1. Introduction to SELinux on Debian

SELinux differs from regular Linux security in that in addition to the traditional UNIX user id and group id, it also attaches a SELinux user, role, domain (type), and sensitivity label to each file and process.

For most operations, specific domains are required, but instead of logging into a domain, certain processes will be switching domains automatically, e.g. when you run "ping" you will be switching to a domain that can do ICMP. See the SELinux page for more background and the SELinux/Issues page for more details on current SELinux issues in Debian.

This page describes how to get SELinux up and running on a Debian machine running an up to date installation of Testing or Unstable.


2. Steps to setup SELinux

The following steps describe how to install and configure SELinux together with the targeted policy which enables SELinux for the most important parts of your system (e.g. most Internet-facing daemons, see the policies section below for alternative policies):

  1. First make sure that you are using a SELinux capable kernel and filesystem (see the prerequisites section below).

  2. Get the targeted policy and a basic set of SELinux packages by running apt-get install selinux-basics selinux-policy-default (1).

  3. Run selinux-activate to configure GRUB and PAM and to create /.autorelabel

  4. Reboot. Labelling the filesystems on boot takes a while; when it is complete, the machine automatically reboots a second time.

  5. Run check-selinux-installation to check that everything has been set up correctly and to catch common SELinux problems. (Note: warnings about old-style ptys aren't serious.)

  6. The machine will now be running in permissive mode (SELinux access controls are logged but not enforced). To switch to enforcing mode temporarily, run setenforce 1; to make the machine boot in enforcing mode, run selinux-config-enforcing.

You should now have a working SELinux system. If no critical audit errors appear in your syslog and you feel comfortable with SELinux, enable enforcing mode by running setenforce 1, by running selinux-config-enforcing as in step 6, or by adding enforcing=1 to the kernel command line, and then reboot one last time.

If you want to learn how to work with your newly configured SELinux system (relabelling files, moving files, checking the security context of files, etc.), the Fedora Project SELinux FAQ published by Red Hat may be useful.


3. Prerequisites: filesystems

First of all you must use a filesystem that supports SELinux. Currently this includes btrfs, ext2, ext3, ext4, jfs and xfs.

3.1. btrfs

Currently an autorelabel operation won't cover subvolumes on btrfs. You need to manually relabel the subvolume. Once it's labelled everything will work correctly.

3.2. SquashFS

SquashFS supports xattr (which is required for SELinux file labeling) since kernel version 2.6.30.

3.3. ReiserFS

ReiserFS has only partial support for SELinux: it supports extended attributes but not atomic labelling, so newly created files do not get an SELinux context, which makes using SELinux on ReiserFS quite painful. ReiserFS is therefore not supported by utilities like fixfiles, so you should first migrate to one of the filesystems listed above if you intend to use SELinux.

3.4. xfs

If you use xfs, you should create the filesystem with the "-isize=512" option. The default inode size is 256 bytes, which is not large enough to hold the SELinux xattr inside the inode, so the labels would have to be stored in separate blocks. This takes up disk space and is less efficient. See http://www.redhat.com/magazine/001nov04/features/selinux/ for more on this.

4. Prerequisites: kernel features

Second, you must make sure that your kernel includes all necessary features for running SELinux. If you are using a Debian packaged kernel, you can skip the rest of this section as Debian kernels in Testing and Unstable already include all the necessary SELinux features.

If you build the kernel yourself, make sure that CONFIG_AUDIT and CONFIG_SECURITY_SELINUX are enabled. Also make sure you have extended attributes (xattrs) enabled for your filesystems, as they are used to label files with the proper SELinux contexts. For some filesystems (e.g. ReiserFS) you also need to enable security labels as a separate option in addition to extended attributes.

Note: extended attribute (xattr) support is not the same as user_xattr support; the latter is not needed for SELinux.

When the configuration is satisfactory: build, install and reboot into your new kernel and then proceed with the setup steps above.
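The two prerequisite checks above (a label-capable filesystem, and the kernel options) can be scripted. The following is an added example, not part of this wiki page: it reads mount(8) output and a kernel .config and reports what would block SELinux, including the rootfs case from the Xen domU pitfall below. The pseudo-filesystem list and the CONFIG_REISERFS_FS_XATTR / CONFIG_REISERFS_FS_SECURITY option names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki page). Real usage:
#   mount | check_mounts
#   zcat /proc/config.gz | check_kconfig ext4

# Print one line per mounted filesystem that cannot carry SELinux labels.
# Input lines use the mount(8) format: "<dev> on <mnt> type <fstype> (<opts>)".
# Returns 1 if anything was flagged, 0 otherwise.
check_mounts() {
    bad=0
    while read -r _dev _on mnt _type fstype _rest; do
        case "$fstype" in
            btrfs|ext2|ext3|ext4|jfs|xfs) ;;   # supported (btrfs subvolumes need a manual relabel)
            squashfs) echo "$mnt: squashfs carries labels only on kernels >= 2.6.30" ;;
            rootfs)   # what mount reports on a Xen domU without an /etc/fstab entry
                echo "$mnt: reported as rootfs; add an /etc/fstab entry so fixfiles can relabel"
                bad=1 ;;
            reiserfs)
                echo "$mnt: reiserfs lacks atomic labelling; migrate before enabling SELinux"
                bad=1 ;;
            proc|sysfs|devpts|tmpfs|devtmpfs|selinuxfs|securityfs|debugfs|cgroup*)
                ;;                             # assumed pseudo filesystems: labelled by policy, not xattrs
            *)
                echo "$mnt: $fstype is not in the list of SELinux-capable filesystems"
                bad=1 ;;
        esac
    done
    return $bad
}

# Check a kernel .config read from stdin for the required options. $1 is the
# root filesystem type; for reiserfs the separate xattr and security-label
# options must also be on. Prints each option that is not =y; returns 1 if any.
check_kconfig() {
    cfg=$(cat)
    want="CONFIG_AUDIT CONFIG_SECURITY_SELINUX"
    if [ "$1" = reiserfs ]; then
        want="$want CONFIG_REISERFS_FS_XATTR CONFIG_REISERFS_FS_SECURITY"
    fi
    missing=0
    for opt in $want; do
        if ! printf '%s\n' "$cfg" | grep -qx "$opt=y"; then
            echo "$opt is not enabled (=y)"
            missing=1
        fi
    done
    return $missing
}
```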


5. Package-specific fixes

Many of the steps below are fixes and workarounds for issues listed on the SELinuxStatus page and in bug reports with the SELinux usertag.

5.1. pam

Some of the PAM config files need to have "session required pam_selinux.so multiple".

The set of PAM files which need this varies from time to time as application changes are made. Currently login, kdm, and wdm need this, and it seems likely that Lenny will release with these being the only three that need such changes. selinux-activate will make the changes.

5.2. initscripts

In /etc/default/rcS :

and

[Only important for 'strict' policy:]

5.3. mail servers (postfix/exim/etc)

If you don't have postfix installed (e.g. if you are using exim), you must either install postfix or write a policy for your mailserver of choice (for the status of exim policies, see bugs #387327 and #390179).

If you are using postfix (which is strongly recommended), disable chroot support by running postfix-nochroot. This command can be run multiple times, which is sometimes necessary if another script has added a new entry to /etc/postfix/master.cf, but you need to move the backup file aside first.

5.4. static ttys/ptys

Having static ttys/ptys means that they need to be relabelled eventually. Linux has supported dynamic ptys for a long time, so first make sure that devpts is mounted by running mount | grep devpts, and then remove the static nodes by running rm -f /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]. Isn't it the default for a udev-based Lenny system not to have the old-style BSD ptys?

5.5. udev

Add no_static_dev="1" to /etc/udev/udev.conf to prevent udev from providing the /dev/.static directory. Run update-initramfs -k all -u to carry this config file change into initial ramdisk images. This is mostly a cosmetic issue as the system will work well with the .static directory.

(This does not seem to be necessary in Squeeze.)

5.6. cron's daily backup cronjob

The cron package includes a daily cronjob to backup some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part making a backup of /etc/shadow and /etc/gshadow (bug #333837).

5.7. locate and updatedb

"locate" is part of fileutils, and used to be considered a useful tool for finding files on your system (on modern big servers it can seriously hurt performance, while on small systems find is fast enough). To work, however, it needs to scan your whole filesystem for files, which requires rather extensive SELinux permissions and might permit an "information leak". In the past locate has been used to bypass SELinux access controls (due to a design flaw). That design flaw has been fixed, but it is still recommended that you not use it.

To disable it, insert an exit 0 as the second line of /etc/cron.daily/find (or /etc/cron.daily/mlocate).


6. Pitfalls

The additional permission checks that must now be satisfied will of course deny many things that you are used to.

For example, a regular user (depending on the policy) might not be able to do a "ping", unless you set the "user_ping" boolean.

But in many cases, there won't be a simple boolean to set - in some cases, a different behaviour is actually expected.

6.1. Backups

When you back up an SELinux system, make sure your backup includes the file contexts. The star advanced tar implementation can store extended attributes (which is what SELinux uses to store the file contexts) when used with the -xattr -H=exustar options. Alternatively, you can run fixfiles relabel after restoring from a backup in order to reset all file contexts to the policy defaults; this means you'll lose any modified contexts, which are not commonly used with typical server applications but are not uncommon with user applications. You can also run restorecon -R /whatever to restore the contexts of the files that you restored from backup.

6.2. Xen domU

When enabling SELinux on a Xen domU instance, be sure to include an /etc/fstab entry for your root file system. Programs like fixfiles rely on the output of the mount command to report the file system type. Without an /etc/fstab entry, mount will report the file system type as rootfs and fixfiles will fail silently. This will prevent the most common file system relabelling operations, like touch /.autorelabel and fixfiles relabel /, from working properly. Of course you want to do this even when not using SELinux.

A simple /etc/fstab for a Xen domU root file system with only one partition looks something like:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/hda        /               ext3    defaults        0       2


7. Policies

You have the choice between some variants of the so-called SELinux reference policy: the ready-made selinux-policy-default, or the source of the reference policy, selinux-policy-src (which you can use if you want to modify the policy or build your own).

So for example:

This will draw in some required tools and libraries, e.g. checkpolicy and/or policycoreutils. You also need the selinux-basics package.

Optionally, you can also install some other SELinux-related packages such as selinux-utils, setools, polgen, polgen-doc, slat, selinux-policy-doc etc., but those are not required for a minimum setup.

The ready-made policies (strict and targeted) try to guess which packages you have installed and enable the respective policy modules for those. For example, if you have ssh installed, the ssh policy module will be loaded. However, this might not work for all packages, so some manual tweaking might be required.

When running with SELinux enabled, you might get a lot of error messages in syslog while the system boots and after that. If you're feeling adventurous, you might want to install selinux-policy-src, fix (or write new) policies, relabel the filesystem, etc. Of course with the recent policy you can create your own policy modules so you can make most changes that you would desire while still using selinux-policy-default for the majority of the policy on your system.


8. Thanks

UweHermann, ErichSchubert, ManojSrivastava for providing the information in blog and mailing list posts which this document was based on.

  (1) If you've made a fresh installation with a recent DebianInstaller image, it is likely that you already have the SELinux packages installed.