[DSE-Dev] Bug#1070039: refpolicy: enforcing mode causes machine with GNOME desktop to crash
Henrik Ahlgren
pablo at seestieto.com
Mon Apr 29 09:11:59 BST 2024
Package: selinux-policy-default
Version: 2:2.20221101-9
Severity: important
Dear Maintainer,
I am fully aware that selinux is not really considered a first class
citizen in Debian, especially in graphical desktop use cases. Never
had any trouble with AppArmor and I've had moderate success with
running selinux in servers. But, I was bit dissapointed in what
happened when I attempted to enable enforcing mode in a laptop with
pretty standard Debian 12 GNOME environment.
I simply did the following:
sudo apt install --no-install-recommends selinux-basics \
selinux-policy-default auditd
sudo selinux-activate
sudo reboot
(Decided to skip the recommended dependencies for this test, since
they bring in over 600M of random python libraries etc. I assume the
recommended or suggest packages are not essential for selinux
operation?)
Everything went fine, files (on btrfs) got labelled, most system
daemons were running on correct selinux domains, etc. However,
ausearch -m avc reported over 900 policy violations. I still decided
to test what happens if I put selinux into enforcing mode (sudo
setenforce 1).
That caused the graphical session to crash immediately, replaced with
a blinking cursor. Soon after a screen appeared with a sad face and
"Oh no! Something has gone wrong. A problem has occurred and the
system can't recover. Please contact a system administrator."
I have not find much people's experiences on using selinux on desktop
Debian, but I can't be the only one brave enough to try it?
This problem should be pretty easy to reproduce on fresh Debian
installation.
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-20-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages selinux-policy-default depends on:
ii libselinux1 3.4-1+b6
ii libsemanage2 3.4-1+b5
ii libsepol2 3.4-2.1
ii policycoreutils 3.4-1
ii selinux-utils 3.4-1+b6
Versions of packages selinux-policy-default recommends:
ii checkpolicy 3.4-1+b2
pn setools <none>
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
More information about the SELinux-devel
mailing list