Differences between revisions 42 and 43
Revision 42 as of 2012-07-29 10:38:35
Size: 2757
Editor: AndreasKuckartz
Comment: Update info on liblzo issue
Revision 43 as of 2012-07-30 19:25:06
Size: 2762
Editor: AndreasKuckartz
Comment: "(Etch/Lenny/Sid)" -> "(Lenny/Squeeze/Sid)"
Line 9: Line 9:
In order to track the progress of SELinux-enabling Debian in recent Releases (Etch/Lenny/Sid), see [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org|bug reports with SELinux usertag]] In order to track the progress of SELinux-enabling Debian in recent Releases "(Lenny/Squeeze/Sid)", see [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org|bug reports with SELinux usertag]]
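Review bot: the replacement text on line 9 wraps the release list in literal double quotes, "(Lenny/Squeeze/Sid)", which look carried over from the notation used in the edit comment rather than intended page text; write it as (Lenny/Squeeze/Sid) without the quotes. The sentence also still ends without a period after the link.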

Debian SELinux Status and Issues

In order to run SELinux on Debian, you generally need an up-to-date 2.6 version of Linux with SELinux enabled and some patched user-space utilities, most of which should now be available in Debian unstable and testing.

For details on setting up SELinux, see the Setup page.

To track the progress of SELinux-enabling Debian in recent releases (Lenny/Squeeze/Sid), see the bug reports with the SELinux usertag: http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org

Upgrading to MCS

In December 2006, the refpolicy package in Etch was updated to enable multi-category security (MCS) support. Upgrading from a pre-MCS refpolicy to an MCS one is fairly disruptive and undocumented, because MCS requires some features of MLS, which wasn't previously enabled. The package upgrade doesn't immediately break anything, but one can't install new modules from Debian's own packages afterward — semodule installs will emit "Tried to link in an MLS module with a non-MLS base" errors.

If you have a pre-MCS sid/etch install and need to attempt the upgrade, one workable procedure is approximately this:

  1. Isolate the host, since you'll be disabling its protection temporarily
  2. Upgrade your reference policy to 0.0.20061018-2 or later (if you haven't already)
  3. Save the source to any custom modules you're using
  4. Purge libsemanage1, policycoreutils and selinux-policy-refpolicy-targeted (or -strict, if that's what you use)
  5. Manually move /etc/selinux out of the way
  6. Reinstall the packages (there will be errors loading the policy because your kernel isn't booted with MLS enabled)
  7. Reboot the system in non-enforcing mode
  8. Recompile your custom modules with MLS enabled (checkmodule's -M switch), and reinstall them
  9. Repeat the usual SELinux break-in process of checking that services are running in the proper domains, that the logs are clean, etc.
  10. Re-enable enforcing mode
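
The procedure above as a dry-run plan generator, added here as an example and not part of the original wiki page: it only prints the commands for each step so they can be reviewed before being typed on the isolated host. The backup path `/etc/selinux.pre-mcs`, the module source layout (`*.te` with an optional `*.fc` beside it), the use of `apt-get` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: prints the commands for the pre-MCS -> MCS upgrade; it runs nothing.
# Assumptions (not from the page): backup path, module source layout, apt-get usage,
# and that paths contain no whitespace.

# Emit the rebuild commands for one custom module (step 8).
rebuild_module() {
    te=$1
    base=${te%.te}
    echo "checkmodule -M -m -o $base.mod $te"   # -M builds the module with MLS/MCS support
    if [ -f "$base.fc" ]; then
        echo "semodule_package -o $base.pp -m $base.mod -f $base.fc"
    else
        echo "semodule_package -o $base.pp -m $base.mod"
    fi
    echo "semodule -i $base.pp"
}

# Emit the whole plan. $1 = targeted|strict, $2 = directory holding saved module sources.
mcs_upgrade_plan() {
    flavor=$1
    srcdir=$2
    case $flavor in
        targeted|strict) ;;
        *) echo "unknown policy flavor: $flavor" >&2; return 2 ;;
    esac
    [ -d "$srcdir" ] || { echo "no module source directory: $srcdir" >&2; return 3; }
    pkgs="libsemanage1 policycoreutils selinux-policy-refpolicy-$flavor"
    echo "# steps 1-3: host isolated, refpolicy >= 0.0.20061018-2, sources saved in $srcdir"
    echo "apt-get --purge remove $pkgs"          # step 4
    echo "mv /etc/selinux /etc/selinux.pre-mcs"  # step 5
    echo "apt-get install $pkgs"                 # step 6 (policy load errors are expected)
    echo "# step 7: reboot with enforcing=0 on the kernel command line"
    for te in "$srcdir"/*.te; do                 # step 8
        [ -f "$te" ] || continue                 # glob matched nothing
        rebuild_module "$te"
    done
    echo "ps axZ        # step 9: check service domains, then review the logs"
    echo "setenforce 1  # step 10"
}

# Print the plan when run directly: sh mcs-plan.sh targeted /root/selinux-modules
if [ $# -eq 2 ]; then mcs_upgrade_plan "$1" "$2"; fi
```

A module rebuilt without `-M` would hit the same "Tried to link in an MLS module with a non-MLS base" class of mismatch in reverse, so every saved `.te` file should appear in the printed plan before step 4 is run.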

OpenVPN/liblzo issues

When linking with liblzo/liblzo2 prior to version 2.02-3, OpenVPN suffers from bug 336138. The liblzo libraries were incorrectly marked as requiring an executable stack. A workaround is described in the bug report; alternatively, update to the versions of openvpn and liblzo2 in current testing/unstable.

Package liblzo1 no longer exists and was replaced by liblzo2. It therefore is possible that this issue can be closed.

Old Issues

The very old issues are listed in ../OldIssues.