1.a. Load policy into a running SELinux kernel

Managed policy (2006.1+)

This requires you to be in the sysadm_r role.

Code Listing 1: Semodule command

# semodule -B

Unmanaged policy (pre 2006.1)

This requires you to be in the sysadm_r role.

Code Listing 2: Load policy

# cd /etc/security/selinux/src/policy
# make load

1.b. Change roles

This requires that your user has access to the target role. This example changes to the sysadm_r role.

Code Listing 3: Newrole

# newrole -r sysadm_r

1.c. Specify available roles for a user

Managed policy (2006.1+)

There is a mapping of Linux users to SELinux identities. The policy provides generic SELinux users for the relevant combinations of roles. For example, to map the user pebenito to the SELinux identity staff_u, run:

Code Listing 4: Map pebenito to staff_u

# semanage login -a -s staff_u pebenito

The policy does not need to be reloaded. If the user is currently logged in, they must log out and log in again for the change to take effect.

Unmanaged policy (pre 2006.1)

The SELinux identity determines the roles available to a user. Modify the users file (/etc/security/selinux/src/policy/users). For example, to allow the user pebenito to have the roles staff_r and sysadm_r, add to the file:

Code Listing 5: User line

user pebenito roles { staff_r sysadm_r };

Then load the policy. See the SELinux Overview for additional information on SELinux identities.

1.d. Relabel filesystems

Managed policy (2006.1+)

This requires you to be in the sysadm_r role.

Code Listing 6: Relabel

# rlpkg -a

Unmanaged policy (pre 2006.1)

This requires you to be in the sysadm_r role.

Code Listing 7: Relabel

# cd /etc/security/selinux/src/policy
# make relabel

1.e. Relabel an individual package

In addition to relabeling entire filesystems, individual portage packages can be relabeled. This requires you to be in the sysadm_r role.

Code Listing 8: rlpkg example

# rlpkg shadow sash

The script rlpkg is used, and any number of packages can be specified on the command line.

1.f. Scan for libraries with text relocations (2006.1+ only)

SELinux has improved memory protections. One of these is a permission governing ELF text relocations. Libraries that contain text relocations carry a special label, and the rlpkg tool has an option to scan for such libraries.

Code Listing 9: TEXTREL Scan

# rlpkg -t

This scan is also run automatically after a full relabel.

1.g. Start daemons in the correct domain

Controlling daemons that have init scripts in /etc/init.d is slightly different under SELinux. The run_init command must be used to run the scripts, to ensure they are run in the correct domain. The command is invoked as usual, except that it is prefixed with run_init. This requires you to be in the sysadm_r role.

Code Listing 10: run_init examples

# run_init /etc/init.d/ntpd start
# run_init /etc/init.d/apache2 restart
# run_init /etc/init.d/named stop

Gentoo run_init integration

run_init has been integrated into Gentoo's init script system. With SELinux installed, services can be started and stopped as usual, but will now authenticate the user.

Code Listing 11: Integrated run_init example

# /etc/init.d/sshd restart
Authenticating root.
Password:
 * Stopping sshd...                       [ ok ]
 * Starting sshd...                       [ ok ]

1.h. Switch between enforcing and permissive modes

Switching between modes in SELinux is very simple. Write a 1 for enforcing, or 0 for permissive to /selinux/enforce to set the mode. The current mode can be queried by reading /selinux/enforce; 0 means permissive mode, and 1 means enforcing mode. If the kernel option "NSA SELinux Development Support" is turned off, the system will always be in enforcing mode, and cannot be switched to permissive mode.

Code Listing 12: Query and switch modes

Query current mode
# cat /selinux/enforce
Switch to enforcing mode
# echo 1 > /selinux/enforce
Switch to permissive mode
# echo 0 > /selinux/enforce

A machine with development support turned on can be started in enforcing mode by adding enforcing=1 to the kernel command line in the bootloader (GRUB, LILO, etc.).

Managed policy (2006.1+)

In addition to the above kernel options, the mode at boot can be set by the /etc/selinux/config file.

Code Listing 13: /etc/selinux/config

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

The setting in this file will be overridden by the kernel command line options described above.

1.i. Understand sestatus output

The sestatus tool can be used to determine detailed SELinux-specific status information about the system. The -v option provides extra detail about the context of processes and files. The output will be divided into four sections. Sestatus only provides complete information for a user logged in as root (or su/sudo), in the sysadm_r role.

Code Listing 14: Status example

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Policy version:         18

The main status information is provided in the first section. The first line shows whether the SELinux kernel functions exist and are enabled. If the status is disabled, either the kernel does not have SELinux support, or no policy is loaded. The second line shows the mount point for the SELinux filesystem. During normal use, the filesystem should be mounted at the default location of /selinux. The third line shows the current SELinux mode, either enforcing or permissive. The fourth line shows the policy database version supported by the currently running kernel.

Code Listing 15: Booleans example

Policy booleans:
secure_mode             inactive
ssh_sysadm_login        inactive
user_ping               inactive

The second section displays the status of the conditional policy booleans. The left column is the name of the boolean. The right column is the status of the boolean, either active or inactive. This section will not be shown on policy version 15 kernels, as they do not support conditional policy.

Code Listing 16: Process context example

Process contexts:
Current context:        pebenito:sysadm_r:sysadm_t
Init context:           system_u:system_r:init_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:sshd_t

The third section displays the context of the current process, and of several key processes. If a process is running in the incorrect context, it will not function correctly.

Code Listing 17: File context example

File contexts:
Controlling term:       pebenito:object_r:sysadm_devpts_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/agetty            system_u:object_r:getty_exec_t
/bin/login              system_u:object_r:login_exec_t
/sbin/rc                system_u:object_r:initrc_exec_t
/sbin/runscript.sh      system_u:object_r:initrc_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd       system_u:object_r:chkpwd_exec_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/sash               system_u:object_r:shell_exec_t
/usr/bin/newrole        system_u:object_r:newrole_exec_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:shlib_t

The fourth section displays the context of the current process's controlling terminal, and of several key files. For symbolic links, the context of the link is displayed first, followed by the context of the link target. If a file has an incorrect context, the file may be inaccessible or may have incorrect permissions for a particular process.
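As an added example (not part of this handbook), the following POSIX shell script parses sestatus -v output in the four-section layout described above and flags a daemon that is not running in the domain the listings show for it, which is the condition that starting services through run_init (section 1.g) is meant to prevent. The embedded sestatus output is constructed sample data, and the expected-domain list is an assumption taken from Code Listing 16.

```shell
# Constructed sample of `sestatus -v` output; sshd is deliberately placed in
# the wrong domain so the check below has something to flag.
SAMPLE_STATUS='SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Policy version:         18

Policy booleans:
ssh_sysadm_login        inactive

Process contexts:
Current context:        pebenito:sysadm_r:sysadm_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:initrc_t

File contexts:
/etc/shadow             system_u:object_r:shadow_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t'

# Value of a "Key:   value" line from the status section (e.g. "Current mode").
status_field() {
    printf '%s\n' "$SAMPLE_STATUS" |
        awk -F':[[:space:]]+' -v k="$1" '$1 == k { print $2; exit }'
}

# Domain (type field of the context) of a process listed under
# "Process contexts:"; prints nothing if the process is not listed.
proc_type() {
    printf '%s\n' "$SAMPLE_STATUS" | awk -v p="$1" '
        /^Process contexts:/ { sect = 1; next }
        /^File contexts:/    { sect = 0 }
        sect && $1 == p      { split($2, c, ":"); print c[3]; exit }'
}

# Type of a file under "File contexts:"; for a symlink ("link -> target")
# the target's type is returned, since that is the one that applies.
file_type() {
    printf '%s\n' "$SAMPLE_STATUS" | awk -v p="$1" '
        /^File contexts:/ { sect = 1; next }
        sect && $1 == p   { ctx = ($3 == "->") ? $4 : $2; split(ctx, c, ":"); print c[3]; exit }'
}

# Succeeds when the process runs in the expected domain, fails otherwise.
check_domain() {
    [ "$(proc_type "$1")" = "$2" ]
}

# Daemons from the handbook's listings with the domain each should be in (assumed).
for pair in /sbin/agetty:getty_t /usr/sbin/sshd:sshd_t; do
    check_domain "${pair%%:*}" "${pair##*:}" ||
        echo "WARNING: ${pair%%:*} runs in $(proc_type "${pair%%:*}"), expected ${pair##*:}"
done
```

Run against real output by replacing SAMPLE_STATUS with the captured text of sestatus -v; the warning loop then reports any daemon whose domain differs from the expected one.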