Portal:SELinux

Jump to: navigation, search
Welcome to the SELinux Portal
SELinux is a Mandatory Access Control System (MAC).


Why should I enable SELinux in enforcing mode?
To understand why SELinux is important, we need to know how Linux security works without it.

Linux by default has very little in the way of security controls - you are root and have no limits to what you can do, or you are a user and can't interact with other users files or processes. Tools like sudo allow you to become root and remove all the limits you previously had.

This is why security issues (such as privilege escalation) on Linux are so damaging. Once you can become root, you have no restrictions.

In addition, users who own their own files have the discrestion to change who owns them, and change the permissions of those files. This can allow users to accidentally reveal their secrets to other accounts on the system.

SELinux changes this. SELinux labels every file and process allowing more strict rules to exist, that can even confine what root can do. This can prevent some exploits from working, and if an exploit does occur and becomes root then the attacker is still confined and limited in what they can do or see. Because this is a mandatory access control system, the user can't escape or modify the rules, preventing mistakes.

Read more about what SELinux can and can't do.

How does SELinux do that?
SELinux gives everything on your system a type. This includes processes (like sshd_t), files (like user_home_t) and even network sockets (ldap_port_t). A policy defines rules allowing or denying actions from one type to another.

You might have your user (user_t) try to read a file in your home directory (user_home_t) which is allowed.

But an attacker which compromised a process like a webserver (httpd_t) then tries to write to root's ssh keys (root_home_ssh_t) to get a backdoor, they are denied this permission.

Read more on SELinux concepts.
Report a SELinux bug
To report an issue with SELinux, please open a bug in Bugzilla. Please make sure you follow the guidelines below so that the bug can be found and processed quickly. We will then get back at you and request more information from you if needed.

You can use the bug creation template to open a bug quickly: SELinux bug creation template

Summary line

Write a summary line that contains a [SELinux] prefix tag. An example for a valid summary line can be:

[SELinux] transactional-update can't run with selinux=permissive under cloud-init

Description

Please state the following information in your bug's description:

  • Operating System: you can find this with for example by running:  hostnamectl | grep "Operating System"
  • SELinux status, mode and policy name: you can find this by running: sestatus
  • SELinux policy version and repository: you can find this for example by running: zypper info selinux-policy
  • The software (incl. version) that is affected by the SELinux issue and the error message
  • SELinux Audit log: you can retrieve the audit log e.g. for the same day using: ausearch -ts today -m avc
    • The list of AVCs is fundamental! Please always provide this information in the bug.
  • The exact steps to reproduce, i.e. how to configure and use the system to trigger the AVC
  • Any other important details: e.g. what you were trying to accomplish when the error happened, other logs
Documentation for packagers
Documentation for (open)QA / Testers
Documentation for SELinux enthusiasts
Status

openSUSE MicroOS:
SELinux enabled and in enforcing mode

openSUSE Tumbleweed:
SELinux can be manually enabled
Enable SELinux on Tumbleweed

openSUSE Leap:
SELinux can be manually enabled, but bugs will be currently treated with lower priority
Enable SELinux on Leap