[Resolved] SELinux in Debian

HulaHoop · August 3, 2014, 12:24am

I am interested in feedback from anyone who want to help with this.

Be sure that apparmor is diable first or else it won’t work.
This can be useful for those who want to run an alternative MAC on their Debian hosts to isolate virtual machines. SELinux has its merits.

So far when running this guide I reach a point where SELinux is all setup with no conflicts showing in the logs. However getting it to enforce is not working.

HulaHoop · August 5, 2014, 2:47am

14.5. Introduction to SELinux << Please cite this guide in the documentation just in case someone want more information.

Successfully running SELinux Enforcing mode in Whonix with no problems. For Debian users who want in general to use a more powerful Mandatory Access Control framework follow these steps. sVirt uses it if its enabled with no extra input needed.

# aptitude install selinux-basics selinux-policy-default # selinux-activate # reboot
sudo nano /etc/default/grub

Replace all mention of apparmor in settings for GRUB_CMDLINE_LINUX with selinux=1 and the enforcing=1 parameter to the Linux kernel. The audit=1 parameter enables SELinux logging which records all the denied operations.
Remove the line under it that starts with: GRUB_CMDLINE_LINUX_DEFAULT

update-grub

rock and roll

HulaHoop · August 5, 2014, 3:11am

Check SELinux status using

Patrick · August 5, 2014, 1:51pm

This fits into Advanced Security Guide - Whonix below AppArmor.

troubadour · August 5, 2014, 8:26pm

Nice. Now, we just have to write policy modules (targeted, strict?). For having had a little more than a look, I can tell it’s not a walk in the park.