SELinux

安全增强型 Linux（SELinux）是一项 Linux 功能，通过在 Linux 内核中使用 Linux 安全模块（LSM）提供各种安全策略，包括美国国防部风格的强制访问控制（MAC）。它并不是一个 Linux 发行版，而是一组可以应用于类 Unix 操作系统，如 Linux 和 BSD 的修改。

在 Linux 发行版下运行 SELinux 需要三个要素：启用 SELinux 的内核、SELinux 用户空间工具和库，以及 SELinux 策略（大部分基于参考策略）。一些常见的 Linux 程序还需要进行修补/编译以支持 SELinux 功能。

在 Arch Linux 中的当前状态是怎样的？[编辑 | 编辑源代码]

SELinux 并不是 Arch Linux 官方支持的功能（参见这里^[1]和这里^[2]）。非官方支持的状态如下：

与官方核心包相比，以下是 AUR 中的一些包的变更摘要：

这些 SELinux 相关的包中的其他包可以无需更改或风险地包括在内。

概念：强制访问控制[编辑 | 编辑源代码]

在启用SELinux之前，值得先了解它的工作原理。简而言之，SELinux在Linux上执行强制访问控制（MAC）。与SELinux相比，传统的用户/组/rwx权限是一种自主访问控制（DAC）形式。MAC与DAC不同，因为安全策略及其执行是完全分离的。

一个例子是使用sudo命令。当执行DAC时，sudo允许临时提权到root，使所生成的进程具有无限制的系统范围访问权限。但是，当使用MACs时，如果安全管理员认为该进程只能访问某个文件集合，那么无论使用何种类型的特权提升，除非更改安全策略本身，否则该进程将保持约束在该文件集合中。因此，如果在运行SELinux的机器上尝试使用sudo以使进程能够访问其策略不允许的文件，将会失败。

另一组示例是对文件授予的传统(-rwxr-xr-x)类型权限。在DAC下，这些权限是可由用户修改的。但是，在MAC下，安全管理员可以选择冻结某个文件的权限，从而使任何用户都无法更改这些权限，直到有关该文件的策略发生更改。

正如您所想象的那样，这对于具有被攻击潜力的进程非常有用，例如Web服务器等。如果使用DAC，那么受损的程序具有特权提升的访问权限，可能会造成严重破坏的可能性很高。

欲了解更多信息，请访问Wikipedia:Mandatory access control。

Installing SELinux[编辑 | 编辑源代码]

Package description[编辑 | 编辑源代码]

All SELinux related packages belong to the selinux group in the AUR. Before you manually install any of these, read #Installation to see recommended options for a comprehensive installation.

SELinux aware system utilities[编辑 | 编辑源代码]

coreutils-selinux^AUR

Modified coreutils package compiled with SELinux support enabled. It replaces the coreutils^包 package

cronie-selinux^AUR

Fedora fork of Vixie cron with SELinux enabled. It replaces the cronie^包 package.

dbus-selinux^AUR

An SELinux aware version of D-Bus. It replaces the dbus^包 package.

findutils-selinux^AUR

Patched findutils package compiled with SELinux support to make searching of files with specified security context possible. It replaces the findutils^包 package.

iproute2-selinux^AUR

iproute2 package compiled with SELinux support; for example, it adds the -Z option to ss. It replaces the iproute2^包 package.

logrotate-selinux^AUR

Logrotate package compiled with SELinux support. It replaces the logrotate^包 package.

openssh-selinux^AUR

OpenSSH package compiled with SELinux support to set security context for user sessions. It replaces the openssh^包 package.

pam-selinux^AUR and pambase-selinux^AUR

PAM package with pam_selinux.so. and the underlying base package. They replace the pam^包 and pambase^包 packages respectively.

psmisc-selinux^AUR

Psmisc package compiled with SELinux support; for example, it adds the -Z option to killall. It replaces the psmisc^包 package.

shadow-selinux^AUR

Shadow package compiled with SELinux support; contains a modified /etc/pam.d/login file to set correct security context for user after login. It replaces the shadow^包 package.

sudo-selinux^AUR

Modified sudo package compiled with SELinux support which sets the security context correctly. It replaces the sudo^包 package.

systemd-selinux^AUR

An SELinux aware version of Systemd. It replaces the systemd^包 package.

util-linux-selinux^AUR

Modified util-linux package compiled with SELinux support enabled. It replaces the util-linux^包 package.

