• Re: selinux on bookworm

    From George at Clug@21:1/5 to All on Fri May 17 10:10:01 2024
    Is AppArmor already installed and running?  It is on my system,
    maybe this would conflict with SELinux?

    # aa-status
    https://wiki.debian.org/AppArmor/HowToUse



    DISABLE APPARMOR

    AppArmor is a security mechanism and disabling it is not recommended.
    If you really need to disable AppArmor on your system:





    https://reintech.io/blog/securing-debian-12-with-selinux
    By default, Debian comes with AppArmor, another security module, so
    you may need to switch to SELinux manually. Here's how you can enable
    SELinux on your Debian 12 system:

        sudo apt-get update
        sudo apt-get install selinux-basics selinux-policy-default auditd


    George.





    On Friday, 17-05-2024 at 14:49 Antonio Russo wrote:


    Hello,

    I'm trying to get selinux working on a fresh, gui-free installation of
    bookworm.  I'm not trying to run any servers, nor use standard desktop
    utilities (yet).  I was hoping this setup would be simple enough that
    selinux would be simple to get going.

    I'm following [1], which is very straightforward.  The problem I'm
    getting is that it seems woefully incomplete.

    I cannot even login (com="agetty" is showing up in audit2why).  Now,
    obviously, I could follow the instructions and use audit2allow, and go
    down the rabbit hole for configuring policies.  But, really?  No one
    has fixed the login-at-the-console use case?  I'm sure I must be doing
    something wrong.  All I've really done is:

    apt-get install selinux-basics selinux-policy-default auditd
    selinux-activate

    (reboot)

    (set enforcing=1 in grub)
    update-grub
    touch /.autorelabel

    (reboot)

    And then I cannot log in.  Going back and unsetting enforcing=1 in grub,
    and I can use audit2why.  Does anyone who actually uses selinux have any
    hints?

    Best,
    Antonio

    [1] https://wiki.debian.org/SELinux/Setup


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tom Dial@21:1/5 to George at Clug on Sat May 18 00:30:01 2024
    On 5/17/24 02:02, George at Clug wrote:
    Is AppArmor already installed and running?  It is on my system, maybe this would conflict with SELinux?

    # aa-status
    https://wiki.debian.org/AppArmor/HowToUse


    Disable AppArmor

    AppArmor is a security mechanism and disabling it is not recommended. If you really need to disable AppArmor on your system:


    https://reintech.io/blog/securing-debian-12-with-selinux
    By default, Debian comes with AppArmor, another security module, so you may need to switch to SELinux manually. Here's how you can enable SELinux on your Debian 12 system:

        sudo apt-get update
        sudo apt-get install selinux-basics selinux-policy-default auditd

    George.


    On Friday, 17-05-2024 at 14:49 Antonio Russo wrote:

    Hello,

    I'm trying to get selinux working on a fresh, gui-free installation of
    bookworm.  I'm not trying to run any servers, nor use standard desktop
    utilities (yet).  I was hoping this setup would be simple enough that
    selinux would be simple to get going.

    I'm following [1], which is very straightforward.  The problem I'm
    getting is that it seems woefully incomplete.

    I cannot even login (com="agetty" is showing up in audit2why).  Now,
    obviously, I could follow the instructions and use audit2allow, and go
    down the rabbit hole for configuring policies.  But, really?  No one
    has fixed the login-at-the-console use case?  I'm sure I must be doing
    something wrong.  All I've really done is:

    apt-get install selinux-basics selinux-policy-default auditd
    selinux-activate

    (reboot)

    At this point, you should be running in permissive mode. And you should run either audit2why to identify conditions that may (as you have found) cause operational problems.

    (set enforcing=1 in grub)
    update-grub
    touch /.autorelabel

    Unless you made changes, relabeling should not be necessary here. The above is done by running selinux-activate without the argument "disable".

    (reboot)

    And then I cannot log in.  Going back and unsetting enforcing=1 in grub,
    and I can use audit2why.  Does anyone who actually uses selinux have any
    hints?

    Post in this thread the complete output of "audit2why --boot" - this will show all enforcement errors since the most recent boot. Without that information it is unlikely that anyone can offer detailed advice about fixing things.

    Using audit2allow will produce a corresponding file you can use to prepare a local module to permit those things that cause problems. It is a text file that is input to the module compiler, so you can remove items that you want to disallow before compiling and installing a corrective module. See the instructions in [1] at #7.



    Best,
    Antonio

    [1] https://wiki.debian.org/SELinux/Setup


    It probably is a good idea to disable apparmor if you're going to use SELinux. The kernel interface is supposed to be compatible with either or both security modules, but only one really should be necessary and, without intending to spawn a flame war, I will put forward my opinion that the SELinux security model is superior to that of AppArmor. The latter has the advantage of being the distribution default, but I have not found SELinux especially hard to administer on a stable Debian system, apart from the fact that it comes with a learning curve.

    Regards,
    Tom Dial

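The review-then-build workflow described in the reply above, as an added example that is not part of the thread: `summarize_denials` groups AVC denials by process so you can decide which ones to permit, and `build_local_module` shows the manual module build with `audit2allow`, `checkmodule`, `semodule_package` and `semodule`. The audit records, the function names and the module name `local` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not output from the thread).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1715900001.101:41): avc:  denied  { read write } for  pid=612 comm="agetty" name="tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1715900001.105:42): avc:  denied  { read write } for  pid=613 comm="agetty" name="tty2" dev="devtmpfs" ino=21 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1715900002.300:57): avc:  denied  { getattr } for  pid=701 comm="cron" path="/etc/crontab" dev="sda1" ino=1234 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1715900002.300:57): arch=c000003e syscall=262 success=yes exit=0 comm="cron" exe="/usr/sbin/cron"'

# Summarise AVC denials as "count comm source_type target_type:class { perms }".
# $1 is an optional comm to filter on; audit records are read from stdin.
summarize_denials() {
    awk -v want="$1" '
    /avc: +denied/ {
        comm = src = tgt = cls = ""
        perms = $0    # permissions are the text between "{" and "}"
        sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        if (want != "" && comm != want) next
        print comm, src, tgt ":" cls, "{ " perms " }"
    }' | sort | uniq -c | sed 's/^ *//'
}

# Manual module build: generate, review and edit, compile, package, install.
# Needs root on a real SELinux host; defined here but not invoked.
build_local_module() {
    name=${1:-local}                        # hypothetical module name
    audit2allow -b -m "$name" > "$name.te"  # rules for denials since last boot
    ${EDITOR:-vi} "$name.te"                # delete any allow rule you do not want
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
}

# Stand-alone run on the constructed sample: denials raised by agetty only.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_denials agetty
```

On a real system, feed the function from the audit log while still in permissive mode, for example `ausearch -m avc -ts boot | summarize_denials agetty`.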