HOWTO SELinux

From Gentoo Linux Wiki

This article is part of the Security series.

This article is still a Stub. You can help Gentoo-Wiki by expanding it.

Users who want to test SELinux without running any policy in a live environment should read HOWTO Null Selinux on non-SELinux profile. Installation instructions can be found on the official Gentoo SELinux homepage.

Gentoo's current SELinux implementation does not use the reference SELinux policy, but that may change soon. It may be possible to follow the NULL SELinux Install HOWTO to do so.


Tips

SELinux is expansive and difficult; there are some important concepts to keep in mind:

Context (Type) is everything

  • Most services and applications must run in a specific domain. If a service is started in the wrong domain, it may malfunction or even be inoperative in enforcing mode.
  • Some files must be labelled with the correct types. If a file's type label is wrong, it may not be accessible from the corresponding application's domain.
  • Gentoo prompts for a password when services are launched from the /etc/init.d directory. If you are not asked for one, the service may not have been started in the proper domain.
  • Services must be (re)started from the sysadm_r role. Otherwise the domain transition for the service may be denied, leaving the service running in the wrong domain.
  • Most SELinux problems are due to mislabelled files or role transition failures.
  • sudo and su do not change the current role when switching users, unless pam_selinux is being used.
  • A service process should almost never be in the admin_t or sysadm_t domain; if ps auxZ shows that, the service is most likely running in the wrong domain.

Files can be relabelled via make relabel, as described in the Gentoo SELinux handbook.

In permissive mode, SELinux doesn't enforce anything and thus functions like a non-SELinux system, but it logs gratuitous amounts of warnings whenever a denial WOULD have occurred.

Problems

The above statement may not be quite true. Some programs will misbehave even with the system in permissive mode. The Gentoo SELinux handbook points out some potential problems, such as login issues.

Vixie-cron

Vixie-cron likes to perform its own internal checks before attempting a domain transition, and fails the transition even in permissive mode. Thus incorrectly labelled files or domain transition problems can cause crontabs not to run (or to misbehave) inexplicably.

  • Make sure the cron daemon is running in the right domain (started as mentioned above); ps -afxZ | grep cron should show something like:
system_u:system_r:crond_t        6628 ?        Ss     0:00 /usr/sbin/cron
  • Make sure the crontab files are labelled properly using ls -laZ /var/spool/cron/crontabs/. Root's crontab should have the staff_cron_spool_t label, while other users' crontabs should be labelled user_cron_spool_t. chcon can be used to fix this.
  • Check the syslog output for the cron daemon (usually /var/log/cron.log) for errors when it is restarted, as this misbehaviour may not show up in the SELinux audit logs.
Warning: Never use crontab -e -u [user]. The resulting crontab will be mislabelled. Instead, su to the user and edit the crontab from there.
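The first two checks above (and the ps auxZ tip from the Tips section) can be scripted. The following is an added example written for this page, not a script from the Gentoo handbook or the wiki: two POSIX sh functions that read the output of ps -afxZ and ls -laZ /var/spool/cron/crontabs/ on stdin, verify that cron runs in crond_t and that each crontab carries the expected type, and print the chcon command that would fix a mislabelled file. The function names and the sample ps/ls output embedded below are constructed for the example; on a real system feed the live command output in instead.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page). Checks SELinux contexts
# relevant to vixie-cron from the output of `ps -afxZ` / `ps auxZ` and
# `ls -laZ /var/spool/cron/crontabs/`. Function names and samples are
# constructed for this example.

# check_cron_domain: read ps -Z output on stdin and verify that
# /usr/sbin/cron runs in the crond_t domain (the context is the first
# column of both `ps -afxZ` and `ps auxZ`). Returns 0 if ok, 1 if the
# daemon is in another domain, 2 if it is not running at all.
check_cron_domain() {
    line=$(grep '/usr/sbin/cron' | grep -v grep | head -n 1)
    [ -n "$line" ] || { echo "cron is not running"; return 2; }
    ctx=${line%% *}                                 # security context column
    dom=$(printf '%s' "$ctx" | cut -d: -f3)         # user:role:type -> type
    if [ "$dom" = "crond_t" ]; then
        echo "cron domain ok: $ctx"
        return 0
    fi
    echo "cron is in the wrong domain: $ctx (expected crond_t); restart it from sysadm_r"
    return 1
}

# check_crontab_labels [spooldir]: read `ls -laZ` output of the crontab
# spool on stdin. root's crontab must be staff_cron_spool_t, every other
# user's must be user_cron_spool_t. Prints a chcon command for each
# mislabelled file and returns 1 if any was found.
check_crontab_labels() {
    awk -v dir="${1:-/var/spool/cron/crontabs}" '
        /^total/ { next }                       # ls summary line
        {
            ctx = ""; name = $NF
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
            if (ctx == "" || name == "." || name == "..") next
            split(ctx, part, ":"); type = part[3]
            want = (name == "root") ? "staff_cron_spool_t" : "user_cron_spool_t"
            if (type != want) {
                printf "mislabelled: %s is %s, fix with: chcon -t %s %s/%s\n",
                       name, type, want, dir, name
                bad++
            }
        }
        END { exit (bad > 0) ? 1 : 0 }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_PS='LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:crond_t        6628 ?        Ss     0:00 /usr/sbin/cron'
SAMPLE_PS_BAD='LABEL                             PID TTY      STAT   TIME COMMAND
root:sysadm_r:sysadm_t           6628 ?        Ss     0:00 /usr/sbin/cron'
SAMPLE_LS='total 8
drwx-wx--T 2 root  crontab system_u:object_r:cron_spool_t .
drwxr-xr-x 3 root  root    system_u:object_r:cron_spool_t ..
-rw------- 1 root  crontab system_u:object_r:staff_cron_spool_t root
-rw------- 1 alice crontab system_u:object_r:user_cron_spool_t alice
-rw------- 1 bob   crontab system_u:object_r:staff_cron_spool_t bob'

# Live use:   ps -afxZ | check_cron_domain
#             ls -laZ /var/spool/cron/crontabs/ | check_crontab_labels
# Demonstration on the constructed samples (bob's crontab is mislabelled):
printf '%s\n' "$SAMPLE_PS" | check_cron_domain
printf '%s\n' "$SAMPLE_LS" | check_crontab_labels || echo "one or more crontabs need relabelling"
```

The crontab check only reports and prints the chcon command; it deliberately does not run it, so the output can be reviewed before any label is changed.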


udev and coldplug

If, after installing SELinux, relabelling and rebooting, you get AVC messages about /dev/console and the whole rc setup, try this in /etc/conf.d/rc:

RC_COLDPLUG="no"

Tools

There are some tools/commands that can greatly help with SELinux:

  • restorecon - restores the context of a file/directory (or recursively with -R) based on the policy's file context rules
  • rlpkg - relabels all files belonging to the given Gentoo package to their proper security context (if they have one)
  • chcon - changes the context of a specific file
  • audit2allow - reads AVC denial messages from the log file and tells you which rules would allow the denied access. Don't just add these rules without looking at them: audit2allow cannot detect errors elsewhere (e.g. the application running in the wrong context in the first place), and sometimes an access attempt generates denial messages while the application keeps working, in which case it is better to add a dontaudit rule so that the access attempt is simply ignored.
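Before handing denials to audit2allow it helps to see them grouped, and to spot the ones that come from a process in an admin domain, since those point at a wrong-domain problem rather than a missing rule. The following is an added example written for this page (not a Gentoo or SELinux project tool): an awk-based sh function that summarises AVC denial lines by source type, target type, object class and permission, and marks sources running as sysadm_t or admin_t. The function name and the sample log lines below are constructed for the example; the log line layout follows the kernel's avc: denied format of the era.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page). Summarises AVC denials so
# they can be reviewed before anything is fed to audit2allow. Function name
# and sample lines are constructed for this example.

# summarise_avc: read a log (e.g. /var/log/avc.log or dmesg) on stdin and
# print one line per distinct (source type -> target type:class {perm}),
# most frequent first. Denials whose source domain is sysadm_t or admin_t
# are flagged: a daemon running there is in the wrong domain, and an allow
# rule generated from such a denial would only paper over that.
summarise_avc() {
    awk '
        /avc: *denied/ {
            match($0, /\{[^}]*\}/)                       # "{ read }"
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split(substr($i, 10), p, ":"); s = p[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); t = p[3] }
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            key = s " -> " t ":" c " { " perm " }"
            n[key]++
            if (s == "sysadm_t" || s == "admin_t") flag[key] = 1
        }
        END {
            for (k in n) {
                note = (k in flag) ? "  <- source is an admin domain: fix the domain transition, do not add a rule" : ""
                printf "%4d  %s%s\n", n[k], k, note
            }
        }' | sort -rn
}

# Constructed sample log (not captured from a real system): two denials of
# crond_t reading a mislabelled user crontab, one denial from a cron started
# directly as sysadm_t, and one unrelated syslog line that must be ignored.
SAMPLE_AVC='audit(1200000000.101:12): avc:  denied  { read } for  pid=6628 comm="cron" name="alice" dev=sda3 ino=12345 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:staff_cron_spool_t tclass=file
audit(1200000000.102:13): avc:  denied  { read } for  pid=6628 comm="cron" name="alice" dev=sda3 ino=12345 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:staff_cron_spool_t tclass=file
audit(1200000000.103:14): avc:  denied  { search } for  pid=7001 comm="cron" name="crontabs" dev=sda3 ino=12300 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cron_spool_t tclass=dir
Jan 10 12:00:00 host cron[6628]: (CRON) STARTUP (fork ok)'

# Live use:   summarise_avc < /var/log/avc.log      (or: dmesg | summarise_avc)
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
```

In the sample, the repeated crond_t -> staff_cron_spool_t denial is the one the Vixie-cron section describes (a user crontab carrying root's label), which chcon fixes; the flagged sysadm_t line is a cron that was never transitioned into crond_t and should be restarted from sysadm_r rather than granted extra permissions.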