SELinux userspace utilities[编辑 | 编辑源代码]

checkpolicy^AUR

Tools to build SELinux policy

mcstrans^AUR

Daemon which is used by libselinux to translate MCS labels

libselinux^AUR

Library for security-aware applications. Python bindings needed for semanage and setools now included.

libsemanage^AUR

Library for policy management. Python bindings needed for semanage and setools now included.

libsepol^AUR

Library for binary policy manipulation.

policycoreutils^AUR

SELinux core utils such as newrole, setfiles, etc.

restorecond^AUR

Daemon which maintains the label of some files

secilc^AUR

Compiler for SELinux policies written in CIL (Common Intermediate Language)

selinux-dbus-config^AUR

DBus service which allows managing SELinux configuration

selinux-gui^AUR

SELinux GUI tools (system-config-selinux)

selinux-python^AUR and selinux-python2^AUR

SELinux python tools and libraries (semanage, sepolgen, sepolicy, etc.)

selinux-sandbox^AUR

Sandboxing tool for SELinux

semodule-utils^AUR

Tools to handle SELinux modules when building a policy

SELinux policy packages[编辑 | 编辑源代码]

selinux-refpolicy-src^AUR

Reference policy sources

selinux-refpolicy-git^AUR

Reference policy git master (https://github.com/SELinuxProject/refpolicy) built with configuration specific for Arch Linux

selinux-refpolicy-arch^AUR

Precompiled modular Reference policy with headers and documentation but without sources. Development Arch Linux Refpolicy patches included, which fixes issues related to path labeling and systemd support. These patches are also sent to Reference Policy maintainers and their inclusion in selinux-refpolicy-arch^AUR is mainly a way to perform updates between Refpolicy releases.

Other SELinux tools[编辑 | 编辑源代码]

setools^AUR

CLI and GUI tools to manage SELinux

selinux-alpm-hook^AUR

pacman hook to label files accordingly to SELinux policy when installing and updating packages

Installation[编辑 | 编辑源代码]

There are three methods to install the requisite SELinux packages.

Via binary package on GitHub[编辑 | 编辑源代码]

All packages are available from the selinux unofficial repository. the base package can be replaced with base-selinux during the arch-bootstrap stage of system installation.

Via build script from GitHub[编辑 | 编辑源代码]

This repository also contains a script named build_and_install_all.sh which builds and installs (or updates) all packages in the needed order. Here is an example of a way this script can be used in a user shell to install all packages (with downloading the GPG keys which are used to verify the source tarballs of the package):

$ git clone https://github.com/archlinuxhardened/selinux.git
$ cd selinux
$ ./recv_gpg_keys.sh
$ ./build_and_install_all.sh

Of course, it is possible to modify the content of build_and_install_all.sh before running it, for example if you already have SELinux support in your kernel.

Via AUR[编辑 | 编辑源代码]

