Portal:SELinux/Setup

Jump to: navigation, search

Setup SELinux on new Tumbleweed installations

For new installations you can choose "SELinux" as security system instead of "AppArmor" in the installer and skip the steps below.

For Build 20250211 onwards, this is selected by default.

Setup SELinux on existing Tumbleweed systems

The following guide shows you how to set up SELinux on Tumbleweed on an existing installations. In case AppArmor was enabled on the existing system before, this guide also disables AppArmor as mandatory access control system and replaces it with SELinux. If you have customized AppArmor profiles for applications that are not covered by SELinux policies, consider migrating them by creating a custom policy.

The following commands all assume you are running as root, or that each command is prefixed with sudo.

  1. ⚠️ Read ALL of these instructions before executing any commands.
  2. ⚠️ Ensure you carry them out in order.
  3. ⚠️ Do NOT skip any steps.
  4. Install the package selinux pattern. That will also pull in a number of tools. 
    zypper install -t pattern selinux
  5. Modify the kernel boot parameters.
    1. For systems using grub (default)
      1. In /etc/default/grub add security=selinux selinux=1 to the value of GRUB_CMDLINE_LINUX_DEFAULT 
        GRUB_CMDLINE_LINUX_DEFAULT=" ... security=selinux selinux=1
      2. If security=apparmor is present, remove it.
      3. Leave all other values as they were. A complete example is: 
        GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet security=selinux selinux=1"
      4. Update the grub.cfg with 
        update-bootloader
    2. For systems using systemd-boot (experimental)
      1. Add the SELinux kernel cmdline options to /etc/kernel/cmdline by executing: 
        pbl --add-option "security=selinux selinux=1"
      2. Add the kernel cmdline options to systemd boot configuration in /boot/efi/loader/entries/ by executing: 
        sdbootutil add-all-kernels
      3. Rebuild initrd for the selinux-autorelabel script by executing: 
        sdbootutil mkinitrd
  6. Using an editor such as nano, edit /etc/selinux/config and set the values 
    SELINUX=permissive
    SELINUXTYPE=targeted
  7. Request a relabel of files next boot.
    touch /.autorelabel
  8. Reboot the system 
    reboot
    On first boot the system will label all files in the file system. So the first boot after enabling SELinux will take a while.
  9. ⚠️ check for potential error messages to avoid getting locked out from your system. 
    ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot
    If you see any errors, this is a good time to open a bug.
  10. After verifying there are no denials, using an editor such as nano, edit /etc/selinux/config and set the values 
    SELINUX=enforcing
  11. reboot once more 
    reboot

After that verify SELinux is on 

   # sestatus 
   SELinux status:                 enabled
   SELinuxfs mount:                /sys/fs/selinux
   SELinux root directory:         /etc/selinux
   Loaded policy name:             targeted
   Current mode:                   enforcing
   Mode from config file:          enforcing
   Policy MLS status:              enabled
   Policy deny_unknown status:     allowed
   Memory protection checking:     actual (secure)
   Max kernel policy version:      33
Retrieved from "https://en.opensuse.org/index.php?title=Portal:SELinux/Setup&oldid=193683"