

?Anchor(intro)

1. Introduction to SELinux on Debian

["SELinux"] differs from regular Linux security in that in addition to the traditional UNIX user id and group id, it also attaches a SELinux user, role and type to each file and process.

For most operations, specific roles are required, but instead of logging into a role, certain processes will be switching roles automatically, e.g. when you run "ping" you will be switching to a role that can do ICMP. See the ["SELinux"] page for more background and the ["SELinuxStatus"] page for more details on current SELinux issues in Debian.

This page describes how to get SELinux up and running on a Debian machine running an up to date installation of Testing or Unstable.


?Anchor(basics)

2. Steps to setup SELinux

The following steps describe how to install and configure SELinux together with the targeted policy which enables SELinux for the most important parts of your system (e.g. most Internet-facing daemons, see the [#policies policies section] below for alternative policies):

  1. First make sure that you are using a SELinux capable kernel and filesystem (see the [#kernel prerequisites section] below).
  2. Get the targeted policy and a basic set of SELinux packages by running apt-get install selinux-basics selinux-policy-refpolicy-targeted (if you've made a fresh installation with a recent DebianInstaller image, it is likely that you already have the SELinux packages installed).

  3. Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line (by adding it to the #kopt= line and then running update-grub). If you are using lilo, you must instead make similar changes to /etc/lilo.conf and run lilo.

  4. Check that the /selinux directory exists and if not, create it with mkdir /selinux.

  5. Read through the [#package-specific package-specific fixes section] below and make all necessary modifications.
  6. Run touch /.autorelabel and reboot (this will take a long time).

  7. Run touch /.autorelabel and reboot again (and prepare for a long wait yet again).

  8. Run check-selinux-installation to check that everything has been setup correctly and to catch common SELinux problems.

You should now have a working SELinux system. If no critical audit errors appear in your syslog and you feel comfortable with SELinux, enable enforcing mode by running setenforce 1 or by adding enforcing=1 to the kernel command line as described above and then reboot one last time.

If you want to learn how to work with your newly configured SELinux system (relabelling files, moving files, checking the security context of files, etc), the [http://fedora.redhat.com/docs/selinux-faq-fc5/ Fedora Core 5 SELinux FAQ] documentation by RedHat may be useful.


?Anchor(kernel)

3. Prerequisites (kernel and filesystems)

First of all you must use a filesystem that supports SELinux. Currently this includes ext2, ext3, jfs and xfs. ReiserFS has only partial support for SELinux: it supports extended attributes but not atomic labelling, meaning that newly created files will not have a SELinux context, which makes using SELinux under ReiserFS quite painful. ReiserFS is therefore not supported by utilities like fixfiles, so you should first migrate to one of the filesystems listed above if you intend to use SELinux.

Second, you must make sure that your kernel includes all necessary features for running SELinux. If you are using a Debian packaged kernel, you can skip the rest of this section as Debian kernels in Testing and Unstable already include all the necessary SELinux features.

If you build the kernel yourself, make sure that CONFIG_AUDIT and the SELinux options are enabled. Also make sure you have extended attributes (XATTRs) enabled for your filesystems, as they are used to label files with the proper SELinux contexts. For some filesystems (e.g. ReiserFS) you also need to enable security labels as a separate option in addition to extended attributes.

Note: extended attribute support is not the same as user_xattr support; the latter is not needed for SELinux.

When the configuration is satisfactory: build, install and reboot into your new kernel and then proceed with the [#basics setup steps] above.


?Anchor(package-specific)

4. Package-specific fixes

Many of the below steps are fixes and workarounds for issues listed on the ["SELinuxStatus"] page and in [http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org bug reports with the SELinux usertag].

4.1. pam

In /etc/pam.d/login uncomment the "session required pam_selinux.so multiple" line. Do the same for /etc/pam.d/ssh if you have ssh installed.

4.2. initscripts

In /etc/default/rcS set FSCKFIX=yes. In /etc/init.d/bootmisc.sh search for "Update motd" and comment the two lines below that line. Then run rm /var/run/motd.

4.3. mail servers (postfix/exim/etc)

If you don't have postfix installed (e.g. if you are using exim), you must either install postfix or write a policy for your mailserver of choice (for the status of exim policies, see bugs [http://bugs.debian.org/387322 #387322] and [http://bugs.debian.org/390179 #390179]).