• First, install SELinux userspace tools and libraries, in this order (because of the dependencies): libsepol^AUR, libselinux^AUR, checkpolicy^AUR, secilc^AUR, setools^AUR, libsemanage^AUR, semodule-utils^AUR, policycoreutils^AUR, selinux-python^AUR (which depends on python-ipy^包), mcstrans^AUR and restorecond^AUR.
• Then install pambase-selinux^AUR and pam-selinux^AUR and make sure you can login again after the installation completed, because files in /etc/pam.d/ got removed and created when pambase^包 got replaced with pambase-selinux^AUR.
• Next you can recompile some core packages by installing: coreutils-selinux^AUR, findutils-selinux^AUR, iproute2-selinux^AUR, logrotate-selinux^AUR, openssh-selinux^AUR, psmisc-selinux^AUR, shadow-selinux^AUR, cronie-selinux^AUR
• Next, backup your /etc/sudoers file. Install sudo-selinux^AUR and restore your /etc/sudoers (it is overridden when this package is installed as a replacement of sudo^包).
• Next come util-linux and systemd. Because of a cyclic makedepends between these two packages which will not be fixed (FS#39767), you need to build the source package systemd-selinux^AUR, install systemd-libs-selinux^AUR, build and install util-linux-selinux^AUR (with util-linux-libs-selinux^AUR) and rebuild and install systemd-selinux^AUR.
• Next, install dbus-selinux^AUR.
• Next, install selinux-alpm-hook^AUR in order to run restorecon every time pacman installs a package.

After all these steps, you can install a SELinux kernel (like linux^包) and a policy (like selinux-refpolicy-arch^AUR or selinux-refpolicy-git^AUR).

Enable SELinux LSM[编辑 | 编辑源代码]

To enable SELinux as default security model on every boot, set the following kernel parameter:

lsm=landlock,lockdown,yama,integrity,selinux,bpf

Custom kernel[编辑 | 编辑源代码]

When compiling the kernel, it is required to set at least the following options:

CONFIG_SECURITY_SELINUX=y
CONFIG_AUDIT=y

To enable the SELinux Linux security model by default and omit the need to set kernel parameters, additionally set the CONFIG_LSM option and specify selinux as the first "major" module in the list:

CONFIG_LSM="landlock,lockdown,yama,integrity,selinux,bpf"

Checking PAM[编辑 | 编辑源代码]

A correctly set-up PAM is important to get the proper security context after login. Check for the presence of the following lines in /etc/pam.d/system-login:

# pam_selinux.so close should be the first session rule
session         required        pam_selinux.so close

# pam_selinux.so open should only be followed by sessions to be executed in the user context
session         required        pam_selinux.so open

Installing a policy[编辑 | 编辑源代码]

Policies are the mainstay of SELinux. They are what govern its behaviour. The only policy currently available in the AUR is the Reference Policy. In order to install it, you should use the source files, which may be got from the package selinux-refpolicy-src^AUR or by downloading the latest release on https://github.com/SELinuxProject/refpolicy/wiki/DownloadRelease#current-release. When using the AUR package, navigate to /etc/selinux/refpolicy/src/policy and run the following commands:

# make bare
# make conf
# make install

to install the reference policy as it is. Those who know how to write SELinux policies can tweak them to their heart's content before running the commands written above. The command takes a while to do its job and taxes one core of your system completely, so do not worry. Just sit back and let the command run for as long as it takes.

To load the reference policy run:

# make load

Then, make the file /etc/selinux/config with the following contents (Only works if you used the defaults as mentioned above. If you decided to change the name of the policy, you need to tweak the file):

/etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#                   Set this value once you know for sure that SELinux is configured the way you like it and that your system is ready for deployment
#       permissive - SELinux prints warnings instead of enforcing.
#                    Use this to customise your SELinux policies and booleans prior to deployment. Recommended during policy development.
#       disabled - No SELinux policy is loaded.
#                  This is not a recommended setting, for it may cause problems with file labelling
SELINUX=permissive
# SELINUXTYPE= takes the name of SELinux policy to
# be used. Current options are:
#       refpolicy (vanilla reference policy)
#       <custompolicy> - Substitute <custompolicy> with the name of any custom policy you choose to load
SELINUXTYPE=refpolicy

Now, you may reboot. After rebooting, run:

# restorecon -r /

to label your filesystem.

