Does PureOS run SELinux by default?

I posted that question in this forum in the hope of avoiding as best I could any brick bats or flaming replies.
[ducks]

1 Like

I doubt it, given that PureOS is based heavily on Debian, which uses AppArmor by default (since buster 10).

AppArmor constrains only programs that have AppArmor profiles. Many (if not most) Debian packages do. Other programs by default are unrestricted. I don’t like this approach. SELinux is restricted by default but writing policies for even simple tasks is looking harder than expected.

I ended up going for Qubes OS. I have full control over what accesses what. I can create a qube for my personal files without any internet connection, for instance. It’s fantastic. Of course if my individual qubes run Debian I get the benefits of AppArmor within that qube. One drawback is that Qubes is quite an ugly distro (because of different window colors), but so far it’s been worth it. I don’t think I can ever feel safe in any of these other ordinary distros again.

I have a couple of PureOS devices and I don’t think SELinux is used on them, but I am also not sure how to check it, maybe it is there and I never noticed it. How would I check if SELinux is installed and/or used?

I’m not an expert on this, but probably the quickest way to check whether SELinux is installed is to check whether a local configuration file exists, for example, typing in the command line
ls /etc/selinux
will return “file or directory not found” if SELinux isn’t installed. If it is installed, you’ll see a list of files including stuff like “/etc/selinux/config”.
If SELinux is installed, you can check whether it’s running by typing
getenforce
which will return “Enforced” if SELinux is currently running.
You can try checking your computer for SELinux-related packages with something like:
apt search selinux | grep -A2 installed
See:
ht tps://en.wikipedia.org/wiki/Security-Enhanced_Linux
ht tps://selinuxproject.org/page/Main_Page
(URLs fractured to prevent autorun)
Update: When I try the above on my PureOS machine, I get an odd result: /etc/selinux exists, and a few SELinux-related packages are installed, but getenforce returns a command-not-found error.

Or just point and click your way in your file manager GUI to the etc folder and scroll down to look. :wink:

There’s an selinux folder in my Librem5, by the way. It contains one file:
semanage.conf.

This is what I have on my Librem 5 also, and the getenforce command does not exist. Same thing on the Librem 13 running PureOS byzantium, and also on another laptop running Ubuntu. Perhaps it is normal for that /etc/selinux/semanage.conf file to sit there even though SELinux is not used? There is nothing else in the /etc/selinux/ directory, only that file.

Hi, and thanks for the follow ups - I’m yet to install PureOS - so, ‘have a peak in /etc’ etc only goes so far. I’m toying with moving from Debian. Debian provides SELinux here:
https://wiki.debian.org/SELinux
But, it’s not enabled by default and is only recommended for servers:
https://wiki.debian.org/SELinux/Issues
I’d noticed SELinux packages in the PureOS repos, so wondered if PureOS was using SELinux in it’s products - in particular the Librem 5, given it’s security emphasis and because I’m getting one :slight_smile:
So, what @DHS says is interesting…
Re getenforce, it’s only a utility - so, may be it’s not installed by default - doesn’t mean SELinux isn’t - getenforce is provided by the package selinux-utils in Debian, so I assume the same for PureOS - @DHS , perhaps you could install selinux-utils and see what getenforce returns?
@Skalman , the basic SELinux backage is… probably… selinux-basics (!):
https://packages.debian.org/buster/selinux-basics
Just to be clear - I don’t want to know if SELinux is installed on my machine - I know it’s not - I want to know if it’s shipped with PureOS and if so, in what circs is it enabled (if at all)?

1 Like

OK. On my Librem 5 that is not installed:

purism@pureos:~$ apt list | grep selinux
android-libselinux-dev/byzantium 10.0.0+r36-1 arm64
android-libselinux/byzantium 10.0.0+r36-1 arm64
golang-github-opencontainers-selinux-dev/byzantium 1.8.0-1 all
libselinux1-dev/byzantium 3.1-3 arm64
libselinux1/byzantium,now 3.1-3 arm64 [installed]
puppet-module-puppetlabs-selinux-core/byzantium 1.0.4-2 all
python3-selinux/byzantium 3.1-3 arm64
ruby-selinux/byzantium 3.1-3 arm64
selinux-basics/byzantium 0.5.8 all
selinux-policy-default/byzantium 2:2.20210203-3 all
selinux-policy-dev/byzantium 2:2.20210203-3 all
selinux-policy-doc/byzantium 2:2.20210203-3 all
selinux-policy-mls/byzantium 2:2.20210203-3 all
selinux-policy-src/byzantium 2:2.20210203-3 all
selinux-utils/byzantium 3.1-3 arm64

Only one package named something with “selinux” is installed: libselinux1

purism@pureos:~$ apt list --installed | grep selinux
libselinux1/byzantium,now 3.1-3 arm64 [installed]

Thanks @Skalman, I think that answers my question on whether there would be any advantage to me of installing PureOS over Debian. It’ll be easier to just install SELinux where I am given there’s no UEFI support in PureOS

you CAN install PureOS-10-‘Devel’-Byzantium in UEFI mode if you follow the on-screen-instructions in the Calamares installer (at least on the LMini this is possible)

1 Like