I am in the process of setting up some CentOS/RHEL 6 servers to run SELinux in strict mode. What follows are notes, links to online resources and things that I am discovering along the way. Once I am finished I will go back and re-write it to follow more of a how-to/guide type format. In the meantime, it might seem a bit disjointed.
Links/Resources:
- http://wiki.centos.org/HowTos/SELinux
- http://fedoraproject.org/wiki/SELinux
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0001.html
- http://www.nsa.gov/research/selinux/index.shtml
MaintLog Notes:
- Make sure that the selinux-policy-strict package (and deps) are installed:
- # yum install selinux-policy-strict
- After installing the policy I was unable to reboot as I hadn’t relabeled the file system properly. If you have problems booting, try:
- # genhomedircon
- # touch /.autorelabel
- # reboot
- After successfully booting with strict mode enabled you will not be able to do the things that you would normally expect as a root user. This is because your root shell does not have access to the system administrator role. To gain that role, invoke the newrole command:
- # newrole -r sysadmin_r
- LEFTOFF: it seems semanage isn’t installed. I’ll need to restart with SELinux disabled to install it so that I can sort out running newrole properly. See: http://www.spinics.net/lists/selinux/msg09681.html
- Make sure that the semanage package is installed:
- # yum install libsemanage
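
An added example (not part of the original notes): a pre-reboot check for the boot failure described above, confirming that the policy type named in /etc/selinux/config is installed and that a relabel is scheduled. The function names `selinux_cfg` and `preflight` and the optional root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run before rebooting into a newly installed policy.
# Usage: preflight            (check the live system)
#        preflight /mnt/root  (check a mounted or test tree; hypothetical path)

# Print the value of a key from an SELinux config file (last assignment wins).
# $1 = config file, $2 = key (SELINUX or SELINUXTYPE). Comment lines are ignored.
selinux_cfg() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 if the tree under $1 has a policy installed for the configured
# type and a relabel scheduled; 1 if a check fails; 2 if the config is unreadable.
preflight() {
    root=${1:-}
    cfg="$root/etc/selinux/config"
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: $cfg not readable"; return 2; }

    mode=$(selinux_cfg "$cfg" SELINUX)
    type=$(selinux_cfg "$cfg" SELINUXTYPE)
    echo "configured: SELINUX=$mode SELINUXTYPE=$type"

    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "FAIL: SELINUX='$mode' is not a valid mode"; rc=1 ;;
    esac

    # The policy for each type lives under /etc/selinux/<type>/policy.
    if [ -z "$type" ]; then
        echo "FAIL: SELINUXTYPE is not set"; rc=1
    elif [ ! -d "$root/etc/selinux/$type/policy" ]; then
        echo "FAIL: no policy installed for type '$type'"; rc=1
    fi

    # Without the flag file, the next boot will not relabel the file system.
    if [ "$mode" != disabled ] && [ ! -e "$root/.autorelabel" ]; then
        echo "FAIL: $root/.autorelabel missing, no relabel on next boot"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: policy present and relabel scheduled"
    return "$rc"
}
```

Setting SELINUX=permissive for the first boot after a policy change lets the relabel complete with denials logged rather than enforced.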