If you are using postfix (which is strongly recommended), disable chroot support by changing all "chroot" fields to "n" in /etc/postfix/master.cf (replace every "-" in the 5th column, the one headed "chroot (yes)" at the top of the file, with an "n"). Then run echo 'SYNC_CHROOT="n"' >> /etc/default/postfix and restart postfix by running /etc/init.d/postfix restart.

4.4. static ttys/ptys

Having static ttys/ptys means that they need to be relabelled eventually. Linux has supported dynamic ptys for a long time, so first make sure that devpts is mounted by running mount | grep devpts and then remove the static nodes by running rm -f /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f].

4.5. udev

Add no_static_dev="something" to /etc/udev/udev.conf to prevent udev from providing the /dev/.static directory.

4.6. cron's daily backup cronjob

The cron package includes a daily cronjob to backup some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part making a backup of /etc/shadow and /etc/gshadow ([http://bugs.debian.org/333837 bug #333837]).

Note: the Debian stable packages provided on http://selinux.alioth.debian.org/ already include this modification.

4.7. locate and updatedb

"locate" is part of fileutils, and a useful tool for finding files on your system. To work, however, it needs to scan your whole filesystem for files, which would require rather extensive SELinux permissions and might be considered an "information leak". Currently there is no SELinux policy for regular locate to work flawlessly, so it is recommended to disable it on SELinux boxes.

To do this, insert an exit 0 as the second line of /etc/cron.daily/find.


?Anchor(pitfalls)

5. Pitfalls

Because SELinux requires these additional permissions on top of the usual UNIX ones, it will of course deny many things that you are used to being able to do.

For example, a regular user (depending on the policy) might not be able to do a "ping", unless you set the "user_ping" boolean.

But in many cases, there won't be a simple boolean to set - in some cases, a different behaviour is actually expected.

5.1. Backups

When you backup a SELinux system, make sure your backup includes the file contexts. The [http://packages.debian.org/star star] advanced tar implementation is able to store extended attributes (which is what SELinux uses to store the file contexts) if used with the -xattr -H=exustar options. Alternatively, you can run fixfiles relabel after you have restored from a backup in order to reset all file contexts to the policy defaults. This means you'll lose any modified contexts; these are not commonly used with typical server applications but are not uncommon with user applications.


?Anchor(policies)

6. Policies

You have the choice between some variants of the so-called [http://oss.tresys.com/projects/refpolicy SELinux reference policy]: the ready-made selinux-policy-refpolicy-strict and selinux-policy-refpolicy-targeted, or the source of the reference policy, selinux-policy-refpolicy-src (which you can use if you want to modify the policy or build your own).

So for example:

This will draw in some required tools and libraries, e.g. checkpolicy and/or policycoreutils. You also need the selinux-basics package.

Optionally, you can also install some other SELinux-related packages such as selinux-utils, setools, polgen, polgen-doc, slat, selinux-policy-refpolicy-doc etc., but those are not required for a minimum setup.

The ready-made policies (strict and targeted) try to guess which packages you have installed and enable the respective policy modules for those. For example, if you have ssh installed, the ssh policy module will be loaded. However, this might not work for all packages, so some manual tweaking might be required.

When running with SELinux enabled, you might get a lot of error messages in syslog while the system boots and after that. If you're feeling adventurous, you might want to install selinux-policy-refpolicy-src, fix (or write new) policies, relabel the filesystem, repeat...


?Anchor(sarge)

7. Sarge

If you want to experiment with SELinux, you are strongly advised to go with Debian Testing or Unstable. SELinux enabled packages for Debian Sarge can be found at http://selinux.alioth.debian.org/. The site says the project is discontinued, though. YMMV.


8. Old package-specific issues

If you are running an up-to-date Testing or Unstable installation, these issues do not apply to you, they are listed here for reference only.

8.1. ntp

Debian's ntp-server package has its own cronjob to rotate its statistics files. You can disable the generation of these files via /etc/ntp.conf (bug [http://bugs.debian.org/340781 #340781]).

8.2. udev

In order to stop udev from recreating the above mentioned static ttys/ptys, put the line KERNEL=="[tp]ty[abcdepqrstuvwxyz][0-9a-f]", NAME="" in /etc/udev/rules.d/10-LOCAL.rules. A rule to this effect is already included in the selinux-basics package.


9. Thanks

UweHermann, ErichSchubert, ManojSrivastava for providing the information in blog and mailing list posts which this document was based on.