#language en
= Introduction to SELinux on Debian =

[[SELinux]] differs from regular Linux security in that, in addition to the traditional UNIX user id and group id, it also attaches a SELinux user, role, domain (type) and sensitivity label to each file and process. For most operations specific '''domains''' are required, but instead of logging into a domain, certain processes switch domains automatically, e.g. when you run "ping" you switch to a domain that is allowed to send ICMP.

See the [[SELinux]] page for more background and the [[SELinux/Issues]] page for more details on current SELinux issues in Debian.

This page describes how to set up SELinux on your Debian GNU/Linux system.

----

= Steps to set up SELinux =

The following steps describe how to install and configure SELinux together with the default policy, which enables SELinux for the most important parts of your system (e.g. most Internet-facing daemons; see the [[#policies|policies section]] below for alternative policies):

 1. If you are not using the standard Linux kernel provided by Debian with an ext2/3/4/xfs/btrfs filesystem, make sure that you are using a SELinux-capable kernel and filesystem (see the [[#kernel|prerequisites section]] below).
 1. Get the default policy and the basic set of SELinux utilities by running {{{apt-get install selinux-basics selinux-policy-default auditd}}}.
 1. If using Ubuntu, download this [[attachment:_load_selinux_policy]] script (a slightly modified version of the script included in the Ubuntu 'selinux' package), place it in {{{/usr/share/initramfs-tools/scripts/init-bottom/}}} and then run {{{update-initramfs -u}}}. sysvinit and systemd in Debian load the SELinux policy automatically, but Upstart in Ubuntu does not (what current Ubuntu releases do still needs to be tested; see https://bugs.launchpad.net/upstart/+bug/595774).
 1. Run {{{selinux-activate}}} to configure GRUB and PAM and to create /.autorelabel.
 1. Reboot. It will take a while to label the filesystems on boot, and the system will automatically reboot a second time when that is complete.
 1. Run {{{check-selinux-installation}}} to check that everything has been set up correctly and to catch common SELinux problems. (Note: in wheezy the warning about {{{/etc/pam.d/login}}} is a [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531660|false positive]].)

You should now have a working SELinux system in permissive mode. This means that the SELinux policy is not enforced, but denials are logged. You can see all would-be denials since the last reboot, with a short explanation for each, with {{{audit2why -al}}}. If no critical audit errors appear in your syslog and you feel comfortable with SELinux, enable enforcing mode temporarily by running {{{setenforce 1}}}, or permanently by adding {{{enforcing=1}}} to the kernel command line in {{{/etc/default/grub}}} and then rebooting one last time.

If you want to learn how to work with your newly configured SELinux system (relabelling files, moving files, checking the security context of files, etc.), the [[https://fedoraproject.org/wiki/SELinux|Fedora Project SELinux FAQ]] documentation by !RedHat may be useful.

----

= Prerequisites: filesystems =

First of all you must use a filesystem that supports SELinux. Currently this includes btrfs, ext2, ext3, ext4, jfs and xfs. For ext2/3/4 there is nothing special to be aware of, but for other filesystems there are still some quirks:

== btrfs ==

Currently an autorelabel operation won't cover subvolumes on btrfs; you need to relabel each subvolume manually. Once it is labelled everything will work correctly. Newly created subvolumes don't have labels, but creating a subvolume by taking a snapshot copies the labels.
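Returning to the permissive-mode step in the setup section above: before switching to enforcing mode you want to know which denials were logged and what they have in common. The following added example (not part of this wiki page or of the Debian SELinux tools) parses AVC records of the kind written to /var/log/audit/audit.log and groups them by source domain, target type and object class; the audit lines it processes are constructed samples.

```python
import re

# Constructed sample audit.log records (not from a real system). permissive=1 marks
# denials that were only logged, permissive=0 a denial that was actually enforced.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000001.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000002.102:202): avc:  denied  { getattr } for  pid=1201 comm="httpd" path="/home/alice/public_html/index.html" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000003.103:203): avc:  denied  { name_connect } for  pid=1305 comm="smtpd" dest=3306 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000003.103:203): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1700000004.104:204): avc:  denied  { write } for  pid=1402 comm="ping" path="/var/log/app.log" scontext=user_u:user_r:ping_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc_denials(log_text):
    """Return one dict per AVC denial record; other record types are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        # The type is the third component of a context (user:role:type:level).
        d["sdomain"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        # Assumption: a record without permissive= is treated as not enforced.
        d["enforced"] = d["permissive"] == "0"
        denials.append(d)
    return denials

def summarize_denials(denials):
    """Group denials by (source domain, target type, class), unioning the permissions.

    Each key corresponds to one allow rule that a policy module would need."""
    summary = {}
    for d in denials:
        key = (d["sdomain"], d["ttype"], d["tclass"])
        summary.setdefault(key, set()).update(d["perms"])
    return summary

if __name__ == "__main__":
    for (sdom, ttype, tclass), perms in sorted(summarize_denials(parse_avc_denials(SAMPLE_AUDIT_LOG)).items()):
        print(f"{sdom} -> {ttype}:{tclass} {{ {' '.join(sorted(perms))} }}")
```

Each summary key maps directly onto one {{{allow}}} rule, so the output tells you which booleans or policy modules to look at; {{{audit2why -al}}} gives the same information with the policy's own explanation.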
== SquashFS ==

SquashFS supports xattr (which is required for SELinux file labelling) since kernel version 2.6.30.

== ReiserFS ==

ReiserFS has only partial support for SELinux: it supports extended attributes but not atomic labelling, meaning that newly created files will not have a SELinux context, which makes using SELinux under ReiserFS quite painful. ReiserFS is therefore not supported by utilities like {{{fixfiles}}}, so you should first migrate to one of the filesystems listed above if you intend to use SELinux.

== xfs ==

If you use xfs, you should create the filesystem with the {{{-i size=512}}} option. The default inode size is 256 bytes, which is not large enough for a SELinux xattr, so the attributes would need to be stored in separate blocks. This takes up disk space and is less efficient. See http://www.redhat.com/magazine/001nov04/features/selinux/ for more on this.

The above information is dated: since 2010, with recent versions of xfs and SELinux, there is no appreciable benefit in changing the default inode size of 256 bytes, as SELinux has been using a different approach to counter this issue. See https://www.crc.id.au/2010/09/29/selinux-on-xfs-filesystems/ and https://bugzilla.redhat.com/show_bug.cgi?id=207143.

= Prerequisites: kernel features =

Second, you must make sure that your kernel includes all necessary features for running SELinux. If you are using a Debian packaged kernel, you can skip the rest of this section, as Debian kernels already include all the necessary SELinux features; start directly at the [[#basics|setup steps]].

If you build the kernel yourself, make sure that CONFIG_AUDIT and CONFIG_SECURITY_SELINUX are enabled. Also make sure you have extended attributes (xattrs) enabled for your filesystems, as they are used to label files with the proper SELinux contexts. For some filesystems (e.g. ReiserFS) you also need to enable security labels as a separate option in addition to extended attributes.
Note: extended attribute (xattr) support is ''not'' the same as {{{user_xattr}}} support, which is not needed for SELinux.

When the configuration is satisfactory: build, install and reboot into your new kernel and then proceed with the [[#basics|setup steps]] above.

----

= Package-specific fixes =

Many of the steps below are fixes and workarounds for issues listed on the [[SELinuxStatus]] page and in [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org|bug reports with the SELinux usertag]].

== initscripts ==

In {{{/etc/default/rcS}}} set {{{FSCKFIX=yes}}}.

== mail servers (postfix/exim/etc) ==

While a policy module for exim exists, it is strongly recommended to use postfix, as the postfix policy is the only one which has received sufficient testing in Debian.

If you are using postfix, disable chroot support by running {{{postfix-nochroot}}}. Note that this command can be run multiple times (which is sometimes necessary if you have run another script that added a new entry to /etc/postfix/master.cf), but you need to move the backup file aside first.

To avoid the {{{check-selinux-installation}}} failure "Postfix init script is syncing the chroots", add the line {{{SYNC_CHROOT="n"}}} to /etc/default/postfix:

{{{
echo 'SYNC_CHROOT="n"' >> /etc/default/postfix
}}}

== passwd's daily backup cronjob ==

The {{{shadow}}} package includes a daily cronjob to back up some system files, including {{{/etc/shadow}}}. For security reasons you don't want cron to be able to read this file, so edit {{{/etc/cron.daily/passwd}}} and disable the part that makes a backup of {{{/etc/shadow}}} and {{{/etc/gshadow}}}.

== locate and updatedb ==

"locate" is part of fileutils and used to be considered a useful tool for finding files on your system (on modern big servers it can seriously hurt performance, while on small systems find is fast enough).
To work, however, it needs to scan your whole filesystem for files, which would require rather extensive SELinux permissions and might permit an information leak. In the past locate has been used to bypass SELinux access controls (due to a design flaw). That design flaw has been fixed, but it is still recommended that you not use it. To disable it, insert an {{{exit 0}}} as the second line of {{{/etc/cron.daily/find}}} (or {{{/etc/cron.daily/mlocate}}}).

----

= Pitfalls =

The additional permission checks that SELinux introduces will of course deny many things that you are used to. For example, a regular user (depending on the policy) might not be able to run "ping" unless you set the "user_ping" boolean. But in many cases there won't be a simple boolean to set; in some cases a different behaviour is actually expected.

== Backups ==

When you back up a SELinux system, make sure your backup includes the file contexts. The [[http://packages.debian.org/star|star]] advanced tar implementation is able to store extended attributes (which is what SELinux uses to store the file contexts) if used with the {{{-xattr -H=exustar}}} options.

Alternatively, you can run {{{fixfiles relabel}}} after you have restored from a backup in order to reset all file contexts to the policy defaults. This means you'll lose modified contexts, which, while not commonly used with typical server applications, are not uncommon with user applications. You can also run {{{restorecon -R /whatever}}} to restore the contexts of the files that you restored from backup.

== Xen domU ==

When enabling SELinux on a Xen domU instance be sure to include an {{{/etc/fstab}}} entry for your root file system. Programs like {{{fixfiles}}} rely on the output of the [[http://packages.debian.org/etch/mount|mount]] command to report the file system type. Without an {{{/etc/fstab}}} entry, {{{mount}}} will report the file system type as {{{rootfs}}} and {{{fixfiles}}} will fail silently. This will prevent the most common file system relabelling operations like {{{touch /.autorelabel}}} and {{{fixfiles relabel /}}} from working properly. Of course you want to do this even when not using SELinux. A simple {{{/etc/fstab}}} for a Xen domU root file system with only one partition looks something like:

{{{
/dev/hda  /  ext3  defaults  0  2
}}}

----

= Policies =

You have the choice between some variants of the so-called [[http://oss.tresys.com/projects/refpolicy|SELinux reference policy]]: the ready-made {{{selinux-policy-default}}}, or the source of the reference policy, {{{selinux-policy-src}}} (which you can use if you want to modify the policy or build your own). So for example:

 . {{{apt-get install selinux-policy-default}}}

This will draw in some required tools and libraries, e.g. {{{checkpolicy}}} and/or {{{policycoreutils}}}. You also need the {{{selinux-basics}}} package. Optionally, you can also install some other SELinux-related packages such as {{{selinux-utils}}}, {{{setools}}}, {{{polgen}}}, {{{polgen-doc}}}, {{{slat}}} and {{{selinux-policy-doc}}}, but those are not required for a minimum setup.

The ready-made policies (strict and targeted) try to guess which packages you have installed and enable the respective policy modules for those. For example, if you have {{{ssh}}} installed, the ssh policy module will be loaded. However, this might not work for all packages, so some manual tweaking might be required. When running with SELinux enabled, you might get a lot of error messages in syslog while the system boots and after that.

If you're feeling adventurous, you might want to install {{{selinux-policy-src}}}, fix (or write new) policies, relabel the filesystem, etc. Of course with the recent policy you can create your own policy modules, so you can make most changes you would desire while still using {{{selinux-policy-default}}} for the majority of the policy on your system.

== Customising Policy ==

Run {{{apt-get install selinux-policy-dev}}} to install the policy development tools. Copy or symlink {{{/usr/share/doc/selinux-policy-dev/examples/Makefile}}} to the directory you want to use for your new policy.
The format of a policy module is as follows:

{{{
policy_module(local,0.0.0)

# every type referenced below must be declared here, including the source domain
require {
	type unconfined_t, user_t, user_home_t, virt_content_t;
}

# for steam
allow unconfined_t user_home_t:file execmod;
}}}

You put the module source in a file with extension .te and a name matching the module name (local.te in this case) and run {{{make load}}} to load it into the kernel.

To have the contexts of files set on a full relabel you need a file with a name such as local.fc with content as follows:

{{{
/chroot		-d	gen_context(system_u:object_r:virt_content_t,s0)
/chroot/.*		<<none>>
}}}

Running {{{make load}}} will compile that into the policy, and then a {{{restorecon}}} command or a reboot with the {{{/.autorelabel}}} file in place will cause the labelling to be done.

For the .fc file the first field is a regex matching the files, the optional second field specifies the object class (a hyphen followed by the first letter of the {{{ls -l}}} output), and the third field specifies the label, where {{{<<none>>}}} is a special label indicating that the file should never be automatically relabelled.
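To see how the three .fc fields are applied when a path is relabelled, here is an added example (not from this page, the reference policy or libselinux) that parses a constructed .fc file and resolves paths against it. It assumes a simplified matching rule, last matching entry wins, which is the convention behind listing more specific entries after general ones; the real {{{setfiles}}} additionally sorts entries by path specificity.

```python
import re

# Constructed .fc file in the format explained above (not from the page or a real policy).
SAMPLE_FC = """\
# comments and blank lines are ignored
/chroot		-d	gen_context(system_u:object_r:virt_content_t,s0)
/chroot/.*		<<none>>
/srv/www(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/www/cgi-bin(/.*)?	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
"""

# Object-class letters used in the optional second field: the first column of ls -l.
CLASS_LETTERS = {"-": "file", "d": "dir", "l": "lnk_file", "s": "sock_file",
                 "p": "fifo_file", "c": "chr_file", "b": "blk_file"}
GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,]+),\s*([^)]+)\)")

def parse_fc(text):
    """Parse .fc lines into (compiled path regex, object class or None, context or None)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:                       # regex, -X class field, label
            path_re, cls_field, label = fields
            obj_class = CLASS_LETTERS[cls_field[1:]]   # KeyError on a malformed class
        elif len(fields) == 2:                     # regex, label (any object class)
            path_re, label = fields
            obj_class = None
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        if label == "<<none>>":
            context = None                         # never relabel matching files
        else:
            m = GEN_CONTEXT_RE.fullmatch(label)
            if not m:
                raise ValueError(f"line {lineno}: bad label {label!r}")
            context = f"{m.group(1)}:{m.group(2)}"   # user:role:type:level
        # The regex has to match the whole path, so anchor it at the end.
        specs.append((re.compile(path_re + r"\Z"), obj_class, context))
    return specs

def match_context(specs, path, obj_class):
    """Return ('label', ctx), ('none', None) or ('unmatched', None); last match wins (assumed)."""
    result = ("unmatched", None)
    for regex, cls, context in specs:
        if (cls is None or cls == obj_class) and regex.match(path):
            result = ("label", context) if context else ("none", None)
    return result
```

With the sample above, {{{/chroot}}} as a directory gets virt_content_t, anything below it is left alone because of {{{<<none>>}}}, and a file under /srv/www/cgi-bin gets the more specific script type while the directory itself keeps httpd_sys_content_t because the class field {{{--}}} restricts that entry to plain files.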