-
-
Notifications
You must be signed in to change notification settings - Fork 18
SELinux
This tutorial guides you through the procedure of setting up SELinux (Security-Enhanced Linux) on an Armbian system. Follow these steps to install necessary packages, configure SELinux, and ensure it's enabled on your system.
- A running Armbian system
- Root access or a user with
sudo
privileges
First, update your system's package list to ensure you can install the latest versions of the required packages.
sudo apt update
Install the SELinux basics, the default SELinux policy, and the audit daemon packages.
sudo apt install selinux-basics selinux-policy-default auditd
To enable SELinux at boot, append extraargs=selinux=1 security=selinux
to the /boot/armbianEnv.txt
file.
echo "extraargs=selinux=1 security=selinux" | sudo tee -a /boot/armbianEnv.txt > /dev/null
Prepare your system for using SELinux by activating it.
sudo selinux-activate
Open the SELinux configuration file in nano
(or your preferred text editor) to set the SELinux mode. You can choose between enforcing (SELINUX=enforcing
) and permissive (SELINUX=permissive
) modes.
sudo nano /etc/selinux/config
Apply the changes by rebooting your system.
sudo reboot
After rebooting, check the status of SELinux to confirm it's enabled and verify its mode.
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
-
SELinux status: Shows whether SELinux is enabled or disabled. In this case, it should be
enabled
. - SELinuxfs mount: Indicates where the SELinux filesystem is mounted.
- SELinux root directory: Points to the directory where SELinux configurations are stored.
- Loaded policy name: The name of the policy currently in use.
-
Current mode: Shows the current mode of SELinux, which can be
enforcing
,permissive
, ordisabled
. For a secure setup, it should beenforcing
. - Mode from config file: Indicates the mode set in the SELinux configuration file, which should match the current mode if your setup was successful.
- Policy MLS status: Indicates whether Multi-Level Security (MLS) is enabled.
- Policy deny_unknown status: Shows whether SELinux will deny unknown types.
- Max kernel policy version: The maximum policy version supported by the kernel.
If your output matches the expected results, SELinux is correctly set up and enforcing policies on your system.