Difference between revisions of "SELinux"

From ArchWiki
(The Reference Policy: Removed section)
(Add detailed package status and create special status section)
(16 intermediate revisions by 6 users not shown)
Line 5: Line 5:
  
 
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.
 
Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.
 +
 +
==Current status in Arch Linux==
 +
 +
Current status of those elements in Arch Linux:
 +
 +
{| class="wikitable" border="1" cellpadding="5" cellspacing="0"
 +
! Name !! Status !! Available at
 +
|-
 +
| SELinux enabled kernel || Bug submitted: https://bugs.archlinux.org/task/37578 || Expected in 3.13 official Arch kernel
 +
|-
 +
| SELinux Userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/Siosm/siosm-selinux
 +
|-
 +
| SELinux Policy || Work in progress, will probably be named selinux-policy-arch || No working repository for now.
 +
|}
 +
 +
Summary of changes in AUR as compared to official core packages:
 +
 +
{| class="wikitable" border="1" cellpadding="5" cellspacing="0"
 +
! Name !! Status and comments
 +
|-
 +
| linux-selinux || Outdated (3.12.*): SELinux expected in 3.13 official Arch kernel
 +
|-
 +
| coreutils || Need a rebuild to link with libselinux
 +
|-
 +
| cronie || Need a rebuild with '--with-selinux' flag
 +
|-
 +
| findutils || Need SELinux patch, already upstream
 +
|-
 +
| openssh || Need a rebuild with '--with-selinux' flag
 +
|-
 +
| pam || Need a rebuild with '--enable-selinux' flag for Linux-PAM ; Need a patch for pam_unix2, which only removes a function already implemented in a library elsewhere
 +
|-
 +
| pambase || Configuration changes to add pam_selinux.so
 +
|-
 +
| psmisc || Need a patch, already upstream. Will be in version 22.21
 +
|-
 +
| shadow || Need a rebuild with '-lselinux' and '--with-selinux' flags
 +
|-
 +
| sudo || Need a rebuild with '--enable-selinux' flag
 +
|-
 +
| systemd || Need a rebuild with '--enable-selinux' flag
 +
|-
 +
| util-linux || Need a rebuild with '--enable-selinux' flag
 +
|-
 +
|}
 +
 +
All of the other SELinux related packages may be included without risks.
  
 
==Concepts: Mandatory Access Controls==
 
==Concepts: Mandatory Access Controls==
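Review bot: the closing sentence "All of the other SELinux related packages may be included without risks" is unqualified and does not follow from the tables; what the tables support is that the remaining packages (libselinux, libsepol, libsemanage, checkpolicy, policycoreutils, sepolgen, setools) need no rebuild of an official core package, so say that rather than "without risks". The kernel row states "Expected in 3.13 official Arch kernel" twice as if it were settled; it is a prediction tied to the bug link, and wording it as such ("requested in FS#37578") will keep the table honest if 3.13 ships without it.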
Line 55: Line 102:
  
 
===Preparing the Kernel===
 
===Preparing the Kernel===
 +
 +
{{Note|The user siosm has an unofficial repository with the package {{aur|linux-selinux}}. This is a standard kernel with selinux enabled. If you do not wish to dabble around with kernel configurations, simply add his repository and install {{aur|linux-selinux}} normally via pacman. The instructions for enabling his repository are given in [[SELinux#Via_Unofficial_Repository|this section]].}}
  
 
By default, the Arch Kernel does not have the SELinux LSM enabled. To check, you can issue the command:
 
By default, the Arch Kernel does not have the SELinux LSM enabled. To check, you can issue the command:
  
  $ zcat /proc/config.gz | grep -i selinux
+
  $ zgrep -i selinux /proc/config.gz
  
 
To which your output should be something of the sort:
 
To which your output should be something of the sort:
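Review bot: replacing the zcat | grep pipeline with zgrep -i selinux /proc/config.gz is fine, but both forms silently assume /proc/config.gz exists, which requires CONFIG_IKCONFIG_PROC in the running kernel; on a custom kernel built without it the command fails with a file-not-found error that a reader may take as "no SELinux". Add a one-line fallback to the .config in the kernel build directory. The new Note also steers readers to boot a kernel from a third-party repository without saying that this means trusting that repository's signing key for the kernel itself; that caveat belongs here or next to the key-import step in the Installation section.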
Line 64: Line 113:
 
{{bc|<nowiki># CONFIG_SECURITY_SELINUX is not set</nowiki>}}
 
{{bc|<nowiki># CONFIG_SECURITY_SELINUX is not set</nowiki>}}
  
if you have a stock kernel running. If you are in the mind to build a custom kernel, the following options should be enabled for maximum security, performance and effectiveness:
+
if you have a stock kernel running. If you are considering to build a custom kernel, the following options should be enabled for maximum security, performance and effectiveness:
  
 
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT_ARCH=y
 
{{hc|config.selinux-custom|<nowiki>CONFIG_AUDIT_ARCH=y
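Review bot: "If you are considering to build a custom kernel" should read "considering building". More important, the sentence promises options "for maximum security" while the list it introduces (visible in full in the rendered revision) sets CONFIG_SECURITY_SELINUX_BOOTPARAM=y, CONFIG_SECURITY_SELINUX_DISABLE=y and CONFIG_SECURITY_SELINUX_DEVELOP=y, which respectively allow selinux=0 on the kernel command line, disabling SELinux at runtime before a policy is loaded, and permissive mode. They are needed while bootstrapping a policy on Arch, so keep them, but describe the list as a working configuration with escape hatches left open rather than as maximum security, and say which ones to set to n on a hardened kernel.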
Line 158: Line 207:
 
:SELinux enabled kernel. It's not really needed, however, installing it comes recommended if you aren't a kernel tweaker.
 
:SELinux enabled kernel. It's not really needed, however, installing it comes recommended if you aren't a kernel tweaker.
  
;{{AUR|selinux-coreutils}}
+
;{{AUR|coreutils-selinux}}
 
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package
 
:Modified coreutils package compiled with SELinux support enabled. It replaces the {{pkg|coreutils}} package
  
Line 164: Line 213:
 
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.
 
:Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the {{pkg|flex}} package.
  
;{{AUR|selinux-pam}} and {{aur|selinux-pambase}}
+
;{{AUR|pam-selinux}} and {{aur|pambase-selinux}}
 
:PAM package with pam_selinux.so. and the underlying base package. They replace the {{pkg|pam}}  and {{pkg|pambase}} packages respectively.
 
:PAM package with pam_selinux.so. and the underlying base package. They replace the {{pkg|pam}}  and {{pkg|pambase}} packages respectively.
  
;{{AUR|selinux-systemd}}
+
;{{AUR|systemd-selinux}}
 
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.
 
:An SELinux aware version of Systemd. It replaces the {{pkg|systemd}} package.
  
;{{AUR|selinux-util-linux}}
+
;{{AUR|util-linux-selinux}}
 
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.
 
:Modified util-linux package compiled with SELinux support enabled. It replaces the {{pkg|util-linux}} package.
  
;{{AUR|selinux-findutils}}
+
;{{AUR|findutils-selinux}}
 
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.
 
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the {{pkg|findutils}} package.
  
;{{AUR|selinux-sudo}}
+
;{{AUR|sudo-selinux}}
 
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.
 
:Modified [[sudo]] package compiled with SELinux support which sets the security context correctly. It replaces the {{pkg|sudo}} package.
  
;{{AUR|selinux-psmisc}}
+
;{{AUR|psmisc-selinux}}
 
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.
 
:Psmisc package compiled with SELinux support; for example, it adds the {{ic|-Z}} option to {{ic|killall}}. It replaces the {{pkg|psmisc}} package.
  
;{{AUR|selinux-shadow}}
+
;{{AUR|shadow-selinux}}
 
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.
 
:Shadow package compiled with SELinux support; contains a modified {{ic|/etc/pam.d/login}} file to set correct security context for user after login. It replaces the {{pkg|shadow}} package.
  
;{{AUR|selinux-cronie}}
+
;{{AUR|cronie-selinux}}
 
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.
 
:Fedora fork of Vixie cron with SELinux enabled. It replaces the {{pkg|cronie}} package.
  
Line 191: Line 240:
 
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.
 
:Logrotate package compiled with SELinux support. It replaces the {{pkg|logrotate}} package.
  
;{{AUR|selinux-openssh}}
+
;{{AUR|openssh-selinux}}
 
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.
 
:OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the {{pkg|openssh}} package.
  
 
====SELinux userspace utilities====
 
====SELinux userspace utilities====
;{{AUR|selinux-usr-checkpolicy}}
+
;{{AUR|checkpolicy}}
 
:Tools to build SELinux policy
 
:Tools to build SELinux policy
  
;{{AUR|selinux-usr-libselinux}}
+
;{{AUR|libselinux}}
 
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.
 
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.
  
;{{AUR|selinux-usr-libsemanage}}
+
;{{AUR|libsemanage}}
 
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.
 
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.
  
;{{AUR|selinux-usr-libsepol}}
+
;{{AUR|libsepol}}
 
:Library for binary policy manipulation.
 
:Library for binary policy manipulation.
  
;{{AUR|selinux-usr-policycoreutils}}
+
;{{AUR|policycoreutils}}
 
:SELinux core utils such as newrole, setfiles, etc.
 
:SELinux core utils such as newrole, setfiles, etc.
  
;{{AUR|selinux-usr-sepolgen}}
+
;{{AUR|sepolgen}}
 
:A Python library for parsing and modifying policy source.
 
:A Python library for parsing and modifying policy source.
  
Line 228: Line 277:
 
====Other SELinux tools====
 
====Other SELinux tools====
  
;{{AUR|selinux-setools}}
+
;{{AUR|setools}}
 
:CLI and GUI tools to manage SELinux
 
:CLI and GUI tools to manage SELinux
  
;{{AUR|audit}}
+
;{{pkg|audit}}
 
:This is the only package mentioned here which is available in the official repos. These are the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel. SELinux (AVC) will log all denials using audit. Very useful in troubleshooting SELinux. Also {{ic|audit2allow}} uses logs from this program.
 
:This is the only package mentioned here which is available in the official repos. These are the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel. SELinux (AVC) will log all denials using audit. Very useful in troubleshooting SELinux. Also {{ic|audit2allow}} uses logs from this program.
  
===Installation===
+
=== Installation ===
 +
 
 +
After making sure that an SELinux enabled kernel has been installed, there are two methods to install the requisite SELinux packages.
 +
 
 +
==== Via Unofficial Repository ====
 +
 
 +
Arch Linux user [https://tim.siosm.fr/about/ Siosm] has created an unofficial repository for the maintenance of the SELinux packages in the AUR. In order to install from them, add his repository by adding the following lines to the end of your {{ic|/etc/pacman.conf}}:
 +
 
 +
{{bc|<nowiki>[siosm-selinux]
 +
Server = http://repo.siosm.fr/$repo/</nowiki>}}
 +
 
 +
Add his GPG key by running as root:
 +
 
 +
{{bc|# pacman-key --add siosm_gpg.pub
 +
# pacman-key --lsign-key C8D83B6AE4B8685A7290545FDB27818F78688F83}}
 +
 
 +
If you haven't already, install an SELinux enabled kernel from this repository (linux-selinux). Now install the following by either using the {{ic|su -}} command or by logging in as root:
 +
 
 +
{{ic|{{aur|pambase-selinux}} {{aur|pam-selinux}} {{aur|coreutils-selinux}} {{aur|libsemanage}} {{aur|shadow-selinux}} {{aur|libcgroup}} {{aur|policycoreutils}} {{aur|cronie-selinux}} {{aur|findutils-selinux}} {{aur|selinux-flex}} {{aur|selinux-logrotate}} {{aur|openssh-selinux}} {{aur|psmisc-selinux}} {{pkg|python2-ipy}} {{aur|setools}} {{aur|systemd-selinux}}}}
 +
 
 +
{{Warning|Do not use the {{ic|sudo}} command to install these. This is because pam, which is used for sudo authentication, is being replaced here}}
 +
 
 +
==== Via AUR ====
  
 
A lot of credit for this section must go to [http://www.jamesthebard.net/site/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ jamesthebard] for his outstanding work and documentation.
 
A lot of credit for this section must go to [http://www.jamesthebard.net/site/archlinux-selinux-and-you-a-trip-down-the-rabbit-hole/ jamesthebard] for his outstanding work and documentation.
  
The first install needs to be of {{aur|selinux-pambase}} and {{aur|selinux-pam}}. However, do not use {{ic|yaourt -S selinux-pam selinux-pambase}} or use {{ic|sudo}} after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using {{ic|makepkg}} and installed by ''root'' using a simple {{ic|pacman -U <packagename>}}.
+
The first install needs to be of {{aur|pambase-selinux}} and {{aur|pam-selinux}}. However, do not use {{ic|yaourt -S selinux-pam selinux-pambase}} or use {{ic|sudo}} after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using {{ic|makepkg}} and installed by ''root'' using a simple {{ic|pacman -U <packagename>}}.
  
Next, you need to build and install {{aur|selinux-coreutils}}, {{aur|selinux-usr-libsemanage}}, {{aur|selinux-shadow}}, {{aur|libcgroup}}, {{aur|selinux-usr-policycoreutils}}, {{aur|selinux-cronie}}, {{aur|selinux-findutils}}, {{aur|selinux-flex}}, {{aur|selinux-logrotate}}, {{aur|selinux-openssh}} and {{aur|selinux-psmisc}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.
+
Next, you need to build and install {{aur|coreutils-selinux}}, {{aur|libsemanage}}, {{aur|shadow-selinux}}, {{aur|libcgroup}}, {{aur|policycoreutils}}, {{aur|cronie-selinux}}, {{aur|findutils-selinux}}, {{aur|selinux-flex}}, {{aur|selinux-logrotate}}, {{aur|openssh-selinux}} and {{aur|psmisc-selinux}} from the AUR and {{pkg|python2-ipy}} from the ''community'' repository.
  
{{Tip|The {{aur|selinux-openssh}} package needs to be built in a gui environment else it fails in the ''pairs.sh'' test during compilation.}}
+
{{Tip|The {{aur|openssh-selinux}} package needs to be built in a gui environment else it fails in the ''pairs.sh'' test during compilation.}}
  
Next, the swig package needs to be downgraded to version 2.0.4-3, else the package {{aur|selinux-setools}} gives an error. The [http://arm.konnichi.com/ Arch Rollback machine] may be used for the same.
+
Next, the swig package needs to be [[Downgrading_Packages|downgraded]] to version 2.0.4-3, else the package {{aur|setools}} gives an error.
  
Now comes the {{aur|selinux-setools}} package. For this, do make sure that you have the {{pkg|jdk7-openjdk}} package installed, in order for the {{ic|JAVA_HOME}} variable to be set properly. If it still isn't even after installing the package, run:
+
Now comes the {{aur|setools}} package. For this, do make sure that you have the {{pkg|jdk7-openjdk}} package installed, in order for the {{ic|JAVA_HOME}} variable to be set properly. If it still isn't even after installing the package, run:
  
 
  $ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk
 
  $ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk
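Review bot: the key-import step, pacman-key --add siosm_gpg.pub followed by pacman-key --lsign-key C8D83B6AE4B8685A7290545FDB27818F78688F83, gives no source for siosm_gpg.pub and no instruction to check that the file's fingerprint matches the one being locally signed; since the repository is served over plain http and replaces the kernel, pam and systemd, the hunk should tell the reader where to download the key, to compare gpg --with-fingerprint siosm_gpg.pub against a fingerprint published out of band, and only then to run --lsign-key. Two smaller points in the same hunk: the "Via AUR" paragraph now names pambase-selinux and pam-selinux but still warns against "yaourt -S selinux-pam selinux-pambase", the old names; and the package list for the unofficial repository omits sudo-selinux, checkpolicy, util-linux-selinux and audit, which the "Via AUR" route installs in a later step.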
Line 256: Line 327:
 
'bwidget>=1.8')</nowiki>}}
 
'bwidget>=1.8')</nowiki>}}
  
Next, backup your {{ic|/etc/sudoers}} file. Install {{aur|selinux-sudo}}, {{aur|selinux-usr-checkpolicy}}, {{aur|selinux-util-linux}} and {{pkg|audit}}.
+
Next, backup your {{ic|/etc/sudoers}} file. Install {{aur|sudo-selinux}}, {{aur|checkpolicy}}, {{aur|util-linux-selinux}} and {{pkg|audit}}.
  
Install {{aur|selinux-systemd}}. Make sure that you change the PKGBUILD so that the {{ic|build()}} section looks this way:
+
Install {{aur|systemd-selinux}}. Make sure that you change the PKGBUILD so that the {{ic|build()}} section looks this way:
  
 
{{bc|<nowiki>build() {
 
{{bc|<nowiki>build() {
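Review bot: "backup your /etc/sudoers file" gives neither the reason nor the follow-up. Since sudo-selinux replaces the sudo package, say that the file may be replaced, that the backup should be compared with the installed one and validated with visudo -c before sudo is relied on again, and that because util-linux-selinux and the systemd package are swapped in the same step a root shell should stay open until a fresh login and sudo have been verified.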
Line 281: Line 352:
  
 
before installing.
 
before installing.
 +
 +
{{Warning|1=Another way to install ''systemd'' is by getting the official PKGBUILD file and making the changes as shown above. However, as of the current version of ''systemd'' (204-2) in the official repos, running the ''audit'' daemon (auditd.service) causes the creation of an ordering cycle on basic.target causing certain sockets and services to fail. The current version of ''selinux-systemd'' in the AUR is 203-1 which has no problems of this sort. [https://bbs.archlinux.org/viewtopic.php?id=164041 This] forum post may be referred to for more details and solutions (when they become available).}}
  
 
===Changing boot loader configuration===
 
===Changing boot loader configuration===
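Review bot: the new warning refers to "selinux-systemd" at version 203-1 while the rest of this diff renames the package to systemd-selinux; use the new name so readers find it in the AUR. The ordering-cycle claim is pinned to systemd 204-2 and the linked forum thread, which is right, but give the reader a way to tell whether it still applies, for instance looking for "ordering cycle" in the journal after enabling auditd.service, rather than only a forum link.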
Line 315: Line 388:
 
===Installing a policy===
 
===Installing a policy===
  
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]]}}
+
{{Warning|The reference policy as given by [http://oss.tresys.com/projects/refpolicy Tresys] is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the [[AUR]].}}
  
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{aur|selinux-refpolicy-src}}. Change the {{ic|pkgver}} to 20130423 and the sha256sums to {{ic|6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4}} and build the file. Now, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:
+
Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package {{aur|selinux-refpolicy-src}}. Change the {{ic|pkgver}} to {{ic|20130424}} and the {{ic|sha256sums}} to {{ic|6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4}} and build the file. Now, navigate to {{ic|/etc/selinux/refpolicy/src/policy}} and run the following commands:
  
 
{{bc|# make bare
 
{{bc|# make bare
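Review bot: pkgver is changed from 20130423 to 20130424 but the sha256sums value 6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4 is kept identical, so one of the two edits is wrong unless the source URL does not embed the version. Telling readers to hand-edit a checksum is exactly the step where a mismatch should be investigated (re-download, regenerate with makepkg -g, compare) rather than pasted over; please verify which pkgver the checksum belongs to and say so.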
Line 396: Line 469:
  
 
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.
 
This is required to remove a few messages from {{ic|/var/log/audit/audit.log}} which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.
 
==Troubleshooting==
 
 
Because of the way the installation is done, SELinux will output its messages to {{ic|/var/log/audit/audit.log}}. Another place to look for SELinux errors is the systemd journal. In general, your {{ic|audit.log}} messages will be many and varied, but you really want to look out for AVC messages, for they are the ones warning you of an SELinux policy transgression by a file or user. They look something like:
 
 
{{bc|<nowiki>type=AVC msg=audit(1369578264.750:12): avc:  denied  { execmem } for  pid=473 comm="polkitd" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process</nowiki>}}
 
 
It is a good idea to learn how to use the {{ic|audit2why}} and {{ic|audit2allow}} commands. The first command will tell you what the cryptic messages in your {{ic|audit.log}} actually mean while the second will translate them into installable policies. In order to transform all your {{ic|audit.log}} error messages to a single policy called "examplemod", use the following commands:
 
 
{{bc|<nowiki># audit2allow -i /var/log/audit/audit.log -m examplemod > examplemod.te
 
# checkmodule -m -o examplemod.mod examplemod.te
 
# semodule_package -o examplemod.pp -m examplemod.mod
 
# semodule -i examplemod.pp</nowiki>}}
 
 
There will be times when the {{ic|audit2why}} command will simply tell you what to do along with the command needed to do so. In that case, simply copy-paste what you need to.
 
  
 
==Post-installation steps==
 
==Post-installation steps==
{{Warning| If you did not install ''selinux-systemd'', then you will see SELinux in disabled mode, and {{ic|/sys/fs/selinux}} will not be mounted.}}
 
  
 
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:
 
You can check that SELinux is working with {{ic|sestatus}}. You should get something like:
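Review bot: this hunk drops the warning "If you did not install selinux-systemd, then you will see SELinux in disabled mode, and /sys/fs/selinux will not be mounted", and the Troubleshooting text moved further down does not pick it up. That is the most likely first failure a reader meets after following the page (sestatus reports disabled on a kernel that has SELinux), so keep it under Post-installation steps with the new package name systemd-selinux.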
Line 433: Line 490:
 
To switch to enforcing mode without rebooting, you can use:
 
To switch to enforcing mode without rebooting, you can use:
  
  # echo 1 > /selinux/enforce
+
  # echo 1 > /sys/fs/selinux/enforce
  
 
===Swapfiles===
 
===Swapfiles===
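Review bot: /sys/fs/selinux/enforce is the correct path, and setenforce 1 from policycoreutils (installed above) is the equivalent tool, but the hunk should warn that with the reference policy labelling "almost no file correctly", as the Installing a policy section says, switching to enforcing before a full relabel can deny logins and service starts. Advise testing in permissive mode first, keeping a root shell open, and reverting with echo 0 > /sys/fs/selinux/enforce (or setenforce 0) if anything breaks.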
Line 442: Line 499:
 
# restorecon /path/to/swapfile}}
 
# restorecon /path/to/swapfile}}
  
==SELinux Policies==
+
==Working with SELinux==
 
+
===SELinux Security Context===
+
  
 
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:
 
SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:
Line 463: Line 518:
 
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.
 
This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.
  
==Useful tools==
+
[http://www.fosteringlinux.com/tag/selinux/ This] is a great series of articles for someone seeking to understand how to work with SELinux.
 +
 
 +
==Troubleshooting==
 +
 
 +
Because of the way the installation is done, SELinux will output its messages to {{ic|/var/log/audit/audit.log}}. Another place to look for SELinux errors is the systemd journal. In general, your {{ic|audit.log}} messages will be many and varied, but you really want to look out for AVC messages, for they are the ones warning you of an SELinux policy transgression by a file or user. They look something like:
 +
 
 +
{{bc|<nowiki>type=AVC msg=audit(1369578264.750:12): avc:  denied  { execmem } for  pid=473 comm="polkitd" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process</nowiki>}}
 +
 
 +
It is a good idea to learn how to use the {{ic|audit2why}} and {{ic|audit2allow}} commands. The first command will tell you what the cryptic messages in your {{ic|audit.log}} actually mean while the second will translate them into installable policies. In order to transform all your {{ic|audit.log}} error messages to a single policy called "examplemod", use the following commands:
 +
 
 +
{{bc|<nowiki># audit2allow -i /var/log/audit/audit.log -m examplemod > examplemod.te
 +
# checkmodule -m -o examplemod.mod examplemod.te
 +
# semodule_package -o examplemod.pp -m examplemod.mod
 +
# semodule -i examplemod.pp</nowiki>}}
 +
 
 +
There will be times when the {{ic|audit2why}} command will simply tell you what to do along with the command needed to do so. In that case, simply copy-paste what you need to.
 +
 
 +
===Useful tools===
  
 
There are some tools/commands that can greatly help with SELinux.  
 
There are some tools/commands that can greatly help with SELinux.  
  
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules  
+
;restorecon: Restores the context of a file/directory (or recursively with {{ic|-R}}) based on any policy rules
;rlpkg: Relabels any files belonging to that Gentoo package to their proper security context (if they have one)
+
 
;chcon: Change the context on a specific file  
 
;chcon: Change the context on a specific file  
 
;audit2allow: Reads in log messages from the AVC log file and tells you what rules would fix the error. Do not just add these rules without looking at them though, they cannot detect errors in other places (e.g. the application is running in the wrong context in the first place), or sometimes things will generate error messages but may maintain functionality so it would be better to add dontaudit to just ignore the access attempts.
 
;audit2allow: Reads in log messages from the AVC log file and tells you what rules would fix the error. Do not just add these rules without looking at them though, they cannot detect errors in other places (e.g. the application is running in the wrong context in the first place), or sometimes things will generate error messages but may maintain functionality so it would be better to add dontaudit to just ignore the access attempts.
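Review bot: the moved Troubleshooting text tells the reader to turn every denial in /var/log/audit/audit.log into one module with audit2allow -i ... -m examplemod and install it with semodule -i, which contradicts the audit2allow entry in Useful tools a few lines below ("Do not just add these rules without looking at them"). The sample AVC line makes the point: polkitd is running as system_u:system_r:kernel_t, which is a labelling problem, and audit2allow would answer it with allow kernel_t self:process execmem; instead of fixing the domain. Insert a step to read examplemod.te and run audit2why before checkmodule and semodule, and to try restorecon on the offending binary first.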

Revision as of 03:45, 18 January 2014

Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.

Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.

Current status in Arch Linux

Current status of those elements in Arch Linux:

{| class="wikitable"
! Name !! Status !! Available at
|-
| SELinux enabled kernel || Bug submitted: https://bugs.archlinux.org/task/37578 || Expected in 3.13 official Arch kernel
|-
| SELinux Userspace tools and libraries || Work in progress: https://aur.archlinux.org/packages/?O=0&K=selinux || Work is done at https://github.com/Siosm/siosm-selinux
|-
| SELinux Policy || Work in progress, will probably be named selinux-policy-arch || No working repository for now.
|}

Summary of changes in AUR as compared to official core packages:

{| class="wikitable"
! Name !! Status and comments
|-
| linux-selinux || Outdated (3.12.*): SELinux expected in 3.13 official Arch kernel
|-
| coreutils || Need a rebuild to link with libselinux
|-
| cronie || Need a rebuild with '--with-selinux' flag
|-
| findutils || Need SELinux patch, already upstream
|-
| openssh || Need a rebuild with '--with-selinux' flag
|-
| pam || Need a rebuild with '--enable-selinux' flag for Linux-PAM; need a patch for pam_unix2, which only removes a function already implemented in a library elsewhere
|-
| pambase || Configuration changes to add pam_selinux.so
|-
| psmisc || Need a patch, already upstream. Will be in version 22.21
|-
| shadow || Need a rebuild with '-lselinux' and '--with-selinux' flags
|-
| sudo || Need a rebuild with '--enable-selinux' flag
|-
| systemd || Need a rebuild with '--enable-selinux' flag
|-
| util-linux || Need a rebuild with '--enable-selinux' flag
|}

The remaining SELinux-related packages (the libraries and userspace tools such as libselinux, libsepol, libsemanage, checkpolicy, policycoreutils and setools) do not require changes to any official core package and can be added as they are.

Concepts: Mandatory Access Controls

Note: This section is meant for beginners. If you know what SELinux does and how it works, feel free to skip ahead to the installation.

Before you enable SELinux, it is worth understanding what it does. Simply and succinctly, SELinux enforces Mandatory Access Control (MAC) on Linux. In contrast, the traditional user/group/rwx permissions are a form of Discretionary Access Control (DAC). MAC differs from DAC in that the policy is written centrally by a security administrator and enforced by the kernel on every access; the owner of a file or process cannot loosen it, whereas under DAC the owner of an object decides who may access it.

An example would be the use of the sudo command. Under DAC alone, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted system-wide access. Under MAC, if the security administrator deems the process to have access only to a certain set of files, then no matter which privilege escalation is used, the process remains constrained to that set of files until the security policy itself is changed. So if sudo is used on a machine with SELinux running in order for a process to gain access to files its policy does not allow, the access is still denied.

Another example is the traditional (-rwxr-xr-x) permissions on files. Under DAC, the owner can change them at will. Under MAC, a security administrator can deny the permission to change a file's attributes to every domain except a chosen one, by which it becomes impossible for any user, root included, to change those permissions until the policy regarding that file is changed.

As you may imagine, this is particularly useful for processes which are likely targets of compromise, e.g. web servers and the like. Under DAC alone, a compromised program that can reach a privilege escalation path can wreak havoc on the whole system; under MAC it stays confined to what its domain is allowed to do.

For further information, do visit the MAC Wikipedia page.

Prerequisites

Filesystems

This information was originally sourced from the Debian Wiki.

ext2, ext3, ext4, JFS, XFS and Btrfs are the filesystems with full SELinux support. Some of them have a few quirks which you should be aware of before migration, though:

  • BtrFS: Currently an autorelabel operation won't cover subvolumes on btrfs. You need to manually relabel the subvolume. Once it's labelled everything will work correctly.
Note: The XFS section may not be needed anymore
  • XFS: XFS users should use 512 byte inodes (the default is 256). SELinux stores security labels as extended attributes. XFS keeps extended attributes inside the inode when they fit; if the inode is too small, an extra block has to be allocated for them, which wastes space and costs an additional I/O for every labelled file.
# mkfs.xfs -i size=512 /dev/sda1  (for example)
  • SquashFS: SquashFS supports xattr (which is required for SELinux file labeling) since kernel version 2.6.30.
  • ReiserFS: ReiserFS has partial support for SELinux as it supports extended attributes but not atomic labelling meaning that newly created files will not have a SELinux context. This makes using SELinux under ReiserFS quite painful. ReiserFS is therefore not supported by utilities like fixfiles, so you should first migrate to one of the above listed filesystems if you intend to use SELinux.

Also make sure that extended attributes (xattrs) are enabled for your filesystems, and in particular the security namespace in which SELinux stores its labels. To check the running kernel, issue:

$ zcat /proc/config.gz | grep -i <filesystem name>

where <filesystem name> is reiser, xfs, etc. Somewhere among the output should be lines like:

CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_SECURITY=y

The second option (CONFIG_<FS>_FS_SECURITY; for JFS it is named CONFIG_JFS_SECURITY) is what actually enables security labels; xattr support alone is not sufficient. XFS and Btrfs have no separate option and always support them. If you just want to see which filesystems have extended attributes enabled, issue:

$ zcat /proc/config.gz | grep -i xattr

If the output says that your filesystems do not have xattrs (or the security labels option) enabled, you need to recompile the kernel to enable them. If you wish to use ReiserFS despite the warnings given, also make sure that its security labels option (CONFIG_REISERFS_FS_SECURITY) is enabled, as it is a separate option.

Preparing the Kernel

Note: The user siosm has an unofficial repository with the package linux-selinuxAUR. This is a standard kernel with selinux enabled. If you do not wish to dabble around with kernel configurations, simply add his repository and install linux-selinuxAUR normally via pacman. The instructions for enabling his repository are given in this section.

By default, the Arch Kernel does not have the SELinux LSM enabled. To check, you can issue the command:

$ zgrep -i selinux /proc/config.gz

To which your output should be something of the sort:

# CONFIG_SECURITY_SELINUX is not set

if you have a stock kernel running. If you are considering building a custom kernel, the following options should be enabled for maximum security, performance and effectiveness:

config.selinux-custom
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_AUDIT_LOGINUID_IMMUTABLE=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=n
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT2_FS_XIP=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_DEBUG=y
CONFIG_EXT3_FS=m
CONFIG_EXT3_DEFAULTS_TO_ORDERED=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_REISERFS_FS=y
CONFIG_REISERFS_CHECK=y
CONFIG_REISERFS_PROC_INFO=y
CONFIG_REISERFS_FS_XATTR=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_XFS_FS=y
CONFIG_XFS_QUOTA=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_XFS_RT=y
CONFIG_XFS_DEBUG=y
CONFIG_JFS_FS=m
CONFIG_JFS_POSIX_ACL=y
CONFIG_JFS_SECURITY=y
CONFIG_JFS_DEBUG=y
CONFIG_JFS_STATISTICS=y
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y

Save the file in the directory you're building the kernel and then modify the PKGBUILD such that it goes from this:

if [ "${CARCH}" = "x86_64" ]; then
    cat "${srcdir}/config.x86_64" > ./.config
  else
    cat "${srcdir}/config" > ./.config
  fi

to this:

if [ "${CARCH}" = "x86_64" ]; then
    cat "${srcdir}/config.x86_64" > ./.config
  else
    cat "${srcdir}/config" > ./.config
  fi
  cat /absolute/path/to/config.selinux-custom >> ./.config

If you know what you're doing, then you can remove anything relating to filesystems you do not plan to use.
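To confirm that a built or running kernel actually carries the options listed above, here is an added example (not from the wiki or the linux-selinux package) that compares a fragment such as config.selinux-custom with /proc/config.gz or a build tree's .config. Since Kconfig never writes CONFIG_X=n, a fragment line ending in =n counts as satisfied when the option is absent or reported as "is not set"; the sample fragment and config are constructed.

```python
"""Added example (not the wiki's code): verify that every option listed in a
config fragment such as config.selinux-custom is really set in a kernel
configuration, e.g. /proc/config.gz of the running kernel or the .config of
a build tree, and report each option that is missing or has another value."""
import gzip
import re

_OPT = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map option name -> value. Kconfig never writes 'CONFIG_X=n'; a disabled
    option appears as '# CONFIG_X is not set', which is mapped to 'n' here."""
    opts = {}
    for line in text.splitlines():
        m = _OPT.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def read_kconfig(path):
    """Read a plain or gzip-compressed config file (/proc/config.gz is gzip)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    return data.decode()


def check_kconfig(fragment_text, kconfig_text):
    """Return (option, wanted, actual) for each fragment option whose value
    differs in the kernel config; actual is None when the option is absent.
    A fragment line 'CONFIG_X=n' (as the wiki writes POLICYDB_VERSION_MAX)
    also passes when the option is simply absent from the kernel config."""
    have = parse_kconfig(kconfig_text)
    problems = []
    for name, want in parse_kconfig(fragment_text).items():
        actual = have.get(name, "n" if want == "n" else None)
        if actual != want:
            problems.append((name, want, actual))
    return problems


# Constructed sample: a stock-looking config with SELinux disabled, ext3 built
# in instead of as a module, and the fragment's '=n' option absent (acceptable).
SAMPLE_FRAGMENT = """\
CONFIG_AUDIT=y
CONFIG_SECURITY_SELINUX=y
CONFIG_EXT3_FS=m
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=n
"""
SAMPLE_KCONFIG = """\
CONFIG_AUDIT=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_EXT3_FS=y
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. config.selinux-custom /proc/config.gz
        frag, cfg = read_kconfig(sys.argv[1]), read_kconfig(sys.argv[2])
    else:
        frag, cfg = SAMPLE_FRAGMENT, SAMPLE_KCONFIG
    for name, want, actual in check_kconfig(frag, cfg):
        print(f"{name}: wanted {want}, found {actual or 'nothing'}")
```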

Warning: If you've built a custom kernel which is not linux-selinuxAUR (e.g. linux-iceAUR or linux-pfAUR), then the various packages which have to be compiled may fail to do so because of the linux-selinux dependency. Make sure to remove that dependency while compiling those packages. However, be careful that the options mentioned above are enabled in your kernel configuration.

For those of you who do not wish to be bothered by kernel configuration or anything else regarding PKGBUILDs, simply install the package linux-selinuxAUR from the AUR.

Note: If using proprietary drivers, such as NVIDIA graphics drivers, you may need to rebuild them for custom kernels.

Installing SELinux

Package description

All SELinux related packages belong to the selinux group. The group selinux-system-utilities is a group of modified packages from the [core] repository. The group selinux-userspace contains packages from the SELinux Userspace project. Security policies belong to the selinux-policies group. Other packages are in the selinux-extras group. All the packages mentioned below are present in the AUR.

SELinux aware system utilities

linux-selinuxAUR
SELinux enabled kernel. It is not strictly required, but installing it is recommended if you do not want to configure and build a kernel yourself.
coreutils-selinuxAUR
Modified coreutils package compiled with SELinux support enabled. It replaces the coreutils package.
selinux-flexAUR
Flex version needed only to build checkpolicy. The normal flex package causes a failure in the checkmodule command. It replaces the flex package.
pam-selinuxAUR and pambase-selinuxAUR
PAM package with pam_selinux.so, and the underlying base package. They replace the pam and pambase packages respectively.
systemd-selinuxAUR
An SELinux aware version of Systemd. It replaces the systemd package.
util-linux-selinuxAUR
Modified util-linux package compiled with SELinux support enabled. It replaces the util-linux package.
findutils-selinuxAUR
Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the findutils package.
sudo-selinuxAUR
Modified sudo package compiled with SELinux support which sets the security context correctly. It replaces the sudo package.
psmisc-selinuxAUR
Psmisc package compiled with SELinux support; for example, it adds the -Z option to killall. It replaces the psmisc package.
shadow-selinuxAUR
Shadow package compiled with SELinux support; contains a modified /etc/pam.d/login file to set correct security context for user after login. It replaces the shadow package.
cronie-selinuxAUR
Fedora fork of Vixie cron with SELinux enabled. It replaces the cronie package.
selinux-logrotateAUR
Logrotate package compiled with SELinux support. It replaces the logrotate package.
openssh-selinuxAUR
OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the openssh package.

SELinux userspace utilities

checkpolicyAUR
Tools to build SELinux policy.
libselinuxAUR
Library for security-aware applications. Python bindings needed for semanage and setools now included.
libsemanageAUR
Library for policy management. Python bindings needed for semanage and setools now included.
libsepolAUR
Library for binary policy manipulation.
policycoreutilsAUR
SELinux core utils such as newrole, setfiles, etc.
sepolgenAUR
A Python library for parsing and modifying policy source.

SELinux policy packages

selinux-refpolicyAUR
Precompiled modular, otherwise vanilla, Reference Policy with headers and documentation but without sources.
selinux-refpolicy-srcAUR
Reference Policy sources.
selinux-refpolicy-archAUR
Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patch included, but for now [February 2011] it only fixes some issues with /etc/rc.d/* labeling.
Note: The selinux-refpolicy-arch package was last updated in 2011, hence it seems doubtful that it is useful any longer.

Other SELinux tools

setoolsAUR
CLI and GUI tools to manage SELinux.
audit
This is the only package mentioned here which is available in the official repos. These are the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel. SELinux (AVC) will log all denials using audit. Very useful in troubleshooting SELinux. Also audit2allow uses logs from this program.

Installation

After making sure that an SELinux enabled kernel has been installed, there are two methods to install the requisite SELinux packages.

Via Unofficial Repository

Arch Linux user Siosm has created an unofficial repository for the maintenance of the SELinux packages in the AUR. In order to install from them, add his repository by adding the following lines to the end of your /etc/pacman.conf:

[siosm-selinux]
Server = http://repo.siosm.fr/$repo/

Add his GPG key by running as root:

# pacman-key --add siosm_gpg.pub
# pacman-key --lsign-key C8D83B6AE4B8685A7290545FDB27818F78688F83

If you haven't already, install an SELinux enabled kernel from this repository (linux-selinux). Now install the following by either using the su - command or by logging in as root:

pambase-selinuxAUR pam-selinuxAUR coreutils-selinuxAUR libsemanageAUR shadow-selinuxAUR libcgroupAUR policycoreutilsAUR cronie-selinuxAUR findutils-selinuxAUR selinux-flexAUR selinux-logrotateAUR openssh-selinuxAUR psmisc-selinuxAUR python2-ipy setoolsAUR systemd-selinuxAUR

Warning: Do not use the sudo command to install these. This is because pam, which is used for sudo authentication, is being replaced here.

Via AUR

A lot of credit for this section must go to jamesthebard for his outstanding work and documentation.

The first install needs to be of pambase-selinuxAUR and pam-selinuxAUR. However, do not use yaourt -S selinux-pam selinux-pambase or use sudo after building to install the package. This is because pam is what handles authentication. Hence, it is best if the packages are built as an ordinary user using makepkg and installed by root using a simple pacman -U <packagename>.

Next, you need to build and install coreutils-selinuxAUR, libsemanageAUR, shadow-selinuxAUR, libcgroupAUR, policycoreutilsAUR, cronie-selinuxAUR, findutils-selinuxAUR, selinux-flexAUR, selinux-logrotateAUR, openssh-selinuxAUR and psmisc-selinuxAUR from the AUR and python2-ipy from the community repository.

Tip: The openssh-selinuxAUR package needs to be built in a GUI environment, otherwise it fails in the pairs.sh test during compilation.

Next, the swig package needs to be downgraded to version 2.0.4-3, else the package setoolsAUR gives an error.

Now comes the setoolsAUR package. For this, do make sure that you have the jdk7-openjdk package installed, in order for the JAVA_HOME variable to be set properly. If it still isn't even after installing the package, run:

$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk

Also, you need to edit the PKGBUILD in order for it to compile properly. Change the PKGBUILD around line 14 so that it looks as follows:

optdepends=('glib2'
            'gtk2>=2.8'
            'bwidget>=1.8')

Next, backup your /etc/sudoers file. Install sudo-selinuxAUR, checkpolicyAUR, util-linux-selinuxAUR and audit.

Install systemd-selinuxAUR. Make sure that you change the PKGBUILD so that the build() section looks this way:

build() {
  cd "$_origname-$pkgver"

  ./configure \
      --enable-static \
      --libexecdir=/usr/lib \
      --localstatedir=/var \
      --sysconfdir=/etc \
      --enable-introspection \
      --enable-gtk-doc \
      --enable-selinux \
      --enable-audit \
      --disable-ima \
      --with-sysvinit-path= \
      --with-sysvrcnd-path= \
      --with-firmware-path="/usr/lib/firmware/updates:/usr/lib/firmware"

  make
}

before installing.

Warning: Another way to install systemd is by getting the official PKGBUILD file and making the changes as shown above. However, as of the current version of systemd (204-2) in the official repos, running the audit daemon (auditd.service) causes the creation of an ordering cycle on basic.target causing certain sockets and services to fail. The current version of selinux-systemd in the AUR is 203-1 which has no problems of this sort. This forum post may be referred to for more details and solutions (when they become available).

Changing boot loader configuration

If you've installed a new kernel, make sure that you update your bootloader accordingly.

GRUB

Run the following command:

# grub-mkconfig -o /boot/grub/grub.cfg

Syslinux

Change your syslinux.cfg file by adding:

/boot/syslinux/syslinux.cfg
LABEL arch-selinux
         LINUX ../vmlinuz-linux-selinux
         APPEND root=/dev/sda2 ro
         INITRD ../initramfs-linux-selinux.img

at the end. Change "linux-selinux" to whatever kernel you are using.

Checking PAM

A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in /etc/pam.d/system-login:

# pam_selinux.so close should be the first session rule
session         required        pam_selinux.so close
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session         required        pam_selinux.so open

Installing a policy

Warning: The reference policy as given by Tresys is not very good for Arch Linux, as almost no file is labelled correctly. However, as of writing, Archers have no other choice. If anyone has made any significant strides in addressing this problem, they are encouraged to share it, preferably on the AUR.

Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which can be obtained from the package selinux-refpolicy-srcAUR. Change the pkgver to 20130424 and the sha256sums to 6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4 and build the package. Now, navigate to /etc/selinux/refpolicy/src/policy and run the following commands:

# make bare
# make conf
# make install

to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The build takes a while and fully loads one core of your system; this is expected, so just sit back and let it run for as long as it takes.

Then, make the file /etc/selinux/config with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):

/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#                   Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment
#       permissive - SELinux prints warnings instead of enforcing.
#                    Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.
#       disabled - No SELinux policy is loaded.
#                  This is not a recommended setting, for it may cause problems with file labelling
SELINUX=permissive
# SELINUXTYPE= takes the name of SELinux policy to
# be used. Current options are:
#       refpolicy (vanilla reference policy)
#       <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load
SELINUXTYPE=refpolicy

Now enable the audit daemon by running:

# systemctl enable auditd.service

If you do not do this, then you may get a kernel panic on rebooting. Now, you may reboot. After rebooting, run:

# restorecon -r /

to label your filesystem.

Now, make a file requiredmod.te with the contents:

requiredmod.te
module requiredmod 1.0;

require {
        type devpts_t;
        type kernel_t;
        type device_t;
        type var_run_t;
        type udev_t;
        type hugetlbfs_t;
        type udev_tbl_t;
        type tmpfs_t;
        class sock_file write;
        class unix_stream_socket { read write ioctl };
        class capability2 block_suspend;
        class dir { write add_name };
        class filesystem associate;
}

#============= devpts_t ==============
allow devpts_t device_t:filesystem associate;

#============= hugetlbfs_t ==============
allow hugetlbfs_t device_t:filesystem associate;

#============= kernel_t ==============
allow kernel_t self:capability2 block_suspend;

#============= tmpfs_t ==============
allow tmpfs_t device_t:filesystem associate;

#============= udev_t ==============
allow udev_t kernel_t:unix_stream_socket { read write ioctl };
allow udev_t udev_tbl_t:dir { write add_name };
allow udev_t var_run_t:sock_file write;

and run the following commands:

# checkmodule -m -o requiredmod.mod requiredmod.te
# semodule_package -o requiredmod.pp -m requiredmod.mod
# semodule -i requiredmod.pp

This is required to remove a few messages from /var/log/audit/audit.log which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.

Post-installation steps

You can check that SELinux is working with sestatus. You should get something like:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

To maintain correct context, you can use restorecond:

# systemctl enable restorecond

To switch to enforcing mode without rebooting, you can use:

# echo 1 > /sys/fs/selinux/enforce

Swapfiles

If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:

# semanage fcontext -a -t swapfile_t "/path/to/swapfile"
# restorecon /path/to/swapfile

Working with SELinux

SELinux enforces access control through a mechanism different from traditional Unix permissions, and the easiest way to understand it is by example. The SELinux security context of the Apache home page looks like the following:

$ ls -lZ /var/www/html/index.html
-rw-r--r--  username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html

The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:

user:role:type[:level]

To explain:

  1. User: The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.
  2. Role: The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.
  3. Type: When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.
  4. Level: This optional field is also known as a range and is only present if the policy supports MCS or MLS.

Understanding these fields matters if you wish to build your own policies, for they are the basic building blocks of SELinux. For most purposes there is no need to, since the reference policy is sufficiently mature. If you are a power user or someone with very specific needs, however, it may be worth learning how to write your own SELinux policies.

This is a great series of articles for someone seeking to understand how to work with SELinux.

Troubleshooting

Because of the way the installation is done, SELinux will output its messages to /var/log/audit/audit.log. Another place to look for SELinux errors is the systemd journal. In general, your audit.log messages will be many and varied, but you really want to look out for AVC messages, for they are the ones warning you of an SELinux policy transgression by a file or user. They look something like:

type=AVC msg=audit(1369578264.750:12): avc:  denied  { execmem } for  pid=473 comm="polkitd" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process

It is a good idea to learn how to use the audit2why and audit2allow commands. The first command will tell you what the cryptic messages in your audit.log actually mean while the second will translate them into installable policies. In order to transform all your audit.log error messages to a single policy called "examplemod", use the following commands:

# audit2allow -i /var/log/audit/audit.log -m examplemod > examplemod.te
# checkmodule -m -o examplemod.mod examplemod.te
# semodule_package -o examplemod.pp -m examplemod.mod
# semodule -i examplemod.pp

There will be times when the audit2why command will simply tell you what to do along with the command needed to do so. In that case, simply copy-paste what you need to.
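As an added example (not part of the wiki, nor of audit2allow or audit2why), the following parses AVC records of the form shown above, splits each security context into the user:role:type[:level] fields described under "Working with SELinux", and groups denials by source type, target type and class, which is the shape of the rules audit2allow generates and the view you want before deciding whether a denial calls for an allow rule, a relabel, or a dontaudit. Apart from the wiki's own record, the sample log lines are constructed.

```python
"""Added example (not the wiki's code): parse AVC records from
/var/log/audit/audit.log, split each security context into
user:role:type[:level], and group denials by source type, target type and
class, which is the shape of the rules audit2allow would generate."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]. An MLS level may itself contain colons
    (e.g. s0-s0:c0.c1023), so only the first three separators count."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = set(m.group("perms").split())
    rec["scontext"] = parse_context(rec["scontext"])
    rec["tcontext"] = parse_context(rec["tcontext"])
    return rec


def summarise(lines):
    """Group denials by (source type, target type, tclass), collecting the
    union of denied permissions, the commands involved and a hit count."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec.get("comm", "?"))
        g["count"] += 1
    return dict(groups)


def allow_rules(summary):
    """Render grouped denials as allow rules (a simplified form of audit2allow -m).
    Review each one: a denial can mean a mislabelled file, not a missing rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(summary.items())]


# Constructed sample log: the record shown in the wiki plus three made-up
# lines in the same format (one non-AVC record, two udev denials).
SAMPLE_LOG = """\
type=AVC msg=audit(1369578264.750:12): avc:  denied  { execmem } for  pid=473 comm="polkitd" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process
type=SYSCALL msg=audit(1369578264.750:12): arch=c000003e syscall=10 success=yes exit=0
type=AVC msg=audit(1369578265.101:13): avc:  denied  { read write } for  pid=301 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:kernel_t tclass=unix_stream_socket
type=AVC msg=audit(1369578265.102:14): avc:  denied  { ioctl } for  pid=301 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:kernel_t tclass=unix_stream_socket
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for (s, t, c), g in sorted(summary.items()):
        print(f"{g['count']:3d} x {s} -> {t}:{c}  comm={','.join(sorted(g['comms']))}")
    print("\n".join(allow_rules(summary)))
```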

Useful tools

There are some tools/commands that can greatly help with SELinux.

restorecon
Restores the context of a file/directory (or recursively with -R) based on any policy rules
chcon
Change the context on a specific file
audit2allow
Reads log messages from the AVC log file and tells you what rules would fix the error. Do not add these rules blindly, though: audit2allow cannot detect problems elsewhere (e.g. the application running in the wrong context in the first place), and sometimes an access generates denials while the application keeps working, in which case a dontaudit rule that simply ignores the access attempts is the better fix.

References

See also

  • AppArmor (Similar to SELinux, much easier to configure, less features.)