Hi there,
I'm trying to install and set up SELinux on my Arch box. (Because SELinux is the topic of my bachelor research and Arch is my favourite distro.)
So after reading the Arch and Gentoo SELinux wikis I installed an SELinux-enabled kernel and other SELinux stuff, compiled and loaded the Reference Policy and relabeled the FS.
Now I can load SELinux and set it to enforcing mode, which seems to be working, though it needs some fine-tuning at the next stage. Though to finish the current research stage I need to load SELinux at boot. From what I read it is done by sysvinit patched for use with SELinux, which is also available in [community]. Problem is that the patched sysvinit fails to load the policy and the kernel panics. According to the Gentoo wiki sysvinit needs to be linked to libselinux; mine from package community/selinux-sysvinit 2.86-1 seems not to be. :-/
Sooo, the question is, does it work for anybody? I guess if not, then there is something wrong with the package and some finetuning might solve that. Or maybe I'm doing something wrong, please help me to determine what.
"Although the masters make the rules
For the wise men and the fools
I got nothing, Ma, to live up to."
I know you posted this a long time ago, but I had the same problem, and I fixed it, so I thought I would post here. I was reading the selinux sysvinit patch, and found that it looks for your policy in /etc/policy.bin, so just copy your policy from /etc/selinux/refpolicy/policy/policy.xx (or wherever it is for you) to /etc/policy.bin and you'll be good. It worked for me!
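A pre-reboot check for the two boot failures described in the posts above (init not linked to libselinux, no policy at /etc/policy.bin), as an added example that is not part of the original thread or of the package. The `refpolicy` default type and the function names are assumptions; /etc/policy.bin is the path the poster reports from the sysvinit patch.

```sh
#!/bin/sh
# Added example. Paths follow the thread: /etc/policy.bin is where the poster
# found the patched sysvinit looks; /etc/selinux/<type>/policy/policy.NN is
# where the compiled policy was installed.

# Policy type from ROOT/etc/selinux/config ("refpolicy" is an assumed default).
policy_type() {
    t=""
    if [ -r "$1/etc/selinux/config" ]; then
        t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1/etc/selinux/config" | tail -n 1)
    fi
    printf '%s\n' "${t:-refpolicy}"
}

# Path of the compiled policy with the highest numeric version, or empty.
newest_policy() {
    dir="$1/etc/selinux/$(policy_type "$1")/policy"
    best=""; best_ver=-1
    for f in "$dir"/policy.[0-9]*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        case $ver in *[!0-9]*) continue ;; esac
        if [ "$ver" -gt "$best_ver" ]; then best=$f; best_ver=$ver; fi
    done
    printf '%s\n' "$best"
}

# Prints no-policy | no-policy-bin | stale-policy-bin | ok for the tree at ROOT.
boot_policy_status() {
    root=${1:-}
    src=$(newest_policy "$root")
    if [ -z "$src" ]; then echo no-policy; return 1; fi
    if [ ! -f "$root/etc/policy.bin" ]; then echo no-policy-bin; return 1; fi
    if ! cmp -s "$src" "$root/etc/policy.bin"; then echo stale-policy-bin; return 1; fi
    echo ok
}

# True if the given init binary is dynamically linked against libselinux.
init_links_libselinux() {
    ldd "${1:-/sbin/init}" 2>/dev/null | grep -q 'libselinux\.so'
}

# Check the live system only when asked: sh check-selinux-boot.sh --check
if [ "${1:-}" = "--check" ]; then
    init_links_libselinux /sbin/init || echo "init: not linked to libselinux"
    boot_policy_status ""
fi
```

A `stale-policy-bin` result means /etc/policy.bin no longer matches the newest compiled policy, which happens after every policy rebuild unless the copy is repeated.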
Thanx, though I eventually found that too. Though it kinda ended up with a somehow strangely confined system, so I gave up on SELinux in Arch due to lack of time to experiment and continued in Fedora.
Hey guys, hate to ask but I've been interested in SELinux too. I looked at the Gentoo docs but they are a little outdated. Could I ask (if it isn't too much of a problem) that if you got the time, could you update the SELinux page. As of now, there isn't a lot on it and I'd be interested in what you guys have learned.
Setting Up a Scripting Environment | Proud donor to wikipedia - link
Hey, I'll try it, as I have a section in my bachelor's thesis about SELinux on Arch. Shame is I got kinda stuck in that, as what I got was not much usable, but maybe I overlooked something. :-/ Just gotta translate it to English in my free time.
That'd be great! Got a lot more to learn about it myself so it'd definitely be appreciated.
OK, so I finally got to it. Hopefully it'll be useful to someone. And from what I saw in the changes since my last try, I may try to set up SELinux again in some free time and see where it can get me.
Ah, finally thoughts to be able to getting SELinux going in Arch. I've tried this from scratch before with Gentoo and got to the relabel part but the documentation was pretty dated after that. Got more to learn still but this is much better than before.
Last edited by Gen2ly (2009-10-19 18:41:01)
I'm glad that finally there is some action in SELinux on Arch. I'm very interested in it but till now I didn't have the time to figure out all the stuff on my own. But I guess setting up SELinux is only one part. The configuring might be a bit of work to do. Do you have any experience in maybe using Fedora's work on policy on an Arch install?
In fact I might try Fedora as security is a big factor for me
cheers
Last edited by DasWu (2009-10-26 12:14:39)
--- under construction ---
good news , i have gotten used to SE with Fedora
and want it installed in Arch
Celestia maps
http://celestiamotherlode.net/catalog/s … ator_id=10
SELinux moved to AUR, now I maintain it. I upgraded to the latest versions and restructured the packages a bit, so SELinux experimenters are encouraged to test and report problems, send patches and give feedback. I also refreshed the wiki a bit to reflect the upgrade.
SELinux moved to AUR
now that i am starting to get used to arch ( was fedora) i am about to install and run se in the next week or so
that and the wiki will help
Yeah, gotta add that this is great! Been wanting to get more into SELinux and having these in the AUR and the updated wiki will help me a lot. Appreciate the work, Nicky.
Last edited by Gen2ly (2009-11-16 23:57:31)
I also appreciate this!
I keep considering using Arch as a server host for a few of my games, a webhost, etc. But I kept worrying about security. Maybe I'm just paranoid, but I feel quite unprotected without SELinux, PaX and all my other nice little tinfoil hat utilities
Upgraded selinux-refpolicy-src to 20091117 release, which should bring us new SELinux support for some apps and advances in X window system support.
Last edited by Nicky726 (2010-01-04 09:09:57)
Hi, SELinux is also a topic of my research. I'm writing refpolicy editor and everything was fine till I wanted to compile refpolicy ( refpolicy-2.20091117 ) and set this policy as a default in Fedora12 (by the way, sources of default policy in Fedora are not public, are they? ). After following steps published on http://oss.tresys.com/projects/refpolic … eRefpolicy my system is not booting. Some daemons failed to run (eg. HAL). selinux=0 in grub helps but is not the solution. Selinux is set to run in permissive mode. Has someone any ideas what's wrong and how to fix it?
Last edited by karlo (2010-03-10 23:12:56)
...and set this policy as a default in Fedora12 ...
Best to ask on the Fedora forums for Fedora help...
Hi, SELinux is also a topic of my research. I'm writing refpolicy editor and everything was fine till I wanted to compile refpolicy ( refpolicy-2.20091117 ) and set this policy as a default in Fedora12 (by the way, sources of default policy in Fedora are not public, are they? ). After following steps published on http://oss.tresys.com/projects/refpolic … eRefpolicy my system is not booting. Some daemons failed to run (eg. HAL). selinux=0 in grub helps but is not the solution. Selinux is set to run in permissive mode. Has someone any ideas what's wrong and how to fix it?
Sorry, SELinux isn't used in Arch.
Sorry, SELinux isn't used in Arch.
No, not generally but Nicky knows quite a bit about it. Worked good for me on my last computer (which is [a tear] no more). If you're lucky you can catch Nicky and help debug. Like having this around, but might need a bit of maintenance at this point.
Hi, SELinux is also a topic of my research. I'm writing refpolicy editor and everything was fine till I wanted to compile refpolicy ( refpolicy-2.20091117 ) and set this policy as a default in Fedora12 (by the way, sources of default policy in Fedora are not public, are they? ). After following steps published on http://oss.tresys.com/projects/refpolic … eRefpolicy my system is not booting. Some daemons failed to run (eg. HAL). selinux=0 in grub helps but is not the solution. Selinux is set to run in permissive mode. Has someone any ideas what's wrong and how to fix it?
Hello,
this may be a little late, but have you tried to follow the Arch Linux SELinux guide, here on the wiki? Last time I tried it, it worked -- if you are doing your research on Arch Linux.
The Fedora source can be found, they have a src.rpm. The sources themselves are normal refpolicy, but there are some huge patches. I wasn't able to compile that even on Fedora though.
As for SELinux on Arch, I have gathered some requests and will be trying to make it better in the summer.
I use SELinux on my computer so this is good news. Appreciate the work you do.
Updated selinux-setools to 3.3.7, changes in PKGBUILD:
autoconf now needed as builddep;
dependencies for GUI tools moved to optdep;
--disable-bwidget-check flag used by default.
This should build OK on a no-GUI machine, though I didn't test it, as I have none.
Current SELinux on Arch status:
PKGBUILD for kernel26-selinux is pretty stale, I plan to do something about it soon after the exams, and maybe even the splitpkgs at AUR, but that may be too much for me;
selinux-coreutils is a minor version behind [core] and it may cause some troubles when used with encrypted root and LVM, I have the PKGBUILD ready, just need to test it, though I don't want to risk breaking my working netbook just now, so I'll do that soon too. :-[
I've also been digging into additional SELinux-aware packages in the winter, which I want to resume after exams;
wonder if I should set up a virtual Arch for these experiments, rather than risking some production machine breaking...
guess that's it for now.
Hi to all! I tried to follow the guide in the ArchWiki to activate SELinux in Arch, but when I run make load, I get an error:
SELinux: Could not downgrade policy file /etc/selinux/refpolicy/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/refpolicy/policy/policy.24: No existe el fichero o el directorio
/usr/sbin/load_policy: no se puede cargar la política: No existe el fichero o el directorio
make: *** [tmp/load] Error 2
I tried to reboot the system, but it doesn't start, it freezes at boot.
(Sorry for my bad English, I don't speak this language.)
Just a guess, isn't that gcc 4.5 connected?
Updated SELinux userspace and SELinux Reference Policy to the latest upstream versions and SELinux-aware coreutils to [core] versions; the SELinux-aware PAM package pkgrel was increased so it is rebuilt with the newest SELinux packages.
So that leaves me only with the kernel package outdated, I may wait for .34 being pushed to [core].
To kelito: I tried building the just updated reference policy and it is flawless, have you set monolithic=no in its build.conf?
Last edited by Nicky726 (2010-06-05 15:24:59)