2.6 and SE Linux
I have attached a copy of the README.Debian file from my kernel-patch-2.4-lsm
package which documents the kernel configuration settings for using SE Linux.
I believe that Debian should do the same thing as Red Hat in terms of SE Linux
kernel support. That is 2.6 kernels should be built with SE Linux support
and let the user decide whether to enable it. If the
CONFIG_SECURITY_SELINUX_BOOTPARAM kernel option is enabled and you boot with
"selinux=0" (or if the Debian kernel source was modified to make selinux=0
the default and require selinux=1 to boot with SE Linux) then there is no
performance cost to SE Linux.
The only cost for including SE Linux in the default kernel is a small amount
of memory and a small amount of disk space for vmlinuz (both less than 50K
last time I checked).
This has already been done in the 2.6.0-test kernels from Red Hat.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
kernel-patch-2.4-lsm for Debian
This patch supplies the Linux Security Modules. It is needed for NSA Security
Enhanced Linux (among other things).
To apply automaticaly, set PATCH_THE_KERNEL=YES before first running of
make-kpkg (from package: kernel-package) and "make-kpkg clean" to remove.
When configuring your kernel do the following:
(Under Networking Options, enable Network Packet Filtering.
Under Security Options, enable Capabilities and enable
both IP Networking and SELinux as built-in options.)
This means having the following in your /usr/src/linux/.config:
# CONFIG_SECURITY_ROOTPLUG is not set
This release of SE Linux depends on XATTR's. For the Ext3 file system
use the following settings:
The options CONFIG_EXT3_FS_XATTR_USER and CONFIG_EXT3_FS_XATTR_TRUSTED are
not required for SE Linux, but do not do any harm either.
For the DEVPTS file system (required as the new SE Linux does not support
devfs or the old-styly /dev/pty) the following options are needed:
In the recent kernel patches MLS should be functional, but I have never tested
Also note that the labeled networking code is experimental, and that SE Linux
currently doesn't stack with the other security modules (so turn off OpenWall
and LIDS if you plan to use SE Linux).
The CONFIG_SECURITY_SELINUX_DEVELOP config option allows you to turn the SE
capabilities on and off at run time, I recommend that you use it when first
trying SE Linux (otherwise policy mistakes may prevent your machine from
The CONFIG_SECURITY_SELINUX_BOOTPARAM config option allows you to entirely
disable the SE Linux code. If you have development mode turned on and boot
with no policy then the machine will give the same behaviour as a non-SE
machine, however there will be a small (maybe 2%) performance hit. If you
enable this option and boot with "selinux=0" appended to the kernel command
line then SE Linux will be entirely disabled and the performance hit will be
If you want to use User-Mode-Linux (UML) with SE Linux then you need to apply
the UML kernel patch, the LSM kernel patch, and an additional patch that can
be found on http://www.coker.com.au/uml/ .
Feel free to ask me if you have any queries about how to do this properly.