Installing SELinux from Binary or Source Packages

Unless you choose a Linux distribution that includes built-in support for SELinux, you’ll have to install and configure SELinux yourself. It’s generally easier to do so using binary or source packages than using the source code tarballs released by the NSA. This section explains how to install and initially configure SELinux on:

  • Debian GNU/Linux

  • Gentoo Linux

  • SUSE Linux 8.2

In addition, the section gives advice on installing and configuring SELinux to work with Red Hat Enterprise Linux 3. As explained earlier, the forthcoming Red Hat Enterprise Linux 4 is planned to integrally support SELinux.

Debian GNU/Linux

At the time of writing, two releases of Debian GNU/Linux are currently in use, and a third is under development. The two commonly used releases are:

  • Debian GNU/Linux 3.0 stable, known as Woody

  • Debian GNU/Linux 3.0 unstable, known as Sid

As the release names indicate, Woody is considered the more reliable release; its component packages have been subject to more extensive, and more thorough, testing and use than those of Sid. However, the C compiler and libraries and other components of Woody are too old to work well with SELinux. Consequently, this section presents an SELinux installation procedure appropriate for Sid.

If you’re interested in using SELinux with Woody, you can use special packages created by Brian May, available at http://www.microcomaustralia.com.au/debian. You can find brief instructions for using them at http://www.coker.com.au/selinux. Because these packages are subject to change, I don’t present step-by-step instructions for installing and configuring SELinux under Woody. If you plan to install SELinux under Woody, you can request assistance by posting to the SELinux mailing list, to which you can subscribe using the web page identified in Chapter 1.

To install SELinux under Sid, perform the following steps. Since I presume you know how to install Debian Sid, the steps include only general explanations of the associated operations. If you’re unfamiliar with the installation procedure for Debian, please see the installation manual available at http://www.debian.org/releases/stable/i386/install.

  1. Obtain bootable media for Debian Sid and boot the system using them. I recommend the media available at http://people.debian.org/~dwhedon/boot-floppies, especially bf2.4-3.0.23-netinst.iso because of its relatively small size (10 MB). If you like, you can choose from other media available at http://www.debian.org/CD/netinst.

  2. Burn the ISO image to a CD-RW or CD-R and boot the system using it. Choose the language to be used during installation and your keyboard type.

  3. Partition the target system’s primary hard disk and create Linux filesystems as usual. The simplest installation consists of three partitions: a boot partition (/boot), a root partition (/), and a swap partition. The swap partition should have partition type 82, whereas the other two partitions should have type 83.

    The installer encourages you to choose the ext2 filesystem type for the boot and root partitions. I suggest that you ignore the default and choose ext3 as the filesystem type for the root filesystem, because the journaling provided by ext3 will improve the reliability of your filesystem. You can choose either ext2 or ext3 as the filesystem type of the boot partition. I myself prefer to choose ext3 for consistency.

  4. Install a kernel and any drivers necessary for devices you plan to use during, and immediately after, installation. In general, you should ensure that a driver is available for your system’s network interface. The installation program may automatically recognize your system’s devices, in which case you don’t need to explicitly load any drivers.

  5. Set up networking by specifying a hostname, domain name, and network configuration. If a DHCP or BOOTP server is available, you can request automatic network configuration, which identifies the system IP address, network mask, gateway IP address, and DNS server IP address for you; otherwise, you must specify these yourself.

  6. Install the bootloader. Generally, you should install LILO, the default Debian bootloader, to the MBR (master boot record) of the primary hard drive. If your system is configured to boot multiple operating systems, special considerations are necessary. Consult the Debian installation manual for details.

  7. Reboot the system. When the system configuration screen appears, specify configuration options, including the time zone, MD5 passwords (which should generally be enabled), a shadow password file, a root password, and a non-root user.

  8. When prompted to run apt, decline to do so by pressing Cancel. Likewise, decline to run tasksel. When dselect runs, allow it to continue and also allow it to delete any previously downloaded .deb files that are no longer needed.

    Tip

    If you allow apt to run, it may install updated packages that conflict with SELinux packages to be installed later in this procedure. Declining to run apt avoids this problem.

  9. Respond to the installation program prompts that lead you through the configuration of installed packages such as mail.

  10. When configuration is complete, log in as the root user. Use a text editor to create the file /etc/apt/apt_preferences, specifying the following contents:

    Package: *
    Pin: release o=etbe
    Pin-Priority: 1100

    This configuration file will prevent critical SELinux packages from being overwritten by updated non-SELinux packages.

  11. Use a text editor to modify the file /etc/apt/sources.list, deleting any existing entries and specifying the following contents:

    deb http://www.coker.com.au/newselinux/ ./
    deb ftp://ftp.us.debian.org/debian/ sid main

    The web site http://www.coker.com.au is a repository of Debian SELinux packages, maintained by Russell Coker.

  12. Issue the command:

    # apt-get update

    to update the list of available packages.

  13. Use apt-get to install the libselinux1 package. Then install the following packages:

    checkpolicy
    coreutils
    cron
    dpkg
    fileutils
    initscripts
    libpam0g
    libpam0g-dev
    libpam-cracklib
    libpam-doc
    libpam-modules
    libpam-runtime
    libselinux1
    logrotate
    policycoreutils
    procps
    selinux-doc
    selinux-policy-default
    selinux-utils
    shellutils
    strace
    sysvinit
    sysv-rc
    textutils

    These packages contain versions of standard utilities that have been modified to work with SELinux, SELinux-specific utilities, the SELinux policy, and SELinux documentation.

    You may be prompted to update Glibc, which you should approve. You will then be prompted to accept a series of files contained in the selinux-policy-default package; you may accept all such files.

  14. Launch dselect, and use it to install any available updates to Sid. If dselect does not propose installation of a Linux 2.6 kernel, manually select an appropriate kernel-image package for installation. In any case, manually select a kernel-source package corresponding to the kernel that dselect automatically selected or that you manually selected. Finally, be sure that the ncurses-dev package is selected for installation. Allow dselect to install the selected packages.

  15. Now, you’re ready to build an SELinux kernel. Move to the directory /usr/src, unpack the kernel sources, and set up a symbolic link named linux, pointing to the directory containing the unpacked sources. If you’re unfamiliar with the procedure for manually configuring, compiling, and installing a Linux kernel, consult the Debian installation guide.

  16. Enter the directory containing the kernel sources. Using a text editor, open the Makefile and change the EXTRAVERSION variable to a distinct value. This value is used to name and identify the directory containing loadable kernel modules that work with your kernel.

  17. Choose an installed /boot/config* file and copy it to the current directory, naming it .config. Doing so will conveniently set default values for many configuration options.

  18. Issue the command:

    # make menuconfig

    Choose kernel configuration options appropriate to your system, overriding default values as necessary. I personally like to omit support for devices and filesystems that I don’t use and specify that support for needed devices and filesystems should be compiled integrally in the kernel, rather than as modules. But, other preferences are acceptable.

    Also specify the following SELinux-related options. Under Code Maturity, specify:

    Prompt for development and/or incomplete code/drivers

    Under Device Drivers Character Devices, specify:

    Unix98 PTY
    No Legacy (BSD) PTY support

    Under File systems, specify:

    Second extended fs support
    Ext2 extended attributes
    Ext2 security labels
    Ext3 journalling file system support
    Ext3 extended attributes
    Ext3 security labels

    Do not specify POSIX access control lists for either ext2 or ext3.

    Under Pseudo filesystems, specify:

    /dev/pts Extended Attributes
    /dev/pts Security labels

    Do not specify:

    /dev file system support

    Finally, under Security options, specify:

    Enable different security models
    Socket and networking security hooks
    Default Linux capabilities
    NSA SELinux
    NSA SELinux boot parameter
    NSA SELinux Development support

  19. Compile and install the kernel, by issuing the commands:

    # make clean
    # make install modules modules_install

    If you compiled all features integrally within the kernel, omitting support for modules, use the following command instead:

    # make clean && make install

  20. Modify the /etc/lilo.conf bootloader configuration to boot the new kernel in SELinux mode, by adding the following LILO option to the stanza pertaining to the new kernel:

    append="selinux=1 enforcing=0"

    Issue the /sbin/lilo command to update the boot record.

  21. Create the special directory used by the SELinux kernel during system startup:

    # mkdir /selinux

  22. Add the following line at the end of the /etc/fstab configuration file:

    none /selinux selinuxfs defaults 0 0

  23. Modify the PAM configuration by adding the following line at the end of the files /etc/pam.d/login and /etc/pam.d/ssh:

    session required pam_selinux.so

  24. Compile the SELinux policy and label the filesystem:

    # cd /etc/selinux
    # make policy
    # make relabel

    Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file’s security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.

    Tip

    Unfortunately, it’s not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te. To work around such errors, create the directory /etc/selinux/domain/programs/error, move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list, identified near the end of Chapter 1.

  25. Reboot your system. When the system starts up, relabel the filesystem a second time so that any files created during the reboot are properly labeled:

    # cd /etc/selinux
    # make relabel

  26. Your Debian SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.

    Tip

    The Debian developers do not officially support SELinux. However, they tend to be both technologically keen and helpful in responding to questions that interest them. Understandably, the developers are sometimes nonresponsive to questions posed by users who seem to them to be lazy or unskilled. In a few cases, they may even seem to respond contemptuously or with hostility. To make good use of their time and avoid taxing their patience, be sure to put forth a good-faith effort to troubleshoot and resolve problems before posting questions to the Debian mailing lists, such as debian-security.
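The Debian steps above add four boot-time pieces (the /selinux directory, the selinuxfs line in /etc/fstab, the pam_selinux.so session lines, and the LILO append option); if any one is missing, the system boots without SELinux or without labeled logins. The following script, an added example that is not from the book or from Debian, checks all four; it takes an optional root directory so it can be run against a staging tree, and the sample tree, file names and the kernel image name it builds are constructed for the demonstration.

```shell
#!/bin/sh
# selinux_boot_check: verify the boot-time pieces the Debian procedure adds.
# Constructed example, not part of the book or of Debian.
# Usage: selinux_boot_check [ROOT]   (ROOT defaults to the live system, "/")
# Returns 0 when everything is present, 1 otherwise, printing one line per problem.
selinux_boot_check() {
    root=${1:-}          # empty string means the live system
    rc=0

    # 1. The mount point for the kernel's selinuxfs must exist (step 21).
    if [ ! -d "$root/selinux" ]; then
        echo "missing directory: /selinux"; rc=1
    fi

    # 2. /etc/fstab must carry an active (uncommented) line whose mount point is
    #    /selinux and whose type is selinuxfs (step 22); fields are parsed, not
    #    merely grepped, so a commented-out line does not pass.
    if ! awk '$1 !~ /^#/ && $2 == "/selinux" && $3 == "selinuxfs" { found = 1 }
              END { exit !found }' "$root/etc/fstab" 2>/dev/null; then
        echo "no selinuxfs entry for /selinux in /etc/fstab"; rc=1
    fi

    # 3. login and ssh must run pam_selinux.so as a session module (step 23),
    #    otherwise users' shells do not start in the proper security context.
    for svc in login ssh; do
        if ! grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_selinux\.so' \
                "$root/etc/pam.d/$svc" 2>/dev/null; then
            echo "pam_selinux.so session line missing from /etc/pam.d/$svc"; rc=1
        fi
    done

    # 4. A LILO stanza must pass selinux=1 to the kernel (step 20); enforcing=0
    #    is reported as a note, since the text expects permissive mode at first.
    if ! grep -Eq '^[[:space:]]*append=".*selinux=1' "$root/etc/lilo.conf" 2>/dev/null; then
        echo "no append line with selinux=1 in /etc/lilo.conf"; rc=1
    elif grep -q 'enforcing=0' "$root/etc/lilo.conf"; then
        echo "note: enforcing=0 -> kernel boots in permissive mode"
    fi
    return $rc
}

# Build a constructed staging tree holding exactly the lines the steps add.
# The kernel image name is a placeholder, not a real Debian package path.
make_sample_tree() {
    d=$1
    mkdir -p "$d/selinux" "$d/etc/pam.d"
    printf '%s\n' '/dev/hda3 / ext3 defaults 0 1' \
                  'none /selinux selinuxfs defaults 0 0' > "$d/etc/fstab"
    for svc in login ssh; do
        printf '%s\n' 'auth required pam_unix.so' \
                      'session required pam_selinux.so' > "$d/etc/pam.d/$svc"
    done
    printf '%s\n' 'image=/boot/vmlinuz-PLACEHOLDER' \
                  '    label=selinux' \
                  '    append="selinux=1 enforcing=0"' > "$d/etc/lilo.conf"
}

# Demonstration on the constructed tree; on a real system run: selinux_boot_check
tmp=$(mktemp -d)
make_sample_tree "$tmp"
selinux_boot_check "$tmp" && echo "sample tree: all boot-time pieces present"
rm -f "$tmp/etc/pam.d/ssh"          # simulate a forgotten step
selinux_boot_check "$tmp" || echo "sample tree: problems found (see above)"
rm -rf "$tmp"
```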

Gentoo Linux

Unlike Debian GNU/Linux, Gentoo Linux specifically supports SELinux. However, SELinux has not been integrated into the standard Gentoo release. This section explains how to install SELinux under Gentoo to a fresh or bare-metal system. The following section explains how to install SELinux to a preexisting Gentoo Linux system.

Tip

At the time of writing, Gentoo supports SELinux only on servers, not workstations, due primarily to interoperability problems between SELinux and X. However, the Gentoo developers suggest that SELinux workstation support may be available in a future Gentoo release.

Installing SELinux to a fresh Gentoo system

The “Gentoo x86 SELinux Installation Guide,” available at http://www.gentoo.org/, gives the official Gentoo instructions for installing Gentoo SELinux. The online instructions are likely to be more up to date than the following procedure; however, you may find the following procedure helpful in explaining how the Gentoo procedure works. Ideally, when installing SELinux under Gentoo, you should consult both the online instructions and this book.

To install SELinux under Gentoo, perform the following steps:

  1. Obtain a current Gentoo LiveCD image, available from a Gentoo mirror site listed at http://www.gentoo.org/main/en/mirrors.xml. Burn the image to CD-R or CD-RW and boot your system from it. Choose a kernel from those listed as available. For installation, you don’t need to choose an SELinux kernel; a standard Gentoo kernel such as gentoo or nousb is satisfactory.

  2. After booting, the system automatically logs you in as the root user. The system probably loaded appropriate kernel drivers for your system’s devices automatically. But, if not, you can manually load a driver by issuing the modprobe command. Use the lsmod command to verify that the driver appropriate for your network interface was loaded. If it was not loaded, manually load a driver from /lib/modules*/kernel/drivers/net. If a required SCSI driver was not loaded, manually load one in the same manner.

  3. Issue the /sbin/ifconfig command to verify that networking has been configured. If networking has been configured, verify that it’s working by pinging your DNS server or accessing a web site. The lynx, ping, scp, ssh, wget, and other network commands are available and should work. If networking is not properly operational, consult the Gentoo installation guide for troubleshooting and problem resolution hints.

  4. Use the date command to set your system’s date and time; its argument has the form MMDDhhmmYYYY. For instance, you can set the date and time to 2:27 a.m. on July 1, 2004, by issuing the command:

    # date 070102272004
  5. Use fdisk to establish appropriate partitions on your system’s primary hard drive.

  6. Use mkswap to prepare a swap partition for use and use mke2fs to prepare ext3 (preferred) or ext2 filesystems on the non-swap partitions. Activate the swap partition and mount the filesystems. For instance:

    mkswap /dev/hda2  # prepare swap partition
    mke2fs -j /dev/hda1  # make /boot filesystem
    mke2fs -j /dev/hda3  # make / filesystem
    swapon /dev/hda2  # activate swap partition
    mount /dev/hda3 /mnt/gentoo  # mount / partition
    mkdir /mnt/gentoo/boot  # create mount point
    mount /dev/hda1 /mnt/gentoo/boot  # mount /boot
  7. Download the installation tarball, stage1-x86-1.4_rc4.tar.bz2, using the lynx or wget command, from a Gentoo mirror such as http://gentoo.oregonstate.edu/experimental/x86/stages, and place the tarball in the /mnt/gentoo directory. Extract the tarball contents, enter the chrooted filesystem just created, and update your shell context:

    # cd /mnt/gentoo
    # tar jxvpf stage1-*.tar.bz2
    # mount -t proc proc /mnt/gentoo/proc
    # mount -t selinuxfs none /mnt/gentoo/selinux
    # cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
    # chroot /mnt/gentoo /bin/bash
    # env-update
    # source /etc/profile
  8. Update the portage tree:

    # emerge sync
  9. Use a text editor, such as Nano, to customize the build settings, if desired. The settings reside in the file /etc/make.conf, which is heavily commented and therefore largely self-explanatory. Generally, the default values are acceptable. But, you should check the values of CHOST, CFLAGS, and CXXFLAGS to ensure they’re consistent with the processor type of your system.

    Tip

    Detailed information on the configuration options provided by the make.conf file is available at http://www.gentoo.org and http://www.gentoo.org/dyn/use-index.xml.

  10. Initiate the bootstrap process, which builds the GNU C library, the C compiler, and other fundamental programs:

    # export PORTAGE_TMPDIR=/var/tmp
    # cd /usr/portage
    # scripts/bootstrap.sh

    The bootstrap process is relatively time-consuming, as you might suspect. You can specify a directory other than /var/tmp, if you prefer. The directory should provide several hundred megabytes of free space.

  11. Build the non-bootstrapped programs:

    # emerge system

    This process generally takes even longer than the bootstrap process.

  12. Set the time zone:

    # ln -sf /usr/share/zoneinfo/path /etc/localtime

    where path denotes the subpath corresponding to your time zone. For instance, /usr/share/zoneinfo/America/Los_Angeles denotes the U.S. Pacific time zone.

  13. Install a kernel by issuing any one of the following commands:

    # emerge sys-kernel/selinux-sources
    # emerge sys-kernel/hardened-sources
    # emerge sys-kernel/gentoo-dev-sources
    # emerge sys-kernel/development-sources
    # emerge sys-kernel/mm-sources

    Warning

    Issue only one of the preceding commands; don’t issue all of them.

  14. Now, you’re ready to build an SELinux kernel. To begin doing so, issue the following commands:

    # cd /usr/src/linux
    # zcat /proc/config.gz > .config
    # make menuconfig

    Specify the following SELinux-related options. Under Code Maturity, specify:

    Prompt for development and/or incomplete code/drivers

    Under Device Drivers Character Devices, specify:

    Unix98 PTY
    No Legacy (BSD) PTY support

    Under File systems, specify:

    Second extended fs support
    Ext2 extended attributes
    Ext2 security labels
    Ext3 journalling file system support
    Ext3 extended attributes
    Ext3 security labels

    Do not specify POSIX access control lists for either ext2 or ext3.

    Under Pseudo filesystems, specify:

    /dev/pts Extended Attributes
    /dev/pts Security labels

    Do not specify:

    /dev file system support

    Finally, under Security options, specify:

    Enable different security models
    Default Linux capabilities
    NSA SELinux
    NSA SELinux boot parameter
    NSA SELinux Development support

    Do not specify:

    Socket and networking security hooks
    NSA SELinux MLS policy
  15. If needed, configure kernel support for PPPoE and IDE CD burning. Be sure the kernel includes support for your system’s Ethernet card. See the Installation Guide for details.

  16. Compile and install the kernel:

    # make dep
    # make clean bzImage modules modules_install
    # cp /usr/src/linux/arch/i386/boot/bzImage /boot
  17. Install any kernel-related software needed by your system. For instance, you might issue one or more of the following commands:

    # emerge e100  # Intel e100 NIC
    # emerge e1000  # Intel e1000 NIC
    # emerge emu10k1  # Creative SBLive!
  18. Install a system logging service. Under Gentoo, you can choose any one of four logging services. I prefer the Unix de facto standard, Syslog. To install Syslog, issue the following commands:

    # emerge -k app-admin/sysklogd
    # rc-update add sysklogd default

    Tip

    If you prefer to configure a logging service other than Syslog, see the Installation Guide.

  19. Install the cron service:

    # emerge -k sys-apps/vixie-cron
    # rc-update add vixie-cron default
  20. First, use nano (or another editor of your choice) to create an /etc/fstab file that mounts your Linux ext2 and ext3, swap, proc, tmpfs, and cdrom filesystems. A typical file looks like this:

    /dev/hda1 /boot    ext3  ro,noatime             1 1
    /dev/hda2 /        ext3  noatime                0 0
    /dev/hda4 /space   ext3  noatime                0 0
    /dev/hda3 none     swap  sw                     0 0
    none      /proc    proc  defaults               0 0
    none      /dev/shm tmpfs defaults               0 0
    /dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0

    Then, add the following two SELinux-related lines to the file:

    none      /selinux selinuxfs  defaults          0 0
    none      /dev/pts devpts     defaults          0 0

    The first line causes the system to automatically mount the SELinux pseudofilesystem during system startup. The second line causes the system to automatically mount the devpts pseudofilesystem. This is needed because the current release of Gentoo SELinux uses devpts rather than the Gentoo-default devfs pseudofilesystem.

  21. Set the password for the root user, by issuing the passwd command. You should also create one or more non-root users, by issuing the adduser command. You should also set a password for each non-root user you create.

    # passwd
    New UNIX password: (password not echoed)
    Retype new UNIX password: (password not echoed)
    # adduser staff
    # passwd staff
    New UNIX password: (password not echoed)
    Retype new UNIX password: (password not echoed)
  22. Specify the host and domain names. To set the host name, issue the command:

    # echo hname > /etc/hostname

    where hname is the host name. To set the domain name, issue the command:

    # echo dname > /etc/dnsdomainname

    where dname is the domain name. If your system is to be part of an NIS domain, also set the name of the NIS domain:

    # echo nisname > /etc/nisdomainname

    where nisname is the NIS domain name.

    Also, modify the /etc/hosts file to include a line such as the following:

    xxx.xxx.xxx.xxx hname.dname hname

    where xxx.xxx.xxx.xxx is the primary IP address of your system, hname is its host name, and dname is its domain name.

    Tip

    If your system receives its network configuration dynamically, via DHCP or BOOTP, you may omit this step.

  23. Specify the kernel modules that should be loaded at system startup. To do so, add their names (and any desired options) to /etc/modules.autoload.

    Tip

    If the driver for your system’s network adapter was compiled as a module, it’s especially important that the corresponding module is specified in /etc/modules.autoload. You can determine the name of the module by inspecting the names of the driver files located in /lib/modules/`uname -r`/kernel/drivers/net.

  24. Configure your system’s IP address, network mask, and other TCP/IP parameters in /etc/conf.d/net. Then set networking to start at the default run level:

    # rc-update add net.eth0 default

    Tip

    If your system has multiple network adapters or a PCMCIA network adapter, consult the Installation Guide for the proper configuration procedure.

  25. Set system preferences in /etc/rc.conf. Comments in the file explain the functions of the configuration options. In particular, be sure the CLOCK setting has the correct value (UTC or local).

  26. Compile, install, and configure the GRUB bootloader.

    Tip

    If your system uses hardware RAID, your system is configured for multiple boot, your kernel is configured to use framebuffer video, or if you prefer to configure the LILO bootloader rather than GRUB, see the Installation Guide for further instructions.

    To compile GRUB, issue the command:

    # emerge grub

    To install GRUB, enter its command-line environment and issue the GRUB root and setup commands:

    # grub
    grub> root (hd0,0)
    grub> setup (hd0)
    grub> quit

    Tip

    The GRUB root command shown is appropriate only if your /boot partition is the first partition on the primary hard drive, the most common case. If the /boot partition is the second partition, use the command:

    grub> root (hd0,1)

    To configure GRUB, use an editor to create the /boot/boot/grub.conf file. A typical file might resemble the following:

    default 0
    timeout 30
    splashimage=(hd0,0)/boot/grub/splash.xpm.gz
    title=Gentoo SELinux
    root (hd0,0) 
    kernel (hd0,0)/boot/bzImage root=/dev/hda3 gentoo=nodevfs

    Tip

    This configuration file assumes that the boot partition is /dev/hda1 and the Linux root partition is /dev/hda3. It won’t work if your hard drive is differently configured. In that case, you must adjust the configuration parameters. If you’re unfamiliar with the contents of GRUB’s configuration file, or uncertain what values to specify, see the Installation Guide.

    If your system fails to boot, it’s handy to have available a GRUB boot disk. To create one, put a blank floppy in the drive and issue the following commands:

    # cd /usr/share/grub/i386-pc/
    # cat stage1 stage2 > /dev/fd0
  27. Update any out-of-date configuration files, by issuing the command:

    # etc-update
  28. Compile the SELinux policy and label the filesystem, by issuing the following commands:

    # cd /etc/security/selinux/src/policy/
    # make install
    # make chroot_relabel

    Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file’s security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.

    Tip

    Unfortunately, it’s not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te. To work around such errors, create the directory /etc/selinux/domain/programs/error, move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list mentioned near the end of Chapter 1.

  29. Exit the chrooted shell, and reboot the system:

    # exit 
    # cd /
    # umount /mnt/gentoo/boot
    # umount /mnt/gentoo/proc
    # umount /mnt/gentoo/selinux
    # umount /mnt/gentoo
    # reboot
  30. When the system has booted, relabel the filesystem for the second time, so that files created during rebooting will be properly labeled:

    # cd /etc/security/selinux/src/policy
    # make relabel

    Your Gentoo SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.

Installing SELinux to an existing Gentoo Linux system

The preceding section explains how to install a Gentoo SELinux system onto a bare-metal system. It’s also possible to install SELinux to a working Gentoo Linux system. This section explains how to do so. The “Gentoo Linux SELinux Quick Start Guide,” available at http://www.gentoo.org/, gives the official Gentoo instructions for installing Gentoo SELinux to an existing Gentoo Linux system. The online instructions are likely to be more up to date than the following procedure; however, you may find the following procedure helpful in explaining how the Gentoo procedure works. Ideally, when installing SELinux under Gentoo, you should consult both the online instructions and this book.

  1. First, check whether your system is compatible with Gentoo SELinux. Your system should be a server, not a workstation. And, it should use the Linux ext2 or ext3 filesystem rather than a more exotic filesystem such as ReiserFS.

    Tip

    Gentoo SELinux also supports the XFS filesystem. However, this book does not explain how to configure SELinux to work with that filesystem. See the Quick Start Guide for instructions on doing so.

  2. Issue the following instructions to switch to the SELinux profile:

    # rm -f /etc/make.profile
    # ln -sf /usr/portage/profiles/selinux-x86-1.4 /etc/make.profile
  3. Check whether any USE flags need to be reenabled in /etc/make.conf:

    # emerge info

    Edit /etc/make.conf as appropriate, based on any messages you see.

    Tip

    You may see the message “!!! SELinux module not found. Please verify that it was installed,” which you may safely ignore. The cause of this message will be fixed by a subsequent step of this procedure.

  4. Check that the C headers are sufficiently up to date:

    # emerge -s linux-headers

    If the version of the headers is older than 2.4.20, merge new headers by issuing the command:

    # emerge ">=sys-kernel/linux-headers-2.4.20"
  5. Next, recompile the C library, by issuing the command:

    # emerge glibc

    This step generally takes a significant amount of time to complete.

  6. Merge an appropriate Linux 2.4 or Linux 2.6 kernel, by issuing any one of the following commands:

    # emerge sys-kernel/selinux-sources
    # emerge sys-kernel/hardened-sources
    # emerge sys-kernel/gentoo-dev-sources
    # emerge sys-kernel/development-sources
    # emerge sys-kernel/mm-sources

    Warning

    Issue only one of the preceding commands; don’t issue all of them.

  7. Now, you’re ready to build an SELinux kernel. To begin doing so, issue the following commands:

    # cd /usr/src/linux
    # make menuconfig

    Specify any options needed to support devices or facilities installed on your system. Also, specify the following SELinux-related options. Under Code Maturity, specify:

    Prompt for development and/or incomplete code/drivers

    Under Device Drivers Character Devices, specify:

    Unix98 PTY
    No Legacy (BSD) PTY support

    Under File systems, specify:

    Second extended fs support
    Ext2 extended attributes
    Ext2 security labels
    Ext3 journalling file system support
    Ext3 extended attributes
    Ext3 security labels

    Do not specify POSIX access control lists for either ext2 or ext3.

    Under Pseudo filesystems, specify:

    /dev/pts Extended Attributes
    /dev/pts Security labels

    Do not specify:

    /dev file system support

    Finally, under Security options, specify:

    Enable different security models
    Default Linux capabilities
    NSA SELinux
    NSA SELinux boot parameter
    NSA SELinux Development support

    Do not specify:

    Socket and networking security hooks
    NSA SELinux MLS policy
  8. Compile and install the kernel:

    # make dep
    # make clean bzImage modules modules_install
    # cp /usr/src/linux/arch/i386/boot/bzImage /boot
  9. Add the following lines to /etc/fstab:

    none /selinux selinuxfs defaults       0 0
    none /dev/pts devpts    gid=5,mode=620 0 0

    The first line causes the system to automatically mount the SELinux pseudofilesystem during system startup. The second line causes the system to automatically mount the devpts pseudofilesystem. This is needed because the current release of Gentoo SELinux uses devpts rather than the Gentoo-default devfs pseudofilesystem.

  10. Edit /boot/grub/grub.conf, adding gentoo=nodevfs to the kernel line; for instance:

    kernel /bzImage root=/dev/hda3 gentoo=nodevfs

    Tip

    If your system boots using LILO rather than GRUB, add append="gentoo=nodevfs" to the proper stanza within /etc/lilo.conf.

  11. Make two directories needed by SELinux:

    # mkdir /selinux
    # mkdir /sys

  12. Reboot the system.

  13. Merge packages required by SELinux:

    # emerge libselinux checkpolicy policycoreutils
    # emerge selinux-base-policy

  14. Load the precompiled SELinux policy:

    # cd /etc/security/selinux/src/policy
    # make load

  15. Merge packages modified to work with SELinux:

    # emerge baselayout coreutils findutils openssh \
        pam pam-login procps psmisc python-selinux shadow \
        util-linux

  16. Merge any of the following packages that are already installed:

    # emerge app-admin/logrotate
    # emerge sys-apps/vixie-cron
    # emerge sys-libs/pwdb

    Tip

    vixie-cron is the only cron package compatible with SELinux. If you have another cron package installed, you should remove it and, optionally, replace it with vixie-cron.

  17. Remove the following packages:

    # emerge -C fileutils sh-utils textutils

  18. Compile and install the SELinux policy, and label the files:

    # cd /etc/security/selinux/src/policy
    # make install
    # make relabel

    Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file’s security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.

    Tip

    Unfortunately, it’s not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te. To work around such errors, create the directory /etc/selinux/domain/programs/error, move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list, identified near the end of Chapter 1.

  19. If using GRUB, reinstall GRUB to the MBR:

    # grub
    grub> root (hd0,0)
    grub> setup (hd0)
    grub> quit

    Tip

    If GRUB is installed to a location other than the MBR, or your system’s /boot filesystem resides on a partition other than the first partition of the primary hard drive, see the Quick Start Guide for instructions.

  20. Reboot the system.

  21. Relabel the files again, to ensure that files created during rebooting are properly labeled:

    # cd /etc/security/selinux/src/policy
    # make relabel

    Your Gentoo SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.
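As an added check for step 7 (this script is not from the book), the following shell script compares a kernel .config against the SELinux-related menuconfig choices listed there, flagging required entries that are off and forbidden entries that are on. The CONFIG_* symbol names are my mapping of those menu entries to their 2.6 Kconfig symbols, and the .config it writes for the demo is constructed.

```shell
#!/bin/sh
# Added example: verify a kernel .config against the step 7 choices.
# The CONFIG_* names below are an assumed mapping of the menuconfig
# entries to their 2.6 Kconfig symbols.

# Entries the book says to select (must be built in, =y).
REQUIRED="CONFIG_EXPERIMENTAL CONFIG_UNIX98_PTYS
CONFIG_EXT2_FS CONFIG_EXT2_FS_XATTR CONFIG_EXT2_FS_SECURITY
CONFIG_EXT3_FS CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY
CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY
CONFIG_SECURITY CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX
CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_SECURITY_SELINUX_DEVELOP"

# Entries the book says not to select (neither =y nor =m).
FORBIDDEN="CONFIG_LEGACY_PTYS CONFIG_EXT2_FS_POSIX_ACL CONFIG_EXT3_FS_POSIX_ACL
CONFIG_DEVFS_FS CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX_MLS"

# check_config FILE: print each deviation; return 0 only when there are none.
check_config() {
    _cfg=$1; _rc=0
    for _opt in $REQUIRED; do
        grep -q "^${_opt}=y\$" "$_cfg" || { echo "not enabled: $_opt"; _rc=1; }
    done
    for _opt in $FORBIDDEN; do
        grep -q "^${_opt}=[ym]\$" "$_cfg" && { echo "must be off: $_opt"; _rc=1; }
    done
    return $_rc
}

# write_sample_config FILE: constructed .config fragment that follows step 7
# exactly (unselected entries appear as "# CONFIG_X is not set", as in a
# real .config).
write_sample_config() {
    { for _opt in $REQUIRED; do echo "${_opt}=y"; done
      for _opt in $FORBIDDEN; do echo "# ${_opt} is not set"; done; } >"$1"
}

# Stand-alone demo: the compliant sample passes, then a copy with ext3 POSIX
# ACLs switched on (which the book says not to select) is rejected.
_tmp=$(mktemp)
write_sample_config "$_tmp"
check_config "$_tmp" && echo "sample config OK"
sed -i 's/^# CONFIG_EXT3_FS_POSIX_ACL is not set/CONFIG_EXT3_FS_POSIX_ACL=y/' "$_tmp"
check_config "$_tmp" || echo "sample config rejected"
rm -f "$_tmp"
```

Run it against the real file with `check_config /usr/src/linux/.config` after `make menuconfig` and before `make bzImage`.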

RPM-Based Distributions

Installing SELinux using RPM packages is fast and convenient. And assuming that the packages are fully compatible with the target system, it’s also effective. SELinux RPM packages are available for two Linux releases: Red Hat Enterprise Linux and SUSE Linux.

Red Hat Enterprise Linux

At one time, Red Hat engineer Dan Walsh, who’s a member of the team responsible for implementation of SELinux under Fedora Core 2, made available SELinux binary and source RPM packages for RHEL3, on his FTP site, ftp://people.redhat.com/. However, the packages available there at the time of writing are not fully compatible with RHEL3; they have dependencies unsatisfied by packages available from the site or the RHEL3 release.

Those who are handy with source RPMs can likely hack the packages available at ftp://people.redhat.com/dwalsh/SELinux/srpms/ to work with RHEL3, by tweaking them a bit and by installing updated versions of Autoconf, Automake, and other source code tools available under Fedora Core 2. Alternatively, it’s possible to install Fedora Core 2 binary packages that satisfy the dependencies. I have installed SELinux on RHEL3 using both approaches. Nevertheless, I do not include instructions here for doing so, for two reasons:

  • At the time of writing, the packages are being regularly updated due to ongoing work for Fedora Core 2. Therefore, it’s not possible to provide step-by-step instructions that can be expected to be accurate at the time of this book’s publication.

  • Notwithstanding that the SELinux packages for RHEL3 were made by a Red Hat engineer, Red Hat does not support SELinux under RHEL3. Therefore, installation by a user of SELinux under RHEL3 would likely void the user’s support agreement with Red Hat.

Those who want to use SELinux with RHEL are likely better served by installing a beta or production release of RHEL4, which should be available by the time of publication of this book.

SUSE Linux

The latest SUSE Professional Linux release available at the time of writing, SUSE Professional Linux 9.1, includes an SELinux-capable Linux kernel and SELinux-patched utilities. However, the distribution reportedly does not include the SELinux tools and includes a very old version of the SELinux sample policy. Consistent with that report, searching the SUSE web site for the word SELinux did not return any information about SELinux and SUSE 9.1. And a web search failed to turn up information about using SELinux with SUSE 9.1. However, a Novell representative has announced that a forthcoming SUSE Linux release will include a fully supported implementation of SELinux.

SELinux RPM packages for SUSE 8.2 have been independently released by Paul Dwerryhouse, a system and network engineer employed at the time of this writing by Versatel b.v., in Amsterdam, Netherlands. His work is available at http://leapster.org/linux/selinux/suse.

To install SELinux under SUSE 8.2 using Paul’s packages, you must download and install:

  • His modified kernel (or download his kernel patches and apply them against Linux 2.4).

  • His modified initrd.

  • His userspace RPM packages, of which there are currently 27. These are available individually, or combined within a single 78 MB tarball.

Paul provides special instructions for installing his kernel. He also cautions not to use his kernel on production hosts, since—as Paul himself explains it—he “cheated in a couple of places when porting the SELinux patch to [the Linux 2.4] kernel,” by removing the variable HZ feature and taking other shortcuts.

Warning

SELinux for SUSE 8.2 is not officially supported by SUSE. Users who install SELinux under SUSE 8.2 may void any support agreement with SUSE.

Tip

Those interested in using SELinux with SUSE may find helpful information on the SELinux Wiki and file repository maintained by Tom Vogt and others. The Wiki is available at http://www.securityenhancedlinux.de, and the file repository is available at http://selinux.lemuria.org. Much of the information in the Wiki is in German, the native language of many SUSE users and developers.
