Portal:SELinux/Setup
Setup SELinux on new tumbleweed installations
For new installations you can choose "SELinux" as security system instead of "AppArmor" in the installer and skip the steps below.
Setup SELinux on existing tumbleweed systems
The following guide shows you how to set up SELinux on Tumbleweed on an existing installation. If AppArmor was enabled on the existing system before, this guide also disables AppArmor as the mandatory access control system and replaces it with SELinux. If you have customized AppArmor profiles for applications that are not covered by SELinux policies, consider migrating them by creating a custom policy.
The following commands all assume you are running as root, or that each command is prefixed with sudo.
- ⚠️ Read ALL of these instructions before executing any commands.
- ⚠️ Ensure you carry them out in order.
- ⚠️ Do NOT skip any steps.
- Install the package selinux-policy-targeted. That will also pull in a number of tools.
zypper install selinux-policy-targeted
- Modify the kernel boot parameters. In /etc/default/grub add security=selinux selinux=1 to the value of GRUB_CMDLINE_LINUX_DEFAULT
GRUB_CMDLINE_LINUX_DEFAULT=" ... security=selinux selinux=1"
- If security=apparmor is present, remove it.
- Leave all other values as they were. A complete example is:
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet security=selinux selinux=1"
- Update the grub.cfg with
update-bootloader
- Using an editor such as nano, edit /etc/selinux/config and set the values
SELINUX=permissive
SELINUXTYPE=targeted
- Request a relabel of files next boot.
touch /.autorelabel
- reboot the system
reboot
- ⚠️ Check the audit log for denials to avoid getting locked out of your system.
ausearch -ts boot | grep -e DEN
- After verifying there are no denials, using an editor such as nano, edit /etc/selinux/config and set the values
SELINUX=enforcing
- reboot once more
reboot
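The steps above edit two configuration files by hand. The following shell script is an added example (not the wiki's own tooling) that performs those two edits as functions which take a file path, so you can try them on copies before running them as root against /etc/default/grub and /etc/selinux/config; it also includes a small helper that counts AVC denials in saved ausearch output, which is the check the reboot step asks for. Function names, the demo and the sample file contents are constructed for this example; update-bootloader, touch /.autorelabel and reboot are still run by hand as described above.

```shell
#!/bin/sh
# Added example: helper functions for the manual SELinux setup steps.
# Both edit functions take a file path, so they can be tested on copies.

# Ensure GRUB_CMDLINE_LINUX_DEFAULT in the given grub defaults file carries
# "security=selinux selinux=1" and no "security=apparmor". All other
# parameters are kept in their original order; running it twice is a no-op.
grub_enable_selinux() {
    f="$1"
    line=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f" | tail -n 1)
    [ -n "$line" ] || { echo "no GRUB_CMDLINE_LINUX_DEFAULT in $f" >&2; return 1; }
    # strip the key and the surrounding quotes, leaving the parameter list
    params=${line#GRUB_CMDLINE_LINUX_DEFAULT=}
    params=${params#\"}; params=${params%\"}
    new=""
    for p in $params; do
        case "$p" in
            security=*|selinux=*) ;;   # drop any existing LSM choice, re-added below
            *) new="$new $p" ;;
        esac
    done
    new="${new# } security=selinux selinux=1"
    new=${new# }
    # rewrite the line in place; "cat > file" keeps the file's mode and owner
    tmp=$(mktemp)
    awk -v new="$new" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ { print "GRUB_CMDLINE_LINUX_DEFAULT=\"" new "\""; next }
        { print }' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Set SELINUX=<mode> and SELINUXTYPE=targeted in an /etc/selinux/config-style
# file, adding the keys if they are missing. Only the three valid modes are
# accepted, since a typo here would leave SELinux in an unintended state.
selinux_set_mode() {
    f="$1"; mode="$2"
    case "$mode" in
        permissive|enforcing|disabled) ;;
        *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    awk -v mode="$mode" '
        /^SELINUX=/     { print "SELINUX=" mode; seen_mode = 1; next }
        /^SELINUXTYPE=/ { print "SELINUXTYPE=targeted"; seen_type = 1; next }
        { print }
        END {
            if (!seen_mode) print "SELINUX=" mode
            if (!seen_type) print "SELINUXTYPE=targeted"
        }' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Count AVC denial records in a file holding audit output, e.g. saved with
# "ausearch -ts boot > /tmp/boot-audit.log". Prints 0 (instead of failing)
# when there are none, so it can be used under "set -e".
avc_denials() {
    grep -ci 'avc:.*denied' "$1" || true
}

# Demo on constructed files in a temporary directory; nothing under /etc is touched.
demo() {
    d=$(mktemp -d)
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet security=apparmor"\n' > "$d/grub"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
    grub_enable_selinux "$d/grub"
    selinux_set_mode "$d/config" permissive
    cat "$d/grub" "$d/config"
    rm -rf "$d"
}
demo
```

Run the script as-is to see the demo on temporary copies; on a real system the two edit functions would be called as root with `/etc/default/grub` and `/etc/selinux/config`, followed by `update-bootloader`, `touch /.autorelabel` and a reboot exactly as in the steps above. Switching to `enforcing` with `selinux_set_mode` belongs only after `avc_denials` reports zero for the boot you inspected.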
On the first boot after enabling SELinux the system will label all files in the file system, so that boot will take a while.
After that, verify SELinux is on:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      33
MicroOS
You can use
transactional-update setup-selinux
to perform all steps automatically and switch to enforcing mode.