| View previous topic :: View next topic |
| Author |
Message |
leonchik1976
Guru
Joined: 24 Jan 2010
Posts: 325
|
 Posted: Mon Oct 17, 2022 1:14 pm Post subject: SELinux - how to enable? |
 |
|
Installed system with SELinux, following the guide: https://wiki.gentoo.org/wiki/SELinux/Installation
But in kernel can't find "Default security module", only "First legacy 'major LSM' to be initialized (SELinux)".
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
so what needed to enable SELinux? |
|
| Back to top |
|
 |
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879
|
| Posted: Mon Oct 17, 2022 4:22 pm Post subject: |
|
|
Plz boot with kernel parameter
| Code: |
security=selinux selinux=1
|
Does your config contain somethin like
| Code: |
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
|
?
_________________
Last edited by alamahant on Mon Oct 17, 2022 5:01 pm; edited 2 times in total |
|
| Back to top |
|
|
grknight
Retired Dev
Joined: 20 Feb 2015
Posts: 1660
|
| Posted: Mon Oct 17, 2022 4:30 pm Post subject: |
|
|
| alamahant wrote: | Plz boot with kernel parameter
| Code: |
security=selinux selinux=1
|
|
The documentation in the kernel says that security= is deprecated and should be replaced by lsm= |
|
| Back to top |
|
|
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879
|
| Posted: Mon Oct 17, 2022 4:57 pm Post subject: |
|
|
| grknight wrote: | | alamahant wrote: | Plz boot with kernel parameter
| Code: |
security=selinux selinux=1
|
|
The documentation in the kernel says that security= is deprecated and should be replaced by lsm= |
I dont think so
| Quote: |
The Linux Security Module (LSM) framework provides a mechanism for various security checks to be hooked by new kernel extensions. The name “module” is a bit of a misnomer since these extensions are not actually loadable kernel modules. Instead, they are selectable at build-time via CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the "security=..." kernel command line argument, in the case where multiple LSMs were built into a given kernel.
|
https://www.kernel.org/doc/html/v4.16/admin-guide/LSM/index.html
_________________
|
|
| Back to top |
|
|
grknight
Retired Dev
Joined: 20 Feb 2015
Posts: 1660
|
| Posted: Mon Oct 17, 2022 5:39 pm Post subject: |
|
|
| alamahant wrote: | | grknight wrote: | | alamahant wrote: | Plz boot with kernel parameter
| Code: |
security=selinux selinux=1
|
|
The documentation in the kernel says that security= is deprecated and should be replaced by lsm= |
I dont think so
| Quote: |
The Linux Security Module (LSM) framework provides a mechanism for various security checks to be hooked by new kernel extensions. The name “module” is a bit of a misnomer since these extensions are not actually loadable kernel modules. Instead, they are selectable at build-time via CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the "security=..." kernel command line argument, in the case where multiple LSMs were built into a given kernel.
|
https://www.kernel.org/doc/html/v4.16/admin-guide/LSM/index.html |
Check again with v5.15 in https://www.kernel.org/doc/html/v5.15/admin-guide/kernel-parameters.html
| Code: | security= [SECURITY] Choose a legacy "major" security module to
enable at boot. This has been deprecated by the
"lsm=" parameter. |
Last edited by grknight on Mon Oct 17, 2022 5:41 pm; edited 1 time in total |
|
| Back to top |
|
|
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879
|
| Posted: Mon Oct 17, 2022 6:00 pm Post subject: |
|
|
| Quote: |
when trying to boot with those options, it freezes with "failed to initialize selinux support", though everything seems to be installed correctly
|
Incomplete kernel?
Try with
gentoo-kernel-bin
_________________
|
|
| Back to top |
|
|
leonchik1976
Guru
Joined: 24 Jan 2010
Posts: 325
|
| Posted: Mon Oct 17, 2022 6:02 pm Post subject: |
|
|
| alamahant wrote: | | Quote: |
when trying to boot with those options, it freezes with "failed to initialize selinux support", though everything seems to be installed correctly
|
Incomplete kernel?
Try with
gentoo-kernel-bin |
stage3 selinux comes with selinux-base already installed, so i just did the single step i didn't performed - and it seems to boot now in permissive mode with "lsm=selinux" only
FEATURES="-selinux -sesandbox" emerge -1 selinux-base |
|
| Back to top |
|
|
leonchik1976
Guru
Joined: 24 Jan 2010
Posts: 325
|
| Posted: Mon Oct 17, 2022 6:04 pm Post subject: |
|
|
| though now it seams i have "avc: denied" for everything in logs |
|
| Back to top |
|
|
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879
|
| Posted: Mon Oct 17, 2022 6:09 pm Post subject: |
|
|
If you had used an selinux tarball all things like
| Quote: |
FEATURES="-selinux -sesandbox" emerge -1 selinux-base
|
are not needed.
| Quote: |
though now it seams i have "avc: denied" for everything in logs
|
yes this is how it works.
Plz relabel fs.
_________________
|
|
| Back to top |
|
|
leonchik1976
Guru
Joined: 24 Jan 2010
Posts: 325
|
| Posted: Mon Oct 17, 2022 6:20 pm Post subject: |
|
|
| alamahant wrote: | If you had used an selinux tarball all things like
| Quote: |
FEATURES="-selinux -sesandbox" emerge -1 selinux-base
|
are not needed.
| Quote: |
though now it seams i have "avc: denied" for everything in logs
|
yes this is how it works.
Plz relabel fs. |
I did, what is weird - that in enforcing mode - even as root i get access denied with simple "cd"
# cd
-bash: cd: /root: Permission denied |
|
| Back to top |
|
|
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879
|
|
| Back to top |
|
|
leonchik1976
Guru
Joined: 24 Jan 2010
Posts: 325
|
| Posted: Mon Oct 17, 2022 6:35 pm Post subject: |
|
|
| alamahant wrote: | When using selinux stage3 you just install a kernel and boot.
NO need to follow the selinux installation steps in the wiki
| Quote: |
I did, what is weird - that in enforcing mode - even as root i get access denied with simple "cd"
|
Do 2 things please
1. [url="relabel"]https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel[/url]
2. [url="map selinux users to linux users"]https://wiki.gentoo.org/wiki/SELinux/Installation#Define_the_administrator_accounts[/url]
Plz forget enforcing mode for a long time.
For the time being use permissive. |
is there any issues with enforcing mode?? |
|
| Back to top |
|
|
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879
|
| Posted: Mon Oct 17, 2022 6:38 pm Post subject: |
|
|
| Quote: |
is there any issues with enforcing mode??
|
Yes too many selinux errors you need to fix first.
_________________
|
|
| Back to top |
|
|
|
Networking & Security
