This post describes how to get SELinux running on a Xen guest (domU) that is running Debian Wheezy.
First, you need a guest that is booted by pvgrub and running a distro-supplied kernel, i.e., a regular (non-Xen) Linux image. All of that is covered in my previous post on booting unprivileged domains in Xen with pvgrub on Debian Wheezy. This is a required step.
Next we’ll follow Debian’s own SELinux set up, mostly.
You need to install some packages. I didn't want some of the extra packages that get pulled in as recommends, so I used --no-install-recommends:
apt-get --no-install-recommends install selinux-basics selinux-policy-default auditd audispd-plugins
In /etc/default/rcS, set
FSCKFIX=yes
I ran selinux-activate, but it doesn't do what it is supposed to do, so you have to make the following changes by hand.
Add the kernel options that enable SELinux to /boot/grub/menu.lst; mine looks like this:
kernel /vmlinuz root=/dev/xvda1 ro selinux=1 security=selinux
Fix PAM by adding this line to /etc/pam.d/login:
session required pam_selinux.so multiple
Touch /.autorelabel
Restart the guest. I use xm create -c /path/to/guest/config so I get the console and can watch for relabelling to occur. After relabelling the system should reboot, but it doesn’t. It shuts down and doesn’t come back up. So I xm create -c /path/to/guest/config again. Once I logged in to the guest I ran sestatus and got
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Max kernel policy version: 26
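As an added example (not part of the original post), the steps above, collected into a small POSIX shell script. Each helper takes the file it edits as an argument so the edits can be tried on copies first, and each is idempotent, so running the script twice does not duplicate lines in menu.lst or /etc/pam.d/login. The `selinux_mode_from_status` helper reads `sestatus` output and fails if SELinux is not enabled, which is the check to run after the second boot. The function names, the `apply` argument and the constructed sample files are mine; the commands, paths and values come from the post. `sed -i` is GNU sed syntax, which is what Debian ships.

```shell
#!/bin/sh
# Added example: helpers for enabling SELinux on a Debian Wheezy Xen domU.
# Function names and the "apply" switch are this example's own; paths and
# values are the ones given in the post.
set -e

# Ensure FSCKFIX=yes in /etc/default/rcS so fsck repairs the filesystem
# unattended before the relabel. Replaces an existing line or appends one.
set_fsckfix() {
    f="$1"
    if grep -q '^FSCKFIX=' "$f"; then
        sed -i 's/^FSCKFIX=.*/FSCKFIX=yes/' "$f"
    else
        printf 'FSCKFIX=yes\n' >> "$f"
    fi
}

# Append "selinux=1 security=selinux" to every pvgrub kernel line in
# menu.lst that does not already carry selinux=1.
add_selinux_kernel_opts() {
    f="$1"
    sed -i -e '/^[[:space:]]*kernel /{' \
           -e '/selinux=1/!s/$/ selinux=1 security=selinux/' \
           -e '}' "$f"
}

# Add the pam_selinux session line to /etc/pam.d/login exactly once.
add_pam_selinux() {
    f="$1"
    line='session required pam_selinux.so multiple'
    grep -qF 'pam_selinux.so' "$f" || printf '%s\n' "$line" >> "$f"
}

# Read sestatus output on stdin. Prints the current mode and returns 0
# when SELinux is enabled; prints "disabled" and returns 1 otherwise.
selinux_mode_from_status() {
    awk -F': *' '
        /^SELinux status/ { s = $2 }
        /^Current mode/   { m = $2 }
        END {
            if (s == "enabled") { print m; exit 0 }
            print "disabled"; exit 1
        }'
}

# The real steps, in the order the post gives them. Must run as root.
main() {
    apt-get --no-install-recommends install \
        selinux-basics selinux-policy-default auditd audispd-plugins
    set_fsckfix /etc/default/rcS
    add_selinux_kernel_opts /boot/grub/menu.lst
    add_pam_selinux /etc/pam.d/login
    touch /.autorelabel
    echo "Now reboot the guest (xm create -c <config>); after the relabel,"
    echo "start it again and verify with: sestatus | sh $0 check"
}

# "apply" performs the changes; "check" validates sestatus output on stdin.
case "${1:-}" in
    apply) main ;;
    check) selinux_mode_from_status ;;
esac
```

Running `sh enable-selinux.sh apply` makes the edits and touches /.autorelabel; after the reboot-and-restart dance described above, `sestatus | sh enable-selinux.sh check` prints `permissive` (or `enforcing`) and exits 0 only when the `SELinux status` line reads `enabled`.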
The main issues with Debian's own SELinux how-to are: 1) selinux-activate does not do what it is supposed to in Wheezy; 2) we add the kernel options that enable SELinux to /boot/grub/menu.lst ourselves.
Also, at some point I had to remove a file, but I can't find the information I used to justify that step. Here it is:
rm -i /etc/udev/rules.d/010-no-legacy-ptys.rules