SELinux

Introduction

["SELinux"] was initially a project to port the work developing a mandatory access control architecture done by the National Security Agency (NSA) and the Secure Computing Corporation (SCC) on the Mach and Fluke OS's to Linux.

For more information please read the [http://www.nsa.gov/selinux/index.cfm NSA SELinux website] and a [http://www.nsa.gov/selinux/papers/inevit-abs.cfm paper on why mandatory access controls are a good and likely a necessary thing].

Debian SELinux support

The Debian packaged Linux kernels have had ["SELinux"] support compiled in (but disabled by default) since version 2.6.9. In order to activate ["SELinux"] the parameter selinux=1 must be passed to the kernel when booting. Alternatively, you can compile your own kernel with ["SELinux"] enabled by default.

The SELinux support is in constant flux, so it is generally recommended that you use an up-to-date installation of unstable if you want to experiment with ["SELinux"] (for instance, the Debian packaged kernels did not include "audit" support until version 2.6.13).

In addition to kernel modifications, several user-space application need to be modified to support ["SELinux"] properly. Patched versions of these should be in Debian unstable by now.

Debian SELinux wiki pages

There are a number of pages which you might want to read if you decide to experiment with ["SELinux"]:

Non-Linux Platforms

Please note that ["SELinux"] is a Linux-specific feature and Debian packages shouldn't assume it is present (unless they're Linux-specific packages for some reason). Remember to check wether this is a Linux platform by using dpkg-architecture variables in debian/rules, and conditionalise the libselinux Build-Dependency using [] tags. Something like [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386] should be fine.