
#1 2014-10-21 18:38:35

lovyagin
Member
Registered: 2014-10-09
Posts: 4

Can't enable SELinux

I'm thinking about switching to ARCH linux. As I have noticed ARCH comes without any Mandatory access control and no control system is available in default kernel.

I've chosen to try SELinux since I'm quite familiar with it using Fedora for ages.

I've installed all SELinux packages from AUR including SELinux-aware system utils, refpolicy and linux-selinux kernel however I can't enable SELinux, looks like selinuxfs is not enabled.

Here is my output:

[root@ARCH ~]# uname -r
3.16.4-1-selinux

[root@ARCH ~]# sestatus
SELinux status:                 disabled

[root@ARCH ~]# cat /proc/config.gz | gunzip | grep SELINUX
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

[root@ARCH ~]# cat /proc/filesystems | grep selinux

[root@ARCH ~]# setenforce 1
setenforce: SELinux is disabled

[root@ARCH ~]# cat /etc/selinux/config 
SELINUX=permissive
SELINUXTYPE=refpolicy

[root@ARCH ~]# cat /etc/fstab | grep selinux
none   /selinux   selinuxfs   noauto   0   0

[root@ARCH ~]# pacman -Qm | grep selinux
coreutils-selinux 8.23-1
cronie-selinux 1.4.11-2
dbus-selinux 1.8.8-1
findutils-selinux 4.4.2-5
libdbus-selinux 1.8.8-1
libselinux 2.3-2
libsystemd-selinux 216-3
libsystemd-selinux-debug 216-3
libutil-linux-selinux 2.25.1-1
linux-selinux 3.16.4-1
linux-selinux-docs 3.16.4-1
linux-selinux-headers 3.16.4-1
logrotate-selinux 3.8.7-1
openssh-selinux 6.6p1-2
pam-selinux 1.1.8-4
pambase-selinux 20130928-1
psmisc-selinux 22.21-2
selinux-flex 2.5.4a-6
selinux-refpolicy 20140311-3
shadow-selinux 4.2.1-1
shadow-selinux-debug 4.2.1-1
sudo-selinux 1.8.11.p1-1
systemd-selinux 216-3
systemd-selinux-debug 216-3
systemd-sysvcompat-selinux 216-3
util-linux-selinux 2.25.1-1

What am I missing? (I've tried to add selinux=1 in kernel parameters, doesn't help also.)

P.S. Well, I could try any other MAC if it is stable and effective enough and doesn't require to be configured from scratch...


#2 2014-10-21 19:51:10

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Can't enable SELinux

I've no idea about SELinux, bet there's a wiki article about it, maybe it can help: https://wiki.archlinux.org/index.php/Selinux


#3 2014-10-22 10:48:34

lovyagin
Member
Registered: 2014-10-09
Posts: 4

Re: Can't enable SELinux

I've followed the wiki, for sure. It doesn't help unfortunately.

UPD. The reason is definitely in the linux-selinux AUR package; I've installed the Fedora kernel and SELinux works now. I don't think this is a good solution anyway. BTW, rebuilding the kernel from source each time it updates is not a good idea either.


#4 2014-10-22 11:16:19

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Can't enable SELinux


#5 2014-11-13 21:32:25

Emil
Member
Registered: 2013-12-08
Posts: 10

Re: Can't enable SELinux

I'm having the same problem, do you know what's missing from the linux-selinux kernel?


#6 2014-11-13 23:38:41

IooNag
Member
Registered: 2014-11-13
Posts: 2

Re: Can't enable SELinux

I'm currently using SELinux on Arch Linux with the package in the AUR. Here is what I can see on my system:

  • I'm using linux-selinux with the same config as in the AUR package (which I am currently maintaining, by the way).

  • I'm booting with "security=selinux selinux=1" in the kernel cmdline.

  • /etc/selinux/config contains "SELINUX=permissive" and "SELINUXTYPE=refpolicy-patched", where refpolicy-patched is the name of the policy I use.

  • selinuxfs is automatically mounted by systemd-selinux, and mount shows:

    selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)

  • I'm using a custom policy, which is basically refpolicy git master (from https://github.com/TresysTechnology/refpolicy ) + modified Debian systemd patch (from http://anonscm.debian.org/cgit/selinux/ … an/patches ) + replacing "/usr/sbin" with "/usr/s?bin", and adding file contexts for files in /usr/{bin,sbin,lib} when only the context for the /{bin,sbin,lib} directory exists. I don't want to make my policy "the official SELinux policy for Arch" because it is quite ugly, but some efforts are being made to build a systemd policy in refpolicy (cf. http://oss.tresys.com/pipermail/refpoli … 07430.html ), which would simplify building a policy for Arch (moreover I've already upstreamed some Arch-specific things in refpolicy and that's why I'm following refpolicy's git head).

Your issue might be that systemd can't find any policy when booting and then decides to disable SELinux. Did you install a policy?


#7 2014-11-14 20:59:06

Emil
Member
Registered: 2013-12-08
Posts: 10

Re: Can't enable SELinux

I followed every step from the wiki, so I supposed a policy should've been installed. I tried once again to run some commands and actually found some error somewhere.

2 emil@emil /etc/selinux/refpolicy/src/policy % sudo semodule -l
semodule: SELinux policy is not managed or store cannot be accessed.

Tried some more make targets for the policies...

emil@emil /etc/selinux/refpolicy/src/policy % sudo make load
...lots of lines...
linux/refpolicy/zabbix.pp -i /usr/share/selinux/refpolicy/zarafa.pp -i /usr/share/selinux/refpolicy/zebra.pp -i /usr/share/selinux/refpolicy/zosremote.pp
Error opening /etc/selinux/refpolicy/contexts/files/file_contexts.local: No such file or directory
libsemanage.sefcontext_compile: sefcontext_compile returned error code 255. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local
libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/policy.kern to /etc/selinux/refpolicy/policy/policy.29. (No such file or directory).
/usr/sbin/semodule:  Failed!
Rules.modular:56: recipe for target 'load' failed
make: *** [load] Error 1

Finally, an error! Now let's google this. I found this thread: http://forums.gentoo.org/viewtopic-p-7344872.html
Tried the solution from the thread:

sudo touch /etc/selinux/refpolicy/contexts/files/file_contexts.local

make load now runs without error and semodule lists something:

emil@emil ~ % sudo semodule -l
abrt    1.4.0
accountsd       1.1.0
acct    1.6.0
ada     1.5.0
afs     1.9.0
aiccu   1.1.0
aide    1.7.0
aisexec 1.2.0
alsa    1.12.0
amanda  1.15.0
amavis  1.15.0
amtu    1.3.0
anaconda        1.7.0
apache  2.7.0
apcupsd 1.9.0
apm     1.12.0
application     1.2.0
apt     1.8.0
arpwatch        1.11.0
asterisk        1.12.0
auditadm        2.2.0
authbind        1.3.0
authlogin       2.5.0
automount       1.14.0
avahi   1.14.0
awstats 1.5.0
backup  1.6.0
bacula  1.2.0
bcfg2   1.1.0
bind    1.13.0
bird    1.1.0
bitlbee 1.5.0
blueman 1.1.0
bluetooth       3.5.0
boinc   1.1.0
bootloader      1.14.0
brctl   1.7.0
bugzilla        1.1.0
cachefilesd     1.1.0
calamaris       1.8.0
callweaver      1.1.0
canna   1.12.0
ccs     1.6.0
cdrecord        2.6.0
certmaster      1.3.0
certmonger      1.2.0
certwatch       1.8.0
cfengine        1.1.0
cgroup  1.2.0
chronyd 1.2.0
cipe    1.6.0
clamav  1.11.0
clock   1.7.0
clockspeed      1.6.0
clogd   1.1.0
cmirrord        1.1.0
cobbler 1.2.0
collectd        1.0.0
colord  1.1.0
comsat  1.8.0
condor  1.0.0
consolekit      1.9.0
consoletype     1.10.0
corosync        1.1.0
couchdb 1.1.0
courier 1.14.0
cpucontrol      1.4.0
cpufreqselector 1.4.0
cron    2.6.0
ctdb    1.1.0
cups    1.16.0
cvs     1.10.0
cyphesis        1.3.0
cyrus   1.13.0
daemontools     1.3.0
dante   1.9.0
dbadm   1.1.0
dbskk   1.6.0
dbus    1.19.0
dcc     1.12.0
ddclient        1.10.0
ddcprobe        1.3.0
denyhosts       1.1.0
devicekit       1.3.0
dhcp    1.11.0
dictd   1.8.0
dirmngr 1.0.0
distcc  1.9.0
djbdns  1.6.0
dkim    1.2.0
dmesg   1.3.0
dmidecode       1.5.0
dnsmasq 1.10.0
dnssectrigger   1.1.0
dovecot 1.16.0
dpkg    1.10.0
drbd    1.1.0
dspam   1.1.0
entropyd        1.8.0
evolution       2.4.0
exim    1.6.0
fail2ban        1.5.0
fcoe    1.1.0
fetchmail       1.13.0
finger  1.10.0
firewalld       1.1.0
firewallgui     1.1.0
firstboot       1.13.0
fprintd 1.2.0
fstools 1.16.0
ftp     1.15.0
games   2.3.0
gatekeeper      1.8.0
getty   1.10.0
gift    2.4.0
git     1.3.0
gitosis 1.4.0
glance  1.1.0
glusterfs       1.1.0
gnome   2.3.0
gnomeclock      1.1.0
gpg     2.8.0
gpm     1.9.0
gpsd    1.2.0
guest   1.3.0
hadoop  1.3.0
hal     1.15.0
hddtemp 1.2.0
hostname        1.8.0
hotplug 1.16.0
howl    1.10.0
i18n_input      1.9.0
icecast 1.2.0
ifplugd 1.1.0
imaze   1.8.0
inetd   1.13.0
init    1.20.0
inn     1.11.0
iodine  1.1.0
ipsec   1.14.0
iptables        1.14.0
irc     2.3.0
ircd    1.8.0
irqbalance      1.6.0
iscsi   1.9.0
isns    1.0.0
jabber  1.10.0
java    2.7.0
jockey  1.0.0
kdump   1.3.0
kdumpgui        1.2.0
kerberos        1.12.0
kerneloops      1.5.0
keyboardd       1.1.0
keystone        1.1.0
kismet  1.7.0
ksmtuned        1.1.0
ktalk   1.9.0
kudzu   1.9.0
l2tp    1.1.0
ldap    1.11.0
libraries       2.10.0
lightsquid      1.1.0
likewise        1.3.0
lircd   1.2.0
livecd  1.3.0
lldpad  1.1.0
loadkeys        1.9.0
locallogin      1.12.0
lockdev 1.5.0
logadm  1.0.0
logging 1.20.0
logrotate       1.15.0
logwatch        1.12.0
lpd     1.14.0
lvm     1.15.0
mailman 1.10.0
mailscanner     1.1.0
man2html        1.0.0
mandb   1.1.0
mcelog  1.2.0
mediawiki       1.0.0
memcached       1.3.0
milter  1.5.0
miscfiles       1.11.0
modemmanager    1.2.0
modutils        1.14.0
mojomojo        1.1.0
mongodb 1.1.0
mono    1.9.0
monop   1.8.0
mount   1.16.0
mozilla 2.8.0
mpd     1.1.0
mplayer 2.5.0
mrtg    1.9.0
mta     2.7.0
munin   1.9.0
mysql   1.14.0
nagios  1.13.0
ncftool 1.2.0
nessus  1.9.0
netlabel        1.3.0
netutils        1.12.0
networkmanager  1.15.0
nis     1.12.0
nscd    1.11.0
nsd     1.8.0
nslcd   1.4.0
ntop    1.10.0
ntp     1.11.0
numad   1.1.0
nut     1.3.0
nx      1.7.0
oav     1.10.0
obex    1.0.0
oddjob  1.10.0
oident  2.3.0
openca  1.3.0
openct  1.6.0
openhpi 1.1.0
openvpn 1.12.0
openvswitch     1.1.0
pacemaker       1.1.0
pads    1.1.0
passanger       1.1.0
pcmcia  1.7.0
pcscd   1.8.0
pegasus 1.9.0
perdition       1.8.0
pingd   1.1.0
pkcs    1.0.0
plymouthd       1.2.0
podsleuth       1.7.0
policykit       1.3.0
polipo  1.1.0
portage 1.14.0
portmap 1.11.0
portreserve     1.4.0
portslave       1.8.0
postfix 1.15.0
postfixpolicyd  1.3.0
postgresql      1.16.0
postgrey        1.9.0
ppp     1.14.0
prelink 1.11.0
prelude 1.4.0
privoxy 1.12.0
procmail        1.13.0
psad    1.1.0
ptchown 1.2.0
publicfile      1.2.0
pulseaudio      1.6.0
puppet  1.4.0
pwauth  1.0.0
pxe     1.5.0
pyicqt  1.1.0
pyzor   2.3.0
qemu    1.8.0
qmail   1.6.0
qpid    1.1.0
quantum 1.1.0
quota   1.6.0
rabbitmq        1.0.0
radius  1.13.0
radvd   1.14.0
raid    1.13.0
razor   2.4.0
rdisc   1.8.0
readahead       1.13.0
realmd  1.1.0
remotelogin     1.8.0
resmgr  1.3.0
rgmanager       1.3.0
rhcs    1.2.0
rhgb    1.9.0
rhsmcertd       1.1.0
ricci   1.8.0
rlogin  1.11.0
rngd    1.1.0
roundup 1.8.0
rpc     1.15.0
rpcbind 1.6.0
rpm     1.16.0
rshd    1.8.0
rssh    2.3.0
rsync   1.13.0
rtkit   1.2.0
rwho    1.7.0
samba   1.16.0
sambagui        1.2.0
samhain 1.2.0
sanlock 1.1.0
sasl    1.15.0
sblim   1.1.0
screen  2.6.0
secadm  2.4.0
sectoolm        1.1.0
selinuxutil     1.17.0
sendmail        1.12.0
sensord 1.0.0
setrans 1.8.0
setroubleshoot  1.12.0
seunshare       1.1.0
shorewall       1.4.0
shutdown        1.2.0
slocate 1.12.0
slpd    1.1.0
slrnpull        1.5.0
smartmon        1.12.0
smokeping       1.2.0
smoltclient     1.2.0
smstools        1.0.0
snmp    1.14.0
snort   1.11.0
sosreport       1.3.0
soundserver     1.9.0
spamassassin    2.6.0
speedtouch      1.5.0
squid   1.12.0
ssh     2.4.0
sssd    1.2.0
staff   2.4.0
storage 1.11.0
stunnel 1.11.0
su      1.12.0
sudo    1.10.0
svnserve        1.1.0
sxid    1.8.0
sysadm  2.6.0
sysnetwork      1.15.0
sysstat 1.8.0
systemtap       1.1.0
tcpd    1.5.0
tcsd    1.1.0
telepathy       1.4.0
telnet  1.11.0
tftp    1.13.0
tgtd    1.3.0
thunderbird     2.4.0
timidity        1.10.0
tmpreaper       1.7.0
tor     1.9.0
transproxy      1.8.0
tripwire        1.3.0
tuned   1.2.0
tvtime  2.3.0
tzdata  1.5.0
ucspitcp        1.4.0
udev    1.16.0
ulogd   1.3.0
uml     2.3.0
unconfined      3.5.0
unprivuser      2.4.0
updfstab        1.6.0
uptime  1.5.0
usbmodules      1.3.0
usbmuxd 1.2.0
userdomain      4.9.0
userhelper      1.8.0
usermanage      1.19.0
usernetctl      1.7.0
uucp    1.13.0
uuidd   1.1.0
uwimap  1.10.0
varnishd        1.2.0
vbetool 1.7.0
vdagent 1.1.0
vhostmd 1.1.0
virt    1.7.0
vlock   1.2.0
vmware  2.7.0
vnstatd 1.1.0
vpn     1.16.0
w3c     1.1.0
watchdog        1.8.0
wdmd    1.1.0
webadm  1.2.0
webalizer       1.13.0
wine    1.11.0
wireshark       2.4.0
wm      1.3.0
xen     1.13.0
xfs     1.7.0
xguest  1.2.0
xprint  1.7.0
xscreensaver    1.2.0
xserver 3.9.0
yam     1.5.0
zabbix  1.6.0
zarafa  1.2.0
zebra   1.13.0
zosremote       1.2.0

Reboot and SELinux seems to work now!

emil@emil ~ % sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      29

I only needed the security=selinux boot parameter.

I have no idea why and how this actually fixed the problem, but apparently something is missing from the wiki or the policies?

Last edited by Emil (2014-11-14 20:59:25)


#8 2014-11-14 22:22:33

IooNag
Member
Registered: 2014-11-13
Posts: 2

Re: Can't enable SELinux

This is quite strange because /etc/selinux/refpolicy/contexts/files/file_contexts.local doesn't exist on my system running SELinux:

# . /etc/selinux/config 
# ls /etc/selinux/$SELINUXTYPE/contexts/files
file_contexts
file_contexts.bin
file_contexts.homedirs
file_contexts.homedirs.bin
file_contexts.subs_dist
media

file_contexts.subs_dist and media are installed by refpolicy's "make install" and the other files are generated/managed by semanage and semodule.

I agree there seems to be a missing step on the wiki page. Between "make install"+/etc/selinux/config and "reboot+restorecon -r /" (which should probably be "restorecon -F -r /" by the way) the policy needs to be loaded, either with "make load" or with "semodule -b base.pp -i first_module.pp -i second_module.pp -i ..." (to only install a subset of the policy modules). Feel free to update the wiki page accordingly.

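The checks that posts #6, #7 and #8 run by hand, gathered into one POSIX sh preflight script. This is an added example for this thread, not code from the thread, the wiki or the linux-selinux / selinux-refpolicy packages; the function names, the fixture names and the `--live` flag are my own. It tests the four prerequisites the thread identifies: the kernel is built with SELinux and, because the first post's config shows CONFIG_DEFAULT_SECURITY_SELINUX unset, SELinux is selected with security=selinux on the cmdline (the parameter Emil ended up needing); /etc/selinux/config names a mode and a SELINUXTYPE; a compiled policy.NN exists under /etc/selinux/<type>/policy, which only "make load" or semodule produces after "make install"; and selinuxfs is both registered by the kernel and mounted. Every check takes file paths, so the same functions run against constructed fixture files that reproduce the first post's output.

```shell
#!/bin/sh
# Added preflight checker for the problem in this thread; constructed for this
# example, not taken from the linux-selinux or selinux-refpolicy packages. Each
# check takes file paths, so it runs against /proc and /etc on a live system or
# against the constructed fixtures below, which mirror the first post's output.

# Kernel: SELinux must be built in and either be the default LSM
# (CONFIG_DEFAULT_SECURITY_SELINUX=y) or be chosen with security=selinux on the
# cmdline; selinux=0 (CONFIG_SECURITY_SELINUX_BOOTPARAM) switches it off again.
check_kernel_config() {          # $1: gunzip -c /proc/config.gz   $2: /proc/cmdline
    grep -q '^CONFIG_SECURITY_SELINUX=y' "$1" ||
        { echo "FAIL: kernel built without CONFIG_SECURITY_SELINUX"; return 1; }
    grep -q 'selinux=0' "$2" && { echo "FAIL: selinux=0 on the kernel cmdline"; return 1; }
    grep -q '^CONFIG_DEFAULT_SECURITY_SELINUX=y' "$1" &&
        { echo "OK: SELinux is the kernel's default LSM"; return 0; }
    grep -q 'security=selinux' "$2" &&
        { echo "OK: SELinux selected by security=selinux"; return 0; }
    echo "FAIL: not the default LSM and no security=selinux on the cmdline"; return 1
}

# Last SELINUXTYPE= assignment in /etc/selinux/config (empty if none).
selinux_config_type() { sed -n 's/^SELINUXTYPE=//p' "$1" | tail -n 1; }

# /etc/selinux/config must give a mode other than disabled plus a policy type.
check_selinux_config() {         # $1: /etc/selinux/config
    mode=$(sed -n 's/^SELINUX=//p' "$1" | tail -n 1)
    case "$mode" in
        enforcing|permissive) ;;
        disabled) echo "FAIL: $1 sets SELINUX=disabled"; return 1 ;;
        *) echo "FAIL: $1 has no valid SELINUX= line"; return 1 ;;
    esac
    [ -n "$(selinux_config_type "$1")" ] || { echo "FAIL: $1 has no SELINUXTYPE= line"; return 1; }
    echo "OK: mode=$mode type=$(selinux_config_type "$1")"
}

# Policy store: 'make install' puts file contexts under $root/$type/contexts/files;
# only 'make load' (or semodule -b base.pp -i ...) builds the kernel policy
# $root/$type/policy/policy.NN that init loads at boot.
check_policy_store() {           # $1: /etc/selinux   $2: SELINUXTYPE
    [ -f "$1/$2/contexts/files/file_contexts" ] ||
        { echo "FAIL: no file_contexts for '$2'; 'make install' not run"; return 1; }
    for f in "$1/$2/policy/policy."*; do
        [ -f "$f" ] && { echo "OK: compiled policy present: $f"; return 0; }
    done
    echo "FAIL: no $1/$2/policy/policy.NN; run 'make load' after 'make install'"; return 1
}

# selinuxfs must be registered by the kernel and mounted by init. It is missing
# from /proc/filesystems both when the LSM never initialised and after init
# disabled SELinux at boot because no policy could be loaded.
check_selinuxfs() {              # $1: /proc/filesystems   $2: /proc/mounts
    grep -q 'selinuxfs' "$1" ||
        { echo "FAIL: selinuxfs not registered (LSM not initialised, or disabled at boot)"; return 1; }
    grep -q ' selinuxfs ' "$2" || { echo "FAIL: selinuxfs registered but not mounted"; return 1; }
    echo "OK: selinuxfs mounted"
}

# Run all four checks; the return value is the number of failed checks.
selinux_preflight() {  # $1 kconfig $2 cmdline $3 config $4 store root $5 filesystems $6 mounts
    fails=0
    check_kernel_config "$1" "$2" || fails=$((fails + 1))
    check_selinux_config "$3" || fails=$((fails + 1))
    check_policy_store "$4" "$(selinux_config_type "$3")" || fails=$((fails + 1))
    check_selinuxfs "$5" "$6" || fails=$((fails + 1))
    return "$fails"
}

# Constructed fixtures mirroring the first post: SELinux built in but not the
# default LSM, no security= on the cmdline, config and contexts present, no
# compiled policy, selinuxfs absent. Prints the fixture directory.
make_op_fixtures() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' 'CONFIG_SECURITY_SELINUX_BOOTPARAM=y' \
        'CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1' \
        '# CONFIG_DEFAULT_SECURITY_SELINUX is not set' > "$d/kconfig"
    printf 'root=/dev/sda1 rw\n' > "$d/cmdline"
    printf 'SELINUX=permissive\nSELINUXTYPE=refpolicy\n' > "$d/config"
    mkdir -p "$d/etc/refpolicy/contexts/files"
    : > "$d/etc/refpolicy/contexts/files/file_contexts"
    printf 'nodev\tproc\nnodev\tsysfs\n\text4\n' > "$d/filesystems"
    printf 'proc /proc proc rw 0 0\n' > "$d/mounts"
    echo "$d"
}

if [ "${1:-}" = "--live" ]; then
    kc=$(mktemp); gunzip -c /proc/config.gz > "$kc"
    selinux_preflight "$kc" /proc/cmdline /etc/selinux/config /etc/selinux /proc/filesystems /proc/mounts ||
        echo "$? check(s) failed"
    rm -f "$kc"
else
    d=$(make_op_fixtures)
    selinux_preflight "$d/kconfig" "$d/cmdline" "$d/config" "$d/etc" "$d/filesystems" "$d/mounts" ||
        echo "$? check(s) failed (expected 3 on the first post's state)"
    rm -rf "$d"
fi
```

Run with no arguments to see the verdicts on the constructed fixtures: the kernel check, the policy store check and the selinuxfs check fail, the config check passes, which is exactly the first post's state (config file fine, no security=selinux, nothing ever loaded, no selinuxfs in /proc/filesystems). Run as root with `--live` to check the running system; that needs /proc/config.gz, which the first post shows is available on linux-selinux. A missing policy.NN with file_contexts present is the "make install without make load" gap IooNag describes in #8.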
