Installing SELinux on Debian 10
Updated by Linode Contributed by Linode
Ubuntu has a Mandatory Access Control (MAC) system similar to SELinux, named AppArmor. Both SELinux and AppArmor provide a set of tools to isolate applications from each other to protect the host system from being compromised. AppArmor offers Ubuntu users mandatory access control options, without the perceived difficulty or learning curve that SELinux may have. However, if you are switching to Debian 10, are already familiar with SELinux, and would like to use it to enforce security on your system, you can install it by following the steps in this guide.
Before You Begin
NoteThis guide is written for a non-root user. Commands that require elevated privileges are prefixed with
sudo. If you’re not familiar with the
sudocommand, you can check our Users and Groups guide.
Update your system:
sudo apt update
NoteThe Linode kernel does not support SELinux by default. If your system is running a Linode kernel, you will need to change to an upstream kernel in order to use SELinux. See the How to Change Your Linode’s Kernel for more steps. Once you’re kernel is set to the upstream kernel, continue on with the steps in this guide.
Stop AppArmor using systemctl:
sudo systemctl stop apparmor
Purge AppArmor from the system.
Do not purge AppArmor if you believe you may reuse it in the future. If you would like to preserve your AppArmor configuration files, use the
sudo apt remove apparmor
sudo apt purge apparmor
NoteIf after issuing the `purge command you receive warnings about remaining AppArmor files or directories. You can remove them manually, if desired. This step is not necessary to get a working SELinux installation.
Update your system:
sudo apt update && sudo apt upgrade -yuf
Reboot your Linode
Install the SELinux package along with supporting packages to help you manage your installation.
sudo apt-get install selinux-basics selinux-policy-default auditd
Activate your SELinux installation:
Your output should resemble the following:
Activating SE Linux Generating grub configuration file ... Found linux image: /boot/vmlinuz-4.19.0-8-amd64 Found initrd image: /boot/initrd.img-4.19.0-8-amd64 done SE Linux is activated. You may need to reboot now.
Reboot your Linode for the installation to complete:
NoteAfter rebooting your system, SELinux should be enabled, but in permissive mode. Permissive mode means any actions that would have been disallowed are allowed, but logged in your system’s audit log located in the
Log back into your Linode via SSH. Replace
192.0.2.0with your own Linode’s IP address.
Verify the status of your SELinux installation:
You should see a similar output:
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: default Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: requested (insecure) Max kernel policy version: 31
To put SELinux into enforcing mode, use the
setenforcecommand. When in enforcing mode, any actions not permitted by your system’s are blocked and the corresponding event is logged in the audit log.
sudo setenforce 1
enforcingmode after reboot, modify the SELinux configuration file in
/etc/selinux/configfrom the default
1 2 3 4 5 6 7
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing
If you have set SELinux to enforcing mode, ensure that your SSH port has access before logging out of your session.
sudo semanage port -l | grep 'ssh'
You should see a similar output if TCP is allowed on port 22.
ssh_port_t tcp 22
If you do not see the this entry, open the port with the following command:
sudo semanage port -a -t ssh_port_t -p tcp 22
After installing SELinux on your system, use our Getting Started with SELinux Guide to learn the basics of SELinux security.
Join our Community
This guide is published under a CC BY-ND 4.0 license.