This wiki was updated to MediaWiki 1.37. If you notice any issues, please report them to admin[at]opensuse.org

SDB:SELinux

Jump to: navigation, search

SELinux is flexible Mandatory Access Control (MAC) for Linux

SELinux setup

Tumbleweed

  1. Install the package selinux-policy-targeted. That will also pull in a number of tools
  2. Modify the kernel boot parameters. In /etc/default/grub add security=selinux selinux=1 to the value of GRUB_CMDLINE_LINUX_DEFAULT and run update-bootloader.
  3. In /etc/selinux/config make sure SELINUXTYPE is set to targeted
  4. To enforce the policy set SELINUX=enforcing. For initial testing it may make sense to boot in permissive mode first and check for potential error messages to avoid getting locked out.
  5. reboot

On first boot the system will label all files in the file system. So the first boot after enabling SELinux will take a while.

After that verify SELinux is on

   # sestatus 
   SELinux status:                 enabled
   SELinuxfs mount:                /sys/fs/selinux
   SELinux root directory:         /etc/selinux
   Loaded policy name:             targeted
   Current mode:                   permissive
   Mode from config file:          permissive
   Policy MLS status:              enabled
   Policy deny_unknown status:     allowed
   Memory protection checking:     requested (insecure)
   Max kernel policy version:      33


MicroOS

Same as with Tumbleweed, alternatively use transactional-update setup-selinux to perform all steps automatically and switch to enforcing mode.

Troubleshooting

If you can't fix it yourself please open a bug

List SELinux related audit events since boot

   # ausearch -ts boot -m avc

Intead of "boot" other useful options are "today" or "recent".

Analyze service failure

   # ausearch -ts recent -m avc -c sshd
   ----
   time->Tue May 18 14:47:47 2021
   type=AVC msg=audit(1621342067.432:82): avc:  denied  { read } for  pid=839 comm="sshd" name="example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
   ----
   time->Tue May 18 14:47:47 2021
   type=AVC msg=audit(1621342067.432:83): avc:  denied  { open } for  pid=839 comm="sshd" path="/var/yp/binding/example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
   [...]

The output of that can be piped through audit2why (from policycoreutils-python-utils package) which potentially gives some explanation. In this case the tool recommends turning on a boolean:

   Was caused by:
   The boolean nis_enabled was set incorrectly. 
   Description:
   Allow nis to enabled
   
   Allow access by executing:
   # setsebool -P nis_enabled 1

Following the instruction to use setsebool would resolve the issue in this case. To get the description of a boolean run semanage (from policycoreutils-python-utils package) and to see the changes a boolean does run sesearch (from setools-console):

semanage boolean -l | grep nis_enabled
sesearch -A -b nis_enabled

Another example:

   type=AVC msg=audit(1621342040.556:15): avc:  denied  { watch } for  pid=1 comm="systemd" path="/var/cache/cups" dev="vda2" ino=22stem_r:init_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir permissive=1

That one recommends to use audit2allow (from policycoreutils-python-utils package) to produce a new rule.

Using audit2allow

The audit2allow tool uses audit messages to produce rules that can be loaded into SELinux after conversion into the correct format.

   #============= init_t ==============
   allow init_t cupsd_rw_etc_t:dir watch;