ArchWiki - User contributions [en], feed retrieved 2024-03-28T12:03:50Z (MediaWiki 1.41.0). Contribution by Ajes: SELinux, revision of 2011-10-16T07:15:56Z, https://wiki.archlinux.org/index.php?title=SELinux&diff=166114 . Edit summary: Added information about: audit
<div>[[Category:Security (English)]]
[[Category:Kernel (English)]]
[[Category:Networking (English)]]
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD. Its architecture strives to minimize the volume of software charged with security policy enforcement, which is closely aligned with the Trusted Computer System Evaluation Criteria (TCSEC, known as the Orange Book) requirement for trusted computing base (TCB) minimization (applicable to evaluation classes B3 and A1), but is quite unrelated to the least privilege requirement (B2, B3, A1), contrary to what is often claimed. The germinal concepts underlying SELinux can be traced to several earlier projects by the U.S. National Security Agency (NSA). [1]

Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, the SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some common Linux programs also need to be patched and compiled with SELinux support.

==Prerequisites==

SELinux is supported only on the ext2, ext3, ext4, JFS and XFS filesystems.

{{Note| This is probably not needed anymore:}}

XFS users should use 512-byte inodes (the default is 256). SELinux stores security labels in files' extended attributes. XFS stores these in the inode, and if the inode is too small an extra block has to be used, which wastes a lot of space and incurs performance penalties. For example:

 # mkfs.xfs -i size=512 /dev/sda1

==Installing needed packages==

You should install at least {{Package AUR|linux-selinux}}, {{Package AUR|selinux-pam}}, {{Package AUR|selinux-usr-policycoreutils}} and {{Package AUR|selinux-refpolicy-src}} from the [[AUR]]. Installing all SELinux-related packages is recommended.

When installing from the [[AUR]], you can use an [[AUR helper]] or download tarballs from the AUR manually and build with {{Codeline|makepkg}}. Especially when installing for the first time, take extreme caution when replacing the pam and coreutils packages, as they are vital to your system. Having the Arch Linux live CD or live USB drive ready to use is strongly encouraged.

{{Warning| Do '''not''' remove {{Package Official|pam}} via sudo: PAM is what handles authentication, so once it is removed sudo can no longer authenticate you. Instead, first ''su'' to root and then run:
pacman -Rdd pam
pacman -U selinux-pam
Running {{Codeline|pacman -Rdd coreutils}} followed by {{Codeline|pacman -U selinux-coreutils}} may also cause trouble, so the safest approach is to install the {{Codeline|selinux-*}} packages from a live CD while chrooted into your system.}}

{{Warning| Do '''not''' install the {{Package AUR|selinux-sysvinit}} package until everything else is set up, as you may end up with an unbootable system; at the very least, do not reboot until everything is set up.}}

===Package description===

All SELinux-related packages belong to the ''selinux'' group. The ''selinux-system-utilities'' group is used for modified packages from the {{Codeline|[core]}} repository. The ''selinux-userspace'' group contains packages from the SELinux Userspace project. Security policies belong to the ''selinux-policies'' group. Other packages are in the ''selinux-extras'' group.

====SELinux aware system utils====

;{{Package AUR|linux-selinux}}
:SELinux-enabled kernel. Compiling custom modules such as virtualbox works.

;{{Package AUR|selinux-coreutils}}
:Modified coreutils package compiled with SELinux support enabled.

;{{Package AUR|selinux-flex}}
:Flex version needed only to build checkpolicy. The current flex release has a bug that makes the checkmodule command fail.

;{{Package AUR|selinux-pam}}
:PAM package with pam_selinux.so.

;{{Package AUR|selinux-sysvinit}}
:Sysvinit which loads the policy at startup. Be careful; it fails if the SELinux policy cannot be loaded!

;{{Package AUR|selinux-util-linux}}
:Modified util-linux package compiled with SELinux support enabled.

;{{Package AUR|selinux-udev}}
:Modified [[udev]] package compiled with SELinux support enabled so that files in {{Filename|/dev}} are labeled correctly.

;{{Package AUR|selinux-findutils}}
:Patched findutils package compiled with SELinux support, making it possible to search for files with a given security context.

;{{Package AUR|selinux-sudo}}
:Modified [[sudo]] package compiled with SELinux support, which sets the security context correctly.

;{{Package AUR|selinux-procps}}
:Procps package with an SELinux patch based on some Fedora patches.

;{{Package AUR|selinux-psmisc}}
:Psmisc package compiled with SELinux support; for example, it adds the {{Codeline|-Z}} option to {{Codeline|killall}}.

;{{Package AUR|selinux-shadow}}
:Shadow package compiled with SELinux support; contains a modified {{Filename|/etc/pam.d/login}} file to set the correct security context for the user after login.

;{{Package AUR|selinux-cronie}}
:Fedora fork of Vixie cron with SELinux enabled.

;{{Package AUR|selinux-logrotate}}
:Logrotate package compiled with SELinux support.

;{{Package AUR|selinux-openssh}}
:OpenSSH package compiled with SELinux support to set the security context for user sessions.

====SELinux userspace====
;{{Package AUR|selinux-usr-checkpolicy}}
:Tools to build SELinux policy.

;{{Package AUR|selinux-usr-libselinux}}
:Library for security-aware applications. The Python bindings needed for ''semanage'' and ''setools'' are now included.

;{{Package AUR|selinux-usr-libsemanage}}
:Library for policy management. The Python bindings needed for ''semanage'' and ''setools'' are now included.

;{{Package AUR|selinux-usr-libsepol}}
:Library for binary policy manipulation.

;{{Package AUR|selinux-usr-policycoreutils}}
:SELinux core utilities such as newrole, setfiles, etc.

;{{Package AUR|selinux-usr-sepolgen}}
:A Python library for parsing and modifying policy source.

====SELinux policy====

;{{Package AUR|selinux-refpolicy}}
:Precompiled modular but otherwise vanilla Reference Policy with headers and documentation but without sources.

;{{Package AUR|selinux-refpolicy-src}}
:Reference Policy sources.

;{{Package AUR|selinux-refpolicy-arch}}
:Precompiled modular Reference Policy with headers and documentation but without sources. The development Arch Linux Refpolicy patch is included, but for now [February 2011] it only fixes some issues with {{Filename|/etc/rc.d/*}} labeling.

====Other SELinux tools====

;{{Package AUR|selinux-setools}}
:CLI and GUI tools to manage SELinux.

;{{Package AUR|audit}}
:User space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel. SELinux (the AVC) logs every denial through audit, which makes this package very useful for troubleshooting SELinux; audit2allow also reads the log this program produces.

{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}

==Configuration==

After installing the needed packages, you have to set up a few things before SELinux can be used.

===Changing boot loader configuration===

You have to manually change Grub's {{Filename|/boot/grub/menu.lst}} so that the custom kernel is booted, e.g.:

 # (1) Arch Linux
 title Arch Linux (SELinux)
 root (hd0,4)
 kernel /boot/'''vmlinuz-linux-selinux''' root=/dev/sda5 ro vga=775
 initrd /boot/'''initramfs-linux-selinux.img'''

===Mounting selinuxfs===

Add the following to {{Filename|/etc/fstab}}:

 none /selinux selinuxfs noauto 0 0

Do not forget to create the mountpoint:

 mkdir /selinux

===Main SELinux configuration file===
The main SELinux configuration file ({{Filename|/etc/selinux/config}}) is part of the {{Package AUR|selinux-refpolicy}} package currently in the AUR. Its default contents are as follows:

 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings
 # instead of enforcing.
 # disabled - No SELinux policy is loaded.
 SELINUX=permissive
 # SELINUXTYPE= takes the name of SELinux policy to
 # be used. Current options are:
 # refpolicy (vanilla reference policy)
 # refpolicy-arch (reference policy with
 # Arch Linux patch)
 SELINUXTYPE=refpolicy

{{Note|The option {{Codeline|SELINUX<nowiki>=</nowiki>permissive}} is suitable only for testing: it gives no security, since denials are only logged. When everything is set up and working, change it to {{Codeline|SELINUX<nowiki>=</nowiki>enforcing}}. The option {{Codeline|SELINUXTYPE<nowiki>=</nowiki>refpolicy}} specifies the name of the policy in use; change it if you choose another name for your policy. If you plan to compile the policy from source, you have to create this file yourself.}}

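The following is an added example, not code from the wiki page or from any of the selinux packages: a small POSIX shell check for an {{Filename|/etc/selinux/config}}-style file that extracts the effective SELINUX and SELINUXTYPE values and flags the permissive and disabled modes as giving no enforcement. The function name and the sample file it is run on are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): sanity-check an
# /etc/selinux/config-style file. The function name and the constructed
# sample file below are assumptions made for this example.
# Usage: selinux_config_check FILE
# Prints: SELINUX=<mode> SELINUXTYPE=<type> RESULT=<verdict>
# Exit status: 0 for ok or a warning, 1 for an error.

selinux_config_check() {
    file=$1
    # Last uncommented assignment of each key wins; comment lines such as
    # "# SELINUX= can take ..." are skipped because they start with '#'.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file" | tail -n 1)
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file" | tail -n 1)
    case $mode in
        enforcing)  verdict=ok ;;
        permissive) verdict=warn-permissive-no-enforcement ;;   # denials are only logged
        disabled)   verdict=warn-disabled-no-policy ;;          # no policy loaded at all
        "")         verdict=error-SELINUX-missing ;;
        *)          verdict=error-SELINUX-invalid ;;
    esac
    # Without a policy name the init scripts have no policy to load.
    [ -n "$ptype" ] || verdict=error-SELINUXTYPE-missing
    echo "SELINUX=${mode:-unset} SELINUXTYPE=${ptype:-unset} RESULT=$verdict"
    [ "$verdict" = ok ] || [ "${verdict#warn}" != "$verdict" ]
}

# Constructed sample: the package default shown on the page, which is fine
# for testing but must be changed to enforcing once everything works.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=permissive
# SELINUXTYPE= takes the name of SELinux policy to be used.
SELINUXTYPE=refpolicy
EOF
selinux_config_check "$SAMPLE_CONFIG"   # reports warn-permissive-no-enforcement
rm -f "$SAMPLE_CONFIG"
```

Running it against the real file (`selinux_config_check /etc/selinux/config`) after switching to enforcing should print `RESULT=ok`; anything starting with `warn` means the policy is not actually being enforced.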
===Set up PAM===

A correctly set up PAM is important for getting a proper security context after login. If you installed {{Package AUR|selinux-shadow}} from the AUR, the following lines should be present in {{Filename|/etc/pam.d/login}}:

 # pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session required pam_selinux.so open

If not, add them to the file. The same applies to logging in via SSH: {{Filename|/etc/pam.d/sshd}}, which is part of the {{Package AUR|selinux-openssh}} package, needs the same lines.

If you want to use SELinux with a GUI, you should add the aforementioned lines to other files such as {{Filename|/etc/pam.d/kde}}, {{Filename|/etc/pam.d/kde-np}}, ... depending on your login manager.

{{Note|Running SELinux with GUI applications in Arch Linux is not well supported at the moment.}}

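As an added example (not from the page or from the selinux-shadow package), this shell function checks a pam.d service file for the ordering described above: pam_selinux.so close must be the first session rule, and pam_selinux.so open must follow in a later session rule. The function name and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): verify that a pam.d service
# file has "pam_selinux.so close" as its first session rule and a later
# "pam_selinux.so open" session rule, as required for login and sshd.
# The function name and the sample files are constructed for this example.
# Usage: pam_selinux_check FILE
# Prints: ok | no-session-rules | close-not-first | open-missing

pam_selinux_check() {
    file=$1
    # Keep only session rules, dropping comment lines; awk's exit status
    # ends the pipeline, so an all-comment file simply yields no rules.
    rules=$(grep -v '^[[:space:]]*#' "$file" | awk '$1 == "session"')
    first=$(printf '%s\n' "$rules" | head -n 1)
    case $first in
        *pam_selinux.so*close*) ;;                  # close is first: good
        "") echo no-session-rules; return 1 ;;
        *)  echo close-not-first; return 1 ;;
    esac
    # open must appear in a later session rule (never before close).
    if printf '%s\n' "$rules" | tail -n +2 | grep -q 'pam_selinux\.so[[:space:]][[:space:]]*open'; then
        echo ok
    else
        echo open-missing; return 1
    fi
}

# Constructed sample files: one correct, one with close not first.
GOOD=$(mktemp); BAD=$(mktemp)
printf 'auth required pam_unix.so\nsession required pam_selinux.so close\nsession required pam_unix.so\nsession required pam_selinux.so open\n' > "$GOOD"
printf 'session required pam_unix.so\nsession required pam_selinux.so close\nsession required pam_selinux.so open\n' > "$BAD"
for f in "$GOOD" "$BAD"; do
    printf '%s: %s\n' "$f" "$(pam_selinux_check "$f")"
done
rm -f "$GOOD" "$BAD"
```

On a real system you would call it as `pam_selinux_check /etc/pam.d/login` and `pam_selinux_check /etc/pam.d/sshd`; a non-zero exit status means a login through that service will not get the intended context.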
==Reference policy==

There are currently two possible ways of installing the Reference Policy: from a precompiled package ({{Package AUR|selinux-refpolicy}}) or from a source package ({{Package AUR|selinux-refpolicy-src}}).

{{Note| It is possible to have both the source and the binary package installed. If you plan to build from source in that case, you should probably change the name of the policy in {{Filename|build.conf}} to avoid overwriting the selinux-refpolicy package's files.}}

===Installing a precompiled refpolicy===

Install {{Package AUR|selinux-refpolicy}} from the AUR. This is a modular but otherwise vanilla refpolicy. The package includes policy headers (so you can compile your own modules), policy documentation and an install script which loads the policy for you and relabels your filesystem (which will likely take some time). It does not include the sources, though.

This package also includes the main SELinux configuration file ({{Filename|/etc/selinux/config}}), defaulting to refpolicy and permissive SELinux enforcement for testing purposes.

You should verify that the policy was correctly loaded, that is, that the file {{Filename|/etc/selinux/refpolicy/policy/policy.24}} has non-zero size. If so, and if you have installed {{Package AUR|selinux-sysvinit}} and the other needed packages, you are ready to reboot and make sure that everything works.

{{Warning| On newer kernels (e.g. 3.0) the file {{Filename|/etc/selinux/refpolicy/policy/policy.24}} has zero size, because a newer policy version is used instead, stored in {{Filename|/etc/selinux/refpolicy/policy/policy.26}}.}}

In case the policy was not correctly loaded, you can load it as root with the following command, run inside the {{Filename|/usr/share/selinux/refpolicy}} directory:

 /bin/ls *.pp | /bin/grep -Ev "base.pp|enableaudit.pp" | /usr/bin/xargs /usr/sbin/semodule -s refpolicy -b base.pp -i

To manually relabel your filesystem you can, as root, use:

 /sbin/restorecon -r /

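Added example, not part of the wiki page: a shell check that finds the newest policy.<N> file under a policy directory and reports whether it has non-zero size, so the verification works whether the kernel produced policy.24 or policy.26. The root directory parameter and the constructed tree it runs on are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): find the newest binary policy
# under <root>/etc/selinux/<type>/policy and check that it is non-empty,
# which covers the policy.24-vs-policy.26 caveat. The ROOT parameter and
# the constructed tree below exist only so the check can run offline.
# Usage: newest_policy_check ROOT TYPE
# Prints: "<path> <bytes> <verdict>" with verdict ok | empty | missing

newest_policy_check() {
    root=$1; ptype=$2
    dir="$root/etc/selinux/$ptype/policy"
    newest=""; newest_ver=-1
    for f in "$dir"/policy.*; do
        [ -e "$f" ] || continue                       # unmatched glob stays literal
        ver=${f##*.}
        case $ver in *[!0-9]*|"") continue ;; esac    # only policy.<N> files count
        if [ "$ver" -gt "$newest_ver" ]; then
            newest_ver=$ver; newest=$f
        fi
    done
    if [ -z "$newest" ]; then
        echo "none 0 missing"; return 1
    fi
    size=$(wc -c < "$newest" | tr -d '[:space:]')
    if [ "$size" -gt 0 ]; then
        echo "$newest $size ok"
    else
        echo "$newest 0 empty"; return 1            # stale file, policy not built/loaded
    fi
}

# Constructed tree: policy.24 is empty (as on a 3.0 kernel), policy.26 holds data.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/selinux/refpolicy/policy"
: > "$ROOT/etc/selinux/refpolicy/policy/policy.24"
printf 'constructed-policy-bytes' > "$ROOT/etc/selinux/refpolicy/policy/policy.26"
newest_policy_check "$ROOT" refpolicy       # picks policy.26, not the empty policy.24
rm -rf "$ROOT"
```

On a live system `newest_policy_check / refpolicy` (or `/ refpolicy-arch`) gives the same answer the manual size check above does, without hard-coding the policy version number.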
===Installing refpolicy from a source package===

Install {{Package AUR|selinux-refpolicy-src}} from the AUR. Edit the file {{Filename|/etc/selinux/refpolicy/src/policy/build.conf}} to your liking.

{{Note|The build configuration file {{Filename|build.conf}} is overwritten on every selinux-refpolicy-src package upgrade, so back up your configuration.}}

To build, install and load the policy from source, do the following. (For other possibilities consult the README file located in {{Filename|/etc/selinux/refpolicy/src/policy/}}.)

 cd /etc/selinux/refpolicy/src/policy
 make bare
 make conf
 make load

Copy or link the compiled binary policy to {{Filename|/etc/policy.bin}} so that sysvinit can find it, then install selinux-sysvinit:

 ln -s /etc/selinux/refpolicy/policy/policy.21 /etc/policy.bin

At this moment files do not have any context, so you should relabel the whole filesystem, which will take a while:

 make relabel

Create the main SELinux configuration file ({{Filename|/etc/selinux/config}}) according to the example in the related section above.

Now you are ready to reboot and make sure that everything works.

==Post-installation steps==
{{Warning| If you did not install ''selinux-sysvinit'', SELinux will show up as disabled and {{Filename|/selinux}} will not be mounted.}}

You can check that SELinux is working with ''sestatus''. You should get something like:

 SELinux status: enabled
 SELinuxfs mount: /selinux
 Current mode: permissive
 Mode from config file: enforcing
 Policy version: 24
 Policy from config file: refpolicy

To maintain correct contexts, you can use ''restorecond'':

 touch /etc/rc.d/restorecond
 chmod ugo+x /etc/rc.d/restorecond

This file should contain:

 #!/bin/sh
 restorecond

{{Note|Do not forget to add {{Codeline|restorecond}} to your {{Codeline|DAEMONS}} array in {{Filename|/etc/rc.conf}}.}}

To switch to enforcing mode without rebooting, you can use:

 echo 1 >/selinux/enforce

{{Note|If setting {{Codeline|SELINUX<nowiki>=</nowiki>enforcing}} in {{Filename|/etc/selinux/config}} does not work for you, create {{Filename|/etc/rc.d/selinux-enforce}} containing the preceding command, in the same way as for the restorecond daemon.}}

==Useful tools==

There are some tools and commands that can greatly help with SELinux.

*'''restorecon''': Restores the context of a file or directory (or recursively with -R) based on the policy's file context rules.
*'''rlpkg''': Relabels all files belonging to a given Gentoo package to their proper security context (if they have one).
*'''chcon''': Changes the context of a specific file.
*'''audit2allow''': Reads log messages from the AVC log file and tells you what rules would fix the error. Do not just add these rules without looking at them, though: audit2allow cannot detect errors elsewhere (e.g. the application running in the wrong context in the first place), and sometimes an access attempt generates an error message while the program keeps working, in which case it is better to add a dontaudit rule so that the attempt is simply ignored.

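The following added example (not from the page, and not audit2allow's own code) summarises AVC denial records from auditd into counted source-context, target-context, class and permission tuples, which is exactly the information audit2allow would turn into allow rules; reviewing the summary first makes a wrong domain or a dontaudit candidate easy to spot before any rule is added. The log lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): condense AVC denial records,
# as auditd writes them to /var/log/audit/audit.log, into counted
# "scontext tcontext tclass permission" tuples for review.
# The sample records below are constructed for this example.
# Usage: avc_summary < /var/log/audit/audit.log

avc_summary() {
    awk '
        /avc: *denied/ {
            # Permissions are listed in braces: denied  { read getattr } for ...
            s = index($0, "{"); e = index($0, "}")
            if (s == 0 || e <= s) next
            perms = substr($0, s + 1, e - s - 1)
            sc = tc = cl = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) sc = substr($i, 10)
                if ($i ~ /^tcontext=/) tc = substr($i, 10)
                if ($i ~ /^tclass=/)   cl = substr($i, 8)
            }
            # One tuple per permission, so a { read getattr } denial counts twice.
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) count[sc " " tc " " cl " " p[j]]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort
}

# Constructed audit records (not captured from a real system); the SYSCALL
# record is there to show that non-AVC lines are ignored.
SAMPLE_AVC='type=AVC msg=audit(1318752000.101:41): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda5 ino=8765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1318752000.102:42): avc:  denied  { read getattr } for  pid=1234 comm="httpd" name="index.html" dev=sda5 ino=8765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1318752000.102:42): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1318752000.103:43): avc:  denied  { write } for  pid=987 comm="sshd" name="auth.log" dev=sda5 ino=1122 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Each output line is one candidate allow rule with its hit count; the httpd_t entries above, for instance, are the kind that deserve a second look (a web server reading user home files is more likely a mislabeled DocumentRoot than a missing rule) before being handed to audit2allow.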
==References==
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]
*[http://oss.tresys.com/projects/setools SETools Homepage]

== See also ==
* [[AppArmor]] (similar to SELinux and much easier to configure, but not as complex)
* [[DNSSEC]]</div>