Saturday, March 7, 2009

Memo: SELinux on Debian Etch

Memo: SELinux on Debian Etch

Install base utilities and enable SELinux

First make sure that you are using a SELinux capable kernel and filesystem. Get the targeted policy and a basic set of SELinux packages by running:

aptitude install selinux-basics selinux-policy-refpolicy-targeted

Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line (by adding it to the #kopt= line and then running update-grub)
Run fixfiles relabel and reboot.

Run check-selinux-installation to check that everything has been setup correctly and to catch common SELinux problems.

SELinux runs by default in permissive mode, ie. it doesn’t do anything apart from auditing the actions, and logging them (eg. in /var/log/syslog). To really enable SELinux, you have to run setenforce 1 and edit /etc/selinux/config.

Usfeful tips

Relabel files:

# restorecon -R -v /etc /usr/sbin /var/run /var/log

Allow NFS server:

# setsebool -P nfs_export_all_rw 1

Remove the call to create_xconsole in /etc/init.d/sysklogd
Remove the section about xconsole from /etc/syslog.conf

Load necessary modules to confine the daemons in their own domains:

semodule -i /usr/share/selinux/refpolicy-targeted/


# semodule -l
apache 1.4.0
apm 1.3.0
avahi 1.3.0
dbus 1.3.0
gpg 1.1.0
hal 1.4.0
inetd 1.2.0
loadkeys 1.0.0
portmap 1.3.0
prelink 1.2.0
pythonsupport 0.0.1
rpc 1.3.0
rsync 1.3.0
sasl 1.3.0
screen 1.1.0
smartmon 1.1.0
ssh 1.4.0
tcpd 1.1.0
udev 1.4.0
usbmodules 1.1.0
vbetool 1.1.0


setsebool -P allow_execmod=1
execstack -c $(locate
execstack -c $(locate

In the first line, you turn on execmod. In the 2 lines after, you disable the execstack from shared librairies.

execstack -c $(locate
execstack -c $(locate


setsebool -P snmpd_disable_trans=1


Debian specific:


No comments: