1.a. SELinux features

Does SELinux enforce resource limits?

No, resource limits are outside the scope of an access control system. If you are looking for this type of support, GRSecurity and RSBAC are better choices.

1.b. SELinux and other hardened projects

Can I use SELinux and GRSecurity (and PaX)?

Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however, it is suggested that GRACL (the grsecurity RBAC system) not be enabled, since its access control would duplicate the access control SELinux already provides.

Can I use SELinux and the hardened compiler (PIE-SSP)?

Yes. It is also suggested that PaX be used, since PaX supplies the address-space layout randomization that position-independent executables need in order to give any real hardening benefit.

Can I use SELinux and RSBAC?

Unknown. Please report your results if you try this combination.

1.c. SELinux and filesystems

Can I use SELinux with my primary filesystems?

SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3) has extended attributes, but its SELinux support was never complete, and it has been broken since 2.6.14. Reiser4 is not supported.

Can I use SELinux with my ancillary filesystems?

Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660 filesystems, with an important caveat. All files in each such filesystem will have the same security context (and therefore the same SELinux type), since these filesystems do not support extended attributes and so cannot store a label per file; the context they receive can be chosen at mount time with the context= mount option. Tmpfs is the only ancillary filesystem with complete extended attribute support, which allows it to behave like a primary filesystem.

Can I use SELinux with my network filesystems?

Yes, SELinux can mount network filesystems, such as NFS and CIFS filesystems, with an important caveat. All files in each such filesystem will have the same security context (and therefore the same SELinux type), since these filesystems do not support extended attributes; as with other non-xattr filesystems, that context can be selected with the context= mount option. Hopefully network filesystems will begin to support extended attributes in the future, at which point they will work like a primary filesystem.

1.d. Portage error messages

I get a missing SELinux module error when using emerge:

Code Listing 1: Portage message

!!! SELinux module not found. Please verify that it was installed.

This indicates that the portage SELinux module is missing or damaged. It also appears when python has been upgraded to a new version, which requires python-selinux to be recompiled against it. Remerge dev-python/python-selinux. Any packages merged while this condition existed were installed without correct labels and must be relabeled after the condition is fixed. If the packages that need relabeling cannot be determined, a full relabel may be required.

1.e. SELinux kernel error messages

I get a register_security error message when booting:

Code Listing 2: Kernel message

There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security:  Registering secondary module capability
Capability LSM initialized

The first two messages mean that the Capability LSM module could not register as the primary security module, because SELinux already occupies that slot. The third message shows SELinux registering it as a secondary module instead, and the fourth confirms that it initialized. This is normal and harmless: capability checks are still enforced, stacked beneath SELinux.

1.f. Setfiles error messages

When I try to relabel, it fails with invalid contexts:

Code Listing 3: Invalid contexts example

# make relabel
/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
/usr/sbin/setfiles:  read 559 specifications
/usr/sbin/setfiles:  invalid context system_u:object_r:default_t on line number 39
/usr/sbin/setfiles:  invalid context system_u:object_r:urandom_device_t on line number 120
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 377
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 378
/usr/sbin/setfiles:  invalid context system_u:object_r:krb5_conf_t on line number 445
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 478
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 479
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 492
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 493
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 494
Exiting after 10 errors.
make: *** [relabel] Error 1

First ensure that /selinux (selinuxfs) is mounted. If selinuxfs is not mounted, setfiles cannot ask the kernel to validate contexts, so it treats every context as invalid. If /selinux is mounted, the most likely cause is that a new policy defining these types has been built but not yet loaded, so the contexts are not yet valid; load the new policy and run the relabel again.
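A pre-flight check for the relabel step, added here as an example (it is not part of the original FAQ and not Gentoo's own tooling). It reads a /proc/mounts-style file to confirm that selinuxfs is mounted, separates the read-write mounts whose filesystems store labels in extended attributes (the ones named in the filesystem section above) from those that will receive a single context, and reduces setfiles output like the listing above to the distinct types it rejected, so they can be compared against the loaded policy. The function names, the sample mount table and the sample setfiles log are constructed for this example; the xattr-capable list is taken from the FAQ text.

```shell
#!/bin/sh
# Pre-relabel sanity checks (added example; function names are hypothetical).
# Assumes the /proc/mounts line format: device mountpoint fstype options dump pass,
# where the kernel always emits "rw" or "ro" as the first option.

# Exit 0 if the given mounts file shows selinuxfs mounted, 1 otherwise.
# Without selinuxfs, setfiles cannot validate contexts and rejects all of them.
selinuxfs_mounted() {
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "${1:-/proc/mounts}"
}

# Print the mount points setfiles can label: read-write mounts of
# filesystems that carry per-file contexts in extended attributes
# (the list given in the FAQ: ext2, ext3, JFS, XFS, tmpfs).
relabel_targets() {
    awk '$3 ~ /^(ext2|ext3|jfs|xfs|tmpfs)$/ && $4 ~ /^rw(,|$)/ { print $2 }' \
        "${1:-/proc/mounts}"
}

# Print mount points whose filesystems have no xattr support: every file
# on them gets one context (settable with the context= mount option).
single_context_mounts() {
    awk '$3 ~ /^(vfat|iso9660|nfs|cifs)$/ { print $2 }' "${1:-/proc/mounts}"
}

# From a setfiles log, print each distinct type reported as invalid, one per
# line. The context is user:role:type[:range]; the type is the third field.
invalid_types() {
    sed -n 's/.*invalid context [^:]*:[^:]*:\([^: ]*\).*/\1/p' "$1" | sort -u
}

# --- Constructed sample data so the script runs stand-alone ---------------
MOUNTS=$(mktemp)
MOUNTS_NOFS=$(mktemp)
SETFILES_LOG=$(mktemp)
trap 'rm -f "$MOUNTS" "$MOUNTS_NOFS" "$SETFILES_LOG"' EXIT

cat > "$MOUNTS" <<'EOF'
/dev/hda3 / ext3 rw 0 0
proc /proc proc rw 0 0
none /selinux selinuxfs rw 0 0
/dev/hda5 /home xfs rw 0 0
/dev/hda6 /mnt/win vfat ro 0 0
tmpfs /dev/shm tmpfs rw 0 0
fileserver:/export /mnt/nfs nfs rw 0 0
EOF
# Same table with selinuxfs missing, to show the failure case.
grep -v selinuxfs "$MOUNTS" > "$MOUNTS_NOFS"

# Constructed log in the format of Code Listing 3 above.
cat > "$SETFILES_LOG" <<'EOF'
/usr/sbin/setfiles:  read 559 specifications
/usr/sbin/setfiles:  invalid context system_u:object_r:default_t on line number 39
/usr/sbin/setfiles:  invalid context system_u:object_r:urandom_device_t on line number 120
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 377
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 378
/usr/sbin/setfiles:  invalid context system_u:object_r:krb5_conf_t on line number 445
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 478
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 479
Exiting after 10 errors.
EOF

if selinuxfs_mounted "$MOUNTS"; then
    echo "selinuxfs is mounted; relabel targets:"
    relabel_targets "$MOUNTS"
    echo "mounts that get a single context:"
    single_context_mounts "$MOUNTS"
else
    echo "selinuxfs is NOT mounted; mount it before running setfiles"
fi
if ! selinuxfs_mounted "$MOUNTS_NOFS"; then
    echo "(sample without selinuxfs correctly detected as unmounted)"
fi
echo "types rejected by setfiles (check these exist in the loaded policy):"
invalid_types "$SETFILES_LOG"
```

On a live system call the functions with no argument to read /proc/mounts, and feed invalid_types the captured output of the failed make relabel; if every rejected type is defined by the policy you just built but absent from the running one, the fix is to load that policy, as the answer above says.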