
Enable SELinux on Xen guest running Debian Wheezy

This post describes how to get SELinux running on a Xen guest (domU) that is running Debian Wheezy.

First, you need a guest that is booted by pvgrub and running a distro-supplied kernel, i.e. a regular (non-Xen) Linux image. All of that is covered in my previous post on booting unprivileged domains in Xen with pvgrub on Debian Wheezy. This is a required step.

Next we’ll follow Debian’s own SELinux set up, mostly.

You need to install some packages. I left out some of the dependencies that I didn't want, so I used --no-install-recommends.

apt-get --no-install-recommends install selinux-basics selinux-policy-default auditd audispd-plugins

In /etc/default/rcS, set:

FSCKFIX=yes

I ran selinux-activate, but it doesn't do what it is supposed to do, so the following steps have to be done by hand.

Add the kernel options that enable SELinux to /boot/grub/menu.lst. Mine looks like this:

kernel /vmlinuz root=/dev/xvda1 ro selinux=1 security=selinux

Fix PAM by adding the following line to /etc/pam.d/login:

session required pam_selinux.so multiple

Create /.autorelabel (touch /.autorelabel) so the whole filesystem is relabelled on the next boot.

Restart the guest. I use xm create -c /path/to/guest/config so I get the console and can watch the relabelling happen. After relabelling the system should reboot, but it doesn't: it shuts down and doesn't come back up, so I run xm create -c /path/to/guest/config again. Once I logged in to the guest I ran sestatus and got:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Max kernel policy version: 26
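As an added example (not part of the original post), here is a POSIX shell pre-reboot check for the manual steps above: it verifies that a single kernel line in menu.lst carries both selinux=1 and security=selinux, that pam_selinux.so is loaded by /etc/pam.d/login, that FSCKFIX=yes is set in /etc/default/rcS, and that /.autorelabel exists, and it extracts the current mode from saved sestatus output. The file paths are the ones named in the post; the function names, the constructed sample guest tree and the constructed sestatus text are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot checks for the manual
# SELinux setup on a Debian Wheezy Xen guest. Each check takes a path so it
# can run against the real files or against a mounted guest image, and
# returns 0 when the setting is present, 1 otherwise.

# One "kernel" line in menu.lst must carry both selinux=1 and security=selinux;
# without them the guest boots with SELinux disabled and no relabel happens.
check_kernel_opts() {
    grep -E '^[[:space:]]*kernel[[:space:]]' "$1" 2>/dev/null \
      | grep -E '(^|[[:space:]])selinux=1([[:space:]]|$)' \
      | grep -Eq '(^|[[:space:]])security=selinux([[:space:]]|$)'
}

# /etc/pam.d/login must load pam_selinux.so as a session module so that
# logged-in users get a proper security context.
check_pam_login() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_selinux\.so' "$1" 2>/dev/null
}

# FSCKFIX=yes keeps an fsck during the relabel reboot from dropping the
# unattended guest into a maintenance shell.
check_fsckfix() {
    grep -Eq '^[[:space:]]*FSCKFIX=yes' "$1" 2>/dev/null
}

# The relabel trigger file at the filesystem root ($1 = root directory).
check_autorelabel() {
    [ -e "$1/.autorelabel" ]
}

# Print one status line per check; return 1 if any check fails.
report() {
    name=$1; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; return 1; fi
}

# Run every check below a root directory ($1, empty = the running system).
selinux_preflight() {
    root=${1:-}
    rc=0
    report kernel_opts check_kernel_opts "$root/boot/grub/menu.lst" || rc=1
    report pam_login   check_pam_login   "$root/etc/pam.d/login"    || rc=1
    report fsckfix     check_fsckfix     "$root/etc/default/rcS"    || rc=1
    report autorelabel check_autorelabel "$root"                    || rc=1
    return $rc
}

# Extract "Current mode" from saved sestatus output ($1). "permissive" means
# denials are only logged by auditd, not blocked.
sestatus_mode() {
    sed -n 's/^Current mode:[[:space:]]*//p' "$1"
}

# Constructed sample guest tree (an assumption for this example, modelled on
# the lines quoted in the post); prints its path.
make_sample_guest() {
    d=$(mktemp -d)
    mkdir -p "$d/boot/grub" "$d/etc/pam.d" "$d/etc/default"
    printf 'title Debian\nroot (hd0,0)\nkernel /vmlinuz root=/dev/xvda1 ro selinux=1 security=selinux\ninitrd /initrd.img\n' \
        > "$d/boot/grub/menu.lst"
    printf 'auth required pam_unix.so\nsession required pam_selinux.so multiple\n' \
        > "$d/etc/pam.d/login"
    printf 'FSCKFIX=yes\n' > "$d/etc/default/rcS"
    : > "$d/.autorelabel"
    echo "$d"
}

# Demo against the constructed tree: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_guest)
    selinux_preflight "$d"
    rm -r "$d"
fi
```

On the guest itself, run selinux_preflight with no argument as root before restarting; from dom0 you can pass the mount point of the guest's root filesystem instead. The sestatus output in the post shows permissive mode, so after the relabel the audit log records what the policy would have denied without blocking anything, which is the information to review before switching the mode in /etc/selinux/config to enforcing.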

The main differences from Debian's own SELinux how-to are: 1) selinux-activate does not do what it is supposed to in Wheezy, and 2) the kernel options that enable SELinux have to be added to /boot/grub/menu.lst by hand.

Also, at some point I had to remove a file, but I can't find the information I used to justify that step. Here it is:

rm -i /etc/udev/rules.d/010-no-legacy-ptys.rules