When I installed this server, I have decided to enable SELinux, and run it in enforcing mode. And it works !

Finding relevant documentation for SELinux and Debian was more difficult than expected, and even when it exists, it is often outdated. Also, It does not give real examples, and one problem I encountered very often is a policy module with correct labels, but created for another distribution, and thus not labeling Debian packages correctly. Some other distros (Gentoo and Fedora) have made huge progress on RBAC security, it would be nice to see the same on Debian.

I have started a guide for SELinux on Debian. The goals are to:

  • give a practical approach on using SELinux on Debian,
  • fight some false ideas (like not being usable on a Desktop, or that you have to enable it globally etc.),
  • describe how to mix confined and unconfined services,
  • give some examples (Cyrus IMAP, git, redmine, PostgreSQL, etc) see the examples page
  • explain how to use it with PaX/Grsec
  • give some example on using the
  • give some generic hardening tips.

Please notes that the examples and solutions given in the guide are only my own explanations and solutions, and that of course it may be wrong, or you may have a better solution. Since this is intended to be a collaborative guide, please contact me to update the guide, I’ll be happy to provide a git account (help wanted !)

For the details, the guide is written in , and rendered (in HTML or PDF) using documentation generator. This allows working with very simple text format (which is diff and git friendly) and having a pretty output.

The details are in the guide. If you find it useful, please give some feedback !

The references are inside, but here’s also a list of interesting links on the subject: