Version: Debian12, Bookworm (kernel: 6.1.0-9-cloud-amd64)
Package: libselinux1:amd64
Impact: cosmetic

I have noticed that the kernels shipped with Debian (or at least the flavor
mentioned above) don't provide the CONFIG_SECURITY_SELINUX_BOOTPARAM. This
essentially means that there's no way to disable SELinux via the kernel's
cmdline.

Even though Debian, by default, does not use SELinux, it does ship
libselinux, which, for instance, systemd is happily linking to. It does go
through selinux_init_load_policy(), which means that libselinux
attempts to not only mount selinuxfs (which it successfully does) but
also attempts to load its .policy. Naturally, for a system which does not
depend on SELinux, such a .policy would not exist. This ends up with a very
confusing message, coming from libselinux, which can be seen right after
systemd kicks in:

SELinux:  Could not open policy file <=
/etc/selinux/targeted/policy/policy.33:  No such file or directory

(libselinux automagically determines this .N suffix at the end so I guess
the actual path may differ across different versions).

Since we cannot disable SELinux on the kernel level, and there's no way to
prevent libselinux from mounting selinuxfs (I believe based on that action
it actually determines if SELinux is disabled or not, since it does not
look up "selinux=" in the kernel's cmdline, just the "enforcing=" bit), we
need to actually create its /etc/selinux/config and explicitly set
"SELINUX=disabled" inside.

To me, this is the inconsistent part. :) A user who is not using SELinux at
all is required to put its config in place, to make sure the above loading
of the .policy does not happen (and to prevent this error from popping up
on the console). In my opinion, Debian should either provide
/etc/selinux/config from the very get-go (with SELinux disabled) or at
least enable CONFIG_SECURITY_SELINUX_BOOTPARAM. :)

Regards,
Michal
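As an added illustration (not part of Michal's report, and not libselinux's own code), the following POSIX sh script models the decision the report describes: whether the running kernel honours "selinux=" on the cmdline, which SELINUX= mode /etc/selinux/config selects, and which /etc/selinux/<type>/policy/policy.N file would be picked by the ".N suffix" lookup. The config-file defaults (SELINUXTYPE falling back to "targeted", a missing file treated as "unset") and the highest-N selection rule are assumptions that follow the report, not a claim about the exact libselinux implementation. All paths are parameters so the functions can be run against constructed files.

```shell
#!/bin/sh
# Added example: predict what libselinux will do at boot on a host that
# does not use SELinux, and render the workaround config from the report.
# Defaults and lookup rule are assumptions modelled on the report's text.

# Does this kernel honour "selinux=0" on the cmdline?
# Usage: has_selinux_bootparam /boot/config-$(uname -r)
has_selinux_bootparam() {
    grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y' "$1" 2>/dev/null
}

# Print the SELINUX= value from a config file, or "unset" if absent.
selinux_mode() {
    mode=$(sed -n 's/^SELINUX=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# Print the SELINUXTYPE= value, defaulting to "targeted" (assumption).
selinux_type() {
    t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${t:-targeted}"
}

# Model the ".N suffix" lookup: pick the highest-numbered policy.N under
# <root>/<type>/policy/. Prints an empty line if none exists.
policy_file() {
    root=$1 type=$2
    best=
    for f in "$root/$type/policy/policy."[0-9]*; do
        [ -e "$f" ] || continue
        n=${f##*.}
        case $n in *[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$n" -gt "${best##*.}" ]; then best=$f; fi
    done
    printf '%s\n' "$best"
}

# Predict the outcome of the policy-load step for a given config file and
# policy root. Prints "skip" (SELINUX=disabled), "load <path>" or "error"
# (the "Could not open policy file" case from the report).
predict_boot() {
    cfg=$1 root=$2
    if [ "$(selinux_mode "$cfg")" = disabled ]; then
        echo skip
        return 0
    fi
    p=$(policy_file "$root" "$(selinux_type "$cfg")")
    if [ -n "$p" ]; then echo "load $p"; else echo error; fi
}

# Write the /etc/selinux/config the report recommends for a non-SELinux
# host. Refuses to clobber an existing file.
write_disabled_config() {
    if [ -e "$1" ]; then
        echo "$1 exists, not touching it" >&2
        return 1
    fi
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$1"
}

# Typical use on a real host (paths shown are the live ones):
#   has_selinux_bootparam "/boot/config-$(uname -r)" && echo "selinux= honoured"
#   predict_boot /etc/selinux/config /etc/selinux
```

Running predict_boot against a missing config and an empty policy root reproduces the "error" outcome the report complains about; after write_disabled_config has created the file, the same call reports "skip".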