How to addon SELinux to Debian?

linux-man · 11-29-2016, 10:31 PM

Where do I need to go to add on SELinux?
for Debian

AwesomeMachine · 11-30-2016, 02:37 AM

You just install the policy and a few tools. Read the selinux man page. There is a flag file you create that tells linux to label the file system for selinux. You can control selinux with two boot parameters in the kernel line if grub: selinux=1,0 and enforcing=1,0; but it's 1 or 0. 1 means on and 0 means off.

c0wb0y · 11-30-2016, 02:05 PM

As far as I know, SELinux is unsupported on current Debian stable. Perhaps it would be supported on next release?

DavidMcCann · 12-01-2016, 11:38 AM

SELinux is built into the kernel, so it is there in Debian: just disabled. This page has the links to instructions on how to set it up.
http://wiki.debian.org/SELinux

Note the warning that Debian doesn't do much testing of SELinux "so you might run into quite some issues". That sounds ominous! Do you really need SEL? That really is Linux for paranoids: it was developed for the use of government security agencies. Personally, I'd say that if you do need it for some mysterious reason, you should be running CentOS, where it's enabled by default.

The protection system used by Debian is AppArmor:
http://wiki.debian.org/AppArmor/HowToUse
This is considered to be easier, if not quite so powerful: see the Wikipedia articles on both systems.

c0wb0y · 12-01-2016, 11:22 PM

Having SELinux support in the kernel is not enough. You got to need the tools, applications compiled against it and policies that makes SELinux usable to end users.

dac.override · 12-24-2016, 01:54 AM

Using SELinux on Debian Stretch is great as Stretch provides the latests versions of the essential tools like SETools3, and the SELinux User Space utilities and libraries version 2.6. Not even Fedora Rawhide has these, so in that sense Debian has the advantage.

To complement the above I have created a policy model that, I would argue, is (close to) perfect for a community distribution such as Debian. The model provides a a solid base to build upon. By default it does not block much so if you do not actually use it, you probably wont even notice it is there. The purpose is to lower the barrier of entrance though. Meaning, You can have SELinux enabled and at your disposal, but not use it or use it at your own pace to address your own security challenges. It makes it accessible. You can compare it to the default iptables config in Debian where your tables are empty but set to allow by default. Unless you are aware of iptables you will not notice its presence, however it is there and ready to be used.

The only thing one really hs to do is to learn what security challenges SELinux helps to address, Learn how SELinux helps to address the aforementioned access control challenges, and learn how to speak to, and listen to SELinux.

Here is a blog post with instructions and demo videos:

https://doverride.blogspot.nl/2016/1...h-my-name.html