Some notes about my SELinux installation

This document does not describe how to install SELinux. If you want to install it, please read one of these websites:

To develop the SELinux policy, here are the relevant git repositories:

And here is some documentation related with writing the policy:

And while listing websites, here are some more:

The present document will focus on some pitfalls I’ve encountered since installing SELinux on systems running Debian or ArchLinux.

Install a strict policy

On Debian a targeted policy is installed by default: daemons are confined but users are not. To confine users as well, you need to remove the unconfined module. To do this:

# Set up staff accounts
semanage login -a -s staff_u userlogin

# Confine other users
semanage login -m -s user_u -r s0 __default__

# Map root to root instead of unconfined_u
semanage login -m -s root root

# Remove the unconfined module
semodule -r unconfined
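After those commands, it is worth checking that no login mapping still lands on unconfined_u before the module is removed. The following is an added example, not part of the original notes: it parses a `semanage login -l` listing (the listing below is a constructed sample, not real output) and prints the remapping command for any login that is still unconfined.

```sh
#!/bin/sh
# Added example (not part of the original notes): check the login mappings that
# `semanage login -l` reports, so that nothing is still left on unconfined_u after
# the steps above. The listing below is a constructed sample, not real output.

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 root                 s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
bob                  unconfined_u         s0-s0:c0.c1023       *'

# Print every login name (column 1) whose SELinux user (column 2) is unconfined_u.
# Reads a `semanage login -l` listing on stdin; the header line never matches.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# Return 0 if LOGIN is mapped to SEUSER in the listing on stdin, 1 otherwise.
login_maps_to() {   # usage: login_maps_to LOGIN SEUSER < listing
    awk -v login="$1" -v seuser="$2" \
        '$1 == login && $2 == seuser { found = 1 } END { exit !found }'
}

# For each login still on unconfined_u, print the semanage command from the notes
# that would move it to staff_u. Nothing is executed; review the output first.
suggest_remap() {
    unconfined_logins | while read -r login; do
        printf 'semanage login -m -s staff_u %s\n' "$login"
    done
}

# Stand-alone demo on the constructed sample. On a real system replace the
# printf with: semanage login -l | suggest_remap
printf '%s\n' "$SAMPLE_LOGINS" | suggest_remap
```

Run it on a real system as `semanage login -l | suggest_remap`; it only prints commands, so you can review them before applying any. Running `semodule -r unconfined` while a login is still mapped to unconfined_u leaves that login without a usable role.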

Use run_init as root without a password

The run_init command (used to manage services) authenticates the real user with PAM before making a transition to the system_u:system_r:init_t context. The default configuration tells PAM to ask for a password, which may be annoying on non-critical systems where root needs to restart services. To disable the password prompt for root, add this at the beginning of /etc/pam.d/run_init:

auth       sufficient   pam_rootok.so

Moreover, make sure that the policy allows run_init_t to use pam_rootok.so:

allow run_init_t self:passwd rootok;
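Because pam_rootok.so only helps if it is the first line PAM evaluates, here is an added example (not part of the original notes) that inserts the line idempotently and verifies its position. The demo runs on a constructed copy of the file; on a real system the file would be /etc/pam.d/run_init.

```sh
#!/bin/sh
# Added example (not part of the original notes): make the pam_rootok.so change
# above idempotent and verifiable. The demo below works on a constructed copy of
# the PAM file so it needs no root; on a real system pass /etc/pam.d/run_init.

PAM_ROOTOK_LINE='auth       sufficient   pam_rootok.so'

# Return 0 if the first non-blank, non-comment line of FILE is the pam_rootok
# auth line (anything placed before it would still be evaluated first by PAM).
rootok_first() {   # usage: rootok_first FILE
    awk '/^[[:space:]]*#/ { next }
         /^[[:space:]]*$/ { next }
         { seen = 1
           ok = ($1 == "auth" && $2 == "sufficient" && $3 == "pam_rootok.so")
           exit }
         END { exit !(seen && ok) }' "$1"
}

# Prepend the pam_rootok line to FILE unless it is already the first active line.
ensure_rootok() {   # usage: ensure_rootok FILE
    file="$1"
    rootok_first "$file" && return 0
    tmp="$file.tmp.$$"
    { printf '%s\n' "$PAM_ROOTOK_LINE"; cat "$file"; } > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone demo on a constructed sample stack (not a copy of a real system file).
demo="${TMPDIR:-/tmp}/run_init.demo.$$"
printf '%s\n' '#%PAM-1.0' 'auth     include   common-auth' \
    'account  include   common-account' 'session  include   common-session' > "$demo"
ensure_rootok "$demo"
ensure_rootok "$demo"      # second run leaves the file unchanged
cat "$demo"
rm -f "$demo"
```

The allow rule for run_init_t is a separate concern: it lives in the policy, not in PAM configuration, so this script does not touch it.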

Fix /tmp labeling

If mount shows:

tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,rootcontext=system_u:object_r:file_t:s0,seclabel)

… or if ls -Zd /tmp shows:

system_u:object_r:file_t:SystemLow /tmp

/tmp is incorrectly labeled file_t instead of tmp_t.

To fix the label, you need to restore the context of the /tmp folder of the root filesystem to system_u:object_r:tmp_t:s0:

mount --bind / /mnt
setfiles -r /mnt /etc/selinux/default/contexts/files/file_contexts /mnt
umount /mnt

It is also possible to use a line like this in /etc/fstab (without the :s0 suffix when using a policy without MLS):

tmpfs /tmp tmpfs nodev,nosuid,rootcontext=system_u:object_r:tmp_t:s0 0 0

If ls -Zd /tmp shows type tmpfs_t instead of tmp_t, /etc/fstab also needs to be modified accordingly.
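To make the check above scriptable, here is an added example (not part of the original notes) that extracts the type from `ls -Zd` and `mount` output, flags anything other than tmp_t, and builds the fstab line with or without the :s0 suffix. The two input samples are constructed, not captured from a live system.

```sh
#!/bin/sh
# Added example (not part of the original notes): spot a mislabelled /tmp from the
# `ls -Zd` or `mount` output shown above, and build the matching fstab line with or
# without the :s0 suffix. The two samples are constructed, not from a live system.

SAMPLE_LSZ='system_u:object_r:file_t:SystemLow /tmp'
SAMPLE_MOUNT='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,rootcontext=system_u:object_r:file_t:s0,seclabel)'

# Print the type field of a context such as system_u:object_r:file_t:s0.
context_type() {   # usage: context_type CONTEXT
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the rootcontext of the entry mounted on MOUNTPOINT from `mount` output
# on stdin (prints nothing if the mount has no rootcontext= option).
mount_rootcontext() {   # usage: mount_rootcontext MOUNTPOINT < mount-output
    awk -v mp="$1" '$3 == mp && match($0, /rootcontext=[^,)]*/) {
        print substr($0, RSTART + 12, RLENGTH - 12)   # skip "rootcontext="
    }'
}

# Return 0 if TYPE is tmp_t; otherwise explain on stderr and return 1. file_t
# means the directory was never relabelled, tmpfs_t means the mount carries no
# rootcontext; both are fixed by the steps above.
tmp_type_ok() {   # usage: tmp_type_ok TYPE
    case "$1" in
        tmp_t) return 0 ;;
        *) printf '/tmp has type %s, expected tmp_t\n' "$1" >&2; return 1 ;;
    esac
}

# Build the fstab line from the notes; pass "no" to drop the :s0 suffix for a
# policy without MLS.
tmp_fstab_line() {   # usage: tmp_fstab_line yes|no
    ctx=system_u:object_r:tmp_t
    if [ "$1" = yes ]; then ctx="$ctx:s0"; fi
    printf 'tmpfs /tmp tmpfs nodev,nosuid,rootcontext=%s 0 0\n' "$ctx"
}

# Stand-alone demo on the constructed samples. On a real system feed it
# `ls -Zd /tmp` and `mount` instead; /sys/fs/selinux/mls reads 1 when the loaded
# policy carries MLS/MCS ranges, i.e. when the :s0 suffix is needed.
lsz_ctx=$(printf '%s\n' "$SAMPLE_LSZ" | awk '{ print $1 }')
tmp_type_ok "$(context_type "$lsz_ctx")" || echo "fix: relabel with the setfiles commands above"
mount_ctx=$(printf '%s\n' "$SAMPLE_MOUNT" | mount_rootcontext /tmp)
tmp_type_ok "$(context_type "$mount_ctx")" || tmp_fstab_line yes
```

On the sample input both checks report file_t, so the demo prints the relabel hint and the fstab line to add.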

Configure SELinux booleans

Here are some booleans I use on almost all my SELinux systems (enabled with setsebool -P $BOOL on or semanage boolean -m --on $BOOL):

# Allow users to send ping
setsebool -P user_ping on

# Enable reading of urandom for all domains
setsebool -P global_ssp on

# Use CGI with nginx (eg. for gitweb)
setsebool -P httpd_enable_cgi on
setsebool -P nginx_enable_http_server on

# Make GPG agent work
setsebool -P gpg_agent_env_file on

# Disable NX memory protection for some applications (eg. Firefox)
setsebool -P allow_execmem on

# Allow privileged users (sysadm_u, unconfined_u, etc.) to log in through SSH
setsebool -P ssh_sysadm_login on

# Allow privileged users (sysadm_u, unconfined_u, etc.) to log in through X
setsebool -P xdm_sysadm_login on

Fix labels for files in /home

By default, files under /home are labeled as user home directories. On some systems, /home is on the largest disk partition and holds other things, like database files (instead of /var/lib/... folders) or Git repositories. For such folders, you must use a command like this to specify the real file context to use:

semanage fcontext -a -t httpd_sys_content_t "/home/git(/.*)?"

Generate interface file for audit2allow -R

audit2allow -R needs /var/lib/sepolgen/interface_info, which is created by sepolgen-ifgen. However, as the -p parameter of this command is buggy, your interface files need to be located in the default policy, i.e. in the /usr/share/selinux/default/include directory. For example, add a symlink /usr/share/selinux/default to your policy directory:

. /etc/selinux/config
cd /usr/share/selinux && ln -s $SELINUXTYPE default
sepolgen-ifgen

Activate some SELinux modules

To reload modules, go to /usr/share/selinux/$(policyname) and run:

semodule --verbose -b base.pp -s $(basename $(pwd)) -n -i module1.pp -i ...

Allow staff_u to read /root when running sudo

By default /etc/selinux/default/modules/active/file_contexts.homedirs defines /root to be labeled root:object_r:user_home_t, which staff_u can’t access (there is a constraint for it). To solve this issue, change the constraint or (much simpler) change the user associated with root:

chcon -u staff_u /root -R

Alternatively, it is possible to treat root as an ordinary staff user:

semanage login -m -s staff_u root

Export local configuration done with semanage

To export all local changes done with semanage, there is an option:

semanage -o

To import exported data back to the local configuration:

semanage -i

Bugs still present in October 2014

In ArchLinux, /sys is not labeled correctly on boot. It needs to be labeled by systemd using a tmpfiles.d configuration. Therefore you need to add this to /etc/tmpfiles.d/sysfs.conf:

Z /sys/devices/system/cpu/online 0444 root root

For further information, please read: