

1. Introduction to SELinux on Debian

SELinux differs from regular Linux security in that in addition to the traditional UNIX user id and group id, it also attaches a SELinux user, role, domain (type), and sensitivity label to each file and process.

For most operations, specific domains are required, but instead of logging into a domain, certain processes will be switching domains automatically, e.g. when you run "ping" you will be switching to a domain that can do ICMP. See the SELinux page for more background and the SELinux/Issues page for more details on current SELinux issues in Debian.

This page describes how to setup SELinux on your Debian GNU/Linux system.


2. Steps to setup SELinux

The following steps describe how to install and configure SELinux together with the default policy which enables SELinux for the most important parts of your system (e.g. most Internet-facing daemons, see the policies section below for alternative policies):

  1. If you are not using the standard Linux kernel provided by Debian with an ext2/3/4/xfs/btrfs filesystem, you have to make sure that you are using a SELinux capable kernel and filesystem (see the prerequisites section below).

  2. Get the default policy and the basic set of SELinux utilities by running apt-get install selinux-basics selinux-policy-default auditd.

  3. If using Ubuntu, download this _load_selinux_policy script (a slightly modified version of the script included in the Ubuntu 'selinux' package), place it in /usr/share/initramfs-tools/scripts/init-bottom/ and then run update-initramfs -u. sysvinit and systemd in Debian load the SELinux policy automatically, but Upstart in Ubuntu does not (what Ubuntu does nowadays still needs to be tested; see https://bugs.launchpad.net/upstart/+bug/595774).

  4. Set up swap if your system is low on memory, to prevent the OOM killer from killing the SELinux default policy update process.

  5. Run selinux-activate to configure GRUB and PAM and to create /.autorelabel.

  6. Reboot. It will take a while to label the filesystems on boot, and the system will automatically reboot a second time when that is complete.

  7. Run check-selinux-installation to check that everything has been set up correctly and to catch common SELinux problems. (Note: in wheezy the warning about /etc/pam.d/login is a false positive.)

You should now have a working SELinux system, which is in permissive mode. This means that the selinux policy is not enforced, but denials are logged. You can see all would-be denials since the last reboot with a small explanation for each with audit2why -al. If no critical audit errors appear in your syslog and you feel comfortable with SELinux, enable enforcing mode temporarily by running setenforce 1 or permanently by adding enforcing=1 to the kernel command line in /etc/default/grub and then rebooting one last time.
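While the system is permissive, the would-be denials pile up in the audit log, and reviewing them grouped by domain, target type, class and permission is the quickest way to see what would break in enforcing mode. The following is an added example (not a Debian tool; audit2why does this job with policy knowledge) that parses constructed AVC records of the form auditd writes and counts distinct denials:

```python
import re
from collections import Counter

# Constructed sample audit records (not a real log) in the AVC format that
# auditd writes to /var/log/audit/audit.log; permissive=1 marks would-be denials.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { create } for  pid=2101 comm="ping" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=2102 comm="cron" name="shadow" dev="sda1" ino=1234 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=2103 comm="cron" name="gshadow" dev="sda1" ino=1235 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    # The third colon-separated component of a context is the type (domain).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts

def report(counts):
    """Render the summary, most frequent first, one line per distinct denial."""
    lines = []
    for (stype, ttype, tclass, perms), n in counts.most_common():
        lines.append(f"{n:4d}  {stype} -> {ttype} {tclass} {{ {' '.join(perms)} }}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(summarize(SAMPLE_AUDIT_LOG)))
```

A denial such as system_cronjob_t reading shadow_t is exactly the kind you want to remove at the source (see the cron backup fix below) rather than allow.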

If you want to learn how to work with your newly configured SELinux system (relabelling files, moving files, checking the security context of files, etc), the Fedora Project SELinux FAQ documentation by RedHat may be useful.


3. Prerequisites: filesystems

First of all you must use a filesystem that supports SELinux. Currently this includes btrfs, ext2, ext3, ext4, jfs and xfs. For ext2/3/4 there is nothing special to be aware of, but for other filesystems there are still some quirks:

3.1. btrfs

Currently an autorelabel operation won't cover subvolumes on btrfs. You need to manually relabel the subvolume. Once it's labelled everything will work correctly. New subvols that are created don't have labels - but creating a subvol via making a snapshot copies the label.

3.2. SquashFS

SquashFS supports xattr (which is required for SELinux file labeling) since kernel version 2.6.30.

3.3. ReiserFS

ReiserFS has only partial support for SELinux: it supports extended attributes but not atomic labelling, so newly created files will not have a SELinux context, which makes using SELinux on ReiserFS quite painful. ReiserFS is therefore not supported by utilities like fixfiles, so you should first migrate to one of the filesystems listed above if you intend to use SELinux.

3.4. xfs

If you use xfs, you should create the filesystem with the "-isize=512" option. The default inode size is 256 bytes, which is not large enough for a SELinux XATTR, and they would need to be stored in separate blocks. This would take up disk space, and be less efficient. See http://www.redhat.com/magazine/001nov04/features/selinux/ for more on this.

The above information is dated: since 2010, with recent versions of xfs and SELinux, there is no appreciable benefit in changing the default inode size of 256 bytes, because SELinux now uses a different algorithm to counter this issue. See https://www.crc.id.au/2010/09/29/selinux-on-xfs-filesystems/ and https://bugzilla.redhat.com/show_bug.cgi?id=207143

4. Prerequisites: kernel features

Second, you must make sure that your kernel includes all necessary features for running SELinux. If you are using a Debian packaged kernel, you can skip the rest of this section, as Debian kernels already include all the necessary SELinux features, and start directly with the setup steps.

If you build the kernel yourself, make sure that CONFIG_AUDIT and CONFIG_SECURITY_SELINUX are enabled. Also make sure you have extended attributes (XATTRs) enabled for your filesystems, as they are used to label files with the proper SELinux contexts. For some filesystems (e.g. ReiserFS) you also need to enable security labels as a separate option in addition to extended attributes.

Note: extended attribute (xattr) support is not the same as user_xattr support; the latter is not needed for SELinux.

When the configuration is satisfactory: build, install and reboot into your new kernel and then proceed with the setup steps above.


5. Package-specific fixes

Many of the below steps are fixes and workarounds for issues listed on the SELinuxStatus page and in bug reports with the SELinux usertag.

5.1. initscripts

In /etc/default/rcS :

5.2. mail servers (postfix/exim/etc)

While a policy module for exim exists, it is strongly recommended to use postfix, as the postfix policy is the only one which got sufficient testing in Debian.

If you are using postfix, disable chroot support by running postfix-nochroot. Note that this command can be run multiple times (which is sometimes necessary if you have run another script that added a new entry to /etc/postfix/master.cf), but you need to move the backup file aside first.

To avoid the check-selinux-installation failure "Postfix init script is syncing the chroots", add the line SYNC_CHROOT="n" to /etc/default/postfix, for example with:

echo 'SYNC_CHROOT="n"' >> /etc/default/postfix

5.3. passwd's daily backup cronjob

The shadow package includes a daily cronjob to backup some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/passwd and disable the part making a backup of /etc/shadow and /etc/gshadow.

5.4. locate and updatedb

"locate" is part of fileutils, and used to be considered a useful tool for finding files on your system (on modern big servers it can seriously hurt performance, while on small systems find is fast enough). To work, however, it needs to scan your whole filesystem for files, which would require rather extensive SELinux permissions and might permit an "information leak". In the past locate has been used to bypass SE Linux access controls (due to a design flaw). That design flaw has been fixed, but it is still recommended that you not use it.

To do this, insert an exit 0 as the second line of /etc/cron.daily/find (or /etc/cron.daily/mlocate).


6. Pitfalls

These additional permission checks will of course deny many things that you are used to.

For example, a regular user (depending on the policy) might not be able to do a "ping", unless you set the "user_ping" boolean.

But in many cases, there won't be a simple boolean to set - in some cases, a different behaviour is actually expected.

6.1. Backups

When you back up a SELinux system, make sure your backup includes the file contexts. The star advanced tar implementation is able to store extended attributes (which is what SELinux uses to store the file contexts) if used with the -xattr -H=exustar options. Alternatively, you can run fixfiles relabel after you have restored from a backup in order to reset all file contexts to the policy defaults (which means you'll lose any modified contexts; these are uncommon with typical server applications but not uncommon with user applications). You can also run restorecon -R /whatever to restore the contexts of the files that you restored from backup.

6.2. Xen domU

When enabling SELinux on a Xen domU instance be sure to include an /etc/fstab entry for your root file system. Programs like fixfiles rely on the output from the mount command to report the file system type. Without an /etc/fstab entry mount will report the file system type as rootfs and fixfiles will fail silently. This will prevent the most common file system relabeling operations like touch /.autorelabel and fixfiles relabel / from working properly. Of course you want to do this even when not using SE Linux.

A simple /etc/fstab for a Xen domU root file system with only one partition looks something like:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/hda        /               ext3    defaults        0       2


7. Policies

You have the choice between some variants of the so-called SELinux reference policy: the ready-made selinux-policy-default, or the source of the reference policy, selinux-policy-src (which you can use if you want to modify the policy or build your own).

So for example:

This will draw in some required tools and libraries, e.g. checkpolicy and/or policycoreutils. You also need the selinux-basics package.

Optionally, you can also install some other SELinux-related packages such as selinux-utils, setools, polgen, polgen-doc, slat, selinux-policy-doc etc., but those are not required for a minimum setup.

The ready-made policies (strict and targeted) try to guess which packages you have installed and enable the respective policy modules for those. For example, if you have ssh installed, the ssh policy module will be loaded. However, this might not work for all packages, so some manual tweaking might be required.

When running with SELinux enabled, you might get a lot of error messages in syslog while the system boots and after that. If you're feeling adventurous, you might want to install selinux-policy-src, fix (or write new) policies, relabel the filesystem, etc. Of course with the recent policy you can create your own policy modules so you can make most changes that you would desire while still using selinux-policy-default for the majority of the policy on your system.

7.1. Customising Policy

Run apt-get install selinux-policy-dev to install the policy development tools.

Copy or symlink /usr/share/doc/selinux-policy-dev/examples/Makefile to the directory you want to use for your new policy.

The format of a policy module is as follows:

policy_module(local,0.0.0)

# Types used by this module that are defined elsewhere in the loaded policy.
# unconfined_t is listed here because the allow rule below references it; a
# type referenced without being declared or required fails to compile.
require {
        type unconfined_t, user_t, user_home_t, virt_content_t;
}

# for steam: let the unconfined domain apply text relocations (execmod) to
# files in user home directories
allow unconfined_t user_home_t:file execmod;

You put the module source in a file with extension .te and name matching the module name (local.te in this case) and run make load to load it into the kernel.

To have the contexts of files set on a full relabel you need a file with a name such as local.fc with content as follows:

/chroot                 -d      gen_context(system_u:object_r:virt_content_t,s0)
/chroot/.*                      <<none>>

Running make load will compile that into the policy and then a restorecon command or a reboot with the /.autorelabel file in place will cause the labelling to be done.

For the .fc file the first field is a regex matching the files, the optional second field specifies the object class (hyphen followed by the first letter of the ls -l output), and the third field specifies the label, where <<none>> is a special label indicating that the file should never be automatically relabeled.
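To make the three-field format concrete, here is an added example (not part of the page or of the Debian policy tools) that parses .fc lines, expands the gen_context() macro, honours the optional object-class field and the <<none>> label, and looks up the label a path would receive. It uses the page's two entries plus two constructed ones, and simplifies the matching rule to "the last matching entry wins" without the stem-based ordering that libselinux applies, so it is an illustration of the format rather than a drop-in for setfiles.

```python
import re

# Constructed sample .fc content: the two entries from the page plus two
# added here to show a regex suffix, an explicit context and class filtering.
SAMPLE_FC = """\
/chroot                 -d      gen_context(system_u:object_r:virt_content_t,s0)
/chroot/.*                      <<none>>
/srv/www(/.*)?                  gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/www/logs(/.*)?     -d      system_u:object_r:httpd_log_t:s0
"""

# Optional second field: a hyphen plus the first character of ls -l output.
CLASS_LETTERS = {"-": "file", "d": "dir", "c": "chr_file", "b": "blk_file",
                 "s": "sock_file", "l": "lnk_file", "p": "fifo_file"}

GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")

def parse_fc(text):
    """Parse .fc lines into (compiled regex, object class or None, label or None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, cls_field, ctx = fields
            if len(cls_field) != 2 or cls_field[0] != "-" or cls_field[1] not in CLASS_LETTERS:
                raise ValueError(f"bad object class {cls_field!r} in {raw!r}")
            cls = CLASS_LETTERS[cls_field[1]]
        elif len(fields) == 2:
            regex, ctx = fields
            cls = None                            # applies to every object class
        else:
            raise ValueError(f"malformed .fc line: {raw!r}")
        if ctx == "<<none>>":
            label = None                          # never relabel matching files
        else:
            m = GEN_CONTEXT.fullmatch(ctx)
            label = f"{m.group(1)}:{m.group(2)}" if m else ctx   # expand gen_context()
        entries.append((re.compile(regex), cls, label))
    return entries

def lookup(entries, path, cls="file"):
    """Return (matched, label); matched=True with label=None means <<none>>."""
    result = (False, None)
    for regex, entry_cls, label in entries:     # later entries override earlier ones
        if regex.fullmatch(path) and entry_cls in (None, cls):
            result = (True, label)
    return result
```

The regexes are anchored with fullmatch because setfiles treats each pattern as matching the whole path.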