George at Clug
2024-05-17 08:10:01 UTC
Is AppArmor already installed and running? It is on my system,
maybe this would conflict with SeLinux?
# aa-status
https://wiki.debian.org/AppArmor/HowToUse
DISABLE APPARMOR
AppArmor is a security mechanism and disabling it is not recommended.
If you really need to disable AppArmor on your system:
https://reintech.io/blog/securing-debian-12-with-selinux
By default, Debian comes with AppArmor, another security module, so
you may need to switch to SELinux manually. Here's how you can enable
SELinux on your Debian 12 system: sudo apt-get update sudo apt-get
install selinux-basics selinux-policy-default auditd
George.
On Friday, 17-05-2024 at 14:49 Antonio Russo wrote:
Hello,
I'm trying to get selinux working on a fresh, gui-free installation of
bookworm.  I'm not trying to run any servers, nor use standard
desktop
utilities (yet).  I was hoping this setup would be simple enough
that
selinux would be simple to get going.
I'm following [1], which is very straightforward.  The problem I'm
getting is that it seems woefully incomplete.
I cannot even login (com="agetty" is showing up in audit2why).  Now,
obviously, I could follow the instructions and use audit2allow, and go
down the rabbit hole for configuring policies.  But, really?  No
one
has fixed the login-at-the-console use case?  I'm sure I must be
doing
something wrong.  All I've really done is:
apt-get install selinux-basics selinux-policy-default auditd
selinux-activate
(reboot)
(set enforcing=1 in grub)
update-grub
touch /.autorelabel
(reboot)
And then I cannot log in.  Going back and unsetting enforcing=1 in
grub,
and I can use audit2why.  Does anyone who actually uses selinux have
any
hints?
Best,
Antonio
[1] https://wiki.debian.org/SELinux/Setup
maybe this would conflict with SeLinux?
# aa-status
https://wiki.debian.org/AppArmor/HowToUse
DISABLE APPARMOR
AppArmor is a security mechanism and disabling it is not recommended.
If you really need to disable AppArmor on your system:
https://reintech.io/blog/securing-debian-12-with-selinux
By default, Debian comes with AppArmor, another security module, so
you may need to switch to SELinux manually. Here's how you can enable
SELinux on your Debian 12 system: sudo apt-get update sudo apt-get
install selinux-basics selinux-policy-default auditd
George.
On Friday, 17-05-2024 at 14:49 Antonio Russo wrote:
Hello,
I'm trying to get selinux working on a fresh, gui-free installation of
bookworm.  I'm not trying to run any servers, nor use standard
desktop
utilities (yet).  I was hoping this setup would be simple enough
that
selinux would be simple to get going.
I'm following [1], which is very straightforward.  The problem I'm
getting is that it seems woefully incomplete.
I cannot even login (com="agetty" is showing up in audit2why).  Now,
obviously, I could follow the instructions and use audit2allow, and go
down the rabbit hole for configuring policies.  But, really?  No
one
has fixed the login-at-the-console use case?  I'm sure I must be
doing
something wrong.  All I've really done is:
apt-get install selinux-basics selinux-policy-default auditd
selinux-activate
(reboot)
(set enforcing=1 in grub)
update-grub
touch /.autorelabel
(reboot)
And then I cannot log in.  Going back and unsetting enforcing=1 in
grub,
and I can use audit2why.  Does anyone who actually uses selinux have
any
hints?
Best,
Antonio
[1] https://wiki.debian.org/SELinux/Setup