= Random SELinux notes =

Sorry, these are quite unordered... '''Please add your own findings here!'''

== Getting SELinux working on Debian Wheezy official Amazon EC2 AMIs ==

[[http://www.totalserve.net.au/blog/post/getting-selinux-to-work-on-official-debian-wheezy-amazon-ec2-amis|Howto blog post on getting SELinux enabled on official Wheezy EC2 AMIs]]

== Targeted policy ==

If you're running a system with refpolicy-targeted and the default configuration, there is no need to worry about transitioning to other SELinux roles to execute administrative commands. All users have {{{user_u:system_r:unconfined_t:s0}}}, which basically means there are no restrictions on which commands can be executed. You will of course still need {{{root}}} permission for most administrative tasks (using {{{su}}} or {{{sudo}}}).

== SELinux status ==

Run {{{sestatus}}} to get some information on your SELinux setup. Include at least the "Current mode" line and the policy line ("Loaded policy name", or "Policy from config file" on older versions of sestatus) when asking for help.

Example output:

{{{
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy-mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      33
}}}

== Alternative web roots ==

Not everybody uses/likes {{{/var/www}}}. Here's how to set up other web roots:

{{{
semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
restorecon -R /srv/www
}}}

The {{{(/.*)?}}} suffix makes the rule cover {{{/srv/www}}} and everything below it; a bare path would only match the directory itself, and {{{restorecon -R}}} would leave its contents with the default label.

== Nosuid mounts ==

If a filesystem is mounted with the {{{nosuid}}} option (e.g. a data filesystem), SELinux type transitions will not happen on it either. So if you copy e.g. {{{ping}}} to such a filesystem, it won't work despite being labeled {{{ping_exec_t}}}. This is intentional. If you need this behaviour, you'll have to mount the filesystem without the {{{nosuid}}} option.

== Services on non-standard ports ==

If you have e.g. OpenVPN running on a non-standard port, you'll need to label the port accordingly. This can be done e.g. (to allow OpenVPN on port 1195) by

{{{
semanage port -a -t openvpn_port_t -p udp 1195
}}}

Similarly, if you have load-balanced/failover DHCP servers, you'll need to assign the inter-server communication port to DHCPD by doing

{{{
semanage port -a -t dhcpd_port_t -p udp 519
}}}

== SELinux options ==

SELinux has a couple of configurable options (booleans). You can list them with {{{getsebool -a}}}, and set them (permanently) with {{{setsebool -P boolean=1}}}.

Example: if you want your DNS server to be able to update zone files, use

{{{
setsebool -P named_write_master_zones=1
}}}

== File context customization ==

Local customizations to file contexts that survive relabeling are done the following way:

{{{
semanage fcontext -a -t unconfined_exec_t /usr/lib/heartbeat/heartbeat
}}}

This adds a labeling rule that will make heartbeat run as 'unconfined'.

== Services without policy ==

These should probably be labeled as "unconfined" until someone has written a policy. E.g.

{{{
semanage fcontext -a -t unconfined_exec_t /usr/sbin/bindgraph.pl
}}}

== Enabling SELinux when booting a custom kernel ==

Starting with Linux kernel 2.6.35, multiple security modules may be compiled into the kernel. To enable SELinux, pass the {{{security=selinux}}} kernel command-line option. This is necessary even if {{{selinux=1}}} is also specified, unless SELinux is set as the default in the kernel configuration.
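The port-labeling commands in the "Services on non-standard ports" section above work only when the port is not yet labeled: {{{semanage port -a}}} refuses a port that is already defined (in the base policy or locally), and {{{semanage port -m}}} is needed to change its type instead. The POSIX sh helper below is an added example, not part of this wiki page or of the semanage tool; the function names ({{{port_owner}}}, {{{port_label_cmd}}}) and the {{{SAMPLE_PORTS}}} listing are constructed here for illustration, in the format {{{semanage port -l}}} prints.

```shell
# Constructed excerpt in the format of `semanage port -l`; not captured
# from a real host.
SAMPLE_PORTS='openvpn_port_t                 udp      1194
dhcpd_port_t                   udp      67, 547
ephemeral_port_t               tcp      32768-61000
ssh_port_t                     tcp      22'

# Print "TYPE exact" if PORT/PROTO is listed as an individual port in
# LISTING, "TYPE range" if it only falls inside a low-high range, or
# nothing if it is unlabeled. Handles comma-separated lists and ranges
# the way semanage prints them.
port_owner() {
    proto=$1; port=$2; listing=$3
    printf '%s\n' "$listing" | awk -v p="$proto" -v n="$port" '
        $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,/, "", v)
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (n+0 >= r[1]+0 && n+0 <= r[2]+0) { print $1 " range"; exit }
                } else if (v+0 == n+0) { print $1 " exact"; exit }
            }
        }'
}

# Choose the semanage verb: -a when the exact port is not defined (a port
# that only sits inside another type's range can still be added, the
# specific entry takes precedence), -m when it is already defined with a
# different type (-a would fail with "already defined"), and no command
# at all when it already carries TYPE.
port_label_cmd() {
    type=$1; proto=$2; port=$3; listing=$4
    owner=$(port_owner "$proto" "$port" "$listing")
    case "$owner" in
        "$type exact")
            printf '# %s/%s already labeled %s\n' "$proto" "$port" "$type" ;;
        *" exact")
            printf 'semanage port -m -t %s -p %s %s\n' "$type" "$proto" "$port" ;;
        *)
            printf 'semanage port -a -t %s -p %s %s\n' "$type" "$proto" "$port" ;;
    esac
}

# Demo with the page's two cases (OpenVPN on 1195, DHCP failover on 519).
port_label_cmd openvpn_port_t udp 1195 "$SAMPLE_PORTS"
port_label_cmd dhcpd_port_t udp 519 "$SAMPLE_PORTS"
```

On a live host, pass {{{"$(semanage port -l)"}}} instead of {{{"$SAMPLE_PORTS"}}}; the header lines of the real output have no matching protocol field and are ignored by the awk filter. The printed command is deliberately not executed, so the script can be reviewed before anything is changed.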
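The "Alternative web roots" and "File context customization" sections above rely on {{{semanage fcontext}}} rules, which are regular expressions matched against the whole path of each file {{{restorecon}}} visits. The POSIX sh helper below is an added example, not part of this wiki page or of the semanage tool, showing why a web root needs the {{{(/.*)?}}} suffix while a single binary like heartbeat does not; the function names ({{{fcontext_regex}}}, {{{fcontext_rule_cmd}}}, {{{fcontext_matches}}}) are constructed here for illustration.

```shell
# Turn a literal directory path into the fcontext regex that covers the
# directory and everything below it: escape regex metacharacters (a dot in
# a hostname-style directory would otherwise match any character), then
# append (/.*)?.
fcontext_regex() {
    printf '%s\n' "$1" | sed -e 's/[][.*^$+?(){}|]/\\&/g' -e 's|$|(/.*)?|'
}

# Print the semanage command that labels PATH and its whole tree as TYPE.
fcontext_rule_cmd() {
    type=$1; path=$2
    printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$(fcontext_regex "$path")"
}

# Return 0 if PATH is matched by the fcontext regex RULE, anchored at both
# ends the way the file-context matcher applies it to a full path.
fcontext_matches() {
    rule=$1; path=$2
    printf '%s\n' "$path" | grep -Eq "^${rule}\$"
}

# Demo: the bare path only labels the directory itself, the regex form
# also covers files underneath it.
fcontext_rule_cmd httpd_sys_content_t /srv/www
for rule in '/srv/www' '/srv/www(/.*)?'; do
    if fcontext_matches "$rule" /srv/www/index.html; then
        printf '%-20s matches /srv/www/index.html\n' "$rule"
    else
        printf '%-20s does NOT match /srv/www/index.html\n' "$rule"
    fi
done
```

After adding a rule, {{{matchpathcon /srv/www/index.html}}} on the host shows the label the real matcher would assign, and {{{restorecon -R -v /srv/www}}} lists every file it relabels, which is the check to run before pointing Apache at the new root.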