Re: selinux on bookworm

[George at Clug <Clug@goproject.info>]

Is AppArmor already installed and running?  It is on my system, maybe this would conflict with SeLinux?

# aa-status

https://wiki.debian.org/AppArmor/HowToUse

Disable AppArmor

AppArmor is a security mechanism and disabling it is not recommended. If you really need to disable AppArmor on your system:

https://reintech.io/blog/securing-debian-12-with-selinux

By default, Debian comes with AppArmor, another security module, so you may need to switch to SELinux manually. Here's how you can enable SELinux on your Debian 12 system:

sudo apt-get update
sudo apt-get install selinux-basics selinux-policy-default auditd

George.

On Friday, 17-05-2024 at 14:49 Antonio Russo wrote:
> Hello,
>
> I'm trying to get selinux working on a fresh, gui-free installation of
> bookworm.  I'm not trying to run any servers, nor use standard desktop
> utilities (yet).  I was hoping this setup would be simple enough that
> selinux would be simple to get going.
>
> I'm following [1], which is very straightforward.  The problem I'm
> getting is that it seems woefully incomplete.
>
> I cannot even login (com="agetty" is showing up in audit2why).  Now,
> obviously, I could follow the instructions and use audit2allow, and go
> down the rabbit hole for configuring policies.  But, really?  No one
> has fixed the login-at-the-console use case?  I'm sure I must be doing
> something wrong.  All I've really done is:
>
> apt-get install selinux-basics selinux-policy-default auditd
> selinux-activate
>
> (reboot)
>
> (set enforcing=1 in grub)
> update-grub
> touch /.autorelabel
>
> (reboot)
>
> And then I cannot log in.  Going back and unsetting enforcing=1 in grub,
> and I can use audit2why.  Does anyone who actually uses selinux have any 
> hints?
>
> Best,
> Antonio
>
> [1] https://wiki.debian.org/SELinux/Setup