Currently, I use an Apparmor-enabled kernel (along with the associated tools), but am seriously considering cloning $USER to enable running some experiments with SELinux. Basically, when booting into the Apparmor-enabled kernel I would log into $USER-1 and for the SELinux-enabled kernel I would log into $USER-2. However, the Wiki isn't too clear about the compatibility of the required SELinux-enabled packages when used in an environment other than SELinux.
In particular, can the following packages be replaced with their SELinux equivalents without compromising the Apparmor environment?
coreutils
cronie
dbus
findutils
iproute2
logrotate
openssh
pam
pambase
psmisc
shadow
sudo
systemd
util-linux
Thanks for your thoughts,
Irvine
Last edited by IrvineHimself (2018-05-02 17:19:34)
Et voilà, elle arrive. La pièce, le sous, peut-être qu'il arrive avec vous!
If SELinux isn't enabled in a particular boot, then installing SELinux-aware packages doesn't change system behavior.
Thanks for the confirmation. I’ve been running a few small tests of individual packages, and had more or less come to that conclusion. In particular, I noted that the apparmor-pam library allows replacing pam with pam-selinux.
Today, I was intending the potentially fatal compatibility tests for the SELinux enabled versions of shadow and pam, but, in view of your post, I think I will proceed directly to a full install of the SELinux environment.
For reference:
1) Because I think it will simplify maintenance, I prefer to use the AUR’s PKGBUILDs rather than Git’s, and have written a small bash script comparable to build_and_install_all.sh to carry out the required installation. All I need now is several free hours…
2) After further research, I don’t think I actually need two separate $USER’s. I am fairly sure my current setup, particularly firejail-apparmor, will work in the SELinux environment. If this is the case, possibly with some minor tweaks, I will soon be able to start exploring SELinux awareness, Firejail, and the selinux-sandbox.
Once again, thanks for your input.
Irvine
Mods please note: I'm not going to mark this as solved until I confirm (with a fully SELinux-aware installation) that there are no conflicts with Apparmor.
Irvine
Last edited by IrvineHimself (2018-04-30 05:37:47)
Mod note: Moving thread to "Networking, Server, and Protection".
Okay, I'm marking this as solved. Despite a number of issues which, once I have done some "due diligence", I may raise in separate threads, I have what appears to be a working SELinux environment which is not causing any problems with the alternative Apparmor environment.
[stupidme@mine ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: refpolicy-arch
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 31
[stupidme@mine ~]$
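For a machine that boots into either environment as described in this thread, the following added example (not code from any poster) reports which MAC framework is active for a given boot by combining the kernel's LSM list with `sestatus` output. The function names and the sample LSM strings are constructed for illustration, and the sample `sestatus` text is abridged from the output posted above; on a live system it assumes securityfs is mounted so that /sys/kernel/security/lsm is readable.

```sh
#!/bin/sh
# Added example: classify the current boot as AppArmor, SELinux, or neither.

# Print the value of one sestatus field ("SELinux status", "Current mode", ...).
# $1 = field name, stdin = sestatus output
sestatus_field() {
    awk -F: -v key="$1" '
        $1 == key {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2)
            print $2; exit
        }'
}

# $1 = contents of /sys/kernel/security/lsm (comma-separated list)
# $2 = sestatus output (may be empty when the tool is absent)
# Prints "selinux:<mode>", "apparmor" or "none".
classify_boot() (
    lsm=",$1,"
    status=$(printf '%s\n' "$2" | sestatus_field "SELinux status")
    mode=$(printf '%s\n' "$2" | sestatus_field "Current mode")
    case "$lsm" in
        *,selinux,*)
            # SELinux-aware packages only act when the kernel LSM is active
            if [ "$status" = "enabled" ]; then
                printf 'selinux:%s\n' "${mode:-unknown}"
            else
                printf 'selinux:unknown\n'
            fi ;;
        *,apparmor,*) printf 'apparmor\n' ;;
        *)            printf 'none\n' ;;
    esac
)

# Constructed sample input, abridged from the sestatus output in the thread.
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             refpolicy-arch
Current mode:                   permissive
Mode from config file:          permissive'

# Constructed LSM lists for the two boots discussed in the thread.
classify_boot "capability,yama,selinux"  "$SAMPLE_SESTATUS"
classify_boot "capability,yama,apparmor" ""

# Live use:
# classify_boot "$(cat /sys/kernel/security/lsm)" "$(sestatus 2>/dev/null)"
```

A result of `selinux:permissive` means denials are logged but not enforced, which matches the state shown in the last post.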