Use Security Enhanced Linux on SUSE for solid business security

The SELinux framework isn't part of every Linux distribution by default, so to use Security Enhanced Linux on SUSE, you've got to do some tweaking.

Many government Linux customers require SELinux to be enabled on the Linux platforms they use. Though it's part of the Linux kernel, there are a few extra steps to take to ensure SELinux on SUSE Linux Enterprise is a success.

Security Enhanced Linux (SELinux) is a framework that goes beyond the possibilities of mere Linux permissions. It was started by the National Security Agency in the late 1990s and has been part of the mainline Linux kernel since version 2.6. In this article, you'll read how to enable SELinux on SUSE Linux Enterprise Server (SLES) to keep your system secure.

Before you start with SELinux on SUSE, you should learn more about it. SELinux is a framework that consists of services and utilities that communicate with the Linux Kernel Security interface. The entire SELinux stack is supported in SUSE Linux Enterprise Server. But an important part of SELinux -- the policy -- is not part of the default stack. The policy consists of all the rules and restrictions that administrators want to configure to secure their SELinux installation. There is no default policy for SUSE Linux Enterprise Server.

Learning about SELinux

  • By using the Linux Kernel Security Framework, SELinux allows administrators to define rules that specify which users or ports can access which programs. Because these rules can be very specific, SELinux makes it possible to reduce the risk of security incidents to a minimum.
  • Because of the very robust work it does, more governments around the world are now using only Linux distributions that include SELinux. Although SELinux is in the Linux kernel on all distributions, using it requires additional tools and libraries, which aren't on every Linux distribution by default.
  • AppArmor is an alternate way to secure Linux systems. It is easier to use and based on the same principles, but SELinux has emerged as the standard.

It makes sense that there is no working SELinux policy for SUSE Linux Enterprise Server, since a policy consists of thousands of rules that integrate deeply into the operating system. Creating a tailor-made policy is a lot of work, but some standard policies are available and can be used as an alternative.

The policy itself contains many rules, which are based on context labels that define which service or user can access which resource on a server. To define this, every item on an SELinux secured system must be labeled. An example of a rule in the policy is the following:

allow user_t bin_t:file { read execute getattr };

In this example, every user who has the user_t context label gets access to files that are labeled with the bin_t label and gets this access with read, execute and getattr permissions, a specific set of permissions that is defined within SELinux. As an administrator, you can check the current label settings by using ps -Z (for processes), netstat -Z (for ports), id (for users) or ls -Z for files and directories.

To install SELinux on SUSE Linux Enterprise Server, you first need to install all the SELinux packages. The easiest way is to search for all packages with selinux in their name or description and install them. Second, you need to get a policy. As I mentioned, no policy is available for SLES, but you can download the refpolicy source file from and use that. Next, you'll need to prepare your server for SELinux by adding a few GRUB boot options:

security=selinux selinux=1 enforcing=0

After doing this, reboot your server to configure SELinux. Note that the option enforcing=0 starts SELinux in permissive mode; this is essential because you don't have a working policy yet. In permissive mode, SELinux applies all rules and logs messages, but nothing is really being blocked, which makes it easier to understand what SELinux is trying to do. This is an excellent way to fine-tune your SELinux configuration.
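One way to read the messages logged in permissive mode, as an added example that is not part of the original article: the script counts AVC denial records by source type, target type, object class and permissions, so the most frequent policy gaps surface first. The log lines are constructed samples in the kernel's AVC audit format, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: rank what SELinux would have blocked while in permissive mode.
# Constructed sample lines in the kernel's AVC audit format (not from a real host).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1364481363.243:101): avc:  denied  { read } for  pid=2465 comm="httpd" name="index.html" dev="sda2" ino=1234 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1364481363.243:101): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1364481370.018:102): avc:  denied  { read } for  pid=2466 comm="httpd" name="logo.png" dev="sda2" ino=1240 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=file
type=AVC msg=audit(1364481377.551:103): avc:  denied  { name_bind } for  pid=2470 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1364481390.902:104): avc:  denied  { write add_name } for  pid=1310 comm="ntpd" name="drift" scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:var_lib_t tclass=dir
EOF
}

# Reads audit records on stdin; prints "count source_type target_type:class { perms }".
summarize_avc() {
  awk '
    /avc:[ ]+denied/ {
      perms = src = tgt = cls = ""
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type[:level]; the type is the third field.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src != "" && tgt != "" && cls != "")
        count[src " " tgt ":" cls " " perms]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

sample_avc_log | summarize_avc
```

On a host running auditd with its default log location, the same function can be fed with summarize_avc < /var/log/audit/audit.log. A target type such as default_t usually points to files that still need labeling rather than to a missing allow rule.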

To install the policy, first download it from and look for the source file for the refpolicy. Then, extract the tarball to /etc/selinux/refpolicy. In the /etc/selinux/refpolicy/build.conf file, you need to set the following few options before you start compiling it:

DISTRO = suse
UNK_PERMS = allow

After changing these parameters, run the make load command from the /etc/selinux/refpolicy directory and reboot. After rebooting, it's a good idea to request the current SELinux status by using the sestatus command. Listing 1 shows you what the result of this command should look like:

Listing 1. Showing current SELinux status with sestatus

mmi:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        refpolicy

If the status looks OK, then apply all context labels to the file system. To do this, from the /etc/selinux/refpolicy directory run the make relabel command. This will take a while. Once finished, it's a good idea to restart your server.

After rebooting your server once the file system has been labeled, you should perform a few checks to verify that all is working. First, use sestatus -v. This will not just tell you that SELinux is operational, but it also gives an overview of current process and file contexts. Pay special attention to the Init context; it should be set to init_t. Also, you can use the commands semanage fcontext -l to get a list of the file system labels that are currently set, and semanage boolean -l to get a list of all Booleans that are available. If all looks good, you're ready to go and set the file contexts and Booleans that are needed for your server to be operational. After doing that, you can switch the default SELinux mode to enforcing by changing the enforcing=0 GRUB boot option to enforcing=1.
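The sestatus checks described above can be scripted so the change to enforcing=1 is made only when they all pass. This is an added example, not part of the original article; the sample input is constructed from the Listing 1 fields plus the process contexts that sestatus -v prints, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: confirm the state the article expects before setting enforcing=1.
# Constructed sample: the Listing 1 fields plus the process contexts that sestatus -v adds.
sample_sestatus() {
cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        refpolicy

Process contexts:
Current context:                root:staff_r:staff_t
Init context:                   system_u:system_r:init_t
EOF
}

# field NAME: print the value that follows "NAME:" in sestatus output on stdin.
field() {
  awk -v k="$1:" 'index($0, k) == 1 {
    v = substr($0, length(k) + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# Reads sestatus -v output on stdin; returns 0 only if every check passes.
ready_for_enforcing() {
  out=$(cat); rc=0
  for want in "SELinux status=enabled" "Current mode=permissive" \
              "Policy from config file=refpolicy"; do
    key=${want%%=*}; val=${want#*=}
    got=$(printf '%s\n' "$out" | field "$key")
    [ "$got" = "$val" ] || { echo "FAIL: $key is '$got', expected '$val'"; rc=1; }
  done
  # The type is the third field of the user:role:type context.
  init_type=$(printf '%s\n' "$out" | field "Init context" | cut -d: -f3)
  [ "$init_type" = "init_t" ] || { echo "FAIL: init type is '$init_type', expected init_t"; rc=1; }
  return $rc
}

sample_sestatus | ready_for_enforcing && echo "all checks passed"
```

On the server itself, pipe the real output in with sestatus -v | ready_for_enforcing and act on the exit status.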

On occasion, you may find that certain services will not work with SELinux on SUSE. This may be due to SUSE Linux Enterprise Server not having its own policy. If that happens, try turning off certain SELinux modules. Use semodule -l to get a list of all SELinux modules that are currently loaded. If a module for a specific service is loaded and that prevents your service from working properly, use semodule -d modulename to switch it off. The service will now run without SELinux protection. You can also modify the SELinux policy so that the service can run with SELinux protection.

ABOUT THE AUTHOR: Sander van Vugt is an independent trainer and consultant based in the Netherlands. He is an expert in Linux high availability, virtualization and performance, and has completed several projects that implement all three. He is also the writer of various Linux-related books, such as Beginning the Linux Command Line, Beginning Ubuntu Server Administration and Pro Ubuntu Server Administration.
