How to install SELinux in Debian Stretch

In this post I’m going to explain how to install SELinux in Debian 9 (Stretch). In following posts I will explain how to debug its alerts until it can be put in enforcing mode.

This is the version of Debian I’m using.

$ uname -a
Linux debian64 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 GNU/Linux

I have followed the documentation in https://wiki.debian.org/SELinux/Setup

$ sudo apt-get install selinux-basics selinux-policy-default auditd
[...]
$ sudo selinux-activate
Activating SE Linux
Generando un fichero de configuración de grub...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Encontrada imagen de linux: /boot/vmlinuz-4.9.0-3-amd64
Encontrada imagen de memoria inicial: /boot/initrd.img-4.9.0-3-amd64
hecho
SE Linux is activated. You may need to reboot now.

I rebooted my laptop at this point, as suggested.

$ sudo check-selinux-installation
Traceback (most recent call last):
  File "/usr/sbin/check-selinux-installation", line 33, in <module>
    results += test.test()
  File "/usr/share/selinux-basics/tests/24_fsckfix.py", line 24, in test
    raise IOError("/etc/default/rcS not found, is this Debian?")
OSError: /etc/default/rcS not found, is this Debian?

The reason for this error seems to be that Stretch uses systemd, so the init scripts are different and /etc/default/rcS no longer exists. A bug has already been reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860522.

However, we have another way of checking whether SELinux is installed and enabled:

$ sudo sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30

It is enabled and in permissive mode.

Now we can see what would have been blocked if SELinux were in enforcing mode:

$ audit2why -al

For me there are a lot of these would-be denials, like the following:

type=USER_AVC msg=audit(1499276433.108:36): pid=475 uid=108 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.1 spid=472 tpid=474 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? terminal=?'

Was caused by:

Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499276433.112:37): pid=475 uid=108 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.4 spid=474 tpid=472 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? terminal=?'

Was caused by:

Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

So SELinux is installed, and now we have to go through each alert to decide whether that access should really be blocked. If it should not, you can use audit2allow to create a new rule that allows it once SELinux is in enforcing mode.
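As an added example (not from the original post), a small POSIX shell helper that collapses AVC records like the ones above into one line per distinct source type, target type, class and permission, so that each kind of denial is reviewed once rather than once per log record before deciding whether it deserves an allow rule. The sample input is the two USER_AVC records from this post, embedded inline; the ausearch command in the comment is the real audit log query you would pipe through it on the machine.

```shell
#!/bin/sh
# Added example: collapse AVC denial records into distinct
# "source_type target_type tclass permission" tuples with a count,
# so each kind of denial is triaged once rather than per record.
# Works on both type=AVC and type=USER_AVC records, since both carry
# an "avc: denied { perm } ... scontext= tcontext= tclass=" message.

# Constructed sample input: the two USER_AVC records from this post.
sample_avc() {
cat <<'EOF'
type=USER_AVC msg=audit(1499276433.108:36): pid=475 uid=108 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.1 spid=472 tpid=474 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1499276433.112:37): pid=475 uid=108 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.4 spid=474 tpid=472 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? terminal=?'
EOF
}

# Reads audit records on stdin and prints, most frequent first:
#   <count> <source type> <target type> <tclass> <permission(s)>
# The type is the third field of a context (user:role:type:level).
summarize_avc() {
  grep -oE 'denied \{ [^}]+ [}].*scontext=[^ ]+ tcontext=[^ ]+ tclass=[^ ]+' |
  sed -E 's/^denied \{ ([^}]+) [}].*scontext=[^:]+:[^:]+:([^:]+):.*tcontext=[^:]+:[^:]+:([^:]+):.*tclass=([^ ]+)$/\2 \3 \4 \1/' |
  sort | uniq -c | sort -rn | sed -E 's/^ +//'
}

# Stand-alone usage: summarise the sample. On the real machine, pipe the
# audit log through it instead:
#   sudo ausearch -m avc,user_avc -ts today | summarize_avc
sample_avc | summarize_avc
```

The two records in the post collapse to two tuples: the D-Bus method call from modemmanager_t to systemd_logind_t and its return the other way, which is the pair you would decide about together.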