Initial SELinux Debian setup

Initial setup of the Debian 11 virtual machine:

root@sel:~# uname -a
Linux sel 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64 GNU/Linux

Install SELinux support and tools:

apt-get install selinux-basics selinux-policy-default auditd
selinux-activate
touch /.autorelabel
sync && reboot
check-selinux-installation

Better keep it permissive for the moment:

root@sel:~# getenforce
Permissive

Add more tools:

apt install setools
apt-get install policycoreutils-python-utils
apt-get install selinux-policy-dev

Add a sample service, nginx serving data from a user's home directory,

which would normally fail without further configuration (AVC denial in the audit log):

Jul 15 09:02:51 sel audit[2621]: AVC avc: denied { getattr } for pid=2621 comm="nginx" path="/home/kai/www/index.html" dev="sda1" ino=263159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0

So enable the corresponding boolean:

setsebool -P httpd_enable_homedirs on

and set the proper labels on the directory and file:

chcon -t httpd_user_content_t . index.html

so that worked.
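
Reading AVC records like the one above is the recurring task in this setup, so here is an added example (not part of the original notes) that splits such a record into the permission, source type, target type, object class and path, which is exactly what decides whether a boolean or a relabel is the fix. The sample record is constructed to match the nginx denial quoted above.

```shell
#!/bin/sh
# Added example, not part of the original notes: pull the fields out of an
# AVC "denied" record so the denial reads as
# "<permissions> <source type> -> <target type>:<class> <path> (<mode>)".
# The record below is constructed to match the nginx denial quoted above.
AVC_SAMPLE='type=AVC msg=audit(1657875771.123:456): avc:  denied  { getattr } for  pid=2621 comm="nginx" path="/home/kai/www/index.html" dev="sda1" ino=263159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=value (surrounding quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]\{1,\}\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "denied { ... }", trailing blanks removed
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type (third colon-separated field) of an SELinux context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one-line summary of a denial record
avc_summary() {
    perms=$(avc_perms "$1")
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    path=$(avc_field "$1" path)
    # permissive=1 means the access was only logged, not blocked
    case "$(avc_field "$1" permissive)" in
        1) mode=permissive ;;
        *) mode=enforcing ;;
    esac
    # path may be absent for non-file classes (sockets etc.); print "-" then
    printf '%s %s -> %s:%s %s (%s)\n' "$perms" "$src" "$tgt" "$cls" "${path:--}" "$mode"
}

avc_summary "$AVC_SAMPLE"
```

The target type on the right (here home_root_t) is what the chcon and semanage commands in these notes change; the source type on the left is what the httpd booleans loosen.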

Still no luck with SSH key-based logins?:

chcon -R unconfined_u:object_r:ssh_home_t:s0 /home/kai/.ssh/
chcon -R unconfined_u:object_r:ssh_home_t:s0 /home/kai/.ssh/authorized_keys
setsebool ssh_sysadm_login true
setsebool allow_polyinstantiation true

seems to work now.

Add a new binary to SELinux after it has been copied from the tmp folder:

ls -lZ
-rwxr-xr-x. 1 root root unconfined_u:object_r:user_tmp_t:s0 76908408 Nov  8  2021 promtail
semanage fcontext -a -t bin_t /usr/local/bin/promtail
restorecon /usr/local/bin/promtail
ls -lZ
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0 76908408 Nov  8  2021 promtail

which changes two things:

  1. with the booleans root can log in directly with the private key
  2. with the file permissions a normal user can log in via private key