Now, make a file requiredmod.te with the contents:

requiredmod.te

module requiredmod 1.0;

require {
        type devpts_t;
        type kernel_t;
        type device_t;
        type var_run_t;
        type udev_t;
        type hugetlbfs_t;
        type udev_tbl_t;
        type tmpfs_t;
        class sock_file write;
        class unix_stream_socket { read write ioctl };
        class capability2 block_suspend;
        class dir { write add_name };
        class filesystem associate;
}

#============= devpts_t ==============
allow devpts_t device_t:filesystem associate;

#============= hugetlbfs_t ==============
allow hugetlbfs_t device_t:filesystem associate;

#============= kernel_t ==============
allow kernel_t self:capability2 block_suspend;

#============= tmpfs_t ==============
allow tmpfs_t device_t:filesystem associate;

#============= udev_t ==============
allow udev_t kernel_t:unix_stream_socket { read write ioctl };
allow udev_t udev_tbl_t:dir { write add_name };
allow udev_t var_run_t:sock_file write;

and run the following commands:

# checkmodule -m -o requiredmod.mod requiredmod.te
semodule_package -o requiredmod.pp -m requiredmod.mod
semodule -i requiredmod.pp

This is required to remove a few messages from /var/log/audit/audit.log which are a nuisance to deal with in the reference policy. This is an ugly hack and it should be made very clear that the policy so installed simply patches the reference policy in order to hide the effects of incorrect labelling.

Testing in a Vagrant virtual machine[编辑 | 编辑源代码]

It is possible to use Vagrant to provision a virtual Arch Linux machine with SELinux configured. This is a convenient way to test an Arch Linux system running SELinux without modifying a current system. Here are commands which can be used to achieve this:

$ git clone https://github.com/archlinuxhardened/selinux.git
$ cd selinux/_vagrant
$ vagrant up
$ vagrant ssh

Post-installation steps[编辑 | 编辑源代码]

You can check that SELinux is working with sestatus. You should get something like:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

To maintain correct context, you can enable restorecond.service.

To switch to enforcing mode without rebooting, you can use:

# echo 1 > /sys/fs/selinux/enforce

Swapfiles[编辑 | 编辑源代码]

If you have a swap file instead of a swap partition, issue the following commands in order to set the appropriate security context:

# semanage fcontext -a -t swapfile_t "/path/to/swapfile"
# restorecon /path/to/swapfile

Working with SELinux[编辑 | 编辑源代码]

SELinux defines security using a different mechanism than traditional Unix access controls. The best way to understand it is by example. For example, the SELinux security context of the apache homepage looks like the following:

$ ls -lZ /var/www/html/index.html

-rw-r--r--  username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html

The first three and the last columns should be familiar to any (Arch) Linux user. The fourth column is new and has the format:

user:role:type[:level]

To explain:

1. User: The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.
2. Role: The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.
3. Type: When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.
4. Level: This optional field can also be know as a range and is only present if the policy supports MCS or MLS.

This is important in case you wish to understand how to build your own policies, for these are the basic building blocks of SELinux. However, for most purposes, there is no need to, for the reference policy is sufficiently mature. However, if you are a power user or someone with very specific needs, then it might be ideal for you to learn how to make your own SELinux policies.

This is a great series of articles for someone seeking to understand how to work with SELinux.

Troubleshooting[编辑 | 编辑源代码]

The place to look for SELinux errors is the systemd journal. In order to see SELinux messages related to the label system_u:system_r:policykit_t:s0 (for example), you would need to run:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

Useful tools[编辑 | 编辑源代码]

There are some tools/commands that can greatly help with SELinux.

restorecon

Restores the context of a file/directory (or recursively with -R) based on any policy rules

chcon

Change the context on a specific file

Reporting issues[编辑 | 编辑源代码]

Please report issues on GitHub: https://github.com/archlinuxhardened/selinux/issues

See also[编辑 | 编辑源代码]

• Security Enhanced Linux
• Gentoo:SELinux
• Fedora:SELinux
• NSA's Official SELinux Homepage
• SELinux Project Homepage
  • Reference Policy Homepage
  • SETools Homepage
• ArchLinux, SELinux and You (archived)

参考资料[编辑 | 编辑源代码]