Unless you choose a Linux distribution that includes built-in support for SELinux, you’ll have to install and configure SELinux yourself. It’s generally easier to do so using binary or source packages than using the source code tarballs released by the NSA. This section explains how to install and initially configure SELinux on:
Debian GNU/Linux
Gentoo Linux
SUSE Linux 8.2
In addition, the section gives advice on installing and configuring SELinux to work with Red Hat Enterprise Linux 3. As explained earlier, the forthcoming Red Hat Enterprise Linux 4 is planned to integrally support SELinux.
At the time of writing, two releases of Debian GNU/Linux are currently in use, and a third is under development. The two commonly used releases are:
As the release names indicate, Woody is considered the more reliable release; its component packages have been subject to more extensive, and more thorough, testing and use than those of Sid. However, the C compiler and libraries and other components of Woody are too old to work well with SELinux. Consequently, this section presents an SELinux installation procedure appropriate for Sid.
If you’re interested in using SELinux with Woody, you can use special packages created by Brian May, available at http://www.microcomaustralia.com.au/debian. You can find brief instructions for using them at http://www.coker.com.au/selinux. Because these packages are subject to change, I don’t present step-by-step instructions for installing and configuring SELinux under Woody. If you plan to install SELinux under Woody, you can request assistance by posting to the SELinux mailing list, to which you can subscribe using the web page identified in Chapter 1.
To install SELinux under Sid, perform the following steps. Since I presume you know how to install Debian Sid, the steps include only general explanations of the associated operations. If you’re unfamiliar with the installation procedure for Debian, please see the installation manual available at http://www.debian.org/releases/stable/i386/install.
Obtain bootable media for Debian Sid and boot the system using them. I recommend the media available at http://people.debian.org/~dwhedon/boot-floppies, especially bf2.4-3.0.23-netinst.iso, because of its relatively small size (10 MB). If you like, you can choose from other media available at http://www.debian.org/CD/netinst.
Burn the ISO image to a CD-RW or CD-R and boot the system using it. Choose the language to be used during installation and your keyboard type.
Partition the target system’s primary hard disk and create Linux filesystems as usual. The simplest installation consists of three partitions: a boot partition (/boot), a root partition (/), and a swap partition. The swap partition should have partition type 82, whereas the other two partitions should have type 83.
The installer encourages you to choose the ext2 filesystem type for the boot and root partitions. I suggest that you ignore the default and choose ext3 as the filesystem type for the root filesystem, because the journaling provided by ext3 will improve the reliability of your filesystem. You can choose either ext2 or ext3 as the filesystem type of the boot partition. I myself prefer to choose ext3 for consistency.
Install a kernel and any drivers necessary for devices you plan to use during, and immediately after, installation. In general, you should ensure that a driver is available for your system’s network interface. The installation program may automatically recognize your system’s devices, in which case you don’t need to explicitly load any drivers.
Set up networking by specifying a hostname, domain name, and network configuration. If a DHCP or BOOTP server is available, you can request automatic network configuration, which identifies the system IP address, network mask, gateway IP address, and DNS server IP address for you; otherwise, you must specify these yourself.
Install the bootloader. Generally, you should install LILO, the default Debian bootloader, to the MBR (master boot record) of the primary hard drive. If your system is configured to boot multiple operating systems, special considerations are necessary. Consult the Debian installation manual for details.
Reboot the system. When the system configuration screen appears, specify configuration options, including the time zone, MD5 passwords (which should generally be enabled), a shadow password file, a root password, and a non-root user.
When prompted to run apt, decline to do so by pressing Cancel. Likewise, decline to run tasksel. When dselect runs, allow it to continue and also allow it to delete any previously downloaded .deb files that are no longer needed.
Respond to the installation program prompts that lead you through the configuration of installed packages such as mail.
When configuration is complete, log in as the root user. Use a text editor to create the file /etc/apt/apt_preferences, specifying the following contents:
Package: *
Pin: release o=etbe
Pin-Priority: 1100
This configuration file will prevent critical SELinux packages from being overwritten by updated non-SELinux packages.
Use a text editor to modify the file /etc/apt/sources.list, deleting any existing entries and specifying the following contents:
deb http://www.coker.com.au/newselinux/ ./
deb ftp://ftp.us.debian.org/debian/ sid main
The web site http://www.coker.com.au is a repository of Debian SELinux packages, maintained by Russell Coker.
Issue the command:
# apt-get update
to update the list of available packages.
Use apt-get to install the libselinux1 package. Then install the following packages:
checkpolicy
coreutils
cron
dpkg
fileutils
initscripts
libpam0g
libpam0g-dev
libpam-cracklib
libpam-doc
libpam-modules
libpam-runtime
libselinux1
logrotate
policycoreutils
procps
selinux-doc
selinux-policy-default
selinux-utils
shellutils
strace
sysvinit
sysv-rc
textutils
These packages contain versions of standard utilities that have been modified to work with SELinux, SELinux-specific utilities, the SELinux policy, and SELinux documentation.
You may be prompted to update Glibc, which you should approve. You will then be prompted to accept a series of files contained in the selinux-policy-default package; you may accept all such files.
Launch dselect, and use it to install any available updates to Sid. If dselect does not propose installation of a Linux 2.6 kernel, manually select an appropriate kernel-image package for installation. In any case, manually select a kernel-source package corresponding to the kernel that dselect automatically selected or that you manually selected. Finally, be sure that the ncurses-dev package is selected for installation. Allow dselect to install the selected packages.
Now, you’re ready to build an SELinux kernel. Move to the directory /usr/src, unpack the kernel sources, and set up a symbolic link named linux, pointing to the directory containing the unpacked sources. If you’re unfamiliar with the procedure for manually configuring, compiling, and installing a Linux kernel, consult the Debian installation guide.
Enter the directory containing the kernel sources. Using a text editor, open the Makefile and change the EXTRAVERSION variable to a distinct value. This value is used to name and identify the directory containing loadable kernel modules that work with your kernel.
Choose an installed /boot/config* file and copy it to the current directory, naming it .config. Doing so will conveniently set default values for many configuration options.
Issue the command:
# make menuconfig
Choose kernel configuration options appropriate to your system, overriding default values as necessary. I personally like to omit support for devices and filesystems that I don’t use and specify that support for needed devices and filesystems should be compiled integrally in the kernel, rather than as modules. But, other preferences are acceptable.
Also specify the following SELinux-related options. Under Code Maturity, specify:
Prompt for development and/or incomplete code/drivers
Under Device Drivers → Character Devices, specify:
Unix98 PTY
No Legacy (BSD) PTY support
Under File systems, specify:
Second extended fs support
Ext2 extended attributes
Ext2 security labels
Ext3 journalling file system support
Ext3 extended attributes
Ext3 security labels
Do not specify POSIX access control lists for either ext2 or ext3.
Under Pseudo filesystems, specify:
/dev/pts Extended Attributes
/dev/pts Security labels
Do not specify:
/dev file system support
Finally, under Security options, specify:
Enable different security models
Socket and networking security hooks
Default Linux capabilities
NSA SELinux
NSA SELinux boot parameter
NSA SELinux Development support
Compile and install the kernel, by issuing the commands:
# make clean
# make install modules modules_install
If you compiled all features integrally within the kernel, omitting support for modules, use the following command instead:
# make clean && make install
Modify the /etc/lilo.conf bootloader configuration to boot the new kernel in SELinux mode, by adding the following LILO option to the stanza pertaining to the new kernel:
append="selinux=1 enforcing=0"
Issue the /sbin/lilo command to update the boot record.
Create the special directory used by the SELinux kernel during system startup:
# mkdir /selinux
Add the following line at the end of the /etc/fstab configuration file:
none /selinux selinuxfs defaults 0 0
Modify the PAM configuration by adding the following line at the end of the files /etc/pam.d/login and /etc/pam.d/ssh:
session required pam_selinux.so
Compile the SELinux policy and label the filesystem:
# cd /etc/selinux
# make policy
# make relabel
Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file’s security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.
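As an added example (not a script from the book), the following shell function checks the boot-time SELinux setup that the preceding Debian steps create: the /selinux mount point, the selinuxfs line in /etc/fstab, the selinux=1 LILO append option, and the pam_selinux session lines in /etc/pam.d/login and /etc/pam.d/ssh. It takes a root directory as its argument, so it can be run against / on the installed system or against the constructed demonstration tree built below.

```shell
#!/bin/sh
# Added example: verify the Debian SELinux boot-time plumbing under ROOT.
# Pass "/" for the real system; the demo below uses a constructed tree.

# check_selinux_boot_setup ROOT: prints each problem found, returns 0 only
# when every check passes.
check_selinux_boot_setup() {
    root=${1%/}   # strip a trailing slash so "/" and "" behave alike
    rc=0

    # 1. The kernel mounts selinuxfs on /selinux, so the directory must exist.
    if [ ! -d "$root/selinux" ]; then
        echo "missing mount point $root/selinux"; rc=1
    fi

    # 2. /etc/fstab must mount selinuxfs on /selinux.
    if ! grep -Eq '^[^#[:space:]]+[[:space:]]+/selinux[[:space:]]+selinuxfs[[:space:]]' \
            "$root/etc/fstab" 2>/dev/null; then
        echo "no selinuxfs entry for /selinux in $root/etc/fstab"; rc=1
    fi

    # 3. LILO must pass selinux=1; enforcing=0 means the kernel boots permissive,
    #    which is what the installation steps intend but is worth noticing.
    append=$(grep -E '^[[:space:]]*append=' "$root/etc/lilo.conf" 2>/dev/null)
    case $append in
        *selinux=1*) ;;
        *) echo "no append=\"selinux=1 ...\" line in $root/etc/lilo.conf"; rc=1 ;;
    esac
    case $append in
        *enforcing=0*) echo "note: kernel will boot in permissive mode (enforcing=0)" ;;
    esac

    # 4. pam_selinux must be a session module for both login and ssh.
    for svc in login ssh; do
        if ! grep -Eq '^session[[:space:]]+required[[:space:]]+pam_selinux\.so' \
                "$root/etc/pam.d/$svc" 2>/dev/null; then
            echo "pam_selinux session line missing from $root/etc/pam.d/$svc"; rc=1
        fi
    done
    return $rc
}

# build_demo_tree DIR: constructed Debian-like tree (not a real system) that
# follows the steps above except that /etc/pam.d/ssh lacks the pam_selinux line.
build_demo_tree() {
    mkdir -p "$1/selinux" "$1/etc/pam.d"
    printf 'none /selinux selinuxfs defaults 0 0\n' > "$1/etc/fstab"
    printf 'image=/boot/vmlinuz-selinux\n\tlabel=selinux\n\tappend="selinux=1 enforcing=0"\n' \
        > "$1/etc/lilo.conf"
    printf 'session required pam_selinux.so\n' > "$1/etc/pam.d/login"
    : > "$1/etc/pam.d/ssh"   # deliberately incomplete
}

# Demonstration on the constructed tree; expect the ssh complaint.
demo=${TMPDIR:-/tmp}/selinux-demo.$$
build_demo_tree "$demo"
check_selinux_boot_setup "$demo" && echo "all checks passed" || echo "fix the items above"
rm -rf "$demo"
```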
Unfortunately, it’s not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te. To work around such errors, create the directory /etc/selinux/domain/programs/error, move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list, identified near the end of Chapter 1.
Reboot your system. When the system starts up, relabel the filesystem a second time so that any files created during the reboot are properly labeled:
# cd /etc/selinux
# make relabel
Your Debian SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.
The Debian developers do not officially support SELinux. However, they tend to be both technologically keen and helpful in responding to questions that interest them. Understandably, the developers are sometimes nonresponsive to questions posed by users who seem to them to be lazy or unskilled. In a few cases, they may even seem to respond contemptuously or with hostility. To make good use of their time and avoid taxing their patience, be sure to put forth a good-faith effort to troubleshoot and resolve problems before posting questions to the Debian mailing lists, such as debian-security.
Unlike Debian GNU/Linux, Gentoo Linux specifically supports SELinux. However, SELinux has not been integrated into the standard Gentoo release. This section explains how to install SELinux under Gentoo to a fresh or bare-metal system. The following section explains how to install SELinux to a preexisting Gentoo Linux system.
At the time of writing, Gentoo supports SELinux only on servers, not workstations, due primarily to interoperability problems between SELinux and X. However, the Gentoo developers suggest that SELinux workstation may be available in a future Gentoo release.
The “Gentoo x86 SELinux Installation Guide,” available at http://www.gentoo.org/, gives the official Gentoo instructions for installing Gentoo SELinux. The online instructions are likely to be more up to date than the following procedure; however, you may find the following procedure helpful in explaining how the Gentoo procedure works. Ideally, when installing SELinux under Gentoo, you should consult both the online instructions and this book.
To install SELinux under Gentoo, perform the following steps:
Obtain a current Gentoo LiveCD image, available from a Gentoo mirror site listed at http://www.gentoo.org/main/en/mirrors.xml. Burn the image to CD-R or CD-RW and boot your system from it. Choose a kernel from those listed as available. For installation, you don’t need to choose an SELinux kernel; a standard Gentoo kernel such as gentoo or nousb is satisfactory.
After booting, the system automatically logs you in as the root user. The system probably loaded appropriate kernel drivers for your system’s devices automatically. But, if not, you can manually load a driver by issuing the modprobe command.
Use the lsmod command to verify that the driver appropriate for your network interface was loaded. If it was not loaded, manually load a driver from /lib/modules*/kernel/drivers/net. If a required SCSI driver was not loaded, manually load one in the same manner.
Issue the /sbin/ifconfig command to verify that networking has been configured. If networking has been configured, verify that it’s working by pinging your DNS server or accessing a web site. The lynx, ping, scp, ssh, wget, and other network commands are available and should work. If networking is not properly operational, consult the Gentoo installation guide for troubleshooting and problem resolution hints.
Use the date command to set your system’s date and time. The argument is given as MMDDhhmmYYYY. For instance, you can set the date and time to 2:27 a.m. on July 1, 2004, by issuing the command:
# date 070102272004
Use fdisk to establish appropriate partitions on your system’s primary hard drive.
Use mkswap to prepare a swap partition for use and use mke2fs to prepare ext3 (preferred) or ext2 filesystems on the non-swap partitions. Activate the swap partition and mount the filesystems. For instance:
mkswap /dev/hda2                    # prepare swap partition
mke2fs -j /dev/hda1                 # make /boot filesystem
mke2fs -j /dev/hda3                 # make / filesystem
swapon /dev/hda2                    # activate swap partition
mount /dev/hda3 /mnt/gentoo         # mount / partition
mkdir /mnt/gentoo/boot              # create mount point
mount /dev/hda1 /mnt/gentoo/boot    # mount /boot
Download the installation tarball, stage1-x86-1.4_rc4.tar.bz2, using the lynx or wget command, from a Gentoo mirror such as http://gentoo.oregonstate.edu/experimental/x86/stages, and place the tarball in the /mnt/gentoo directory. Extract the tarball contents, enter the chrooted filesystem just created, and update your shell context:
# tar jxvpf stage1-*.tar.bz2
# mount -t proc proc /mnt/gentoo/proc
# mount -t selinuxfs none /mnt/gentoo/selinux
# cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
Update the portage tree:
# emerge sync
Use a text editor, such as Nano, to customize the build settings, if desired. The settings reside in the file /etc/make.conf, which is heavily commented and therefore largely self-explanatory. Generally, the default values are acceptable. But, you should check the values of CHOST, CFLAGS, and CXXFLAGS to ensure they’re consistent with the processor type of your system. Detailed information on the configuration options provided by the make.conf file is available at http://www.gentoo.org and http://www.gentoo.org/dyn/use-index.xml.
Initiate the bootstrap process, which builds the GNU C library, the C compiler, and other fundamental programs:
# export PORTAGE_TMPDIR=/var/tmp
# cd /usr/portage
# scripts/bootstrap.sh
The bootstrap process is relatively time-consuming, as you might suspect. You can specify a directory other than /var/tmp, if you prefer. The directory should provide several hundred megabytes of free space.
Build the non-bootstrapped programs:
# emerge system
This process generally takes even longer than the bootstrap process.
Set the time zone:
# ln -sf /usr/share/zoneinfo/path /etc/localtime
where path denotes the subpath corresponding to your time zone. For instance, /usr/share/zoneinfo/America/Los_Angeles denotes the U.S. Pacific time zone.
Install a kernel by issuing any one of the following commands:
# emerge sys-kernel/selinux-sources
# emerge sys-kernel/hardened-sources
# emerge sys-kernel/gentoo-dev-sources
# emerge sys-kernel/development-sources
# emerge sys-kernel/mm-sources
Now, you’re ready to build an SELinux kernel. To begin doing so, issue the following commands:
# cd /usr/src/linux
# zcat /proc/config.gz > .config
# make menuconfig
Specify the following SELinux-related options. Under Code Maturity, specify:
Prompt for development and/or incomplete code/drivers
Under Device Drivers → Character Devices, specify:
Unix98 PTY
No Legacy (BSD) PTY support
Under File systems, specify:
Second extended fs support
Ext2 extended attributes
Ext2 security labels
Ext3 journalling file system support
Ext3 extended attributes
Ext3 security labels
Do not specify POSIX access control lists for either ext2 or ext3.
Under Pseudo filesystems, specify:
/dev/pts Extended Attributes
/dev/pts Security labels
Do not specify:
/dev file system support
Finally, under Security options, specify:
Enable different security models
Default Linux capabilities
NSA SELinux
NSA SELinux boot parameter
NSA SELinux Development support
Do not specify:
Socket and networking security hooks
NSA SELinux MLS policy
If needed, configure kernel support for PPPoE and IDE CD burning. Be sure the kernel includes support for your system’s Ethernet card. See the Installation Guide for details.
Compile and install the kernel:
# make dep
# make clean bzImage modules modules_install
# cp /usr/src/linux/arch/i386/boot/bzImage /boot
Install any kernel-related software needed by your system. For instance, you might issue one or more of the following commands:
# emerge e100        # Intel e100 NIC
# emerge e1000       # Intel e1000 NIC
# emerge emu10k1     # Creative SBLive!
Install a system logging service. Under Gentoo, you can choose any one of four logging services. I prefer the Unix de facto standard, Syslog. To install Syslog, issue the following commands:
# emerge -k app-admin/sysklogd
# rc-update add sysklogd default
Install the cron service:
# emerge -k sys-apps/vixie-cron
# rc-update add vixie-cron default
First, use nano (or another editor of your choice) to create an /etc/fstab file that mounts your Linux ext2 and ext3, swap, proc, tmpfs, and cdrom filesystems. A typical file looks like this:
/dev/hda1 /boot ext3 ro,noatime 1 1
/dev/hda2 / ext3 noatime 0 0
/dev/hda4 /space ext3 noatime 0 0
/dev/hda3 none swap sw 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
Then, add the following two SELinux-related lines to the file:
none /selinux selinuxfs defaults 0 0
none /dev/pts devpts defaults 0 0
The first line causes the system to automatically mount the SELinux pseudofilesystem during system startup. The second line causes the system to automatically mount the devpts pseudofilesystem. This is needed because the current release of Gentoo SELinux uses devpts rather than the Gentoo-default devfs pseudofilesystem.
Set the password for the root user, by issuing the passwd command. You should also create one or more non-root users, by issuing the adduser command. You should also set a password for each non-root user you create.
# passwd
New UNIX password: (password not echoed)
Retype new UNIX password: (password not echoed)
# adduser staff
# passwd staff
New UNIX password: (password not echoed)
Retype new UNIX password: (password not echoed)
Specify the host and domain names. To set the host name, issue the command:
# echo hname > /etc/hostname
where hname is the host name. To set the domain name, issue the command:
# echo dname > /etc/dnsdomainname
where dname is the domain name. If your system is to be part of an NIS domain, also set the name of the NIS domain:
# echo nisname > /etc/nisdomainname
where nisname is the NIS domain name.
Also, modify the /etc/hosts file to include a line such as the following:
xxx.xxx.xxx.xxx hname.dname hname
where xxx.xxx.xxx.xxx is the primary IP address of your system, hname is its host name, and dname is its domain name.
Specify the kernel modules that should be loaded at system startup. To do so, add their names (and any desired options) to /etc/modules.autoload. If the driver for your system’s network adapter was compiled as a module, it’s especially important that the corresponding module is specified in /etc/modules.autoload. You can determine the name of the module by inspecting the names of the driver files located in /lib/modules/`uname -r`/kernel/drivers/net.
Configure your system’s IP address, network mask, and other TCP/IP parameters in /etc/conf.d/net.
Then set networking to start at the default run level:
# rc-update add net.eth0 default
Set system preferences in /etc/rc.conf. Comments in the file explain the functions of the configuration options. In particular, be sure the CLOCK setting has the correct value (UTC or local).
Compile, install, and configure the GRUB bootloader.
If your system uses hardware RAID, your system is configured for multiple boot, your kernel is configured to use framebuffer video, or if you prefer to configure the LILO bootloader rather than GRUB, see the Installation Guide for further instructions.
To compile GRUB, issue the command:
# emerge grub
To install GRUB, enter its command-line environment and issue the GRUB root and setup commands:
# grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
The GRUB root command shown is appropriate only if your /boot partition is the first partition on the primary hard drive, the most common case. If the /boot partition is the second partition, use the command:
grub> root (hd0,1)
To configure GRUB, use an editor to create the /boot/grub/grub.conf file. A typical file might resemble the following:
default 0
timeout 30
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title=Gentoo SELinux
root (hd0,0)
kernel (hd0,0)/boot/bzImage root=/dev/hda3 gentoo=nodevfs
This configuration file assumes that the boot partition is /dev/hda1 and the Linux root partition is /dev/hda3. It won’t work if your hard drive is differently configured. In that case, you must adjust the configuration parameters. If you’re unfamiliar with the contents of GRUB’s configuration file, or uncertain what values to specify, see the Installation Guide.
If your system fails to boot, it’s handy to have available a GRUB boot disk. To create one, put a blank floppy in the drive and issue the following commands:
# cd /usr/share/grub/i386-pc/
# cat stage1 stage2 > /dev/fd0
Update any out-of-date configuration files, by issuing the command:
# etc-update
Compile the SELinux policy and label the filesystem, by issuing the following commands:
# cd /etc/security/selinux/src/policy/
# make install
# make chroot_relabel
Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file’s security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.
Unfortunately, it’s not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te. To work around such errors, create the directory /etc/selinux/domain/programs/error, move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list mentioned near the end of Chapter 1.
Exit the chrooted shell, and reboot the system:
# exit
# cd /
# umount /mnt/gentoo/boot
# umount /mnt/gentoo/proc
# umount /mnt/gentoo/selinux
# umount /mnt/gentoo
# reboot
When the system has booted, relabel the filesystem for the second time, so that files created during rebooting will be properly labeled:
# cd /etc/security/selinux/src/policy
# make relabel
Your Gentoo SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.
The preceding section explains how to install a Gentoo SELinux system onto a bare-metal system. It’s also possible to install SELinux to a working Gentoo Linux system. This section explains how to do so. The “Gentoo Linux SELinux Quick Start Guide,” available at http://www.gentoo.org/, gives the official Gentoo instructions for installing Gentoo SELinux to an existing Gentoo Linux system. The online instructions are likely to be more up to date than the following procedure; however, you may find the following procedure helpful in explaining how the Gentoo procedure works. Ideally, when installing SELinux under Gentoo, you should consult both the online instructions and this book.
First, check whether your system is compatible with Gentoo SELinux. Your system should be a server, not a workstation. And, it should use the Linux ext2 or ext3 filesystem rather than a more exotic filesystem such as ReiserFS.
Issue the following instructions to switch to the SELinux profile:
# rm -f /etc/make.profile
# ln -sf /usr/portage/profiles/selinux-x86-1.4 /etc/make.profile
Check whether any USE flags need to be reenabled in /etc/make.conf:
# emerge info
Edit /etc/make.conf as appropriate, based on any messages you see.
Check that the C headers are sufficiently up to date:
# emerge -s linux-headers
If the version of the headers is older than 2.4.20, merge new headers by issuing the command:
# emerge ">=sys-kernel/linux-headers-2.4.20"
Next, recompile the C library, by issuing the command:
# emerge glibc
This step generally takes a significant amount of time to complete.
Merge an appropriate Linux 2.4 or Linux 2.6 kernel, by issuing any one of the following commands:
# emerge sys-kernel/selinux-sources
# emerge sys-kernel/hardened-sources
# emerge sys-kernel/gentoo-dev-sources
# emerge sys-kernel/development-sources
# emerge sys-kernel/mm-sources
Now, you’re ready to build an SELinux kernel. To begin doing so, issue the following commands:
# cd /usr/src/linux
# make menuconfig
Specify any options needed to support devices or facilities installed on your system. Also, specify the following SELinux-related options. Under Code Maturity, specify:
Prompt for development and/or incomplete code/drivers
Under Device Drivers → Character Devices, specify:
Unix98 PTY
No Legacy (BSD) PTY support
Under File systems, specify:
Second extended fs support
Ext2 extended attributes
Ext2 security labels
Ext3 journalling file system support
Ext3 extended attributes
Ext3 security labels
Do not specify POSIX access control lists for either ext2 or ext3.
Under Pseudo filesystems, specify:
/dev/pts Extended Attributes
/dev/pts Security labels
Do not specify:
/dev file system support
Finally, under Security options, specify:
Enable different security models
Default Linux capabilities
NSA SELinux
NSA SELinux boot parameter
NSA SELinux Development support
Do not specify:
Socket and networking security hooks
NSA SELinux MLS policy
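The three kernel-option lists in this chapter (Debian Sid, Gentoo bare-metal, and Gentoo existing-system) differ only in whether the socket and networking security hooks and the MLS policy are enabled. The following checker is an added example, not from the book or either distribution; it assumes the Linux 2.6-era CONFIG_ symbols behind the menuconfig labels (the mapping is listed in the comments) and reads a .config file such as /usr/src/linux/.config. The sample .config fragment it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a Linux 2.6 .config against the SELinux-related
# options listed in the text. Assumed label -> CONFIG_ symbol mapping:
#   Prompt for development and/or incomplete code/drivers -> CONFIG_EXPERIMENTAL
#   Unix98 PTY / Legacy (BSD) PTY support -> CONFIG_UNIX98_PTYS / CONFIG_LEGACY_PTYS
#   Ext2/Ext3 extended attributes, security labels, POSIX ACLs
#       -> CONFIG_EXT{2,3}_FS_XATTR, CONFIG_EXT{2,3}_FS_SECURITY, CONFIG_EXT{2,3}_FS_POSIX_ACL
#   /dev/pts Extended Attributes / Security labels -> CONFIG_DEVPTS_FS_XATTR / CONFIG_DEVPTS_FS_SECURITY
#   /dev file system support -> CONFIG_DEVFS_FS
#   Security options -> CONFIG_SECURITY, CONFIG_SECURITY_NETWORK, CONFIG_SECURITY_CAPABILITIES,
#       CONFIG_SECURITY_SELINUX, CONFIG_SECURITY_SELINUX_BOOTPARAM,
#       CONFIG_SECURITY_SELINUX_DEVELOP, CONFIG_SECURITY_SELINUX_MLS

COMMON_REQUIRED="CONFIG_EXPERIMENTAL CONFIG_UNIX98_PTYS
CONFIG_EXT2_FS CONFIG_EXT2_FS_XATTR CONFIG_EXT2_FS_SECURITY
CONFIG_EXT3_FS CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY
CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY
CONFIG_SECURITY CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX
CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_SECURITY_SELINUX_DEVELOP"
COMMON_FORBIDDEN="CONFIG_LEGACY_PTYS CONFIG_DEVFS_FS
CONFIG_EXT2_FS_POSIX_ACL CONFIG_EXT3_FS_POSIX_ACL"

# is_set FILE SYMBOL: true if SYMBOL is built in (=y) or a module (=m)
is_set() {
    grep -q "^$2=[ym]\$" "$1"
}

# check_kconfig DISTRO FILE: DISTRO is "debian" (socket hooks required) or
# "gentoo" (socket hooks and MLS must be off). Prints each violation;
# returns 0 if FILE satisfies the list, 1 otherwise, 2 on a bad DISTRO.
check_kconfig() {
    distro=$1; file=$2; rc=0
    required=$COMMON_REQUIRED; forbidden=$COMMON_FORBIDDEN
    case $distro in
        debian) required="$required CONFIG_SECURITY_NETWORK" ;;
        gentoo) forbidden="$forbidden CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX_MLS" ;;
        *) echo "unknown distribution: $distro" >&2; return 2 ;;
    esac
    for sym in $required; do
        if ! is_set "$file" "$sym"; then
            echo "missing: $sym"; rc=1
        fi
    done
    for sym in $forbidden; do
        if is_set "$file" "$sym"; then
            echo "must be disabled: $sym"; rc=1
        fi
    done
    return $rc
}

# write_sample_config FILE: constructed .config fragment that follows the
# Debian list (socket hooks on). It is not a real kernel's .config.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_UNIX98_PTYS=y
# CONFIG_LEGACY_PTYS is not set
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
# CONFIG_EXT2_FS_POSIX_ACL is not set
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
# CONFIG_EXT3_FS_POSIX_ACL is not set
CONFIG_EXT3_FS_SECURITY=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y
# CONFIG_DEVFS_FS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set
EOF
}

# Demonstration: the same sample passes the Debian list and fails Gentoo's.
sample=${TMPDIR:-/tmp}/selinux-kconfig.$$
write_sample_config "$sample"
echo "== debian =="; check_kconfig debian "$sample" && echo "ok"
echo "== gentoo =="; check_kconfig gentoo "$sample" || echo "not ok"
rm -f "$sample"
```

To check a real tree, replace the sample with the path to your kernel's .config, e.g. check_kconfig debian /usr/src/linux/.config.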
Compile and install the kernel:
# make dep
# make clean bzImage modules modules_install
# cp /usr/src/linux/arch/i386/boot/bzImage /boot
Add the following lines to /etc/fstab:
none /selinux selinuxfs gid=5,mode=620 0 0
none /dev/pts devpts defaults 0 0
The first line causes the system to automatically mount the SELinux pseudofilesystem during system startup. The second line causes the system to automatically mount the devpts pseudofilesystem. This is needed because the current release of Gentoo SELinux uses devpts rather than the Gentoo-default devfs pseudofilesystem.
Edit /boot/grub/grub.conf, adding gentoo=nodevfs to the kernel line; for instance:
kernel /bzImage root=/dev/hda3 gentoo=nodevfs
Make two directories needed by SELinux:
# mkdir /selinux
# mkdir /sys
Reboot the system.
Merge packages required by SELinux:
# emerge libselinux checkpolicy policycoreutils
# emerge selinux-base-policy
Load the precompiled SELinux policy:
# cd /etc/security/selinux/src/policy
# make load
Merge packages modified to work with SELinux:
# emerge baselayout coreutils findutils openssh pam pam-login procps psmisc python-selinux shadow util-linux
Merge any of the following packages that are already installed:
# emerge app-admin/logrotate
# emerge sys-apps/vixie-cron
# emerge sys-libs/pwdb
Remove the following packages:
# emerge -C fileutils sh-utils textutils
Compile and install the SELinux policy, and label the files:
# cd /etc/security/selinux/src/policy
# make install
# make relabel
Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file’s security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.
Unfortunately, it’s not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te. To work around such errors, create the directory /etc/selinux/domain/programs/error, move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list, identified near the end of Chapter 1.
If using GRUB, reinstall GRUB to the MBR:
# grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
Reboot the system.
Relabel the files again, to ensure that files created during rebooting are properly labeled:
# cd /etc/security/selinux/src/policy
# make relabel
Your Gentoo SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.
Installing SELinux using RPM packages is fast and convenient. And assuming that the packages are fully compatible with the target system, it’s also effective. SELinux RPM packages are available for two Linux releases: Red Hat Enterprise Linux and SUSE Linux.
At one time, Red Hat engineer Dan Walsh, who’s a member of the team responsible for implementation of SELinux under Fedora Core 2, made available SELinux binary and source RPM packages for RHEL3, on his FTP site, ftp://people.redhat.com/. However, the packages available there at the time of writing are not fully compatible with RHEL3; they have dependencies unsatisfied by packages available from the site or the RHEL3 release.
Those who are handy with source RPMs can likely hack the packages available at ftp://people.redhat.com/dwalsh/SELinux/srpms/ to work with RHEL3, by tweaking them a bit and by installing updated versions of Autoconf, Automake, and other source code tools available under Fedora Core 2. Alternatively, it’s possible to install Fedora Core 2 binary packages that satisfy the dependencies. I have installed SELinux on RHEL3 using both approaches. Nevertheless, I do not include instructions here for doing so, for two reasons:
At the time of writing, the packages are being regularly updated due to ongoing work for Fedora Core 2. Therefore, it’s not possible to provide step-by-step instructions that can be expected to be accurate at the time of this book’s publication.
Notwithstanding that the SELinux packages for RHEL3 were made by a Red Hat engineer, Red Hat does not support SELinux under RHEL3. Therefore, installation by a user of SELinux under RHEL3 would likely void the user’s support agreement with Red Hat.
Those who want to use SELinux with RHEL are likely better served by installing a beta or production release of RHEL4, which should be available by the time of publication of this book.
The latest SUSE Professional Linux release available at the time of writing, SUSE Professional Linux 9.1, includes an SELinux-capable Linux kernel and SELinux-patched utilities. However, the distribution reportedly does not include the SELinux tools and includes a very old version of the SELinux sample policy. Consistent with that report, searching the SUSE web site for the word SELinux did not return any information about SELinux and SUSE 9.1. And a web search failed to turn up information about using SELinux with SUSE 9.1. However, a Novell representative has announced that a forthcoming SUSE Linux release will include a fully supported implementation of SELinux.
SELinux RPM packages for SUSE 8.2 have been independently released by Paul Dwerryhouse, a system and network engineer employed at the time of this writing by Versatel b.v., in Amsterdam, Netherlands. His work is available at http://leapster.org/linux/selinux/suse.
To install SELinux under SUSE 8.2 using Paul’s packages, you must download and install:
His modified kernel (or download his kernel patches and apply them against Linux 2.4).
His modified initrd.
His userspace RPM packages, of which there are currently 27. These are available individually, or combined within a single 78 MB tarball.
Paul provides special instructions for installing his kernel. He also cautions not to use his kernel on production hosts, since—as Paul himself explains it—he “cheated in a couple of places when porting the SELinux patch to [the Linux 2.4] kernel,” by removing the variable HZ feature and taking other shortcuts.
SELinux for SUSE 8.2 is not officially supported by SUSE. Users who install SELinux under SUSE 8.2 may void any support agreement with SUSE.
Those interested in using SELinux with SUSE may find helpful information on the SELinux Wiki and file repository maintained by Tom Vogt and others. The Wiki is available at http://www.securityenhancedlinux.de, and the file repository is available at http://selinux.lemuria.org. Much of the information in the Wiki is in German, the native language of many SUSE users and developers.