Wednesday, April 17, 2013

How to enable SELinux in SLES 11 SP2

I've been playing with SELinux for a few days. Once you decide to hack on SELinux, which means a very long hacking journey is begin. The 1st shit you need to do is to enable the SELinux before you dive into the details. Yes, you may already knew these great stuff could help your great SELinux hacking journey:

1, SELinux project wiki
2, The SELinux Notebook - The Foundations - 3rd Edition

The SELinux kernel module has already compiled in SUSE Linux Enterprise Server 11 SP2 but without any specific polices. OK then, I've bullshit a lot, haven't I? Please allow me bullshit a lot more;-)

Firstly, make sure SELS 11 SP2 is working well:
--------------------------------------------------------------------------------
shawn-fortress:~ # cat /etc/issue

Welcome to SUSE Linux Enterprise Server 11 SP2  (i586) - Kernel \r (\l).
-------------------------------------------------------------------------------- 

Install these packages which are needed for SELinux:
--------------------------------------------------------------------------------
zypper in libselinux1 checkpolicy libsemanage1 policycoreutils
--------------------------------------------------------------------------------


Type "yast2 bootloader" in cmdline and add:
-------------------------------------------------------------------------------- 
"security=selinux selinux=1 enforcing=0" into the kernel cmdline
--------------------------------------------------------------------------------
 In GRUB bootloader, these above 3 options are used related to SELinux.
 * security=selinux, tells the kernel to use SELinux and not AppArmor
 * selinux=1, switches on SELinux
 * enforcing=0, puts SELinux in permissive mode( only logging)


Install selinux-tools, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-tools
--------------------------------------------------------------------------------

Install selinux-policy, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-policy
--------------------------------------------------------------------------------

Add  selinux to existing PAM config file:
--------------------------------------------------------------------------------
pam-config -a --selinux
--------------------------------------------------------------------------------

set restorecond service to runlevel 3 in "expert mode":
--------------------------------------------------------------------------------
yast2 runlevel
--------------------------------------------------------------------------------

Finally, reboot your computer/laptop/s*!@#...... and check the SELinux status:

shawn-fortress:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        refpolicy-standard

See, it's working!

Thanks to Thomas Biege who is guiding me on this journey! Thomas's article "SELinux on openSUSE 11.1" helped me to understand the config of SELinux in big picture.

May L0rd's hacking spirit guide us!

1 comment:

Carmen Rosa said...

Great! thanks for the information...

I will appreciate if you can share info about Compiling the Policy, I was using semanage but I got errores on my SELS 11.2

Thanks in advance,
Carmen