selinux in debian 9

[Marek Eliáš <elias@l.ba30.eu>]

Hello,

I am trying to set up selinux on my laptop with a fresh installation of 
debian 9.1, and I have big troubles to make it boot.

I think that I did everything according to the wiki page
https://wiki.debian.org/SELinux/Setup
- installed the packages:
i     selinux-basics                               0.5.6          0.5.6     
   
i A   selinux-policy-default                       
2:2.20161023.1	2:2.20161023.1
i     auditd                                       1:2.6.7-2      1:2.6.7-2 
   
i A   setools                                      4.0.1-6        4.0.1-6   
   
- run selinux-activate (with subsequent reboot, relable, reboot)
- run check-selinux-installation which complained about missing 
/etc/default/rcS
so I added the file with content "FSCKFIX=yes" and the script stopped 
complaining and returned 0.

After this, my system worked in permissive mode.

However, if I tried to switch to enforcing mode (either using 
/etc/selinux/config or by kernel command line parameter), I never managed 
to boot.

I tried audit2allow using the input from /var/log/audit/, from journalctl 
(not everything is apparently in audit log) and also something that I could 
see in the display during the failed startups, and including this as a 
module, but never even managed to get to the single-user mode.
I would guess that booting in permissive mode, parsing audit log with 
audit2allow and including this into my policy would solve the problem, but 
it does not.

My installation uses systemd, although I am not very familiar with it.
I am not sure whether it is ok to send the output of audit2allow as an 
attachment, since it contains a few hundred lines. But I can quote several 
lines.

allow bootloader_t mount_var_run_t:file { getattr open read write };
allow bootloader_t udev_var_run_t:file { getattr open read };
allow bootloader_t user_home_dir_t:dir read;
allow bootloader_t var_lib_t:dir { add_name create mounton read remove_name 
rmdir write };
allow dhcpc_t avahi_exec_t:file { execute execute_no_trans getattr open 
read };
allow ifconfig_t apmd_var_run_t:file read;
allow local_login_t gkeyringd_exec_t:file execute;
allow local_login_t unlabeled_t:file { getattr open read };
allow ntpd_t init_t:file { open read };
allow sulogin_t locale_t:dir search;
allow sulogin_t locale_t:file read;
allow sulogin_t locale_t:lnk_file read;
allow system_cronjob_t http_port_t:tcp_socket name_connect;
allow system_cronjob_t mtrr_device_t:file getattr;
allow systemd_hostnamed_t init_t:dbus send_msg;
allow systemd_logind_t apmd_t:dir search;
allow systemd_logind_t user_runtime_t:sock_file unlink;
allow systemd_passwd_agent_t lvm_t:dir search;
allow systemd_passwd_agent_t lvm_t:file { getattr open read };
allow systemd_passwd_agent_t sysfs_t:file { getattr open read };

Am I doing something wrong, or is selinux even supported in stretch?
If the policy package was missing, the those types would not even exist and 
the respective files would not have such labels (it's a fresh installation 
on a brand new laptop). On the other hand, many of those permissions are 
about very basic parts of the system (sulogin, dhcpc, systemd_logind...).

I stopped my effort because I stopped seeing any new auditd logs which 
would move me further. Does anyone have any advice?

thanks,

marek