Random SELinux notes

Sorry, these are quite unordered...

Please add your own findings here!

Getting SELinux working on Debian Wheezy official Amazon EC2 AMIs

Howto blog post on getting SELinux enabled on official Wheezy EC2 AMIs

Targeted policy

If you're running a system with refpolicy-targeted and default configuration, there is no need to worry about transitioning to other SELinux roles to execute administrative commands.

All users have user_u:system_r:unconfined_t:s0 which basically means there are no restrictions on which commands can be executed. You will of course still need root permission for most administrative tasks (using su or sudo).

SELinux status

Run sestatus to get some information on your SELinux setup. Include at least "Current Mode" and "Policy from config file" when asking for help. Example output:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy-mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Alternative web roots

Not everybody uses/likes /var/www - here's how to set up other web roots. The rule needs the (/.*)? suffix so that it covers the files below the directory and not just the directory itself:

semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
restorecon -R /srv/www

Nosuid mounts

If a filesystem is mounted with the nosuid option (e.g. a data filesystem), SELinux type (domain) transitions will not happen for executables on it either. So if you copy e.g. ping to such a filesystem, it won't work even though it is labeled ping_exec_t. This is intentional. If you need transitions there, you'll have to mount the filesystem without the nosuid option.

Services on non-standard ports

If you have e.g. OpenVPN running on a non-standard port, you'll need to label the port accordingly. For example, to allow OpenVPN on port 1195:

semanage port -a -t openvpn_port_t -p udp 1195

Similarly, if you have load-balanced/failover DHCP servers, you'll need to assign the inter-server communication port to dhcpd:

semanage port -a -t dhcpd_port_t -p udp 519
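semanage port -a only works when the port/protocol pair is not yet defined in the policy; if it already is (for example with another type), -a fails and -m (modify) is needed instead. The following is an added example, not part of the wiki page, that parses the output of semanage port -l to pick the right verb. The sample listing embedded in it is constructed for the example, and the semanage_port_cmd/port_type_for helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): decide whether a port
# needs "semanage port -a" (new definition) or "semanage port -m"
# (modify an existing definition). semanage refuses -a when the exact
# port is already defined for the protocol, so "semanage port -l" is parsed.

# port_type_for PROTO PORT
# Reads "semanage port -l" output on stdin and prints the type whose
# definition lists PORT exactly. A range entry such as 1024-65535 does
# not count: only an exact definition makes "semanage port -a" fail.
port_type_for() {
    proto="$1"; port="$2"
    awk -v proto="$proto" -v port="$port" '
        NR > 1 && NF >= 3 && $2 == proto {
            # fields 3..NF are a comma-separated port list, e.g. "67, 68, 647"
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                if (p == port) { print $1; exit }
            }
        }'
}

# semanage_port_cmd TYPE PROTO PORT
# Prints the command to run: -a when the port is undefined, nothing to do
# when it already has TYPE, -m when it is defined with another type.
semanage_port_cmd() {
    type="$1"; proto="$2"; port="$3"
    existing=$(port_type_for "$proto" "$port")
    if [ -z "$existing" ]; then
        echo "semanage port -a -t $type -p $proto $port"
    elif [ "$existing" = "$type" ]; then
        echo "true  # $proto/$port is already labeled $type"
    else
        echo "semanage port -m -t $type -p $proto $port"
    fi
}

# Constructed sample of "semanage port -l" output (not taken from a real
# system); used for testing the parser offline.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

dhcpd_port_t                   udp      67, 68, 647, 847
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194
unreserved_port_t              udp      1024-65535'

# Usage on a real system:  sh this_script.sh --apply openvpn_port_t udp 1195
if [ "${1:-}" = "--apply" ]; then
    cmd=$(semanage port -l | semanage_port_cmd "$2" "$3" "$4")
    echo "$cmd"
    eval "$cmd"
fi
```

With the constructed listing, udp/1195 is undefined and gets -a (the OpenVPN case from the notes), while re-labeling udp/1194 with another type would correctly produce -m.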

SELinux options

SELinux has a couple of configurable options (booleans). You can list them with getsebool -a, and set them (permanently) with setsebool -P boolean=1.

Example: if you want your DNS server to be able to update zone files, use

setsebool -P named_write_master_zones=1

File context customization

Local customizations to file contexts that survive relabeling are done the following way:

semanage fcontext -a -t unconfined_exec_t /usr/lib/heartbeat/heartbeat

This adds a labeling rule that will make heartbeat run as 'unconfined'.

Services without policy

These should probably be labeled as "unconfined" until someone has written a policy. E.g.

semanage fcontext -a -t unconfined_exec_t /usr/sbin/bindgraph.pl
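The web-root, heartbeat and bindgraph.pl rules above are all the same operation: add a persistent fcontext rule, relabel, then check that the policy really returns the wanted type. The following is an added example, not code from the wiki page; it assumes semanage, restorecon and matchpathcon (policycoreutils) are installed, and the helper names (fcontext_spec, label_path, run, DRY_RUN) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): persistent file-context
# rule, relabel, and verification, for a web root directory or a single
# executable. Set DRY_RUN=1 to only print the commands that would run.

# fcontext_spec PATH
# A directory needs the "(/.*)?" suffix so the rule covers its contents;
# a plain file is matched by its literal path.
fcontext_spec() {
    if [ -d "$1" ]; then
        printf '%s(/.*)?\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# context_type CONTEXT
# Extracts the type field from user:role:type[:level], e.g.
# system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# run CMD...  : echo the command, then execute it unless DRY_RUN=1
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# label_path TYPE PATH
# Adds the fcontext rule, applies it, and confirms that the policy now
# returns TYPE for PATH. Returns non-zero if the label did not take
# (typo in the type name, a more specific rule winning, etc.).
label_path() {
    type="$1"; path="$2"
    spec=$(fcontext_spec "$path")
    run semanage fcontext -a -t "$type" "$spec" || return 1
    run restorecon -Rv "$path" || return 1
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    # matchpathcon -n prints only the context the policy assigns to PATH
    actual=$(context_type "$(matchpathcon -n "$path")")
    if [ "$actual" = "$type" ]; then
        echo "$path -> $actual"
    else
        echo "expected $type, but policy returns $actual for $path" >&2
        return 1
    fi
}

# Usage (the three cases from the notes above):
#   sh this_script.sh httpd_sys_content_t /srv/www
#   sh this_script.sh unconfined_exec_t /usr/lib/heartbeat/heartbeat
#   sh this_script.sh unconfined_exec_t /usr/sbin/bindgraph.pl
if [ $# -eq 2 ]; then
    label_path "$1" "$2"
fi
```

Running ls -Z afterwards is still worthwhile: matchpathcon reports what the policy says the label should be, while ls -Z shows what is actually on disk after restorecon.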

Enabling SELinux when booting a custom kernel

Starting with Linux kernel 2.6.35, more than one security module may be compiled into the kernel. To enable SELinux, use the


kernel command-line option. This is necessary even if


is specified too, unless SELinux is set as the default in the kernel configuration.