SELinux

From ArchWiki


Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD. Its architecture strives to streamline the volume of software charged with security policy enforcement, which is closely aligned with the Trusted Computer System Evaluation Criteria (TCSEC, referred to as Orange Book) requirement for trusted computing base (TCB) minimization (applicable to evaluation classes B3 and A1) but is quite unrelated to the least privilege requirement (B2, B3, A1) as is often claimed. The germinal concepts underlying SELinux can be traced to several earlier projects by the U.S. National Security Agency (NSA). [1]

Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, the SELinux userspace tools and libraries, and an SELinux policy (mostly based on the Reference Policy). Some common Linux programs will also need to be patched or recompiled with SELinux support.


Prerequisites

Only the ext2, ext3, ext4, JFS and XFS filesystems are supported for use with SELinux.

Note: This is probably not needed anymore:

XFS users should use 512-byte inodes (the default is 256). SELinux uses extended attributes for storing security labels on files. XFS stores these in the inode, and if the inode is too small, an extra block has to be used, which wastes a lot of space and incurs performance penalties.

 # mkfs.xfs -i size=512 /dev/sda1  (for example)

Installing needed packages

You should install at least kernel26-selinux, selinux-pam, selinux-usr-policycoreutils and selinux-refpolicy-src. Installing all SELinux-related packages is recommended.

Note: As of 16th November 2009, SELinux-related packages have been moved to the AUR, so you have to build the packages yourself according to the supplied PKGBUILDs. Don't worry: building the kernel package on an ASUS Eee PC takes about three hours (while doing some other work), and the other packages are really small. Packages have been updated, some were deleted, and the kernel package is now kernel26-selinux rather than selinux-kernel26 to comply better with Arch Linux conventions. It may not be a clean upgrade, so be cautious.

When installing from the AUR, you can use yaourt (or something similar) or download tarballs from the AUR manually and build with makepkg. Especially when installing for the first time, take extreme caution when replacing the pam and coreutils packages, as they are vital to your system (having an Arch Linux liveCD or liveUSB ready to use is strongly encouraged).

Warning: Do not run yaourt -Rd pam, yaourt -U selinux-pam via sudo: PAM is what takes care of authentication, and you have just removed it. Instead, first su to root and then run pacman -Rd pam, pacman -U selinux-pam. Running pacman -Rd coreutils, pacman -U selinux-coreutils may also cause you trouble, so perhaps the best way is to install the selinux packages from a liveCD chroot into your system.
Warning: Do not install the selinux-sysvinit package until everything is set up, or you may end up with an unbootable system. Alternatively, don't reboot until you have everything set up.

Package description

SELinux aware system utils

selinux-coreutils
Modified coreutils package compiled with SELinux support enabled
selinux-flex
Flex version needed only to build checkpolicy. The current flex has a bug that causes the checkmodule command to fail.
kernel26-selinux
SELinux-enabled kernel (replaces selinux-kernel26). Compiling custom modules such as virtualbox works.
selinux-pam
pam package with pam_selinux.so
selinux-sysvinit
sysvinit which loads the policy at startup. Be careful: it fails if the SELinux policy cannot be loaded!

SELinux userspace

selinux-usr-checkpolicy
Tools to build SELinux policy
selinux-usr-libselinux
Library for security-aware applications. Python bindings needed for semanage and setools now included.
selinux-usr-libsemanage
Library for policy management. Python bindings needed for semanage and setools now included.
selinux-usr-libsepol
Library for binary policy manipulation.
selinux-usr-policycoreutils
SELinux core utils such as newrole, setfiles, etc.
selinux-usr-sepolgen
A python library for parsing and modifying policy source.

SELinux policy

selinux-refpolicy-src
Reference policy sources

Other SELinux tools

selinux-setools
CLI and GUI tools to manage SELinux

Note: If using proprietary drivers, such as NVIDIA graphics drivers, you may need to rebuild them for custom kernels.

Configuration

After installation of the needed packages, you have to set up a few things so that SELinux can be used.

Changing boot loader configuration

You have to manually change GRUB's /boot/grub/menu.lst so that the custom kernel is booted, e.g.:

# (1) Arch Linux
title  Arch Linux (SELinux)
root   (hd0,4)
kernel /boot/vmlinuz26-selinux root=/dev/sda5 ro vga=775
initrd /boot/kernel26-selinux.img

Mounting selinuxfs

Add following to /etc/fstab:

none   /selinux   selinuxfs   noauto   0   0

Don't forget to create the mountpoint:

mkdir /selinux

Main SELinux configuration file

Create /etc/selinux/config and add the following to it:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=refpolicy

Note: The option SELINUX=permissive is suitable only for testing; it gives no security. When everything is set up and working, you should change it to SELINUX=enforcing. The option SELINUXTYPE=refpolicy specifies the name of the policy in use. Change it if you choose another name for your policy.

Set up PAM

To get a proper security context on login, ensure the following line is present in /etc/pam.d/login, /etc/pam.d/kde, etc.:

session	optional	pam_selinux.so

Reference policy

As Arch Linux doesn't supply a precompiled custom policy like Fedora does, you'll have to compile one from the refpolicy sources:

Note: The build configuration is located in the file build.conf, which is rewritten on every selinux-refpolicy-src package upgrade, so back your configuration up.

cd /etc/selinux/refpolicy/src/policy
make bare
make conf
make load

Copy or link the compiled binary policy to /etc/policy.bin for sysvinit to find and install selinux-sysvinit:

ln -s /etc/selinux/refpolicy/policy/policy.21 /etc/policy.bin

At this point the files do not have any security context, so you should relabel the filesystem, which will take a while:

make relabel

If you use the ext4 filesystem, you should use the fixfiles or restorecon utilities, as make relabel doesn't seem to be aware of ext4:

fixfiles restore
restorecon -r /

Now you are ready to reboot and check that everything works.

Post-installation steps

You can check that SELinux is working with sestatus. You should get something like:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        refpolicy

To maintain correct context, you can use restorecond:

touch /etc/rc.d/restorecond
chmod ugo+x /etc/rc.d/restorecond

The file should contain:

#!/bin/sh
restorecond

Note: Don't forget to add restorecond to the daemons array in /etc/rc.conf.

To switch to enforcing mode without reboot, you can use:

echo 1 >/selinux/enforce

Note: If setting SELINUX=enforcing in /etc/selinux/config doesn't work for you, create /etc/rc.d/selinux-enforce containing the preceding command, in the same way as the restorecond daemon script above.

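The sestatus output shown above is worth a second look: "Current mode: permissive" next to "Mode from config file: enforcing" means the policy is loaded but not enforced, exactly the state the note under /etc/selinux/config warns about. The script below is an added example (it is not from the ArchWiki page or from the SELinux userspace tools) that checks both sides: check_config_file validates the SELINUX= and SELINUXTYPE= values in a config file before you reboot, and check_mode_drift compares the two mode lines of saved sestatus output. It assumes the config keys and sestatus labels look as they do on this page; the optional second argument of check_config_file is a root directory used only so the check can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not taken from the ArchWiki page or from the SELinux tools:
#   check_config_file  - validates /etc/selinux/config before a reboot
#   check_mode_drift   - compares "Current mode" with "Mode from config file"
#                        in sestatus output saved to a file
# Assumptions: config keys and sestatus labels as shown on the page; $2 of
# check_config_file is a root prefix (default: none) under which
# /etc/selinux/<SELINUXTYPE> is expected to exist.

# Accept only the three SELINUX= values the config file documents.
valid_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the file requests enforcing and names an existing policy
# directory, 1 on an invalid value or missing policy directory, 2 when the
# mode is valid but gives no protection (permissive or disabled).
check_config_file() {
    cfg=$1
    root=${2:-}
    mode=$(sed -n 's/^SELINUX=//p' "$cfg" | tail -n 1)      # last assignment wins
    ptype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n 1)
    if ! valid_mode "$mode"; then
        echo "ERROR: SELINUX='$mode' is not enforcing, permissive or disabled"
        return 1
    fi
    if [ -z "$ptype" ] || [ ! -d "$root/etc/selinux/$ptype" ]; then
        echo "ERROR: SELINUXTYPE='$ptype' has no directory under $root/etc/selinux"
        return 1
    fi
    if [ "$mode" != enforcing ]; then
        echo "WARNING: SELINUX=$mode loads the policy but does not enforce it"
        return 2
    fi
    echo "OK: SELINUX=enforcing, policy '$ptype' present"
    return 0
}

# Pull the value of one "Label:   value" line out of sestatus output on stdin.
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Return 0 when the running mode is enforcing and matches the config file,
# 1 when runtime and config disagree, 2 when both agree on a non-enforcing mode.
check_mode_drift() {
    current=$(sestatus_field "Current mode" < "$1")
    configured=$(sestatus_field "Mode from config file" < "$1")
    if [ "$current" != "$configured" ]; then
        echo "DRIFT: running '$current' but /etc/selinux/config requests '$configured'"
        return 1
    fi
    if [ "$current" != enforcing ]; then
        echo "WARNING: system is $current; denials are only logged, not enforced"
        return 2
    fi
    echo "OK: enforcing at runtime and in the config file"
    return 0
}

# Stand-alone demo on a constructed copy of the two mode lines quoted above.
demo=$(mktemp)
printf '%s\n' \
    'Current mode:                   permissive' \
    'Mode from config file:          enforcing' > "$demo"
check_mode_drift "$demo" || true
rm -f "$demo"
```

On a live system you would run sestatus > /tmp/status and pass that file to check_mode_drift; a DRIFT result after a reboot usually means the policy failed to load or the enforce switch was never flipped, so fix that rather than silently writing 1 to /selinux/enforce.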
Useful tools

There are some tools/commands that can greatly help with SELinux.

  • restorecon: Restores the context of a file/directory (or recursively with -R) based on the policy rules
  • rlpkg: Relabels any files belonging to a given Gentoo package to their proper security context (if they have one)
  • chcon: Changes the context of a specific file
  • audit2allow: Reads log messages from the AVC log file and tells you what rules would fix the error. Don't just add these rules without looking at them, though: audit2allow cannot detect errors elsewhere (i.e. the application running in the wrong context in the first place), and sometimes things generate error messages but keep working, in which case it is better to add a dontaudit rule to just ignore the access attempts.
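
The audit2allow caveat above is easier to act on if the denials are grouped before any rule is generated. The following is an added example, not from the ArchWiki page and not part of audit2allow: it reduces an audit log to one line per (source domain, target context, class, permission) with a hit count, and tags denials whose source domain is initrc_t or unconfined_t as suspect, since a daemon still running in the init-script domain has usually missed its domain transition and no allow rule should paper over that. The log lines in sample_avc_log are constructed for the example; their layout (avc: denied { perms } ... scontext= tcontext= tclass=) is the standard AVC record format, and the choice of suspect domains is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or from audit2allow: group AVC
# denials so each one is judged before an allow rule is written for it.
# Sample lines are constructed; suspect-domain list (initrc_t, unconfined_t)
# is an assumption for illustration based on refpolicy's init-script domain.

# Constructed audit log: two identical httpd denials, one daemon that never
# left initrc_t, and one sshd port bind.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1258000000.101:12): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda5 ino=4242 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1258000000.102:13): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda5 ino=4242 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1258000000.200:14): avc:  denied  { write } for  pid=2345 comm="mydaemon" name="mydaemon.log" dev=sda5 ino=5151 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1258000000.300:15): avc:  denied  { name_bind } for  pid=3456 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
EOF
}

# stdin: audit log. stdout: tag, count, source domain, target context, class,
# permission (tab-separated), one line per distinct tuple, sorted.
summarize_avc() {
    awk '
    /avc:[[:space:]]+denied/ {
        perms = $0
        sub(/.*denied[[:space:]]*[{][[:space:]]*/, "", perms)   # keep text after "{"
        sub(/[[:space:]]*[}].*/, "", perms)                      # drop text from "}"
        n = split(perms, p, /[[:space:]]+/)                      # one or more perms
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = substr($i, 10)
            if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        split(src, sc, ":")
        dom = sc[3]                        # user:role:type, the type is the domain
        for (i = 1; i <= n; i++)
            count[dom "\t" tgt "\t" cls "\t" p[i]]++
    }
    END {
        for (k in count) {
            split(k, f, "\t")
            tag = (f[1] == "initrc_t" || f[1] == "unconfined_t") ? "SUSPECT" : "review"
            printf "%s\t%d\t%s\t%s\t%s\t%s\n", tag, count[k], f[1], f[2], f[3], f[4]
        }
    }' | sort
}

# Stand-alone run over the constructed sample.
sample_avc_log | summarize_avc
```

Feed the real log with summarize_avc < /var/log/audit/audit.log (or wherever the AVC messages land on your system). Lines tagged review are candidates for audit2allow or, if the program works despite the denial, for a dontaudit rule; lines tagged SUSPECT point at a labelling or domain-transition problem that an allow rule would only hide.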
