Portal:MicroOS/SELinux
SELinux is a security enhancement to Linux which gives administrators fine-grained, mandatory control over what users and applications may access, in addition to the ordinary file permissions.
It consists of a policy loaded into the kernel at boot time which constrains the access of users and applications to resources.
Quick Start
After installing openSUSE MicroOS, just run:
transactional-update setup-selinux
and reboot the system.
The output of sestatus should be something like:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31
Configuration
Kernel commandline options
SELinux can only be enabled or disabled at boot via kernel command line options. The deprecated interface for disabling it at runtime from userland is no longer available, so /etc/selinux/config alone cannot turn SELinux off.
- Enable SELinux in enforcing mode (without an enforcing= parameter the mode is taken from SELINUX= in /etc/selinux/config; add enforcing=1 to force enforcing mode regardless of the config file):
security=selinux selinux=1
- Enable SELinux in permissive mode:
security=selinux selinux=1 enforcing=0
- Disable SELinux:
selinux=0
Boot parameters can be changed by editing GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, running transactional-update grub.cfg and rebooting into the new snapshot.
Configuration file
The configuration file /etc/selinux/config contains:
SELINUX=[enforcing|permissive]
to configure enforcing or permissive mode, and
SELINUXTYPE=targeted
to specify the policy to be loaded. Currently only targeted is supported.
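Because the kernel command line and /etc/selinux/config both influence the mode, it is easy to end up with a system that is not in the state the config file suggests. As an added example (not part of the MicroOS page or its tooling), the following POSIX shell script models how the two sources combine into the effective mode: selinux=0 wins over everything, a different LSM selected with security= leaves SELinux inactive, an explicit enforcing= parameter overrides the config file, and otherwise SELINUX= decides. It assumes SELinux is the LSM selected by security= and does not model the lsm= parameter; the function names and the sample config text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the openSUSE page): derive the SELinux mode the
# system will boot into from the kernel command line and /etc/selinux/config.
# Precedence, as described above:
#   selinux=0                 -> SELinux is not enabled at all
#   security=<other LSM>      -> another major LSM was chosen, SELinux inactive
#   enforcing=0 / enforcing=1 -> overrides SELINUX= in the config file
#   otherwise                 -> SELINUX= in the config file decides
# Assumption: the lsm= parameter is not modelled. Function names are this
# example's own.

# Print the value of "<name>=<value>" from a kernel command line (empty if absent).
cmdline_param() {
    # $1 = command line, $2 = parameter name; unquoted $1 splits on whitespace
    for word in $1; do
        case $word in
            "$2"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Print the value of KEY= from config file text, skipping comment lines and
# trailing comments; the last assignment wins, as in the real file.
config_value() {
    # $1 = file contents, $2 = key
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*'"$2"'=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        tail -n 1
}

# Print the effective mode: disabled, permissive, enforcing or unknown.
effective_mode() {
    cmdline=$1
    config=$2
    if [ "$(cmdline_param "$cmdline" selinux)" = 0 ]; then
        echo disabled
        return 0
    fi
    major=$(cmdline_param "$cmdline" security)
    if [ -n "$major" ] && [ "$major" != selinux ]; then
        echo disabled
        return 0
    fi
    case "$(cmdline_param "$cmdline" enforcing)" in
        0) echo permissive; return 0 ;;
        1) echo enforcing;  return 0 ;;
    esac
    case "$(config_value "$config" SELINUX)" in
        permissive) echo permissive ;;
        enforcing)  echo enforcing ;;
        *)          echo unknown ;;   # only enforcing|permissive are supported on MicroOS
    esac
}

# Constructed sample config, modelled on the fields documented above.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

for cl in "security=selinux selinux=1" \
          "security=selinux selinux=1 enforcing=0" \
          "selinux=0"; do
    printf '%-45s -> %s\n' "$cl" "$(effective_mode "$cl" "$SAMPLE_CONFIG")"
done
```

To check a live host, call effective_mode "$(cat /proc/cmdline)" "$(cat /etc/selinux/config)" and compare the result with getenforce. A mismatch means either that a snapshot with changed boot parameters has been created but not booted yet, or that the mode was switched at runtime with setenforce.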
Relabel of filesystem
During boot, the filesystem can be relabelled. There are two ways to start this process at the next reboot:
touch /etc/selinux/.autorelabel
and reboot, or add the autorelabel kernel command line option for the next boot.
The standard file /.autorelabel can not be used, as the root filesystem is read-only and thus not writable. To force relabelling of all files, including those whose label already matches the policy, use
echo "-F" > /etc/selinux/.autorelabel
Local ssh forwarding
To use ssh port forwarding to connect to a local VNC server, virtual machine or container, sshd needs permission to connect to arbitrary local ports. In the targeted policy this is granted to confined daemons such as sshd through the nis_enabled boolean, so you will need to enable it:
setsebool -P nis_enabled 1
Note that the relevant sshd options (e.g. AllowTcpForwarding) are enabled by default and should not need to be changed. See also: SDB:SELinux
bind9 / named does not start
named is not allowed by SELinux to write to master zones (see bug), so it fails to start when configured to do so.
Update: On 26.08.24 the SELinux team decided to enable the named_write_master_zones boolean by default in the targeted policy. On systems set up after that change this error should not occur. On systems set up before it, the policy default changes but the locally stored setting still has the boolean disabled, so you will need to enable it via:
setsebool -P named_write_master_zones 1
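Both the nis_enabled boolean above and named_write_master_zones are set the same way, and on a fleet of MicroOS hosts you want the change applied only where it is still missing. As an added example (not from the openSUSE page or project), this POSIX shell script checks each boolean with getsebool and only calls setsebool -P when it is off; the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not openSUSE's code): persistently enable a list of SELinux
# booleans, touching the policy store only when a boolean is actually off.
# Uses the real getsebool / setsebool tools; the helper names are the
# example's own. getsebool prints lines like "nis_enabled --> off".

# Print "on", "off", or "missing" (boolean not defined in the loaded policy).
boolean_state() {
    out=$(getsebool "$1" 2>/dev/null) || { echo missing; return 0; }
    case $out in
        *"--> on")  echo on ;;
        *"--> off") echo off ;;
        *)          echo missing ;;
    esac
}

# Make one boolean persistently on. Prints what happened so a fleet run can be
# audited: already-on, enabled, failed or missing. -P writes the change to the
# policy store so it survives a reboot; without -P it would be lost.
ensure_boolean_on() {
    case "$(boolean_state "$1")" in
        on)  echo already-on ;;
        off) if setsebool -P "$1" 1; then echo enabled; else echo failed; fi ;;
        *)   echo missing ;;
    esac
}

# Booleans discussed on this page: local ssh port forwarding and named
# writing its master zone files.
for b in nis_enabled named_write_master_zones; do
    printf '%-28s %s\n' "$b" "$(ensure_boolean_on "$b")"
done
```

Run it as root after setup-selinux; rerunning it is safe because a boolean that is already on is reported as already-on and left untouched. Before enabling a boolean, it is worth confirming with ausearch -m AVC -ts recent that the denial you are seeing is really the one the boolean addresses.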
Container
Volumes
Using volumes with podman or docker:
- :z relabels the volume with a shared label so that other containers can also read and write it.
- :Z relabels the volume with a private label (the container's own MCS categories) so that only this specific container can read and write it.
Both options relabel the host directory recursively, so do not use them on system directories such as /home, /etc or /usr; reserve them for directories dedicated to the container.
Documentation
Mailing List
The SELinux mailing list for openSUSE is: selinux@lists.opensuse.org
To subscribe visit https://lists.opensuse.org/manage/lists/selinux.lists.opensuse.org/ or send a mail to selinux-join@lists.opensuse.org
List Archive: https://lists.opensuse.org/archives/list/selinux@lists.opensuse.org