SDB:SELinux
SELinux is a flexible Mandatory Access Control (MAC) system for Linux.
SELinux setup
Tumbleweed
- Install the package selinux-policy-targeted. That will also pull in a number of tools.
- Modify the kernel boot parameters. In /etc/default/grub add security=selinux selinux=1 to the value of GRUB_CMDLINE_LINUX_DEFAULT and run update-bootloader.
- In /etc/selinux/config make sure SELINUXTYPE is set to targeted.
- To enforce the policy, set SELINUX=enforcing. For initial testing it may make sense to boot in permissive mode first (SELINUX=permissive) and check the logs for potential error messages, to avoid getting locked out.
- Reboot.
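The two file edits in the steps above are easy to get slightly wrong by hand (a duplicated GRUB_CMDLINE_LINUX_DEFAULT line, a commented-out SELINUX= line edited instead of the live one). The following helpers are an added example, not part of this wiki page or of openSUSE's own tooling: they apply each edit idempotently to whatever file is passed as an argument, so they can be tried on copies of /etc/default/grub and /etc/selinux/config before the real files are touched. The function names are my own, and the grub file is assumed to use the usual quoted form GRUB_CMDLINE_LINUX_DEFAULT="...".

```shell
#!/bin/sh
# Added example, not from the openSUSE wiki page: idempotent helpers for the
# two configuration edits in the Tumbleweed setup steps. Function names are
# my own. The grub defaults file is assumed to use the quoted form
# GRUB_CMDLINE_LINUX_DEFAULT="..."; /etc/selinux/config uses plain KEY=VALUE.

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT (without quotes).
get_grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | head -n 1
}

# Append "security=selinux selinux=1" to GRUB_CMDLINE_LINUX_DEFAULT in the
# given grub defaults file. Leaves the file untouched if security=selinux is
# already present, and adds the variable if the file has no such line at all.
add_selinux_kernel_params() {
    grub_file=$1
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub_file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="security=selinux selinux=1"\n' >> "$grub_file"
        return 0
    fi
    current=$(get_grub_cmdline "$grub_file")
    case " $current " in
        *" security=selinux "*) return 0 ;;   # already configured
    esac
    new="${current:+$current }security=selinux selinux=1"
    # The new value is passed through the environment so awk prints it
    # literally, whatever characters the existing parameters contain.
    NEW="$new" awk '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ { print "GRUB_CMDLINE_LINUX_DEFAULT=\"" ENVIRON["NEW"] "\""; next }
        { print }' "$grub_file" > "$grub_file.tmp" && mv "$grub_file.tmp" "$grub_file"
}

# Print the value of KEY from an /etc/selinux/config style file.
get_selinux_option() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Set KEY=VALUE in an /etc/selinux/config style file, replacing an existing
# uncommented KEY= line or appending one. Comment lines such as
# "# SELINUX= can take one of these values" are left alone because awk
# compares the whole text before the first "=".
set_selinux_option() {
    cfg=$1 key=$2 value=$3
    if grep -q "^$key=" "$cfg"; then
        KEY="$key" VALUE="$value" awk -F= '
            $1 == ENVIRON["KEY"] { print ENVIRON["KEY"] "=" ENVIRON["VALUE"]; next }
            { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$key" "$value" >> "$cfg"
    fi
}

# Real run, as root, following the steps on this page:
#   add_selinux_kernel_params /etc/default/grub && update-bootloader
#   set_selinux_option /etc/selinux/config SELINUXTYPE targeted
#   set_selinux_option /etc/selinux/config SELINUX permissive   # enforcing once the logs are clean
```

Running the two setters on a copy and diffing it against the original before repeating them on the real files is the cheapest way to confirm nothing else in those files changed.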
On first boot the system will label all files in the file system. So the first boot after enabling SELinux will take a while.
After that, verify SELinux is on:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      33
MicroOS
Same as with Tumbleweed; alternatively, run transactional-update setup-selinux, which performs all of the steps automatically and switches to enforcing mode.
Troubleshooting
If you can't fix it yourself, please open a bug.
List SELinux related audit events since boot
# ausearch -ts boot -m avc
Instead of "boot", other useful options are "today" or "recent".
Analyze a service failure
# ausearch -ts recent -m avc -c sshd
----
time->Tue May 18 14:47:47 2021
type=AVC msg=audit(1621342067.432:82): avc: denied { read } for pid=839 comm="sshd" name="example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
----
time->Tue May 18 14:47:47 2021
type=AVC msg=audit(1621342067.432:83): avc: denied { open } for pid=839 comm="sshd" path="/var/yp/binding/example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
[...]
The output of that can be piped through audit2why (from the policycoreutils-python-utils package), which may give an explanation of the denial. In this case the tool recommends turning on a boolean:
Was caused by:
The boolean nis_enabled was set incorrectly.
Description:
Allow nis to enabled

Allow access by executing:
# setsebool -P nis_enabled 1
Following the instruction to use setsebool would resolve the issue in this case. To get the description of a boolean, run semanage (from the policycoreutils-python-utils package); to see which rules a boolean enables, run sesearch (from setools-console):
semanage boolean -l | grep nis_enabled
sesearch -A -b nis_enabled
Another example:
type=AVC msg=audit(1621342040.556:15): avc: denied { watch } for pid=1 comm="systemd" path="/var/cache/cups" dev="vda2" ino=22[...] scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir permissive=1
For that one, audit2why recommends using audit2allow (from the policycoreutils-python-utils package) to produce a new rule.
Using audit2allow
The audit2allow tool turns audit messages into allow rules, which can be loaded into SELinux once they have been compiled into a policy module. For the denial above it produces:
#============= init_t ==============
allow init_t cupsd_rw_etc_t:dir watch;
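To make the step from denial to rule visible, here is an added example that is not part of this wiki page and is not the real audit2allow: a stripped-down reimplementation of what audit2allow does with each AVC record. It pulls the permission out of denied { ... }, the third (type) field out of scontext and tcontext, and the tclass, and prints allow SRC_TYPE TGT_TYPE:CLASS PERM;, merging records that share the same source type, target type and class into one rule with a { ... } permission set. The function names are my own; the sample input reuses the two sshd records shown earlier on this page plus a constructed init_t record in the same shape (its inode number is made up).

```shell
#!/bin/sh
# Added example, not from the wiki page and not the real audit2allow: the
# denial-to-rule mapping audit2allow performs on each AVC record,
#   denied { PERM } ... scontext=USER:ROLE:SRC_T:... tcontext=USER:ROLE:TGT_T:... tclass=CLASS
#   -> allow SRC_T TGT_T:CLASS PERM;
# with records for the same (SRC_T, TGT_T, CLASS) merged into one rule.
# Function names are my own.

# Read ausearch / audit.log text on stdin and print one allow rule per
# (source type, target type, class). Lines that are not AVC records
# ("----", "time->...") match nothing in sed and are dropped.
avc_to_allow_rules() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.* tcontext=[^:]*:[^:]*:\([^:]*\):.* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{
        key = $1 " " $2 ":" $3                     # "src_t tgt_t:class"
        if (!(key in perms)) { keys[++nkeys] = key; perms[key] = "" }
        for (i = 4; i <= NF; i++)                  # one or more permissions
            if (index(" " perms[key] " ", " " $i " ") == 0)
                perms[key] = perms[key] (perms[key] == "" ? "" : " ") $i
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            p = perms[keys[k]]
            if (index(p, " ") > 0) p = "{ " p " }"   # several permissions -> set syntax
            printf "allow %s %s;\n", keys[k], p
        }
    }'
}

# Sample input: the two sshd records from this page plus a constructed init_t
# record (constructed sample; ino=4242 is made up).
demo_rules() {
    avc_to_allow_rules <<'EOF'
----
time->Tue May 18 14:47:47 2021
type=AVC msg=audit(1621342067.432:82): avc: denied { read } for pid=839 comm="sshd" name="example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
----
time->Tue May 18 14:47:47 2021
type=AVC msg=audit(1621342067.432:83): avc: denied { open } for pid=839 comm="sshd" path="/var/yp/binding/example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1621342040.556:15): avc: denied { watch } for pid=1 comm="systemd" path="/var/cache/cups" dev="vda2" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir permissive=1
EOF
}

demo_rules
```

The real tool is driven the same way, for example ausearch -ts recent -m avc -c systemd | audit2allow -M local_cups, which writes local_cups.te (the rules, worth reading before going further) and local_cups.pp, loaded with semodule -i local_cups.pp. Before loading such a module, rule out the two cheaper explanations first: a mislabelled file (restorecon -Rv on the path restores the label the policy expects) or an existing boolean (audit2why, as shown above). An allow rule written from a denial widens the policy for that domain permanently, and rules generated from several unrelated denials at once are easy to over-grant.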