Allow the users to enable SELinux enforcing mode on their machine without too much hassle.
- Improve the SELinux reference policy, this is currently being worked out with upstream.
- Be sure that when a init/maintainer script is creating a file/directory the label on disk is properly (re)set.
- Be sure that SELinux-aware applications have SELinux support enabled and that it is working properly.
Current status / Further Information
A similar release goal had been proposed for Squeeze: https://lists.debian.org/debian-release/2009/07/msg00389.html
New reference policy
Dominick Grift and Laurent Bigonville have worked on packaging a new upstream reference policy, and Michael Pflüger has it on his todo-list to turn those bits into a package that can go into experimental (where it can mature for a while before being uploaded to unstable and migrating to testing). (2013-10-31)
If you want to help that effort, you could install one of Laurent Bigonville's (bigon's) preliminary packages (such as selinux-policy-default_2.20130928-1~bigon5_all.deb) and report any problems you encounter. The developers would then try to solve those problems upstream and package the newer upstream snapshot.
(BTW: The major release of the SELinux tool chain published upstream on 2013-10-30 was already packaged for Debian by Laurent Bigonville on 2013-11-03)
Properly set selinux labels during installation
Laurent Bigonville suggested a while ago amending the Debian policy so that a package which creates a file or directory in an init script or a maintainer script ensures that the SELinux context on disk is correct, by calling restorecon after creating it (debian-policy: Document in the policy the way to properly set selinux labels on files and directories). Without that call the new object keeps whatever context the creating process or parent directory gave it, which in enforcing mode typically shows up later as AVC denials. It is difficult to measure progress.
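The following is an added example of the maintainer-script pattern described above; it is not code from the Debian policy proposal or from any package. The helper names (fix_selinux_label, create_state_dir) and the directory it creates are assumptions for illustration. It relabels only when selinuxenabled reports SELinux as enabled, so the same script stays correct on systems without SELinux.

```shell
#!/bin/sh
# Added example (hypothetical postinst fragment), not from Debian policy.
set -e

# fix_selinux_label PATH
# Asks SELinux to (re)set the on-disk context of PATH, recursively, from the
# loaded file-context database. Does nothing when SELinux is unavailable or
# disabled, so the maintainer script does not fail on non-SELinux systems.
# restorecon and selinuxenabled are shipped in policycoreutils.
fix_selinux_label() {
    path="$1"
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        if command -v restorecon >/dev/null 2>&1; then
            restorecon -R "$path"
        fi
    fi
}

# create_state_dir DIR
# The pattern the proposal asks for: create the object, set ordinary DAC
# permissions, then fix the SELinux label before anything uses it.
create_state_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0750 "$dir"
    fix_selinux_label "$dir"
}

# Usage in a postinst "configure" branch (hypothetical path):
#   create_state_dir /var/lib/example-daemon
```

On an SELinux system you can confirm the result with "ls -Z" on the directory; if the context differs from what "matchpathcon" reports for that path, the file-context database (not the script) needs attention.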
Inform about need to execute "selinux-policy-upgrade" - or offer execution
For years one has needed to run "selinux-policy-upgrade" after installing a new policy package to activate it. The user is not even informed of this but must figure it out on their own. This should and can be improved.
Since 2:2.20131214-1, the policy is automatically updated when the package is upgraded. The script takes into account modules that the user has disabled (semodule -d). However, modules that the user has removed (semodule -r) will be re-added by the upgrade, so such removals must be repeated afterwards.
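To keep track of the re-added modules mentioned above, the following added example (not part of the page or of the selinux-policy-default package) compares a "semodule -l" listing taken before the upgrade with one taken afterwards and prints the modules that reappeared. It assumes the listing has one module per line with the module name as the first field (older semodule versions append a version column); the sample listings are constructed for the demo.

```shell
#!/bin/sh
# Added example: detect policy modules that a package upgrade re-added.
# Not code from the selinux-policy-default package.

# module_names FILE
# Normalises a saved "semodule -l" listing to bare, sorted module names.
module_names() {
    awk 'NF > 0 { print $1 }' "$1" | sort -u
}

# readded_modules BEFORE AFTER
# Prints names present in AFTER but absent from BEFORE.
readded_modules() {
    before_tmp=$(mktemp)
    after_tmp=$(mktemp)
    module_names "$1" > "$before_tmp"
    module_names "$2" > "$after_tmp"
    comm -13 "$before_tmp" "$after_tmp"
    rm -f "$before_tmp" "$after_tmp"
}

# demo: constructed listings in which the user had removed "games"
# (semodule -r games) before the upgrade and the upgrade re-added it.
demo() {
    before=$(mktemp)
    after=$(mktemp)
    printf 'apache\t2.6.0\ncups\t1.16.0\n' > "$before"
    printf 'apache\t2.6.1\ncups\t1.16.0\ngames\t2.1.0\n' > "$after"
    readded_modules "$before" "$after"
    rm -f "$before" "$after"
}

# Real use (as root, on an SELinux system):
#   semodule -l > /var/backups/semodule-before.txt   # before the upgrade
#   semodule -l > /var/backups/semodule-after.txt    # after the upgrade
#   readded_modules /var/backups/semodule-before.txt /var/backups/semodule-after.txt \
#       | xargs -r -n1 semodule -r
```

Only modules you deliberately removed should be fed back to "semodule -r"; review the list first, because a new policy release may legitimately add modules you want to keep.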
The "SELinux Policy Analysis" tool (apol) from the setools package has no menu item in KDE (Gnome?). This seems to be a violation of the Debian policy ("9.6 Menus").
Other issues involving SELinux
"if I'm not mistaken, -z relro actually makes things not work with selinux, seeing how selinux already breaks the mprotect that removes the write bit on code sections after text relocations" (Please enable hardened build flags through dpkg-buildpackage, Comment 61)
This needs clarification: whether -z relro really conflicts with the SELinux restriction on text relocations, and under which conditions. It is important that SELinux can be used to protect against Iceweasel/Firefox security issues, and using hardened build flags is also important, so the two should not be mutually exclusive.
Resolved issues to be verified
Mail: Possible issues with dpkg SELinux support. All the issues mentioned in that mail should be fixed in dpkg 1.17.1 according to Guillem Jover (2013-10-05).
debian-installer: Support targeted SELinux in the installer was resolved in April 2007; is it still resolved? Can the Debian Installer configuration be improved for SELinux, e.g. by installing in permissive mode?
PATCH RFC - Package script(let)s SELinux execution context, PATCH - libselinux: Refactor rpm_execcon() into a new setexecfilecon(). Guillem Jover (2013-10-05): "Upstream seemed to agree with the patch, but I guess it fell through the cracks. I added the equivalent code to dpkg directly, the same was done on the rpm side. Having that upstream would allow to remove that local function from both codebases, but not after some time so that people can compile with old libselinux releases."
Nice to have
Re-add a Debian package for SETroubleShoot: User friendly utility for troubleshooting SELinux
How to help
Enable SELinux "permissive" mode on your test system. "Enforcing" mode is not necessary to help improve the SELinux integration in Debian: in permissive mode denials are only logged, not enforced, which is exactly what is needed to find missing rules and wrong labels.
See the unresolved issues under "Further information". Test the new reference policy!
Please note that the creator of this page currently has problems sending mails to that mailing list. 2013-11-01
Andreas Kuckartz (email@example.com)