leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 325
Posted: Mon Oct 17, 2022 1:14 pm Post subject: SELinux - how to enable?
Installed system with SELinux, following the guide: https://wiki.gentoo.org/wiki/SELinux/Installation
But in the kernel I can't find "Default security module", only "First legacy 'major LSM' to be initialized (SELinux)".
Code:
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
So what is needed to enable SELinux?
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Mon Oct 17, 2022 4:22 pm
Please boot with kernel parameter
Code:
security=selinux selinux=1
Does your config contain something like
Code:
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
?
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1660
Posted: Mon Oct 17, 2022 4:30 pm
alamahant wrote:
    Please boot with kernel parameter
    Code:
    security=selinux selinux=1

The documentation in the kernel says that security= is deprecated and should be replaced by lsm=
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Mon Oct 17, 2022 4:57 pm
grknight wrote:
    alamahant wrote:
        Please boot with kernel parameter
        Code:
        security=selinux selinux=1
    The documentation in the kernel says that security= is deprecated and should be replaced by lsm=

I don't think so
Quote:
    The Linux Security Module (LSM) framework provides a mechanism for various security checks to be hooked by new kernel extensions. The name "module" is a bit of a misnomer since these extensions are not actually loadable kernel modules. Instead, they are selectable at build-time via CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the "security=..." kernel command line argument, in the case where multiple LSMs were built into a given kernel.
https://www.kernel.org/doc/html/v4.16/admin-guide/LSM/index.html
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1660
Posted: Mon Oct 17, 2022 5:39 pm
alamahant wrote:
    grknight wrote:
        alamahant wrote:
            Please boot with kernel parameter
            Code:
            security=selinux selinux=1
        The documentation in the kernel says that security= is deprecated and should be replaced by lsm=
    I don't think so
    Quote:
        The Linux Security Module (LSM) framework provides a mechanism for various security checks to be hooked by new kernel extensions. The name "module" is a bit of a misnomer since these extensions are not actually loadable kernel modules. Instead, they are selectable at build-time via CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the "security=..." kernel command line argument, in the case where multiple LSMs were built into a given kernel.
    https://www.kernel.org/doc/html/v4.16/admin-guide/LSM/index.html

Check again with v5.15 in https://www.kernel.org/doc/html/v5.15/admin-guide/kernel-parameters.html
Code:
security=       [SECURITY] Choose a legacy "major" security module to
                enable at boot. This has been deprecated by the
                "lsm=" parameter.
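The two points argued over above, whether SELinux is actually compiled in and whether it gets selected with security= or lsm=, can be checked from a .config and a command line before rebooting. The script below is an added example; it is not code from the thread, the Gentoo wiki or the kernel. Its inputs (a .config file and a command line string) are passed as arguments so it runs offline; on a live machine they would come from zcat /proc/config.gz and /proc/cmdline. The sample .config and command lines are constructed. The precedence it implements follows the kernel's LSM documentation and security/security.c: lsm= supersedes security= on the same command line; a deprecated security= still picks a legacy "major" LSM; with neither, CONFIG_LSM is the list; selinux, apparmor and smack are mutually exclusive, so the first one in the list that is built in wins; and selinux=0 is honoured only with CONFIG_SECURITY_SELINUX_BOOTPARAM=y.

```shell
#!/bin/sh
# Added example, not from the thread or the Gentoo wiki: decide, from a kernel
# .config and a boot command line, whether SELinux will be the active LSM.
# Rules (kernel LSM documentation, security/security.c):
#  - lsm=LIST supersedes a deprecated security=NAME on the same command line
#  - with only security=NAME, that legacy "major" LSM is initialised, other
#    legacy majors are disabled, with no fallback if NAME is not built in
#  - with neither, CONFIG_LSM from .config is the ordered list
#  - selinux, apparmor and smack are exclusive: the first one in the list that
#    is built in wins, the rest are disabled
#  - selinux=0 disables SELinux only if CONFIG_SECURITY_SELINUX_BOOTPARAM=y

# cmdline_value CMDLINE KEY  ->  prints the value of the last KEY=... token
cmdline_value() {
    val=
    for tok in $1; do
        case $tok in
            "$2"=*) val=${tok#"$2"=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# built_in CONFIG SYMBOL  ->  0 if SYMBOL=y appears in the .config
built_in() {
    grep -qx "$2=y" "$1"
}

# first_exclusive LIST CONFIG  ->  prints the first exclusive LSM in the
# comma-separated LIST that is built in; prints nothing and returns 1 if none
first_exclusive() {
    for name in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $name in
            selinux)  built_in "$2" CONFIG_SECURITY_SELINUX  && { echo selinux;  return 0; } ;;
            apparmor) built_in "$2" CONFIG_SECURITY_APPARMOR && { echo apparmor; return 0; } ;;
            smack)    built_in "$2" CONFIG_SECURITY_SMACK    && { echo smack;    return 0; } ;;
        esac
    done
    return 1
}

# active_major CMDLINE CONFIG  ->  prints the exclusive LSM that will run
# (ignores selinux=0; selinux_active applies that)
active_major() {
    lsm=$(cmdline_value "$1" lsm)
    sec=$(cmdline_value "$1" security)
    if [ -n "$lsm" ]; then
        first_exclusive "$lsm" "$2"
    elif [ -n "$sec" ]; then
        first_exclusive "$sec" "$2"
    else
        first_exclusive "$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$2")" "$2"
    fi
}

# selinux_active CMDLINE CONFIG  ->  0 if SELinux ends up enabled
selinux_active() {
    if [ "$(cmdline_value "$1" selinux)" = 0 ] && built_in "$2" CONFIG_SECURITY_SELINUX_BOOTPARAM; then
        return 1
    fi
    [ "$(active_major "$1" "$2")" = selinux ]
}

# Constructed sample .config (not from a real build): SELinux and AppArmor both
# built in, with AppArmor ahead of SELinux in the CONFIG_LSM default.
CFG=$(mktemp); trap 'rm -f "$CFG"' EXIT
cat >"$CFG" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor,selinux,bpf"
EOF

for cmd in "root=/dev/sda2" \
           "root=/dev/sda2 lsm=selinux" \
           "root=/dev/sda2 security=selinux selinux=1" \
           "root=/dev/sda2 lsm=apparmor,selinux security=selinux" \
           "root=/dev/sda2 lsm=selinux selinux=0"; do
    if selinux_active "$cmd" "$CFG"; then s=enabled; else s=disabled; fi
    printf 'SELinux %-8s major=%-8s <- %s\n' "$s" "$(active_major "$cmd" "$CFG")" "$cmd"
done
```

With the constructed .config, a bare command line gives AppArmor (it precedes SELinux in CONFIG_LSM), lsm=selinux and security=selinux both give SELinux, lsm=apparmor,selinux gives AppArmor even with security=selinux alongside it, and selinux=0 switches SELinux off. The menu entry mentioned in the first post ("First legacy 'major LSM' to be initialized") only changes the CONFIG_LSM default; the checks here look at the resulting CONFIG_LSM string and the command line instead.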
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Mon Oct 17, 2022 6:00 pm
Quote:
    when trying to boot with those options, it freezes with "failed to initialize selinux support", though everything seems to be installed correctly

Incomplete kernel?
Try with
gentoo-kernel-bin
leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 325
Posted: Mon Oct 17, 2022 6:02 pm
alamahant wrote:
    Quote:
        when trying to boot with those options, it freezes with "failed to initialize selinux support", though everything seems to be installed correctly
    Incomplete kernel?
    Try with
    gentoo-kernel-bin

The stage3 selinux comes with selinux-base already installed, so I just did the single step I hadn't performed, and it seems to boot now in permissive mode with "lsm=selinux" only
Code:
FEATURES="-selinux -sesandbox" emerge -1 selinux-base
leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 325
Posted: Mon Oct 17, 2022 6:04 pm
Though now it seems I have "avc: denied" for everything in the logs.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Mon Oct 17, 2022 6:09 pm
If you had used an SELinux tarball all things like
Quote:
    FEATURES="-selinux -sesandbox" emerge -1 selinux-base
are not needed.
Quote:
    though now it seems I have "avc: denied" for everything in the logs
Yes, this is how it works.
Please relabel the fs.
leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 325
Posted: Mon Oct 17, 2022 6:20 pm
alamahant wrote:
    If you had used an SELinux tarball all things like
    Quote:
        FEATURES="-selinux -sesandbox" emerge -1 selinux-base
    are not needed.
    Quote:
        though now it seems I have "avc: denied" for everything in the logs
    Yes, this is how it works.
    Please relabel the fs.

I did. What is weird is that in enforcing mode, even as root, I get access denied with a simple "cd":
Code:
# cd
-bash: cd: /root: Permission denied
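The wall of "avc: denied" messages after first boot, and the "cd /root" failure as root in enforcing mode, are easier to triage when the records are grouped by source context, target context and object class instead of read one at a time. The script below is an added example; it is not code from the thread, the Gentoo wiki or the SELinux userspace tools. The log lines it parses are constructed to follow the kernel's AVC record format and are not from the poster's system. Its tcontext check for unlabeled_t / file_t is a heuristic for "relabel step not done yet", which is the advice given above; a user-mapping problem shows up in the same output as a scontext whose role is not the one you expected.

```shell
#!/bin/sh
# Added example, not from the thread: group "avc: denied" records so a flood of
# denials after first boot can be triaged. On a real box:
#   dmesg | summarise_avc        or        summarise_avc /var/log/audit/audit.log

# summarise_avc [FILE...]  ->  one line per distinct (scontext, tcontext, tclass)
# with the denied permissions seen and a hit count, highest count first
summarise_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /[{][^}]*[}]/))        # e.g. "{ read write }"
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        key = s " -> " t " " c
        count[key]++
        n = split(perms, p, " ")            # default splitting trims blanks
        for (i = 1; i <= n; i++)
            if (!((key, p[i]) in seen)) {   # first-seen order, no duplicates
                seen[key, p[i]] = 1
                plist[key] = plist[key] (plist[key] == "" ? "" : ",") p[i]
            }
    }
    END {
        for (key in count)
            printf "%5d %s { %s }\n", count[key], key, plist[key]
    }' "$@" | sort -rn
}

# relabel_hint [FILE...]  ->  0 if any denial targets an object of type
# unlabeled_t or file_t, which typically means the filesystem has not been
# relabeled yet; 1 otherwise
relabel_hint() {
    grep -Eq 'avc: +denied.*tcontext=[^ ]*:(unlabeled_t|file_t)([: ]|$)' "$@"
}

# Constructed sample log (not from any real system): three denials for root's
# shell on an unlabeled /root, one for syslog-ng that was only logged
# (permissive=1). Format follows the kernel AVC record layout.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
[   12.345678] audit: type=1400 audit(1666028400.101:23): avc:  denied  { search } for  pid=1234 comm="bash" name="root" dev="sda2" ino=131073 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
[   12.345701] audit: type=1400 audit(1666028400.102:24): avc:  denied  { read } for  pid=1234 comm="bash" name="root" dev="sda2" ino=131073 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
[   12.400000] audit: type=1400 audit(1666028400.150:25): avc:  denied  { search } for  pid=1234 comm="bash" name="root" dev="sda2" ino=131073 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
[   13.000000] audit: type=1400 audit(1666028401.000:26): avc:  denied  { read write } for  pid=900 comm="syslog-ng" name="log" dev="sda2" ino=4096 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=dir permissive=1
EOF

summarise_avc "$SAMPLE"
if relabel_hint "$SAMPLE"; then
    echo "hint: denials on unlabeled objects seen, run the relabel step first"
fi
```

On the constructed sample the summary collapses four records into two lines: three hits for sysadm_t on an unlabeled_t directory (search, read) and one for syslogd_t on var_log_t. The first line is the pattern behind the "cd /root" failure when /root carries no label, and the hint fires because of it; once the relabel has been done, whatever remains in the summary is what actually needs policy or user-mapping work before enforcing mode is worth trying.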
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
When using selinux stage3 you just install a kernel and boot.
NO need to follow the selinux installation steps in the wiki
Quote:
    I did. What is weird is that in enforcing mode, even as root, I get access denied with a simple "cd"
Do 2 things please
1. relabel: https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel
2. map selinux users to linux users: https://wiki.gentoo.org/wiki/SELinux/Installation#Define_the_administrator_accounts
Please forget enforcing mode for a long time.
For the time being use permissive.
leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 325
Posted: Mon Oct 17, 2022 6:35 pm
alamahant wrote:
    When using selinux stage3 you just install a kernel and boot.
    NO need to follow the selinux installation steps in the wiki
    Quote:
        I did. What is weird is that in enforcing mode, even as root, I get access denied with a simple "cd"
    Do 2 things please
    1. relabel: https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel
    2. map selinux users to linux users: https://wiki.gentoo.org/wiki/SELinux/Installation#Define_the_administrator_accounts
    Please forget enforcing mode for a long time.
    For the time being use permissive.

Are there any issues with enforcing mode?
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Mon Oct 17, 2022 6:38 pm
Quote:
    Are there any issues with enforcing mode?
Yes, too many SELinux errors you need to fix first.