SELinux
From ArchWiki
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD. Its architecture strives to streamline the volume of software charged with security policy enforcement, which is closely aligned with the Trusted Computer System Evaluation Criteria (TCSEC, referred to as Orange Book) requirement for trusted computing base (TCB) minimization (applicable to evaluation classes B3 and A1) but is quite unrelated to the least privilege requirement (B2, B3, A1) as is often claimed. The germinal concepts underlying SELinux can be traced to several earlier projects by the U.S. National Security Agency (NSA). [1]
Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, the SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched or compiled with SELinux features.
Prerequisites
Only the ext2, ext3, ext4, JFS and XFS filesystems support SELinux.
XFS users should use 512-byte inodes (the default is 256). SELinux stores its security labels in files' extended attributes. XFS keeps these in the inode, and if the inode is too small an extra block has to be used, which wastes a lot of space and incurs performance penalties. For example:
# mkfs.xfs -i size=512 /dev/sda1
Installing needed packages
You should install at least kernel26-selinux, selinux-pam, selinux-usr-policycoreutils and selinux-refpolicy-src. Installing all SELinux-related packages is recommended.
When installing from the AUR, you can use yaourt (or something similar) or download the tarballs from the AUR manually and build them with makepkg. Especially when installing for the first time, take extreme caution when replacing the pam and coreutils packages, as they are vital to your system (having an Arch Linux live CD or live USB ready to use is strongly encouraged).
Package description
SELinux aware system utils
- selinux-coreutils
- Modified coreutils package compiled with SELinux support enabled
- selinux-flex
- Flex version needed only to build checkpolicy. The current flex has an error that causes the checkmodule command to fail.
- kernel26-selinux
- SELinux-enabled kernel (replaces selinux-kernel26). Compiling custom modules such as virtualbox works.
- selinux-pam
- pam package with pam_selinux.so
- selinux-sysvinit
- sysvinit which loads the policy at startup. Be careful: it fails if the SELinux policy cannot be loaded!
SELinux userspace
- selinux-usr-checkpolicy
- Tools to build SELinux policy
- selinux-usr-libselinux
- Library for security-aware applications. Python bindings needed for semanage and setools now included.
- selinux-usr-libsemanage
- Library for policy management. Python bindings needed for semanage and setools now included.
- selinux-usr-libsepol
- Library for binary policy manipulation.
- selinux-usr-policycoreutils
- SELinux core utils such as newrole, setfiles, etc.
- selinux-usr-sepolgen
- A python library for parsing and modifying policy source.
SELinux policy
- selinux-refpolicy-src
- Reference policy sources
Other SELinux tools
- selinux-setools
- CLI and GUI tools to manage SELinux
Configuration
After installing the needed packages, you have to set up a few things so that SELinux can be used.
Changing boot loader configuration
You have to manually change grub's /boot/grub/menu.lst so that the custom kernel is booted, e.g.:
# (1) Arch Linux
title Arch Linux (SELinux)
root (hd0,4)
kernel /boot/vmlinuz26-selinux root=/dev/sda5 ro vga=775
initrd /boot/kernel26-selinux.img
Mounting selinuxfs
Add following to /etc/fstab:
none /selinux selinuxfs noauto 0 0
Don't forget to create the mountpoint:
mkdir /selinux
Main SELinux configuration file
Create /etc/selinux/config and add the following to it:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=refpolicy
Set up PAM
To get a proper security context on login, ensure the following line is present in /etc/pam.d/login, /etc/pam.d/kde, etc.:
session optional pam_selinux.so
Reference policy
As Arch Linux does not supply a precompiled policy the way Fedora does, you will have to compile one from the refpolicy sources:
cd /etc/selinux/refpolicy/src/policy
make bare
make conf
make load
Copy or link the compiled binary policy to /etc/policy.bin, where selinux-sysvinit looks for it, and install selinux-sysvinit:
ln -s /etc/selinux/refpolicy/policy/policy.21 /etc/policy.bin
At this point files do not have any context yet, so you should relabel the filesystem, which will take a while:
make relabel
If you use the ext4 filesystem you should use the fixfiles or restorecon utilities instead, as make relabel does not seem to be aware of ext4:
fixfiles restore
restorecon -r /
Now you are ready to reboot and check that everything works.
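Before rebooting it is worth checking that every piece the steps above rely on is in place, because selinux-sysvinit fails if the policy cannot be loaded. The following script is an added example, not part of the ArchWiki page; it takes a path prefix so it can be run against a staging tree, and it assumes the file locations used above (/etc/selinux/config, /etc/fstab, /etc/policy.bin, /etc/pam.d/login).

```shell
#!/bin/sh
# Pre-reboot check for the set-up above (added example, not from the ArchWiki
# page). ROOT is a path prefix, so it can be run against a staging tree; pass
# "/" for the live system. Prints each missing piece and returns non-zero.
selinux_preflight() {
    root="${1%/}"
    fail=0
    cfg="$root/etc/selinux/config"
    # 1. /etc/selinux/config must exist and carry valid SELINUX= and SELINUXTYPE=
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg"; fail=1; mode=""
    else
        mode=$(sed -n 's/^SELINUX=\(.*\)$/\1/p' "$cfg" | tail -n 1)
        ptype=$(sed -n 's/^SELINUXTYPE=\(.*\)$/\1/p' "$cfg" | tail -n 1)
        case "$mode" in
            enforcing|permissive|disabled) ;;
            *) echo "bad SELINUX=$mode in $cfg"; fail=1 ;;
        esac
        [ -n "$ptype" ] || { echo "SELINUXTYPE not set in $cfg"; fail=1; }
    fi
    # 2. selinuxfs mountpoint and its fstab line
    [ -d "$root/selinux" ] || { echo "mountpoint $root/selinux missing"; fail=1; }
    grep -q '^[^#].*[[:space:]]/selinux[[:space:]][[:space:]]*selinuxfs' \
        "$root/etc/fstab" 2>/dev/null \
        || { echo "no selinuxfs entry in $root/etc/fstab"; fail=1; }
    # 3. binary policy where selinux-sysvinit looks for it; -e also catches a
    #    dangling symlink, which would make sysvinit fail at boot
    [ -e "$root/etc/policy.bin" ] \
        || { echo "$root/etc/policy.bin missing or dangling"; fail=1; }
    # 4. pam_selinux session line in /etc/pam.d/login
    grep -q '^session[[:space:]][[:space:]]*optional[[:space:]][[:space:]]*pam_selinux\.so' \
        "$root/etc/pam.d/login" 2>/dev/null \
        || { echo "pam_selinux.so not in $root/etc/pam.d/login"; fail=1; }
    # 5. first boot should be permissive so labelling mistakes do not lock you out
    if [ "$mode" = "enforcing" ]; then
        echo "note: SELINUX=enforcing; permissive is safer for the first boot"
    fi
    return "$fail"
}

if [ "$#" -gt 0 ]; then
    selinux_preflight "$1"
fi
```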
Post-installation steps
You can check that SELinux is working with sestatus. You should get something like:
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        refpolicy
To keep file contexts correct, you can run restorecond. Create an rc.d script for it:
touch /etc/rc.d/restorecond
chmod ugo+x /etc/rc.d/restorecond
It should contain:
#!/bin/sh
restorecond
To switch to enforcing mode without reboot, you can use:
echo 1 >/selinux/enforce
Useful tools
There are some tools/commands that can greatly help with SELinux.
- restorecon: Restores the context of a file/directory (or recursively with -R) based on the policy's file context rules
- rlpkg: Relabels any files belonging to a given Gentoo package to their proper security context (if they have one)
- chcon: Change the context on a specific file
- audit2allow: Reads log messages from the AVC log file and tells you what rules would fix the error. Do not just add these rules without looking at them, though: they cannot detect errors elsewhere (i.e. the application running in the wrong context in the first place), and sometimes things generate error messages but keep working, in which case it is better to add a dontaudit rule so the access attempts are simply ignored.
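Reviewing denials before handing them to audit2allow is easier when they are grouped. The script below is an added example, not from the ArchWiki page: it summarises AVC records by process, source context, target context, class and permission set, and separately lists denials whose source domain is still initrc_t, which (under refpolicy's usual naming, assumed here) means the daemon never transitioned into its own domain and the fix is the transition, not an allow rule. The sample records are constructed, not real log data.

```shell
#!/bin/sh
# Triage of AVC denials before running audit2allow (added example, not from the
# ArchWiki page). Groups denials so each group can be judged on its own.
# Constructed sample records in the kernel audit format; not real log data.
SAMPLE_AVC='type=AVC msg=audit(1300000000.001:10): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev=sda5 ino=4421 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1300000000.002:11): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev=sda5 ino=4422 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1300000000.003:12): avc:  denied  { write } for  pid=1201 comm="httpd" name="log" dev=sda5 ino=9 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=dir
type=AVC msg=audit(1300000000.004:13): avc:  denied  { getattr } for  pid=77 comm="cupsd" path="/etc/shadow" dev=sda5 ino=31 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file'

# Reads AVC records on stdin and prints "count comm scontext tcontext tclass {perms}"
# sorted by frequency, so the most common denial is reviewed first.
avc_summary() {
    awk '
    /avc: *denied/ {
        split($0, a, "{"); split(a[2], b, "}")
        perms = b[1]; gsub(/^ +| +$/, "", perms)
        comm = sc = tc = cl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)          { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/) sc = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc = substr($i, 10)
            else if ($i ~ /^tclass=/)   cl = substr($i, 8)
        }
        n[comm " " sc " " tc " " cl " {" perms "}"]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Denials whose source is still initrc_t: the daemon was started from an init
# script and never transitioned to its own domain (assumed refpolicy naming),
# so the fix is the missing domain transition, not an allow rule from audit2allow.
avc_untransitioned() {
    avc_summary | awk '$3 ~ /:initrc_t$/'
}

if [ "$#" -gt 0 ]; then
    avc_summary < "$1"
else
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
fi
```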