https://wiki.archlinux.org/api.php?action=feedcontributions&user=IooNag&feedformat=atom
ArchWiki - User contributions [en]
2024-03-28T13:21:04Z
User contributions
MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=SELinux&diff=652877
SELinux
2021-02-20T15:56:26Z
<p>IooNag: /* Changing boot loader configuration */ Document lsm option following issue reported on https://github.com/archlinuxhardened/selinux/issues/81</p>
<hr />
<div>[[Category:Access control]]<br />
[[Category:Kernel]]<br />
[[Category:Red Hat]]<br />
[[ja:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style [[Mandatory Access Control]] (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched or compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux}}, {{pkg|linux-zen}} and {{pkg|linux-hardened}} || Available in official repositories since [https://github.com/archlinux/svntogit-packages/commit/c46609a4b0325c363455264844091b71de01eddc 4.18.8].<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/SELinuxProject/refpolicy Reference Policy] as upstream || Upstream: https://github.com/SELinuxProject/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need following [[kernel parameters]] at boot: {{ic|1=selinux=1 lsm=yama,selinux,bpf}} (since [https://github.com/archlinux/svntogit-packages/commit/69cb8c2d2884181e799e67b09d67fcf7944d8408 a config change in Linux 5.10.13], {{ic|1=security=selinux}} [https://github.com/archlinuxhardened/selinux/issues/81 no longer works])<br />
|-<br />
| linux-hardened || Need following [[kernel parameters]] at boot: {{ic|1=selinux=1 lsm=yama,selinux,bpf}}<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another example is the traditional (-rwxr-xr-x) type permissions given to files. Under DAC, these are user-modifiable. Under MAC, however, a security administrator can choose to freeze the permissions of a certain file, making it impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/SELinuxProject/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
;{{AUR|selinux-alpm-hook}}<br />
:pacman hook to label files according to SELinux policy when installing and updating packages<br />
<br />
=== Installation ===<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|secilc}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{Pkg|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can still log in after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|systemd-libs-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|util-linux-libs-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
* Next, install {{AUR|selinux-alpm-hook}} in order to run restorecon every time pacman installs a package.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{Pkg|linux}}) and a policy (like {{AUR|selinux-refpolicy-arch}} or {{AUR|selinux-refpolicy-git}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
=== Changing boot loader configuration ===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader so that it boots that kernel. You may also need to add {{ic|1=selinux=1 lsm=lockdown,yama,selinux,bpf}} to the kernel command line. More precisely, if the kernel configuration does not include {{ic|selinux}} in the list defined in {{ic|CONFIG_LSM}}, {{ic|1=lsm=yama,selinux,bpf}} is needed, and if it contains {{ic|1=CONFIG_SECURITY_SELINUX_BOOTPARAM=y}} and {{ic|1=CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0}}, {{ic|1=selinux=1}} is needed.<br />
<br />
{{Note|1=Starting with kernel 5.10.13, the [https://www.kernel.org/doc/html/latest/bpf/bpf_lsm.html BPF] LSM kernel module is enabled by default [https://github.com/archlinux/svntogit-packages/commit/69cb8c2d2884181e799e67b09d67fcf7944d8408]. This causes the {{ic|1=security=selinux}} kernel parameter to fail at boot time [https://bbs.archlinux.org/viewtopic.php?id=263360].<br />
<br />
Instead, add {{ic|1=selinux}} to your kernel {{ic|lsm}} configuration. For example, if your loaded LSM modules (without SELinux enabled) are:<br />
<br />
{{hc|$ cat /sys/kernel/security/lsm|<br />
capability,lockdown,yama,bpf<br />
}}<br />
<br />
Then use {{ic|1=lsm=lockdown,yama,selinux,bpf}}.<br />
}}<br />
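<br />
The rule in the note above as an added shell example (not part of the wiki page or of the archlinuxhardened scripts): it derives the {{ic|1=lsm=}} value from a current LSM list and classifies a kernel command line. The function names are hypothetical; placing {{ic|selinux}} before {{ic|bpf}} follows the page's example, and dropping {{ic|capability}} assumes that module is always active and is not listed in {{ic|1=lsm=}}.<br />

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# Build the lsm= parameter from a comma-separated list in the format of
# /sys/kernel/security/lsm, adding selinux if it is not there yet.
lsm_param_with_selinux() {
    current=$1
    out=
    case ",$current," in
        *,selinux,*) placed=yes ;;   # already in the list: keep its position
        *) placed=no ;;
    esac
    for m in $(printf '%s' "$current" | tr ',' ' '); do
        case $m in
            capability) continue ;;  # assumption: always active, never listed in lsm=
            bpf)
                # Same placement as the page's example: selinux goes before bpf.
                if [ "$placed" = no ]; then
                    out="${out:+$out,}selinux"
                    placed=yes
                fi ;;
        esac
        out="${out:+$out,}$m"
    done
    # No bpf entry in the list: append selinux at the end.
    [ "$placed" = yes ] || out="${out:+$out,}selinux"
    printf 'lsm=%s\n' "$out"
}

# Classify a kernel command line (format of /proc/cmdline):
#   ok      - lsm= is present and lists selinux
#   legacy  - only security=selinux is present (fails at boot on 5.10.13+
#             with the BPF LSM enabled, per the note above)
#   missing - neither form is present (fine only if CONFIG_LSM lists selinux)
check_cmdline() {
    cmdline=$1
    lsm_value=
    legacy=no
    set -f                 # no globbing while splitting the command line
    set -- $cmdline
    set +f
    for arg in "$@"; do
        case $arg in
            lsm=*) lsm_value=${arg#lsm=} ;;
            security=selinux) legacy=yes ;;
        esac
    done
    case ",$lsm_value," in
        *,selinux,*) echo ok ;;
        *) if [ "$legacy" = yes ]; then echo legacy; else echo missing; fi ;;
    esac
}

# Constructed samples. On a live system pass "$(cat /sys/kernel/security/lsm)"
# and "$(cat /proc/cmdline)" instead.
lsm_param_with_selinux "capability,lockdown,yama,bpf"
check_cmdline "root=/dev/sda2 ro security=selinux selinux=1"
```

<br />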
<br />
==== GRUB ====<br />
<br />
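Add {{ic|1=security=selinux selinux=1}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}. On kernel 5.10.13 and later, where {{ic|1=security=selinux}} fails at boot as noted above, use the {{ic|1=lsm=}} form instead.<br />
Then run the following command:<br />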
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
==== Syslinux ====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|2=<br />
LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img<br />
}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
==== systemd-boot ====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
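<br />
One way to automate this check, as an added shell example (not from the wiki page; the function name and the sample PAM file are constructed): it reads a PAM configuration on standard input, confirms that {{ic|pam_selinux.so close}} is the first session rule, and reports how many session rules follow {{ic|pam_selinux.so open}} so that they can be reviewed by hand.<br />

```shell
#!/bin/sh
# Added example; check_pam_selinux is a hypothetical helper name.
# Usage on a live system: check_pam_selinux < /etc/pam.d/system-login

check_pam_selinux() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)             # "-session" marks an optional module
            if (type != "session") next
            n++                             # position among session rules
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_selinux\.so$/) {
                    if ($(i + 1) == "close" && !close_at) close_at = n
                    if ($(i + 1) == "open"  && !open_at)  open_at  = n
                }
            }
        }
        END {
            if (!close_at || !open_at)
                print "missing"
            else if (close_at != 1)
                print "close-not-first"
            else
                # Rules after "open" run in the user context: review them.
                printf "ok rules-after-open=%d\n", n - open_at
        }'
}

# Constructed sample in the layout of /etc/pam.d/system-login.
check_pam_selinux <<'EOF'
#%PAM-1.0
auth       required   pam_shells.so
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    required   pam_selinux.so open
session    include    system-auth
session    optional   pam_motd.so
EOF
```

<br />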
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [https://github.com/SELinuxProject/refpolicy/wiki SELinuxProject] is not very good for Arch Linux, as before release 20170805 almost no files were labelled correctly. The major problems were:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} were considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduced some instability when applying labels to the whole system, as files in these folders might be seen with 2 (or 4) different labels. <br />
* systemd was not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)<br />
<br />
Since refpolicy release 20170805 these two points have been addressed, but most people submitting patches to improve the policy use another distribution (Debian, Gentoo, RHEL, etc.). Therefore the compatibility with Arch Linux packages is not perfect (for example the policy may not support the most recent features of a program). }}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/SELinuxProject/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the [[systemd journal]]. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [https://github.com/SELinuxProject SELinux Project Homepage]<br />
** [https://github.com/SELinuxProject/refpolicy/wiki Reference Policy Homepage]<br />
** [https://github.com/SELinuxProject/setools/wiki SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>
IooNag
https://wiki.archlinux.org/index.php?title=SELinux&diff=652875
SELinux
2021-02-20T15:50:19Z
<p>IooNag: /* Current status in Arch Linux */ Replace security=selinux with lsm= in the kernel command line</p>
<hr />
<div>[[Category:Access control]]<br />
[[Category:Kernel]]<br />
[[Category:Red Hat]]<br />
[[ja:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style [[Mandatory Access Control]] (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux}}, {{pkg|linux-zen}} and {{pkg|linux-hardened}} || Available in official repositories since [https://github.com/archlinux/svntogit-packages/commit/c46609a4b0325c363455264844091b71de01eddc 4.18.8].<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/SELinuxProject/refpolicy Reference Policy] as upstream || Upstream: https://github.com/SELinuxProject/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need following [[kernel parameters]] at boot: {{ic|1=selinux=1 lsm=yama,selinux,bpf}} (since [https://github.com/archlinux/svntogit-packages/commit/69cb8c2d2884181e799e67b09d67fcf7944d8408 a config change in Linux 5.10.13], {{ic|1=security=selinux}} [https://github.com/archlinuxhardened/selinux/issues/81 no longer works])<br />
|-<br />
| linux-hardened || Need following [[kernel parameters]] at boot: {{ic|1=selinux=1 lsm=yama,selinux,bpf}}<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flags<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes nor risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another example is the traditional (-rwxr-xr-x) permissions given to files. Under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file, making it impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/SELinuxProject/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches are included, which fix issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
;{{AUR|selinux-alpm-hook}}<br />
:pacman hook to label files according to the SELinux policy when installing and updating packages<br />
<br />
=== Installation ===<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|secilc}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{Pkg|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overridden when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|systemd-libs-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|util-linux-libs-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
* Next, install {{AUR|selinux-alpm-hook}} in order to run restorecon every time pacman installs a package.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{Pkg|linux}}) and a policy (like {{AUR|selinux-refpolicy-arch}} or {{AUR|selinux-refpolicy-git}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
=== Changing boot loader configuration ===<br />
<br />
{{Out of date|The {{ic|1=security=}} parameter is deprecated, use {{ic|1=lsm=}} instead.[https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html]}}<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader so that it boots it. Moreover, you may need to add {{ic|1=security=selinux selinux=1}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|1=security=selinux}} is needed, and if it contains {{ic|1=CONFIG_SECURITY_SELINUX_BOOTPARAM=y}} and {{ic|1=CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0}}, {{ic|1=selinux=1}} is needed.<br />
<br />
{{Note|1=Starting with kernel 5.10.13, the [https://www.kernel.org/doc/html/latest/bpf/bpf_lsm.html BPF] LSM kernel module is enabled by default [https://github.com/archlinux/svntogit-packages/commit/69cb8c2d2884181e799e67b09d67fcf7944d8408]. It causes the {{ic|1=security=selinux}} kernel parameter to fail at boot time [https://bbs.archlinux.org/viewtopic.php?id=263360].<br />
<br />
Instead, add {{ic|1=selinux}} to your kernel {{ic|lsm}} configuration. For example, if your loaded LSM modules (without SELinux enabled) are:<br />
<br />
{{hc|$ cat /sys/kernel/security/lsm|<br />
capability,lockdown,yama,bpf<br />
}}<br />
<br />
Then use {{ic|1=lsm=lockdown,yama,selinux,bpf}}.<br />
}}<br />
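<br />
The two rules for {{ic|1=security=selinux}} and {{ic|1=selinux=1}} and the {{ic|1=lsm=}} list from the note can be derived mechanically, as in this added example (not part of the original page or of the archlinuxhardened scripts). The function names and the sample configuration are constructed; dropping {{ic|capability}} and placing {{ic|selinux}} before {{ic|bpf}} is an assumption taken from the single example in the note.<br />
<br />
```shell
#!/bin/sh
# Added example: helper names and sample data are constructed for illustration.

# has_line TEXT LINE: succeeds if LINE occurs as a whole line in TEXT.
has_line() {
    grep -qxF -- "$2" <<EOF
$1
EOF
}

# needed_selinux_params: reads a kernel configuration on stdin and prints the
# legacy parameters required by the two rules stated in the text.
needed_selinux_params() (
    cfg=$(cat)
    out=""
    # Rule 1: security=selinux is needed unless SELinux is the default LSM.
    if ! has_line "$cfg" "CONFIG_DEFAULT_SECURITY_SELINUX=y"; then
        out="security=selinux"
    fi
    # Rule 2: selinux=1 is needed when the boot parameter exists and defaults to 0.
    if has_line "$cfg" "CONFIG_SECURITY_SELINUX_BOOTPARAM=y" &&
       has_line "$cfg" "CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0"; then
        out="${out:+$out }selinux=1"
    fi
    printf '%s\n' "$out"
)

# lsm_with_selinux LIST: LIST is the content of /sys/kernel/security/lsm.
# Assumption (from the note's example): "capability" is left out of lsm=,
# and selinux goes before bpf, or at the end when bpf is absent.
lsm_with_selinux() (
    list=$1
    case ",$list," in
        *,selinux,*) placed=yes ;;   # already loaded, keep its position
        *)           placed=no ;;
    esac
    result=""
    IFS=,                            # local to this subshell function
    for m in $list; do
        case $m in
            capability) continue ;;
            bpf)
                if [ "$placed" = no ]; then
                    result="${result:+$result,}selinux"
                    placed=yes
                fi ;;
        esac
        result="${result:+$result,}$m"
    done
    [ "$placed" = yes ] || result="${result:+$result,}selinux"
    printf 'lsm=%s\n' "$result"
)

# Constructed sample kernel configuration (not taken from a real kernel).
sample_config='CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set'

printf '%s\n' "$sample_config" | needed_selinux_params
lsm_with_selinux "capability,lockdown,yama,bpf"
```

On a running system the inputs can come from {{ic|zcat /proc/config.gz}} (when the kernel exposes that file) and from {{ic|cat /sys/kernel/security/lsm}}.<br />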
<br />
==== GRUB ====<br />
<br />
Add {{ic|1=security=selinux selinux=1}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
==== Syslinux ====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|2=<br />
LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img<br />
}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
==== systemd-boot ====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
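<br />
The ordering requirement can be checked automatically, as in this added example (not part of the original page). The function name, exit codes and sample PAM stacks are constructed for illustration.<br />
<br />
```shell
#!/bin/sh
# Added example: check_pam_selinux and the sample stacks below are constructed.

# check_pam_selinux: reads a PAM service file on stdin.
# Exit status: 0 = both rules in the expected order,
#              1 = "pam_selinux.so close" is not the first session rule,
#              2 = no "pam_selinux.so open" rule after the close rule.
check_pam_selinux() {
    awk '
        # Only session rules count; comment lines never have "session" as $1.
        $1 ~ /^-?session$/ {
            n++
            for (i = 2; i <= NF; i++) {
                # Accept the bare module name or an absolute path to it.
                if ($i !~ /(^|\/)pam_selinux\.so$/) continue
                for (j = i + 1; j <= NF; j++) {
                    if ($j == "close" && !close_at) close_at = n
                    if ($j == "open") open_at = n
                }
            }
        }
        END {
            if (close_at != 1) {
                print "pam_selinux.so close is not the first session rule"
                exit 1
            }
            if (open_at <= close_at) {
                print "pam_selinux.so open is missing after the close rule"
                exit 2
            }
            print "pam_selinux.so close/open rules are in the expected order"
        }
    '
}

# Constructed sample stacks (not the contents of any shipped package).
good_pam='#%PAM-1.0
auth       required   pam_shells.so
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    required   pam_selinux.so open
session    include    system-auth'

bad_order='session    optional   pam_loginuid.so
session    required   pam_selinux.so close
session    required   pam_selinux.so open'

missing_open='session    required   pam_selinux.so close
session    include    system-auth'

printf '%s\n' "$good_pam"     | check_pam_selinux || echo "exit status $?"
printf '%s\n' "$bad_order"    | check_pam_selinux || echo "exit status $?"
printf '%s\n' "$missing_open" | check_pam_selinux || echo "exit status $?"
```

To check the real file, run {{ic|check_pam_selinux < /etc/pam.d/system-login}}.<br />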
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [https://github.com/SELinuxProject/refpolicy/wiki SELinuxProject] is not very good for Arch Linux, as before release 20170805 almost no files were labelled correctly. The major problems were:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} were considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduced some instability when applying labels to the whole system, as files in these folders might be seen with 2 (or 4) different labels. <br />
* systemd was not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in its GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)<br />
<br />
Since refpolicy release 20170805 these two points have been addressed, but most people submitting patches to improve the policy use another distribution (Debian, Gentoo, RHEL, etc.). Therefore the compatibility with Arch Linux packages is not perfect (for example the policy may not support the most recent features of a program). }}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/SELinuxProject/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, create a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
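<br />
Splitting a context into these fields needs some care because the optional level can itself contain colons. The following added example (not part of the original page) shows one way to do it; the function name and the third sample context are constructed for illustration.<br />
<br />
```shell
#!/bin/sh
# Added example: parse_context is a constructed helper, not an SELinux tool.

# parse_context CONTEXT: splits user:role:type[:level] and prints the fields.
# Only the first three colons are separators; everything after the type,
# colons included, is the level (an MLS/MCS range such as s0-s0:c0.c1023).
# Returns 1 when fewer than three non-empty fields are present.
parse_context() {
    ctx_full=$1

    ctx_user=${ctx_full%%:*}
    ctx_rest=${ctx_full#*:}
    [ "$ctx_rest" != "$ctx_full" ] || return 1      # no colon at all

    ctx_role=${ctx_rest%%:*}
    ctx_tail=${ctx_rest#*:}
    [ "$ctx_tail" != "$ctx_rest" ] || return 1      # only user:role

    ctx_type=${ctx_tail%%:*}
    case $ctx_tail in
        *:*) ctx_level=${ctx_tail#*:} ;;            # keep inner colons
        *)   ctx_level="" ;;                        # policy without MCS/MLS
    esac

    [ -n "$ctx_user" ] && [ -n "$ctx_role" ] && [ -n "$ctx_type" ] || return 1
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$ctx_user" "$ctx_role" "$ctx_type" "$ctx_level"
}

# The first two contexts appear on this page; the third is a constructed
# sample with a level that contains a colon.
parse_context "system_u:object_r:httpd_sys_content_t"
parse_context "system_u:system_r:policykit_t:s0"
parse_context "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
parse_context "not_a_context" || echo "rejected: not_a_context"
```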
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the [[systemd journal]]. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [https://github.com/SELinuxProject SELinux Project Homepage]<br />
** [https://github.com/SELinuxProject/refpolicy/wiki Reference Policy Homepage]<br />
** [https://github.com/SELinuxProject/setools/wiki SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=507597SELinux2018-01-15T20:12:15Z<p>IooNag: /* SELinux aware system utilities */ remove ustr-selinux, which is no longer needed (since libsemanage 2.7)</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another example is the traditional (-rwxr-xr-x) permissions given to files. Under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file, making it impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/TresysTechnology/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches are included, which fix issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
;{{AUR|selinux-alpm-hook}}<br />
:pacman hook to label files according to the SELinux policy when installing and updating packages<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is supported only on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [[debian:SELinux/Setup#kernel|Debian Wiki]])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|secilc}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{AUR|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
* Next, install {{AUR|selinux-alpm-hook}} in order to run restorecon every time pacman installs a package.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}} or {{AUR|selinux-refpolicy-git}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots this kernel. Moreover, you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
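<br />
The rule above can be checked mechanically. The following is an added example, not part of the wiki page or of the archlinuxhardened scripts; the function names and the sample configuration are hypothetical and constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: work out which SELinux kernel parameters a kernel
# configuration needs, and which of them a command line is missing.

# has_opt FILE LINE: true if FILE contains exactly LINE, e.g. CONFIG_FOO=y.
has_opt() {
    grep -qxF -e "$2" "$1"
}

# needed_params FILE: print the parameters this kernel config requires.
# Returns 1 if the kernel was built without SELinux support.
needed_params() (
    cfg=$1
    params=
    has_opt "$cfg" 'CONFIG_SECURITY_SELINUX=y' || return 1
    # SELinux is not the default security module: select it explicitly.
    has_opt "$cfg" 'CONFIG_DEFAULT_SECURITY_SELINUX=y' || params='security=selinux'
    # The boot parameter exists and defaults to 0: switch SELinux on.
    if has_opt "$cfg" 'CONFIG_SECURITY_SELINUX_BOOTPARAM=y' &&
       has_opt "$cfg" 'CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0'; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
)

# missing_params FILE CMDLINE: print needed parameters absent from CMDLINE.
missing_params() (
    needed=$(needed_params "$1") || return 1
    missing=
    for p in $needed; do
        case " $2 " in
            *" $p "*) ;;
            *) missing="${missing:+$missing }$p" ;;
        esac
    done
    printf '%s\n' "$missing"
)

# Constructed sample: SELinux is built in, but it is neither the default
# security module nor enabled by default at boot.
sample_config_optin() {
    cat <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
EOF
}

demo_cfg=$(mktemp)
sample_config_optin > "$demo_cfg"
echo "needed:  $(needed_params "$demo_cfg")"
echo "missing: $(missing_params "$demo_cfg" 'root=/dev/sda2 ro selinux=1')"
rm -f "$demo_cfg"
```

On a running system the two inputs would be the decompressed contents of {{ic|/proc/config.gz}} (where the kernel provides it) and the contents of {{ic|/proc/cmdline}}.<br />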
<br />
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
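<br />
One way to check this ordering automatically, as an added example that is not part of the wiki page: {{ic|check_pam_selinux}} and the verdict strings are hypothetical names, and the sample file is constructed, not the real Arch Linux {{ic|system-login}}.<br />

```shell
#!/bin/sh
# Added example: check where pam_selinux.so sits in the session stack of a
# PAM file such as /etc/pam.d/system-login.

# check_pam_selinux FILE
# Prints one verdict; for "ok" it also lists the session modules that run
# after "open", which are the ones to review for user-context execution.
#   ok               close is the first session rule and open is present
#   close-missing    no "pam_selinux.so close" session rule
#   close-not-first  another session rule runs before close
#   open-missing     no "pam_selinux.so open" session rule
check_pam_selinux() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments, blank lines
        $1 != "session" && $1 != "-session" { next }   # auth, account, ...
        {
            n++                                        # position in the stack
            mod = $3; arg = ""
            # The control field may be bracketed and contain spaces, so look
            # for the first field that names a module.
            for (i = 3; i <= NF; i++) {
                if ($i !~ /\.so$/) continue
                mod = $i
                for (j = i + 1; j <= NF; j++) {
                    if ($j == "open" || $j == "close") arg = $j
                }
                break
            }
            selinux = (mod == "pam_selinux.so" || mod ~ /\/pam_selinux\.so$/)
            if (selinux && arg == "close") { if (!close_at) close_at = n }
            else if (selinux && arg == "open") { if (!open_at) open_at = n }
            else if (open_at) after = after " " mod
        }
        END {
            if (!close_at)          print "close-missing"
            else if (close_at != 1) print "close-not-first"
            else if (!open_at)      print "open-missing"
            else                    print "ok" after
        }
    ' "$1"
}

# Constructed sample file for the demonstration below.
sample_system_login() {
    cat <<'EOF'
#%PAM-1.0
auth       required   pam_shells.so
account    include    system-auth
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    include    system-auth
# pam_selinux.so open should only be followed by user-context sessions
session    required   pam_selinux.so open
session    optional   pam_keyinit.so force revoke
session    required   pam_env.so
EOF
}

demo_pam=$(mktemp)
sample_system_login > "$demo_pam"
check_pam_selinux "$demo_pam"
rm -f "$demo_pam"
```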
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [https://github.com/TresysTechnology/refpolicy/wiki Tresys] is not very good for Arch Linux, as before release 20170805 almost no files were labelled correctly. The major problems were:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} were considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduced some instability when applying labels to the whole system, as files in these folders might be seen with 2 (or 4) different labels. <br />
* systemd was not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)<br />
<br />
Since refpolicy release 20170805 these two points have been addressed, but most people submitting patches to improve the policy use another distribution (Debian, Gentoo, RHEL, etc.). Therefore the compatibility with Arch Linux packages is not perfect (for example the policy may not support the most recent features of a program). }}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and fully loads one core of your system, so do not worry: just let it run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to adjust the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, create a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
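<br />
Writing to {{ic|/sys/fs/selinux/enforce}} changes only the running mode; {{ic|/etc/selinux/config}} still decides the mode at the next boot. The added example below (not part of the wiki page; function names are hypothetical and both inputs are constructed from the files shown above) compares saved {{ic|sestatus}} output with the configuration file and reports any drift.<br />

```shell
#!/bin/sh
# Added example: detect drift between /etc/selinux/config and the running
# state reported by sestatus.

# conf_value FILE KEY: value of the last KEY=value line in FILE.
conf_value() {
    awk -F= -v k="$2" '$1 == k { v = $2 }
                       END { sub(/[ \t]+$/, "", v); print v }' "$1"
}

# status_value FILE LABEL: value printed after "LABEL:" in sestatus output.
status_value() {
    awk -F: -v k="$2" '$1 == k {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}

# selinux_drift CONFIG STATUS
# Prints one line per difference; returns 0 when the running state matches
# the configuration file and 1 otherwise.
selinux_drift() (
    want_mode=$(conf_value "$1" SELINUX)
    want_policy=$(conf_value "$1" SELINUXTYPE)
    state=$(status_value "$2" 'SELinux status')
    mode=$(status_value "$2" 'Current mode')
    policy=$(status_value "$2" 'Loaded policy name')
    rc=0
    if [ "$state" != enabled ]; then
        if [ "$want_mode" = disabled ]; then
            return 0
        fi
        echo "status: config=$want_mode running=${state:-unknown}"
        return 1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "mode: config=$want_mode running=$mode"
        rc=1
    fi
    if [ "$policy" != "$want_policy" ]; then
        echo "policy: config=$want_policy loaded=$policy"
        rc=1
    fi
    return $rc
)

# Constructed sample: the configuration file from the installation section.
sample_selinux_config() {
    cat <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
# SELINUXTYPE= takes the name of SELinux policy to be used.
SELINUXTYPE=refpolicy
EOF
}

# Constructed sample: sestatus output after switching to enforcing at runtime.
sample_sestatus() {
    cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   enforcing
Mode from config file:          permissive
EOF
}

demo_dir=$(mktemp -d)
sample_selinux_config > "$demo_dir/config"
sample_sestatus > "$demo_dir/status"
selinux_drift "$demo_dir/config" "$demo_dir/status" || echo "drift detected"
rm -rf "$demo_dir"
```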
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For instance, the SELinux security context of the Apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field is also known as a range and is only present if the policy supports MCS or MLS.<br />
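<br />
A parser for this format, as an added example that is not part of the wiki page. The names {{ic|parse_context}}, {{ic|mislabelled}} and the {{ic|ctx_*}} variables are hypothetical, the listing is constructed, and the input is assumed to be two-column "context path" lines.<br />

```shell
#!/bin/sh
# Added example: split an SELinux context of the form user:role:type[:level]
# and use the type field to spot files that carry an unexpected label.

# parse_context CONTEXT
# Sets ctx_user, ctx_role, ctx_type and ctx_level; returns 1 if CONTEXT is
# malformed. The level may itself contain colons (s0-s0:c0.c1023), so only
# the first three colons are treated as field separators.
parse_context() {
    ctx_user= ctx_role= ctx_type= ctx_level=
    case $1 in
        *:*:*) ;;
        *) return 1 ;;                    # fewer than three fields
    esac
    ctx_user=${1%%:*};      _rest=${1#*:}
    ctx_role=${_rest%%:*};  _rest=${_rest#*:}
    ctx_type=${_rest%%:*}
    case $_rest in
        *:*) ctx_level=${_rest#*:}
             [ -n "$ctx_level" ] || return 1 ;;   # trailing colon, no level
    esac
    # Syntactic sanity check: each field starts with a letter and contains
    # only letters, digits, "_", "." or "-". This rejects look-alikes such
    # as a 12:30:45 timestamp.
    for _f in "$ctx_user" "$ctx_role" "$ctx_type"; do
        case $_f in
            *[!A-Za-z0-9_.-]*) return 1 ;;
            [A-Za-z]*) ;;
            *) return 1 ;;
        esac
    done
}

# mislabelled EXPECTED_TYPE
# Reads "context path" lines on stdin and prints "path type" for every path
# whose type differs from EXPECTED_TYPE, or "path invalid-context".
mislabelled() {
    while read -r _ctx _path; do
        [ -n "$_ctx" ] || continue
        if ! parse_context "$_ctx"; then
            printf '%s invalid-context\n' "$_path"
        elif [ "$ctx_type" != "$1" ]; then
            printf '%s %s\n' "$_path" "$ctx_type"
        fi
    done
}

# Constructed listing: the second file carries a home-directory type.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/report.html
EOF
}

parse_context 'system_u:system_r:policykit_t:s0' &&
    echo "user=$ctx_user role=$ctx_role type=$ctx_type level=$ctx_level"
sample_listing | mislabelled httpd_sys_content_t
```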
<br />
This is important if you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to do so, as the reference policy is sufficiently mature. If, however, you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>
IooNag
https://wiki.archlinux.org/index.php?title=SELinux&diff=486058
SELinux
2017-08-20T12:03:36Z
<p>IooNag: /* Installing a policy */ Update URL to Tresys (the old one is a redirect to the new one)</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/TresysTechnology/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches are included, which fix issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
;{{AUR|selinux-alpm-hook}}<br />
:pacman hook to label files according to the SELinux policy when installing and updating packages<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is supported only on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|secilc}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{AUR|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
* Next, install {{AUR|selinux-alpm-hook}} in order to run restorecon every time pacman installs a package.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}} or {{AUR|selinux-refpolicy-git}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots this kernel. Moreover, you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains both {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
<br />
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [https://github.com/TresysTechnology/refpolicy/wiki Tresys] is not very good for Arch Linux, as before release 20170805 almost no files were labelled correctly. The major problems were:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} were considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduced some instability when applying labels to the whole system, as files in these folders might be seen with 2 (or 4) different labels. <br />
* systemd was not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)<br />
<br />
Since refpolicy release 20170805 these two points have been addressed, but most people submitting patches to improve the policy use another distribution (Debian, Gentoo, RHEL, etc.). Therefore the compatibility with Arch Linux packages is not perfect (for example the policy may not support the most recent features of a program). }}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example: the SELinux security context of the Apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This matters if you wish to understand how to build your own policies, as these are the basic building blocks of SELinux. For most purposes there is no need to, because the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
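<br />
The field layout described above can be split mechanically; the one trap is that the optional level may itself contain colons. The following is an added example, not part of the original article: the function names and the sample listing are constructed for illustration, and the listing format is assumed to be the one shown above.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page): split an SELinux context into the
# user:role:type[:level] fields and flag entries with an unexpected type.

# Sets ctx_user, ctx_role, ctx_type and ctx_level from the context in $1.
# Only the first three colons separate fields: an MLS/MCS level such as
# "s0-s0:c0.c1023" contains colons of its own and must be kept whole.
parse_context() {
    ctx_user="" ctx_role="" ctx_type="" ctx_level=""
    case $1 in
        *:*:*) ;;
        *) return 1 ;;              # fewer than three fields: not a context
    esac
    ctx_user=${1%%:*}
    rest=${1#*:}
    ctx_role=${rest%%:*}
    rest=${rest#*:}
    case $rest in
        *:*) ctx_type=${rest%%:*}; ctx_level=${rest#*:} ;;
        *)   ctx_type=$rest ;;
    esac
    # Reject contexts with an empty user, role or type.
    [ -n "$ctx_user" ] && [ -n "$ctx_role" ] && [ -n "$ctx_type" ]
}

# Reads `ls -lZ`-style lines on stdin and prints "path type" for every entry
# whose SELinux type differs from the expected type given in $1.
report_unexpected_types() {
    expected=$1
    while read -r line; do
        path=${line##* }            # last column (paths with spaces not handled)
        label=""
        # Split the line into columns; globbing is disabled while doing so.
        set -f; set -- $line; set +f
        for field in "$@"; do
            # The context is the first column that parses as user:role:type.
            if [ "$field" != "$path" ] && parse_context "$field"; then
                label=$field
                break
            fi
        done
        [ -n "$label" ] || continue
        [ "$ctx_type" = "$expected" ] || printf '%s %s\n' "$path" "$ctx_type"
    done
}

# Constructed listing in the format shown above; the second entry carries a
# different type and a level field.
sample_listing='-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html
-rw-r--r-- username username unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.html'

printf '%s\n' "$sample_listing" | report_unexpected_types httpd_sys_content_t
```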
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=486057SELinux2017-08-20T12:02:30Z<p>IooNag: /* Installing a policy */ Update the warning message as refpolicy 20170805 improved the situation greatly</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages can be included without changes or risk.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so, and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/TresysTechnology/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
;{{AUR|selinux-alpm-hook}}<br />
:pacman hook to label files according to SELinux policy when installing and updating packages<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is only supported on ext2, ext3, ext4, JFS, XFS and BtrFS filesystems. By default, the Arch Kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|secilc}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{AUR|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
* Next, install {{AUR|selinux-alpm-hook}} in order to run restorecon every time pacman installs a package.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}} or {{AUR|selinux-refpolicy-git}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (after downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots this kernel. Moreover, you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains both {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
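<br />
The two rules above (the same paragraph appears in the preceding feed entry) can be checked against a kernel configuration before editing the boot loader. The following is an added example, not part of the original article or of the archlinuxhardened scripts: the function names and the sample configuration are constructed for illustration, and a kernel built without {{ic|CONFIG_SECURITY_SELINUX}} is treated as an error because no boot parameter can enable SELinux there.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page): derive the SELinux boot parameters
# a kernel needs from its configuration, using the two rules stated above.

# Reads a kernel config (e.g. the output of `zcat /proc/config.gz`) on stdin
# and prints the parameters to add, separated by spaces (empty if none).
# Returns 2 if the kernel was built without SELinux support.
selinux_boot_params() {
    selinux="" default_lsm="" bootparam="" bootparam_value=""
    while IFS= read -r line; do
        # "# CONFIG_FOO is not set" lines never match, so the value stays empty.
        case $line in
            CONFIG_SECURITY_SELINUX=*)                 selinux=${line#*=} ;;
            CONFIG_DEFAULT_SECURITY_SELINUX=*)         default_lsm=${line#*=} ;;
            CONFIG_SECURITY_SELINUX_BOOTPARAM=*)       bootparam=${line#*=} ;;
            CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=*) bootparam_value=${line#*=} ;;
        esac
    done
    [ "$selinux" = y ] || return 2
    params=""
    # Rule 1: SELinux is not the default security module.
    [ "$default_lsm" = y ] || params="security=selinux"
    # Rule 2: the boot parameter exists and defaults to 0 (disabled).
    if [ "$bootparam" = y ] && [ "$bootparam_value" = 0 ]; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# Reads a kernel config on stdin and prints the needed parameters that are
# absent from the command line given as $1 (e.g. "$(cat /proc/cmdline)").
missing_boot_params() {
    needed=$(selinux_boot_params) || return $?
    missing=""
    for p in $needed; do
        case " $1 " in
            *" $p "*) ;;                              # already present
            *) missing="${missing:+$missing }$p" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample: SELinux is built in but is neither the default security
# module nor enabled at boot.
sample_config='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set'

printf '%s\n' "$sample_config" | missing_boot_params "root=/dev/sda2 ro security=selinux"
```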
<br />
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
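<br />
The ordering requirements in the two comments above (also given in the preceding feed entry) can be linted instead of checked by eye. The following is an added example, not part of the original article: the function name and both sample files are constructed for illustration, and only the position of the two {{ic|pam_selinux.so}} rules within the session stack is checked.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page): lint the session stack of a PAM
# file for the two pam_selinux.so rules described above.

# Reads a PAM configuration file on stdin and prints its findings. Returns 0
# only if "pam_selinux.so close" is the first session rule and
# "pam_selinux.so open" appears after it.
check_pam_selinux() {
    session_no=0 close_at=0 open_at=0
    while read -r ptype rest; do
        case $ptype in
            session|-session) session_no=$((session_no + 1)) ;;
            *) continue ;;          # comments, blank lines, other rule types
        esac
        # Find pam_selinux.so and the open/close argument that follows it.
        # Globbing is disabled so controls like [success=ok ...] stay literal.
        seen=0 mode=""
        set -f; set -- $rest; set +f
        for tok in "$@"; do
            case $tok in
                pam_selinux.so|*/pam_selinux.so) seen=1 ;;
                close|open) if [ "$seen" -eq 1 ]; then mode=$tok; fi ;;
            esac
        done
        if [ "$mode" = close ] && [ "$close_at" -eq 0 ]; then close_at=$session_no; fi
        if [ "$mode" = open ] && [ "$open_at" -eq 0 ]; then open_at=$session_no; fi
    done
    status=0
    if [ "$close_at" -eq 0 ]; then
        echo "missing: session rule with pam_selinux.so close"; status=1
    elif [ "$close_at" -ne 1 ]; then
        echo "pam_selinux.so close is session rule $close_at, not the first"; status=1
    fi
    if [ "$open_at" -eq 0 ]; then
        echo "missing: session rule with pam_selinux.so open"; status=1
    elif [ "$open_at" -lt "$close_at" ]; then
        echo "pam_selinux.so open comes before pam_selinux.so close"; status=1
    else
        # These rules run in the user context and deserve a manual review.
        echo "session rules after pam_selinux.so open: $((session_no - open_at))"
    fi
    return "$status"
}

# Constructed sample resembling /etc/pam.d/system-login (not a real file).
good_pam='#%PAM-1.0
auth       required   pam_shells.so
auth       include    system-auth
account    include    system-auth
password   include    system-auth
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    include    system-auth
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required   pam_selinux.so open
session    optional   pam_keyinit.so force revoke'

# Constructed faulty variant: another session rule runs before "close".
bad_pam='session    optional   pam_loginuid.so
session    required   pam_selinux.so close
session    required   pam_selinux.so open'

printf '%s\n' "$good_pam" | check_pam_selinux
printf '%s\n' "$bad_pam"  | check_pam_selinux || echo "bad_pam: check failed"
```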
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as before release 20170805 almost no files were labelled correctly. The major problems were:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} were considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduced some instability when applying labels to the whole system, as files in these folders might be seen with 2 (or 4) different labels. <br />
* systemd was not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)<br />
<br />
Since refpolicy release 20170805 these two points have been addressed, but most people submitting patches to improve the policy use another distribution (Debian, Gentoo, RHEL, etc.). Therefore the compatibility with Arch Linux packages is not perfect (for example the policy may not support the most recent features of a program). }}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=486054SELinux2017-08-20T11:53:42Z<p>IooNag: Add selinux-alpm-hook AUR package</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/TresysTechnology/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
;{{AUR|selinux-alpm-hook}}<br />
:pacman hook to label files according to the SELinux policy when installing and updating packages<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is only supported on ext2, ext3, ext4, JFS, XFS and BtrFS filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|secilc}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{AUR|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overridden when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
* Next, install {{AUR|selinux-alpm-hook}} in order to run restorecon every time pacman installs a package.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}} or {{AUR|selinux-refpolicy-git}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (after downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots that kernel. Moreover, you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains both {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
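
The rule in the paragraph above, written as a check that reads a kernel configuration file and reports which parameters it needs. This is an added example, not part of the wiki page or of the archlinuxhardened project; the function names {{ic|config_value}}, {{ic|required_params}} and {{ic|missing_params}} are hypothetical, and the configuration fragment and command line in {{ic|demo}} are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): work out which SELinux kernel
# parameters a kernel needs, from its build configuration.

# config_value FILE OPTION: print the value of OPTION, or nothing if unset.
# "# CONFIG_FOO is not set" lines do not match, so unset options print nothing.
config_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# required_params FILE: print the parameters this kernel needs (may be empty).
# Returns 1 when the kernel was built without SELinux, where no parameter helps.
required_params() {
    [ "$(config_value "$1" CONFIG_SECURITY_SELINUX)" = y ] || return 1
    params=""
    # Without CONFIG_DEFAULT_SECURITY_SELINUX, SELinux must be selected explicitly.
    if [ "$(config_value "$1" CONFIG_DEFAULT_SECURITY_SELINUX)" != y ]; then
        params="security=selinux"
    fi
    # With the boot parameter compiled in and defaulting to 0, SELinux starts disabled.
    if [ "$(config_value "$1" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = y ] &&
       [ "$(config_value "$1" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)" = 0 ]; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# missing_params FILE CMDLINE: print required parameters absent from CMDLINE.
missing_params() {
    needed=$(required_params "$1") || return 1
    missing=""
    for p in $needed; do
        # Pad with spaces so that only whole parameters match.
        case " $2 " in
            *" $p "*) ;;
            *) missing="${missing:+$missing }$p" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Demonstration on a constructed config fragment and a constructed command line.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
EOF
    echo "required: $(required_params "$cfg")"
    echo "missing:  $(missing_params "$cfg" 'root=/dev/sda2 ro security=selinux')"
    rm -f "$cfg"
}
demo
```

On a running system the same functions can be pointed at a decompressed copy of {{ic|/proc/config.gz}} (when the kernel exposes it) and at the contents of {{ic|/proc/cmdline}}.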
<br />
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This matters if you wish to understand how to build your own policies, because these are the basic building blocks of SELinux. For most purposes there is no need to, as the reference policy is sufficiently mature. If you are a power user or someone with very specific needs, however, it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=486053SELinux2017-08-20T11:47:38Z<p>IooNag: /* Via AUR */ Users can also use selinux-refpolicy-git policy package</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/TresysTechnology/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches are included, which fix issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux can only be used on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), the AUR package {{aur|linux-selinux}} adds the configuration options for SELinux. Otherwise, if you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|secilc}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{AUR|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overridden when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}} or {{AUR|selinux-refpolicy-git}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader so that it boots this kernel. You may also need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains both {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
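
The rule in the paragraph above can be checked mechanically against a kernel build configuration. The following is an added example, not part of the wiki page or of the archlinuxhardened scripts; the function names and the sample configuration and command line are constructed for illustration.

```shell
#!/bin/sh
# Added example: work out which SELinux boot parameters a kernel needs
# from its build configuration, then compare with a command line.

# config_value KEY CONFIG_TEXT
# Prints the value of KEY, or nothing when the option is absent or
# recorded as "# KEY is not set".
config_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# selinux_cmdline_params CONFIG_TEXT
# Prints the parameters to append to the kernel command line (an empty
# line when none are needed). Returns 1 when the kernel was built
# without SELinux, in which case no boot parameter can enable it.
selinux_cmdline_params() {
    cfg=$1
    params=""
    if [ "$(config_value CONFIG_SECURITY_SELINUX "$cfg")" != "y" ]; then
        return 1
    fi
    # SELinux is not the default security module: select it explicitly.
    if [ "$(config_value CONFIG_DEFAULT_SECURITY_SELINUX "$cfg")" != "y" ]; then
        params="security=selinux"
    fi
    # The selinux= parameter exists and defaults to 0: SELinux stays
    # off unless selinux=1 is passed.
    if [ "$(config_value CONFIG_SECURITY_SELINUX_BOOTPARAM "$cfg")" = "y" ] &&
       [ "$(config_value CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE "$cfg")" = "0" ]; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# missing_from_cmdline CMDLINE REQUIRED
# Prints the entries of REQUIRED that do not appear in CMDLINE.
missing_from_cmdline() {
    missing=""
    for want in $2; do
        found=0
        for have in $1; do
            if [ "$have" = "$want" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            missing="${missing:+$missing }$want"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample: SELinux is built in, but it is neither the default
# security module nor enabled by default at boot.
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set'
# Constructed sample command line with only one of the two parameters.
SAMPLE_CMDLINE='root=/dev/sda2 ro selinux=1'

needed=$(selinux_cmdline_params "$SAMPLE_CONFIG")
echo "needed:  $needed"
echo "missing: $(missing_from_cmdline "$SAMPLE_CMDLINE" "$needed")"
```

On a running system the two inputs can be taken from {{ic|/proc/config.gz}} (when the kernel provides it) and {{ic|/proc/cmdline}}.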
<br />
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
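
The ordering requirement above can be verified with a short script. This is an added example, not code from the wiki page or from the {{ic|pambase-selinux}} package; the function name and the sample file contents are constructed, and the check only covers the two rules stated in the comments above.

```shell
#!/bin/sh
# Added example: check the ordering of pam_selinux.so session rules.

# check_pam_selinux PAM_FILE_TEXT
# Prints "ok" and returns 0 when the first session rule is
# "pam_selinux.so close" and a "pam_selinux.so open" rule follows it.
# Otherwise prints the reason and returns 1.
# Typical use: check_pam_selinux "$(cat /etc/pam.d/system-login)"
check_pam_selinux() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { kind = $1; sub(/^-/, "", kind) }      # "-session" is a session rule too
        kind != "session" { next }
        {
            n++
            sel = 0; arg = ""
            for (i = 2; i <= NF; i++) {
                mod = $i
                sub("^.*/", "", mod)            # accept a full module path
                if (mod == "pam_selinux.so") sel = 1
                if (sel && ($i == "close" || $i == "open")) arg = $i
            }
            if (arg == "close" && n == 1) close_first = 1
            if (arg == "open" && close_first && n > 1) open_after = 1
        }
        END {
            if (!close_first) {
                print "pam_selinux.so close is not the first session rule"
                exit 1
            }
            if (!open_after) {
                print "no pam_selinux.so open rule after the close rule"
                exit 1
            }
            print "ok"
        }'
}

# Constructed sample, not the contents of any packaged file.
SAMPLE_PAM='#%PAM-1.0
auth       required   pam_shells.so
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    required   pam_selinux.so open
session    include    system-auth'

check_pam_selinux "$SAMPLE_PAM"
```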
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to adjust the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls, and it is best understood by example. The SELinux security context of the Apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
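
The {{ic|user:role:type[:level]}} format described above (in this revision and in the identical passage of the newer one) can be split with plain shell. This is an added example, not part of the wiki page; the function names are made up here and the MLS context is a constructed sample. The point to notice is that the level is everything after the third colon, because a range can itself contain colons.

```shell
#!/bin/sh
# Added example: split an SELinux security context into its fields.

# context_field FIELD CONTEXT
# Prints the user, role, type or level of CONTEXT. The level is empty
# when the context has only three fields. Returns 1 for a malformed
# context and 2 for an unknown field name.
context_field() {
    field=$1
    ctx=$2
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;
    esac
    cuser=${ctx%%:*}
    rest=${ctx#*:}
    crole=${rest%%:*}
    rest=${rest#*:}
    case $rest in
        # Cut at the first colon only: the rest is the level/range.
        *:*) ctype=${rest%%:*}; clevel=${rest#*:} ;;
        *)   ctype=$rest; clevel="" ;;
    esac
    if [ -z "$cuser" ] || [ -z "$crole" ] || [ -z "$ctype" ]; then
        return 1
    fi
    case $field in
        user)  printf '%s\n' "$cuser" ;;
        role)  printf '%s\n' "$crole" ;;
        type)  printf '%s\n' "$ctype" ;;
        level) printf '%s\n' "$clevel" ;;
        *)     return 2 ;;
    esac
}

# context_from_ls_line LINE
# Prints the first whitespace-separated column of an "ls -lZ" line that
# has the shape of a context, so the column position does not matter.
context_from_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; found = 1; exit }
    } END { exit !found }'
}

# The ls -lZ line shown on this page.
LS_LINE='-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html'
# Constructed sample with an MLS/MCS range as its level.
MLS_CONTEXT='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

for c in "$(context_from_ls_line "$LS_LINE")" "$MLS_CONTEXT"; do
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$(context_field user "$c")" "$(context_field role "$c")" \
        "$(context_field type "$c")" "$(context_field level "$c")"
done
```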
<br />
This matters if you wish to understand how to build your own policies, because these are the basic building blocks of SELinux. For most purposes there is no need to, as the reference policy is sufficiently mature. If you are a power user or someone with very specific needs, however, it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=486052SELinux2017-08-20T11:45:31Z<p>IooNag: /* Via AUR */ Update instructions to make them work again since release 2.7 of the tools and libraries</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/TresysTechnology/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is supported only on the ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|secilc}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|libsemanage}}, {{AUR|semodule-utils}}, {{AUR|policycoreutils}}, {{AUR|selinux-python}} (which depends on {{AUR|python-ipy}}), {{AUR|mcstrans}} and {{AUR|restorecond}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can recompile some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots this kernel. Moreover, you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains both {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
<br />
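The rule above can be checked mechanically. The following script is an added example, not part of the wiki page or of the archlinuxhardened project; the function names are hypothetical, and it assumes a plain-text kernel configuration file is available (the sample configuration inside it is constructed).<br />
<br />
```shell
#!/bin/sh
# Added example: derive the SELinux kernel command-line parameters that a
# given kernel configuration requires, following the rule in the text above.
# All function names are hypothetical (illustration only).

# config_value FILE KEY -> prints the value of KEY, or nothing when KEY is
# absent or commented out as "# KEY is not set".
config_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# needed_selinux_params FILE -> prints the parameters to add to the kernel
# command line (possibly an empty line). Returns 1 when the kernel was built
# without SELinux, in which case no parameter can enable it.
needed_selinux_params() {
    cfg=$1
    params=""
    if [ "$(config_value "$cfg" CONFIG_SECURITY_SELINUX)" != "y" ]; then
        echo "CONFIG_SECURITY_SELINUX is not enabled in $cfg" >&2
        return 1
    fi
    # security=selinux is needed when SELinux is not the default security module.
    if [ "$(config_value "$cfg" CONFIG_DEFAULT_SECURITY_SELINUX)" != "y" ]; then
        params="security=selinux"
    fi
    # selinux=1 is needed when the boot parameter exists and defaults to 0.
    if [ "$(config_value "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = "y" ] &&
       [ "$(config_value "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)" = "0" ]; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# missing_from_cmdline "CMDLINE" "NEEDED" -> prints the needed parameters that
# do not appear as whole words in CMDLINE (e.g. the content of /proc/cmdline).
missing_from_cmdline() {
    missing=""
    for p in $2; do
        case " $1 " in
            *" $p "*) ;;
            *) missing="${missing:+$missing }$p" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample: SELinux built in, not the default security module,
# boot parameter present with a default value of 0.
sample_cfg=$(mktemp)
printf '%s\n' \
    'CONFIG_SECURITY=y' \
    'CONFIG_SECURITY_SELINUX=y' \
    'CONFIG_SECURITY_SELINUX_BOOTPARAM=y' \
    'CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0' \
    '# CONFIG_DEFAULT_SECURITY_SELINUX is not set' > "$sample_cfg"
needed=$(needed_selinux_params "$sample_cfg")
echo "needed on the kernel command line: $needed"
echo "missing from a constructed command line: $(missing_from_cmdline 'root=/dev/sda2 ro security=selinux' "$needed")"
rm -f "$sample_cfg"
```

With the option list shown earlier on this page ({{ic|<nowiki>CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1</nowiki>}}), the function prints an empty line, meaning that neither parameter is required.<br />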
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
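The two PAM rules above can be verified with a short script. This is an added example, not part of the wiki page or of the pambase-selinux package; the function name {{ic|check_pam_selinux}} is hypothetical and the sample PAM file inside it is constructed.<br />
<br />
```shell
#!/bin/sh
# Added example: audit a PAM service file for the two pam_selinux.so rules
# described above. The function name is hypothetical (illustration only).

# check_pam_selinux FILE
# Returns 0 when the first "session" rule is "pam_selinux.so close" and a
# "pam_selinux.so open" session rule exists; returns 1 otherwise.
# Session rules that follow "open" are listed for manual review, because only
# sessions meant to run in the user context should come after it.
check_pam_selinux() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)                   # a leading "-" marks an optional module
            if (type != "session") next
            n++
            kind = ""
            # The control field may be bracketed and contain spaces, so locate
            # the module by name and then look for its open/close argument.
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_selinux.so" || $i ~ /\/pam_selinux\.so$/) {
                    for (j = i + 1; j <= NF; j++)
                        if ($j == "close" || $j == "open") kind = $j
                    break
                }
            }
            if (open_at && kind == "") after = after "REVIEW (runs after open): " $0 "\n"
            if (kind == "close" && !close_at) close_at = n
            if (kind == "open" && !open_at) open_at = n
        }
        END {
            if (close_at != 1) { print "FAIL: pam_selinux.so close is not the first session rule"; bad = 1 }
            if (!open_at)      { print "FAIL: no pam_selinux.so open session rule"; bad = 1 }
            printf "%s", after
            if (!bad) print "OK: pam_selinux.so close is first and pam_selinux.so open is present"
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample resembling a system-login file (not copied from a real system).
sample_pam=$(mktemp)
printf '%s\n' \
    '#%PAM-1.0' \
    'auth       include    system-auth' \
    '# pam_selinux.so close should be the first session rule' \
    'session    required   pam_selinux.so close' \
    'session    optional   pam_loginuid.so' \
    'session    include    system-auth' \
    'session    required   pam_selinux.so open' \
    'session    optional   pam_motd.so' > "$sample_pam"
check_pam_selinux "$sample_pam"
rm -f "$sample_pam"
```

<br />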
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the Apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field is also known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important if you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to, as the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=486051SELinux2017-08-20T11:38:27Z<p>IooNag: /* SELinux policy packages */ Introduce selinux-refpolicy-git</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-git}}<br />
:Reference policy git master (https://github.com/TresysTechnology/refpolicy) built with configuration specific for Arch Linux<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is only supported on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the package):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration to boot it. Moreover, you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
<br />
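The two rules above can be checked mechanically. The following is an added example, not part of the wiki page or of the archlinuxhardened repository: it reads a plain-text kernel configuration file and reports which parameters the kernel command line needs. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the SELinux kernel parameters from a kernel config.
# Function names and the sample data below are constructed for illustration.

# kconfig_get FILE OPTION: print the value assigned to OPTION, or nothing when
# the option is unset ("# CONFIG_FOO is not set" lines do not match).
kconfig_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# selinux_cmdline_params FILE: print the parameters this kernel needs on its
# command line to boot with SELinux, following the two rules stated above.
selinux_cmdline_params() {
    cfg=$1
    params=""
    if [ "$(kconfig_get "$cfg" CONFIG_SECURITY_SELINUX)" != "y" ]; then
        echo "CONFIG_SECURITY_SELINUX is not enabled in $cfg" >&2
        return 1
    fi
    # Rule 1: SELinux is not the default LSM, so security=selinux is needed.
    if [ "$(kconfig_get "$cfg" CONFIG_DEFAULT_SECURITY_SELINUX)" != "y" ]; then
        params="security=selinux"
    fi
    # Rule 2: the boot parameter exists but defaults to 0, so selinux=1 is needed.
    if [ "$(kconfig_get "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = "y" ] &&
       [ "$(kconfig_get "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)" = "0" ]; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# cmdline_missing CMDLINE NEEDED: print the words of NEEDED absent from CMDLINE.
cmdline_missing() {
    missing=""
    for want in $2; do
        case " $1 " in
            *" $want "*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample: SELinux built in, not the default LSM, boot value 0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
EOF
needed=$(selinux_cmdline_params "$sample")
echo "needed on the command line: $needed"
# Constructed boot entry options that forgot security=selinux.
echo "missing from the entry:     $(cmdline_missing 'root=/dev/sda2 ro selinux=1' "$needed")"
rm -f "$sample"
```
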
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
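The ordering requirement above can be verified with a short script. This is an added example, not part of the wiki page or of the pambase-selinux package: it checks that {{ic|pam_selinux.so close}} is the first session rule and that {{ic|pam_selinux.so open}} is present, and lists the rules that follow ''open'' for review. The function name and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the pam_selinux.so session rule order in a PAM file.
# The function name and the sample files below are constructed for illustration.

# check_pam_selinux FILE: print "ok" and return 0 when "pam_selinux.so close"
# is the first session rule and "pam_selinux.so open" is present; otherwise
# print the problem and return 1. Session rules found after "open" are listed
# on stderr so they can be reviewed.
check_pam_selinux() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        $1 == "session" || $1 == "-session" {
            n++
            if ($0 ~ /pam_selinux\.so[ \t]+close([ \t]|$)/) {
                if (!first_close) first_close = n
            } else if ($0 ~ /pam_selinux\.so[ \t]+open([ \t]|$)/) {
                last_open = n
            } else if (last_open) {
                after = after "\n  " $0
            }
        }
        END {
            if (!first_close) { print "pam_selinux.so close is missing"; exit 1 }
            if (first_close != 1) {
                print "pam_selinux.so close is session rule " first_close ", not the first"
                exit 1
            }
            if (!last_open) { print "pam_selinux.so open is missing"; exit 1 }
            if (after != "")
                print "session rules after open (should run in the user context):" after > "/dev/stderr"
            print "ok"
        }
    ' "$1"
}

# Constructed sample in the expected order.
good=$(mktemp)
bad=$(mktemp)
cat > "$good" <<'EOF'
#%PAM-1.0
auth       required   pam_shells.so
session    required   pam_selinux.so close
session    required   pam_loginuid.so
session    required   pam_selinux.so open
session    optional   pam_keyinit.so force revoke
session    include    system-auth
EOF
# Constructed broken variant: the close rule is moved to the end.
grep -v 'pam_selinux.so close' "$good" > "$bad"
echo 'session    required   pam_selinux.so close' >> "$bad"

check_pam_selinux "$good"
check_pam_selinux "$bad" || echo "-> fix the rule order before relying on login contexts"
rm -f "$good" "$bad"
```
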
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in his GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to adjust the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the Apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important if you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=486050SELinux2017-08-20T11:25:29Z<p>IooNag: /* SELinux userspace utilities */ Split policycoreutils package as was done in https://github.com/SELinuxProject/selinux/wiki/Releases#release-2017-08-04</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|mcstrans}}<br />
:Daemon which is used by libselinux to translate MCS labels<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|restorecond}}<br />
:Daemon which maintains the label of some files<br />
<br />
;{{AUR|secilc}}<br />
:Compiler for SELinux policies written in CIL (Common Intermediate Language)<br />
<br />
;{{AUR|selinux-dbus-config}}<br />
:DBus service which allows managing SELinux configuration<br />
<br />
;{{AUR|selinux-gui}}<br />
:SELinux GUI tools (system-config-selinux)<br />
<br />
;{{AUR|selinux-python}} and {{AUR|selinux-python2}}<br />
:SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)<br />
<br />
;{{AUR|selinux-sandbox}}<br />
:Sandboxing tool for SELinux<br />
<br />
;{{AUR|semodule-utils}}<br />
:Tools to handle SELinux modules when building a policy<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is only supported on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}, and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of a way this script can be used in a user shell to install all packages (with downloading the GPG keys which are used to verify the source tarballs of the package):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your bootloader accordingly to boot on it. Moreover you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
<br />
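The rule in the paragraph above can be checked mechanically against a kernel configuration file. The following script is an added example, not part of the original page or of the archlinuxhardened/selinux repository; the function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide which SELinux parameters a kernel needs on its
# command line, following the rule stated in the paragraph above.
# On a running system the configuration can be read from /proc/config.gz
# when the kernel exposes it; here constructed sample files are used.

# config_value FILE OPTION -> value of OPTION ("" when unset or "is not set")
config_value() {
    sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# selinux_cmdline_params FILE -> parameters to add (possibly an empty line)
# Returns 1 when the kernel was built without SELinux support at all.
selinux_cmdline_params() {
    cfg=$1
    params=""
    if [ "$(config_value "$cfg" CONFIG_SECURITY_SELINUX)" != "y" ]; then
        echo "kernel built without CONFIG_SECURITY_SELINUX" >&2
        return 1
    fi
    # SELinux is not the default LSM: it has to be selected explicitly.
    if [ "$(config_value "$cfg" CONFIG_DEFAULT_SECURITY_SELINUX)" != "y" ]; then
        params="security=selinux"
    fi
    # The boot parameter exists and defaults to 0: SELinux starts disabled.
    if [ "$(config_value "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = "y" ] &&
       [ "$(config_value "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)" = "0" ]; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# missing_from_cmdline FILE "CMDLINE" -> required parameters absent from CMDLINE
missing_from_cmdline() {
    needed=$(selinux_cmdline_params "$1") || return 1
    missing=""
    for p in $needed; do
        case " $2 " in
            *" $p "*) ;;
            *) missing="${missing:+$missing }$p" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample configurations (not taken from a real kernel build).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/default-selinux" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y
EOF
cat > "$tmp/opt-in" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
EOF

for c in default-selinux opt-in; do
    printf '%-16s needs: %s\n' "$c" "$(selinux_cmdline_params "$tmp/$c")"
done
# The second argument would normally be the content of /proc/cmdline.
printf 'still missing: %s\n' \
    "$(missing_from_cmdline "$tmp/opt-in" "root=/dev/sda2 ro selinux=1")"
```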
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
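The ordering requirements in the two comments above can be verified before logging out of the session used for the installation. The following script is an added example, not part of the original page or of the pambase-selinux package; the function name and both sample files are constructed, and the script only lists what runs after {{ic|pam_selinux.so open}} because whether those rules belong in the user context needs human review.

```shell
#!/bin/sh
# Added example: check the position of the pam_selinux.so session rules
# in a PAM service file such as /etc/pam.d/system-login.

# pam_selinux_report FILE -> prints findings, returns 1 if a check failed
pam_selinux_report() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        $1 != "session" && $1 != "-session" { next }
        {
            i = 2                                   # control field, may be "[a=b c=d]"
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            module = $(i + 1)
            sub(/.*\//, "", module)                 # strip a leading directory
            n++                                     # position among session rules
            if (o_at) after = after " " module      # rule runs after "open"
            if (module != "pam_selinux.so") next
            for (j = i + 2; j <= NF; j++) {
                if ($j == "close" && !c_at) c_at = n
                if ($j == "open" && !o_at) o_at = n
            }
        }
        END {
            if (c_at == 1)
                print "ok: pam_selinux.so close is the first session rule"
            else if (c_at) {
                print "FAIL: pam_selinux.so close is session rule " c_at ", not 1"
                bad = 1
            } else {
                print "FAIL: pam_selinux.so close is missing"; bad = 1
            }
            if (!o_at) {
                print "FAIL: pam_selinux.so open is missing"; bad = 1
            } else if (c_at && o_at < c_at) {
                print "FAIL: pam_selinux.so open comes before close"; bad = 1
            } else
                print "ok: pam_selinux.so open is session rule " o_at
            if (after != "") print "review (runs after open):" after
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files (not copies of any packaged configuration).
pamtmp=$(mktemp -d)
trap 'rm -rf "$pamtmp"' EXIT
cat > "$pamtmp/good" <<'EOF'
#%PAM-1.0
auth      include   system-auth
account   include   system-auth
session   required  pam_selinux.so close
session   optional  pam_loginuid.so
session   include   system-auth
session   required  pam_selinux.so open
session   optional  pam_keyinit.so force revoke
session   [success=ok default=ignore]  pam_lastlog.so silent
EOF
cat > "$pamtmp/bad" <<'EOF'
session   optional  pam_loginuid.so
session   required  pam_selinux.so close
session   include   system-auth
EOF

pam_selinux_report "$pamtmp/good"
pam_selinux_report "$pamtmp/bad" || echo "-> this file needs fixing"
```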
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in its GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux: they govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field is also known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important if you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to, for the reference policy is sufficiently mature. If, however, you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
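The {{ic|user:role:type[:level]}} format can be split in a shell script, with one pitfall: the level may itself contain colons. The following function is an added example, not part of the original page; the function name is hypothetical and the third context (with an MCS range) is a constructed value, while the first two are the contexts shown on this page.

```shell
#!/bin/sh
# Added example: split an SELinux security context into its fields.

# context_field CONTEXT user|role|type|level -> prints the requested field
# Returns 1 for a string that is not a context, 2 for an unknown field name.
context_field() {
    ctx=$1
    case $ctx in
        *:*:*) ;;                          # at least user:role:type
        *) echo "not a security context: $ctx" >&2; return 1 ;;
    esac
    f_user=${ctx%%:*};  rest=${ctx#*:}
    f_role=${rest%%:*}; rest=${rest#*:}
    f_type=${rest%%:*}
    case $rest in
        *:*) f_level=${rest#*:} ;;         # everything left, colons included
        *)   f_level= ;;                   # policy without MCS/MLS
    esac
    [ -n "$f_user" ] && [ -n "$f_role" ] && [ -n "$f_type" ] || {
        echo "empty field in context: $ctx" >&2
        return 1
    }
    case $2 in
        user)  printf '%s\n' "$f_user" ;;
        role)  printf '%s\n' "$f_role" ;;
        type)  printf '%s\n' "$f_type" ;;
        level) printf '%s\n' "$f_level" ;;
        *)     return 2 ;;
    esac
}

# has_type CONTEXT TYPE -> succeeds when the context carries that type
has_type() {
    [ "$(context_field "$1" type)" = "$2" ]
}

# The first two contexts appear on this page; the third is constructed.
for c in system_u:object_r:httpd_sys_content_t \
         system_u:system_r:policykit_t:s0 \
         staff_u:staff_r:staff_t:s0-s0:c0.c1023; do
    printf '%s\n  type=%s level=%s\n' "$c" \
        "$(context_field "$c" type)" "$(context_field "$c" level)"
done

# Splitting on every colon truncates the level of the third context:
printf '%s\n' staff_u:staff_r:staff_t:s0-s0:c0.c1023 | cut -d: -f4
```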
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=486049SELinux2017-08-20T11:04:41Z<p>IooNag: /* Current status in Arch Linux */ Refpolicy release 20170805</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related|TOMOYO Linux}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (since release 20170805 the policy has integrated support for systemd and single-/usr/bin directory)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches are included, which fix issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is only supported on the ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}, and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of a way this script can be used in a user shell to install all packages (with downloading the GPG keys which are used to verify the source tarballs of the package):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your bootloader accordingly to boot on it. Moreover you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
<br />
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in its GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
* [[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
* [https://wiki.gentoo.org/wiki/SELinux Gentoo SELinux Handbook]<br />
* [https://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
* [https://www.nsa.gov/what-we-do/research/selinux/ NSA's Official SELinux Homepage]<br />
* [http://userspace.selinuxproject.org/ SELinux Userspace Homepage]<br />
** [http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
** [http://oss.tresys.com/projects/setools SETools Homepage]<br />
* [https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=481655SELinux2017-07-10T19:35:08Z<p>IooNag: /* Current status in Arch Linux */ refpolicy now handles systemd and merged-/usr systems</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
SELinux is not officially supported (see [https://lists.archlinux.org/pipermail/arch-general/2013-October/034352.html][https://lists.archlinux.org/pipermail/arch-general/2017-February/043149.html]). The status of unofficial support is:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented for {{pkg|linux-hardened}}, but not {{pkg|linux}} || Removed since the 3.14 official {{pkg|linux}} kernel.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Upstream: https://github.com/TresysTechnology/refpolicy (patches which integrate support for systemd and /usr merge have been merged right after release 20170204)<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| linux-hardened || SELinux support enabled, but audit support is disabled by default and needs to be enabled with audit=1 on the kernel line<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR.<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches are included, which fix issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is only supported on the ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Custom kernel|rebuild them]].}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overwritten when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots the new kernel. Moreover you may need to add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the kernel command line. More precisely, if the kernel configuration does not set {{ic|CONFIG_DEFAULT_SECURITY_SELINUX}}, {{ic|<nowiki>security=selinux</nowiki>}} is needed, and if it contains both {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM=y</nowiki>}} and {{ic|<nowiki>CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0</nowiki>}}, {{ic|<nowiki>selinux=1</nowiki>}} is needed.<br />
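The rule stated above can be applied mechanically to a kernel configuration. The following script is an added example, not part of the original article or of the archlinuxhardened project; the function names and both sample configurations are constructed for illustration, and it follows the rule exactly as worded in this revision.

```shell
#!/bin/sh
# Added example: derive the SELinux kernel parameters from a kernel config.
# Function names and both sample configs are constructed for illustration.

# Reads a kernel config on stdin (for example from `zcat /proc/config.gz`)
# and prints the parameters that have to be added to the command line.
needed_selinux_params() {
    awk -F= '
        /^CONFIG_[A-Z0-9_]+=/ { cfg[$1] = $2 }
        END {
            # Without the SELinux LSM compiled in, no parameter can help.
            if (cfg["CONFIG_SECURITY_SELINUX"] != "y") {
                print "unsupported"
                exit
            }
            out = ""
            if (cfg["CONFIG_DEFAULT_SECURITY_SELINUX"] != "y")
                out = "security=selinux"
            if (cfg["CONFIG_SECURITY_SELINUX_BOOTPARAM"] == "y" &&
                cfg["CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE"] == "0")
                out = out (out == "" ? "" : " ") "selinux=1"
            print (out == "" ? "none" : out)
        }'
}

# $1: output of needed_selinux_params, $2: a kernel command line
# (for example the contents of /proc/cmdline). Prints what is still missing.
missing_from_cmdline() {
    missing=""
    case $1 in none|unsupported) printf '%s\n' "$1"; return 0 ;; esac
    for param in $1; do
        case " $2 " in
            *" $param "*) ;;
            *) missing="${missing:+$missing }$param" ;;
        esac
    done
    printf '%s\n' "${missing:-none}"
}

# Constructed sample: SELinux built in, but neither default nor boot-enabled.
CONFIG_OPT_IN='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y'

# Constructed sample following the option list given in this article.
CONFIG_DEFAULT_ON='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y'

for sample in "$CONFIG_OPT_IN" "$CONFIG_DEFAULT_ON"; do
    needed=$(printf '%s\n' "$sample" | needed_selinux_params)
    printf 'needed: %s\n' "$needed"
    printf 'still missing with "root=/dev/sda2 ro selinux=1": %s\n' \
        "$(missing_from_cmdline "$needed" 'root=/dev/sda2 ro selinux=1')"
done
```
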
<br />
====GRUB====<br />
<br />
Add {{ic|<nowiki>security=selinux selinux=1</nowiki>}} to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====systemd-boot====<br />
<br />
Create a new loader entry, for example in {{ic|/boot/loader/entries/arch-selinux.conf}}:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up [[PAM]] is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
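The ordering requirement described in both copies of the "Checking PAM" section can be verified with a small script. This is an added example, not part of the original article; the function name, the verdict format and the sample PAM files are constructed for illustration. It checks that {{ic|pam_selinux.so close}} is the first session rule and lists the rules that follow {{ic|pam_selinux.so open}} so they can be reviewed by hand.

```shell
#!/bin/sh
# Added example: check the position of pam_selinux.so in a PAM service file.
# The function name, verdict strings and sample files are constructed.

# Reads a PAM service file (such as /etc/pam.d/system-login) on stdin and
# prints one verdict line. Rules after "open" are listed for manual review,
# because only the administrator can judge whether they belong in the user
# context.
check_pam_selinux() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        { sub(/^-/, "", $1) }                # "-session" is still a session rule
        $1 == "session" {
            n++
            i = 2
            # A bracketed control such as [success=ok default=bad] spans
            # several whitespace-separated fields; find where it ends.
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            mod = $(i + 1); arg = $(i + 2)
            sel = (mod ~ /(^|\/)pam_selinux\.so$/)
            if (sel && arg == "close" && !close_at) close_at = n
            else if (sel && arg == "open" && !open_at) open_at = n
            else if (open_at) after = after (after == "" ? "" : ",") mod
        }
        END {
            if (!close_at)          print "FAIL close-missing"
            else if (close_at != 1) print "FAIL close-not-first close=" close_at
            else if (!open_at)      print "FAIL open-missing"
            else print "OK close=1 open=" open_at \
                       " after_open=" (after == "" ? "-" : after)
        }'
}

# Constructed sample: ordering as required by the article.
PAM_GOOD='#%PAM-1.0
auth       include    system-auth
account    include    system-auth
password   include    system-auth
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    include    system-auth
session    required   pam_selinux.so open
session    optional   pam_motd.so'

# Constructed sample: another session rule runs before "close".
PAM_CLOSE_LATE='#%PAM-1.0
session    optional   pam_loginuid.so
session    required   pam_selinux.so close
session    required   pam_selinux.so open'

# Constructed sample: the "open" rule is missing.
PAM_NO_OPEN='#%PAM-1.0
session    required   pam_selinux.so close
session    include    system-auth'

for sample in "$PAM_GOOD" "$PAM_CLOSE_LATE" "$PAM_NO_OPEN"; do
    printf '%s\n' "$sample" | check_pam_selinux
done
```
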
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in its GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example: the SELinux security context of the Apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
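
The following shell functions split a context into the four fields described above and use the type field to list files whose label differs from the expected one. This is an added example, not part of the original article; the function names and the sample listing are constructed, and the input format ({{ic|<context> <path>}} per line) is an assumption.

```shell
#!/bin/sh
# context_field <context> <user|role|type|level>
# Prints one field of an SELinux context of the form user:role:type[:level].
# Only the first three colons separate fields: an MLS/MCS level such as
# s0-s0:c0.c1023 contains colons of its own and must be kept whole.
context_field() {
    case $1 in
        *:*:*) ;;
        *) return 1 ;;                 # fewer than three fields
    esac
    _user=${1%%:*};     _rest=${1#*:}
    _role=${_rest%%:*}; _rest=${_rest#*:}
    _type=${_rest%%:*}
    case $_rest in
        *:*) _level=${_rest#*:} ;;     # everything after the third colon
        *)   _level= ;;                # policy without MCS/MLS: no level
    esac
    [ -n "$_user" ] && [ -n "$_role" ] && [ -n "$_type" ] || return 1
    case $2 in
        user)  printf '%s\n' "$_user" ;;
        role)  printf '%s\n' "$_role" ;;
        type)  printf '%s\n' "$_type" ;;
        level) printf '%s\n' "$_level" ;;
        *)     return 2 ;;
    esac
}

# mislabelled <expected_type>
# Reads "<context> <path>" lines on stdin and prints every path whose type
# differs from the expected one or whose context cannot be parsed.
mislabelled() {
    while read -r _ctx _path; do
        [ -n "$_path" ] || continue
        _t=$(context_field "$_ctx" type) || _t=
        [ "$_t" = "$1" ] || printf '%s\n' "$_path"
    done
}

# Constructed sample listing (not taken from a real system).
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t /var/www/html/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.html'

printf '%s\n' "$SAMPLE_LISTING" | mislabelled httpd_sys_content_t
```

A path reported by {{ic|mislabelled}} is a candidate for {{ic|restorecon}}, described under Useful tools.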
<br />
These fields are the basic building blocks of SELinux, so they matter if you wish to understand how to build your own policies. For most purposes there is no need to, for the reference policy is sufficiently mature. If you are a power user or someone with very specific needs, however, it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=Vagrant&diff=467612Vagrant2017-02-04T11:51:02Z<p>IooNag: /* Base Boxes for Vagrant */ Add packer-arch as a way to get a vagrant box</p>
<hr />
<div>[[Category:Virtualization]]<br />
[[ja:Vagrant]]<br />
{{Related articles start}}<br />
{{Related|Docker}}<br />
{{Related|KVM}}<br />
{{Related|Libvirt}}<br />
{{Related|VirtualBox}}<br />
{{Related articles end}}<br />
[http://www.vagrantup.com Vagrant] is a tool for managing and configuring virtualised development environments.<br />
<br />
Vagrant has a concept of 'providers', which map to the virtualisation engine and its API. The most popular and well-supported provider is Virtualbox; plugins exist for {{ic|libvirt}}, {{ic|kvm}}, {{ic|lxc}}, {{ic|vmware}} and more.<br />
<br />
Vagrant uses a mostly declarative {{ic|Vagrantfile}} to define virtualised machines. A single Vagrantfile can define multiple machines.<br />
<br />
== Installation ==<br />
<br />
Install package {{Pkg|vagrant}}.<br />
<br />
== Plugins ==<br />
<br />
Vagrant [https://news.ycombinator.com/item?id=4408754 has a middleware architecture] providing support for powerful plugins.<br />
<br />
Plugins can be installed with Vagrant's built-in plugin manager. You can specify multiple plugins to install:<br />
<br />
$ vagrant plugin install vagrant-vbguest vagrant-share<br />
<br />
=== vagrant-libvirt ===<br />
<br />
This plugin adds a libvirt provider to Vagrant. The gcc and make packages must be installed before this plugin can be installed,<br />
and [[libvirt]] and related packages must be installed and configured before using the libvirt provider.<br />
<br />
As of September 2016 (Vagrant version 1.8.5), a normal installation of this plugin fails on Arch Linux. The plugin can be successfully installed with this workaround:<br />
<br />
$ CONFIGURE_ARGS='with-ldflags=-L/opt/vagrant/embedded/lib with-libvirt-include=/usr/include/libvirt with-libvirt-lib=/usr/lib' \<br />
GEM_HOME=~/.vagrant.d/gems GEM_PATH=$GEM_HOME:/opt/vagrant/embedded/gems PATH=/opt/vagrant/embedded/bin:$PATH \<br />
vagrant plugin install vagrant-libvirt<br />
<br />
{{Style|A better workaround is already described above}}<br />
<br />
A normal {{ic|vagrant up}} fails with {{ic|incompatible library version}} due to [https://github.com/vagrant-libvirt/vagrant-libvirt/issues/541 bug #541]. As a workaround, create and run [https://gist.github.com/robled/070e1922816bbe983623#file-reinstall-vagrant-libvirt-sh reinstall-vagrant-libvirt.sh].<br />
<br />
Once the plugin is installed the {{ic|libvirt}} provider will be available:<br />
<br />
$ vagrant up --provider=libvirt<br />
<br />
=== vagrant-lxc ===<br />
<br />
First install {{Pkg|lxc}} from the official repositories, then:<br />
<br />
$ vagrant plugin install vagrant-lxc<br />
<br />
Next, configure lxc and some systemd unit files per [https://github.com/fgrehm/vagrant-lxc/issues/109#issuecomment-21274392 this comment]. The plugin can now be used with a {{ic|Vagrantfile}} like so:<br />
<br />
VAGRANTFILE_API_VERSION = "2"<br />
<br />
Vagrant.configure("2") do |config|<br />
<br />
config.vm.define "main" do |config|<br />
<nowiki>config.vm.box = 'http://bit.ly/vagrant-lxc-wheezy64-2013-10-23'</nowiki><br />
<br />
config.vm.provider :lxc do |lxc|<br />
lxc.customize 'cgroup.memory.limit_in_bytes', '512M'<br />
end<br />
<br />
config.vm.provision :shell do |shell|<br />
shell.path = 'provision.sh'<br />
end<br />
end<br />
end<br />
<br />
The {{ic|provision.sh}} file should be a shell script beside the {{ic|Vagrantfile}}. Do whatever setup is appropriate; for example, to remove puppet, which is packaged in the above box:<br />
<br />
rm /etc/apt/sources.list.d/puppetlabs.list<br />
apt-get purge -y puppet facter hiera puppet-common puppetlabs-release ruby-rgen<br />
<br />
=== vagrant-kvm (deprecated) ===<br />
<br />
This plugin supports [[KVM]] as the virtualisation provider.<br />
<br />
Vagrant installs a self-contained rainbow environment in /opt which interacts with the system Ruby and other libraries in Arch in confusing ways ([https://github.com/adrahon/vagrant-kvm/issues/14 Issue with Ruby], [https://github.com/adrahon/vagrant-kvm/issues/161#issuecomment-38834996 Issue with Curl library]).<br />
<br />
Please see and follow [https://github.com/adrahon/vagrant-kvm/wiki/Install_on_ArchLinux the complete installation guide for Arch Linux] at vagrant-kvm wiki.<br />
<br />
== Provisioning ==<br />
<br />
''Provisioners'' allow you to automatically install software and to alter and automate configurations as part of the {{ic|vagrant up}} process. The two most common provisioners are {{Pkg|puppet}} from the [[official repositories]] and {{AUR|chef}}{{Broken package link|{{aur-mirror|chef}}}} from the [[AUR]].<br />
<br />
== Base Boxes for Vagrant ==<br />
<br />
Here is a list of places to get all sorts of vagrant base boxes for different purposes: development, testing, or even production.<br />
<br />
* A well maintained up-to-date [https://github.com/terrywang/vagrantboxes/blob/master/archlinux-x86_64.md Arch Linux x86_64] base box for Vagrant<br />
<br />
* The same Arch Linux x86_64 base box can also be obtained via Vagrant Cloud by running: {{ic|vagrant init terrywang/archlinux}}<br />
<br />
* [https://vagrantcloud.com/ Vagrant Cloud] is HashiCorp's official site for Vagrant boxes. You can browse user-submitted boxes or upload your own. A single Vagrant Cloud box can support multiple providers with versioning.<br />
<br />
* [http://vagrantbox.es/ vagrantbox.es]<br/>A List of vagrant base boxes. Initiated by Gareth Rushgrove [https://twitter.com/garethr @garethr] hosted on Heroku using Nginx. See the story here: [http://www.morethanseven.net/2012/07/01/The-vagrantbox.es-story/ The Vagrantbox.es Story].<br />
<br />
* Opscode [https://github.com/opscode/bento bento]<br/>We all know what bento means in Japanese, right? In this case, they are '''NOT''' lunch boxes '''BUT''' extremely useful base boxes which can be used to test cookbooks or private chef (Chef Server and Client). Distributions included: Ubuntu Server, Debian, CentOS, Fedora and FreeBSD.<br />
<br />
* [http://puppet-vagrant-boxes.puppetlabs.com/ Puppet Labs Vagrant Boxes]<br/>Pre-rolled vagrant boxes, ready for use. Made by the folks at Puppet Labs.<br />
<br />
* [http://cloud-images.ubuntu.com/vagrant/ Vagrant Ubuntu Cloud Images]<br/>These have been available since January 2013. For some reason Canonical has NOT officially promoted them yet; they may still be in beta. Remember these are vanilla images, NOT very useful without Chef or Puppet.<br />
<br />
* The [https://github.com/elasticdog/packer-arch packer-arch project on GitHub] provides configuration files to build light Arch Linux Vagrant images from the official ISO image, using {{AUR|packer-io}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== No ping between host and vagrant box (host-only networking) ===<br />
Sometimes host-only networking does not function: the host has no IP address on the vboxnet interface, cannot ping the Vagrant boxes and cannot be pinged from them. This is solved by installing good old {{Pkg|net-tools}}, as mentioned in [https://bbs.archlinux.org/viewtopic.php?pid=1178607#p1178607 this thread] by kevin1024.<br />
<br />
=== Virtual machine is not network accessible from the Arch host OS ===<br />
As of version 1.8.4, Vagrant appears to use the deprecated {{ic|route}} command to configure routing to the virtual network interface which bridges to the virtual machine(s). If {{ic|route}} is not installed, you will not be able to access the virtual machine from the host OS due to the lack of a suitable route. The solution, as mentioned above, is to install the {{Pkg|net-tools}} package, which includes the {{ic|route}} command.<br />
<br />
=== 'vagrant up' hangs on NFS mounting (Mounting NFS shared folders...) ===<br />
Installing {{Pkg|net-tools}} package may solve this problem.<br />
<br />
=== Error starting network 'default': internal error: Failed to initialize a valid firewall backend ===<br />
Most likely the firewall dependencies were not installed. [[Install]] the {{pkg|ebtables}} and {{pkg|dnsmasq}} packages and [[restart]] the {{ic|libvirtd}} systemd service.<br />
<br />
== See also ==<br />
* [http://docs.vagrantup.com/v2/getting-started/project_setup.html official Vagrant documentation]<br />
* [[Wikipedia:Vagrant (software)]]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=425314SELinux2016-03-12T10:21:07Z<p>IooNag: /* Current status in Arch Linux */ typo in shadow package description</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Work in progress at https://github.com/archlinuxhardened/selinux-policy-arch/<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
SELinux is only supported on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, if you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overridden when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux. This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (including downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration to boot it. Moreover, you may need to add "security=selinux selinux=1" to the kernel command line. More precisely, if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, "security=selinux" is needed, and if it contains both CONFIG_SECURITY_SELINUX_BOOTPARAM=y and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0, "selinux=1" is needed.<br />
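
The rule in the paragraph above can be checked mechanically against a kernel configuration and a kernel command line. The following shell functions are an added example, not part of the original article or of the archlinuxhardened project; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# selinux_needed_params
# Reads a kernel configuration on stdin and prints, one per line, the
# command-line parameters that the rule above says are required.
selinux_needed_params() {
    awk '
        /^CONFIG_DEFAULT_SECURITY_SELINUX=y$/         { dflt = 1 }
        /^CONFIG_SECURITY_SELINUX_BOOTPARAM=y$/       { bootparam = 1 }
        /^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0$/ { value0 = 1 }
        END {
            # SELinux is not the default LSM: it must be selected explicitly.
            if (!dflt) print "security=selinux"
            # The boot parameter exists and defaults to off: switch it on.
            if (bootparam && value0) print "selinux=1"
        }'
}

# selinux_missing_params <kernel command line>
# Reads a kernel configuration on stdin and prints the required parameters
# that are absent from the given command line. Whole words are compared, so
# a bare "selinux" does not count as "security=selinux".
selinux_missing_params() {
    _cmdline=$1
    selinux_needed_params | while read -r _param; do
        case " $_cmdline " in
            *" $_param "*) ;;
            *) printf '%s\n' "$_param" ;;
        esac
    done
}

# Constructed sample configuration (not taken from a real kernel).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set'

# Constructed command line that enables the boot parameter but never
# selects SELinux as the security module; prints "security=selinux".
printf '%s\n' "$SAMPLE_CONFIG" |
    selinux_missing_params 'root=/dev/sda2 ro selinux=1'
```

On a running system, feed the functions the configuration of the booted kernel and the contents of {{ic|/proc/cmdline}}; empty output means nothing required by the rule is missing.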
<br />
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the GRUB_CMDLINE_LINUX_DEFAULT variable in {{ic|/etc/default/grub}}.<br />
Then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
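The context format described above can be split mechanically, which is useful when scanning listings for mislabelled files. The following is an added example, not part of the original wiki page; the function names and the sample listing are constructed for illustration. Only the first three colons separate fields, because an MLS/MCS level can contain colons itself.

```sh
#!/bin/sh
# Added example: split an SELinux context of the form user:role:type[:level].

# context_field <context> <user|role|type|level>
# Prints the requested field. Returns 1 for a malformed context,
# 2 for an unknown field name.
context_field() {
    ctx=$1
    se_user=${ctx%%:*}
    rest=${ctx#*:}
    [ "$rest" != "$ctx" ] || return 1      # no colon at all
    se_role=${rest%%:*}
    tail=${rest#*:}
    [ "$tail" != "$rest" ] || return 1     # only one colon
    se_type=${tail%%:*}
    # Everything after the third colon is the level, colons included
    # (for example s0-s0:c0.c1023).
    case $tail in
        *:*) se_level=${tail#*:} ;;
        *)   se_level="" ;;
    esac
    [ -n "$se_user" ] && [ -n "$se_role" ] && [ -n "$se_type" ] || return 1
    case $2 in
        user)  printf '%s\n' "$se_user" ;;
        role)  printf '%s\n' "$se_role" ;;
        type)  printf '%s\n' "$se_type" ;;
        level) printf '%s\n' "$se_level" ;;
        *)     return 2 ;;
    esac
}

# mislabelled <expected-type>
# Reads "context path" pairs on stdin (the two columns printed by ls -Z)
# and prints "path type" for every entry whose type differs.
mislabelled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(context_field "$ctx" type) || t="(unparsable)"
        [ "$t" = "$1" ] || printf '%s %s\n' "$path" "$t"
    done
}

# Constructed sample listing, not output from a real system.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t /var/www/html/index.html
system_u:object_r:default_t /var/www/html/upload.html
system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 /var/www/html/mls.html
EOF
}

sample_listing | mislabelled httpd_sys_content_t
```

Files reported by such a scan are candidates for {{ic|restorecon}}.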
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=425313SELinux2016-03-12T10:20:24Z<p>IooNag: /* Current status in Arch Linux */ findutils 4.6.0 now integrates SELinux support</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Work in progress at https://github.com/archlinuxhardened/selinux-policy-arch/<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need a rebuild with libselinux installed to enable SELinux-specific options<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, visit [[wikipedia:Mandatory access control]].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches are included, which fix issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
Only the ext2, ext3, ext4, JFS, XFS and BtrFS filesystems are supported for use with SELinux. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overridden when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of how this script can be used in a user shell to install all packages (after downloading the GPG keys which are used to verify the source tarballs of the packages):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your bootloader accordingly to boot on it. Moreover you may need to add "security=selinux selinux=1" to the kernel command line. More precisely, if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, "security=selinux" is needed, and if it contains CONFIG_SECURITY_SELINUX_BOOTPARAM=y CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0, "selinux=1" is needed.<br />
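The two rules in the paragraph above can be evaluated directly against a kernel configuration. The following is an added example, not part of the original wiki page; the function names are hypothetical, the configuration is read from standard input, and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example: work out which SELinux parameters a kernel needs on its
# command line, and which of them a given command line is missing.

# has_opt <config text> <exact line>
has_opt() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# selinux_boot_params: reads a kernel configuration on stdin and prints the
# required parameters, space separated (empty line if none are needed).
# Returns 1 if the kernel has no SELinux support at all.
selinux_boot_params() {
    cfg=$(cat)
    params=""
    has_opt "$cfg" 'CONFIG_SECURITY_SELINUX=y' || return 1
    # Rule 1: SELinux is not the default security module.
    has_opt "$cfg" 'CONFIG_DEFAULT_SECURITY_SELINUX=y' || params="security=selinux"
    # Rule 2: the selinux= parameter is compiled in and defaults to 0.
    if has_opt "$cfg" 'CONFIG_SECURITY_SELINUX_BOOTPARAM=y' &&
       has_opt "$cfg" 'CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0'; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# missing_boot_params <kernel command line>
# Reads a kernel configuration on stdin and prints the required parameters
# that the given command line lacks.
missing_boot_params() {
    required=$(selinux_boot_params) || return 1
    missing=""
    for p in $required; do
        case " $1 " in
            *" $p "*) ;;
            *) missing="${missing:+$missing }$p" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample, not a real kernel configuration.
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
EOF
}

# A command line that sets selinux=1 but forgets security=selinux.
sample_config | missing_boot_params 'root=/dev/sda2 ro selinux=1'
```

On a kernel that exposes its configuration at {{ic|/proc/config.gz}}, the same functions can be fed with {{ic|zcat /proc/config.gz}} and the contents of {{ic|/proc/cmdline}}.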
<br />
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub.<br />
Then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
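The ordering described above can be checked automatically. The following is an added example, not part of the original wiki page; the function name is hypothetical and the sample PAM file is constructed. Whether the rules that follow {{ic|pam_selinux.so open}} really belong in the user context cannot be decided mechanically, so they are only listed for review.

```sh
#!/bin/sh
# Added example: verify the position of the pam_selinux.so session rules.

# check_pam_selinux: reads a PAM service file on stdin.
# Prints "error:" lines for ordering problems and "review:" lines for the
# session rules that run after "pam_selinux.so open".
# Returns 0 when close is the first session rule and open comes after it.
check_pam_selinux() {
    awk '
        # Only session rules count; a leading "-" marks an optional module.
        $1 == "session" || $1 == "-session" {
            n++
            if ($0 ~ /pam_selinux\.so/ && $0 ~ /[ \t]close([ \t]|$)/) {
                if (!close_at) close_at = n
            } else if ($0 ~ /pam_selinux\.so/ && $0 ~ /[ \t]open([ \t]|$)/) {
                open_at = n
                after = ""
            } else if (open_at) {
                after = after "review: runs after open: " $0 "\n"
            }
        }
        END {
            if (!close_at) {
                print "error: no pam_selinux.so close rule"; bad = 1
            } else if (close_at != 1) {
                print "error: pam_selinux.so close is session rule " close_at ", not the first"; bad = 1
            }
            if (!open_at) {
                print "error: no pam_selinux.so open rule"; bad = 1
            } else if (open_at < close_at) {
                print "error: pam_selinux.so open precedes close"; bad = 1
            }
            printf "%s", after
            exit bad + 0
        }
    '
}

# Constructed sample, not the file shipped by any package.
sample_pam() {
    cat <<'EOF'
#%PAM-1.0
auth required pam_shells.so
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open
session required pam_env.so
EOF
}

sample_pam | check_pam_selinux
```

To check the installed file, run {{ic|check_pam_selinux < /etc/pam.d/system-login}}.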
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in its GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[[wikipedia:Security-Enhanced_Linux|Security Enhanced Linux]]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=418510SELinux2016-01-31T12:57:05Z<p>IooNag: /* Installing SELinux */ Document Vagrant</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Work in progress at https://github.com/archlinuxhardened/selinux-policy-arch/<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need SELinux patch for 4.4.2, already upstream<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risk.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so, and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
Only the ext2, ext3, ext4, JFS, XFS and BtrFS filesystems are supported for use with SELinux. By default, the Arch kernel does not have the SELinux LSM enabled. If you are using the Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}} and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}.<br />
* Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overridden when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of a way this script can be used in a user shell to install all packages (with downloading the GPG keys which are used to verify the source tarballs of the package):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader so that it boots this kernel. You may also need to add "security=selinux selinux=1" to the kernel command line. More precisely, if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, "security=selinux" is needed, and if it contains both CONFIG_SECURITY_SELINUX_BOOTPARAM=y and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0, "selinux=1" is needed.<br />
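<br />
The rule in the paragraph above, written as a check that can be run against a kernel configuration file. This is an added example, not part of the wiki page or the archlinuxhardened scripts; the function names, the sample configs and the command lines are constructed for illustration, and the handling of {{ic|selinux&#61;0}} is an addition beyond what the paragraph states.<br />

```shell
#!/bin/sh
# Added example: which SELinux parameters does this kernel need on its
# command line? Function names and sample files are hypothetical.

# cfg_value FILE OPTION: print OPTION's value from a kernel config
# (prints nothing for "# OPTION is not set" or a missing option).
cfg_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# has_param CMDLINE PARAM: succeed if PARAM is a whole word of CMDLINE.
has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# selinux_params_needed FILE [CMDLINE]
# Prints the parameters missing from CMDLINE (empty line if none).
# Returns 1 if the kernel lacks SELinux, 2 if CMDLINE disables it.
selinux_params_needed() {
    cfg=$1
    cmdline=${2:-}
    needed=""

    if [ "$(cfg_value "$cfg" CONFIG_SECURITY_SELINUX)" != "y" ]; then
        echo "kernel built without CONFIG_SECURITY_SELINUX" >&2
        return 1
    fi

    bootparam=$(cfg_value "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM)
    if [ "$bootparam" = "y" ] && has_param "$cmdline" "selinux=0"; then
        echo "selinux=0 on the command line disables SELinux; remove it" >&2
        return 2
    fi

    # security=selinux is needed when SELinux is not the default LSM.
    if [ "$(cfg_value "$cfg" CONFIG_DEFAULT_SECURITY_SELINUX)" != "y" ] &&
       ! has_param "$cmdline" "security=selinux"; then
        needed="security=selinux"
    fi

    # selinux=1 is needed when the boot parameter exists and defaults to 0.
    if [ "$bootparam" = "y" ] &&
       [ "$(cfg_value "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)" = "0" ] &&
       ! has_param "$cmdline" "selinux=1"; then
        needed="${needed:+$needed }selinux=1"
    fi

    printf '%s\n' "$needed"
}

# Constructed sample configs: the first is a subset of the option list on
# this page, the second a kernel where SELinux is built but off by default.
CFG_DIR=$(mktemp -d)
trap 'rm -rf "$CFG_DIR"' EXIT
CFG_PAGE=$CFG_DIR/config.page
CFG_OFF=$CFG_DIR/config.off

cat > "$CFG_PAGE" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y
EOF

cat > "$CFG_OFF" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
EOF

echo "page config, no parameters:   '$(selinux_params_needed "$CFG_PAGE" "")'"
echo "off by default, no parameters: '$(selinux_params_needed "$CFG_OFF" "root=/dev/sda2 ro")'"
```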
<br />
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
    APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
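<br />
One way to verify the ordering described above mechanically, as an added example that is not part of the wiki page: the function name and both sample PAM files are constructed, and the script only checks positions. Whether the rules after {{ic|pam_selinux.so open}} really belong in the user context still needs a manual review.<br />

```shell
#!/bin/sh
# Added example: check the position of the pam_selinux.so session rules in a
# PAM service file. check_pam_selinux is a hypothetical helper name.

# check_pam_selinux FILE
# Prints one result line; returns 0 if "close" is the first session rule and
# an "open" rule follows it, 1 otherwise.
check_pam_selinux() {
    awk '
        # Session rules only; a leading "-" marks an optional module.
        $1 == "session" || $1 == "-session" {
            n++
            # Scan from field 3 so bracketed controls such as
            # [success=1 default=ignore] do not hide the module name.
            for (i = 3; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_selinux\.so$/) {
                    if ($(i + 1) == "close" && !close_at) close_at = n
                    if ($(i + 1) == "open" && !open_at) open_at = n
                }
            }
        }
        END {
            if (!close_at) {
                print "FAIL: no pam_selinux.so close rule"; exit 1
            }
            if (close_at != 1) {
                print "FAIL: pam_selinux.so close is session rule " close_at ", not the first"
                exit 1
            }
            if (!open_at) {
                print "FAIL: no pam_selinux.so open rule"; exit 1
            }
            print "OK: close is session rule 1, open is session rule " open_at " of " n
        }
    ' "$1"
}

# Constructed sample files (not copied from any package).
PAM_DIR=$(mktemp -d)
trap 'rm -rf "$PAM_DIR"' EXIT
PAM_GOOD=$PAM_DIR/system-login.good
PAM_BAD=$PAM_DIR/system-login.bad

cat > "$PAM_GOOD" <<'EOF'
#%PAM-1.0
auth       required   pam_unix.so
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    required   pam_limits.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required   pam_selinux.so open
session    required   pam_unix.so
EOF

cat > "$PAM_BAD" <<'EOF'
#%PAM-1.0
session    required   pam_loginuid.so
session    required   pam_selinux.so close
session    required   pam_selinux.so open
EOF

check_pam_selinux "$PAM_GOOD" || true
check_pam_selinux "$PAM_BAD" || true
```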
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
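<br />
To see which denials a module like this would silence before loading it, the AVC records can be grouped by source type, target type and class. The following is an added example, not part of the wiki page and not the project's tooling: {{ic|avc_summary}} is a hypothetical helper, and the log lines are constructed to mirror three of the rules in {{ic|requiredmod.te}}.<br />

```shell
#!/bin/sh
# Added example: summarise AVC denials as candidate allow rules so they can
# be reviewed against a module such as requiredmod.te.

# avc_summary FILE
# For each (source type, target type, class) prints one line:
#   allow SRC TGT:CLASS { perms }; # N denial(s)
# The type is the third field of user:role:type[:level]; a level, if
# present, is ignored. A target equal to the source is written as "self".
avc_summary() {
    awk '
        {
            s = ""; t = ""; c = ""; np = 0; inb = 0; denied = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "denied" && $(i - 1) == "avc:") denied = 1
                else if ($i == "{") inb = 1
                else if ($i == "}") inb = 0
                else if (inb) p[++np] = $i
                else if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
                else if ($i ~ /^tclass=/) c = substr($i, 8)
            }
            if (!denied || s == "" || t == "" || c == "") next
            if (t == s) t = "self"
            key = s " " t ":" c
            for (j = 1; j <= np; j++) {
                if (!((key, p[j]) in seen)) {
                    seen[key, p[j]] = 1
                    perms[key] = perms[key] " " p[j]
                }
            }
            count[key]++
        }
        END {
            for (k in count)
                printf "allow %s {%s }; # %d denial(s)\n", k, perms[k], count[k]
        }
    ' "$1" | LC_ALL=C sort
}

# Constructed audit records (timestamps, pids and inode numbers are made up).
AVC_DIR=$(mktemp -d)
trap 'rm -rf "$AVC_DIR"' EXIT
AVC_SAMPLE=$AVC_DIR/audit.log

cat > "$AVC_SAMPLE" <<'EOF'
type=AVC msg=audit(1454241425.101:31): avc:  denied  { write } for  pid=212 comm="systemd-udevd" name="notify" dev="tmpfs" ino=8123 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_run_t tclass=sock_file permissive=1
type=AVC msg=audit(1454241425.230:32): avc:  denied  { write } for  pid=212 comm="systemd-udevd" name="notify" dev="tmpfs" ino=8123 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1454241426.004:33): avc:  denied  { read write } for  pid=212 comm="systemd-udevd" path="socket:[7011]" dev="sockfs" ino=7011 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:kernel_t tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1454241427.550:34): avc:  denied  { block_suspend } for  pid=1 comm="systemd" capability=36  scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=capability2 permissive=1
type=SYSCALL msg=audit(1454241427.550:34): arch=c000003e syscall=232 success=yes exit=1 pid=1 comm="systemd"
EOF

avc_summary "$AVC_SAMPLE"
```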
<br />
===Testing in a Vagrant virtual machine===<br />
<br />
It is possible to use [[Vagrant]] to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux/_vagrant<br />
vagrant up<br />
vagrant ssh<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the Apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=418509SELinux2016-01-31T12:48:51Z<p>IooNag: /* Installation */ Update</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Work in progress at https://github.com/archlinuxhardened/selinux-policy-arch/<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need SELinux patch for 4.4.2, already upstream<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risk.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so, and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
===Preparing the Kernel===<br />
<br />
Only ext2, ext3, ext4, JFS, XFS and BtrFS filesystems are supported to use SELinux. By default, the Arch Kernel does not have the SELinux LSM enabled. If you are using Arch Linux packaged kernel ({{pkg|linux}}), there is an AUR package which adds the configuration options for SELinux, {{aur|linux-selinux}}. Otherwise, when you are using a custom kernel, please do make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
Here is the complete list of options which need to be enabled on Linux 4.3.3 to use SELinux:<br />
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT=y<br />
CONFIG_AUDITSYSCALL=y<br />
CONFIG_AUDIT_WATCH=y<br />
CONFIG_AUDIT_TREE=y<br />
CONFIG_NETLABEL=y<br />
CONFIG_IP_NF_SECURITY=m<br />
CONFIG_IP6_NF_SECURITY=m<br />
CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br />
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y<br />
CONFIG_NFSD_V4_SECURITY_LABEL=y<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_NETWORK=y<br />
CONFIG_SECURITY_PATH=y<br />
CONFIG_LSM_MMAP_MIN_ADDR=65536<br />
CONFIG_SECURITY_SELINUX=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM=y<br />
CONFIG_SECURITY_SELINUX_DISABLE=y<br />
CONFIG_SECURITY_SELINUX_DEVELOP=y<br />
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1<br />
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1<br />
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y<br />
CONFIG_SECURITY_SELINUX_AVC_STATS=y<br />
CONFIG_DEFAULT_SECURITY_SELINUX=y</nowiki>}}<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via AUR ====<br />
<br />
* First, install SELinux userspace tools and libraries, in this order (because of the dependencies): {{AUR|libsepol}}, {{AUR|libselinux}}, {{AUR|checkpolicy}}, {{AUR|setools}}, {{AUR|ustr-selinux}}, {{AUR|libsemanage}} (which needs {{pkg|python2-ipy}} from the ''community'' repository) and {{AUR|sepolgen}}.<br />
* Then install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}, and make sure you can log in again after the installation has completed, because files in {{ic|/etc/pam.d/}} are removed and created when {{pkg|pambase}} is replaced with {{AUR|pambase-selinux}}.<br />
* Next you can install {{AUR|libcgroup}} and {{AUR|policycoreutils}}, before recompiling some core packages by installing: {{AUR|coreutils-selinux}}, {{AUR|findutils-selinux}}, {{AUR|iproute2-selinux}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}}, {{AUR|psmisc-selinux}}, {{AUR|shadow-selinux}}, {{AUR|cronie-selinux}}<br />
* Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}} and restore your {{ic|/etc/sudoers}} (it is overridden when this package is installed as a replacement of {{pkg|sudo}}).<br />
* Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed ({{bug|39767}}), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install {{AUR|systemd-selinux}}.<br />
* Next, install {{AUR|dbus-selinux}}.<br />
<br />
After all these steps, you can install a SELinux kernel (like {{AUR|linux-selinux}}) and a policy (like {{AUR|selinux-refpolicy-arch}}).<br />
<br />
==== Using the GitHub repository ====<br />
<br />
All packages are maintained at https://github.com/archlinuxhardened/selinux . This repository also contains a script named {{ic|build_and_install_all.sh}} which builds and installs (or updates) all packages in the needed order. Here is an example of a way this script can be used in a user shell to install all packages (with downloading the GPG keys which are used to verify the source tarballs of the package):<br />
<br />
git clone https://github.com/archlinuxhardened/selinux<br />
cd selinux<br />
./recv_gpg_keys.sh<br />
./build_and_install_all.sh<br />
<br />
Of course, it is possible to modify the content of {{ic|build_and_install_all.sh}} before running it, for example if you already have SELinux support in your kernel.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots this kernel. You may also need to add "security=selinux selinux=1" to the kernel command line. More precisely, "security=selinux" is needed if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, and "selinux=1" is needed if it contains both CONFIG_SECURITY_SELINUX_BOOTPARAM=y and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0.<br />
<br />
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub.<br />
Run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
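As an added example (not part of the original page or of any SELinux tool): the script below groups denial records by source type, target type and class, taking the type as the third field of the {{ic|user:role:type[:level]}} context described in "Working with SELinux", and prints each group in the same {{ic|allow}} syntax as {{ic|requiredmod.te}}, so that every rule can be traced to the denials it silences. The log records are constructed samples, and {{ic|sample_audit_log}} and {{ic|summarize_denials}} are names chosen here.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki page or from any SELinux tool.

# Constructed sample records in /var/log/audit/audit.log format.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1400000000.101:41): avc:  denied  { write } for  pid=201 comm="systemd-udevd" name="notify" dev="tmpfs" ino=1234 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1400000000.101:41): arch=c000003e syscall=42 success=no exit=-13 comm="systemd-udevd"
type=AVC msg=audit(1400000000.102:42): avc:  denied  { write } for  pid=201 comm="systemd-udevd" name="data" dev="tmpfs" ino=1300 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir
type=AVC msg=audit(1400000000.103:43): avc:  denied  { add_name } for  pid=201 comm="systemd-udevd" name="b8:0" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir
type=AVC msg=audit(1400000000.104:44): avc:  denied  { block_suspend } for  pid=1 comm="systemd" capability=36 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2
type=AVC msg=audit(1400000000.105:45): avc:  granted  { setenforce } for  pid=310 comm="bash" scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# summarize_denials: reads audit records on stdin and prints one line per
# (source type, target type, class) with the union of denied permissions.
summarize_denials() {
    awk '
        # A context is user:role:type[:level]. The level is optional and may
        # itself contain ":", so the type is always the third field.
        function ctx_type(ctx,    f) {
            return (split(ctx, f, ":") >= 3) ? f[3] : ""
        }
        /avc:[ ]+denied/ {
            # Permissions are listed between braces: { write add_name }
            if (!match($0, /[{][^}]*[}]/)) next
            nperm = split(substr($0, RSTART + 1, RLENGTH - 2), perm, " ")
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) src = ctx_type(substr($i, 10))
                else if ($i ~ /^tcontext=/) tgt = ctx_type(substr($i, 10))
                else if ($i ~ /^tclass=/) cls = substr($i, 8)
            }
            if (src == "" || tgt == "" || cls == "") next   # malformed record
            # Policy syntax uses "self" when source and target type match.
            key = src " " (tgt == src ? "self" : tgt) ":" cls
            if (!(key in count)) order[++nkeys] = key
            count[key]++
            for (i = 1; i <= nperm; i++) {
                if (!((key, perm[i]) in seen)) {
                    seen[key, perm[i]] = 1
                    perms[key] = perms[key] (perms[key] == "" ? "" : " ") perm[i]
                    nperms[key]++
                }
            }
        }
        END {
            for (k = 1; k <= nkeys; k++) {
                key = order[k]
                p = (nperms[key] > 1) ? "{ " perms[key] " }" : perms[key]
                printf "allow %s %s; # %d denial(s)\n", key, p, count[key]
            }
        }
    '
}

# Demo on the constructed records. On a real system, feed it the audit log:
#   summarize_denials < /var/log/audit/audit.log
sample_audit_log | summarize_denials
```
<br />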
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=418507SELinux2016-01-31T11:31:59Z<p>IooNag: /* SELinux policy packages */ Update information about policy packages</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Work in progress at https://github.com/archlinuxhardened/selinux-policy-arch/<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need SELinux patch for 4.4.2, already upstream<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes nor risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, i.e. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in {{AUR|selinux-refpolicy-arch}} is mainly a way to perform updates between Refpolicy releases.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
Only ext2, ext3, ext4, JFS, XFS and BtrFS filesystems are supported to use SELinux. Since the 3.13 kernel update, the options required for SELinux to work on any system are enabled in the default kernel configuration, hence there should be no problems by default. If you are using a custom kernel, please do make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
The first install needs to be of {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}{{Broken package link|{{aur-mirror|selinux-flex}}}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
Now comes the {{AUR|setools}} package. For this, do make sure that you have the {{pkg|jdk7-openjdk}} package installed, in order for the {{ic|JAVA_HOME}} variable to be set properly. If it still is not even after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|dbus-selinux}} and {{AUR|checkpolicy}}. Finally, install {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}. Because of cyclic makedepends between these two packages which will not be fixed ([https://bugs.archlinux.org/task/39767 FS#39767]), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install the source package {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots this kernel. You may also need to add "security=selinux selinux=1" to the kernel command line. More precisely, "security=selinux" is needed if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, and "selinux=1" is needed if it contains both CONFIG_SECURITY_SELINUX_BOOTPARAM=y and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0.<br />
<br />
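The rule in the paragraph above (it is the same in both revisions of this section) can be checked mechanically. The following is an added example, not code from the wiki page or from the Arch SELinux packages: it reads a kernel configuration on standard input, prints the boot parameters that configuration requires, and compares them with a given kernel command line. The function names and the sample configuration are constructed for illustration.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki page or from the Arch SELinux packages.

# Constructed sample: a kernel built with SELinux, but neither selected as
# the default security module nor enabled by default at boot.
sample_kconfig() {
    cat <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
EOF
}

# config_get KEY: value of KEY in $KCONFIG; empty if absent or "is not set".
config_get() {
    printf '%s\n' "$KCONFIG" | sed -n "s/^$1=//p" | tail -n 1
}

# needed_params: reads a kernel .config on stdin and prints the parameters
# the page's rule requires, separated by spaces (empty output: none needed).
needed_params() {
    KCONFIG=$(cat)
    params=
    if [ "$(config_get CONFIG_SECURITY_SELINUX)" != y ]; then
        echo "error: kernel built without CONFIG_SECURITY_SELINUX" >&2
        return 2
    fi
    # SELinux is not the default security module: select it explicitly.
    if [ "$(config_get CONFIG_DEFAULT_SECURITY_SELINUX)" != y ]; then
        params="security=selinux"
    fi
    # The selinux= parameter exists and defaults to 0: turn it on.
    if [ "$(config_get CONFIG_SECURITY_SELINUX_BOOTPARAM)" = y ] &&
       [ "$(config_get CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)" = 0 ]; then
        params="${params:+$params }selinux=1"
    fi
    printf '%s\n' "$params"
}

# check_cmdline CMDLINE: reads a .config on stdin and prints
#   "add PARAM"      for each required parameter missing from CMDLINE
#   "conflict PARAM" for each parameter that selects another security
#                    module or switches SELinux off
check_cmdline() {
    cmdline=$1
    needed=$(needed_params) || return $?
    for p in $needed; do
        case " $cmdline " in
            *" $p "*) ;;                # already present
            *) echo "add $p" ;;
        esac
    done
    for c in $cmdline; do
        case $c in
            security=selinux|selinux=1) ;;
            security=*|selinux=*) echo "conflict $c" ;;
        esac
    done
}

# Demo on the constructed configuration. On a running system whose kernel
# exposes its configuration, the equivalent call would be:
#   zcat /proc/config.gz | check_cmdline "$(cat /proc/cmdline)"
sample_kconfig | check_cmdline "root=/dev/sda2 ro selinux=1"
```
<br />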
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub.<br />
Run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
    LINUX ../vmlinuz-linux-selinux<br />
    APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
    INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
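The ordering requirement for the two {{ic|pam_selinux.so}} rules can be verified with a short script. This is an added example, not part of the original wiki page: the function name {{ic|check_pam_selinux}} and the sample PAM file are constructed, and the script only checks rule order, not whether the modules after {{ic|open}} really run in the user context.

```shell
#!/bin/sh
# Added example (not from the wiki page): check the position of the
# pam_selinux.so session rules in a PAM service file read from stdin.

# check_pam_selinux < FILE
# Prints "ok: ..." or one "error: ..." line per problem; returns 1 on error.
check_pam_selinux() {
    n=0          # number of session rules seen so far
    close_at=0   # index of the first "pam_selinux.so close" session rule
    open_at=0    # index of the first "pam_selinux.so open" session rule
    while IFS= read -r line || [ -n "$line" ]; do
        # Split the rule into whitespace-separated tokens without globbing.
        set -f; set -- $line; set +f
        case ${1:-} in
            session|-session) ;;      # only session rules are relevant
            *) continue ;;            # comments, blank lines, other types
        esac
        n=$((n + 1))
        shift
        seen=no
        # Find the module token, then look at its arguments. This also copes
        # with bracketed control fields such as [success=ok default=bad].
        for tok in "$@"; do
            if [ "$seen" = yes ]; then
                if [ "$tok" = close ] && [ "$close_at" -eq 0 ]; then
                    close_at=$n
                elif [ "$tok" = open ] && [ "$open_at" -eq 0 ]; then
                    open_at=$n
                fi
            elif [ "${tok##*/}" = pam_selinux.so ]; then
                seen=yes
            fi
        done
    done

    rc=0
    if [ "$close_at" -ne 1 ]; then
        echo "error: pam_selinux.so close is not the first session rule"
        rc=1
    fi
    if [ "$open_at" -eq 0 ]; then
        echo "error: no pam_selinux.so open session rule"
        rc=1
    elif [ "$open_at" -lt "$close_at" ]; then
        echo "error: pam_selinux.so open comes before close"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: close is rule 1, open is rule $open_at of $n"
    fi
    return "$rc"
}

# Constructed sample of a system-login file with the rules in the right order.
sample_pam='#%PAM-1.0
auth       required   pam_unix.so
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    required   pam_loginuid.so
# pam_selinux.so open should only be followed by user-context sessions
session    required   pam_selinux.so open
session    optional   pam_keyinit.so force revoke'
printf '%s\n' "$sample_pam" | check_pam_selinux

# On a real system: check_pam_selinux < /etc/pam.d/system-login
```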
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in his GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
 -rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
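The context format can be split into its fields in plain shell, which is useful when checking whether a file carries the expected type. This is an added example, not part of the original wiki page: the function names are constructed, and it goes slightly beyond the example above by handling a level that itself contains colons (an MLS/MCS range such as {{ic|s0-s0:c0.c1023}}), which is why only the first three colons are treated as separators.

```shell
#!/bin/sh
# Added example (not from the wiki page): split user:role:type[:level]
# and check the type of a file from one line of `ls -lZ` output.

# context_field CONTEXT FIELD   (FIELD is user, role, type or level)
# Prints the requested field; returns 1 if CONTEXT is not a valid context.
context_field() {
    ctx=$1
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;
    esac
    f_user=${ctx%%:*};  rest=${ctx#*:}
    f_role=${rest%%:*}; rest=${rest#*:}
    # Everything after the third colon is the level, colons included.
    case $rest in
        *:*) f_type=${rest%%:*}; f_level=${rest#*:} ;;
        *)   f_type=$rest;       f_level= ;;
    esac
    if [ -z "$f_user" ] || [ -z "$f_role" ] || [ -z "$f_type" ]; then
        return 1
    fi
    case $2 in
        user)  printf '%s\n' "$f_user" ;;
        role)  printf '%s\n' "$f_role" ;;
        type)  printf '%s\n' "$f_type" ;;
        level) printf '%s\n' "$f_level" ;;
        *) return 2 ;;
    esac
}

# ls_context LINE
# Prints the security context column of one `ls -lZ` output line: the first
# field after the mode that contains at least two colons.
ls_context() {
    set -f; set -- $1; set +f
    [ $# -gt 0 ] || return 1
    shift   # skip the mode field
    for field in "$@"; do
        case $field in
            *:*:*) printf '%s\n' "$field"; return 0 ;;
        esac
    done
    return 1
}

# file_has_type LS_LINE EXPECTED_TYPE
# Returns 0 if the file's type matches, 1 if not, 2 if no context was found.
file_has_type() {
    c=$(ls_context "$1") || return 2
    [ "$(context_field "$c" type)" = "$2" ]
}

# The listing shown above, used as sample input.
sample_line='-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html'
if file_has_type "$sample_line" httpd_sys_content_t; then
    echo "label ok: $(ls_context "$sample_line")"
else
    echo "unexpected label: $(ls_context "$sample_line")"
fi
```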
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=418504SELinux2016-01-31T11:28:09Z<p>IooNag: /* SELinux aware system utilities */ Update</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Work in progress at https://github.com/archlinuxhardened/selinux-policy-arch/<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need SELinux patch for 4.4.2, already upstream<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|ustr-selinux}}<br />
:Patched ustr package needed only to build {{AUR|libsemanage}}. It replaces the {{pkg|ustr}} package, which does not work with recent gcc ({{bug|46445}}).<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of [[Systemd]]. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|dbus-selinux}}<br />
:An SELinux aware version of [[D-Bus]]. It replaces the {{pkg|dbus}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|iproute2-selinux}}<br />
:iproute2 package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|ss}}. It replaces the {{pkg|iproute2}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:[[OpenSSH]] package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}{{Broken package link|{{aur-mirror|selinux-refpolicy}}}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with {{ic|/etc/rc.d/*}} labeling.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, hence it seems doubtful that it is useful any longer.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
SELinux is supported only on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. Since the 3.13 kernel update, the options required for SELinux to work on any system are enabled in the default kernel configuration, hence there should be no problems by default. If you are using a custom kernel, please do make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
The first install needs to be of {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}{{Broken package link|{{aur-mirror|selinux-flex}}}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
Now comes the {{AUR|setools}} package. For this, do make sure that you have the {{pkg|jdk7-openjdk}} package installed, in order for the {{ic|JAVA_HOME}} variable to be set properly. If it still is not even after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|dbus-selinux}} and {{AUR|checkpolicy}}. Finally, install {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}. Because of cyclic makedepends between these two packages which will not be fixed ([https://bugs.archlinux.org/task/39767 FS#39767]), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install the source package {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your bootloader accordingly so that it boots that kernel. You may also need to add "security=selinux selinux=1" to the kernel command line. More precisely, if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, "security=selinux" is needed, and if it contains both CONFIG_SECURITY_SELINUX_BOOTPARAM=y and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0, "selinux=1" is needed.<br />
<br />
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
    LINUX ../vmlinuz-linux-selinux<br />
    APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
    INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in his GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
 -rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
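The context format described above, as an added example that is not part of the wiki page: a shell parser for {{ic|user:role:type[:level]}} that keeps a level containing colons in one piece, plus a check that lists files whose type differs from the expected one. The function names, the second {{ic|ls -lZ}} line and the {{ic|sshd_t}} context in the comments are constructed for illustration; the five-column {{ic|ls -lZ}} layout is assumed to be the one shown above.

```shell
#!/bin/sh
# Added example (not from the wiki page): split an SELinux security context
# into user, role, type and optional level, then use the type to find files
# whose label differs from the one expected for their location.

# context_field CONTEXT FIELD -> prints the field; returns 1 if malformed.
# Only the first three colons separate fields: an MCS/MLS level such as
# "s0-s0:c0.c1023" (constructed) contains a colon of its own and must stay whole.
context_field() {
    cf_rest=$1
    case $cf_rest in
        *:*:*) ;;
        *) return 1 ;;                      # fewer than three fields
    esac
    cf_user=${cf_rest%%:*}; cf_rest=${cf_rest#*:}
    cf_role=${cf_rest%%:*}; cf_rest=${cf_rest#*:}
    case $cf_rest in
        *:*) cf_type=${cf_rest%%:*}; cf_level=${cf_rest#*:} ;;
        *)   cf_type=$cf_rest;       cf_level= ;;
    esac
    if [ -z "$cf_user" ] || [ -z "$cf_role" ] || [ -z "$cf_type" ]; then
        return 1                            # empty mandatory field
    fi
    case $2 in
        user)  printf '%s\n' "$cf_user" ;;
        role)  printf '%s\n' "$cf_role" ;;
        type)  printf '%s\n' "$cf_type" ;;
        level) printf '%s\n' "$cf_level" ;;
        *)     return 1 ;;
    esac
}

# mislabelled EXPECTED_TYPE: read "ls -lZ" lines on stdin in the five-column
# layout shown above and print every path whose type is not EXPECTED_TYPE.
# A context that cannot be parsed counts as mislabelled.
mislabelled() {
    while read -r _perms _owner _group ml_ctx ml_path; do
        [ -n "$ml_path" ] || continue
        ml_type=$(context_field "$ml_ctx" type) || ml_type=
        [ "$ml_type" = "$1" ] || printf '%s\n' "$ml_path"
    done
}

# Constructed sample: the first line is the one from the page, the second is
# made up to show a file that kept a home-directory label after being moved.
SAMPLE_LS='-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html
-rw-r--r-- username username system_u:object_r:user_home_t /var/www/html/upload.html'

printf '%s\n' "$SAMPLE_LS" | mislabelled httpd_sys_content_t
```

Paths reported by this check are candidates for {{ic|restorecon}}.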
These fields matter if you wish to build your own policies, for they are the basic building blocks of SELinux. For most purposes there is no need to, because the reference policy is sufficiently mature. If you are a power user or someone with very specific needs, however, it may be worth learning how to write your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=418502SELinux2016-01-31T11:12:40Z<p>IooNag: /* Current status in Arch Linux */ Update section</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Implemented in AUR: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, using [https://github.com/TresysTechnology/refpolicy Reference Policy] as upstream || Work in progress at https://github.com/archlinuxhardened/selinux-policy-arch/<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild with {{ic|--with-selinux}} flag to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| dbus || Need a rebuild with {{ic|--enable-libaudit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| findutils || Need SELinux patch for 4.4.2, already upstream<br />
|-<br />
| iproute2 || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| logrotate || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in recent versions of libselinux<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so to {{ic|/etc/pam.d/system-login}}<br />
|-<br />
| psmisc || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| shadow || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| sudo || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-audit}} and {{ic|--enable-selinux}} flags<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|selinux-flex}}{{Broken package link|{{aur-mirror|selinux-flex}}}}<br />
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}{{Broken package link|{{aur-mirror|selinux-refpolicy}}}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with {{ic|/etc/rc.d/*}} labeling.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, hence it seems doubtful that it is useful any longer.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
SELinux can only be used on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. Since the 3.13 kernel update, the options required for SELinux to work are enabled in the default kernel configuration, so there should be no problems by default. If you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''logrotate-selinux''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
First, install {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}{{Broken package link|{{aur-mirror|selinux-flex}}}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
Next comes the {{AUR|setools}} package. For this, make sure that you have the {{pkg|jdk7-openjdk}} package installed, so that the {{ic|JAVA_HOME}} variable is set properly. If it is still not set after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, backup your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|dbus-selinux}} and {{AUR|checkpolicy}}. Finally, install {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}. Because of cyclic makedepends between these two packages which will not be fixed ([https://bugs.archlinux.org/task/39767 FS#39767]), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install the source package {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots that kernel. You may also need to add "security=selinux selinux=1" to the kernel command line. More precisely, "security=selinux" is needed if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, and "selinux=1" is needed if the configuration contains both CONFIG_SECURITY_SELINUX_BOOTPARAM=y and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0.<br />
<br />
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the {{ic|GRUB_CMDLINE_LINUX_DEFAULT}} variable in {{ic|/etc/default/grub}}, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
    APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
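One way to check a boot loader entry against the two kernel configuration rules given at the start of this section, as an added example that is not part of the wiki page. The function names are hypothetical, and the kernel configuration fragment and the Syslinux entry (which carries only one of the two parameters) are constructed samples.

```shell
#!/bin/sh
# Added example (not from the wiki page): apply the two rules from this
# section to a kernel configuration and a boot loader entry, and list the
# parameters that still have to be added to the kernel command line.

# entry_cmdline TEXT -> kernel parameters found in a Gummiboot "options" line,
# a Syslinux "APPEND" line, or GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.
entry_cmdline() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[[:space:]]*options[[:space:]][[:space:]]*//p' \
        -e 's/^[[:space:]]*APPEND[[:space:]][[:space:]]*//p' \
        -e 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p'
}

# has_config LINE CONFIG_TEXT -> success if CONFIG_TEXT has exactly that line.
has_config() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# has_param PARAM CMDLINE -> success if PARAM is a whole word of CMDLINE, so
# that "security=selinux" is never mistaken for "selinux=1" or the reverse.
has_param() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# selinux_missing_params CONFIG_TEXT CMDLINE -> space-separated list of the
# parameters that are required by CONFIG_TEXT but absent from CMDLINE.
selinux_missing_params() {
    smp_missing=
    # Rule 1: without CONFIG_DEFAULT_SECURITY_SELINUX, security=selinux is needed.
    if ! has_config 'CONFIG_DEFAULT_SECURITY_SELINUX=y' "$1" &&
       ! has_param 'security=selinux' "$2"; then
        smp_missing='security=selinux'
    fi
    # Rule 2: with BOOTPARAM=y and BOOTPARAM_VALUE=0, selinux=1 is needed.
    if has_config 'CONFIG_SECURITY_SELINUX_BOOTPARAM=y' "$1" &&
       has_config 'CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0' "$1" &&
       ! has_param 'selinux=1' "$2"; then
        smp_missing="${smp_missing:+$smp_missing }selinux=1"
    fi
    printf '%s\n' "$smp_missing"
}

# Constructed kernel configuration fragment (kernel .config format).
SAMPLE_CONFIG='CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set'

# Constructed Syslinux entry that only carries one of the two parameters.
SAMPLE_ENTRY='LABEL arch-selinux
    LINUX ../vmlinuz-linux-selinux
    APPEND root=/dev/sda2 ro selinux=1
    INITRD ../initramfs-linux-selinux.img'

printf 'missing: %s\n' \
    "$(selinux_missing_params "$SAMPLE_CONFIG" "$(entry_cmdline "$SAMPLE_ENTRY")")"
```

On a running system the second argument can be the contents of {{ic|/proc/cmdline}}, which shows what the kernel was actually booted with.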
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
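The ordering check described above can be automated; the following is an added example, not part of the wiki page. The function names and both {{ic|system-login}} fragments are constructed, and the check assumes the plain "type control module arguments" layout shown above, without bracketed {{ic|1=[value=action]}} controls.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the ordering of the
# pam_selinux.so session rules in /etc/pam.d/system-login.

# check_pam_selinux TEXT -> prints "ok", "close-not-first" or "open-missing"
# and returns non-zero when a problem is found. A missing close rule is
# reported as "close-not-first" as well.
check_pam_selinux() {
    printf '%s\n' "$1" | awk '
        $1 == "session" || $1 == "-session" {
            n++
            if ($3 == "pam_selinux.so" && $4 == "close" && !close_at) close_at = n
            if ($3 == "pam_selinux.so" && $4 == "open"  && !open_at)  open_at = n
        }
        END {
            if (close_at != 1) { print "close-not-first"; exit 1 }
            if (!open_at)      { print "open-missing";    exit 1 }
            print "ok"
        }'
}

# modules_after_open TEXT -> session modules listed after "pam_selinux.so open".
# Whether they belong in the user context cannot be decided mechanically, so
# they are printed for review.
modules_after_open() {
    printf '%s\n' "$1" | awk '
        seen && ($1 == "session" || $1 == "-session") { print $3 }
        $3 == "pam_selinux.so" && $4 == "open"        { seen = 1 }'
}

# Constructed fragment with the ordering the page asks for.
SAMPLE_GOOD='# constructed /etc/pam.d/system-login fragment
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    required   pam_selinux.so open
session    required   pam_env.so
session    required   pam_limits.so'

# Constructed fragment where another session rule precedes the close rule.
SAMPLE_BAD='# constructed /etc/pam.d/system-login fragment
session    optional   pam_loginuid.so
session    required   pam_selinux.so close
session    required   pam_selinux.so open
session    required   pam_env.so'

printf 'good: %s\n' "$(check_pam_selinux "$SAMPLE_GOOD")"
printf 'bad:  %s\n' "$(check_pam_selinux "$SAMPLE_BAD")"
printf 'after open: %s\n' "$(modules_after_open "$SAMPLE_GOOD" | tr '\n' ' ')"
```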
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to adjust the file accordingly):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls, and it is best understood by example. The SELinux security context of the Apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
These fields matter if you wish to build your own policies, for they are the basic building blocks of SELinux. For most purposes there is no need to, because the reference policy is sufficiently mature. If you are a power user or someone with very specific needs, however, it may be worth learning how to write your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
*[https://web.archive.org/web/20140816115906/http://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ ArchLinux, SELinux and You (archived)]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=359558SELinux2015-02-05T14:54:19Z<p>IooNag: /* Changing boot loader configuration */ Add security=selinux selinux=1 boot options and Gummiboot config</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: The main complaint was the lack of a Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, will probably be named selinux-policy-arch || No working repository for now.<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| findutils || Need SELinux patch, already upstream<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a library elsewhere<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so<br />
|-<br />
| psmisc || Need a patch, already upstream. Will be in version 22.21<br />
|-<br />
| shadow || Need a rebuild with {{ic|-lselinux}} and {{ic|--with-selinux}} flags<br />
|-<br />
| sudo || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux | Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|selinux-flex}}<br />
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with {{ic|/etc/rc.d/*}} labeling.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, hence it seems doubtful that it is useful any longer.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
SELinux is only supported on the ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. Since the 3.13 kernel update, the options required for SELinux to work on any system are enabled in the default kernel configuration, hence there should be no problems by default. If you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
A lot of credit for this section must go to [https://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole jamesthebard] for his outstanding work and documentation.<br />
<br />
The first install needs to be of {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}. However, do not use {{ic|yaourt -S pambase-selinux pam-selinux}} or use {{ic|sudo}} after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using {{ic|makepkg}} and installed by ''root'' using a simple {{ic|pacman -U <packagename>}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
{{Tip|The {{AUR|openssh-selinux}} package needs to be built in a GUI environment, otherwise it fails in the ''pairs.sh'' test during compilation.}}<br />
<br />
Now comes the {{AUR|setools}} package. For this, do make sure that you have the {{pkg|jdk7-openjdk}} package installed, in order for the {{ic|JAVA_HOME}} variable to be set properly. If it still isn't even after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|dbus-selinux}} and {{AUR|checkpolicy}}. Finally, install {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}. Because of cyclic makedepends between these two packages which will not be fixed ([https://bugs.archlinux.org/task/39767 FS#39767]), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install the source package {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration so that it boots that kernel. Moreover, you may need to add "security=selinux selinux=1" to the kernel command line. More precisely, "security=selinux" is needed if the kernel configuration does not set CONFIG_DEFAULT_SECURITY_SELINUX, and "selinux=1" is needed if it contains both CONFIG_SECURITY_SELINUX_BOOTPARAM=y and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0.<br />
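<br />
The rule above for deciding which parameters are needed, as an added shell example (not part of the original page or of any package it describes). The function names ''selinux_boot_params'' and ''missing_from_cmdline'' are hypothetical helpers, and the sample kernel configuration and command line are constructed.<br />
<br />
```sh
#!/bin/sh
# selinux_boot_params: read a kernel .config on standard input and print the
# kernel command-line parameters that are still needed to enable SELinux.
# Exit status 2 means the kernel was built without SELinux support at all.
selinux_boot_params() {
    awk '
        /^CONFIG_SECURITY_SELINUX=y$/               { built = 1 }
        /^CONFIG_DEFAULT_SECURITY_SELINUX=y$/       { is_default = 1 }
        /^CONFIG_SECURITY_SELINUX_BOOTPARAM=y$/     { bootparam = 1 }
        /^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=/ { split($0, kv, "="); value = kv[2] }
        END {
            if (!built) {
                print "CONFIG_SECURITY_SELINUX is not enabled in this kernel" > "/dev/stderr"
                exit 2
            }
            out = ""
            # SELinux is not the default security module: select it explicitly.
            if (!is_default) out = "security=selinux"
            # The boot parameter exists and defaults to off: switch it on.
            if (bootparam && value == "0") out = out (out ? " " : "") "selinux=1"
            print out
        }'
}

# missing_from_cmdline NEEDED CMDLINE: print the parameters listed in NEEDED
# that do not appear as whole words in CMDLINE.
missing_from_cmdline() {
    _need=$1 _cmd=$2 _miss=
    for _p in $_need; do
        case " $_cmd " in
            *" $_p "*) ;;
            *) _miss="${_miss:+$_miss }$_p" ;;
        esac
    done
    printf '%s\n' "$_miss"
}

# Constructed sample configuration (not taken from a real kernel package).
SAMPLE_CONFIG='CONFIG_AUDIT=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_DEFAULT_SECURITY_DAC=y'

# Constructed sample command line that only carries one of the two parameters.
SAMPLE_CMDLINE='root=/dev/sda2 ro selinux=1'

needed=$(printf '%s\n' "$SAMPLE_CONFIG" | selinux_boot_params)
echo "needed on the command line: $needed"
echo "missing from sample command line: $(missing_from_cmdline "$needed" "$SAMPLE_CMDLINE")"
```

On a running system the configuration can usually be piped in with {{ic|zcat /proc/config.gz}} and the command line read from {{ic|/proc/cmdline}}.<br />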
<br />
====GRUB====<br />
<br />
Add "security=selinux selinux=1" to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub, then run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro security=selinux selinux=1<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
====Gummiboot====<br />
<br />
Create a new loader entry, for example in /boot/loader/entries/arch-selinux.conf:<br />
<br />
{{hc|/boot/loader/entries/arch-selinux.conf|2=<br />
title Arch Linux SELinux<br />
linux /vmlinuz-linux-selinux<br />
initrd /initramfs-linux-selinux.img<br />
options root=/dev/sda2 ro selinux=1 security=selinux<br />
}}<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
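<br />
One way to check the ordering of these two rules automatically, as an added shell example (not part of the original page or of the PAM packages). ''check_pam_selinux'' is a hypothetical helper and both sample files are constructed; it cannot decide which modules belong in the user context, so it only lists the rules that follow the ''open'' rule for manual review.<br />
<br />
```sh
#!/bin/sh
# check_pam_selinux [FILE]: verify the ordering of the pam_selinux.so session
# rules. FILE defaults to /etc/pam.d/system-login; "-" reads standard input.
# Exit status 0: "close" is the first session rule and "open" follows it.
# Exit status 1: the ordering does not match.
check_pam_selinux() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)                  # "-session" is still a session rule
            if (type != "session") next
            i = 2                                # control field may be bracketed,
            if ($2 ~ /^\[/)                      # e.g. [success=ok default=bad]
                while (i < NF && $i !~ /\]$/) i++
            module = $(i + 1); arg = $(i + 2)
            n++
            is_selinux = (module ~ /(^|\/)pam_selinux\.so$/)
            if (is_selinux && arg == "close" && !close_at) close_at = n
            else if (is_selinux && arg == "open") { open_at = n; after = "" }
            else if (open_at) after = after (after ? " " : "") module
        }
        END {
            if (close_at != 1) { print "FAIL: pam_selinux.so close is not the first session rule"; bad = 1 }
            if (!open_at)      { print "FAIL: no pam_selinux.so open session rule"; bad = 1 }
            else if (open_at < close_at) { print "FAIL: pam_selinux.so open precedes close"; bad = 1 }
            if (!bad)
                print "OK: close is rule 1, open is rule " open_at \
                      "; review rules after open: " (after ? after : "(none)")
            exit bad + 0
        }' "${1:-/etc/pam.d/system-login}"
}

# Constructed sample with the expected ordering (not a real system-login file).
PAM_SAMPLE_OK='#%PAM-1.0
auth       required   pam_shells.so
account    required   pam_nologin.so
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
session    include    system-auth
session    required   pam_selinux.so open
session    required   pam_env.so
-session   optional   pam_systemd.so'

# Constructed sample where another session rule runs before "close".
PAM_SAMPLE_BAD='session    optional   pam_loginuid.so
session    required   pam_selinux.so close
session    required   pam_selinux.so open'

printf '%s\n' "$PAM_SAMPLE_OK"  | check_pam_selinux -
printf '%s\n' "$PAM_SAMPLE_BAD" | check_pam_selinux - || echo "(sample needs reordering)"
```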
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in its GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so don't worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the Apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
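<br />
The field layout described above, as an added shell example (not part of the original page). ''parse_context'' and ''listing_types'' are hypothetical helpers; the point they illustrate is that only the first three colons separate fields, because a level or range may itself contain colons. The third sample context is constructed.<br />
<br />
```sh
#!/bin/sh
# parse_context CONTEXT: split user:role:type[:level] into the variables
# se_user, se_role, se_type and se_level, and print them on one line.
# Only the first three colons are separators; anything after the third colon
# belongs to the level, which may contain colons of its own.
# Returns 1 if fewer than three non-empty fields are present.
parse_context() {
    _ctx=$1
    case $_ctx in
        *:*:*) ;;
        *) echo "not a security context: $_ctx" >&2; return 1 ;;
    esac
    se_user=${_ctx%%:*};  _rest=${_ctx#*:}
    se_role=${_rest%%:*}; _rest=${_rest#*:}
    case $_rest in
        *:*) se_type=${_rest%%:*}; se_level=${_rest#*:} ;;
        *)   se_type=$_rest;       se_level= ;;
    esac
    if [ -z "$se_user" ] || [ -z "$se_role" ] || [ -z "$se_type" ]; then
        echo "empty field in security context: $_ctx" >&2
        return 1
    fi
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$se_user" "$se_role" "$se_type" "$se_level"
}

# listing_types: read "ls -lZ" style lines on standard input and print
# "TYPE PATH" for each line, taking the first word that parses as a context
# and the last word as the path. Runs in a subshell so that disabling
# globbing (set -f) does not leak into the caller.
listing_types() (
    set -f
    while read -r _line; do
        for _w in $_line; do
            case $_w in
                *:*:*)
                    parse_context "$_w" >/dev/null 2>&1 || continue
                    printf '%s %s\n' "$se_type" "${_line##* }"
                    break ;;
            esac
        done
    done
)

# The first two contexts appear on this page; the third is a constructed
# example of a range with MCS categories.
for _c in system_u:object_r:httpd_sys_content_t \
          system_u:system_r:policykit_t:s0 \
          unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023; do
    parse_context "$_c"
done

# The listing line shown above on this page.
printf '%s\n' '-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html' |
    listing_types
```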
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=352954SELinux2014-12-26T11:32:03Z<p>IooNag: /* Via AUR */ Update AUR installation instructions</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: the main complaint was the lack of a Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, will probably be named selinux-policy-arch || No working repository for now.<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| findutils || Need SELinux patch, already upstream<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a library elsewhere<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so<br />
|-<br />
| psmisc || Need a patch, already upstream. Will be in version 22.21<br />
|-<br />
| shadow || Need a rebuild with {{ic|-lselinux}} and {{ic|--with-selinux}} flags<br />
|-<br />
| sudo || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux | Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package<br />
<br />
;{{AUR|selinux-flex}}<br />
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with {{ic|/etc/rc.d/*}} labeling.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, hence it seems doubtful that it is useful any longer.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
SELinux is only supported on the ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. Since the 3.13 kernel update, the options required for SELinux to work on any system are enabled in the default kernel configuration, hence there should be no problems by default. If you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
A lot of credit for this section must go to [https://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole jamesthebard] for his outstanding work and documentation.<br />
<br />
The first install needs to be of {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}. However, do not use {{ic|yaourt -S pambase-selinux pam-selinux}} or use {{ic|sudo}} after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using {{ic|makepkg}} and installed by ''root'' using a simple {{ic|pacman -U <packagename>}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
{{Tip|The {{AUR|openssh-selinux}} package needs to be built in a GUI environment, otherwise it fails in the ''pairs.sh'' test during compilation.}}<br />
<br />
Now comes the {{AUR|setools}} package. For this, do make sure that you have the {{pkg|jdk7-openjdk}} package installed, in order for the {{ic|JAVA_HOME}} variable to be set properly. If it still isn't even after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|dbus-selinux}} and {{AUR|checkpolicy}}. Finally, install {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}. Because of cyclic makedepends between these two packages which will not be fixed ([https://bugs.archlinux.org/task/39767 FS#39767]), you need to build the source package {{AUR|systemd-selinux}}, install {{AUR|libsystemd-selinux}}, build and install {{AUR|util-linux-selinux}} (with {{AUR|libutil-linux-selinux}}) and rebuild and install the source package {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you've installed a new kernel, make sure that you update your bootloader accordingly<br />
<br />
====GRUB====<br />
<br />
Run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
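The ordering check described above can be automated. The following shell function is an added example, not part of the original wiki page; it assumes the usual "type control module arguments" layout of PAM lines, its return codes are chosen for this example, and the file it is run on is a constructed sample.

```shell
#!/bin/sh
# check_pam_selinux FILE
# Verifies the two conditions from the section above for one PAM service file:
#   1. "pam_selinux.so close" is the first session rule
#   2. "pam_selinux.so open" appears after it
# Return codes (chosen for this example): 0 ok, 1 no close rule,
# 2 close is not the first session rule, 3 no open rule,
# 4 open does not come after close, 64 file not readable.
check_pam_selinux() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 64; }
    awk '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            kind = $1
            sub(/^-/, "", kind)             # "-session" marks an optional module
            if (kind != "session") next
            n++                             # position among the session rules
            # The control field may be bracketed and contain spaces, so look
            # for the module name in any later field instead of assuming $3.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_selinux\.so$/) {
                    for (j = i + 1; j <= NF; j++) {
                        if ($j == "close" && !close_at) close_at = n
                        if ($j == "open"  && !open_at)  open_at  = n
                    }
                    break
                }
            }
        }
        END {
            if (!close_at) { print "FAIL: no pam_selinux.so close rule"; exit 1 }
            if (close_at != 1) {
                print "FAIL: pam_selinux.so close is session rule " close_at ", not the first"
                exit 2
            }
            if (!open_at) { print "FAIL: no pam_selinux.so open rule"; exit 3 }
            if (open_at <= close_at) { print "FAIL: open does not come after close"; exit 4 }
            print "OK: close is first, open is session rule " open_at " of " n
            print "    " (n - open_at) " session rule(s) follow open; confirm they belong in the user context"
        }
    ' "$1"
}

# Constructed sample, not a real system-login file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth      required  pam_shells.so
session   required  pam_selinux.so close
session   optional  pam_loginuid.so
session   include   system-auth
session   required  pam_selinux.so open
session   optional  pam_motd.so
EOF
check_pam_selinux "$sample"
rm -f "$sample"
```

On a real system the function would be pointed at the service file named above; the rules that follow the open line still need a manual review, since the script only counts them.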
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so don't worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
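A small parser for the context format above, as an added example that is not part of the original wiki page. The function names are hypothetical, the MLS/MCS range mentioned in the comments is a constructed value, and picking the first field with at least two colons out of an {{ic|ls -lZ}} line is an assumption about the output layout.

```shell
#!/bin/sh
# ctx_field CONTEXT FIELD
# Prints one field (user, role, type or level) of a context written as
# user:role:type[:level]. The level is everything after the third colon,
# because an MLS/MCS range such as s0-s0:c0.c1023 contains colons itself.
# Returns 1 for a malformed context and 2 for an unknown field name.
ctx_field() {
    ctx=$1
    case $ctx in
        *:*:*) ;;
        *) echo "not a security context: $ctx" >&2; return 1 ;;
    esac
    c_user=${ctx%%:*}; rest=${ctx#*:}
    c_role=${rest%%:*}; rest=${rest#*:}
    c_type=${rest%%:*}
    case $rest in
        *:*) c_level=${rest#*:} ;;   # keep any further colons inside the level
        *)   c_level= ;;             # policy without MCS/MLS: no level field
    esac
    if [ -z "$c_user" ] || [ -z "$c_role" ] || [ -z "$c_type" ]; then
        echo "empty mandatory field in: $ctx" >&2
        return 1
    fi
    case $2 in
        user)  printf '%s\n' "$c_user" ;;
        role)  printf '%s\n' "$c_role" ;;
        type)  printf '%s\n' "$c_type" ;;
        level) printf '%s\n' "$c_level" ;;
        *) echo "unknown field: $2" >&2; return 2 ;;
    esac
}

# ls_context LINE
# Extracts the context from one line of "ls -lZ" output by taking the first
# whitespace-separated field that contains at least two colons (assumption:
# no earlier column, such as a timestamp, has that shape).
ls_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; found = 1; exit }
    }
    END { exit !found }'
}

# The ls -lZ line shown in the section above.
line='-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html'
found_ctx=$(ls_context "$line")
echo "context: $found_ctx"
echo "type:    $(ctx_field "$found_ctx" type)"
```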
<br />
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux_(%E6%97%A5%E6%9C%AC%E8%AA%9E)&diff=352941SELinux (日本語)2014-12-26T10:03:24Z<p>IooNag: /* AUR を使用 */ Christmas wiki cleanup: selinux-logrotate was renamed to logrotate-selinux</p>
<hr />
<div>[[Category:Security (日本語)]]<br />
[[Category:Kernel (日本語)]]<br />
[[en:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start (日本語)}}<br />
{{Related2|Security (日本語)|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that uses the Linux Security Modules (LSM) in the Linux kernel to provide a variety of security policies, including U.S. Department of Defense style mandatory access control. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, the SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some Linux programs also need to be patched and compiled with SELinux features enabled.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of each element in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux-enabled kernel || Implemented || Removed from the official Arch kernel since 3.14: the main reason is that there is no Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || The results are at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux policy || Work in progress. It will probably be named selinux-policy-arch. || No repository exists for now.<br />
|}<br />
<br />
Changes in the AUR packages compared to the official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Needs a rebuild with KConfig options enabled.<br />
|-<br />
| coreutils || Needs a rebuild linked with libselinux.<br />
|-<br />
| cronie || Needs a rebuild with the {{ic|--with-selinux}} flag.<br />
|-<br />
| findutils || Needs an SELinux patch, which is already included upstream.<br />
|-<br />
| openssh || Needs a rebuild with the {{ic|--with-selinux}} flag.<br />
|-<br />
| pam || Needs a rebuild with the {{ic|--enable-selinux}} flag for Linux-PAM. Needs a patch for pam_unix2, which removes a function implemented in another library.<br />
|-<br />
| pambase || Configuration changed to add pam_selinux.so.<br />
|-<br />
| psmisc || Needs a patch, which is already included upstream. It will be included in version 22.21.<br />
|-<br />
| shadow || Needs a rebuild with the {{ic|-lselinux}} and {{ic|--with-selinux}} flags.<br />
|-<br />
| sudo || Needs a rebuild with the {{ic|--enable-selinux}} flag.<br />
|-<br />
| systemd || Needs a rebuild with the {{ic|--enable-selinux}} flag.<br />
|-<br />
| util-linux || Needs a rebuild with the {{ic|--enable-selinux}} flag.<br />
|-<br />
|}<br />
<br />
The other SELinux-related packages can be used safely without changes.<br />
<br />
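==Mandatory Access Control==<br />
<br />
{{Note|This section is written for beginners. If you know what SELinux is and how it works, skip ahead to the installation section.}}<br />
<br />
Before enabling SELinux, it is worth understanding what it does. Put simply, SELinux enforces ''Mandatory Access Control (MAC)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MAC differs from DAC in that the security policy and its execution are completely separated.<br />
<br />
One example is the use of the ''sudo'' command. When DAC is used, sudo allows temporary privilege escalation to root, and the process gains unrestricted access to the whole system. When MAC is used, however, if the security administrator has specified a particular set of files that the process may access, then whatever privilege escalation is used, the files the process can access remain restricted unless the security policy changes. So on a machine running SELinux, an attempt to use ''sudo'' to access files that the policy does not allow will fail.<br />
<br />
Another example is the traditional (-rwxr-xr-x) type permissions given to files. Under DAC, the permissions can be changed by the user. Under MAC, however, the security administrator can freeze the permissions of a particular file. Users cannot change the file's permissions unless the policy for that file is changed.<br />
<br />
It is easy to imagine that this is particularly useful for processes that may be exposed to danger, such as web servers. When DAC is used, there is a real risk of serious damage if a program that can escalate privileges is taken over.<br />
<br />
For more information, see the Wikipedia page on [[Wikipedia:ja:強制アクセス制御|MAC]].<br />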
<br />
==Installing SELinux==<br />
<br />
===Packages===<br />
<br />
All SELinux-related packages are included in the ''selinux'' group in the AUR or in [[Unofficial user repositories (日本語)#siosm-selinux|Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|selinux-flex}}<br />
:Flex needed to build checkpolicy. With the normal flex package the checkmodule command fails. It replaces the {{pkg|flex}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package containing pam_selinux.so and its base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux-aware version of Systemd. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support enabled so that files can be searched for by a specified security context. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo (日本語)|sudo]] package compiled with SELinux support enabled, which sets the security context properly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support enabled. For example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support enabled. It contains a modified {{ic|/etc/pam.d/login}} file that sets the proper security context for the user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support enabled. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:OpenSSH package compiled with SELinux support enabled so that it sets the security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policies.<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. It contains the Python bindings needed for ''semanage'' and ''setools''.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. It contains the Python bindings needed for ''semanage'' and ''setools''.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utilities such as newrole and setfiles.<br />
<br />
;{{AUR|sepolgen}}<br />
:Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}<br />
:Vanilla reference policy as precompiled modules. Headers and documentation are included, but not the sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources.<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Reference policy as precompiled modules. Headers and documentation are included, but not the sources. It includes the Refpolicy patch for Arch Linux, but as of February 2011 it only fixes issues with the labelling of {{ic|/etc/rc.d/*}}.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, and it is uncertain whether it is still usable.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux.<br />
<br />
=== Installation ===<br />
<br />
The only filesystems that support SELinux are ext2, ext3, ext4, JFS, [[XFS (日本語)|XFS]] and [[Btrfs (日本語)|BtrFS]]. Since the 3.13 kernel update, the options needed to run SELinux are enabled in the default kernel configuration, and it should work without problems by default. If you use a custom kernel, make sure to enable Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} in its configuration (source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki]).<br />
<br />
{{Note|If you use proprietary drivers, such as the [[NVIDIA (日本語)|NVIDIA]] graphics drivers, you need to [[NVIDIA (日本語)#Alternate install: カスタムカーネル|rebuild]] them to use a custom kernel.}}<br />
<br />
There are two ways to install the required SELinux packages.<br />
<br />
==== Via the unofficial repository ====<br />
<br />
Add the [[Unofficial user repositories (日本語)#siosm-selinux|siosm-selinux]] repository to {{ic|pacman.conf}} and [[Pacman-key (日本語)#非公式のキーの追加|add]] Siosm's key.<br />
<br />
Then use the {{ic|su -}} command or log in as root and install the following packages:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install the packages above, because {{Pkg|pam}}, which is used for ''sudo'' authentication, gets replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
This section is mainly based on the documentation by [https://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole jamesthebard].<br />
<br />
The first packages to install are {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}. However, do not use {{ic|yaourt -S selinux-pam selinux-pambase}}, and do not use {{ic|sudo}} to install the packages after building them, because pam handles authentication. Instead, build the packages as an ordinary user with {{ic|makepkg}}, then install them as ''root'' by running {{ic|pacman -U <packagename>}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR, and install {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
{{Tip|The {{AUR|openssh-selinux}} package needs to be built in a GUI environment, otherwise the ''pairs.sh'' test fails during compilation.}}<br />
<br />
Then comes the {{AUR|setools}} package. To build it, you need to install the {{pkg|jdk7-openjdk}} package and have the {{ic|JAVA_HOME}} variable set correctly. If it is not set after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
After that, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|checkpolicy}}, {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, update your boot loader configuration.<br />
<br />
====GRUB====<br />
<br />
Run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Edit the {{ic|syslinux.cfg}} file and add the following at the very end:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
"linux-selinux" should be changed to match the kernel you are using.<br />
<br />
===Checking PAM===<br />
<br />
PAM must be set up correctly to get the proper security context after login. Check that the following lines are present in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy from [http://oss.tresys.com/projects/refpolicy Tresys] is not well suited to Arch Linux, because almost no files are labelled correctly. However, at the time of writing, Archers have no other choice. If there is any progress in solving this problem, please share it on the [[AUR (日本語)|AUR]]. The main problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are treated as different directories (as are {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This causes instability when applying labels to the whole system.<br />
* systemd is not yet supported (C. PeBenito, the main developer of refpolicy, announced in October 2014 on GitHub that he is working on systemd support: http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html ).}}<br />
<br />
Policies are the backbone of SELinux. They determine how SELinux behaves. Currently only the Reference Policy exists in the AUR. To install the Reference Policy you need to use the source files, which can be obtained from the {{AUR|selinux-refpolicy-src}} package or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands to install the reference policy:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
If you know how to write SELinux policies, you can tweak the policy to your heart's content before running the commands above. The commands take a while to do their job and load one core of your system, so don't worry. Just sit back and let the commands run.<br />
<br />
To load the reference policy, run:<br />
{{bc|# make load}}<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults as mentioned above; if you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now you need to reboot. After rebooting, run the following to label your filesystem:<br />
<br />
# restorecon -r /<br />
<br />
After that, create a file {{ic|requiredmod.te}} with the following contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
Then run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check whether SELinux is working with {{ic|sestatus}}. You should see something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct contexts, use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, use the following command:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you use a swap file instead of a swap partition, run the following commands to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
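==Working with SELinux==<br />
<br />
SELinux defines security in a different way from traditional Unix access controls. The best way to understand SELinux is to look at an example. For example, the SELinux security context of the apache homepage looks like the following:<br />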
<br />
$ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three columns and the last one should be familiar to any (Arch) Linux user. The fourth column is new and has the following format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain each one:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field can also be known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This matters if you want to create your own policies, as these are the basic building blocks of SELinux. In most cases the reference policy is sufficient, so there is no need to understand this. However, if you are a power user with some special needs, this is a good opportunity to learn how to write your own SELinux policies.<br />
<br />
For those who want to understand how SELinux works, [http://www.fosteringlinux.com/tag/selinux/ this] series of articles is recommended.<br />
<br />
==Troubleshooting==<br />
<br />
SELinux errors can be found in the systemd journal. For example, to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}}, run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that help with SELinux.<br />
<br />
;restorecon: Restores the context of a file/directory based on the policy rules (recursively with {{ic|-R}}).<br />
;chcon: Changes the context of a specified file.<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/ja/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=352933SELinux2014-12-26T09:58:57Z<p>IooNag: /* Via AUR */ Christmas wiki cleanup: selinux-logrotate was renamed to logrotate-selinux</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Kernel]]<br />
[[ja:SELinux]]<br />
[[ru:SELinux]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: the main complaint was the lack of a Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, will probably be named selinux-policy-arch || No working repository for now.<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| findutils || Need SELinux patch, already upstream<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a library elsewhere<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so<br />
|-<br />
| psmisc || Need a patch, already upstream. Will be in version 22.21<br />
|-<br />
| shadow || Need a rebuild with {{ic|-lselinux}} and {{ic|--with-selinux}} flags<br />
|-<br />
| sudo || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes nor risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another example is the traditional (-rwxr-xr-x) permissions given to files. Under DAC, these are user-modifiable. Under MAC, however, a security administrator can choose to freeze the permissions of a certain file, making it impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux | Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|selinux-flex}}<br />
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with {{ic|/etc/rc.d/*}} labeling.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, hence it seems doubtful that it is useful any longer.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
SELinux is supported only on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. Since the 3.13 kernel update, the options required for SELinux to work on any system are enabled in the default kernel configuration, hence there should be no problems by default. If you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
A lot of credit for this section must go to [https://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole jamesthebard] for his outstanding work and documentation.<br />
<br />
The first install needs to be of {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}. However, do not use {{ic|yaourt -S selinux-pam selinux-pambase}} or use {{ic|sudo}} after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using {{ic|makepkg}} and installed by ''root'' using a simple {{ic|pacman -U <packagename>}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}, {{AUR|logrotate-selinux}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
{{Tip|The {{AUR|openssh-selinux}} package needs to be built in a GUI environment, otherwise it fails in the ''pairs.sh'' test during compilation.}}<br />
<br />
Next, build the {{AUR|setools}} package. Make sure that the {{pkg|jdk7-openjdk}} package is installed so that the {{ic|JAVA_HOME}} variable is set properly. If it is still not set after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|checkpolicy}}, {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader accordingly.<br />
<br />
====GRUB====<br />
<br />
Run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
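<br />
The check described above can be scripted. The following shell functions are an added example, not part of the original page or of the PAM packages; the function names and the sample file contents are constructed for illustration.<br />
<br />
```shell
#!/bin/sh
# Added example: check the pam_selinux.so session rules in a PAM service file.

# pam_session_rules FILE
# Prints one line per session rule as "<index> <module> <args...>".
# Skips comments and blank lines, accepts the "-session" prefix and
# bracketed controls such as "[success=1 default=ignore]".
pam_session_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            kind = $1; sub(/^-/, "", kind)
            if (kind != "session") next
            i = 2
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            mod = $(i + 1); sub(/^.*\//, "", mod)   # drop any directory part
            args = ""
            for (j = i + 2; j <= NF && $j !~ /^#/; j++) args = args " " $j
            print ++n, mod args
        }
    ' "$1"
}

# pam_selinux_index RULES WORD
# Prints the index of the first pam_selinux.so rule carrying argument WORD.
pam_selinux_index() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == "pam_selinux.so" {
            for (i = 3; i <= NF; i++) if ($i == want) { print $1; exit }
        }'
}

# check_pam_selinux FILE
# Returns 0 when both rules are present and "close" is the first session rule,
# 1 when "close" is missing, 2 when it is not first, 3 when "open" is missing.
check_pam_selinux() {
    rules=$(pam_session_rules "$1") || return 9
    close_at=$(pam_selinux_index "$rules" close)
    open_at=$(pam_selinux_index "$rules" open)
    [ -n "$close_at" ] || return 1
    [ "$close_at" -eq 1 ] || return 2
    [ -n "$open_at" ] || return 3
    return 0
}

# pam_rules_after_open FILE
# Prints the modules of the session rules that follow "pam_selinux.so open".
# Those rules run in the user context, so the list is meant for manual review.
pam_rules_after_open() {
    rules=$(pam_session_rules "$1")
    open_at=$(pam_selinux_index "$rules" open)
    [ -n "$open_at" ] || return 3
    printf '%s\n' "$rules" | awk -v o="$open_at" '$1 > o { print $2 }'
}

# Constructed sample, not the file shipped by any package.
sample_system_login() {
    cat <<'EOF'
#%PAM-1.0
# pam_selinux.so close should be the first session rule
session    required   pam_selinux.so close
session    optional   pam_loginuid.so
-session   optional   pam_systemd.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required   pam_selinux.so open
session    optional   pam_keyinit.so force revoke
session    [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
EOF
}

# Demo on the constructed sample; on a real system pass /etc/pam.d/system-login.
demo=$(mktemp) && sample_system_login > "$demo"
check_pam_selinux "$demo" && echo "pam_selinux.so rules present and ordered"
echo "session rules running after 'pam_selinux.so open':"
pam_rules_after_open "$demo"
rm -f "$demo"
```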
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced its willingness to work on it in its github repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. To install it, use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release on https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so don't worry. Just sit back and let the command run for as long as it takes.<br />
<br />
To load the reference policy run:<br />
{{bc|# make load}}<br />
<br />
Then, make the file {{ic|/etc/selinux/config}} with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, make a file {{ic|requiredmod.te}} with the contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field is also known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important if you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to, as the reference policy is sufficiently mature. If you are a power user or someone with very specific needs, however, it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
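<br />
To make the context fields and the denial messages concrete, the following added example (not part of the original page or of the SELinux userspace tools) splits contexts as {{ic|user:role:type[:level]}} and groups ''avc: denied'' records into the {{ic|allow}} form used in {{ic|requiredmod.te}}. The function names are hypothetical and the log lines are constructed, written in the record layout of {{ic|/var/log/audit/audit.log}}.<br />
<br />
```shell
#!/bin/sh
# Added example: split SELinux contexts and summarise AVC denials.

# ctx_field CONTEXT N
# Prints field N of a context (1=user 2=role 3=type 4=level).
# Only the first three colons separate fields: the optional level may
# itself contain colons (for example s0-s0:c0.c1023). Returns 1 when the
# string has fewer than three fields.
ctx_field() {
    awk -v c="$1" -v n="$2" 'BEGIN {
        k = split(c, p, ":")
        if (k < 3) exit 1
        lvl = ""
        for (i = 4; i <= k; i++) lvl = lvl (i > 4 ? ":" : "") p[i]
        p[4] = lvl
        print p[n]
    }'
}

# avc_to_rules FILE
# Keeps the "avc: denied" records of FILE and prints one line per
# (source type, target type, class) with the union of the denied
# permissions, in the syntax of a .te module. "self" is used when the
# source and target types are identical.
avc_to_rules() {
    awk '
        function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }
        /avc:/ && /denied/ {
            b = index($0, "{"); e = index($0, "}")
            if (!b || e < b) next
            n = split(substr($0, b + 1, e - b - 1), perm, " ")
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      s = ctx_type(substr($i, 10))
                else if ($i ~ /^tcontext=/) t = ctx_type(substr($i, 10))
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            if (s == "" || t == "" || c == "") next
            key = s " " (s == t ? "self" : t) ":" c
            for (i = 1; i <= n; i++) {
                if ((key, perm[i]) in seen) continue
                seen[key, perm[i]] = 1
                list[key] = list[key] " " perm[i]
                cnt[key]++
            }
        }
        END {
            for (key in list)
                if (cnt[key] == 1) print "allow " key list[key] ";"
                else print "allow " key " {" list[key] " };"
        }
    ' "$1" | LC_ALL=C sort
}

# Constructed audit records (timestamps, pids and inodes are made up).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1415920517.101:21): avc:  denied  { write } for  pid=171 comm="systemd-udevd" name="control" dev="tmpfs" ino=8213 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1415920517.101:21): arch=c000003e syscall=42 success=no exit=-13 comm="systemd-udevd"
type=AVC msg=audit(1415920517.105:22): avc:  denied  { read write } for  pid=171 comm="systemd-udevd" path="socket:[7611]" dev="sockfs" ino=7611 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:kernel_t tclass=unix_stream_socket
type=AVC msg=audit(1415920517.230:23): avc:  denied  { ioctl } for  pid=171 comm="systemd-udevd" path="socket:[7611]" dev="sockfs" ino=7611 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:kernel_t tclass=unix_stream_socket
type=AVC msg=audit(1415920518.004:24): avc:  denied  { block_suspend } for  pid=1 comm="systemd" capability=36 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=capability2
EOF
}

# Demo on the constructed records.
log=$(mktemp) && sample_audit_log > "$log"
avc_to_rules "$log"
ctx_field system_u:system_r:policykit_t:s0 3
rm -f "$log"
```

Treat each printed rule as a candidate only: where a denial is caused by a wrong file label, relabel with {{ic|restorecon}} rather than allowing the access.<br />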
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=344561SELinux2014-11-13T23:20:33Z<p>IooNag: /* Installing a policy */ Explain a little bit why there is no Arch SELinux policy right now</p>
<hr />
<div>[[ru:SELinux]]<br />
[[Category:Security]]<br />
[[Category:Kernel]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: the main complaint was the lack of a Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, will probably be named selinux-policy-arch || No working repository for now.<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| findutils || Need SELinux patch, already upstream<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a library elsewhere<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so<br />
|-<br />
| psmisc || Need a patch, already upstream. Will be in version 22.21<br />
|-<br />
| shadow || Need a rebuild with {{ic|-lselinux}} and {{ic|--with-selinux}} flags<br />
|-<br />
| sudo || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another example is the traditional (-rwxr-xr-x) permissions given to files. Under DAC, these are user-modifiable. Under MAC, however, a security administrator can choose to freeze the permissions of a certain file, making it impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, e.g. web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux | Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|selinux-flex}}<br />
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with {{ic|/etc/rc.d/*}} labeling.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, hence it seems doubtful that it is useful any longer.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
SELinux is supported only on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. Since the 3.13 kernel update, the options required for SELinux to work on any system are enabled in the default kernel configuration, hence there should be no problems by default. If you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
A lot of credit for this section must go to [https://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole jamesthebard] for his outstanding work and documentation.<br />
<br />
The first install needs to be of {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}. However, do not use {{ic|yaourt -S selinux-pam selinux-pambase}} or use {{ic|sudo}} after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using {{ic|makepkg}} and installed by ''root'' using a simple {{ic|pacman -U <packagename>}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}, {{AUR|selinux-logrotate}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
{{Tip|The {{AUR|openssh-selinux}} package needs to be built in a GUI environment, otherwise it fails in the ''pairs.sh'' test during compilation.}}<br />
<br />
Next, build the {{AUR|setools}} package. Make sure that the {{pkg|jdk7-openjdk}} package is installed so that the {{ic|JAVA_HOME}} variable is set properly. If it is still not set after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, back up your {{ic|/etc/sudoers}} file. Install {{AUR|sudo-selinux}}, {{AUR|checkpolicy}}, {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader accordingly.<br />
<br />
====GRUB====<br />
<br />
Run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]. The major problems are:<br />
<br />
* {{ic|/lib}} and {{ic|/usr/lib}} are considered different (and also {{ic|/bin}}, {{ic|/sbin}}, {{ic|/usr/bin}} and {{ic|/usr/sbin}}). This introduces some instability when applying labels to the whole system, as files in these folders may be seen with 2 (or 4) different labels. <br />
* systemd is not yet supported (C. PeBenito, main developer of the refpolicy, announced his willingness to work on it in its GitHub repository in October 2014, http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html)}}<br />
<br />
Policies are the mainstay of SELinux: they govern its behaviour. The only policy currently available in the AUR is the Reference Policy. To install it, use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands above. The command takes a while to do its job and fully loads one core of your system, so do not worry; just sit back and let it run for as long as it takes.<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults mentioned above; if you changed the name of the policy, you need to adjust the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, create a file {{ic|requiredmod.te}} with the following contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example: the SELinux security context of the Apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated with one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated with one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field is also known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important if you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]</div>IooNaghttps://wiki.archlinux.org/index.php?title=SELinux&diff=344560SELinux2014-11-13T23:03:57Z<p>IooNag: /* Installing a policy */ Remove PKGBUILD tweak for selinux-refpolicy-src and add link to github releases of refpolicy</p>
<hr />
<div>[[ru:SELinux]]<br />
[[Category:Security]]<br />
[[Category:Kernel]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related|AppArmor}}<br />
{{Related articles end}}<br />
<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.<br />
<br />
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.<br />
<br />
==Current status in Arch Linux==<br />
<br />
Current status of those elements in Arch Linux:<br />
<br />
{| class="wikitable"<br />
! Name !! Status !! Available at<br />
|-<br />
| SELinux enabled kernel || Implemented || Removed since the 3.14 official Arch kernel: the main complaint was the lack of a Kconfig option to disable audit by default. Available in the AUR.<br />
|-<br />
| SELinux Userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/archlinuxhardened/selinux<br />
|-<br />
| SELinux Policy || Work in progress, will probably be named selinux-policy-arch || No working repository for now.<br />
|}<br />
<br />
Summary of changes in AUR as compared to official core packages:<br />
<br />
{| class="wikitable"<br />
! Name !! Status and comments<br />
|-<br />
| linux || Need a rebuild with some KConfig options enabled<br />
|-<br />
| coreutils || Need a rebuild to link with libselinux<br />
|-<br />
| cronie || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| findutils || Need SELinux patch, already upstream<br />
|-<br />
| openssh || Need a rebuild with {{ic|--with-selinux}} flag<br />
|-<br />
| pam || Need a rebuild with {{ic|--enable-selinux}} flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a library elsewhere<br />
|-<br />
| pambase || Configuration changes to add pam_selinux.so<br />
|-<br />
| psmisc || Need a patch, already upstream. Will be in version 22.21<br />
|-<br />
| shadow || Need a rebuild with {{ic|-lselinux}} and {{ic|--with-selinux}} flags<br />
|-<br />
| sudo || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| systemd || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
| util-linux || Need a rebuild with {{ic|--enable-selinux}} flag<br />
|-<br />
|}<br />
<br />
All of the other SELinux-related packages may be included without changes or risks.<br />
<br />
==Concepts: Mandatory Access Controls==<br />
<br />
{{Note|This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.}}<br />
<br />
Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces ''Mandatory Access Controls (MACs)'' on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of ''Discretionary Access Control (DAC)''. MACs are different from DACs because security policy and its execution are completely separated.<br />
<br />
An example would be the use of the ''sudo'' command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted systemwide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what the kind of privilege escalation used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if ''sudo'' is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.<br />
<br />
Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.<br />
<br />
As you may imagine, this is particularly useful for processes which have the potential to be compromised, such as web servers and the like. If DACs are used, then there is a particularly good chance of havoc being wreaked by a compromised program which has access to privilege escalation.<br />
<br />
For further information, do visit the [https://en.wikipedia.org/wiki/Mandatory_access_control MAC Wikipedia page].<br />
<br />
==Installing SELinux==<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group in the AUR as well as in [[Unofficial user repositories#siosm-selinux | Siosm's unofficial repository]].<br />
<br />
====SELinux aware system utilities====<br />
<br />
;{{AUR|coreutils-selinux}}<br />
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package.<br />
<br />
;{{AUR|selinux-flex}}<br />
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.<br />
<br />
;{{AUR|pam-selinux}} and {{AUR|pambase-selinux}}<br />
:PAM package with pam_selinux.so, and the underlying base package. They replace the {{pkg|pam}} and {{pkg|pambase}} packages respectively.<br />
<br />
;{{AUR|systemd-selinux}}<br />
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.<br />
<br />
;{{AUR|util-linux-selinux}}<br />
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.<br />
<br />
;{{AUR|findutils-selinux}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.<br />
<br />
;{{AUR|sudo-selinux}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.<br />
<br />
;{{AUR|psmisc-selinux}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.<br />
<br />
;{{AUR|shadow-selinux}}<br />
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.<br />
<br />
;{{AUR|cronie-selinux}}<br />
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.<br />
<br />
;{{AUR|logrotate-selinux}}<br />
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.<br />
<br />
;{{AUR|openssh-selinux}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.<br />
<br />
====SELinux userspace utilities====<br />
;{{AUR|checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{AUR|libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{AUR|libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{AUR|policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{AUR|sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy packages====<br />
<br />
;{{AUR|selinux-refpolicy}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with {{ic|/etc/rc.d/*}} labeling.<br />
<br />
{{Note|The ''selinux-refpolicy-arch'' package was last updated in 2011, hence it seems doubtful that it is useful any longer.}}<br />
<br />
====Other SELinux tools====<br />
<br />
;{{AUR|setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
=== Installation ===<br />
<br />
SELinux is supported only on ext2, ext3, ext4, JFS, XFS and Btrfs filesystems. Since the 3.13 kernel update, the options required for SELinux to work on any system are enabled in the default kernel configuration, hence there should be no problems by default. If you are using a custom kernel, make sure that Xattr (Extended Attributes), {{ic|CONFIG_AUDIT}} and {{ic|CONFIG_SECURITY_SELINUX}} are enabled in your config. (Source: [http://wiki.debian.org/SELinux/Setup#kernel Debian Wiki])<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
There are two methods to install the requisite SELinux packages.<br />
<br />
==== Via Unofficial Repository ====<br />
<br />
Add the [[Unofficial user repositories#siosm-selinux|siosm-selinux]] repository into {{ic|pacman.conf}} and [[Pacman-key#Adding_unofficial_keys|add]] Siosm's key. <br />
<br />
Then install the following packages by either using the {{ic|su -}} command or by logging in as root:<br />
<br />
* ''pambase-selinux''<br />
* ''pam-selinux''<br />
* ''coreutils-selinux''<br />
* ''libsemanage''<br />
* ''shadow-selinux''<br />
* ''libcgroup''<br />
* ''policycoreutils''<br />
* ''cronie-selinux''<br />
* ''findutils-selinux''<br />
* ''selinux-flex''<br />
* ''selinux-logrotate''<br />
* ''openssh-selinux''<br />
* ''psmisc-selinux''<br />
* ''python2-ipy''<br />
* ''setools''<br />
* ''systemd-selinux''<br />
<br />
{{Warning|Do not use the ''sudo'' command to install these packages. This is because {{Pkg|pam}}, which is used for ''sudo'' authentication, is being replaced.}}<br />
<br />
==== Via AUR ====<br />
<br />
A lot of credit for this section must go to [https://jamesthebard.net/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole jamesthebard] for his outstanding work and documentation.<br />
<br />
The first install needs to be of {{AUR|pambase-selinux}} and {{AUR|pam-selinux}}. However, do not use {{ic|yaourt -S selinux-pam selinux-pambase}} or use {{ic|sudo}} after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using {{ic|makepkg}} and installed by ''root'' using a simple {{ic|pacman -U <packagename>}}.<br />
<br />
Next, you need to build and install {{AUR|coreutils-selinux}}, {{AUR|libsemanage}}, {{AUR|shadow-selinux}}, {{AUR|libcgroup}}, {{AUR|policycoreutils}}, {{AUR|cronie-selinux}}, {{AUR|findutils-selinux}}, {{AUR|selinux-flex}}, {{AUR|selinux-logrotate}}, {{AUR|openssh-selinux}} and {{AUR|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.<br />
<br />
{{Tip|The {{AUR|openssh-selinux}} package needs to be built in a GUI environment; otherwise it fails the ''pairs.sh'' test during compilation.}}<br />
<br />
Now comes the {{AUR|setools}} package. Make sure that the {{pkg|jdk7-openjdk}} package is installed so that the {{ic|JAVA_HOME}} variable is set properly. If it is still not set after installing the package, run:<br />
<br />
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk<br />
<br />
Next, back up your {{ic|/etc/sudoers}} file. Then install {{AUR|sudo-selinux}}, {{AUR|checkpolicy}}, {{AUR|util-linux-selinux}} and {{AUR|systemd-selinux}}.<br />
<br />
===Changing boot loader configuration===<br />
<br />
If you have installed a new kernel, make sure that you update your boot loader configuration accordingly.<br />
<br />
====GRUB====<br />
<br />
Run the following command:<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
====Syslinux====<br />
<br />
Change your syslinux.cfg file by adding:<br />
<br />
{{hc|/boot/syslinux/syslinux.cfg|<nowiki>LABEL arch-selinux<br />
LINUX ../vmlinuz-linux-selinux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux-selinux.img</nowiki>}}<br />
<br />
at the end. Change "linux-selinux" to whatever kernel you are using.<br />
<br />
===Checking PAM===<br />
<br />
A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in {{ic|/etc/pam.d/system-login}}:<br />
<br />
{{bc|# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close}}<br />
<br />
{{bc|# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open}}<br />
<br />
===Installing a policy===<br />
<br />
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]].}}<br />
<br />
Policies are the mainstay of SELinux: they govern its behaviour. The only policy currently available in the AUR is the Reference Policy. To install it, use the source files, which can be obtained from the package {{AUR|selinux-refpolicy-src}} or by downloading the latest release from https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:<br />
<br />
{{bc|# make bare<br />
# make conf<br />
# make install}}<br />
<br />
to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands above. The command takes a while to do its job and fully loads one core of your system, so do not worry; just sit back and let it run for as long as it takes.<br />
<br />
Then, create the file {{ic|/etc/selinux/config}} with the following contents (this only works if you used the defaults mentioned above; if you changed the name of the policy, you need to adjust the file):<br />
<br />
{{hc|/etc/selinux/config|<nowiki># This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.<br />
# disabled - No SELinux policy is loaded.<br />
# This is not a recommended setting, for it may cause problems with file labelling<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load<br />
SELINUXTYPE=refpolicy</nowiki>}}<br />
<br />
Now, you may reboot. After rebooting, run:<br />
<br />
# restorecon -r /<br />
<br />
to label your filesystem.<br />
<br />
Now, create a file {{ic|requiredmod.te}} with the following contents:<br />
<br />
{{hc|requiredmod.te|<nowiki>module requiredmod 1.0;<br />
<br />
require {<br />
type devpts_t;<br />
type kernel_t;<br />
type device_t;<br />
type var_run_t;<br />
type udev_t;<br />
type hugetlbfs_t;<br />
type udev_tbl_t;<br />
type tmpfs_t;<br />
class sock_file write;<br />
class unix_stream_socket { read write ioctl };<br />
class capability2 block_suspend;<br />
class dir { write add_name };<br />
class filesystem associate;<br />
}<br />
<br />
#============= devpts_t ==============<br />
allow devpts_t device_t:filesystem associate;<br />
<br />
#============= hugetlbfs_t ==============<br />
allow hugetlbfs_t device_t:filesystem associate;<br />
<br />
#============= kernel_t ==============<br />
allow kernel_t self:capability2 block_suspend;<br />
<br />
#============= tmpfs_t ==============<br />
allow tmpfs_t device_t:filesystem associate;<br />
<br />
#============= udev_t ==============<br />
allow udev_t kernel_t:unix_stream_socket { read write ioctl };<br />
allow udev_t udev_tbl_t:dir { write add_name };<br />
allow udev_t var_run_t:sock_file write;</nowiki>}}<br />
<br />
and run the following commands:<br />
<br />
{{bc|<nowiki># checkmodule -m -o requiredmod.mod requiredmod.te<br />
# semodule_package -o requiredmod.pp -m requiredmod.mod<br />
# semodule -i requiredmod.pp</nowiki>}}<br />
<br />
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:<br />
<br />
{{bc|<nowiki>SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: refpolicy<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy MLS status: disabled<br />
Policy deny_unknown status: allowed<br />
Max kernel policy version: 28</nowiki>}}<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
# systemctl enable restorecond<br />
<br />
To switch to enforcing mode without rebooting, you can use:<br />
<br />
# echo 1 > /sys/fs/selinux/enforce<br />
<br />
===Swapfiles===<br />
<br />
If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:<br />
<br />
{{bc|# semanage fcontext -a -t swapfile_t "/path/to/swapfile"<br />
# restorecon /path/to/swapfile}}<br />
<br />
==Working with SELinux==<br />
<br />
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example: the SELinux security context of the Apache homepage looks like the following:<br />
<br />
 $ ls -lZ /var/www/html/index.html<br />
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html<br />
<br />
The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:<br />
<br />
user:role:type[:level]<br />
<br />
To explain:<br />
#'''User:''' The SELinux user identity. This can be associated with one or more roles that the SELinux user is allowed to use.<br />
#'''Role:''' The SELinux role. This can be associated with one or more types the SELinux user is allowed to access.<br />
#'''Type:''' When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.<br />
#'''Level:''' This optional field is also known as a range and is only present if the policy supports MCS or MLS.<br />
<br />
This is important if you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. For most purposes there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.<br />
<br />
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.<br />
<br />
==Troubleshooting==<br />
<br />
The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label {{ic|system_u:system_r:policykit_t:s0}} (for example), you would need to run:<br />
<br />
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0<br />
<br />
===Useful tools===<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules <br />
;chcon: Change the context on a specific file<br />
<br />
===Reporting issues===<br />
<br />
Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues<br />
<br />
==See also==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]</div>IooNag