1. SELinux on Debian

SELinux differs from regular Linux in that, in addition to the traditional "user id", every file and process carries a SELinux user, a role and a type.

For these, additional permissions are required, but instead of logging into a role, your processes will be "switching roles" automatically, e.g. when you run "ping" you will be switched to a role that is allowed to do ICMP.

1.1. Pitfalls

These additional permission checks will, of course, deny many things that you are used to.

For example, a regular user will not be able to do a "ping", unless you set the "user_ping" boolean.

But in many cases there won't be a simple boolean to set; in some cases, a different behaviour is actually expected.

So here's a list of things you need to set up when running SELinux on Debian.

1.1.1. Locate and updatedb

"locate" is part of fileutils, and a useful tool for finding files on your system. To work, however, it needs to scan your whole filesystem for files, which would require rather extensive SELinux permissions and might be considered an "information leak". Currently there is no SELinux policy that lets regular locate work flawlessly, so it is recommended to disable it on SELinux boxes.

To do this, insert an "exit 0" at the top of /etc/cron.daily/find.

1.1.2. Postfix and chroot

To create a "chroot", special permissions are needed. This includes copying library files into the chroot and doing the actual chroot system call.

When you are running SELinux, the security gain from an additional chroot is rather limited, whereas the security risk of being allowed to set up the chroot is considered higher. Therefore, you should disable all chroots in postfix (the postfix policy wouldn't support setting up the chroots anyway).

To do this, edit /etc/postfix/master.cf and replace all "-" in the 5th column (the one headed "chroot (yes)" at the top) with "n".
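As an added example (not from the original page or the Debian postfix package), the following POSIX shell script performs this master.cf edit mechanically and checks that no service entry is left chrooted. The sample master.cf is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Rewrite the 5th (chroot) column of Postfix master.cf service entries to "n".
# Comment lines and "-o option" continuation lines (which start with whitespace)
# are left untouched, and the column alignment is preserved.
disable_postfix_chroot() {
    sed -E '/^[^#[:space:]]/ s/^(([^[:space:]]+[[:space:]]+){4})[-y]([[:space:]])/\1n\3/'
}

# Print the number of service entries whose chroot column is still "-" or "y".
count_chrooted_services() {
    awk '/^[^#[:space:]]/ && NF >= 8 && ($5 == "-" || $5 == "y") { n++ }
         END { print n + 0 }'
}

# Constructed sample resembling a stock Debian master.cf (not taken from a real host).
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
local     unix  -       n       n       -       -       local'

# Apply to a real file, keeping a backup: fix_master_cf /etc/postfix/master.cf
fix_master_cf() {
    f=$1
    cp "$f" "$f.bak" && disable_postfix_chroot < "$f.bak" > "$f"
}

# Demonstration on the constructed sample: prints the rewritten entries.
printf '%s\n' "$SAMPLE_MASTER_CF" | disable_postfix_chroot
```

Run `count_chrooted_services < /etc/postfix/master.cf` afterwards; it should print 0 before you restart postfix.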

1.1.3. Static ttys/ptys

Having static ttys/ptys means that they need to be relabelled eventually. Linux has supported dynamic ptys for a long time, so just remove /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] and use "devpts".

1.1.4. Cron's daily backup cronjob

The "cron" package includes a daily cronjob that backs up some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part that makes a backup of /etc/shadow and /etc/gshadow.

1.1.5. Initscript's boot scripts

Some core initscripts, the ones responsible for mounting your filesystems, try to verify the "writeability" of some filesystems by doing a small test write to them. This write would fail under SELinux, and you don't want them to be able to write there either. On a correctly set up system the mount will succeed anyway.

Therefore, edit /etc/init.d/checkroot.sh and /etc/init.d/mountvirtfs, locate the "dir_writeable" macro and replace "touch" with "true touch" there (so the test write becomes a no-op that always succeeds).