci/devices/$port0/driver" ] && echo "$port0" > "/sys/bus/pci/devices/$port0/driver/unbind"
    echo "$port0_vd" > /sys/bus/pci/drivers/vfio-pci/new_id
}
# Unbind from VFIO: release the port, drop the ID and let the host driver reprobe it
function unbind_vfio {
    echo "$port0" > /sys/bus/pci/drivers/vfio-pci/unbind
    echo "$port0_vd" > /sys/bus/pci/drivers/vfio-pci/remove_id
    echo "$port0" > /sys/bus/pci/drivers_probe
}
case "$1" in
    bind) bind_vfio ;;
    unbind) unbind_vfio ;;
    *) echo "usage: $0 bind|unbind" >&2; exit 1 ;;
esac
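VFIO isolates devices per IOMMU group, not per function: if another member of 8e:00.0's group stays bound to a host driver, vfio-pci refuses the device (or, with unsafe overrides, the guest and host end up sharing DMA isolation). The following is an added example and not part of the wiki page: two bash functions that walk /sys/kernel/iommu_groups to list the group of a given BDF and to decide whether it is safe to pass through. The sysfs root is a parameter so the functions can run against a constructed tree; the function names, the fixture and its group numbers are assumptions made for this example, and on a live system the first argument is /sys.

```bash
#!/bin/bash
# Added example (not from the wiki page): IOMMU group check before passthrough.
# SYSFS_ROOT is a parameter so the functions can be exercised on a constructed
# tree; on a live system pass /sys.

# iommu_group_members SYSFS_ROOT BDF: print every device in BDF's IOMMU group,
# read from SYSFS_ROOT/kernel/iommu_groups/<n>/devices/. Fails if BDF has no group.
iommu_group_members() {
    local root="$1" bdf="$2" group
    group=$(basename "$(readlink -f "$root/bus/pci/devices/$bdf/iommu_group")")
    [ -n "$group" ] && [ -d "$root/kernel/iommu_groups/$group/devices" ] || return 1
    ls "$root/kernel/iommu_groups/$group/devices"
}

# passthrough_safe SYSFS_ROOT BDF: 0 if BDF is alone in its group or every other
# member is already on vfio-pci, 1 otherwise (first offender printed to stderr).
passthrough_safe() {
    local root="$1" bdf="$2" members other drv
    members=$(iommu_group_members "$root" "$bdf") || {
        echo "$bdf has no IOMMU group (IOMMU disabled or unsupported?)" >&2
        return 1
    }
    for other in $members; do
        [ "$other" = "$bdf" ] && continue
        drv=$(basename "$(readlink "$root/bus/pci/devices/$other/driver" 2>/dev/null)")
        [ "$drv" = "vfio-pci" ] && continue
        echo "$other (driver: ${drv:-none}) shares the IOMMU group of $bdf" >&2
        return 1
    done
    return 0
}

# Constructed sysfs tree for the demonstration (not a real machine): 8e:00.0 and
# 8e:00.1 share group 17 with 8e:00.1 still on igb; 8e:00.2 sits alone in
# group 18. Prints the scratch root.
make_sysfs_fixture() {
    local root bdf
    root=$(mktemp -d)
    mkdir -p "$root/kernel/iommu_groups/17/devices" "$root/kernel/iommu_groups/18/devices"
    for bdf in 0000:8e:00.0 0000:8e:00.1 0000:8e:00.2; do
        mkdir -p "$root/bus/pci/devices/$bdf"
    done
    for bdf in 0000:8e:00.0 0000:8e:00.1; do
        ln -s "$root/kernel/iommu_groups/17" "$root/bus/pci/devices/$bdf/iommu_group"
        ln -s "$root/bus/pci/devices/$bdf" "$root/kernel/iommu_groups/17/devices/$bdf"
    done
    ln -s "$root/kernel/iommu_groups/18" "$root/bus/pci/devices/0000:8e:00.2/iommu_group"
    ln -s "$root/bus/pci/devices/0000:8e:00.2" "$root/kernel/iommu_groups/18/devices/0000:8e:00.2"
    ln -s "$root/bus/pci/drivers/igb" "$root/bus/pci/devices/0000:8e:00.1/driver"
    echo "$root"
}

sysfs=$(make_sysfs_fixture)
passthrough_safe "$sysfs" 0000:8e:00.0 || echo "8e:00.0: not safe to pass through yet"
passthrough_safe "$sysfs" 0000:8e:00.2 && echo "8e:00.2: safe to pass through"
```

On the X13SWA-TF the four I350 functions may or may not land in separate groups depending on ACS support on the slot; run `passthrough_safe /sys 0000:8e:00.0` after the IOMMU is enabled and before the bind script, and either move the sibling functions to vfio-pci as well or pick a port in its own group.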
root #
ovs-vsctl add-br vbrlan0
root #
ovs-vsctl add-bond vbrlan0 bond0 enp142s0f1 enp142s0f2 enp142s0f3
root #
ovs-vsctl show
Bridge vbrlan0
    Port vbrlan0
        Interface vbrlan0
            type: internal
    Port bond0
        Interface enp142s0f1
        Interface enp142s0f3
        Interface enp142s0f2