Random SELinux notes
Sorry, these are quite unordered...
Please add your own findings here!
Getting SELinux working on Debian Wheezy official Amazon EC2 AMIs
If you're running a system with refpolicy-targeted and default configuration, there is no need to worry about transitioning to other SELinux roles to execute administrative commands.
All users have user_u:system_r:unconfined_t:s0 which basically means there are no restrictions on which commands can be executed. You will of course still need root permission for most administrative tasks (using su or sudo).
Run sestatus to get some information on your SELinux setup. Include at least "Current Mode" and "Policy from config file" when asking for help. Example output:
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: refpolicy-mcs Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: denied Memory protection checking: actual (secure) Max kernel policy version: 33
Alternative web roots
Not everybody uses/likes /var/www - here's how to setup other web roots:
semanage fcontext -a -t httpd_sys_content_t /srv/www restorecon -R /srv/www
If a filesystem is mounted with the nosuid option (e.g. a data filesystem), SELinux type transitions will not happen either. So if you copy e.g. ping to such a filesystem, despite being labeled ping_exec_t, it won't work. This is intentional. If you need this behaviour, you'll have to mount it without the nosuid option.
Services on non-standard ports
If you have e.g. OpenVPN running on a non-stanard port, you'll need to label the port accordingly. This can be done e.g. (to allow OpenVPN on port 1195) by
semanage port -a -t openvpn_port_t -p udp 1195
Similarly, if you have load-balanced/failover DHCP servers, you'll need to assign the inter-server communication port to DHCPD by doing
semanage port -a -t dhcpd_port_t -p udp 519
SELinux has a couple of configureable options. You can list them with getsebool -a, and set them (permanently) with setsebool -P boolean=1.
Example: if you want your DNS server to be able to update zone files, use
setsebool -P named_write_master_zones=1
File context customization
Local customizations to file contexts that survive relabeling are done the following way:
semanage fcontext -a -t unconfined_exec_t /usr/lib/heartbeat/heartbeat
This adds a labeling rule that will make heartbeat run as 'unconfined'.
Services without policy
Should probably labeled as "unconfined" until someone has written a policy. E.g.
semanage fcontext -a -t unconfined_exec_t /usr/sbin/bindgraph.pl
Enabling selinux when booting custom kernel
Starting with linux kernel 2.6.35, there may be multiple security modules compiled into the kernel. In order to enable selinux, use
kernel command-line option. This is necessary even if
is specified too. If it is not set as default in kernel configuration ofcourse.