Gentoo Wiki

SELinux

This article is part of the Security series.

This article is still a Stub. You can help Gentoo-Wiki by expanding it.

Users who want to test SELinux without running any policy in a live environment should read HOWTO Null Selinux on non-SELinux profile. Installation instructions can be found on the official Gentoo SELinux homepage.

Gentoo's current SELinux implementation does not use the reference SELinux policy, but that may change soon. It may be possible to follow the NULL SELinux Install HOWTO to do so.


Tips

SELinux is extensive and difficult; a few concepts are essential:

Context (Type) is everything

Files can be relabeled via make relabel, as described in the Gentoo SELinux handbook.

In permissive mode, SELinux doesn't enforce anything and thus functions as a non-SELinux system, but it does log gratuitous amounts of warnings whenever a denial WOULD have occurred.

Problems

The above statement may not be quite true. Some programs will misbehave even with the system in permissive mode. The Gentoo SELinux handbook points out some potential problems, such as login issues.

Vixie-cron

Vixie-cron likes to perform its own internal checks before attempting a domain transition, and fails the transition even in permissive mode. Thus, incorrectly labeled files or domain transition problems can cause crontabs not to run (or to misbehave) inexplicably.

When cron is running in the correct domain, the security context column of ps -Z shows the daemon in crond_t:

system_u:system_r:crond_t        6628 ?        Ss     0:00 /usr/sbin/cron

Warning: Never use crontab -e -u [user]. The resulting crontab will be mislabeled. Instead, su, and edit the crontab from there.
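As an added example (not part of the wiki page), a small Python script that summarises the AVC denial messages a permissive-mode system logs, so that a mislabeled file, such as the crontab case above, shows up as a repeated source type/target type pair. The log lines are constructed samples, and the context types in them are assumptions, not taken from any particular Gentoo policy.

```python
"""Summarise SELinux AVC denials from a kernel or audit log."""
import re
from collections import Counter

# Only the "avc: denied { perms } for key=value ..." part is needed,
# so dmesg-style and auditd-style prefixes are both accepted.
AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines; contexts are assumed for illustration.
SAMPLE_LOG = """\
kernel: audit(1217840000.123:45): avc:  denied  { read } for  pid=6628 comm="cron" name="root" dev=sda1 ino=12345 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:user_home_t tclass=file
kernel: audit(1217840000.124:46): avc:  denied  { read write } for  pid=1 comm="init" path="/dev/console" dev=tmpfs ino=3 scontext=system_u:system_r:init_t tcontext=system_u:object_r:device_t tclass=chr_file
kernel: audit(1217840000.125:47): avc:  denied  { read } for  pid=6628 comm="cron" name="root" dev=sda1 ino=12345 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:user_home_t tclass=file
kernel: usb 1-1: new device found (not an AVC line)
"""

def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'action': m.group('action'),
        'perms': tuple(sorted(m.group('perms').split())),
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }

def type_of(context):
    """Third field of user:role:type[:level]; the type is what policy rules key on."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def summarise(lines):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['action'] == 'denied':
            key = (type_of(rec['scontext']), type_of(rec['tcontext']),
                   rec['tclass'], rec['perms'])
            counts[key] += 1
    return counts

if __name__ == '__main__':
    for (src, tgt, cls, perms), n in summarise(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {src} -> {tgt} ({cls}) {{ {' '.join(perms)} }}")
```

A crond_t source hitting an unexpected target type on a spool file is the pattern to look for after the crontab -e -u mistake; the fix there is relabeling, not a policy change.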


udev and coldplug

If, after installing SELinux, relabeling and rebooting, you get AVC messages about /dev/console and the whole rc startup, try setting this in /etc/conf.d/rc:

RC_COLDPLUG="no"

Tools

There are some tools/commands that can greatly help with SELinux.


Retrieved from "http://www.gentoo-wiki.info/SELinux"

Last modified: Mon, 04 Aug 2008 09:03:00 +0000