Differences between revisions 44 and 45
Revision 44 as of 2012-07-31 00:03:26
Size: 2686
Editor: GeoffSimmons
Comment: Specify page language, drop deleted link (SELinux/OldIssues was deleted in 2010), formatting.
Revision 45 as of 2013-05-09 20:53:22
Size: 477
Editor: MikaPflüger
Comment: Replaced old hints which do not apply to wheezy anymore with a link to the BTS
Line 5: Line 5:
In order to run [[SELinux]] on Debian, you generally need an up-to-date 2.6 version of Linux with [[SELinux]] enabled and some patched user-space utilities, most of which should now be available in Debian unstable and testing. For details on setting up [[SELinux]], see [[../Setup|the Setup page]].
Line 7: Line 7:
For details on setting up [[SELinux]], see [[../Setup|the Setup page]].
## For information only relevant to older Releases such as Etch, see [[../OldIssues|the old issues page]].
== Graphical/Desktop Installs and SELinux ==
Line 10: Line 9:
In order to track the progress of SELinux-enabling Debian in recent Releases "(Lenny/Squeeze/Sid)", see [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org|bug reports with SELinux usertag]]

== Upgrading to MCS ==

In December 2006, the refpolicy package in Etch was updated to enable multi-category security (MCS) support. Upgrading from a pre-MCS refpolicy to an MCS one is fairly disruptive and undocumented, because MCS requires some features of MLS, which wasn't previously enabled. The package upgrade doesn't immediately break anything, but one can't install new modules from Debian's own packages afterward — semodule installs will emit "Tried to link in an MLS module with a non-MLS base" errors.

If you have a pre-MCS sid/etch install and need to attempt the upgrade, one workable procedure is approximately this:

 1. Isolate the host, since you'll be disabling its protection temporarily
 1. Upgrade your reference policy to 0.0.20061018-2 or later (if you haven't already)
 1. Save the source to any custom modules you're using
 1. Purge libsemanage1, policycoreutils and selinux-policy-refpolicy-targeted (or -strict, if that's what you use)
 1. Manually move /etc/selinux out of the way
 1. Reinstall the packages again (there will be errrors loading the policy because your kernel isn't booted with MLS enabled)
 1. Reboot the system in non-enforcing mode
 1. Recompile your custom modules with MLS enabled (checkmodule's -M switch), and reinstall them
 1. Repeat the usual SELinux breakin process of checking that services are running in the proper domains, that the logs are clean, etc.
 1. Re-enable enforcing mode

== OpenVPN/liblzo issues ==

When linking with liblzo/liblzo2 prior to version 2.02-3, OpenVPN suffers from bug DebianBug:336138. The liblzo libraries were incorrectly marked as requiring an executable stack. A workaround is described in the bug report; alternatively, update to the versions of openvpn and liblzo2 in current testing/unstable.

Package liblzo1 no longer exists and was replaced by liblzo2. It therefore is possible that this issue can be closed.
Graphical/Desktop installs of Debian are not heavily tested with selinux, so you might run into quite some issues. A list of current known bugs can be found in [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=refpolicy|BTS refpolicy page]].
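Review bot: The replacement paragraph at the end of this hunk links only to the BTS listing for the refpolicy source package (src=refpolicy), while the removed link used the selinux usertag (tag=selinux;users=selinux-devel@lists.alioth.debian.org), so SELinux bugs filed against other packages are no longer reachable from this page. Consider keeping the usertag link next to the refpolicy one. The "Upgrading to MCS" and "OpenVPN/liblzo issues" sections are removed here with no pointer to an archived copy; if they are obsolete for wheezy, moving them to an archive page would keep the procedure findable for anyone still on a pre-MCS install. Minor: in the added text, "selinux" should be capitalized as "SELinux" to match the rest of the page.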

Debian SELinux Status and Issues

For details on setting up SELinux, see the Setup page.

Graphical/Desktop Installs and SELinux

Graphical/Desktop installs of Debian are not heavily tested with SELinux, so you might run into quite a few issues. A list of currently known bugs can be found on the BTS refpolicy page.