lseidman
Posts: 15
Joined: Fri Sep 07, 2012 7:31 pm
Location: Las Vegas, NV
Contact: Website

[Guide] SELinux {Get/Install/Setup}

Fri Sep 07, 2012 8:23 pm

Hi everyone,

You may already be familiar with SELinux, or perhaps not, but I won't go into a discussion of what exactly it is; know, though, that the NSA in the USA created it years back and I am an avid user. I recently got my Raspberry Pi and am using Raspbian, but spent an abundant amount of time trying to figure out why every reboot and SSH/HDMI output would cause a large X [cursor], like the old-school GUI did when the XFree86 GUI didn't work, and this is when attempting to start SELinux with no success. In short, I have a tutorial I made to help those who may want to try it out and notice it will NOT work out of the box, even if you use apt-get for all 3 required SELinux packages.

GET SELINUX
Open up a terminal and launch:

sudo apt-get install selinux-basics selinux-policy-default

ACTIVATE SELINUX
Now, you will normally have an issue here but go ahead and run the command:

selinux-activate

The output may vary but it should tell you to reboot, so go forth and type

sudo reboot

now, and it should start to reboot.

CHECK SELINUX
Now, you may have to remotely SSH to your machine as you probably don't see anything but a grey background and big black X for a mouse cursor. If you don't have this problem, SELinux probably was a successful install (lucky you but doubtful). Either way, open a terminal and run the command:

sudo check-selinux-installation

Now, after that command, you probably see something scary like:

/usr/sbin/check-selinux-installation:19: DeprecationWarning: os.popen3 is deprecated. Use the subprocess module.
@staticmethod
/usr/sbin/check-selinux-installation:23: DeprecationWarning: os.popen2 is deprecated. Use the subprocess module.
def fix():
/etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled – not serious, but could prevent system from booting…

This obviously means SELinux was NOT successful. So, let's fix that!

PERMISSIVE OR ENFORCING?
Now, I would tell you to try and enable permissive mode but it is extremely likely it won't work. So I want you to enable Enforcing Mode by typing:

sudo selinux-config-enforcing

CONFIGURE PAM
Now we need to manually configure PAM, and you could use vi or pico (sorry, I like pico!), so use your favorite text editor for the commands below:

1). Edit PAM Login (/etc/pam.d/login)

sudo pico /etc/pam.d/login

Now add the following line to the file:

session required pam_selinux.so multiple

Save the file (Pico users press Ctrl+X, Y to overwrite, Enter to save/exit).

Now let's re-activate by typing:

sudo selinux-activate

It will recommend you reboot; don't, not yet, as we have a couple more tasks...

2). EDIT INITSCRIPTS (/etc/default/rcS)
Go forth and type:

sudo pico /etc/default/rcS

In this file, I want you to add 2 lines of code (any order):

FSCKFIX=yes

and

EDITMOTD=no

Now save the file (see #1 for PICO saving).

CHECK DEVPTS
Please run the code:

sudo mount | grep devpts

If it comes back with:

devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620)

or similar, you're good to go.

Now, remove the static nodes by typing:

sudo rm -f /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]

3). Go, Go Activate (selinux-activate)
Now that we added and saved everything, let's see if we did it successfully by typing:

sudo selinux-activate

If you now see:

Activating SE Linux
SE Linux is activated. You may need to reboot now.

We've successfully allowed SELinux to install, and it has been activated where previously it could not be. You could always set up a cron job and other things as well, but you should be OK now.

/* Thanks,
 * Lance
*/
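The hand edits in the guide above (the pam_selinux line in /etc/pam.d/login, FSCKFIX and EDITMOTD in /etc/default/rcS, and the devpts check) are easy to get wrong or apply twice. The script below is an added example and is not Lance's code: it wraps each edit in an idempotent function, takes the file paths as arguments so you can rehearse on copies first, and verifies the result. The function names, the SELINUX_HELPERS_APPLY variable and the sample files are my own assumptions; the static tty node removal is deliberately left out as a manual step.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers for the
# hand edits the guide walks through, so re-running them never duplicates
# the pam_selinux line or the rcS settings.  Paths are passed as arguments
# so the functions can be exercised on copies before touching /etc.
set -u

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Set KEY=VALUE in a shell-style defaults file (e.g. /etc/default/rcS):
# rewrite an existing KEY= line in place, or append one if it is missing.
set_kv() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        $0 ~ ("^" k "=") { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply the guide's three edits to the given PAM login file and rcS file.
configure_selinux_files() {
    pam_login=$1; rcs=$2
    ensure_line "$pam_login" "session required pam_selinux.so multiple"
    set_kv "$rcs" FSCKFIX yes
    set_kv "$rcs" EDITMOTD no
}

# Read `mount` output on stdin; succeed only if devpts is mounted on
# /dev/pts, which is what the "CHECK DEVPTS" step looks for.
devpts_mounted() {
    grep -q '^devpts on /dev/pts type devpts '
}

# Report each missing setting; return non-zero if anything is missing.
verify_selinux_files() {
    pam_login=$1; rcs=$2; ok=0
    grep -q 'pam_selinux\.so' "$pam_login" || { echo "$pam_login: no pam_selinux line"; ok=1; }
    grep -qx 'FSCKFIX=yes' "$rcs"         || { echo "$rcs: FSCKFIX is not yes"; ok=1; }
    grep -qx 'EDITMOTD=no' "$rcs"         || { echo "$rcs: EDITMOTD is not no"; ok=1; }
    return $ok
}

# Real use (as root): SELINUX_HELPERS_APPLY=1 sh selinux-helpers.sh
# (hypothetical file name; the variable is an assumption of this example).
if [ "${SELINUX_HELPERS_APPLY:-0}" = 1 ]; then
    configure_selinux_files /etc/pam.d/login /etc/default/rcS
    verify_selinux_files /etc/pam.d/login /etc/default/rcS
    mount | devpts_mounted && echo "devpts is mounted on /dev/pts"
fi
```

Running configure_selinux_files twice leaves the files unchanged the second time, which is the property you want before you let a script near /etc/pam.d: a duplicated session line is harmless, but a duplicated or half-written rcS is not.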

raspberryjammer
Posts: 1
Joined: Tue Oct 23, 2012 5:27 pm

Re: [Guide] SELinux {Get/Install/Setup}

Tue Oct 23, 2012 5:35 pm

Thanks for the great guide!

I've run into a problem though.
After completing all the steps, when I check-selinux-installation I get the following...

getfilecon:  getfilecon(/proc/1) failed
SELinux is not enabled.
Could not read the domain of PID 1.

Any idea how I can fix this? I've done loads of Googling but couldn't find a solution.

Thanks

nicknml
Posts: 192
Joined: Thu Mar 15, 2012 8:44 pm

Re: [Guide] SELinux {Get/Install/Setup}

Tue Oct 23, 2012 7:22 pm

Nice tutorial although I tend to find SELinux to usually be an annoyance.

lenrem
Posts: 2
Joined: Mon Feb 18, 2013 12:51 am

Re: [Guide] SELinux {Get/Install/Setup}

Mon Feb 18, 2013 1:06 am

Hmmm,
Correct me if I am wrong: I believe there should be a line with CONFIG_SECURITY_SELINUX in /proc/config.gz for all this to work. I cannot find it. I have the exact same response as raspberryjammer.
I do have:

# CONFIG_SECURITY is not set
# CONFIG_SECURITYFS is not set

Is that a show stopper?

mutemule
Posts: 1
Joined: Fri Aug 16, 2013 12:30 pm

Re: [Guide] SELinux {Get/Install/Setup}

Fri Aug 16, 2013 12:44 pm

I've been playing with getting SELinux up and running, and it seems as though the situation has changed from the original post above. Most of this information was taken from https://wiki.debian.org/SELinux, which you should refer to if you're embarking down this road.

First off, lenrem is right, you will need to compile a new kernel, as the default kernel is missing some required options. You're looking to have at least CONFIG_AUDIT, CONFIG_SECURITY, and CONFIG_SECURITY_SELINUX enabled, in addition to the default kernel options provided. The complete set of SELinux-related (and required) kernel options I'm using are:

CONFIG_AUDIT=y
CONFIG_AUDIT_LOGINUID_IMMUTABLE=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""

So, you need to compile and install a new kernel (I based mine off of arch/arm/configs/bcmrpi_defconfig). This is by far the hardest part of this process, and isn't something I'll cover how to do (hint: https://akanto.wordpress.com/2012/09/25 ... 17-part-1/).

Next, to install packages: sudo apt-get install selinux-basics selinux-policy-default auditd. We're almost done.

The PAM configuration above is correct, and is a change you'll need to make by hand. You'll also want to set your default mode to permissive, by editing /etc/selinux/config and setting SELINUX=permissive.

Finally, the selinux-enable command won't work for you, because it's looking for grub, and we don't use grub. So edit /boot/cmdline.txt and append selinux=1 security=selinux to the single line in that file. Finally, the last thing the selinux-enable does is force a filesystem relabel, so we can do this by running sudo touch /.autorelabel.

Now reboot your Pi. On this reboot, the filesystem will be relabelled, which does take some time (5-10 minutes, depending). Once complete, it will initiate a reboot itself, and you will be up and running with SELinux in permissive mode!

To switch to enforcing mode, just run sudo setenforce 1. To change your system to always run in enforcing mode, just set SELINUX=enforcing in /etc/selinux/config, and then reboot.

(If you run into issues, PM me, as I've only just created an account to make this note, so it's unlikely I'll be following this topic.)

EDIT: Quick review shows a potential issue with what I wrote regarding the usefulness of selinux-enable. If you're using a display manager (kdm or wdm), selinux-enable will update your PAM configuration for those subsystems such that they are SELinux-friendly. So you may want to run it on your system, if you're using X11 (if you're sticking to a console, there's no benefit to running it, but neither is there a drawback).
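Both lenrem's question and mutemule's post come down to two things that are cheap to check before any userland work: whether the running kernel was built with the SELinux options listed above, and whether /boot/cmdline.txt carries selinux=1 security=selinux. The script below is an added example, not mutemule's code or anything from the Debian wiki; it reads either a plain .config or /proc/config.gz and edits the cmdline file idempotently. The function names, the REQUIRED_Y list (a subset of the options in the post) and the SELINUX_BOOT_APPLY variable are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the post above): sanity-check a kernel config and
# /boot/cmdline.txt against the options mutemule lists, before spending time
# on userland setup.  Paths are arguments, so the checks run equally against
# a saved .config in a kernel tree or the running kernel's /proc/config.gz.
set -u

# Options from the post that must be =y for SELinux to load at boot.
REQUIRED_Y="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_BOOTPARAM"

# Print a kernel config as plain text, whether it is gzipped or not.
read_config() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Succeed only if every option in REQUIRED_Y is =y; print each one missing.
kernel_supports_selinux() {
    cfg=$(read_config "$1"); missing=0
    for opt in $REQUIRED_Y; do
        if ! printf '%s\n' "$cfg" | grep -qx "$opt=y"; then
            echo "missing: $opt=y"; missing=1
        fi
    done
    # Not fatal, but worth knowing: with this option SELinux can be turned
    # off at runtime before a policy is loaded.  The post's config leaves it unset.
    if printf '%s\n' "$cfg" | grep -qx 'CONFIG_SECURITY_SELINUX_DISABLE=y'; then
        echo "warning: CONFIG_SECURITY_SELINUX_DISABLE=y (runtime disable is possible)"
    fi
    return $missing
}

# Succeed if the single cmdline.txt line carries both boot parameters.
cmdline_enables_selinux() {
    line=$(cat "$1")
    case " $line " in *" selinux=1 "*) ;; *) return 1 ;; esac
    case " $line " in *" security=selinux "*) return 0 ;; *) return 1 ;; esac
}

# Append the two parameters to cmdline.txt, keeping it a single line and
# never adding a parameter that is already there.
cmdline_add_selinux() {
    file=$1
    [ "$(wc -l < "$file")" -le 1 ] || { echo "$file: expected a single line" >&2; return 1; }
    line=$(cat "$file")
    for tok in selinux=1 security=selinux; do
        case " $line " in *" $tok "*) ;; *) line="$line $tok" ;; esac
    done
    printf '%s\n' "$line" > "$file"
}

# Real use (as root) once the rebuilt kernel is installed and booted:
#   SELINUX_BOOT_APPLY=1 sh selinux-boot-check.sh   (hypothetical file name)
if [ "${SELINUX_BOOT_APPLY:-0}" = 1 ]; then
    kernel_supports_selinux /proc/config.gz || exit 1
    cmdline_add_selinux /boot/cmdline.txt
    touch /.autorelabel    # queue the relabel that selinux-enable would have done
fi
```

Run kernel_supports_selinux against /proc/config.gz on a stock Raspbian kernel and it prints every option as missing, which is the short answer to lenrem's "is that a show stopper?": yes, until the kernel is rebuilt.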

0xgone
Posts: 1
Joined: Sun Dec 15, 2013 9:41 am
Location: France
Contact: Website

Re: [Guide] SELinux {Get/Install/Setup}

Sun Dec 15, 2013 9:47 am

I'm setting up SELinux on my Pi right now. Could anyone explain the "CHECK DEVPTS" part of this tutorial? Are the ttys removed to ensure they are not used instead of devpts?

pandu
Posts: 1
Joined: Fri Feb 05, 2016 6:50 pm

Re: [Guide] SELinux {Get/Install/Setup}

Mon Feb 08, 2016 4:10 pm

I have incorporated everything that has been suggested in this thread to enable SELinux in Raspbian kernel v4.1.16 v7+. But no luck yet. I keep seeing the below output:

$ sudo check-selinux-installation
../proc/1 kernel..
SELinux is not enabled.
The init process (PID 1) is running in an incorrect domain.

Can one of you please help me figure out if I am doing something wrong here. Greatly appreciate your help.
I have not been able to find out where CONFIG_AUDIT_LOGINUID_IMMUTABLE is in menuconfig. Could that be the reason why SELinux is not enabled for me? It would be great if you can let me know which category in menuconfig has CONFIG_AUDIT_LOGINUID_IMMUTABLE. Thanks.

jhausladen
Posts: 1
Joined: Tue Mar 01, 2016 9:33 am

Re: [Guide] SELinux {Get/Install/Setup}

Tue Mar 01, 2016 10:10 am

SELinux is now working right out of the box:

- Compile the Kernel with SELinux enabled. Instructions for compiling a kernel can be found at https://www.raspberrypi.org/documentati ... uilding.md

- Before actually compiling the Kernel (zImage modules dtbs) open your .config file in the Kernel's root directory and add the necessary Kernel parameters suggested in the Arch Wiki https://wiki.archlinux.org/index.php/SE ... the_Kernel
This is necessary, as the default configuration for the Raspberry Pi's kernel does not include SELinux.

- Run the “bcm_defconfig” command again but replace the bcm_defconfig with "menuconfig" at the end to verify SELinux is now enabled in the "Security" options.

- On bootup, install selinux userland tools "sudo apt-get install selinux-basics selinux-policy-default auditd"

- Optionally install "selinux-policy-dev, setools/setools-gui, selinux-utils"

- Activate SELinux by running "selinux-activate"

- Reboot and verify the status by running "sestatus" command. This step may take a few minutes to label the filesystem

- Configure SELinux such as "permissive/enforcing" mode by editing the /etc/selinux/config file

- For activating/deactivating SELinux add "selinux=1" and "security=selinux" to the "/boot/cmdline.txt" configuration. In general SELinux will be active by default at this stage.

- No need to adjust PAM, as "selinux-activate" takes care of this.

- The "check-selinux-install" command will complain about FSCKFIX not being enabled. Open "/etc/default/rcS" and set FSCKFIX=yes

One problem I could not fix myself yet is that with SELinux enabled, the exec-shield protection prohibits loading "libarmmem.so":
ERROR; ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot enable executable stack as shared object requires): ignored.
Using execstack -c /usr/lib... option does not work as libarmmem.so needs an executable stack.
When using setsebool -P allow_execstack 1 one gets some permission denied errors on many shared libraries. E.g., nano is not working anymore (segfault). It seems the default policy may not be completely valid. The ERROR; ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot enable executable stack as shared object requires): goes away by changing the context of libarmmem.so to textrel_shlib_t (chcon -t textrel_shlib_t /usr/lib/arm-linux-gnueabihf/libarmmem.so).
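The libarmmem.so problem in the post above is the kind of thing where it pays to read the AVC denials before flipping a policy boolean: allow_execstack is system-wide, while a chcon to textrel_shlib_t touches one file. The script below is an added example and not jhausladen's code. It summarises denials from an audit log by permission, command, class, target context and path, and lists the libraries that were denied execmod while labelled lib_t (the candidates for the relabel the post ends with). The audit lines in write_sample_log are constructed to resemble what auditd records in this situation, not captured from a real Pi; the function names are my own, and on a real system you would point them at /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the post above): summarise AVC denials so the
# fix can be scoped to what was actually denied.  The sample log is
# constructed, not captured; on a real system use /var/log/audit/audit.log.
set -u

# Write constructed AVC lines (not captured from a real system) to FILE.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1456830000.101:201): avc:  denied  { execstack } for  pid=812 comm="nano" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1456830000.102:202): avc:  denied  { execmod } for  pid=812 comm="nano" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=4242 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1456830000.103:203): avc:  denied  { execmod } for  pid=815 comm="bash" path="/usr/lib/arm-linux-gnueabihf/libarmmem.so" dev="mmcblk0p2" ino=4242 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1456830000.104:204): avc:  denied  { read } for  pid=820 comm="ntpd" name="drift" dev="mmcblk0p2" ino=9001 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
EOF
}

# One tab-separated line per distinct denial in FILE:
#   count  permission  comm  tclass  tcontext  path (or - when absent)
avc_summary() {
    awk '
    /avc: +denied/ {
        perm = "?"; comm = "?"; path = "-"; tctx = "?"; tclass = "?"
        if (match($0, /\{ [^}]* \}/))    perm   = substr($0, RSTART + 2, RLENGTH - 4)
        if (match($0, /comm="[^"]*"/))   comm   = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /path="[^"]*"/))   path   = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /tcontext=[^ ]*/)) tctx   = substr($0, RSTART + 9, RLENGTH - 9)
        if (match($0, /tclass=[^ ]*/))   tclass = substr($0, RSTART + 7, RLENGTH - 7)
        count[perm "\t" comm "\t" tclass "\t" tctx "\t" path]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' "$1" | sort
}

# Permissions denied to one command (FILE COMM), sorted, space-separated.
avc_perms_for_comm() {
    avc_summary "$1" | awk -F '\t' -v c="$2" '$3 == c { print $2 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Libraries denied execmod while labelled lib_t: the files a targeted
# textrel_shlib_t relabel would cover, instead of a global execstack boolean.
libs_denied_execmod() {
    avc_summary "$1" | awk -F '\t' '$2 == "execmod" && $5 ~ /:lib_t:/ { print $6 }' | sort -u
}

# Real use: sh avc-triage.sh /var/log/audit/audit.log   (hypothetical file name)
if [ "$#" -eq 1 ] && [ -r "$1" ]; then
    echo "== denials =="; avc_summary "$1"
    echo "== lib_t objects denied execmod =="; libs_denied_execmod "$1"
fi
```

On the constructed sample, libs_denied_execmod names only libarmmem.so, so the relabel stays a one-file change, and the unrelated ntpd read denial is visible as a separate item rather than being masked by a broad boolean.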
