Package: selinux-policy-default
Version: 2:2.20221101-9
Severity: important

Dear Maintainer,

I am fully aware that selinux is not really considered a first class citizen in Debian, especially in graphical desktop use cases. Never had any trouble with AppArmor and I've had moderate success with running selinux in servers. But I was a bit disappointed in what happened when I attempted to enable enforcing mode on a laptop with a pretty standard Debian 12 GNOME environment.

I simply did the following:

  sudo apt install --no-install-recommends selinux-basics \
      selinux-policy-default auditd
  sudo selinux-activate
  sudo reboot

(Decided to skip the recommended dependencies for this test, since they bring in over 600M of random python libraries etc. I assume the recommended or suggested packages are not essential for selinux operation?)

Everything went fine, files (on btrfs) got labelled, most system daemons were running on correct selinux domains, etc. However, ausearch -m avc reported over 900 policy violations.

I still decided to test what happens if I put selinux into enforcing mode (sudo setenforce 1). That caused the graphical session to crash immediately, replaced with a blinking cursor. Soon after, a screen appeared with a sad face and "Oh no! Something has gone wrong. A problem has occurred and the system can't recover. Please contact a system administrator."

I have not found many people's experiences on using selinux on desktop Debian, but I can't be the only one brave enough to try it? This problem should be pretty easy to reproduce on a fresh Debian installation.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-20-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.4-1+b6
ii  libsemanage2     3.4-1+b5
ii  libsepol2        3.4-2.1
ii  policycoreutils  3.4-1
ii  selinux-utils    3.4-1+b6

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  3.4-1+b2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
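
An added example, not part of the original report: one way to triage a large set of permissive-mode denials like the 900 reported by `ausearch -m avc` is to group them by source domain, target type and object class before switching to enforcing. The sample records and the type names in them are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the audit AVC record layout; not taken from the report.
SAMPLE = """\
----
time->Wed Apr 24 23:06:40 2024
type=AVC msg=audit(1714000000.101:201): avc:  denied  { read write } for  pid=1500 comm="gnome-shell" name="card0" dev="devtmpfs" ino=300 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1714000000.101:201): arch=c000003e syscall=257 success=yes exit=9 pid=1500 comm="gnome-shell"
type=AVC msg=audit(1714000000.205:202): avc:  denied  { ioctl } for  pid=1500 comm="gnome-shell" path="/dev/dri/card0" dev="devtmpfs" ino=300 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1714000001.310:203): avc:  denied  { search } for  pid=1510 comm="gdm-session-wor" name="user" dev="dm-0" ino=512 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1714000002.420:204): avc:  denied  { getattr } for  pid=700 comm="systemd-logind" path="/run/example" dev="tmpfs" ino=77 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def selinux_type(context):
    """Return the type field of user:role:type[:mls]; the MLS part may contain colons."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source domain, target type, class), most frequent first."""
    counts = Counter()
    perms = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # separators, time-> lines and non-AVC records
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["c"])
        counts[key] += 1
        perms[key].update(m["perms"].split())
    return [(key, n, sorted(perms[key])) for key, n in counts.most_common()]

def by_source_domain(text):
    """Total denials per source domain: which processes enforcing mode would hit hardest."""
    totals = Counter()
    for (src, _ttype, _tclass), n, _perms in summarize(text):
        totals[src] += n
    return totals.most_common()

if __name__ == "__main__":
    for (src, tgt, cls), n, p in summarize(SAMPLE):
        print(f"{n:4d}  {src} -> {tgt}:{cls} {{ {' '.join(p)} }}")
```

On a real system the input would be the text output of `ausearch -m avc` instead of `SAMPLE`.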