Differences between revisions 25 and 26
Revision 25 as of 2006-11-02 14:25:52
Size: 9490
Comment:
Revision 26 as of 2006-11-04 21:51:41
Size: 9399
Editor: ?UweHermann
Comment: I think you no longer need to explicitly add /selinux to /etc/fstab.
Deletions are marked like this. Additions are marked like this.
Line 9: Line 9:
["SELinux"] differs from regular Linux security in that it attaches a SELinux user, role and type for each file and process in addition to the traditional UNIX user id/gid's. ["SELinux"] differs from regular Linux security in that it attaches an SELinux user, role and type for each file and process in addition to the traditional UNIX user id and group id.
Line 22: Line 22:
 1. If you are not running a Debian packaged kernel, see the [#kernel kernel section] below  1. If you are not running a Debian packaged kernel, see the [#kernel kernel section] below.
Line 25: Line 25:
 4. Check that the {{{/selinux}}} directory exists and if not, create it with {{{mkdir /selinux}}}
 5
. Read through the [#package-specific package-specific fixes section] below and make all necessary modifications.
 6. Run {{{check-selinux-installation}}} to check for common SELinux problems.
 7. Run {{{touch /.autorelabel}}} and reboot.
 8. Run {{{touch /.autorelabel}}} and reboot again.
 4. Read through the [#package-specific package-specific fixes section] below and make all necessary modifications.
 5. Run {{{check-selinux-installation}}} to check for common SELinux problems.
 6. Run {{{touch /.autorelabel}}} and reboot.
 
7. Run {{{touch /.autorelabel}}} and reboot again.
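Review bot: the step dropped in the Line 25 hunk ("Check that the {{{/selinux}}} directory exists and if not, create it") is about the mount point, while the revision comment talks about /etc/fstab; those are two different things, and the remaining steps never say who creates /selinux. If selinux-basics or the init scripts now create the directory and mount selinuxfs themselves, a short sentence saying so in place of the removed step would keep the list self-contained; otherwise a reader without the directory only finds out at the later {{{check-selinux-installation}}} step.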



?Anchor(intro)

1. Setting up SELinux on Debian

["SELinux"] differs from regular Linux security in that it attaches an SELinux user, role and type for each file and process in addition to the traditional UNIX user id and group id.

For most operations, specific roles are required, but instead of logging into a role, certain processes switch roles automatically: when you run "ping", for example, you switch to a role that is allowed to send ICMP. For more details see the ["SELinux"] and ["SELinuxStatus"] pages.

This page describes how to get SELinux up and running on a Debian machine running an up-to-date installation of Testing or Unstable.


?Anchor(basics)

2. Basics

The following steps describe how to install and configure SELinux together with the targeted policy which enables SELinux for the most important parts of your system (e.g. most internet-facing daemons, see the [#policies policies section] below for alternative policies):

  1. If you are not running a Debian packaged kernel, see the [#kernel kernel section] below.
  2. Get the targeted policy and a basic set of SELinux packages by running {{{apt-get install selinux-basics selinux-policy-refpolicy-targeted}}}. (If you've made a fresh installation with a recent DebianInstaller image, it is likely that you already have the SELinux packages installed.)
  3. Edit {{{/boot/grub/menu.lst}}} and add {{{selinux=1}}} to your kernel command line (by adding it to the {{{#kopt=}}} line and then running {{{update-grub}}}). If you are using lilo, you must instead make similar changes to {{{/etc/lilo.conf}}} and run {{{lilo}}}.
  4. Read through the [#package-specific package-specific fixes section] below and make all necessary modifications.
  5. Run {{{check-selinux-installation}}} to check for common SELinux problems.
  6. Run {{{touch /.autorelabel}}} and reboot.
  7. Run {{{touch /.autorelabel}}} and reboot again.

You should now have a working SELinux system. If no critical audit errors appear in your syslog and you feel comfortable with SELinux, enable enforcing mode by running setenforce 1 or by adding enforcing=1 to the kernel command line as described above and then reboot one last time.
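Steps 3 and the final enforcing=1 change both edit the same "# kopt=" comment in menu.lst that update-grub reads. The script below is an added example, not code from the Debian wiki or the selinux-basics package: it appends a kernel parameter to that line only if it is not already there, so running it twice (or once for selinux=1 and later again for enforcing=1) never duplicates parameters. It assumes grub-legacy's Debian convention that the line reads "# kopt=root=/dev/hda1 ro" (the page writes it "#kopt="; both spellings are matched) and works on a constructed sample file rather than the real /boot/grub/menu.lst.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: idempotently append kernel
# parameters to the "# kopt=" line that update-grub (grub-legacy) reads from
# /boot/grub/menu.lst.  Assumes Debian's convention that the line looks like
#   # kopt=root=/dev/hda1 ro
# (the wiki writes it as "#kopt="; both spellings are matched).  The sample
# menu.lst below is constructed for the demonstration.
set -u

# kopt_line FILE: print the kopt line so the result can be inspected.
kopt_line() {
    grep '^# *kopt=' "$1"
}

# has_kopt FILE PARAM: exit 0 if PARAM is already on the kopt line.
# PARAM must not contain regex metacharacters (selinux=1, enforcing=1 are fine).
has_kopt() {
    grep -qE "^# *kopt=(.* )?$2( .*)?$" "$1"
}

# add_kopt FILE PARAM: append PARAM to the kopt line unless already present.
# Only the kopt comment is edited; the real "kernel" lines are regenerated
# by running update-grub afterwards, exactly as the wiki says.
add_kopt() {
    if has_kopt "$1" "$2"; then
        return 0
    fi
    tmp=$(mktemp)
    sed "s|^\(# *kopt=.*\)\$|\1 $2|" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# --- demonstration on a constructed menu.lst -------------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/menu.lst" <<'EOF'
default         0
timeout         5
## ## Start Default Options ##
# kopt=root=/dev/hda1 ro
## ## End Default Options ##
title           Debian GNU/Linux, sample kernel
root            (hd0,0)
kernel          /boot/vmlinuz-sample root=/dev/hda1 ro
EOF

add_kopt "$demo_dir/menu.lst" selinux=1
add_kopt "$demo_dir/menu.lst" selinux=1      # second call is a no-op
kopt_line "$demo_dir/menu.lst"               # # kopt=root=/dev/hda1 ro selinux=1
add_kopt "$demo_dir/menu.lst" enforcing=1    # later, once the audit log is clean
kopt_line "$demo_dir/menu.lst"
rm -rf "$demo_dir"
```

On a real system you would call add_kopt on /boot/grub/menu.lst and then run update-grub, which copies the kopt parameters onto every generated kernel stanza; the check in has_kopt is what makes it safe to include the call in a provisioning script that may run more than once.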


?Anchor(package-specific)

3. Package-specific fixes

Many of the steps below are fixes and workarounds for issues listed on the ["SELinuxStatus"] page and in [http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org bug reports with the SELinux usertag].

3.1. pam

In /etc/pam.d/login uncomment the "session required pam_selinux.so multiple" line. Do the same for /etc/pam.d/ssh if you have ssh installed.

3.2. initscripts

In /etc/default/rcS set FSCKFIX=yes. In /etc/init.d/bootmisc.sh search for "Update motd" and comment out the two lines below that line. Then run rm /var/run/motd.

3.3. mail servers (postfix/exim/etc)

If you don't have postfix installed (e.g. if you are using exim), you must either install postfix or write a policy for your mailserver of choice (for the status of exim policies, see bugs [http://bugs.debian.org/387322 #387322] and [http://bugs.debian.org/390179 #390179]).

If you are using postfix (which is strongly recommended), disable chroot support by changing all "chroot" fields to "n" in /etc/postfix/master.cf (replace every "-" in the 5th column, the one headed "chroot (yes)" in the comment at the top of the file, with an "n"). Then run {{{echo 'SYNC_CHROOT="n"' >> /etc/default/postfix}}} and restart postfix by running /etc/init.d/postfix restart.
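Editing the chroot column by hand is error-prone because master.cf mixes service lines with comments and indented "-o option" continuation lines. The script below is an added example, not part of the wiki page or of the Debian postfix package: it rewrites only the 5th column of real service lines, keeps the file's alignment, and sets SYNC_CHROOT="n" in a defaults file without appending a duplicate line. The master.cf and defaults file it edits are constructed samples; the paths are parameters so the functions can be tried on copies before touching /etc/postfix/master.cf and /etc/default/postfix.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: turn off Postfix chroot for
# every service in master.cf (5th column -> "n") while leaving comments,
# blank lines and indented "-o option" continuation lines untouched, and
# record SYNC_CHROOT="n" in the defaults file.  The master.cf and defaults
# file below are constructed samples.
set -u

# chroot_fields FILE: print the chroot column of every service line, so the
# state before and after can be checked.  Service lines are those that do
# not start with "#" or whitespace and have at least the 8 standard columns.
chroot_fields() {
    awk '!/^#/ && !/^[[:space:]]/ && NF >= 8 { print $5 }' "$1"
}

# disable_chroot FILE: rewrite the 5th field of each service line to "n".
# The sed expression matches field 1, three more whitespace-separated
# fields, the whitespace before field 5, and then field 5 itself; replacing
# only field 5 keeps the column alignment of the file.
disable_chroot() {
    tmp=$(mktemp)
    sed 's/^\([^#[:space:]][^[:space:]]*\([[:space:]]\{1,\}[^[:space:]]\{1,\}\)\{3\}[[:space:]]\{1,\}\)[^[:space:]]\{1,\}/\1n/' \
        "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# set_sync_chroot FILE: make sure the defaults file says SYNC_CHROOT="n",
# replacing an existing setting rather than appending a second one.
set_sync_chroot() {
    if grep -q '^SYNC_CHROOT=' "$1"; then
        tmp=$(mktemp)
        sed 's/^SYNC_CHROOT=.*/SYNC_CHROOT="n"/' "$1" > "$tmp" && cat "$tmp" > "$1"
        rm -f "$tmp"
    else
        echo 'SYNC_CHROOT="n"' >> "$1"
    fi
}

# --- demonstration on constructed files ------------------------------------
demo=$(mktemp -d)
cat > "$demo/master.cf" <<'EOF'
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
EOF
echo 'SYNC_CHROOT="y"' > "$demo/postfix.default"

echo "before: $(chroot_fields "$demo/master.cf" | tr '\n' ' ')"   # - - - n n
disable_chroot "$demo/master.cf"
set_sync_chroot "$demo/postfix.default"
echo "after:  $(chroot_fields "$demo/master.cf" | tr '\n' ' ')"   # n n n n n
cat "$demo/postfix.default"                                        # SYNC_CHROOT="n"
rm -rf "$demo"
```

After running the two functions on the real files, restart postfix as the page says; chroot_fields on /etc/postfix/master.cf should then print nothing but "n".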

3.4. static ttys/ptys

Having static ttys/ptys means that they need to be relabelled eventually. Linux has supported dynamic ptys for a long time, so just remove /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] and make sure that devpts is mounted at /dev/pts by running mount and looking at the output.

3.5. udev

In order to stop udev from recreating the above-mentioned static ttys/ptys, put the line KERNEL=="[tp]ty[abcdepqrstuvwxyz][0-9a-f]", NAME="" in /etc/udev/rules.d/10-LOCAL.rules. Also add no_static_dev="something" to /etc/udev/udev.conf to prevent udev from providing the /dev/.static directory.

3.6. cron's daily backup cronjob

The cron package includes a daily cronjob to backup some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part making a backup of /etc/shadow and /etc/gshadow ([http://bugs.debian.org/333837 bug #333837]).

Note: the Debian stable packages provided on http://selinux.alioth.debian.org/ already include this modification.

3.7. locate and updatedb

"locate" is part of fileutils and a useful tool for finding files on your system. To work, however, it needs to scan your whole filesystem for files, which would require rather extensive SELinux permissions and might be considered an "information leak". Currently there is no SELinux policy that lets regular locate work flawlessly, so it is recommended to disable it on SELinux boxes.

To do this, insert an exit 0 as the second line of /etc/cron.daily/find.


?Anchor(kernel)

4. Kernel requirements

If you are using a Debian packaged kernel, you can skip this part as Debian kernels in Testing and Unstable already include all the necessary SELinux features.

If you build the kernel yourself, make sure CONFIG_AUDIT is enabled, and of course the SELinux options. Also make sure extended attributes (XATTRs), which are needed to label files, are enabled for your filesystems. Note: this is not the same as user_xattr support, which SELinux does not need. When the configuration is satisfactory, build, install and reboot into your new kernel and then proceed with the [#basics basics] above.
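The checklist above can be turned into a script that is run against the kernel's .config (or /boot/config-$(uname -r)) before building. The script below is an added example, not from the wiki page or the Debian kernel packages. The page only names CONFIG_AUDIT, "the SELinux options" and extended-attribute support; the concrete symbol names in the list are the 2.6 kernel options as I know them, assuming ext3 as the root filesystem, and CONFIG_EXT3_FS_SECURITY is the one that provides the security xattr namespace the file labels live in (CONFIG_EXT3_FS_XATTR alone, or a user_xattr mount, is not enough). The sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: check a kernel .config (or
# /boot/config-$(uname -r)) for the options SELinux needs before building.
# The wiki names CONFIG_AUDIT, "the SELinux options" and extended-attribute
# support for the filesystem; the symbol names below are the 2.6 kernel
# options as I know them, assuming ext3 as the root filesystem.
# CONFIG_EXT3_FS_SECURITY is the security-namespace xattr support that
# SELinux labels live in; CONFIG_EXT3_FS_XATTR alone (or user_xattr mounts)
# is not enough.  The sample config is constructed.
set -u

REQUIRED_OPTIONS="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY"

# missing_options FILE: print each required option that is not built in
# (=y).  SELinux and audit cannot be modules, so "=m" counts as missing.
missing_options() {
    for opt in $REQUIRED_OPTIONS; do
        grep -q "^$opt=y\$" "$1" || echo "$opt"
    done
}

# check_kernel_config FILE: exit 0 when every option is present, otherwise
# list the missing ones on stderr and exit 1.
check_kernel_config() {
    missing=$(missing_options "$1")
    if [ -n "$missing" ]; then
        echo "kernel config $1 is missing:" >&2
        echo "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    echo "kernel config $1 has all required SELinux options"
}

# --- demonstration on a constructed .config: xattrs on, security xattrs off
demo=$(mktemp)
cat > "$demo" <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
# CONFIG_EXT3_FS_SECURITY is not set
EOF
check_kernel_config "$demo" || echo "enable the options above, rebuild, then continue with the basics section"
rm -f "$demo"
```

Adjust REQUIRED_OPTIONS for your root filesystem (the ext3 symbols have counterparts for other filesystems that support security xattrs); the point of the check is the last two entries, which is exactly the user_xattr confusion the text warns about.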


?Anchor(pitfalls)

5. Pitfalls

These additional permission checks will of course deny many things that you are used to.

For example, a regular user (depending on the policy) might not be able to do a "ping", unless you set the "user_ping" boolean.

But in many cases, there won't be a simple boolean to set - in some cases, a different behaviour is actually expected.

5.1. Backups

When you back up an SELinux system, make sure you back up the file contexts, too. The [http://packages.debian.org/star star] advanced tar implementation is said to be able to save "xattr", which is what SELinux uses to store the file context. Alternatively, you can run a "fixfiles relabel" after you have executed "make install" in your "/etc/selinux/src" directory to reset all file contexts to the policy defaults (you'll lose modified contexts then - while they are not common with typical server applications, they may occur more often with user applications).


?Anchor(policies)

6. Policies

You have the choice between some variants of the so-called [http://oss.tresys.com/projects/refpolicy SELinux reference policy]: the ready-made selinux-policy-refpolicy-strict and selinux-policy-refpolicy-targeted, or the source of the reference policy, selinux-policy-refpolicy-src (which you can use if you want to modify the policy or build your own).

So for example:

  • apt-get install selinux-policy-refpolicy-strict

This will draw in some required tools and libraries, e.g. checkpolicy and/or policycoreutils. You also need the selinux-basics package.

Optionally, you can also install some other SELinux-related packages such as selinux-utils, setools, polgen, polgen-doc, slat, selinux-policy-refpolicy-doc etc., but those are not required for a minimum setup.

The ready-made policies (strict and targeted) try to guess which packages you have installed and enable the respective policy modules for those. For example, if you have ssh installed, the ssh policy module will be loaded. However, this might not work for all packages, so some manual tweaking might be required.

When running with SELinux enabled, you might get a lot of error messages in syslog while the system boots and after that. If you're feeling adventurous, you might want to install selinux-policy-refpolicy-src, fix (or write new) policies, relabel the filesystem, repeat...


?Anchor(sarge)

7. Sarge

If you want to experiment with SELinux, you are strongly advised to go with Debian Testing or Unstable. SELinux enabled packages for Debian Sarge can be found at http://selinux.alioth.debian.org/. The site says the project is discontinued, though. YMMV.


8. Old package-specific issues

If you are running an up-to-date Testing or Unstable installation, these issues do not apply to you, they are listed here for reference only.

8.1. ntp

Debian's ntp-server package has its own cronjob to rotate its statistics files. You can disable the generation of these files via /etc/ntp.conf (bug [http://bugs.debian.org/340781 #340781]).


9. Thanks

?UweHermann, ErichSchubert, ManojSrivastava for providing the information in blog and mailing list posts which this document was based on.