Skip to content

SELinux

Joey Turner edited this page Jul 15, 2024 · 1 revision

Setting Up SELinux on Armbian

This tutorial guides you through the procedure of setting up SELinux (Security-Enhanced Linux) on an Armbian system. Follow these steps to install necessary packages, configure SELinux, and ensure it's enabled on your system.

Prerequisites

  • A running Armbian system
  • Root access or a user with sudo privileges

Steps

1. Update Package Lists

First, update your system's package list to ensure you can install the latest versions of the required packages.

sudo apt update

2. Install SELinux and Auditd

Install the SELinux basics, the default SELinux policy, and the audit daemon packages.

sudo apt install selinux-basics selinux-policy-default auditd

3. Append SELinux Parameters

To enable SELinux at boot, append extraargs=selinux=1 security=selinux to the /boot/armbianEnv.txt file.

echo "extraargs=selinux=1 security=selinux" | sudo tee -a /boot/armbianEnv.txt > /dev/null

4. Activate SELinux

Prepare your system for using SELinux by activating it.

sudo selinux-activate

5. Configure SELinux Mode

Open the SELinux configuration file in nano (or your preferred text editor) to set the SELinux mode. You can choose between enforcing (SELINUX=enforcing) and permissive (SELINUX=permissive) modes.

sudo nano /etc/selinux/config

6. Reboot the System

Apply the changes by rebooting your system.

sudo reboot

Verify SELinux Status

After rebooting, check the status of SELinux to confirm it's enabled and verify its mode.

sestatus

Output Example

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Output Explanation

  • SELinux status: Shows whether SELinux is enabled or disabled. In this case, it should be enabled.
  • SELinuxfs mount: Indicates where the SELinux filesystem is mounted.
  • SELinux root directory: Points to the directory where SELinux configurations are stored.
  • Loaded policy name: The name of the policy currently in use.
  • Current mode: Shows the current mode of SELinux, which can be enforcing, permissive, or disabled. For a secure setup, it should be enforcing.
  • Mode from config file: Indicates the mode set in the SELinux configuration file, which should match the current mode if your setup was successful.
  • Policy MLS status: Indicates whether Multi-Level Security (MLS) is enabled.
  • Policy deny_unknown status: Shows whether SELinux will deny unknown types.
  • Max kernel policy version: The maximum policy version supported by the kernel.

If your output matches the expected results, SELinux is correctly set up and enforcing policies on your system.

Clone this wiki locally