Chapter 3. Installing and Initially Configuring SELinux

This chapter presents step-by-step procedures for installing and initially configuring SELinux on several popular Linux distributions. At the time of writing, only two popular Linux distributions officially support SELinux: Fedora Core and Gentoo. However, SELinux is also available for Debian GNU/Linux and SUSE, thanks to the unofficial work of independent software developers. In addition, Red Hat has announced that Red Hat Enterprise Linux 4 will support SELinux. So those who are looking to install SELinux can choose from a variety of Linux distributions. You may also be able to download and apply the SELinux source release to a Linux distribution other than those mentioned. The final section of this chapter provides an overview of this process.

Tip

This chapter contains step-by-step instructions for installing and initially configuring SELinux on several Linux distributions. I exercised care in writing and testing these instructions, which were also reviewed and tested by others. However, I can’t promise that they’ll work in every situation or in your particular situation. And directions such as these tend to become outdated quickly. So don’t become alarmed if your system responds differently than expected. You’ll likely find the instructions more useful as a rough guide than as a detailed road map.

SELinux Versions

Every implementation of SELinux is based on one of the official NSA versions. The NSA has published four major versions of SELinux:

Original (Pre-LSM) SELinux

The original version of SELinux, which supported Linux 2.2 and Linux 2.4.

LSM-Based SELinux

A version of SELinux that worked with the Linux Security Modules (LSM) patch to Linux 2.4 and 2.5.

SELinux for Linux 2.4

A version of SELinux that also worked with the LSM patch to Linux 2.4, but additionally required the extended attribute (EA) patch. Apart from differences in kernel support, this version is architecturally similar to SELinux for Linux 2.6 but is no longer under active development.

SELinux for Linux 2.6

The current version of SELinux, which works with standard Linux 2.6 kernels. The Linux 2.6 kernel natively supports SELinux and therefore does not have to be patched.

The application programming interface of the original and LSM-based versions of SELinux differs from that of the current version. Therefore, although the older versions can still be downloaded from the NSA’s web site, I don’t recommend that the older versions—or third-party packages or source code based on the older versions—be used.

Similarly, although the Linux 2.4 version of SELinux is architecturally similar to the current Linux 2.6-based SELinux release, it is not under active development and therefore lacks useful functions present in the current release. At the time of writing, implementations of SELinux for Linux distributions not integrally supporting SELinux tend to be based on SELinux for Linux 2.4 and are therefore somewhat out of date. Consequently, my own preference and recommendation is that you install one of the following SELinux implementations:

  • Red Hat Enterprise Linux 4 (when available)

  • Fedora Core 2

Nevertheless, in the following sections I give procedures and suggestions for installing SELinux for Debian GNU/Linux—owing to its high popularity and ready availability—and Gentoo Linux. Although Gentoo Linux does not support SELinux integrally, Gentoo’s Hardened Project does officially support Gentoo’s implementation of SELinux.
