selinux in debian 9

Hello,

I am trying to set up selinux on my laptop with a fresh installation of debian 9.1, and I have big trouble making it boot.

I think that I did everything according to the wiki page
https://wiki.debian.org/SELinux/Setup
- installed the packages:
  i   selinux-basics           0.5.6           0.5.6
  i A selinux-policy-default   2:2.20161023.1  2:2.20161023.1
  i   auditd                   1:2.6.7-2       1:2.6.7-2
  i A setools                  4.0.1-6         4.0.1-6
- ran selinux-activate (with subsequent reboot, relabel, reboot)
- ran check-selinux-installation, which complained about missing /etc/default/rcS, so I added the file with content "FSCKFIX=yes" and the script stopped complaining and returned 0.

After this, my system worked in permissive mode.

However, if I tried to switch to enforcing mode (either using /etc/selinux/config or by kernel command line parameter), I never managed to boot.

I tried audit2allow using the input from /var/log/audit/, from journalctl (not everything is apparently in audit log) and also something that I could see in the display during the failed startups, and including this as a module, but never even managed to get to the single-user mode. I would guess that booting in permissive mode, parsing audit log with audit2allow and including this into my policy would solve the problem, but it does not.

My installation uses systemd, although I am not very familiar with it.
I am not sure whether it is ok to send the output of audit2allow as an attachment, since it contains a few hundred lines. But I can quote several lines.

allow bootloader_t mount_var_run_t:file { getattr open read write };
allow bootloader_t udev_var_run_t:file { getattr open read };
allow bootloader_t user_home_dir_t:dir read;
allow bootloader_t var_lib_t:dir { add_name create mounton read remove_name rmdir write };
allow dhcpc_t avahi_exec_t:file { execute execute_no_trans getattr open read };
allow ifconfig_t apmd_var_run_t:file read;
allow local_login_t gkeyringd_exec_t:file execute;
allow local_login_t unlabeled_t:file { getattr open read };
allow ntpd_t init_t:file { open read };
allow sulogin_t locale_t:dir search;
allow sulogin_t locale_t:file read;
allow sulogin_t locale_t:lnk_file read;
allow system_cronjob_t http_port_t:tcp_socket name_connect;
allow system_cronjob_t mtrr_device_t:file getattr;
allow systemd_hostnamed_t init_t:dbus send_msg;
allow systemd_logind_t apmd_t:dir search;
allow systemd_logind_t user_runtime_t:sock_file unlink;
allow systemd_passwd_agent_t lvm_t:dir search;
allow systemd_passwd_agent_t lvm_t:file { getattr open read };
allow systemd_passwd_agent_t sysfs_t:file { getattr open read };

Am I doing something wrong, or is selinux even supported in stretch?
If the policy package were missing, those types would not even exist and the respective files would not have such labels (it's a fresh installation on a brand new laptop). On the other hand, many of those permissions are about very basic parts of the system (sulogin, dhcpc, systemd_logind...).

I stopped my effort because I stopped seeing any new auditd logs which would move me further. Does anyone have any advice?

thanks,

marek
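The allow rules quoted above are what audit2allow produces from AVC records. As an added example (not part of the original post or of the Debian tooling), the script below does the same grouping by hand: it parses AVC lines from auditd's log format, merges the denied permissions per (source type, target type, class) triple, counts how many denials were logged with permissive=1 versus permissive=0, and flags denials against unlabeled_t separately, since those normally point at a file system that still needs relabelling rather than at a missing rule. The audit lines in SAMPLE_AUDIT_LOG are constructed to resemble the sulogin_t and local_login_t entries in the post; they are not from a real machine.

```python
"""Group SELinux AVC denials into audit2allow-style allow rules.

Added example, not from the original mailing-list post.  It mirrors the
simplest thing audit2allow does: collect the denied permissions for each
(source type, target type, class) triple and emit one 'allow' line per triple.
"""
import re
from collections import defaultdict

# Constructed sample of what auditd writes to /var/log/audit/audit.log
# (pids, inodes and paths are made up; the field layout is the kernel's).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1504000000.100:42): avc:  denied  { search } for  pid=812 comm="sulogin" name="locale" dev="sda1" ino=1101 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1504000000.101:43): avc:  denied  { read } for  pid=812 comm="sulogin" path="/usr/lib/locale/locale-archive" dev="sda1" ino=1102 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1504000000.102:44): avc:  denied  { open } for  pid=812 comm="sulogin" path="/usr/lib/locale/locale-archive" dev="sda1" ino=1102 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1504000000.102:44): arch=c000003e syscall=2 success=yes exit=3 comm="sulogin" exe="/sbin/sulogin"
type=AVC msg=audit(1504000000.300:51): avc:  denied  { getattr } for  pid=901 comm="login" path="/etc/example.conf" dev="sda1" ino=2201 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

# One AVC record: the permission set in braces, then the source and target
# security contexts, the object class and (on newer kernels) permissive=0/1.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """user:role:type[:range] -> type.  The type is always the third
    colon-separated field, so MLS ranges like s0-s0:c0.c1023 do not matter."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the parsed fields of one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def aggregate(log_text):
    """Return ({(stype, ttype, tclass): set(perms)}, counts) where counts says
    how many denials were logged in permissive vs enforcing mode.  Enforcing
    mode stops a process at its first denial, so a log taken in enforcing mode
    is usually incomplete compared with one taken in permissive mode."""
    rules = defaultdict(set)
    counts = {"permissive": 0, "enforcing": 0}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
        counts["permissive" if d["permissive"] else "enforcing"] += 1
    return dict(rules), counts


def format_rule(stype, ttype, tclass, perms):
    """Render one triple the way audit2allow prints it."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def allow_rules(log_text):
    rules, _ = aggregate(log_text)
    return [format_rule(*key, perms) for key, perms in sorted(rules.items())]


def relabel_candidates(log_text):
    """Denials whose target is unlabeled_t: the object simply has no label, so
    the fix is a relabel (restorecon, or touch /.autorelabel and reboot), not
    an allow rule that would let the domain touch any unlabelled file."""
    rules, _ = aggregate(log_text)
    return sorted(f"{s} -> {t}:{c}" for (s, t, c) in rules if t == "unlabeled_t")


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for cand in relabel_candidates(SAMPLE_AUDIT_LOG):
        print("# relabel instead of allow:", cand)
    print("# denials by mode:", aggregate(SAMPLE_AUDIT_LOG)[1])
```

Running it on a real /var/log/audit/audit.log (read the file into allow_rules) gives the same triples audit2allow would, which makes it easy to spot rules such as the unlabeled_t one in the post that should be resolved by relabelling instead of being compiled into a module. The permissive/enforcing counts are a quick check on whether the log was actually collected in permissive mode, where every denial of a boot is recorded instead of only the first one that killed the process.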