Configuring CentOS to run SELinux in Strict Mode

I am in the process of setting up some CentOS/RHEL 6 servers to run SELinux in strict mode. What follows are notes, links to online resources and things that I am discovering along the way. Once I am finished I will go back and re-write it to follow more of a how-to/guide type format. In the meantime, it might seem a bit disjointed.

Links/Resources:

  • http://wiki.centos.org/HowTos/SELinux
  • http://fedoraproject.org/wiki/SELinux
  • http://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-chapter-0001.html
  • http://www.nsa.gov/research/selinux/index.shtml

MaintLog Notes:

  • Make sure that the selinux-policy-strict package (and deps) are installed:
  • # yum install selinux-policy-strict
  • After installing the policy I was unable to reboot as I hadn’t relabeled the file system properly. If you have problems booting, try:
  • # genhomedircon
  • # touch /.autorelabel
  • # reboot
  • After successfully booting with strict mode enabled, you will not be able to do the things that you would normally expect as a root user. This is because your root shell does not have access to the system administrator role. To switch into that role, invoke the newrole command:
  • # newrole -r sysadmin_r
  • LEFTOFF: it seems semanage isn’t installed. I’ll need to restart with SELinux disabled to install it so that I can sort out running newrole properly. See: http://www.spinics.net/lists/selinux/msg09681.html
  • Make sure that the semanage package is installed: # yum install libsemanage
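
The boot failure noted above came from rebooting before the file system was relabeled. The following preflight check is an added example, not part of the original notes: it confirms that the strict policy is selected and that a relabel is scheduled before you reboot. It assumes the standard /etc/selinux/config keys (SELINUX, SELINUXTYPE) and policy layout under /etc/selinux/strict; the function names and the root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check to run before rebooting into the strict policy.
# Assumes the standard /etc/selinux layout; the root-prefix argument is a
# hypothetical convenience so the check can be pointed at a test tree.

# Print the last uncommented value of KEY from <root>/etc/selinux/config.
selinux_cfg_value() {  # $1 = root prefix, $2 = key (SELINUX or SELINUXTYPE)
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Return 0 only if the next boot will load the strict policy and relabel.
strict_preflight() {  # $1 = root prefix ("" for the live system)
    root=${1:-}
    rc=0
    ptype=$(selinux_cfg_value "$root" SELINUXTYPE)
    pmode=$(selinux_cfg_value "$root" SELINUX)

    if [ "$ptype" != "strict" ]; then
        echo "FAIL: SELINUXTYPE='${ptype:-unset}', expected 'strict'"
        rc=1
    fi
    # The relabel needs the strict policy's file contexts to exist.
    if [ ! -f "$root/etc/selinux/strict/contexts/files/file_contexts" ]; then
        echo "FAIL: strict file_contexts missing (selinux-policy-strict installed?)"
        rc=1
    fi
    # The flag file is what schedules the relabel on the next boot.
    if [ ! -e "$root/.autorelabel" ]; then
        echo "FAIL: $root/.autorelabel missing; run: touch /.autorelabel"
        rc=1
    fi
    # With SELinux disabled, no policy is loaded at all.
    case $pmode in
        enforcing|permissive) ;;
        *) echo "FAIL: SELINUX='${pmode:-unset}', need enforcing or permissive"
           rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: strict policy selected and relabel scheduled"
    fi
    return "$rc"
}
```

Source the file and call `strict_preflight ""` as root on the live system; a non-zero return means one of the listed conditions should be fixed before rebooting.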
