Debian SELinux Status

In order to run ["SELinux"] on Debian, you generally need an up-to-date 2.6 kernel with ["SELinux"] enabled and some patched user-space utilities, most of which should now be available in Debian unstable and testing.

For details on setting up ["SELinux"], see [:../Setup:the Setup page]. For information only relevant to older Releases such as Sarge, see [:?../OldIssues:the old issues page].

In order to track the progress of SELinux-enabling Debian in recent Releases (Etch/Lenny/Sid), see [http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=selinux;users=selinux-devel@lists.alioth.debian.org bug reports with SELinux usertag]

Upgrading to MCS

The refpolicy package in Etch was recently (December 2006) updated to enable multi-category security (MCS) support. Upgrading from a pre-MCS refpolicy to an MCS one is fairly disruptive and undocumented, because MCS requires some features of MLS, which wasn't previously enabled. The package upgrade doesn't immediately break anything, but one can't install new modules from Debian's own packages afterward -- semodule installs will emit "Tried to link in an MLS module with a non-MLS base" errors.

If you have a pre-MCS sid/etch install and need to attempt the upgrade, one workable procedure is approximately this:

  1. Isolate the host, since you'll be disabling its protection temporarily
  2. Upgrade your reference policy to 0.0.20061018-2 or later (if you haven't already)
  3. Save the source to any custom modules you're using
  4. Purge libsemanage1, policycoreutils and selinux-policy-refpolicy-targeted (or -strict, if that's what you use)
  5. Manually move /etc/selinux out of the way
  6. Reinstall the packages again (there will be errors loading the policy because your kernel isn't booted with MLS enabled)
  7. Reboot the system in non-enforcing mode
  8. Recompile your custom modules with MLS enabled (checkmodule's -M switch), and reinstall them
  9. Repeat the usual SELinux break-in process of checking that services are running in the proper domains, that the logs are clean, etc.
  10. Re-enable enforcing mode
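Step 8 is where the "Tried to link in an MLS module with a non-MLS base" error bites if the -M flag is chosen by hand. The helper script below is an added example, not part of this wiki page or of the Debian packages: it reads the MLS status of the loaded policy from selinuxfs (assumed mounted at /selinux on Etch-era kernels or /sys/fs/selinux later) and rebuilds each custom module .te file with matching checkmodule flags before installing it with semodule.

```shell
#!/bin/sh
# Hypothetical helper (not from the Debian wiki): rebuild custom policy
# modules with MLS enabled or disabled to match the policy loaded in the kernel.

# Find the selinuxfs mount point; its "mls" file reports the loaded policy's MLS status.
selinuxfs_dir() {
    for d in /selinux /sys/fs/selinux; do
        [ -f "$d/mls" ] && { echo "$d"; return 0; }
    done
    return 1
}

# Print the MLS status (1 or 0) read from the given selinuxfs "mls" file.
# Takes a path so it can be exercised on a constructed file.
mls_enabled_from() {
    tr -d '[:space:]' < "$1"
}

# Print the checkmodule flags that match the loaded policy: -M enables MLS,
# -m builds a loadable module rather than a base policy.
checkmodule_flags() {
    if [ "$1" = 1 ]; then echo "-M -m"; else echo "-m"; fi
}

# Compile one .te file into a .pp package with the given MLS status; prints the .pp path.
build_module() {
    te="$1"; mls="$2"
    base="${te%.te}"
    # shellcheck disable=SC2046  # flags are meant to be word-split
    checkmodule $(checkmodule_flags "$mls") -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    echo "$base.pp"
}

main() {
    dir=$(selinuxfs_dir) || { echo "selinuxfs is not mounted; is SELinux enabled?" >&2; exit 1; }
    mls=$(mls_enabled_from "$dir/mls")
    echo "Loaded policy MLS status: $mls" >&2
    for te in "$@"; do
        pp=$(build_module "$te" "$mls")
        semodule -i "$pp"
    done
}

# Usage: sh rebuild-modules.sh mymodule.te other.te ...
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it in permissive mode (step 7) so a module that still fails to load cannot lock you out.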

OpenVPN issues

OpenVPN suffers from bug [http://bugs.debian.org/336138 #336138]. The liblzo libraries are incorrectly marked as requiring an executable stack. A workaround is described in the bug report.