SELinux is kind of cool. I really like the concept.

What is annoying about SELinux is the complexity.

There are so many fine-grained rules to be written that it takes ages to set up on a fairly complex system. There is a good repository of pre-written rules available, but you still need to add a lot.

Unfortunately I cannot subscribe to the SELinux mailing list; the mail server just refuses to talk to me.

If you intend to install SELinux: it’s broken on sid currently. Russell said you’ll need the latest patches for 2.6 (I guess to support port restrictions), which will bump you to policy version 18.

Right now, the corresponding libselinux1 has not yet hit my mirror, but the latest init from Russell’s pool has. Therefore the box I just prepared doesn’t yet boot with SELinux.

I promised to publish a couple of notes on setting up SELinux on Debian; here is the first set of them:

  • For any system user (above uid 100; below that is okay; usually these are accounts like clamav and amavis), change the shell to /bin/false.
  • /etc/cron.daily/standard tries to back up files like “shadow”, but it doesn’t have the appropriate rights. I just commented out (#) the backup lines.
  • In postfix, disable all chroots. SELinux is better than normal chroots, and it is a lot easier to set up without them.
  • Remove /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]; use pts instead.
  • If mount lists “unknown” as the filesystem type for /, “make relabel” won’t relabel it. You need to modify the Makefile (add a / before the big shell substitution).
  • While running in permissive mode for testing, do not forget “newrole -r sysadm_r”, and do use se_dpkg and se_apt-get!
  • /etc/init.d/checkroot.sh and /etc/init.d/mountvirtfs try to “touch” your filesystem. Make that a “true touch”.
  • /etc/cron.daily/find updates your locatedb, but findutils is an essential package; I suggest putting “exit 0” in that script.
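The first note above asks for every system user to get /bin/false as its shell. The following script is an added example (not from the original post) that audits a passwd-format file and lists the system accounts that still have a real login shell, so you can see what is left to change before enabling SELinux. It assumes Debian’s uid convention that system accounts live in the range 100 to 999 (the post only says “above uid 100”) and treats /bin/false, /usr/sbin/nologin and /sbin/nologin as “no shell”; both the function name and the sample passwd lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Lists accounts in the system-user uid range that still have a login shell.
#
# Assumptions (not stated on the page):
#   - system accounts are uid 100..999 (Debian adduser convention)
#   - /bin/false, /usr/sbin/nologin and /sbin/nologin count as "no shell"

# Print "name:uid:shell" for every system user whose shell is a login shell.
# $1 = path to a passwd-format file (defaults to /etc/passwd).
system_users_with_shell() {
    awk -F: '
        $3 > 100 && $3 < 1000 &&
        $7 != "/bin/false" && $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" {
            print $1 ":" $3 ":" $7
        }' "${1:-/etc/passwd}"
}

# Write a constructed sample passwd file and print its path, so the audit
# can be exercised offline without touching the real /etc/passwd.
make_sample_passwd() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
clamav:x:101:102::/var/lib/clamav:/bin/sh
amavis:x:102:103::/var/lib/amavis:/bin/false
postfix:x:103:104::/var/spool/postfix:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    printf '%s\n' "$f"
}

# Demo run on the constructed sample: reports clamav and postfix only.
# root/daemon are below the range, alice is a regular user, amavis and sshd
# already have a non-login shell.
sample=$(make_sample_passwd)
system_users_with_shell "$sample"
rm -f "$sample"
```

Run it without an argument to audit the live /etc/passwd; each account it reports can then be fixed with `usermod -s /bin/false <name>`, which is the change the first note asks for.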