The UnOfficial SELinux FAQ

Last update : Wednesday October 4, 2006

UnOfficial FAQ? Why UnOfficial FAQ?

Who? What? Why?

What is SELinux ?
Is SELinux a Trusted Operating System?
What is LSM ?
Who developed SELinux ?
What is SELinux good for ?
Why should I run SELinux and not normal Linux ?
What does SELinux do that I can't do with normal *nix?
Who supports SELinux ?
Is there an Email list that I can join ?
I'm not a Linux kernel expert, should I be scared and avoid SELinux ?
Is there somewhere that I can see a demo ?
Is SELinux ready for production ?
Why does the newrole command prompt for authentication ?
What is the performance impact of running SELinux ?
Is SELinux suitable for desktop users ?

Getting SELinux

Where do I get SELinux from ?
What do I need to get ?
Should I use the 2.4 or 2.6 kernel ?
Is there an SELinux distribution ?
How can I get the latest code from CVS ?
Where can I get (the latest) policy files from ?

SELinux Installation

How do I install SELinux ?
Why do I get tcl.h/tk.h errors installing setools/apol ?
Policy installation fails with 'ERROR unknown type system_mail_t at ...'
Can I use xfs/reiserfs filesystems ?
How should I handle large filesystems ?

General Administration

How do I add users/groups ?
How do I set the password for a user ?
How do I start/stop server daemons ?
Can I change root to have the sysadm_r role as default ?
How do I boot into permissive/enforcing mode ?
How do I disable SELinux completely ?
How do I switch between enforcement and permissive modes at run time ?
I want my system to be bullet-proof, How do I switch to enforcement mode and make it impossible to switch back ?
Why would I want to run a system in permissive mode anyway ?
What about backup and recovery ?

Building SELinux Policies

How do I learn to write SELinux security policies ?
The policy definitions are very user-unfriendly, is there a plan for improvement ?
I've changed the policy ( .te ) files, how do I load the policy ?
I've changed the File Context files ( .fc ), how do I tag all the files again ?
How do I go about writing a policy for a new program foo ?
What is a "domain transition" ?
Is there a text file on my system with the list of user roles or is that information stored some other way ?
Can I configure the operating system NOT to ask for a user role on login ?
What's the difference between allow, auditallow, and dontaudit ?
How do I secure PHP programs running under Apache ?
Where should I put local policy changes ?
Are policy loads "atomic" (ie. non-disruptive) ?
What are policy "booleans" ?

SELinux-aware software

Can I patch procmail in a similar way to login, etc ?

Message Logging

How do I stop all of those messages on the console ?
Why does SELinux log messages only once ?
Why do I get a lot of log messages from dhcpd ?

Common Problems

Help! I can't log in!
Program foobar doesn't work!
I upgraded my SELinux kernel to a new version and now I get lots of errors on booting, what went wrong?
If one of those messages is "login[1007]: UNABLE TO GET VALID SID FOR root"
When my system boots I see "SELinux: The separate SELinux kernel patch was not applied..." - what is wrong ?
When I start the X server as root, my system hangs
Does SELinux support XWindows ?
Cron jobs don't run, even in permissive mode
I can't log in with ssh, it reports "Could not obtain SID for user xxx"
run_init fails with "execvp: File or directory not found"
run_init fails with "execvp: Permission Denied"
make relabel ( setfiles ) fails with "Operation not supported"
newrole fails with "cannot find your entry in the passwd file"
X won't start in enforcing mode
ssh won't login to sysadm_r role
fixfiles removes all files in /tmp
Why do I get messages about "cannot enable executable stack" when running programs under SE Linux?

Miscellaneous

Help! .... where can I get more information?


UnOfficial FAQ? Why UnOfficial FAQ?

The "official" FAQ is on the NSA website - it covers history and strategy of SELinux and not much in the way of technical details. It doesn't tell you much about how to do things, what certain errors mean, and how to solve problems. I got frustrated at the lack of documentation for SELinux while I was researching an article for SysAdmin magazine so I wrote this FAQ and called it the UnOfficial FAQ.
Much of the information here comes from my own research, and from the SELinux mailing list. The following people have also made valuable contributions to this FAQ :
  • Russell Coker
  • Stephen Smalley
Where people have contributed significant parts, I've added their name in square brackets [].

This document can be found in the following locations :
Note that this FAQ applies to stable releases of the SELinux kernel modules and user-land only. This is because the development versions are just changing too quickly to keep up with. If you are having issues with development versions which aren't answered here, then you're better off joining the SELinux mailing list and posting your problems there.


Who? What? Why?


What is SELinux ?

SELinux is an operating system based on Linux which includes Mandatory Access Control. In short, with SELinux you can define explicit rules about which subjects ( users, programs ) can access which objects ( files, devices ). You could think of it as an internal firewall which gives you the ability to separate programs from each other, thereby ensuring a high level of security within the operating system.

Is SELinux a Trusted Operating System?

It should be noted that the people working on SE Linux tend to avoid the term "Trusted Linux" or anything similar. Trusted distributions are associated with releases that lag way behind the main releases, have compatibility issues with commonly used software, and generally cause problems for users. In Red Hat distributions and in Hardened Gentoo SE Linux works really well, is up to date, and has minimal compatibility issues.

There are various projects underway to get EAL certification for SELinux, most notably by RedHat and IBM.

What is LSM ?

LSM ( Linux Security Modules ) is an extension of the Linux kernel which allows security systems to be easily added to the kernel. SELinux is implemented as an LSM, and utilises the LSM kernel interface. The LSM homepage is at lsm.bkbits.net

Who developed SELinux ?

SELinux was originally developed by the NSA with cooperation from various contractors such as MITRE and NAI Labs. It was derived from the Flask security architecture which was a part of the Flux research operating system. After its public release at the end of 2000, it was adopted by the open source community and is currently being worked on by a number of people around the world. The NSA is still involved in the development.

More recently, RedHat and Tresys Technology have major roles in SELinux development.

What is SELinux good for ?

From the NSA FAQ :
"The Security-enhanced Linux's new features are designed to enforce the separation of information based on confidentiality and integrity requirements. They are designed for preventing processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system security policy. They also help to confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling a single system to be used by users with differing security authorizations to access multiple kinds of information with differing security requirements without compromising those security requirements."

Now that SE Linux is on by default in Fedora and Red Hat Enterprise Linux it adds an extra level of security without any effort from the user. Desktop users can get a high level of security without onerous management effort.

Compared to other approaches for high security, it is easier to achieve the same goals with SELinux than with many alternative methods. For example, if an administrator wishes to set up an Internet DNS server, it takes a lot more effort to set up a CD-ROM based machine than to just do a default Fedora or RHEL install and get the same benefits.

Why should I run SELinux and not normal Linux ?

Because SELinux gives you the ability to secure processes from each other within the system. For example, if you have a web server on the Internet which is also serving Email and DNS then you would not want a vulnerability in the web server process allowing the attacker access to corrupt your DNS server. SELinux is one of the very few practical operating systems available which can provide such a level of protection. In recent releases of Fedora and RedHat Enterprise Linux, SELinux is enabled by default and requires no special effort to maintain.

What does SELinux do that I can't do with normal *nix?

In a conventional Unix/Linux system, access control is under the control of the user. The user chooses the other users that may access the files that the user owns.
SELinux is under the control of the security administrator. This includes the files that the user owns. Even if the user wants a specific other user to have access to a file, if that user is not in a domain containing the other user (ie, both are in the same domain) then the other user still cannot access the file.
The difference is in mandatory access vs discretionary access.
As far as the system files go, if all are carefully given appropriate ACLs, then they can be protected. However, if the root account is hacked, the files are still vulnerable.
If a SELinux system is hacked, unless the hack itself contains an all powerful label/domain, the hack still doesn't have access to all of the files. Only those belonging to the domain of the hacked daemon.
[Jesse Pollard]

Who supports SELinux ?

Well, nobody officially. But if you need help, there are plenty of resources around. Searching Google for your problem is a good start. Also search the SELinux mailing list archives. If you've still got a problem, join the SELinux mailing list and post your question there.

Is there an Email list that I can join ?

There sure is. And they're a friendly bunch of folks too! You can subscribe by sending an Email message to Majordomo@tycho.nsa.gov with the words 'subscribe selinux' in the message body.
There is a searchable archive of the SELinux mailing list at http://marc.theaimsgroup.com/?l=selinux

I'm not a Linux kernel expert, should I be scared and avoid SELinux ?

Yes! Run! Now! While you still can! Seriously, it's not too hard at all. If you've ever downloaded a source code package and compiled it on Linux ( or Solaris, etc. ) then you will have no problem installing and running SELinux. Just be careful how you set up those kernels in the boot manager, and when you're performing science experiments it pays to have a reliable non-SELinux kernel around that you can boot from, just in case.

Is there somewhere that I can see a demo ?

There are a few SELinux servers on the Internet into which you can log in, as the root user no less. Bold move - the security of the system depends completely on the SELinux policy definition.

Refer to the following pages for accessing SELinux demo/play machines:
  • Fedora Russell Coker's Fedora demo machine
  • Gentoo a demo machine from the Hardened Gentoo Team
  • Debian Ed Street's Debian demo machine
The Hardened Gentoo team also produces a bootable liveCD which is great for demonstrations. The ISO image is available here.

Is SELinux ready for production ?

SELinux is being rapidly adopted by many companies for production systems since RedHat have enabled it by default for Enterprise Linux. It has been a part of Fedora since Fedora Core 2 was released, and is now becoming widely accepted for production systems.

Why does the newrole command prompt for authentication ?

When you run the newrole command to switch to another SELinux role, you will be prompted to type in the password for the user that you logged in as. This differs from the usual Unix newgrp command, used to switch your default group, which does not prompt for a password. The reason for this is to prevent malicious programs that you may be inadvertently running from gaining access to more privileged roles.

What is the performance impact of running SELinux ?

Currently, the performance overhead is approximately 7%. There has been little effort to date to optimise the SELinux code for performance, and in some cases such as networking the impact may be higher. The SELinux development team is looking at improving performance. If you set "selinux=0" as a kernel boot option, SELinux will have no performance impact.

There has been quite a bit of work on the performance of SE Linux. In early 2005, SE Linux was optimised for machines with 32 or more CPUs. Recently changes have been made to the kernel code to reduce memory use (not in kernel.org or distribution kernels yet).

Is SELinux suitable for desktop users ?

The "targeted" policy (default for Fedora and Red Hat Enterprise Linux) locks down daemons but doesn't restrict user sessions. So for a desktop machine there is no loss of functionality, but SE Linux still provides protection for system programs.


Getting SELinux


Where do I get SELinux from ?

By far the easiest way is to install Fedora Core version 3 or above or Red Hat Enterprise Linux version 4 or above. Fedora Core 2 was the first distribution to have SE Linux support, but it wasn't on by default and didn't work as well as FC3 and FC4.

The SELinux kernel has been traditionally made available from the NSA site, here. Since SELinux has been adopted into the 2.6 kernel it is more widely available in many common Linux distributions. See the next section.

What do I need to get ?

To get SELinux working, you must install the following:
  • An SE-enabled Linux kernel. You can either use the stable 2.6 kernel, which doesn't require any additional patches, from one of the following:
    Note that if you want to use a 2.6 kernel on a Linux distribution which is based on a 2.4 kernel, then I recommend you perform the 2.6 kernel installation and get it working without enabling SELinux features before you attempt going any further.

    If you want to use a 2.4 kernel, get the older 2.4 kernels with SELinux patches available from the NSA site.

  • The SELinux userland packages from one of:
    • NSA site for source/SRPM packages - even if you're planning on installing RPM/DEB packages, it's a good idea to get this source package because it contains useful documentation and installation instructions that you will want to review before installation.
    • Daniel Walsh's RPMs for RedHat/Fedora, which include a very useful script selUpgrade that will automatically fetch and install the packages into a Fedora Core system.
    • Russell Coker's site for Debian packages. Russell gives instructions on how to get the packages through Debian's apt-get utility.
Once you've figured out what you need, go to the How do I install? FAQ section.

Should I use the 2.4 or 2.6 kernel ?

You should use the 2.6 kernel.

Support for the old 2.4 kernel SELinux is being decreased and may cease entirely in the near future.

trulux - Lorenzo Hernandez Garcia-Hierro ( lorenzo /at/ gnu.org ) is now the only person who provides any support for SE Linux on a 2.4.x kernel. So really the only option is a 2.6 kernel.
[Russell Coker]

Is there an SELinux distribution ?

SELinux itself is not a distribution - it is a set of features that Linux distributions can include with their installations. Currently, the following common Linux distributions include SELinux:
  • Fedora Core - starting with Fedora Core 2. This is the best distribution for SELinux developers as it is the widely accepted reference for development.
  • RedHat Enterprise Linux - from version 4
  • Debian - available as additional packages
  • Gentoo - available as additional packages ( Hardened Gentoo )
  • Ubuntu - available as additional packages
  • SuSE - partly integrated in SuSE Linux 9.x and SLES 9
  • EnGarde Secure Linux - a distribution sponsored by Guardian Digital Inc, specifically designed to provide Internet services on a high security platform. Includes some nice management tools.
  • SlackWare - maybe .....

How can I get the latest code from CVS ?

Get the latest code from CVS by running this command :
cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux -z3 co nsa

Where can I get (the latest) policy files from ?

The NSA release will include a useable set of policy files. Also, Russell Coker has a very good and up to date set of policy files at www.coker.com.au


SELinux Installation


How do I install SELinux ?

Fedora Core 3 and above, and RedHat Enterprise Linux 4 and above, come with full support for SELinux enabled by default. Install one of those distributions and you will have installed SELinux.

For other Linux distributions which don't come with full SELinux support, start by installing the normal Linux system. Make note of the following:

  • use ext2/ext3 filesystems ( ReiserFS can generally be used with recent kernels for non-root filesystems )
  • install the C compiler
  • install development libraries
  • install the kernel sources ( the kernel config files in particular will be useful )
Then download the SELinux package from the NSA site, unpack it and read the README file. There should be more than enough information in the README to get your system installed and operating properly.
The following HOWTOs will also provide assistance:

Why do I get tcl.h/tk.h errors installing setools/apol ?

On systems without TCL/TK installed, if you are running the quickinstall or have elected to install the setools package, you may see these errors:
cd apol; make install
make[3]: Entering directory `/home/installs/selinux/tools/setools/apol'
gcc -Wall -g -I/usr/include -DUSE_SORTING -c apol_gui.c
apol_gui.c:14:17: tcl.h: No such file or directory
apol_gui.c:15:16: tk.h: No such file or directory
SETools requires that both the TCL and TK packages are installed. If they are not, then you can either install the packages, or not install SETools. To remove SETools from the Makefile, edit Makefile and comment-out the following two lines:
# @echo "Building and installing SELinux tools"
# cd tools && make install

Policy installation fails with 'ERROR unknown type system_mail_t at ...'

The problem is most likely that you haven't included the 'mta.te' file into the policy. Just move the file into the policy directory :
cd policy/domains/program
mv unused/mta.te .
... and re-run the installation.

Can I use xfs/reiserfs filesystems ?

For xfs, the default Inode size is 256 bytes, which is not enough to fit the "security.selinux" XATTR name and its data (as about 200 bytes is used for other stuff). So the XATTR won't fit in the Inode and will need a block of its own, which is 4096 bytes on i386. Having 4096 bytes per file for the SE Linux XATTR is a huge waste of disk space.
If you use the option "-isize=512" when making an XFS file system then the SE Linux XATTR will fit in the Inode. On some Inodes the extra space can be used for other things as well, so you won't necessarily have 256 - (XATTR size) bytes of disk space going unused.
[Russell Coker]

For reiserfs, most recent kernels now have support for SELinux, but the patches are known to have bugs. So it's best not to use ReiserFS for the root file system ( but it should have full support for other mount points ). Older kernels will require additional patches to support ReiserFS, available from Jeff Mahoney's repository. If you really need to use ReiserFS with SELinux and your kernel doesn't have these patches, then the "-o context=" mount option should do the job reasonably well for contained directories like mail spools.

How should I handle large filesystems ?

Similar to the previous question, if you have a very large filesystem, such as one with tens of thousands of files in a mail spool, squid cache, etc., then it is much more efficient to make it a separate filesystem mounted with the "-o context=" mount option. Using this, you can avoid relabelling every single file in the large filesystem, which is a very slow process.


General Administration


How do I add users/groups ?

Simply use the normal Linux commands useradd and groupadd to create users and groups respectively. These will create the user/group account and assign an SELinux identity. Accounts which have no SELinux identity will get the identity user_u which should allow them to perform the basic user tasks.

How do I set the password for a user ?

Use the normal Linux command passwd to set a user password. Like useradd, passwd has also been modified for SELinux to set a password without changing the file context of /etc/passwd & /etc/shadow to something else which could stop things from working.

How do I start/stop server daemons ?

It is important that server daemons are started within the correct context; if they are not, they will probably not run properly.

For Fedora and RedHat Enterprise Linux, use the normal command, service (name) start/stop

For Debian and Gentoo, use the run_init command to run scripts in /etc/init.d within the correct context, for example sshd:

run_init /etc/init.d/sshd start
which starts up the sshd daemon. Note that run_init will prompt the user for their password before performing the function: this is to prevent unauthorised access to the functionality, such as being executed by a trojan program.

Can I change root to have the sysadm_r role as default ?

Yes. The way to solve this is to change the order in /etc/security/default_contexts, change this:
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
to this:
system_r:local_login_t sysadm_r:sysadm_t user_r:user_t staff_r:staff_t
Alternatively, you should be able to create a /root/.default_contexts file with this entry to override the system defaults, so that only root defaults to logging in as sysadm_r, and other users who are authorized for both staff_r and sysadm_r will still default to staff_r. You'd have to make sure that local_login_t can read the /root/.default_contexts file, either by labeling it with the default_context_t type or by allowing local_login_t to read sysadm_home_t:file.
[Stephen Smalley]

How do I boot into permissive/enforcing mode ?

Use enforcing=0 in your kernel boot line to boot into permissive mode. See /boot/grub/grub.conf for systems which use the grub bootloader. Conversely, setting enforcing=1 boots your system into enforcing mode.

Fedora Core has a sysconfig file which does this a little more easily. Add the line

SELINUX=permissive
to /etc/sysconfig/selinux. Other options are enforcing and disabled. Note that disabled in here doesn't fully disable the SELinux kernel ( see next question ) but simply boots into permissive mode and skips loading the policy.

This assumes your kernel is built with the CONFIG_SECURITY_SELINUX_DEVELOP flag set which permits booting permissive mode.

See also this page on How to disable SELinux

How do I disable SELinux completely ?

The best way is to simply add selinux=0 to the kernel boot line. In RedHat/Fedora using the grub bootloader, you would edit /boot/grub/grub.conf and add the selinux=0 parameter to the kernel line.

Note however, that if you do this then new files will be created without security context information. If you re-enable SELinux with such files you will probably want to relabel the entire filesystem, and you could also possibly have problems booting.

This assumes your kernel is built with the CONFIG_SECURITY_SELINUX_BOOTPARAM parameter which enables this boot parameter.

See also this page on How to disable SELinux

How do I switch between enforcement and permissive modes at run time ?

There are a number of ways. The quickest is to run
echo "1" >/selinux/enforce
which will switch the kernel into enforcement mode. Conversely,
echo "0" >/selinux/enforce
switches into permissive mode.

In Fedora Core, you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode.

In older versions of SELinux, the command avc_toggle was used.

See also this page on How to disable SELinux

I want my system to be bullet-proof, How do I switch to enforcement mode and make it impossible to switch back ?

There are a couple of ways of doing this. Firstly, you could edit policy/macros/admin_macros.te and remove ( or comment-out ) the following line :
can_setenforce($1)
If you remove this line and reload the policy, then it will not be possible to change the enforcing mode ( not without changing the policy at least, and you could probably block that as well ).
Another way is by compiling the SELinux kernel without Development support. This will make a kernel which will only run in enforcement mode which cannot be switched off. Although to really secure your system you should remove any non-SELinux kernels from the boot configuration, and physically secure the system so that an attacker can't boot off any alternative media such as CD-ROM.
[Russell Coker]

Why would I want to run a system in permissive mode anyway ?

Because enforcement mode can make a lot of stuff stop working. Permissive mode is good for testing applications to identify what they are doing which will be denied in enforcement mode. The idea is that you should run your system in permissive mode and fine-tune your file labels and policy rules. When you've got the error rate down to an acceptable level, then switch to enforcement mode and continue testing until your system functions properly without granting too many permissions to applications.

What about backup and recovery ?

When backing up and recovering files with a SELinux system, care must be taken to preserve SELinux context information. Use the star command to backup SE Linux contexts on Fedora, Red Hat Enterprise Linux (and probably most systems with a recent version of star). For example,
star -xattr -H=exustar -c -f output.tar [files]
Also the dump and restore utilities for Ext2/3 have been updated to work with XATTRs (and therefore SE Linux contexts). They should work on all distributions now.


Building SELinux Policies


How do I learn to write SELinux security policies ?

Start by reading the NSA document, Configuring the SELinux Policy, particularly the "Building and Applying the Policy" section and the "Customizing the Policy" section. This document will give you a very good start.

Faye Coker has also written an excellent document, Writing SE Linux Policy HOWTO ( PDF version ).

From there, try editing some of the existing policy files and see what happens when you make changes. Try setting up or editing policies for some simple server programs such as ntpd and BIND.

SELinux policies are all written in a macro language called m4. To get more information on writing m4 macros, run info m4.

The policy definitions are very user-unfriendly, is there a plan for improvement ?

A few tools are available to help manage SELinux policies:
  • The Hitachi Software Engineering Company in Japan has developed some tools based on Webmin available here.
  • The Computer Privacy and Security Lab at the University of North Texas seems to have a project to design tools for editing and analyzing the SELinux policy. Currently they have listed a GUI analyzer, here.
  • Tresys have SETools, in particular the sepcut tool, which they developed for editing SELinux policies.
There have also been plans floating around the mailing list of creating an XML-based policy definition, and I believe this is still in development. Hopefully there will eventually be an efficient user-interface for editing the policy.

I've changed the policy ( .te ) files, how do I load the policy ?

Run make load to load the policy into the kernel if it believes that the new policy needs to be loaded ( ie. the new policy is different from what is already in the kernel ). Alternatively, running make reload will load the new policy regardless. This is useful if you have loaded a policy from some other file and wish to revert to the policy in /etc/security/selinux/.
[Russell Coker]

I've changed the File Context files ( .fc ), how do I tag all the files again ?

Run fixfiles relabel

Alternatively, in Fedora and RHEL you can touch /.autorelabel and reboot or put autorelabel on the boot command line ( in both cases the system gets a full relabel early in the boot process ). Note that this can take quite some time for systems with a large number of files.

How do I go about writing a policy for a new program foo ?

Start by running the program on a system which is in permissive mode, and collect all of the security violation logs from the syslog file ( /var/log/messages in most cases ). Carefully analyse the policy violation messages along with what you know about the application and what its restrictions should be and write the policy rules accordingly.
Alternatively, you can run these through a perl program called audit2allow (which was called newrules.pl in the older releases) which is in the SELinux distribution directory - this will generate Type Enforcement rules which can be added to your policy. There is a risk, though, that audit2allow will generate policy rules which are too permissive for what you are doing - the output policy definitions should be carefully checked before being installed.
You will need to configure labelling for the files belonging to the application, and it may be best to sort this out before you run the application in permissive mode so that the TE rules generated by audit2allow will have the correct file label specifications.
Eventually you should be able to run the application and get only a small number of policy violations, at this point you should switch your system into enforcement mode and verify that the application still works OK.
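As an added example (not part of this FAQ and not the audit2allow script itself), the shell script below carries out the procedure above on a constructed sample of syslog lines: it turns AVC denial messages into merged allow rules and then flags the rules that grant a capability or write-type access to system data types, so they get checked before going into the policy. The type names, the sample log and the review heuristics are this example's own assumptions, as is the three-part user:role:type context format.

```shell
#!/bin/sh
# Added example, not audit2allow itself: turn the AVC denials collected in
# permissive mode into candidate allow rules, then flag the ones that need a
# second look before they go into local.te.  Assumes the three-part
# user:role:type context format of the 2.6-era logs this FAQ describes.

# Constructed sample of /var/log/messages lines; the type names are made up.
SAMPLE_LOG='Jan 10 12:00:01 host kernel: eth0: link up
Jan 10 12:00:02 host kernel: audit(1105368002.100:41): avc:  denied  { read } for  pid=1234 exe=/usr/sbin/foo name=foo.conf dev=hda1 ino=12345 scontext=system_u:system_r:foo_t tcontext=system_u:object_r:etc_t tclass=file
Jan 10 12:00:03 host kernel: audit(1105368003.100:42): avc:  denied  { write } for  pid=1234 exe=/usr/sbin/foo name=foo.log dev=hda1 ino=22222 scontext=system_u:system_r:foo_t tcontext=system_u:object_r:foo_log_t tclass=file
Jan 10 12:00:04 host kernel: audit(1105368004.100:43): avc:  denied  { append write } for  pid=1234 exe=/usr/sbin/foo name=foo.log dev=hda1 ino=22222 scontext=system_u:system_r:foo_t tcontext=system_u:object_r:foo_log_t tclass=file
Jan 10 12:00:05 host kernel: audit(1105368005.100:44): avc:  denied  { net_bind_service } for  pid=1234 exe=/usr/sbin/foo capability=10 scontext=system_u:system_r:foo_t tcontext=system_u:system_r:foo_t tclass=capability'

# avc_to_allow: syslog lines on stdin -> one allow rule per
# (source type, target type, class) on stdout, with permissions merged.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      if (src == tgt) tgt = "self"    # policy shorthand for the own context
      key = src " " tgt ":" cls
      if (!(key in rules)) { keys[++n] = key; rules[key] = "" }
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++) {
        if ((key, p[j]) in seen) continue
        seen[key, p[j]] = 1
        rules[key] = rules[key] " " p[j]
      }
    }
    END { for (k = 1; k <= n; k++) printf "allow %s {%s };\n", keys[k], rules[keys[k]] }'
}

# flag_for_review: allow rules on stdin; prints those that grant a capability
# or a write-type permission on a target type holding system data.  The two
# lists below are heuristics chosen for this example, not anything standard.
flag_for_review() {
  awk '
    BEGIN {
      split("write append create unlink rename setattr", w, " ")
      for (i in w) writeperm[w[i]] = 1
      split("etc_t shadow_t bin_t sbin_t lib_t", t, " ")
      for (i in t) sysdata[t[i]] = 1
    }
    /^allow / {
      split($3, tc, ":")                       # target type : object class
      if (tc[2] == "capability") { print "REVIEW: " $0; next }
      if (tc[1] in sysdata) {
        for (i = 5; i < NF; i++) {             # fields between { and };
          if ($i in writeperm) { print "REVIEW: " $0; next }
        }
      }
    }'
}

# Stand-alone run.  On a live system the input would instead come from
#   grep "avc:  denied" /var/log/messages | avc_to_allow
rules=$(printf '%s\n' "$SAMPLE_LOG" | avc_to_allow)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | flag_for_review
```

Repeated denials for the same (source, target, class) collapse into one rule, and the flagged line is the one a reviewer would want to replace with something narrower before loading.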

What is a "domain transition" ?

Read the Configuring the SELinux Policy report, available in the distribution (selinux/doc/policy) or from the NSA SELinux web site. You might also want to read a background paper on Type Enforcement (TE).
A domain is a security attribute associated with a process. Processes with the same domain have the same set of permissions to the same set of objects. A domain transition occurs when a process changes its domain, conventionally by executing a program with a particular entrypoint type. Domain transitions provide a controlled mechanism for changes in permissions, whether to gain permissions, shed permissions, or switch to a completely orthogonal set of permissions. It is difficult to avoid domain transitions. If you did, you might as well not use SELinux.
[Stephen Smalley]

Is there a text file on my system with the list of user roles or is that information stored some other way ?

In the source distribution's selinux tree, the policy/users file specifies the set of roles authorized for each user. Obtaining the full set of defined roles is not entirely straightforward because role declarations are now distributed among the domain .te files. Roles for user processes are typically defined in policy/domains/user.te or policy/domains/admin.te. You may want to look at the Tresys policy tools as a way of more easily viewing the policy or managing users.
In an installed form, the policy sources are typically placed into /etc/security/selinux/src/policy.
[Stephen Smalley]

Can I configure the operating system NOT to ask for a user role on login ?

The user will be limited to the roles authorized for that user in policy/users. If you authorize the user for multiple roles, then he can choose one of those roles at login time or subsequently via newrole. What's the point of limiting the user to a single role at login time if he can change it subsequently via newrole? Of course, you could limit login to transition to a single user domain if you want to force all users to initially login with a certain role/domain.
[Stephen Smalley]

What's the difference between allow, auditallow, and dontaudit?

allow - specifies the set of permissions that are granted, defaults to none (deny everything unless explicitly allowed by an allow rule).
auditallow - specifies the set of permissions that should be audited when granted, defaults to none (audit no grantings unless explicitly enabled by an auditallow rule).
dontaudit - specifies the set of permissions whose denial should not be logged; the access stays denied (denial is the default), only the audit message is suppressed. This is often used for objects which are accessed frequently, where excessive logging would otherwise result.
[Stephen Smalley]

How do I secure PHP programs running under Apache ?

PHP programs are difficult because they are run within the same process as the Apache server : SELinux can only change process contexts when a process exec occurs. This means that PHP programs can only run under Apache policy rules. While this scenario is significantly more secure than on a non-SE system, there are obviously issues in that PHP programs may tamper with parts of the web server for which they shouldn't. This could impact the security for both the web server and the PHP program.
Running PHP programs as external CGI-type processes will allow for context changes and permit fine-grain policy control. However, this method has obvious performance problems.

Where should I put local policy changes ?

If you want to make general policy changes to your installed policy, a good place is in the domains/misc directory ( on a RedHat/Fedora system, /etc/security/selinux/src/policy/domains/misc/ ). Create a file in here called "local.te" and put local policy rules into this file. This will make it easier to merge in your local changes with new releases of the base policy. The process to compile and load the policy will automatically pick up your new file.
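A local.te along the lines the two answers above describe, as an added example that is not from the FAQ or from the NSA example policy. The type names come from questions on this page; the user_t/rawip_socket rules inside the boolean block are illustrative of the syntax, not the example policy's real ping rules:

```text
# domains/misc/local.te - site-local policy additions (added example; not from the
# FAQ or the NSA example policy). The normal "make load" picks this file up with the base policy.

# dontaudit: the access stays denied (denial is the default), only the log noise stops.
# This is the dhcpd packet_socket rule from the "Message Logging" section.
dontaudit dhcpd_t domain:packet_socket recvfrom;

# A policy boolean (see "What are policy booleans ?"): rules inside the if-block are
# only in effect while the boolean is on (setsebool user_ping 1). Declared off by default.
bool user_ping false;

if (user_ping) {
    # allow: grant the access. Illustrative rule only; the real ping rules in the example
    # policy are more involved. Check your own denial messages before copying an allow rule.
    allow user_t self:rawip_socket { create ioctl read write };

    # auditallow: the access above remains granted, but every raw socket creation by an
    # ordinary user is logged, so the audit log shows who used the privilege while it was on.
    auditallow user_t self:rawip_socket create;
}
```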

Are policy loads "atomic" (ie. non-disruptive) ?

Will a policy load try and load a new policy halfway through an access control or relabelling decision?

Policy loads are atomic. The new policy is loaded into temporary structures initially, then certain sanity checks are applied to it, and then it is installed as the active policy, with the last step performed while holding the policy write lock. The access vector cache is then reset and provided with the new policy sequence number.
[Stephen Smalley]

This does not mean that the system will not be disrupted by changes to the policy. If a new policy does not allow some operations that the system relies on, then the result may be undesired. Also, loading a new policy may invalidate the context of processes or files; this will prevent such processes from performing any operations and such files from being accessed by programs other than those run by an administrator (unconfined_t or sysadm_t domains).
[Russell Coker]

What are policy "booleans" ?

SELinux policy can now be adjusted at run time through booleans: the policy writer defines a boolean, and an administrator can then turn it on or off without reloading the policy. For example, while the user_ping boolean is off an ordinary user cannot ping:
# ping 4.2.2.2
ping: icmp open socket: Permission denied
# getsebool -a
user_ping --> active: 0 pending: 0
As root:
# setsebool user_ping 1

# getsebool user_ping
user_ping --> active: 1 pending: 1

# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=0 ttl=248 time=10.0 ms
64 bytes from 4.2.2.2: icmp_seq=1 ttl=248 time=10.6 ms
To show the available booleans you can use getsebool -a:
getsebool -a
user_ping --> active: 0 pending: 0



SELinux-aware software


Can I patch procmail in a similar way to login, etc ?

You may consider the possibility of patching a mail server to run procmail for delivery in a special user context. Then procmail can safely access the .procmailrc file and deliver mail to the user's home directory, but it can't access the home directory of a user in another role.

However will you even be using multiple roles? For a system such as this, it's likely that you will have three roles, staff_r (for minor administration tasks), sysadm_r (for serious administration - mkfs, fdisk, etc), and user_r (for the users). Now if you demand that all people in staff_r also have an account in user_r for their email, then you can just restrict procmail to only accessing user_r.
[Russell Coker]


Message Logging


How do I stop all of those messages on the console?

SELinux sends a lot of messages to the system console by default. This can be very annoying if you're busy on the console trying to solve some important problem.

There are two different kernel logging paths in use : the printk mechanism and the kernel audit subsystem with its auditd daemon.

For older systems using printk, the following command directs all messages of default priority away from the console. The default is "7 4 1 7"; the first number is the console log level and the second is the priority given to messages that do not specify one. Setting the second number to 7 makes such default-priority messages too low in priority to reach the console.

echo "7 7 1 7" >/proc/sys/kernel/printk
Alternatively, the command
dmesg -n 1
seems to work well on Fedora systems.
These commands alter the behaviour when the kernel printk logging mechanism is being used.

Recently the logging method has changed. Now the kernel audit sub-system, auditd, is used for SE Linux messages. The audit subsystem will default to using printk if there is no auditd running, but if auditd is running then SE Linux events and most other security relevant log entries go to auditd and are saved to files under /var/log/audit.

The main kernel auditing functionality (as opposed to the minimum needed to log basic AVC messages) is enabled when the auditd is started or if the kernel is booted with the parameter "audit=1". This auditing functionality is now required to display the path names when SE Linux denies access to files, so for best logging functionality you should have auditd running or boot with "audit=1".

Debian does not yet have an auditd; it should be packaged soon.

Why does SELinux log messages only once?

When in permissive mode, SELinux logs each denial once and then adds the corresponding permission to the cache so that you don't end up with a flood of identical messages. The denial won't show up again until the cache entry is reclaimed. You can reset the cache by reloading your policy (e.g. running 'make reload' in the policy directory) or by switching into enforcing mode (and then optionally back into permissive mode) by using setenforce 1 (avc_toggle in older versions), assuming that you are in a domain that can do this.

As with the previous question, for best logging functionality you should have auditd running or boot with "audit=1", and manage the log messages through auditd.

Why do I get a lot of log messages from dhcpd?

The DHCP server ( dhcpd ) uses a packet socket which often receives every packet from the network interface. It may be filtering the packets via a socket filter after the permission check has been performed.
The best solution is to add a policy rule:

dontaudit dhcpd_t domain:packet_socket recvfrom;
- or -
allow dhcpd_t domain:packet_socket recvfrom;


Common Problems


Help! I can't log in!

So, you did remember to keep a non-SELinux kernel around didn't you? With SELinux you can always boot your system from a standard kernel ( or installation CD ) and correct any problems. Most problems come from incomplete installations ( such as installing an unpatched /bin/login program ), or faulty policy installs.
At one point in the past I upgraded the SELinux kernel without installing the tools and reloading the policy - which resulted in an awful mess where /bin/login would complain about "No SIDs found" and not let me login. I found that I could reboot into a non-SELinux kernel and redo the installation.

Help! Program foobar doesn't work!

Virtually any program which normally runs on Linux will also run under SELinux ( in permissive mode, that is ). You should resolve application problems by running the programs under a permissive mode kernel and looking at the "denied" messages in the log files. You can run these through the utility audit2allow to generate new policy rules that permit the denied operations.

I upgraded my SELinux kernel to a new version and now I get lots of errors on booting, what went wrong?

Bad things happen if you upgrade your kernel to a newer version which has an incompatible policy with the previous version. You probably forgot to install the policy and/or relabel the filesystems before booting the new version. Boot your system from a non-SELinux kernel and go back and do these things.
If you install a kernel with a new policy version, then you need a matching policy and utilities, in which case you will need to run make install to load the new utilities and policy.
[Russell Coker]

If one of those messages is "login[1007]: UNABLE TO GET VALID SID FOR root"

The SID table is mangled. Try logging in using a different method ( such as connecting over SSH ), otherwise you will need to recover by booting a non-SELinux kernel, then relabel the filesystem and reload the policy ( make reset and make load ).

When my system boots I see "SELinux: The separate SELinux kernel patch was not applied..." - what is wrong ?

You haven't applied the SELinux patch to the LSM kernel. Go back and read the README file about applying the kernel patch.

When I start the X server as root, my system hangs

First of all, don't run the X server as root, with or without SELinux. If you run the X server as a non-root user then it should work fine. Otherwise, if you relabel the root home directory to user_home_dir_t then it will also work fine for root ( but it's a bad idea ). If you start X as the sysadm_r:sysadm_t role then it should also work fine.
[Russell Coker]

Does SELinux support XWindows ?

Yes. But you need to enable the X-related domains (via sepcut or by directly moving up the .te files from policy/domains/program/unused) and reload your policy. You also need a patched [xgk]dm if you want to run an X Display Manager; the NSA release doesn't provide one, but others have supplied patches. With regard to knowing whether it is safe to move to enforcing mode, you need to study your logs (dmesg output or /var/log/messages) to see what would be denied if you were to switch into enforcing mode. Keep in mind that a denial is typically only logged once when in permissive mode (and then retained in the cache until you reload your policy or switch into enforcing mode), so you need to check the full log from when you booted.
[Stephen Smalley]

Cron jobs don't run, even in permissive mode

SELinux includes a copy of crond which has been modified to run under an SELinux system. If you are having trouble with cron jobs, check that you have the correct SELinux-enabled version of crond.

I can't log in with ssh, it reports "Could not obtain SID for user xxx"

The sshd server that comes with SELinux has been modified to look up user SIDs as users log in, and will report this error if it cannot find the SID for the user logging in. There are three main causes for this error:
  • You haven't created the user properly. Remember to use suseradd to create users with SELinux. Check if you can log in on the console with that user name. Check that the password has been defined. Check that you are passing the correct user name to ssh.
  • The sshd daemon is not running in the proper context. Shut it down with the command:
    run_init /etc/init.d/sshd stop
    Then start it again with the command:
    run_init /etc/init.d/sshd start
  • If the user has been configured to have only the sysadm_r role then the result is that sshd will not allow the user to log in. The sshd code could be modified to permit this, but it would be easier to configure the user to have another role ( such as staff_r or user_r ).

run_init fails with "execvp: File or directory not found"

This happens on some Debian systems when the expect package is not installed. Install the Debian expect package.

run_init fails with "execvp: Permission Denied"

The most common cause of this is that the /etc/init.d/(name) script has not been labelled correctly; it needs to have the initrc_exec_t type. Use this command:
chcon -t initrc_exec_t /etc/init.d/(name)

make relabel ( setfiles ) fails with "Operation not supported"

For example,
root@trillian:/etc/security/selinux/src/policy# execcon root:sysadm_r:sysadm_t make relabel

/usr/sbin/setfiles: read 425 specifications
/usr/sbin/setfiles: labeling files under /
/: Operation not supported
/usr/sbin/setfiles: unable to obtain attribute for file /
/usr/sbin/setfiles: error while labeling files under /
This is usually because the filesystem type doesn't support extended attributes ( xattr ). For reiserfs, extended attribute support is moderately new, and extended attributes while supported may have other problems.

newrole fails with "cannot find your entry in the passwd file"

Run id -c, and if you get this:
system_u:system_r:sysadm_t
then you are probably not running the patched login program, or don't have the pam_selinux PAM module enabled. Note from the id command that the user identity portion of the context wasn't set, which is why newrole is confused. You should never get a shell with the system_u identity or in the system_r role. newrole checks the identity against the passwd file, and you have no account system_u there (and you shouldn't have one).

X won't start in enforcing mode

It seems that the X server tries to access /dev/mem even if it doesn't need to. This can be fixed by changing a line in macros/program/xserver_macros.te from
dontaudit $1_xserver_t memory_device_t:chr_file read;
to
allow $1_xserver_t memory_device_t:chr_file rw_file_perms;

ssh won't login to sysadm_r role

The example policy prohibits direct transitions from sshd_t to sysadm_t, but you should be able to login as staff_r:staff_t and then newrole to sysadm_r:sysadm_t.

sshd (via libselinux) asks the kernel what contexts are reachable from its domain for your user identity (kernel determines this based on the policy) and then picks one of the reachable contexts based on either /etc/security/default_contexts or $HOME/.default_contexts. There is no way to specify a context from the client.

Note that a patched sshd is necessary for SELinux systems; if you are having problems, first check that you have an SELinux aware ssh installation. There used to be a pam_selinux module which supported ssh, but this is now deprecated.

fixfiles removes all files in /tmp

Purging of the files in /tmp was added to the fixfiles utility to avoid problems with the types on entries such as /tmp/orbit* and /tmp/.ICE-unix. Removing them during initial labelling causes problems for desktops such as KDE, possibly causing KDE to crash and exit. The files will get re-created with the correct type when the desktop software recreates them (when KDE starts again). For this reason, be careful about using fixfiles on a running system. Hopefully a warning message will be added to the utility and its man page.

Why do I get messages about "cannot enable executable stack" when running programs under SE Linux?

SE Linux when combined with Exec-Shield will control access to an executable stack. Every binary and shared object needs to have a section labelling it in terms of whether it requires an executable stack. Generally the compiler generates this automatically, except in the case of assembler code where the label is omitted by default (which indicates that an executable stack is required).

When this happens you see AVC messages such as:

avc: denied { execstack } for pid=1234 comm="simpress.bin"
scontext=admin:staff_r:staff_t tcontext=admin:staff_r:staff_t tclass=process

and error messages on the command line when executing the program such as the following:

ooimpress file.sxi
/usr/lib/openoffice.org2.0/program/simpress.bin: error while loading shared
libraries: libicudata.so.34: cannot enable executable stack as shared object
requires: Permission denied

The following URL has the full details : http://people.redhat.com/drepper/nonselsec.pdf

To summarise this, run
  execstack -c X
(where X is the name of the shared object or program) to mark it as not needing an executable stack. A quick test should then reveal if it really needs it (an executable or shared object which needs an executable stack will crash if marked as not needing it). Run the command
  readelf -l X|grep STACK
to see whether X is marked as needing it. If there's no output or you see RWX/RWE in the second-last column then it is marked as requiring an executable stack. If you see "RW" then it doesn't need it. Here's the output from a program marked as not needing it:
  GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4

For assembler files you can add -Wa,--noexecstack to the compiler command-line to mark the resulting object as not needing an executable stack. There are other methods; see the PDF file above for the details.

[Russell Coker]
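The readelf check described above, turned into a small script, as an added example that is not from the FAQ: it applies the FAQ's rule (no GNU_STACK header, or an E/X in the flags column, means an executable stack is required) to program-header lines, and the sample lines it tests against are constructed here, not taken from a real binary. It uses readelf's wide output (-lW) because on 64-bit systems the default layout wraps each header over two lines.

```shell
#!/bin/sh
# Added example (not from the FAQ): classify a binary or shared object by its GNU_STACK
# marking, using the rule the FAQ gives. Only reports; it never modifies the file.

# Reads `readelf -lW` program-header lines on stdin; prints "exec" or "noexec".
stack_status() {
    hdr=$(grep 'GNU_STACK' || true)
    if [ -z "$hdr" ]; then
        echo exec            # no GNU_STACK marker at all: treated as requiring an executable stack
        return 0
    fi
    # Second-last column holds the flags, e.g. "RW" (fine) or "RWE" (executable stack wanted).
    flags=$(printf '%s\n' "$hdr" | awk '{ print $(NF-1) }')
    case "$flags" in
        *E*|*X*) echo exec ;;
        *)       echo noexec ;;
    esac
}

# Wrapper for a real file. -W keeps each program header on one line; without it the
# 64-bit layout splits the flags onto a second line and the column parse above fails.
check_object() {
    status=$(readelf -lW "$1" 2>/dev/null | stack_status)
    if [ "$status" = exec ]; then
        echo "$1: marked as requiring an executable stack (candidate for execstack -c, then test it)"
    else
        echo "$1: does not require an executable stack"
    fi
}

# Constructed sample program-header lines in the format readelf -lW prints (not real binaries).
SAMPLE_NOEXEC='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4'
SAMPLE_EXEC='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4'
SAMPLE_MISSING='  LOAD           0x000000 0x08048000 0x08048000 0x00460 0x00460 R E 0x1000'

# Usage: ./stackcheck.sh /path/to/program /path/to/lib.so ...
if [ $# -gt 0 ]; then
    for f in "$@"; do check_object "$f"; done
fi
```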


Miscellaneous


Help! .... where can I get more information?

Well, if you've read the README, and nothing here helps, then I suggest you check the SELinux resources page, if you're still stuck, then join the SELinux mailing list and post a message to the group. If you find useful answers, then let me know about your problem (and maybe the answer too) and I'll add it to this FAQ.