SELinux implementation in Ubuntu

Solution 1:

How does Ubuntu implements SELinux...?

selinux is not installed or enabled by default. We use apparmor by default. The Ubuntu wiki page for SELinux even claims ...

Warning

The Ubuntu-specific "selinux" and "selinux-policy-ubuntu" packages documented here have not received much attention since Karmic, and appear to be effectively broken in Precise.

If you wish to use SELinux in Ubuntu, the "selinux-basics" and "selinux-policy-default" packages from Debian are still being actively maintained. Documentation relevant to those packages can be found at http://wiki.debian.org/SELinux

but also contains instruction on how to install it:

SELinux in Ubuntu

SELinux can be enabled in Ubuntu by installing the "selinux" meta-package, which will make the needed changes to the system, and install the Tresys policies for Ubuntu:

sudo apt-get install selinux

After installation, you will be prompted to reboot the system to label and activate SELinux.

But it might be smarter to install the debian packages manually...


What are the packages(modules) involved?

  • packages related to selinux.
  • packages related to selinux-utils.
  • packages related to selinux-policy-ubuntu.

Solution 2:

I believe you have to remove apparmor before installing SELinux:

sudo apt-get remove apparmor

According to the SELinux wiki page:

Starting with Hardy Heron SELinux has been integrated into Ubuntu and can be installed via apt.

Install the selinux package:

sudo apt-get install selinux

Change the SELinux mode in /etc/selinux/config (optional):

  • Enforcing

    sudo sed -i 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    
  • Permissive

    sudo sed -i 's/SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
    

Reboot

During shutdown all of the files on the system will be labeled. This may take some time depending on how many files you have and disk speed.

A search using apt-cache search turns up these packages:

postgresql-contrib-9.4 - additional facilities for PostgreSQL
ruby-selinux - Ruby bindings to SELinux shared libraries
checkpolicy - SELinux policy compiler
debian-handbook - reference book for Debian users and system administrators
joe-jupp - reimplement the joe Debian package using jupp
jupp - user friendly full screen text editor
libseaudit-dev - Security Enhanced Linux audit message parser development
libseaudit4 - Security Enhanced Linux audit message parsing library
libsefs-dev - Security Enhanced Linux file context management development
libsefs4 - Security Enhanced Linux file context management
libsetools-java - SETools Java bindings (architecture-independent)
libsetools-tcl - SETools Tcl bindings
libtomoyotools3 - lightweight Linux Mandatory Access Control system - library
policycoreutils - SELinux core policy utilities
python-selinux - Python bindings to SELinux shared libraries
python-semanage - Python bindings for SELinux policy management
python-sepolgen - Python module used in SELinux policy generation
python-sepolicy - Python binding for SELinux Policy Analyses
python-setools - SETools Python bindings
ruby-semanage - Ruby bindings to for SELinux policy management
selinux - Security-Enhanced Linux runtime support
selinux-basics - SELinux basic support
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-dummy - Empty Security-Enhanced Linux policy (dummy package)
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization
selinux-policy-ubuntu - Security-Enhanced Linux Reference Policy
selinux-policy-ubuntu-dev - Security-Enhanced Linux Reference Policy Development Headers
selinux-policy-ubuntu-doc - Security-Enhanced Linux Reference Policy Documentation
selinux-utils - SELinux utility programs
setools - tools for Security Enhanced Linux policy analysis
setools-gui - GUI tools for Security Enhanced Linux policy analysis