Portal:SELinux/Setup
SELinux setup
Tumbleweed
The following commands all assume you are running as root, or that each command is prefixed with sudo.
- ⚠️ Read ALL of these instructions before executing any commands.
- ⚠️ Ensure you carry them out in order.
- ⚠️ Do NOT skip any steps.
- Install the package selinux-policy-targeted. That will also pull in a number of tools.
zypper install selinux-policy-targeted
- Modify the kernel boot parameters. In /etc/default/grub, add security=selinux selinux=1 to the value of GRUB_CMDLINE_LINUX_DEFAULT:
GRUB_CMDLINE_LINUX_DEFAULT=" ... security=selinux selinux=1"
- If security=apparmor is present, remove it.
- Leave all other values as they were. A complete example is:
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet security=selinux selinux=1"
- Update the grub.cfg with:
update-bootloader
- Using an editor such as nano, edit /etc/selinux/config and set the values:
SELINUX=permissive
SELINUXTYPE=targeted
- Request a relabel of all files on the next boot.
touch /.autorelabel
- Reboot the system.
reboot
- ⚠️ Check for potential error messages to avoid getting locked out of your system. SELinux AVC records spell "denied" in lower case, so the match is case-insensitive:
ausearch -ts boot | grep -i -e denied
- After verifying there are no denials, using an editor such as nano, edit /etc/selinux/config and set the value:
SELINUX=enforcing
- Reboot once more.
reboot
On first boot the system will label all files in the file system. So the first boot after enabling SELinux will take a while.
After that, verify SELinux is on:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      33
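The checks that gate the switch from permissive to enforcing in the steps above can be scripted. The following is an added example, not part of the original wiki page. The function names are hypothetical, and it assumes the audit records are plain text in which denials contain the word "denied".

```shell
#!/bin/sh
# Added example: checks to pass before setting SELINUX=enforcing.
# All inputs are arguments so the checks can be run on sample data.

# Succeeds if a kernel command line selects SELinux and not AppArmor.
cmdline_ok() {
    case " $1 " in *" security=apparmor "*) return 1 ;; esac
    case " $1 " in *" security=selinux "*) ;; *) return 1 ;; esac
    case " $1 " in *" selinux=1 "*) ;; *) return 1 ;; esac
}

# Prints the value of KEY ($2) from an /etc/selinux/config style file ($1).
config_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Counts audit records on stdin that report a denial (any letter case).
denial_count() {
    grep -c -i 'denied' || true
}

# ready_for_enforcing CMDLINE CONFIG_FILE AUDIT_FILE
# Prints one line per failed check; succeeds only if every check passed.
ready_for_enforcing() {
    rc=0
    cmdline_ok "$1" || { echo "cmdline: need security=selinux selinux=1, no security=apparmor"; rc=1; }
    [ "$(config_value "$2" SELINUX)" = permissive ] || { echo "config: SELINUX is not permissive"; rc=1; }
    [ "$(config_value "$2" SELINUXTYPE)" = targeted ] || { echo "config: SELINUXTYPE is not targeted"; rc=1; }
    n=$(denial_count < "$3")
    [ "$n" -eq 0 ] || { echo "audit: $n denial record(s) since boot"; rc=1; }
    return "$rc"
}

# Constructed sample data, not taken from a real system.
demo=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo/config"
printf 'type=AVC msg=audit(1700000000.000:42): avc:  denied  { read } for pid=900 comm="demo"\n' > "$demo/audit"
ready_for_enforcing "splash=silent quiet security=selinux selinux=1" "$demo/config" "$demo/audit" \
    || echo "stay in permissive mode and resolve the findings first"
rm -rf "$demo"
```

On a real system the three arguments would be "$(cat /proc/cmdline)", /etc/selinux/config and a file holding the output of ausearch -ts boot.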
MicroOS
Same as with Tumbleweed. Alternatively, use transactional-update setup-selinux to perform all steps automatically and switch to enforcing mode.
WARNING: ⚠️ There is currently no way to relabel a MicroOS system.