[DSE-Dev] SELinux in Debian

Christian Göttsche cgzones at googlemail.com
Thu May 25 20:21:21 UTC 2017


2017-05-25 21:54 GMT+02:00 Lev Kuznetsov <lev.kuznets at gmail.com>:
> Thanks for your reply Christian!!!
> I have tried the default policy...
> It didn't seem to have any errors but when I changed the grub command to run
> selinux, it didn't work - I saw SELinux init msg in the kernel log, but it
> wasn't able to load the policy...

Some preconditions I think you met already:
The kernel must be compiled with SELinux support: CONFIG_SECURITY_SELINUX=y
The kernel must be booted with the cmdline option 'security=selinux'

In the file /etc/selinux/config there should be the following lines:
SELINUX=enforcing
SELINUXTYPE=default # or some other policy name

Then there should be the binary policy at
/etc/selinux/POLICY_NAME/policy/policy.POLICY_VERSION
where POLICY_NAME is the policy name from above and POLICY_VERSION a
number up to 30 (depending on kernel version).
If not, you might need to load the modules, e.g.
semodule -X 100 -i /usr/share/selinux/default/*

> Did you have a successful experience with SELinux and Debian 8 (jessie)? If
> yes, that will give me some motivation to continue :)

I maybe used SELinux on jessie some years ago, nowadays I use it on stretch/sid.

> I also tried your suggestion with
> https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy I will try a
> clean install...
>
> p.s.
> I think refpolicy and default policy are from the same source...

Yes, with some Debian related patches

> And again, thanks for your reply, I really appreciate it!
>
> On Tue, May 23, 2017 at 8:21 PM, Christian Göttsche <cgzones at googlemail.com>
> wrote:
>>
>> Did you try to install the selinux-policy-default package from stretch
>> or testing? (Are there any errors?)
>>
>> SELinux needs a policy to be enabled, otherwise you can try the
>> upstream reference policy
>> https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
>>
>> 2017-05-20 17:12 GMT+02:00 Lev Kuznetsov <lev.kuznets at gmail.com>:
>> > Hi all,
>> > I've been struggling with this for over a week now :(
>> > 2 questions:
>> > 1) Is SELinux supported on Debian GNU/Linux 8.7 (jessie) ?
>> > With custom 3.16.43 Kernel (compiled with SELinux support):
>> > Linux debian 3.16.43custom #34 SMP Mon May 15 20:55:00 EDT 2017 i686
>> > GNU/Linux
>> >
>> > 2) If so, how to enable some example policy?
>> > I am trying to use the instructions from here
>> > (https://wiki.debian.org/SELinux/Setup)
>> > The problem is that selinux-policy-default is not part of debian
>> > packages
>> > since it failed some tests... Any instructions I tried to install the
>> > package
>> > are not working... Although the installation finishes, SELinux is not
>> > activated on startup....
>> >
>> >
>> > Any advice/help is appreciated... Even a 'Yes'/'No' answer from someone
>> > who
>> > has tried that...
>> >
>> > Additional info:
>> > I see that SELinux is initialized in the kernel log, but no policy is
>> > loaded and SELinux is disabled when running "sestatus"
>> >
>> > Thanks, Lev
>> >
>
>
>
>
> --
> Regards,
> Lev Kuznetsov
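
The preconditions listed in the reply above can be checked in one pass. The script below is an added example, not part of the original thread or of any Debian package. It assumes the kernel config is installed as /boot/config-<release>, accepts SELINUX=permissive as well as enforcing (going slightly beyond the reply), and uses hypothetical function names selinux_cfg and check_selinux_preconditions.

```shell
#!/bin/sh
# Added example (not from the thread): checks the preconditions listed above.
# Assumption: the kernel config is installed as /boot/config-<release>.

# Print the value of KEY from an /etc/selinux/config-style file,
# ignoring trailing comments such as "SELINUXTYPE=default # note".
selinux_cfg() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# $1 = root prefix ("" for the running system; a directory for a mounted
#      or constructed tree), $2 = kernel release (default: uname -r).
# Prints one FAIL line per unmet precondition; returns 0 only if all hold.
check_selinux_preconditions() {
    sc_root=$1; sc_kver=${2:-$(uname -r)}; sc_fail=0
    sc_cfg="$sc_root/etc/selinux/config"

    grep -qx 'CONFIG_SECURITY_SELINUX=y' "$sc_root/boot/config-$sc_kver" 2>/dev/null ||
        { echo "FAIL: CONFIG_SECURITY_SELINUX=y not found for $sc_kver"; sc_fail=1; }

    grep -qE '(^| )security=selinux( |$)' "$sc_root/proc/cmdline" 2>/dev/null ||
        { echo "FAIL: security=selinux missing from kernel cmdline"; sc_fail=1; }

    sc_mode=$(selinux_cfg "$sc_cfg" SELINUX)
    case $sc_mode in
        enforcing|permissive) ;;   # both modes load a policy at boot
        *) echo "FAIL: SELINUX='$sc_mode' in $sc_cfg"; sc_fail=1 ;;
    esac

    sc_type=$(selinux_cfg "$sc_cfg" SELINUXTYPE)
    sc_found=
    for sc_p in "$sc_root/etc/selinux/$sc_type/policy/policy."[0-9]*; do
        if [ -n "$sc_type" ] && [ -f "$sc_p" ]; then sc_found=$sc_p; fi
    done
    if [ -n "$sc_found" ]; then
        echo "OK: binary policy $sc_found"
    else
        echo "FAIL: no policy.N under /etc/selinux/$sc_type/policy/;" \
             "load modules, e.g. semodule -X 100 -i /usr/share/selinux/default/*"
        sc_fail=1
    fi
    return "$sc_fail"
}

# Check the running system only when asked to: sh thisfile --live
if [ "${1:-}" = "--live" ]; then check_selinux_preconditions ""; fi
```

A FAIL on the policy line with the other three checks passing matches the symptom reported in the thread: SELinux initializes in the kernel log but no policy is loaded.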
