LINUXMAKER, OpenSource, Tutorials

Install and enable SELinux on Debian 9

With the release of Debian 9.0 under the code name "Stretch" also the support of SELinux is guaranteed. However, after installing Debian 9.0, SELInux is not yet installed by default. This can be done with the following steps.

aptitude -y install selinux-basics selinux-policy-default auditd attr

For SELinux to be enabled with every boot process, the configuration of the Grub bootloader is necessary. For this the program "selinux-activate" exists. This command will create the file "/.autorelabel", which instructs the system to create a complete file system SELinux Reload the next time it boots.

# selinux-activate
Activating SE Linux
Generating grub configuration file …
Found linux image: /boot/vmlinuz-4.9.0-4-amd64
Found initrd image: /boot/initrd.img-4.9.0-4-amd64
done
SE Linux is activated. You may need to reboot now.

# reboot

Please wait a few minutes for the relable event to occur. Then you can log into your system and check if SELinux is enabled.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

As you can see, SELinux is enabled in permissive mode, in this mode you can use SELinux as you wish, but it does not block anything, it only logs its activity so that you can test it without damaging your system or any block activities.