This article provides notes on how to install Security Enhanced Linux (SELinux) on an Ubuntu 22.04 Linux system. These notes are based on my experience doing this installation and some of the issues I encountered while doing so. There are other resources online that describe this procedure, but the ones I encountered are either old, incomplete, give bad advice, or are just plain wrong. Although I don’t have all the answers myself, I hope to maintain this article by editing it in the future when I learn more.
Introduction
SELinux is a mandatory access control (MAC) system for Linux. This means that access to resources, such as files, is controlled by the system administrator rather than by the resource owner as is the case in a discretionary access control (DAC) system. SELinux is implemented as a Linux Security Module (LSM), which is a standard way to add additional security features to the Linux kernel. However, SELinux is more than just an LSM. To be a practical system, it must also provide modified versions of some system tools, such as ‘ls’ and ‘ps’, as well as SELinux-specific tools that know how to interact with the SELinux-enabled kernel.
It is important to understand that SELinux acts in addition to the normal DAC system available in traditional Linux. Access to a file is granted only if both systems agree that it should be granted. Everything you already know about the way file permissions and access control lists work still applies after SELinux is installed.
Ubuntu Linux comes with a MAC system pre-installed and pre-configured called AppArmor. It is also implemented as an LSM. It is my understanding that LSMs are “stackable” in the sense that multiple LSMs can be in use at the same time. In fact, normal Linux capabilities are implemented via an LSM which runs alongside AppArmor (or SELinux). However, I have seen suggestions elsewhere online that say AppArmor is incompatible with SELinux and will conflict with it. I wonder about the truth of that, but I agree that using two complex MAC systems at once is a bad idea even if they could technically coexist. Thus, before installing SELinux you will want to disable AppArmor as I describe in the next section.
It should be mentioned that some Linux distributions come with SELinux pre-installed and pre-configured instead of AppArmor. Other distributions, such as Ubuntu, have decided to use AppArmor instead. This means installing SELinux on an Ubuntu system is swimming against the current to some extent. You may experience more issues and quirks than you might with a different distribution that is designed around SELinux. Running SELinux on Ubuntu is not “official” in the way running AppArmor is.
One quirk is related to snap. Information I’ve found online suggests that snap has a dependency on AppArmor. This surprises me; I don’t understand why a packaging system would depend on a MAC system. I do understand that snaps might come with AppArmor rules that govern the operation of the installed software, but it seems to me that the functional behavior of a snap should not require the presence (or absence) of a certain MAC solution. I may not understand snaps very well.
Since Ubuntu 22.04 provides some software packages as snaps, it is possible, perhaps likely, that those packages won’t work once AppArmor is disabled. For example, Firefox is provided as a snap (by default), and it does not work after AppArmor is disabled. Also, it is no longer possible to remove snaps after AppArmor is disabled because the snap infrastructure does not work sufficiently well at that point. So, before embarking on an installation of SELinux on your Ubuntu system, you should review what snaps you are using and verify that you can live without them. If you want to remove a snap, be sure to do so before you begin the process described in the next section. To list your installed snaps, do:
$ snap list
The command ‘snap remove’ can be used to remove snaps if you choose to do so.
Keep in mind that managing SELinux is not a trivial activity. SELinux is best suited to systems where extra security is essential, such as public-facing servers. It is not a good fit for a system that is intended to be used as a general-purpose workstation. So, while installing SELinux may make sense for your institutional web server or database server, you might not want to install it on your day-to-day desktop. The kind of systems for which SELinux makes sense don’t normally have many snaps installed anyway, so this issue may not be significant in practice.
If you are still interested in installing SELinux on your Ubuntu 22.04 system, I will describe the specific procedure for doing so in the next section.
Installing SELinux
The best description I’ve found for this process is on the Linode site. The information below elaborates on what that site describes.
The first step to install SELinux on Ubuntu 22.04 is to stop and disable AppArmor as described in the introduction above.
# systemctl stop apparmor
# systemctl disable apparmor
The first command stops AppArmor temporarily. The second command prevents AppArmor from restarting when the system reboots. It is not necessary to remove AppArmor. In fact, to facilitate returning the system to its original state, I recommend leaving the AppArmor files in place.
To install SELinux itself do the following:
# apt install policycoreutils selinux-basics selinux-utils -y
# selinux-activate
The -y option tells apt to take “yes” as your response to all relevant yes/no questions. If you prefer a more interactive installation experience, you can leave the -y out. You should see a message about SELinux being activated and suggesting that you reboot. However, before rebooting it is advisable to review the configuration first. Use this command to check the mode in which SELinux is operating:
$ getenforce
Notice that you do not need to be the superuser to run this command. There are three possible outputs: “Disabled” means that SELinux is installed but not doing anything. “Permissive” means that SELinux is checking all operations against the current policy but not enforcing any of the restrictions defined by that policy. Violations are logged in the system log file. “Enforcing” means that SELinux is enforcing the restrictions defined by the policy. After you install the SELinux packages and activate SELinux as above, the mode should be “Disabled.”
Now check the file /etc/selinux/config. This is a plain text file that contains SELinux’s basic configuration settings. Verify that the line SELINUX=permissive is in the file. This is the mode SELinux will come up in at the next reboot. It is essential that you start SELinux in permissive mode! The default policy will cause many violations. If you enforce the default policy, your system may be unbootable because of those violations.
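The check described above can be scripted so that a commented-out or duplicated setting is not mistaken for the active one. This is an added example, not part of the original article; the function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: pre-reboot check of the SELinux configuration file.
# On a real system: check_before_reboot /etc/selinux/config

# Constructed sample configuration, used when no file is given.
sample_config() {
cat <<'EOF'
# SELINUX= can take one of these three values:
#SELINUX=enforcing
SELINUX=permissive
SELINUXTYPE=default
EOF
}

# Print the value of the single active SELINUX= line (file argument or stdin).
# Exit status 1 if there is no such line or more than one.
configured_mode() {
    awk '
    /^[ \t]*#/ { next }                 # commented-out settings do not count
    /^[ \t]*SELINUX[ \t]*=/ {           # does not match SELINUXTYPE=
        value = $0
        sub(/^[^=]*=[ \t]*/, "", value)
        sub(/[ \t\r]+$/, "", value)
        n++
    }
    END { if (n != 1) exit 1; print value }
    ' "$@"
}

# Succeed only if the next boot will bring SELinux up in permissive mode.
check_before_reboot() {
    mode=$(configured_mode "$@") || {
        echo "FAIL: need exactly one active SELINUX= line"; return 1; }
    [ "$mode" = permissive ] || {
        echo "FAIL: SELINUX=$mode, expected permissive"; return 1; }
    echo "OK: SELinux will start in permissive mode"
}

sample_config | check_before_reboot
```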
The procedure is to run your system for a while in permissive mode and monitor the policy violations in the system log file. Work through those violations by either reconfiguring the software that is causing them or by modifying the policy. Only when the policy violations are minimal or non-existent should you consider changing the mode to enforcing.
Once you are convinced that the configuration is for permissive mode, reboot your system. I recommend you do this with access to the console rather than rebooting remotely. The first boot after activating SELinux takes a long time because the system must add labels to all objects in the file system. Depending on how many files and folders you have on your disks, the time to do this can be considerable. In my case it took about 20 minutes. If there is a problem with this process, or any unusual messages produced by it, you will want to be at the console to see them.
Once the system has fully rebooted, run the getenforce command again to verify that the mode is now “Permissive.” Inspect the file /var/log/syslog for policy violation messages. You will see many.
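Because the log will contain many violations, it helps to group them before working through them. The script below is an added example, not part of the original article: it counts AVC denial messages by source type, target type, object class and permissions. The function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials so the most frequent come first.
# On a real system: summarize_avc /var/log/syslog

# Constructed sample lines in the kernel's AVC format; not from a real system.
sample_log() {
cat <<'EOF'
Mar  3 10:15:02 host kernel: [ 812.101] audit: type=1400 audit(1677838502.101:45): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Mar  3 10:15:03 host kernel: [ 813.220] audit: type=1400 audit(1677838503.220:46): avc:  denied  { read } for  pid=1234 comm="nginx" name="style.css" dev="sda1" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Mar  3 10:15:03 host kernel: [ 813.221] audit: type=1400 audit(1677838503.221:47): avc:  denied  { read open } for  pid=1234 comm="nginx" path="/home/alice/site/logo.png" dev="sda1" ino=133 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Mar  3 10:16:40 host kernel: [ 910.004] audit: type=1400 audit(1677838600.004:48): avc:  denied  { write } for  pid=801 comm="ntpd" name="ntp.log" dev="sda1" ino=977 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
Mar  3 10:16:41 host systemd[1]: Started Daily apt download activities.
EOF
}

# Print "count source_type target_type class permissions" per distinct denial.
summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {          # the "{ read open }" part
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

if [ "$#" -gt 0 ]; then summarize_avc "$@"; else sample_log | summarize_avc; fi
```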
Next Steps
Your system is now running SELinux, but SELinux is providing no security since it is in permissive mode. In fact, your system is less secure than it was with AppArmor running. You will want to fix this. Here is an outline of what needs to be done next. I may write more details in a later blog post (to which I will link) or by editing this post.
1. Install a more suitable default policy. The default policy installed with SELinux may not be well matched to the way you are using your system. Since SELinux policies are complex, you may be able to download a different policy that would be more suitable for your machine. Starting with such a policy can minimize the number of policy violations you must clean up by hand. Of course, be careful when downloading a security policy from the Internet. Be sure to review it before you try to use it.
2. Edit the policy or modify software configurations (or change your working procedures) to remove all policy violations. The idea is to tune the SELinux policy to match the normal way you use your system. If you don’t do this then when you turn on enforcing mode, some things will break. This process may take days, weeks, or even months.
3. Enable enforcing mode. Once you are ready, change the SELinux configuration file to specify enforcing mode and reboot. Assuming you did your due diligence in step #2 above, the system should restart and work normally.
4. Monitor the system. You will have to fine-tune your policy in an ongoing way. It is likely that no matter how much time you spent on step #2 above, there will be things you forget to handle. Also, of course, if someone attacks your system you may find policy violations that reflect attempts to access resources without authorization.
5. Lock down the system. It is theoretically possible to write an SELinux policy so that nobody, not even root, can edit the policy. This prevents someone who does get root access remotely from making the policy more permissive, or even setting SELinux back to permissive mode altogether. However, this also means that when you want to legitimately modify the policy you will need to reboot the system in permissive mode by using appropriate command line arguments to the kernel at boot time (i.e., in grub before the kernel loads). Doing so requires physical access to the system’s console, so this isn’t a change to make lightly.
This summarizes how to install SELinux on Ubuntu 22.04. This article is subject to change and extension as I learn more myself. I hope to provide some details about each of the “next steps” that I outline above.
Enjoy!