HOWTO Use SELinux with LinuxLink
Required Packages
The SELinux userspace packages can be found within the Target Software -> Software Packages -> System -> Security menu.
The following packages are required for SELinux runtime usage:
- libselinux
- libsepol
- policycoreutils
Optionally, the following can also be included:
- checkpolicy
- sepolgen
- refpolicy
Kernel Configuration
To enable SELinux in the kernel configuration, enable the following options:
- Auditing Support (CONFIG_AUDIT)
- Enable different security models (CONFIG_SECURITY)
- Socket and Networking Security Hooks (CONFIG_SECURITY_NETWORK)
- NSA SELinux Support (CONFIG_SECURITY_SELINUX)
Additional SELinux configuration options are available depending on your runtime requirements.
Target Configuration
Init
The sysvinit package provides SELinux integration when libselinux is selected. Other init options may also provide SELinux support but are not discussed here.
sysvinit is responsible for loading the policy at boot time and then re-executing itself after the policy load, so that init itself runs in the domain the newly loaded policy assigns it.
Enabling SELinux
Enabling SELinux is then a matter of adding the SELinux kernel command line options (selinux=1, enforcing=1, etc.) and setting SELINUX=permissive or SELINUX=enforcing in the /etc/selinux/config configuration file.
The sestatus utility queries the status of SELinux on the target; setenforce switches between enforcing and permissive mode.
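As an added example (not part of LinuxLink, sysvinit or the SELinux packages), the following POSIX shell script checks a kernel .config for the four options listed under Kernel Configuration and resolves the mode a target will boot into from its /etc/selinux/config and kernel command line. The script name is assumed; the rule that enforcing= on the command line takes precedence over SELINUX= in the config file reflects libselinux's policy loader and is not stated on this page.

```shell
#!/bin/sh
# Added check script (not part of LinuxLink or the SELinux packages): verifies
# a kernel .config has the four options listed above and reports the SELinux
# mode a target boots into, given its /etc/selinux/config and kernel cmdline.

REQUIRED_OPTS="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX"

# Return 0 if every required option is =y in the .config; name misses on stderr.
check_kernel_config() {
    cfg="$1"; rc=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "missing: $opt" >&2; rc=1
        fi
    done
    return $rc
}

# Print the SELINUX= value from /etc/selinux/config, or "unset" if none.
selinux_config_mode() {
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-unset}"
}

# Print the value of key=value option $1 in cmdline string $2, or "unset".
cmdline_value() {
    for tok in $2; do
        case "$tok" in "$1"=*) echo "${tok#*=}"; return 0 ;; esac
    done
    echo unset
}

# Mode the target will run in: selinux=0 disables SELinux (when the kernel
# honours it); enforcing= on the cmdline overrides SELINUX= in the config
# (libselinux behaviour, assumed here rather than taken from the HOWTO).
effective_mode() {
    case "$(cmdline_value selinux "$2")" in 0) echo disabled; return 0 ;; esac
    case "$(cmdline_value enforcing "$2")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) selinux_config_mode "$1" ;;
    esac
}

# Usage: sh selinux_check.sh <kernel .config> <rootfs>/etc/selinux/config [cmdline]
if [ $# -ge 2 ]; then
    check_kernel_config "$1" && echo "kernel config: ok"
    echo "effective mode: $(effective_mode "$2" "${3:-$(cat /proc/cmdline)}")"
fi
```

Run it against the build tree's .config and the staged root filesystem before flashing; without a third argument it reads the host's own /proc/cmdline, so pass the target's command line explicitly when checking from a development machine.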
Policy
The policy can be provided by the refpolicy package. This is a very generic and encompassing policy that has a large footprint. A custom policy can be created using the ./scripts/selinux tools within the Linux kernel source tree. Specifically, mdp/mdp.c can be cross-compiled and used to generate a basic policy that can be copied to the target's /etc/selinux directory.
The install_policy.sh script must be run on the target, with a cross-compiled mdp available. It generates policy.conf and file_contexts and runs checkpolicy to produce the final policy. The final policy and other intermediate files are then copied to /etc/selinux.