[DSE-Dev] Bug#756729: Bug#756729: selinux-policy-default: Setting SELinux to enforce results in not configured network interface at boot time

Mika Pflüger debian at mikapflueger.de
Fri Aug 1 21:32:23 UTC 2014


Hi Andre,

most interesting is the output of semodule -l. SELinux refpolicy is
modular, so that you only have to load the policy for the programs you
actually use. Note that in your case you have loaded only some select
modules, pretty much a minimal set of modules, which will provide only
very basic functionality.
Upon installation, the selinux-policy-default package in stable tries to
guess which modules you could need and installs those. If you then
install other software afterwards, you have to enable other modules
yourself.
To enable the dhcp module (which hopefully will fix your problem), use:
# semodule -i /usr/share/selinux/default/dhcp.pp
you will find all available modules in /usr/share/selinux/default/,
just check which one sounds like you need it. You can also install all
of them and then selectively disable some using
# semodule -d dhcp
(or equivalent for other module names, see semodule(8)), which is often
easier.

Note that having loaded "too many" modules usually only means selinux
is not as effective in preventing accesses (if e.g. you don't have an
ftp server installed, there is no need to allow ftp access), but it
usually will not do much harm.

We recognise that this situation (minimal set of default modules enabled
upon installation) is confusing for many users, which is why we changed
this already in debian unstable, such that by default a much larger set
(also including dhcp) of modules is installed.

I hope this helps you to get up and running with selinux.
Unfortunately, there is only very basic documentation about selinux on
debian (the best I know is
http://debian-handbook.info/browse/stable/sect.selinux.html from the
debian administrator's handbook), but it is mostly analogous to how it
works on RHEL and Fedora, so you can also read 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html

Cheers,

Mika
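
The comparison described above, as an added example that is not part of the original message: a shell function that reads `semodule -l` output and lists the modules shipped in a policy directory that are not currently active. The function names and the sample data in `demo` are constructed, and treating a trailing `Disabled` field as "not active" is an assumption about the older `semodule -l` output format.

```shell
#!/bin/sh
# Added example: which policy modules are shipped on disk but not active?
# Real use (as root):  semodule -l | inactive_modules /usr/share/selinux/default

# Read `semodule -l` output on stdin and print the names of active modules.
# Assumption: older semodule prints "name<TAB>version[<TAB>Disabled]",
# newer semodule prints only "name"; both are handled.
loaded_modules() {
    awk 'NF && $NF != "Disabled" { print $1 }' | sort -u
}

# Print the module names available as .pp packages in directory $1.
available_modules() {
    for f in "$1"/*.pp; do
        [ -e "$f" ] || continue      # directory holds no .pp files
        basename "$f" .pp
    done | sort -u
}

# stdin: `semodule -l` output; $1: policy package directory.
# Prints every module that has a package on disk but is not active.
inactive_modules() {
    loaded=$(loaded_modules)
    available_modules "$1" | while read -r m; do
        printf '%s\n' "$loaded" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

# Offline demonstration on constructed data (not output from a real system).
demo() {
    dir=$(mktemp -d)
    for m in apache dhcp ftp ssh; do : > "$dir/$m.pp"; done
    printf 'apache\t2.7.2\nssh\t2.4.2\nftp\t1.15.1\tDisabled\n' |
        inactive_modules "$dir"
    rm -rf "$dir"
}

demo
```

Each name printed is a candidate for `semodule -i <dir>/<name>.pp`, or for re-enabling if it was disabled; whether a module is needed still depends on the software installed.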
