SE Linux in Debian

I have now got a Debian Xen domU running the strict SE Linux policy that can boot in enforcing mode. I expect that tomorrow I will have it working with full functionality and that I will be able to run another SE Linux Play Machine in the near future.

After getting the strict policy working I want to build a Debian kernel with CONFIG_AUDITSYSCALL and an audit package so that I can audit system calls that an application makes and also so that the auditd can collect the SE Linux log messages. Other people have talked about packaging audit for Debian; hopefully one of them will do it first and save me the effort, but it shouldn’t be too difficult to do if they don’t.

Then I need to investigate some options for training people about SE Linux. As I don’t currently have the bandwidth for serving large files I’m thinking of basing some SE Linux training on Xen images from the repository. My rough plan at the moment is to have people download Xen images, run through them while consulting a web page, and ask questions on an IRC channel. I’m not sure what the demand will be for this, but some web pages teaching people about SE Linux will be a useful resource even if the IRC-based training doesn’t work out.

Another thing I want to do is to get PolyInstantiated Directories working in Debian. The module needed for this is written for a more recent version of PAM, so I might just work on merging the Debian patches with the latest upstream PAM instead of back-porting the module to the ancient Debian PAM.

8 comments to SE Linux in Debian

  • You may wish to look at the model the Undernet User Committee uses on IRC to teach new users of that IRC network how IRC and Undernet services work. has the information including the texts they use in their beginner/advanced classes.

  • Argui

    You’re the packager of SE Linux for Debian?

  • Can you post a blog about your SELinux integration work into Debian? How about when we can expect to see an enforcing targeted policy in Debian and what work needs to be done to achieve this?

    Thanks for the hard work

  • etbe

    The undernet idea is very interesting. I’m not sure that we have resources to run regular SE Linux courses. Maybe once a month.

    I did all the early work on SE Linux in Debian, then my work on Debian decreased while employed by Red Hat and Manoj took over most of it. Now I’m getting back into it but Manoj still owns the packages.

    I will continue to blog here about SE Linux Debian stuff. Targeted policy in Debian works quite well at the moment; I have a number of servers running Etch in enforcing mode with targeted policy and no configuration changes were needed.

  • I have been working with and developing programs for Linux for years. Just started learning SELinux. Trying to use it on Ubuntu Hardy Heron. I have the newrole problem with shadow passwd, that you replied to on the psa mailing list. What should be the permissions and setuid on newrole?

  • I did a chmod +s newrole and that seems to fix the problem.

    Thanks for your previous submission.

  • etbe

    Clare: In what situation do you need newrole to be setuid?

    Firstly in a Debian-based system setgid shadow is marginally better than setuid root.

    Next if you are running newrole within the same UID then in most cases it should never need setuid/setgid access. There is some slight difference in its functionality in different releases though.