Linux – How to enable SELinux when booting a ramdisk from a CD/DVD

linuxselinux

I have a bootable DVD which boots the same Kernel as the Hard Drive (which uses SELinux). I have copied /etc/selinux and all kernel modules to my ramdisk, and have tried various combinations of selinux=1 and selinux 1 with enforcing 1 and enforcing 0. as Kernel boot parameters. All files contained in the checkpolicy, libselinux, policycoreutils, selinux-policy and selinux-policy-targeted rpms have also been copied into the ramdisk tree.

After the system boots from the ramdisk, I check dmesg:

% dmesg | grep -i selinux
Kernel command line: initrd=idrd.img ramdisk_size=110476 selinux=1
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SElinux: Registering netfilter hooks

But SELinux isn't running:

% /usr/sbin/getenforce
Disabled
% /usr/sbin/setenforce 1
/usr/sbin/setenforce: SELinux is disabled

Neither /var/log/messages nor /proc/kmsg hold clues.

Best Answer

What's not immediately obvious is that SELINUX requires selinuxfs to be mounted. When mounted, selinuxfs appears in /proc/mounts but not in the output of the mount command.

Mounting selinuxfs in my initrd did the trick

Related Solutions

Linux Security – Reasons to Disable or Enable SELinux

RedHat turns SELinux on by default because its safer. Nearly every vendor that uses Redhat-derived products turns SELinux off because they don't want to have to put in the time (and therefore money) to figure out why the thing doesn't work. The Redhat/Fedora people have put in a massive amount of time and effort making SELinux more of a viable option in the Enterprise, but not a lot of other organizations really care about your security. (They care about their security and the security reputation of their product, which is a totally different thing.)

If you can make it work, then go for it. If you can't, then don't expect a lot of assistance from the vendors out there. You can probably get help from the Redhat/Fedora guys, from the selinux mailing lists and #selinux channel on freenode. But from companies like Oracle -- well, SELinux doesn't really factor in to their business plan.

Linux – how to enable selinux in kernel

SELinux is very restrictive by default, depending on distribution. You will have to explicitly enable access, depending on your configuration.

In the case of Red Hat, with SELinux enabled, /var/www is access, but if your sites are on /home, it won't be. You have to enable it with:

setsebool -P httpd_enable_homedirs on

You can pull the list of policies you can enable with:

getsebool -a

It is a lot, so you will have to grep for the service you want to enable access. Again, in the case of Red Hat, you only need to enable spooling for mail, so it will work by default. However, it may be different with your distribution. That and your web directory may be in a completely different location.

So you need go the selinux directory and look at the policies, roles and files contexts, which may be available at:

/etc/selinux

And apply the appropriate labels to the files.

I suggest you look at this as a base starting point:

http://selinuxproject.org/page/Main_Page

If you want to keep running SELinux. Otherwise, either use a different distribution that makes it easy for your to manage SELinux or put it in permissive mode for now and use some other mechanism to secure your server - at least until you get the hang of SELinux.

Best Answer

Related Solutions

Linux Security – Reasons to Disable or Enable SELinux

Linux – how to enable selinux in kernel

Related Topic