1. SELinux on Debian

["SELinux"] differs from regular Linux in that, in addition to the traditional "user id", every file and process also carries a SELinux user, a role and a type.

Additional permissions are required for these, but instead of logging into a role, your processes "switch roles" automatically: when you run "ping", for example, you switch to a role that is allowed to do ICMP.

1.1. Basic Setup

First of all, you need an appropriate kernel. If you build the kernel yourself, make sure CONFIG_AUDIT is enabled, and of course the SELinux options. The standard Debian kernels lack audit, except for the current "experimental" packages of [http://packages.debian.org/kernel-image-2.6.13 Kernel 2.6.13] (this may or may not change).

Next you need to install the SELinux utilities. This can be done by calling apt-get install selinux-utils policycoreutils checkpolicy.

Then you need a SELinux policy: apt-get install selinux-policy-default. Note that this asks (or used to ask) a zillion questions. It's a pain in the ass to answer all of them. Use the following rule to pick the policies: install all macro rules, install all .fc files, and install the .te files for the applications you have installed.

If the policy doesn't build correctly, you are most likely missing some file. The files are in /usr/share/selinux/default or thereabouts; just copy them over.

Make sure you have xattr enabled for your filesystems (if necessary, add the xattr mount option and remount). xattr is needed to be able to label files.

Go to /etc/selinux/src and type make relabel to relabel your filesystem.

Now you can reboot your system with the selinux=1 option. You'll get a gazillion error messages in syslog.

Now it's time to fix the policy, write new policies, relabel the filesystem, repeat...

Oh, and enjoy the hell of M4, which someone decided to use for the policy...

1.2. Pitfalls

These additional permission checks will of course deny many things that you are used to.

For example, a regular user will not be able to do a "ping", unless you set the "user_ping" boolean.

But in many cases there won't be a simple boolean to set; in some cases, a different behaviour is actually expected.

So here's a list of things you need to set up when running SELinux on Debian.

1.2.1. Locate and updatedb

"locate" is part of fileutils, and a useful tool for finding files on your system. To work, however, it needs to scan your whole filesystem for files, which would require rather extensive SELinux permissions and might be considered an "information leak". Currently there is no SELinux policy that lets regular locate work flawlessly, so it is recommended to disable it on SELinux boxes.

To do this, insert an exit 0 into /etc/cron.daily/find.

1.2.2. Postfix and chroot

To create a "chroot", special permissions are needed. This includes copying library files into the chroot and performing the actual chroot system call.

When you are running SELinux, the security gain from an additional chroot is rather limited, whereas the security risk of being allowed to set up the chroot is considered higher. Therefore, you should disable all chroots in postfix (the postfix policy wouldn't support setting up the chroots anyway).

To do this, edit /etc/postfix/master.cf and replace every "-" in the 5th column (the one headed "chroot (yes)" at the top) with "n".
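As an added example (not from this page or from the Debian postfix package), a POSIX shell function that performs this master.cf edit with awk: it touches only the fifth column of service lines, leaves comments and indented continuation lines alone, and goes slightly beyond the text above by also turning an explicit "y" into "n". The master.cf excerpt is constructed sample input.

```shell
#!/bin/sh
# Constructed master.cf excerpt (not a real Debian file) used as sample input.
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
local     unix  -       n       n       -       -       local
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes'

# Read a master.cf on stdin and write it to stdout with every chroot column
# ("-" = default yes, or an explicit "y") set to "n". Column spacing,
# comments, blank lines and indented "-o ..." continuation lines are kept.
disable_postfix_chroots() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]/ { print; next }
    {
        line = $0; out = ""; n = 0
        # walk the whitespace-separated fields without re-joining them,
        # so the original column alignment survives
        while (match(line, /[^ \t]+/)) {
            n++
            tok = substr(line, RSTART, RLENGTH)
            if (n == 5 && (tok == "-" || tok == "y")) tok = "n"
            out = out substr(line, 1, RSTART - 1) tok
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Count service lines whose chroot column still allows a chroot; useful as a
# check after editing the real /etc/postfix/master.cf (expect 0).
count_chrooted_services() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ && !/^[ \t]/ && NF >= 5 && ($5 == "-" || $5 == "y") { c++ }
         END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_MASTER_CF" | disable_postfix_chroots
```

On a real system run it as disable_postfix_chroots < /etc/postfix/master.cf > master.cf.new, inspect the diff, then move the new file into place and reload postfix.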

1.2.3. Static ttys/ptys

Having static ttys/ptys means that they need to be relabelled at some point. Linux has supported dynamic ptys for a long time, so just remove /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] and use "devpts".

1.2.4. Cron's daily backup cronjob

The "cron" package includes a daily cronjob that backs up some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part that makes a backup of /etc/shadow and /etc/gshadow.

1.2.5. Initscript's boot scripts

Some core initscripts, the ones responsible for mounting your filesystems, try to verify the "writeability" of some filesystems by doing a mini write to them. This write would fail under SELinux, and you don't want them to be able to write there either. On a correctly set up system the mount will succeed anyway.

Therefore, edit /etc/init.d/checkroot.sh and /etc/init.d/mountvirtfs, locate the "dir_writeable" macro and replace "touch" with "true touch" there.