Differences between revisions 21 and 22
Revision 21 as of 2006-10-08 00:24:21
Size: 6742
Editor: JamesVanZandt
Comment:
Revision 22 as of 2006-11-01 15:12:47
Size: 9537
Comment: Rewrite the entire page to match current situation




1. Setting up SELinux on Debian

["SELinux"] differs from regular Linux security in that it attaches an SELinux user, a role and a type to every file and process, in addition to the traditional UNIX user and group IDs.

For most privileged operations a specific role and domain (type) are required, but instead of logging into a role, certain programs switch automatically when they are executed: running "ping", for example, transitions the process into a domain that is allowed to send ICMP packets. For more details see the ["SELinux"] and ["SELinuxStatus"] pages.

This page describes how to get SELinux up and running on a Debian machine. The setup steps below assume an up-to-date installation of Testing or Unstable.



2. Basics

It is suggested that you start out with the targeted policy, which confines the most common internet-facing daemons and leaves everything else unconfined (see the [#policies policies section] below).

To install and configure SELinux, you need to perform the following steps:

  1. If you are not running a Debian packaged kernel, see the [#kernel kernel section] below
  2. Get the targeted policy and a basic set of SELinux packages by running apt-get install selinux-basics selinux-policy-refpolicy-targeted (if you made a fresh installation with a recent DebianInstaller image, the SELinux packages are probably already installed).

  3. Edit /boot/grub/menu.lst and add selinux=1 to the kernel command line by appending it to the "# kopt=" line and then running update-grub. If you are using lilo, make the equivalent change to /etc/lilo.conf and run lilo.

  4. Check that the /selinux directory exists and if not, create it with mkdir /selinux

  5. Read through the [#package-specific package-specific fixes section] below and make all necessary modifications.
  6. Run check-selinux-installation to check for common SELinux problems.

  7. Run touch /.autorelabel and reboot.

  8. Run touch /.autorelabel and reboot again.

You should now have a working SELinux system running in permissive mode (denials are logged but not enforced). If no critical audit errors (AVC denials) appear in your syslog and you feel comfortable with SELinux, enable enforcing mode by running setenforce 1 (takes effect immediately but does not survive a reboot) or by adding enforcing=1 to the kernel command line as described above and rebooting one last time.
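An added example, not code from the Debian wiki page: a small POSIX shell script that performs step 3 for grub-legacy (appending a flag to the "# kopt=" line that update-grub copies into every kernel entry) without hand-editing, and that checks the booted kernel's command line afterwards. The function names are this example's own; it assumes the flag is a plain key=value token such as selinux=1 or enforcing=1 and that the kopt options are space-separated. The same function adds enforcing=1 at the end of the procedure.

```shell
#!/bin/sh
# Added example, not part of the Debian wiki page: manage the grub-legacy
# "# kopt=" line (the one update-grub copies into every kernel entry) and
# check the booted kernel's command line for a flag.
# Assumptions: POSIX sed/grep; FLAG is a plain key=value token without
# spaces or slashes (e.g. selinux=1, enforcing=1); kopt options are
# separated by spaces, as in Debian's stock menu.lst.

# add_kopt_flag FILE FLAG: append FLAG to the "# kopt=" line unless it is
# already present as a whole word. Idempotent, so it is safe to re-run.
add_kopt_flag() {
    file=$1; flag=$2
    if grep -Eq "^#[[:space:]]*kopt=(.* )?$flag( .*)?\$" "$file"; then
        return 0
    fi
    # Only the kopt line is touched; trailing whitespace is trimmed first.
    sed -e "/^#[[:space:]]*kopt=/ s/[[:space:]]*\$/ $flag/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# kopt_line FILE: print the options part of the first "# kopt=" line.
kopt_line() {
    sed -n -e 's/^#[[:space:]]*kopt=//p' "$1" | head -n 1
}

# cmdline_has_flag CMDLINE FLAG: succeed if FLAG is a whole word in CMDLINE.
# Pass the contents of /proc/cmdline after rebooting to confirm the flag
# actually reached the kernel (selinux=10 must not count as selinux=1).
cmdline_has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Script use: sh enable-kopt.sh /boot/grub/menu.lst selinux=1 && update-grub
if [ $# -eq 2 ]; then
    add_kopt_flag "$1" "$2"
    echo "kopt is now: $(kopt_line "$1")"
fi
```

After the reboot, cmdline_has_flag "$(cat /proc/cmdline)" selinux=1 tells you whether the flag is really in effect; a menu.lst edit without a following update-grub is the usual reason it is not.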



3. Package-specific fixes

Many of the steps below are fixes and workarounds for issues listed on the ["SELinuxStatus"] page and in the [http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org bug reports with the SELinux usertag].

3.1. pam

In /etc/pam.d/login uncomment the line "session required pam_selinux.so multiple". Do the same in /etc/pam.d/ssh if ssh is installed.

3.2. initscripts

In /etc/default/rcS set FSCKFIX=yes. In /etc/init.d/bootmisc.sh search for "Update motd" and comment out the two lines below it, then run rm /var/run/motd.

3.3. mail servers (postfix/exim/etc)

If you don't have postfix installed (e.g. if you are using exim), you must either install postfix or write a policy for your mail server of choice (for the status of exim policies, see bugs [http://bugs.debian.org/387322 #387322] and [http://bugs.debian.org/390179 #390179]).

If you are using postfix (which is strongly recommended), disable its chroot support: in /etc/postfix/master.cf replace every "-" in the 5th column (labelled "chroot (yes)" in the header comment, so "-" means chroot enabled) with "n". Then run echo 'SYNC_CHROOT="n"' >> /etc/default/postfix and restart postfix with /etc/init.d/postfix restart.
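An added example, not code from the Debian wiki page or from postfix: a shell filter that rewrites the chroot column of master.cf for every service line while leaving comments, option continuation lines and the column alignment intact, plus an idempotent setter for SYNC_CHROOT in /etc/default/postfix. The function names and the constructed sample file in the usage are this example's own; it assumes the stock whitespace-separated master.cf layout in which the fifth column is "chroot" and "-" means the default, which is yes.

```shell
#!/bin/sh
# Added example, not part of the Debian wiki page: turn off chroot for every
# service in a postfix master.cf and pin SYNC_CHROOT="n" in /etc/default/postfix.
# Assumption: master.cf uses the stock whitespace-separated layout where the
# fifth column is "chroot" and "-" means the default (yes, per the header).

# master_cf_no_chroot < master.cf > master.cf.new
# Rewrite the 5th column of each service line from "-" or "y" to "n".
# Comment lines and option continuation lines (leading whitespace, e.g.
# "  -o smtpd_tls_security_level=may") pass through unchanged, and the
# original column alignment is preserved. Lines already set to "n" are
# left alone, so the filter is idempotent.
master_cf_no_chroot() {
    sed -E 's/^(([^#[:space:]][^[:space:]]*[[:space:]]+){4})[-y]([[:space:]])/\1n\3/'
}

# count_chrooted < master.cf: number of service lines still set to chroot
# ("-" or "y" in column 5). Useful as a before/after check.
count_chrooted() {
    grep -Ec '^([^#[:space:]][^[:space:]]*[[:space:]]+){4}[-y][[:space:]]' || true
}

# set_default_var FILE VAR VALUE: set VAR="VALUE" in a /etc/default-style
# file, replacing an existing assignment or appending one if none exists.
# Assumption: VALUE contains no '|' or '"' characters.
set_default_var() {
    file=$1; var=$2; value=$3
    if grep -q "^$var=" "$file" 2>/dev/null; then
        sed -e "s|^$var=.*|$var=\"$value\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$var" "$value" >> "$file"
    fi
}
```

Typical use: master_cf_no_chroot < /etc/postfix/master.cf > /tmp/master.cf.new, review the result with diff, copy it into place, then set_default_var /etc/default/postfix SYNC_CHROOT n and restart postfix. count_chrooted < /etc/postfix/master.cf should print 0 afterwards.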

3.4. static ttys/ptys

Static ttys/ptys have to be relabelled sooner or later. Linux has supported dynamic ptys for a long time, so just remove /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] and make sure that devpts is mounted on /dev/pts (run mount and check the output).

3.5. udev

In order to stop udev from recreating the above mentioned static ttys/ptys, put the line KERNEL=="[tp]ty[abcdepqrstuvwxyz][0-9a-f]", NAME="" in /etc/udev/rules.d/10-LOCAL.rules. Also add no_static_dev="something" to /etc/udev/udev.conf to prevent udev from providing the /dev/.static directory.

3.6. cron's daily backup cronjob

The cron package includes a daily cronjob to backup some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part making a backup of /etc/shadow and /etc/gshadow ([http://bugs.debian.org/333837 bug #333837]).

Note: the Debian stable packages provided on http://selinux.alioth.debian.org/ already include this modification.

3.7. locate and updatedb

"locate" is part of findutils and a useful tool for finding files on your system. To build its database, however, updatedb has to scan the whole filesystem, which would require rather extensive SELinux permissions and might be considered an information leak. Currently there is no SELinux policy that lets regular locate work flawlessly, so it is recommended to disable it on SELinux boxes.

To do this, insert an exit 0 as the second line of /etc/cron.daily/find.



4. Kernel requirements

If you are using a Debian packaged kernel, you can skip this part as Debian kernels in Testing and Unstable already include all the necessary SELinux features.

If you build the kernel yourself, make sure CONFIG_AUDIT and the SELinux options are enabled. Also enable extended attribute (xattr) support and security-label support for every filesystem you use, since SELinux stores the file context in the security.selinux xattr. Note: this is not the same as user_xattr support, which SELinux does not need. When the configuration is satisfactory, build, install and reboot into the new kernel and then proceed with the [#basics basics] above.
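As an added example, not from the page, here is a shell check of a kernel config file against the options an SELinux system needs. The option names are the upstream Kconfig symbols; ext3 is used as the example filesystem, and the *_FS_XATTR / *_FS_SECURITY pair must be adapted to whatever filesystems you actually label. CONFIG_SECURITY_SELINUX_BOOTPARAM and CONFIG_SECURITY_SELINUX_DEVELOP are included because the selinux=1 and enforcing=1 command-line flags used in the Basics section depend on them. Function names and the default option list are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian wiki page: check a kernel .config
# (or /boot/config-$(uname -r)) for the options an SELinux system needs.
# Option names are the upstream Kconfig symbols. The filesystem-specific
# ones use ext3 as the example; adapt them to the filesystems you label
# (the *_FS_SECURITY option, not "user_xattr", is the one that matters).

# SECURITY_SELINUX_BOOTPARAM is what makes "selinux=1" on the kernel command
# line work; SECURITY_SELINUX_DEVELOP is what allows permissive mode, i.e.
# "enforcing=0" on the command line and "setenforce 0" at run time.
SELINUX_REQUIRED_OPTS="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK \
CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_BOOTPARAM \
CONFIG_SECURITY_SELINUX_DEVELOP CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY"

# config_has FILE OPT: succeed if OPT is built in (=y) in FILE.
# "=m" does not count: the LSM and the root filesystem's label support must
# be present before any module can be loaded.
config_has() {
    grep -q "^$2=y\$" "$1"
}

# missing_opts FILE [OPT...]: print each listed option (default: the list
# above) that is not "=y", one per line. Succeeds only when nothing is missing.
missing_opts() {
    file=$1; shift
    [ $# -gt 0 ] || set -- $SELINUX_REQUIRED_OPTS
    rc=0
    for opt in "$@"; do
        if ! config_has "$file" "$opt"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Script use: sh check-selinux-kconfig.sh /boot/config-$(uname -r)
if [ $# -eq 1 ]; then
    if missing_opts "$1"; then
        echo "all required SELinux options are built in"
    else
        echo "rebuild the kernel with the options listed above set to y" >&2
        exit 1
    fi
fi
```

Because the check is keyed on "=y" only, a kernel that has SELinux but ships its root filesystem driver as a module will be reported as missing the filesystem options, which is the right answer here: file labels must be readable before the first policy load.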



5. Pitfalls

These additional permissions that need to be fulfilled will of course deny many things that you are used to.

For example, a regular user (depending on the policy) might not be able to run "ping" unless the "user_ping" boolean is set.

But in many cases, there won't be a simple boolean to set - in some cases, a different behaviour is actually expected.

5.1. Backups

When you back up an SELinux system, make sure you back up the file contexts, too. The [http://packages.debian.org/star star] advanced tar implementation is said to be able to save xattrs, which is what SELinux uses to store the file context. Alternatively, you can run "fixfiles relabel" after you have executed "make install" in your "/etc/selinux/src" directory to reset all file contexts to the policy defaults (you will lose any modified contexts then; they are uncommon with typical server applications but occur more often with user applications).



6. Policies

You have the choice between some variants of the so-called [http://oss.tresys.com/projects/refpolicy SELinux reference policy]: the ready-made selinux-policy-refpolicy-strict and selinux-policy-refpolicy-targeted, or the source of the reference policy, selinux-policy-refpolicy-src (which you can use if you want to modify the policy or build your own).

So for example:

  • apt-get install selinux-policy-refpolicy-strict

This will pull in the required tools and libraries, e.g. checkpolicy and/or policycoreutils. You also need the selinux-basics package.

Optionally, you can also install some other SELinux-related packages such as selinux-utils, setools, polgen, polgen-doc, slat, selinux-policy-refpolicy-doc etc., but those are not required for a minimum setup.

The ready-made policies (strict and targeted) try to guess which packages you have installed and enable the respective policy modules for those. For example, if you have ssh installed, the ssh policy module will be loaded. However, this might not work for all packages, so some manual tweaking might be required.

When running with SELinux enabled, you might get a lot of error messages in syslog while the system boots and after that. If you're feeling adventurous, you might want to install selinux-policy-refpolicy-src, fix (or write new) policies, relabel the filesystem, repeat...



7. Sarge

If you want to experiment with SELinux, you are strongly advised to go with Debian Testing or Unstable. SELinux enabled packages for Debian Sarge can be found at http://selinux.alioth.debian.org/. The site says the project is discontinued, though. YMMV.


8. Old package-specific issues

If you are running an up-to-date Testing or Unstable installation, these issues do not apply to you, they are listed here for reference only.

8.1. ntp

Debian's ntp-server package has its own cronjob to rotate its statistics files. You can disable the generation of these files in /etc/ntp.conf (bug [http://bugs.debian.org/340781 #340781]).


9. Thanks

UweHermann, ErichSchubert, ManojSrivastava for providing the information in blog and mailing list posts which this document was based on.