Debian SELinux Status

Introduction

To run ["SELinux"] on Debian, you generally need an up-to-date 2.6 kernel with ["SELinux"] enabled and some patched user-space utilities, most of which should now be available in Debian unstable. This page tracks the progress of SELinux-enabling Debian.

Open Issues

||Package||Bug no||Comment||
||[http://packages.debian.org/sysvinit sysvinit]||[http://bugs.debian.org/330592 #330592]||init crashes when SELinux is enabled, /selinux exists but it can't load a policy||
||[http://packages.debian.org/cron cron]||[http://bugs.debian.org/333837 #333837]||/etc/cron.daily/standard tries to back up gshadow, shadow||
||[http://packages.debian.org/initscripts initscripts]||[http://bugs.debian.org/333836 #333836]||/etc/init.d/mountvirtfs and /etc/init.d/checkroot.sh try to touch filesystems to check writeability||
||[http://packages.debian.org/selinux-policy-default selinux-policy]||None||Policy packaging needs to be redone. Installed packages should be identified and appropriate policy files chosen automatically instead of asking a myriad of questions||
||[http://packages.debian.org/ntp-server ntp-server]||[http://bugs.debian.org/340781 #340781]||ntp cronjob tries to rotate ntp statistics, needs policy modification or use logrotate||
||general||None||Add more documentation, e.g. on how to set booleans in Debian SELinux (partly upstream issue)||

Closed Issues

||Package||Ver||Bug no||Description||
||[http://packages.debian.org/src:linux-2.6 linux-2.6]||2.6.14-3||[http://bugs.debian.org/338543 #338543]||Kernel package 2.6.14-2 lacks socket auditing||
||[http://packages.debian.org/src:linux-2.6 linux-2.6]||2.6.9||None||Enable SELinux in kernel||
||[http://packages.debian.org/dpkg dpkg]||1.13.9||[http://bugs.debian.org/249496 249496], [http://bugs.debian.org/314886 314886]||Enable SELinux in dpkg||
||[http://packages.debian.org/ssh ssh]||4.1p1-4||[http://bugs.debian.org/308555 308555]||Enable SELinux in ssh||
||[http://packages.debian.org/logrotate logrotate]||3.7.1-1||[http://bugs.debian.org/315514 315514]||Enable SELinux in logrotate||
||[http://packages.debian.org/devmapper devmapper]||2:1.01.04-2||[http://bugs.debian.org/315473 315473]||Enable SELinux in devmapper||
||[http://packages.debian.org/lvm2 lvm2]||2.01.14-1||[http://bugs.debian.org/315505 315505]||Enable SELinux in lvm2||
||[http://packages.debian.org/cron cron]||3.0p11-88||[http://bugs.debian.org/315509 315509]||Enable SELinux in cron||
||[http://packages.debian.org/sysvinit sysvinit]||2.86.ds1-2||[http://bugs.debian.org/315611 315611] (also [http://bugs.debian.org/242900 242900] and [http://bugs.debian.org/249515 249515])||Enable SELinux in sysvinit||
||[http://packages.debian.org/libpam0g libpam0g]||0.79-1||[http://bugs.debian.org/284954 284954]||Enable SELinux in PAM||
||[http://packages.debian.org/coreutils coreutils]||5.93-1||[http://bugs.debian.org/312426 312426]||Enable SELinux in coreutils||
||[http://packages.debian.org/src:linux-2.6 linux-2.6]||2.6.13||[http://bugs.debian.org/333834 333834]||Enable SELinux auditing in kernel to allow debugging/tweaking/enhancing||

Additional Information

For some of the userspace tools, there are "unofficial" packages available [http://www.coker.com.au/selinux/ here] and [http://www.golden-gryphon.com/software/security/selinux.xhtml here]. These should no longer be necessary but might contain bugfixes which are not yet in the official repository.

For more information, see the ["SELinux"] page.