How to enable SELinux on Debian “Stretch” 9

Russel Coker announced it on february, and three days ago it really happen: GNU/Linux Debian version 9.0 codename “Stretch” is out and it supports SELinux!

When you install Debian 9.0, SELinux will not be installed by default, to install and enable it you can follow some simple steps:

Login with root privileges on your debian host, then install the selinux basic utilities and auditd (it’s useful to debug SELinux violations):

# apt-get install selinux-basic auditd

Now you need to modify grub’s configuration to enable selinux on every boot

# selinux-activate

Activating SE Linux
Generating grub configuration file …
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
SE Linux is activated. You may need to reboot now.

This command will create the “/.autorelabel” file, that will instruct the system do to a full selinux relabel of the filesystem, at the next boot.

Now you can reboot the system:

# reboot

Please wait some minutes to make the relable happen, then you can login on your system and check that SELinux is enabled

# sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30

As you can read, SELinux is enabled in permissive mode, with that mode you can use SELinux as you wish but it will not block anything, it will only log its activity so you can test it without damage your system or block any activity.

Please note that, at time that i’m writing this article, selinux on debian will log a lot of deny, even with the default configuration and without any particular user activity, so actually i advise you to enable selinux on debian only for testing and in permissive mode.

I will write other posts about SELinux usage, advices ecc.