1. Introduction to SELinux on Debian
SELinux differs from regular Linux security in that in addition to the traditional UNIX user id and group id, it also attaches a SELinux user, role, domain (type), and sensitivity label to each file and process.
For most operations, specific domains are required, but instead of logging into a domain, certain processes will be switching domains automatically, e.g. when you run "ping" you will be switching to a domain that can do ICMP. See the SELinux page for more background and the SELinux/Issues page for more details on current SELinux issues in Debian.
This page describes how to setup SELinux on your Debian GNU/Linux system.
2. Steps to setup SELinux
The following steps describe how to install and configure SELinux together with the default policy which enables SELinux for the most important parts of your system (e.g. most Internet-facing daemons, see the policies section below for alternative policies):
If you are not using the standard linux kernel provided by debian with an ext2/3/4, you have to make sure that you are using a SELinux capable kernel and filesystem (see the prerequisites section below).
Get the default policy and the basic set of SELinux utilities by running apt-get install selinux-basics selinux-policy-default auditd.
If using Ubuntu, download this _load_selinux_policy script (this is a slightly modified version of the script included in the Ubuntu 'selinux' package), place it in /usr/share/initramfs-tools/scripts/init-bottom/ then run update-initramfs -u (Upstart in Debian loads the SELinux policy automatically, but Upstart in Ubuntu does not. See https://bugs.launchpad.net/upstart/+bug/595774)
Run selinux-activate to configure GRUB and PAM and to create /.autorelabel
- Reboot, it will take a while to label the filesystems on boot and then it will automatically reboot a second time when that is complete.
Run check-selinux-installation to check that everything has been setup correctly and to catch common SELinux problems. (Note: in wheezy the warning about /etc/pam.d/login is a false positive)
You should now have a working SELinux system, which is in permissive mode. This means that the selinux policy is not enforced, but denials are logged. You can see all would-be denials since the last reboot with a small explanation for each with audit2why -al. If no critical audit errors appear in your syslog and you feel comfortable with SELinux, enable enforcing mode temporarily by running setenforce 1 or permanently by adding enforcing=1 to the kernel command line in /etc/default/grub and then rebooting one last time.
If you want to learn how to work with your newly configured SELinux system (relabelling files, moving files, checking the security context of files, etc), the Fedora Project SELinux FAQ documentation by RedHat may be useful.
3. Prerequisites: filesystems
First of all you must use a filesystem that supports SELinux. Currently this includes btrfs, ext2, ext3, ext4, jfs and xfs. For ext2/3/4 there is nothing special to be aware of, but for other filesystems there are still some quirks:
Currently an autorelabel operation won't cover subvolumes on btrfs. You need to manually relabel the subvolume. Once it's labelled everything will work correctly.
SquashFS supports xattr (which is required for SELinux file labeling) since kernel version 2.6.30.
ReiserFS has partial support for SELinux as it supports extended attributes but not atomic labelling meaning that newly created files will not have a SELinux context which makes using SELinux under ReiserFS quite painful. ReiserFS is therefore not supported by utilities like fixfiles, so you should first migrate to one of the above listed filesystems if you intend to use SELinux.
If you use xfs, you should create the filesystem with the "-isize=512" option. The default inode size is 256 bytes, which is not large enough for a SELinux XATTR, and they would need to be stored in separate blocks. This would take up disk space, and be less efficient. See http://www.redhat.com/magazine/001nov04/features/selinux/ for more on this.
The above information is dated and since 2010 with recent versions of xfs and selinux there is no appreciable benefits to change the default filesystem inode size of 256, since selinux has been using different algorithm to counter this issue. see https://www.crc.id.au/2010/09/29/selinux-on-xfs-filesystems/ https://bugzilla.redhat.com/show_bug.cgi?id=207143
4. Prerequisites: kernel features
Second, you must make sure that your kernel includes all necessary features for running SELinux. If you are using a Debian packaged kernel, you can skip the rest of this section as Debian kernels already include all the necessary SELinux features, so start directly at setup steps.
If you build the kernel yourself, make sure that CONFIG_AUDIT and CONFIG_SECURITY_SELINUX are enabled. Also make sure you have extended attributes (XATTRs) enabled for your filesystems as it is used to label files with the proper SELinux contexts. For some filesystems (e.g. ReiserFS) you also need to enable security labels as a separate option in addition to extended attributes.
