
SDB:SELinux

From openSUSE

SELinux (Security-Enhanced Linux) is a mandatory access control system originally developed by the NSA. It adds access-control and security features to the Linux kernel whose rules apply even to root.

SELinux and openSUSE 13.1

Use the instructions for openSUSE 12.3 below. Only the minimum policy has been tested so far.

SELinux and openSUSE 12.3

There are a couple of steps you have to take to actually use SELinux on 12.3.
First, you need an SELinux policy installed. An SELinux policy is the set of rules that the Linux kernel checks and enforces. Currently we package two such policies: selinux-policy-targeted and selinux-policy-mls.

At least one of these two has to be installed to successfully use SELinux. The policy package should pull in most of the needed dependencies, except policycoreutils-python, which supplies the semanage program.
Tip: prefer the packages from the security:SELinux project, because they contain the most recent changes.

At any time you can run the selinux-ready script to check whether your system is ready to use SELinux. If it finds something out of order, it suggests the steps needed to fix it. Example output of selinux-ready:

Start checking your system if it is selinux-ready or not:
        check_dir: OK. /selinux exists.
        check_filesystem: OK. Filesystem 'securityfs' exists.
        check_filesystem: OK. Filesystem 'selinuxfs' exists.
        check_boot: Assuming GRUB2 as bootloader.
        check_boot: ERR. Boot-parameter missing for booting the kernel.
                    Please use YaST2 to add 'security=selinux selinux=1' to the kernel boot-parameter list.
        check_mkinitrd: ERR. Unable to locate '/boot/unknown'
        check_packages: OK. All essential packages are installed
        check_config: OK. Config file seems to be there.
        check_pam: OK. Your PAM configuration seems to be correct.
        check_runlevel: OK. restorecond is enabled on your system

The next thing you have to do is tell the kernel to boot into an SELinux-aware environment. This is achieved by passing the parameters "security=selinux selinux=1 enforcing=0" to the kernel. The easiest way to do this is with YaST:
Start the YaST2 bootloader module. Under "Section Management", select a kernel section and edit it. In the "Section Settings" panel check the "Enable SELinux" checkbox. This adds the required boot parameters to the kernel command line. (Please note that the "Enable SELinux" checkbox might not be there. In that case add the kernel parameters to the bootloader configuration manually, as mentioned above.)

Then enable restorecond with:

systemctl enable restorecond

Note that you cannot start restorecond until you have booted a kernel with the parameters mentioned above, so for now just enable it without starting it.

Create a default context for users:

semanage login -a -s sysadm_u root
semanage login -a -s user_u <your_username>

Don't be alarmed by a warning about a missing context for "/var/lib/nobody"; it will be fixed when restorecon is run later.

Add PAM module pam_selinux:

pam-config -a --selinux

To ensure that all SELinux log messages are written to /var/log/audit/audit.log, enable the auditd daemon with:

systemctl enable auditd

If everything went OK, you can now reboot your system.

Now use sestatus to check whether SELinux is active. The output of the sestatus command (run as root) should look something like:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

SELinux has two modes of operation: permissive and enforcing.
In enforcing mode SELinux denies access based on the SELinux policy rules. In permissive mode SELinux does not deny access; the incidents are only logged.
So far, due to lack of testing, permissive mode is used by default.
Only the minimal server install has been tested so far, so be prepared for unpleasant surprises if you dare to run your desktop in enforcing mode :-)

Next you should check if the filesystem is labeled correctly.

You can list file labels with ls -Z; similarly, use ps -Z for running processes.
If everything is labeled as file_t and/or system services (e.g. sshd) are running as kernel_t, you will have to relabel the files manually and reboot afterwards.
Relabelling is done using:

restorecon -R /


You should now have a SELinux enabled openSUSE system.
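Because the system runs in permissive mode by default, everything that enforcing mode would block is only recorded as an AVC record in /var/log/audit/audit.log. The script below is an added example (not part of this wiki page or of the openSUSE packages) that summarises those "avc: denied" records by source type, target type, object class and permission, so the log can be reviewed before switching to enforcing. It takes an audit log path as its first argument and, for demonstration, runs on a constructed sample log.

```shell
#!/bin/sh
# Added example: summarise "avc: denied" records from an audit log.
# Each output line is: <count> <source type> <target type> <class> <permissions>
# Default input is /var/log/audit/audit.log, where auditd writes SELinux messages.
avc_summary() {
    awk '
        /^type=AVC / && /avc: *denied/ {
            # the permissions are listed between the braces: denied  { read write }
            perm = $0
            sub(/.*denied *[{] */, "", perm)
            sub(/ *[}].*/, "", perm)
            gsub(/ /, ",", perm)
            st = tt = cls = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # a context is user:role:type[:level]; the type is the third field
                if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
                else if (kv[1] == "tclass") cls = kv[2]
            }
            print st, tt, cls, perm
        }' "${1:-/var/log/audit/audit.log}" | sort | uniq -c | sort -rn
}

# Constructed sample log (not real output): two sshd denials on files in /etc,
# one httpd denial on a log file, and a SYSCALL record that must be ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1364123456.789:101): avc:  denied  { read } for  pid=1234 comm="sshd" name="passwd" dev="sda2" ino=5678 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1364123456.789:101): arch=c000003e syscall=2 success=yes exit=3 comm="sshd" subj=system_u:system_r:sshd_t:s0
type=AVC msg=audit(1364123457.001:102): avc:  denied  { read } for  pid=1234 comm="sshd" name="group" dev="sda2" ino=5679 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1364123460.500:103): avc:  denied  { write append } for  pid=2345 comm="httpd" name="access_log" dev="sda2" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
EOF

avc_summary "$SAMPLE_LOG"
# prints:
#   2 sshd_t etc_t file read
#   1 httpd_t var_log_t file write,append
```

A denial that appears here for a service you rely on is the one to fix (relabel, boolean or local policy module) before the boot parameter is changed from enforcing=0 to enforcing mode.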

If you have problems, feel free to ask on the opensuse-factory mailing list. If you find a bug, you can report it via http://bugzilla.opensuse.org/

SELinux and openSUSE 11.3

Start the YaST2 bootloader module. Under "Section Management", select a kernel section and edit it. In the "Section Settings" panel check the "Enable SELinux" checkbox. This will add the required boot parameters to the kernel command line. Clicking on 'OK' twice should write the new boot configuration.

Now run selinux-ready. Output from selinux-ready should be:

Start checking your system if it is selinux-ready or not:
        check_dir: OK. /selinux exists.
        check_filesystem: OK. Filesystem 'securityfs' exists.
        check_boot: Assuming GRUB as bootloader.
        check_boot: OK. Kernel 'vmlinuz-2.6.34-12-default' has boot-parameter 'selinux=1'
        check_mkinitrd: OK. Your initrd seems to be correct.
        check_packages: OK. All essential packages are installed
        check_config: OK. Config file seems to be there.
        check_initupstart: OK. init_upstart in refpolicy-standard/booleans is set to 1.
        check_pam: OK. Your PAM configuration seems to be correct.
        check_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.

If any problems are indicated here, they should be fixed.

Consider 'fixfiles onboot' if the security contexts on the filesystem need to be set up.

Reboot.

Output from sestatus command (as root) should be:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        refpolicy-standard

SELinux and openSUSE 11.2

In 11.2 there is an "Enable SELinux" checkbox in the YaST2 bootloader module.

[Image: Enable SELinux in YaST2 Bootloader]

Clicking this checkbox adds the following kernel boot parameters to your default kernel: security=selinux selinux=1 enforcing=0 (enforcing should be enabled once all policies work smoothly). These parameters can be added manually too, of course. Reboot your machine and run the sestatus command as root; the output should be:

 SELinux status: enabled
 SELinuxfs mount: /selinux
 Current mode: permissive
 Mode from config file: permissive
 Policy version: 23
 Policy from config file: refpolicy-standard

When something goes wrong here, use the selinux-ready script from the libselinux package to get a diagnosis.

linux # selinux-ready
Start checking your system to see if it is selinux-ready or not:
        check_dir: OK. /selinux exists.
        check_filesystem: OK. Filesystem 'selinuxfs' exists.
        check_boot: Assuming GRUB as bootloader.
        check_boot: OK. Kernel 'vmlinuz-2.6.31-rc4-1-default' has boot-parameter 'security=selinux.*selinux=1.*enforcing=?'
        check_mkinitrd: OK. Your initrd seems to be correct.
        check_packages: OK. All essential packages are installed
        check_config: OK. Config file seems to be there.

SELinux and openSUSE 11.1

  • add the following line to /lib/mkinitrd/scripts/boot-boot.sh (see this patch for details)
/bin/mount /root/proc
  • after modifying the script, run mkinitrd to replace the old initrd in /boot
  • use YaST2 -> System -> Boot Loader to modify the "Optional Kernel Command Line Parameter" field by adding selinux=1 enforcing=0 (enforcing should be enabled once all policies work smoothly)
  • openSUSE 11.1 does not come with default policies, add the following repository
zypper ar http://download.opensuse.org/repositories/security:/SELinux/openSUSE_11.1/ selinux
  • install SELinux packages
zypper in checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1
  • create selinux directory
 mkdir /selinux
  • file /etc/selinux/config should have the following content:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=refpolicy-standard
  • reboot the machine, login as root and run sestatus command, the output should be:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 23
Policy from config file: refpolicy-standard

SELinux and openSUSE 11.0

  • SELinux cannot be enabled for 11.0, because core packages aren't patched for use with SELinux libraries