[DSE-User] SELinux on Wheezy

Arno Schuring aelschuring at hotmail.com
Tue Feb 7 23:34:13 UTC 2012


Hi all,

(posting to this list feels a bit like screaming into the void, but
let's hope there's at least a faint echo somewhere :)

Over the past few weeks I have been trying to get SELinux in a workable
state for me. That endeavour started out as wanting to try selinux on
Squeeze, but after determining that making it work would be nontrivial,
I decided to focus on the policy in testing instead.

Now that I have a more-or-less working machine*, I think it's time to
share my modifications. Primarily as a guide to others, but also to
discuss the modifications and where they belong (e.g. program error,
local policy, Debian policy or upstream).

I did have to modify more than just the policy, but so far my
modifications have dealt mostly with init scripts. Most of these have
been submitted in the bts as wishlist items, not sure if selinux
warrants a higher severity level.

I intend to send one message per module. Even though most modules don't
change more than a few lines and I changed about 15 modules, sending
multiple messages makes them easier to locate in the archive.


Finally, some random observations:
- newer kernels want security=selinux, not selinux=1
- sudo is now selinux-aware (as of 1.8.3p2 iirc)
- the initscripts touch .ramfs on every tmpfs mount. I've allowed it
  locally but I'm not convinced this is necessary
- /usr/sbin/service could be made selinux-aware, and automatically use
  run_init if required. I have it patched locally, but unsure of its
  general applicability because run_init errors out if selinux is
  disabled, and my solution of grepping sestatus' output is ugly


Regards,
Arno


* more-or-less: dspam, exim and dovecot still run in permissive mode.
  Dspam policy lifted from Fedora 16, exim can probably be confined as
  soon as the exim->dspam domain transition is solved; dovecot has
  proven elusive so far.
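As an added illustration of the /usr/sbin/service point above (this is not the author's patch, and not Debian's service script): a POSIX sh helper that decides whether to prefix an init script invocation with run_init by testing for a mounted selinuxfs, rather than grepping sestatus output. It assumes the SELinux filesystem exposes an "enforce" file, at /sys/fs/selinux on newer kernels or /selinux on older ones; the directory list can be passed explicitly so the logic can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example: pick run_init only when SELinux is actually enabled,
# since run_init fails outright on a system with SELinux disabled.

# Usage: selinux_root [DIR...]
# Prints the first directory that looks like a mounted selinuxfs (it has
# a readable "enforce" file). Without arguments it tries the modern mount
# point and then the legacy one. Returns 1 if none is found (= disabled).
selinux_root() {
    [ $# -gt 0 ] || set -- /sys/fs/selinux /selinux
    for dir in "$@"; do
        if [ -r "$dir/enforce" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Usage: selinux_mode [DIR...]
# Prints "disabled", "permissive" or "enforcing"; "enforce" holds 1 when
# the kernel is enforcing and 0 when it is permissive.
selinux_mode() {
    root=$(selinux_root "$@") || { printf 'disabled\n'; return 0; }
    case $(cat "$root/enforce") in
        1) printf 'enforcing\n' ;;
        *) printf 'permissive\n' ;;
    esac
}

# Usage: init_prefix [DIR...]
# Prints "run_init" when SELinux is enabled and nothing otherwise.
init_prefix() {
    if selinux_root "$@" >/dev/null; then
        printf 'run_init\n'
    fi
}

# Usage: service_command SERVICE ACTION [DIR...]
# Prints the command line a service(8)-style wrapper should execute,
# e.g. "run_init /etc/init.d/dovecot restart" or, with SELinux disabled,
# plain "/etc/init.d/dovecot restart". The caller can eval or exec it.
service_command() {
    svc=$1; action=$2; shift 2
    prefix=$(init_prefix "$@")
    printf '%s%s %s\n' "${prefix:+$prefix }" "/etc/init.d/$svc" "$action"
}
```

The same check can be done with selinuxenabled(8) from libselinux when it is installed; the file test above only avoids depending on that binary inside the service wrapper.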
