Home | Content | Search | Navigation | Toolbox | Actions | In other languages

SELinux

From openSUSE

SELinux and openSUSE 11.2

In 11.2 exists a "Enable SELinux" checkbox in the YaST2 bootloader module.

Enable SELinux in YaST2 Bootloader

Clicking this checkbox adds the following kernel boot parameters to your default kernel: security=selinux selinux=1 enforcing=0 (enforcing should enabled after all policies work smoothly). This parameters can be added manually too, of course. Reboot your machine and run the sestatus command as root, the output should be: 

 SELinux status: enabled
 SELinuxfs mount: /selinux
 Current mode: permissive
 Mode from config file: permissive
 Policy version: 23
 Policy from config file: refpolicy-standard

When something wents wrong here use the selinux-ready script from the libselinux package to get a diagnosis. 

linux # selinux-ready
Start checking your system to see if it is selinux-ready or not:
        check_dir: OK. /selinux exists.
        check_filesystem: OK. Filesystem 'selinuxfs' exists.
        check_boot: Assuming GRUB as bootloader.
        check_boot: OK. Kernel 'vmlinuz-2.6.31-rc4-1-default' has boot-parameter 'security=selinux.*selinux=1.*enforcing=?'
        check_mkinitrd: OK. Your initrd seems to be correct.
        check_packages: OK. All essential packages are installed
        check_config: OK. Config file seems to be there.

SELinux and openSUSE 11.1

  • add the following line into into /lib/mkinitrd/scripts/boot-boot.sh (see this patch for details) 
/bin/mount /root/proc
  • after you modified the script just run mkinitrd to replace the old initrd in /boot
  • use YaST2 -> System -> Boot Loader to modify the "Optional Kernel Command Line Parameter" field by adding selinux=1 enforcing=0 (enforcing should enabled after all policies work smoothly)
  • openSUSE 11.1 does not come with default policies, add the following repository 
zypper ar http://download.opensuse.org/repositories/security:/SELinux/openSUSE_11.1/ selinux
  • install SELinux packages 
zypper in checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1
  • create selinux directory 
 mkdir /selinux
  • file /etc/selinux/config should have the following content: 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=refpolicy-standard
  • reboot the machine, login as root and run sestatus command, the output should be: 
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 23
Policy from config file: refpolicy-standard

SELinux and openSUSE 11.0

  • SELinux cannot be enabled for 11.0, because core packages aren't patched for use with SELinux libraries
Retrieved from "http://en.opensuse.org/SELinux"
The content on this and other wiki pages is posted by community members who are not acting for or on behalf of Novell, Inc., whether or not they otherwise have affiliation with Novell.
This site uses the YAML CSS framework.
About openSUSE | Disclaimers | Feedback
This page was last modified on 9 August 2009, at 12:00. This page has been accessed 1,368 times.

Founded by Novell