On 5/17/24 02:02, George at Clug wrote:
Is AppArmor already installed and running?  It is on my system, maybe this 
would conflict with SELinux?

# aa-status
https://wiki.debian.org/AppArmor/HowToUse


      Disable AppArmor

AppArmor is a security mechanism and disabling it is not recommended. If you 
really need to disable AppArmor on your system:


https://reintech.io/blog/securing-debian-12-with-selinux
By default, Debian comes with AppArmor, another security module, so you may 
need to switch to SELinux manually. Here's how you can enable SELinux on your 
Debian 12 system:

sudo apt-get update
sudo apt-get install selinux-basics selinux-policy-default auditd

George.


On Friday, 17-05-2024 at 14:49 Antonio Russo wrote:

    Hello,

    I'm trying to get selinux working on a fresh, gui-free installation of
    bookworm.  I'm not trying to run any servers, nor use standard desktop
    utilities (yet).  I was hoping this setup would be simple enough that
    selinux would be simple to get going.

    I'm following [1], which is very straightforward.  The problem I'm
    getting is that it seems woefully incomplete.

    I cannot even login (com="agetty" is showing up in audit2why).  Now,
    obviously, I could follow the instructions and use audit2allow, and go
    down the rabbit hole for configuring policies.  But, really?  No one
    has fixed the login-at-the-console use case?  I'm sure I must be doing
    something wrong.  All I've really done is:

    apt-get install selinux-basics selinux-policy-default auditd
    selinux-activate

    (reboot)

At this point, you should be running in permissive mode. And you should run 
audit2why to identify conditions that may (as you have found) cause 
operational problems.

    (set enforcing=1 in grub)
    update-grub
    touch /.autorelabel

Unless you made changes, relabeling should not be necessary here. The above is done by 
running selinux-activate without the argument "disable".

    (reboot)

    And then I cannot log in.  Going back and unsetting enforcing=1 in grub,
    and I can use audit2why.  Does anyone who actually uses selinux have any
    hints?

Post in this thread the complete output of "audit2why --boot" - this will show 
all enforcement errors since the most recent boot. Without that information it is 
unlikely that anyone can offer detailed advice about fixing things.

Using audit2allow will produce a corresponding file you can use to prepare a 
local module to permit those things that cause problems. It is a text file that 
is input to the module compiler, so you can remove items that you want to 
disallow before compiling and installing a corrective module. See the 
instructions in [1] at #7.



    Best,
    Antonio

    [1] https://wiki.debian.org/SELinux/Setup 


It probably is a good idea to disable AppArmor if you're going to use SELinux. 
The kernel interface is supposed to be compatible with either or both security 
modules, but only one really should be necessary and, without intending to 
spawn a flame war, I will put forward my opinion that the SELinux security 
model is superior to that of AppArmor. The latter has the advantage of being 
the distribution default, but I have not found SELinux especially hard to 
administer on a stable Debian system, apart from the fact that it comes with a 
learning curve.

Regards,
Tom Dial
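
The review-then-build workflow Tom describes (generate the text file with audit2allow, remove what should stay denied, then compile and install), as an added example that is not part of the original thread. The module name `local`, the function names, and the type names in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build a local SELinux module from this boot's denials,
# with a manual review step in between. Run while in permissive mode.

# Step 1: write candidate rules for every denial since the last boot
# into <name>.te (plain text, input to the module compiler).
generate_te() {                      # $1 = module name, e.g. "local"
    audit2allow --boot -m "$1" > "$1.te"
}

# Step 2: list the rules so each one can be read before it is accepted.
list_rules() {                       # $1 = .te file
    grep -n '^allow ' "$1"
}

# Step 3: drop every allow rule whose source type should stay denied.
# $1 = .te file, remaining args = source types (e.g. a hypothetical
# "local_login_t"). Unused entries left in the require block are harmless.
prune_te() {
    te=$1; shift
    [ -f "$te" ] || return 1
    for t in "$@"; do
        # audit2allow writes one rule per line: "allow <source_type> ...;"
        grep -v "^allow $t " "$te" > "$te.tmp" || true
        mv "$te.tmp" "$te"
    done
}

# Step 4: compile, package and load the reviewed module (needs root).
build_and_install() {                # $1 = module name
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Typical sequence, typed by hand so the review is not skipped:
#   generate_te local
#   list_rules local.te
#   prune_te local.te some_type_t     # or edit local.te directly
#   build_and_install local
```

After loading the module, reboot in permissive mode once more and confirm that `audit2why --boot` no longer reports the denials you chose to allow before setting enforcing=1.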
