I posted that question in this forum in the hope of avoiding as best I could any brickbats or flaming replies.
[ducks]
I doubt it, given that PureOS is based heavily on Debian, which uses AppArmor by default (since buster 10).
AppArmor constrains only programs that have AppArmor profiles. Many (if not most) Debian packages do. Other programs by default are unrestricted. I don't like this approach. SELinux is restricted by default but writing policies for even simple tasks is looking harder than expected.
I ended up going for Qubes OS. I have full control over what accesses what. I can create a qube for my personal files without any internet connection, for instance. It's fantastic. Of course if my individual qubes run Debian I get the benefits of AppArmor within that qube. One drawback is that Qubes is quite an ugly distro (because of different window colors), but so far it's been worth it. I don't think I can ever feel safe in any of these other ordinary distros again.
I have a couple of PureOS devices and I don't think SELinux is used on them, but I am also not sure how to check it, maybe it is there and I never noticed it. How would I check if SELinux is installed and/or used?
I'm not an expert on this, but probably the quickest way to check whether SELinux is installed is to check whether a local configuration file exists, for example, typing in the command line
ls /etc/selinux
will return "file or directory not found" if SELinux isn't installed. If it is installed, you'll see a list of files including stuff like "/etc/selinux/config".
If SELinux is installed, you can check whether itās running by typing
getenforce
which will return "Enforced" if SELinux is currently running.
You can try checking your computer for SELinux-related packages with something like:
apt search selinux | grep -A2 installed
See:
ht tps://en.wikipedia.org/wiki/Security-Enhanced_Linux
ht tps://selinuxproject.org/page/Main_Page
(URLs fractured to prevent autorun)
Update: When I try the above on my PureOS machine, I get an odd result: /etc/selinux exists, and a few SELinux-related packages are installed, but getenforce returns a command-not-found error.
Or just point and click your way in your file manager GUI to the etc folder and scroll down to look.
There's an selinux folder in my Librem5, by the way. It contains one file: semanage.conf.
This is what I have on my Librem 5 also, and the getenforce command does not exist. Same thing on the Librem 13 running PureOS byzantium, and also on another laptop running Ubuntu. Perhaps it is normal for that /etc/selinux/semanage.conf file to sit there even though SELinux is not used? There is nothing else in the /etc/selinux/ directory, only that file.
Hi, and thanks for the follow ups - I'm yet to install PureOS - so, "have a peek in /etc" etc only goes so far. I'm toying with moving from Debian. Debian provides SELinux here:
https://wiki.debian.org/SELinux
But, it's not enabled by default and is only recommended for servers:
https://wiki.debian.org/SELinux/Issues
I'd noticed SELinux packages in the PureOS repos, so wondered if PureOS was using SELinux in its products - in particular the Librem 5, given its security emphasis and because I'm getting one.
So, what @DHS says is interesting…
Re getenforce, it's only a utility - so, maybe it's not installed by default - doesn't mean SELinux isn't - getenforce is provided by the package selinux-utils in Debian, so I assume the same for PureOS - @DHS, perhaps you could install selinux-utils and see what getenforce returns?
@Skalman, the basic SELinux package is… probably… selinux-basics (!):
https://packages.debian.org/buster/selinux-basics
Just to be clear - I don't want to know if SELinux is installed on my machine - I know it's not - I want to know if it's shipped with PureOS and if so, in what circs is it enabled (if at all)?
OK. On my Librem 5 that is not installed:
purism@pureos:~$ apt list | grep selinux
android-libselinux-dev/byzantium 10.0.0+r36-1 arm64
android-libselinux/byzantium 10.0.0+r36-1 arm64
golang-github-opencontainers-selinux-dev/byzantium 1.8.0-1 all
libselinux1-dev/byzantium 3.1-3 arm64
libselinux1/byzantium,now 3.1-3 arm64 [installed]
puppet-module-puppetlabs-selinux-core/byzantium 1.0.4-2 all
python3-selinux/byzantium 3.1-3 arm64
ruby-selinux/byzantium 3.1-3 arm64
selinux-basics/byzantium 0.5.8 all
selinux-policy-default/byzantium 2:2.20210203-3 all
selinux-policy-dev/byzantium 2:2.20210203-3 all
selinux-policy-doc/byzantium 2:2.20210203-3 all
selinux-policy-mls/byzantium 2:2.20210203-3 all
selinux-policy-src/byzantium 2:2.20210203-3 all
selinux-utils/byzantium 3.1-3 arm64
Only one package named something with "selinux" is installed: libselinux1
purism@pureos:~$ apt list --installed | grep selinux
libselinux1/byzantium,now 3.1-3 arm64 [installed]
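An added example, not written by any poster in this thread: since getenforce may simply not be installed, the state can be read from the kernel's own interfaces and from /etc/selinux/config instead. The optional root-prefix argument is an assumption of this example, used only to point the checks at a constructed test tree.

```shell
#!/bin/sh
# Added example: read LSM state from kernel interfaces, no selinux-utils needed.
# The optional root-prefix argument is an assumption of this example so the
# checks can be pointed at a constructed test tree instead of the live system.

# Runtime SELinux mode: selinuxfs exposes "1" (enforcing) or "0" (permissive).
selinux_state() {
    f="${1:-}/sys/fs/selinux/enforce"
    if [ ! -r "$f" ]; then echo disabled; return 0; fi
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Boot-time setting: the SELINUX= line in /etc/selinux/config, if present.
# A directory holding only semanage.conf (as in the thread) yields "none".
selinux_configured() {
    f="${1:-}/etc/selinux/config"
    if [ ! -r "$f" ]; then echo none; return 0; fi
    v="$(sed -n 's/^SELINUX=//p' "$f" | head -n 1)"
    echo "${v:-none}"
}

# AppArmor: the module parameter reads "Y" when the LSM is enabled.
apparmor_state() {
    f="${1:-}/sys/module/apparmor/parameters/enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then echo enabled; else echo disabled; fi
}

# LSMs the running kernel initialised, as a comma-separated list.
active_lsms() {
    f="${1:-}/sys/kernel/security/lsm"
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

report() {
    echo "active LSMs:      $(active_lsms "$1")"
    echo "SELinux runtime:  $(selinux_state "$1")"
    echo "SELinux config:   $(selinux_configured "$1")"
    echo "AppArmor:         $(apparmor_state "$1")"
}

report "${1:-}"
```

Run with no argument it reports on the live system; a runtime of "disabled" together with a config of "none" means SELinux is neither loaded nor set up, whatever library packages happen to be installed.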
Thanks @Skalman, I think that answers my question on whether there would be any advantage to me of installing PureOS over Debian. It'll be easier to just install SELinux where I am given there's no UEFI support in PureOS.
You CAN install PureOS-10-"Devel"-Byzantium in UEFI mode if you follow the on-screen instructions in the Calamares installer (at least on the LMini this is possible).