Note: extended attributes (xattr) is not the same as user_xattr support which is not needed for SELinux.
When the configuration is satisfactory: build, install and reboot into your new kernel and then proceed with the setup steps above.
5. Package-specific fixes
In /etc/default/rcS :
- set FSCKFIX=yes
5.2. mail servers (postfix/exim/etc)
While a policy module for exim exists, it is strongly recommended to use postfix, as the postfix policy is the only one which got sufficient testing in Debian.
If you are using postfix, disable chroot-support by running postfix-nochroot, note that this command can be run multiple times (which is sometimes necessary if you have run another script that added a new entry to /etc/postfix/master.cf), but you need to move the backup file aside first.
You can add to /etc/default/postfix the line:
echo 'SYNC_CHROOT="n"' >> /etc/default/postfix
to avoid check-selinux-installation fails: Postfix init script is syncing the chroots
5.3. passwd's daily backup cronjob
The shadow package includes a daily cronjob to backup some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/passwd and disable the part making a backup of /etc/shadow and /etc/gshadow.
5.4. locate and updatedb
"locate" is part of fileutils, and used to be considered a useful tool for finding files on your system (on modern big servers it can seriously hurt performance while on small systems find is fast enough). To work it however needs to scan your whole filesystem for files - which would require rather extensive SELinux permissions and might permit an "information leak". In the past locate has been used to bypass SE Linux access controls (due to a design flaw). That design flaw has been fixed but it is still recommended that you not use it.
To do this, insert an exit 0 as the second line of /etc/cron.daily/find (or /etc/cron.daily/mlocate).
These additional permissions that need to be fulfilled will of course deny many things that you are used to.
For example, a regular user (depending on the policy) might not be able to do a "ping", unless you set the "user_ping" boolean.
But in many cases, there won't be a simple boolean to set - in some cases, a different behaviour is actually expected.
When you backup a SELinux system, make sure your backup includes the file contexts. The star advanced tar implementation is able to store extended attributes (which is what SELinux uses to store the file contexts) if used with the -xattr -H=exustar options. Alternatively, you can run fixfiles relabel after you have restored from a backup in order to reset all file contexts to the policy defaults (which means you'll lose modified contexts - while not commonly used with typical server applications are not uncommon with user applications). You can also run restorecon -R /whatever to restore the contexts of the files that you restored from backup.
6.2. Xen domU
When enabling SELinux on a Xen domU instance be sure to include an /etc/fstab entry for your root file system. Programs like fixfiles rely on the output from the mount command to report the file system type. Without an /etc/fstab entry mount will report the file system type as rootfs and fixfiles will fail silently. This will prevent the most common file system relabeling operations like touch /.autorelabel and fixfiles relabel / from working properly. Of course you want to do this even when not using SE Linux.
A simple /etc/fstab for a Xen domU root file system with only one partition looks something like:
# <file system> <mount point> <type> <options> <dump> <pass> /dev/hda / ext3 defaults 0 2
You have the choice between some variants of the the so-called SELinux reference policy: the ready-made selinux-policy-default, or the source of the reference policy, selinux-policy-src (which you can use if you want to modify the policy or build your own).
So for example:
apt-get install selinux-policy-default
This will draw in some required tools and libraries, e.g. checkpolicy and/or policycoreutils. You also need the selinux-basics package.
Optionally, you can also install some other SELinux-related packages such as selinux-utils, setools, polgen, polgen-doc, slat, selinux-policy-doc etc., but those are not required for a minimum setup.
The ready-made policies (strict and targeted) try to guess which packages you have installed and enable the respective policy modules for those. For example, if you have ssh installed, the ssh policy module will be loaded. However, this might not work for all packages, so some manual tweaking might be required.
When running with SELinux enabled, you might get a lot of error messages in syslog while the system boots and after that. If you're feeling adventurous, you might want to install selinux-policy-src, fix (or write new) policies, relabel the filesystem, etc. Of course with the recent policy you can create your own policy modules so you can make most changes that you would desire while still using selinux-policy-default for the majority of the policy on your system.