SELinux

From ArchWiki
Revision as of 20:46, 29 October 2010 by Harvie (talk | contribs) (See Also)

Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD. Its architecture strives to streamline the volume of software charged with security policy enforcement, which is closely aligned with the Trusted Computer System Evaluation Criteria (TCSEC, referred to as Orange Book) requirement for trusted computing base (TCB) minimization (applicable to evaluation classes B3 and A1) but is quite unrelated to the least privilege requirement (B2, B3, A1) as is often claimed. The germinal concepts underlying SELinux can be traced to several earlier projects by the U.S. National Security Agency (NSA). [1]

Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, the SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some common Linux programs also need to be patched or compiled with SELinux features.

Prerequisites

SELinux is supported only on the ext2, ext3, ext4, JFS and XFS filesystems.

Note: This is probably not needed anymore:

XFS users should use 512 byte inodes (the default is 256). SELinux uses extended attributes for storing security labels in files. XFS stores these in the inode, and if the inode is too small, an extra block has to be used, which wastes a lot of space and incurs performance penalties.

 # mkfs.xfs -i size=512 /dev/sda1  (for example)

Installing needed packages

You should install at least kernel26-selinux, selinux-pam, selinux-usr-policycoreutils and selinux-refpolicy-src from the AUR. Installing all SELinux-related packages is recommended.

When installing from AUR, you can use an AUR helper or download tarballs from AUR manually and build with makepkg. Especially when installing for the first time, take extreme caution when replacing the pam and coreutils packages, as they are vital to your system. Having the Arch Linux liveCD or liveUSB ready to use is strongly encouraged.

Warning: Do not remove pam via sudo: PAM is what takes care of authentication, and you would have just removed it. Instead, first su to root and then run pacman -Rd pam followed by pacman -U selinux-pam. Running pacman -Rd coreutils followed by pacman -U selinux-coreutils may also cause trouble, so the best way may be to install the SELinux packages into your system from a liveCD chroot.
Warning: Do not install the selinux-sysvinit package until everything is set up, as you may end up with an unbootable system. Alternatively, do not reboot until you have everything set up.

Package description

All SELinux-related packages belong to the selinux group. The selinux-system-utilities group is used for modified packages from the [core] repository. The selinux-userspace group contains packages from the SELinux Userspace project. Security policies belong to the selinux-policies group. Other packages are in the selinux-extras group.

SELinux aware system utils

Template:Package AUR
SELinux enabled kernel (replaces selinux-kernel26). Compiling custom modules like virtualbox works.
Template:Package AUR
Modified coreutils package compiled with SELinux support enabled.
Template:Package AUR
Flex version needed only to build checkpolicy. The current flex has a bug that makes the checkmodule command fail.
Template:Package AUR
PAM package with pam_selinux.so.
Template:Package AUR
Sysvinit which loads the policy at startup. Be careful: it fails if the SELinux policy cannot be loaded!
Template:Package AUR
Modified util-linux-ng package compiled with SELinux support enabled.
Template:Package AUR
Modified udev package compiled with SELinux support enabled for labeling of files in /dev to work correctly.
Template:Package AUR
Patched findutils package compiled with SELinux support to make searching of files with specified security context possible.
Template:Package AUR
Modified sudo package compiled with SELinux support which sets security context correctly.
Template:Package AUR
Procps package with SELinux patch based on some Fedora patches.
Template:Package AUR
Psmisc package compiled with SELinux support; adds e.g. -Z option to killall.
Template:Package AUR
Shadow package compiled with SELinux support; contains modified /etc/pam.d/login file to set correct security context for user after login.
Template:Package AUR
Fedora fork of Vixie cron with SELinux enabled.
Template:Package AUR
Logrotate package compiled with SELinux support.
Template:Package AUR
OpenSSH package compiled with SELinux support to set security context for user sessions.

SELinux userspace

Template:Package AUR
Tools to build SELinux policy
Template:Package AUR
Library for security-aware applications. Python bindings needed for semanage and setools now included.
Template:Package AUR
Library for policy management. Python bindings needed for semanage and setools now included.
Template:Package AUR
Library for binary policy manipulation.
Template:Package AUR
SELinux core utils such as newrole, setfiles, etc.
Template:Package AUR
A python library for parsing and modifying policy source.

SELinux policy

Template:Package AUR
Reference policy sources

Other SELinux tools

Template:Package AUR
CLI and GUI tools to manage SELinux


Note: If using proprietary drivers, such as NVIDIA graphics drivers, you may need to rebuild them for custom kernels.

Configuration

After the installation of needed packages, you have to set up a few things so that SELinux can be used.

Changing boot loader configuration

You have to manually change grub's /boot/grub/menu.lst so that the custom kernel is booted, e.g.:

# (1) Arch Linux
title  Arch Linux (SELinux)
root   (hd0,4)
kernel /boot/vmlinuz26-selinux root=/dev/sda5 ro vga=775
initrd /boot/kernel26-selinux.img

Mounting selinuxfs

Add the following to /etc/fstab:

none   /selinux   selinuxfs   noauto   0   0

Don't forget to create the mountpoint:

mkdir /selinux

Main SELinux configuration file

The main SELinux configuration file (/etc/selinux/config) is part of the Template:Package AUR package currently in the AUR. Its default contents are as follows:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings 
#                       instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= takes the name of SELinux policy to
# be used. Default policy for Arch Linux is:
#       refpolicy
SELINUXTYPE=refpolicy
Note: The option SELINUX=permissive is suitable only for testing. It gives no security. When everything is set up and working, you should change it to SELINUX=enforcing. The option SELINUXTYPE=refpolicy specifies the name of the policy to use. Change it if you choose another name for your policy. If you plan to compile the policy from source, you have to create the file yourself.

Set up PAM

Setting up PAM correctly is important for getting a proper security context after login. If you installed Template:Package AUR from AUR, the following lines should be present in /etc/pam.d/login:

# pam_selinux.so close should be the first session rule
session         required        pam_selinux.so close
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session         required        pam_selinux.so open

If not, add them to the file. The same applies to logging in via SSH in /etc/pam.d/sshd, which is part of the Template:Package AUR package.

If you want to use SELinux with a GUI, you should add the above-mentioned lines to other files such as /etc/pam.d/kde, /etc/pam.d/kde-np, ... depending on your login manager.

Note: Running SELinux with GUI applications in Arch Linux is not well supported at present.
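
The ordering requirement stated in the comments of the PAM snippet above can be checked mechanically. The script below is an added example, not part of the original page or of any SELinux package; the function name check_pam_selinux and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the wiki page): verify pam_selinux.so ordering in a PAM file.
# Usage: check_pam_selinux /etc/pam.d/login
check_pam_selinux() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }             # skip comments and blank lines
        $1 == "session" {
            n++                                     # position in the session stack
            if ($0 !~ /pam_selinux\.so/) next
            args = $0
            sub(/.*pam_selinux\.so/, "", args)      # keep only the module arguments
            gsub(/\t/, " ", args)
            args = " " args " "
            if (index(args, " close ") && !close_pos) close_pos = n
            if (index(args, " open ")  && !open_pos)  open_pos  = n
        }
        END {
            if (close_pos != 1) { print "pam_selinux.so close is missing or not the first session rule"; bad = 1 }
            if (!open_pos)      { print "pam_selinux.so open is missing"; bad = 1 }
            else if (open_pos < close_pos) { print "pam_selinux.so open precedes close"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: pam_limits.so was placed ahead of the close rule.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth      required  pam_unix.so
session   required  pam_limits.so
session   required  pam_selinux.so close
session   required  pam_selinux.so open
session   required  pam_unix.so
EOF
check_pam_selinux "$sample" || echo "=> session stack needs reordering"
rm -f "$sample"
```

Run it against each PAM file you edited (login, sshd, the display manager files). Whether the rules placed after the open line are meant to run in the user context still has to be reviewed by hand.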

Reference policy

There are currently two possible ways of installing reference policy: From a precompiled package (Template:Package AUR) or from a source package (Template:Package AUR).

Note: It is possible to have both the source and the binary package installed. If you plan to build from source in that case, you should probably change the name of the policy in build.conf to avoid overwriting the files of the selinux-refpolicy package.

Installing a precompiled refpolicy

Install Template:Package AUR from AUR. This is a modular but otherwise vanilla refpolicy. This package includes policy headers (you can therefore compile your own modules), policy documentation and an install script which will load the policy for you and relabel your filesystem (which will likely take some time). It does not include the sources, though.

This package also includes the main SELinux configuration file (/etc/selinux/config) defaulting to refpolicy and permissive SELinux enforcement for testing purposes.

You should verify that the policy was correctly loaded, that is, that the file /etc/selinux/refpolicy/policy/policy.24 has non-zero size. If so, and if you have installed Template:Package AUR and the other needed packages, you are ready to reboot and make sure that everything works.

If the policy was not correctly loaded, you can load it by running the following command as root inside the /usr/share/selinux/refpolicy directory:

/bin/ls *.pp | /bin/grep -Ev "base.pp|enableaudit.pp" | /usr/bin/xargs /usr/sbin/semodule -s refpolicy -b base.pp -i

To manually relabel your filesystem, run as root:

/sbin/restorecon -r /

Installing refpolicy from a source package

Install Template:Package AUR from AUR. Edit the file /etc/selinux/refpolicy/src/policy/build.conf to your liking.

Note: The build configuration file build.conf is overwritten on every selinux-refpolicy-src package upgrade, so back up your configuration.

To build, install and load the policy from source, do the following. (For other possibilities, consult the README file located in /etc/selinux/refpolicy/src/policy/.)

cd /etc/selinux/refpolicy/src/policy
make bare
make conf 
make load

Copy or link the compiled binary policy to /etc/policy.bin so that sysvinit can find it, and install selinux-sysvinit:

ln -s /etc/selinux/refpolicy/policy/policy.21 /etc/policy.bin

At this point files do not have any context yet, so you should relabel the whole filesystem, which will take a while:

make relabel

Create the main SELinux configuration file (/etc/selinux/config) according to the example in the related section.

Now you are ready to reboot and make sure that everything works.

Post-installation steps

You can check that SELinux is working with sestatus. You should get something like:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        refpolicy

To maintain correct context, you can use restorecond:

touch /etc/rc.d/restorecond
chmod ugo+x /etc/rc.d/restorecond

The file should contain:

#!/bin/sh
restorecond
Note: Don't forget to add restorecond to your daemons array in /etc/rc.conf.

To switch to enforcing mode without reboot, you can use:

echo 1 >/selinux/enforce
Note: If setting SELINUX=enforcing in /etc/selinux/config doesn't work for you, create /etc/rc.d/selinux-enforce containing the preceding command, in the same way as for the restorecond daemon.
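
The sample sestatus output above shows a system whose configuration file says enforcing while the kernel is still running permissive. The script below is an added example, not part of the original page, that detects this drift together with the empty-policy case mentioned under "Installing a precompiled refpolicy". The function names and the temporary fixture tree are constructed; on the system described here the arguments would be /etc/selinux/config, /selinux/enforce and /etc/selinux.

```sh
#!/bin/sh
# Added example (not from the wiki page): compare configured and running SELinux state.
# Usage: selinux_state_check CONFIG ENFORCE_FILE POLICY_ROOT
selinux_state_check() {
    _cfg=$1; _enf=$2; _root=$3; _rc=0
    # The last uncommented assignment wins; comment lines start with "#".
    _mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$_cfg" | tail -n 1)
    _type=$(sed -n 's/^[[:space:]]*SELINUXTYPE=\([A-Za-z0-9_-]*\).*/\1/p' "$_cfg" | tail -n 1)
    case $_mode in
        enforcing|disabled) ;;
        permissive) echo "config: permissive logs denials but enforces nothing" ;;
        *) echo "config: SELINUX= is missing or invalid"; _rc=1 ;;
    esac
    # A missing or zero-length binary policy means the policy was not loaded.
    _found=0
    for _p in "$_root/$_type"/policy/policy.*; do
        if [ -s "$_p" ]; then _found=1; fi
    done
    if [ "$_found" -eq 0 ]; then echo "policy: no non-empty policy.* for '$_type'"; _rc=1; fi
    # selinuxfs reports the running mode as 1 (enforcing) or 0 (permissive).
    if [ ! -r "$_enf" ]; then
        [ "$_mode" = disabled ] || { echo "runtime: $_enf not readable, is selinuxfs mounted?"; _rc=1; }
    elif [ "$_mode" = enforcing ] && [ "$(cat "$_enf")" != 1 ]; then
        echo "runtime: config says enforcing but the kernel is permissive"; _rc=1
    fi
    return "$_rc"
}

# Constructed fixture: a throwaway tree standing in for /etc/selinux and /selinux.
make_fixture() {   # make_fixture DIR CONFIG_MODE RUNNING_MODE
    mkdir -p "$1/etc/selinux/refpolicy/policy" "$1/selinux"
    printf '# constructed\nSELINUX=%s\nSELINUXTYPE=refpolicy\n' "$2" > "$1/etc/selinux/config"
    printf 'policy-bytes' > "$1/etc/selinux/refpolicy/policy/policy.24"
    printf '%s' "$3" > "$1/selinux/enforce"
}

# Reproduce the state from the sample sestatus output: enforcing configured, permissive running.
demo=$(mktemp -d)
make_fixture "$demo" enforcing 0
selinux_state_check "$demo/etc/selinux/config" "$demo/selinux/enforce" "$demo/etc/selinux" || echo "=> problems found"
rm -rf "$demo"
```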


Useful tools

There are some tools and commands that can greatly help with SELinux.

  • restorecon: Restores the context of a file or directory (or recursively with -R) based on the policy rules
  • rlpkg: Relabels any files belonging to that Gentoo package to their proper security context (if they have one)
  • chcon: Changes the context of a specific file
  • audit2allow: Reads log messages from the AVC log file and tells you what rules would fix the error. Do not add these rules without looking at them, though: audit2allow cannot detect errors in other places (i.e. the application running in the wrong context in the first place), and sometimes things generate error messages but still work, in which case it would be better to add dontaudit to just ignore the access attempts.

References

See also

  • AppArmor (Similar to SELinux, much easier to configure, but not as complex)
  • DNSSEC