Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

<< Previous SELinux Overview
Table of Contents
Logging In Next >>

3. Installation

The following section will explain how to go about obtaining the packages for installation, and how to go about installing the packages for the new SE Linux. As I run Debian, I will base installation instructions on that. It is assumed you know how to install packages for your distribution, how to compile a kernel and how to apply kernel patches.

If you are upgrading from the old SE Linux to the new, and are running an SE Linux kernel, go in to permissive mode (with the avc_toggle command) and follow these instructions.

3.1 Installing base packages for Debian

For Debian unstable:

Put the following in your /etc/apt/sources.list file:

 deb https://www.coker.com.au/newselinux/ ./

The packages for unstable are maintained by Russell Coker.

At the time of writing (late November 2003) no new SE Linux packages are available for Debian stable. The .deb files can be obtained from the site above. Be sure to get the latest versions of each one. I'm not including the full package name as they'll keep changing, but they begin with the following package names listed.

Packages needed for an install of the new SE Linux on Debian unstable are as follows. You don't need to boot with an SE Linux kernel before installing them, so you can install them now:

  • libselinux1
    Contains the shared libraries for the new SE Linux.

  • selinux-policy-default
    Contains sample policy files for lots of commonly used programs such as postfix, sendmail, X and so forth.

  • checkpolicy
    Contains the security policy compiler.

  • policycoreutils
    Contains core utilities such as setfiles, load_policy, newrole etc.

  • selinux-utils
    Contains utilities for operations such as querying the policy.

  • selinux-doc
    Contains some documentation.

Additional packages for Debian that you need are listed below.

  • kernel-patch-2.4-lsm
    A kernel for the LSM hooks and SE Linux.

  • coreutils
    The coreutils package contains modified versions of commands such as cp, mv, ls and so forth.

  • procps
    The procps package contains modified versions of commands such as ps and top.

  • sysvinit
    Contains a patch to load the policy upon boot.

  • dpkg
    A modified dpkg is needed so that it will label the files correctly after a package is installed.

  • libpam-modules
    Sometimes a program needs to access the passwd and shadow files for authentication. If such a program were to be compromised, an attacker could get the shadow file, run something like Crack on it and you're in trouble. With the modified libpam-modules, a program does not have to get direct access to the shadow file. Instead,it (the program that wants to authenticate a user) runs a helper program which compares a supplied password with /etc/shadow and gives a return code of 1 or 0 to indicate whether or not there was a match. This means you have to crack the wrapper program and not the calling code in order to see the contents of the shadow file.

  • logrotate
    Contains a modified version of the logrotate package which preserves the SE Linux security contexts on new files.

  • cron
    A modified cron package is needed so that cron can run scripts in the correct domains, and check ownership of files to serve as entrypoint for the cron domain.

3.1.1 Modified Debian package management tools

Debian users should be familiar with the dselect, apt-get and dpkg commands. se_dselect, se_apt-get and se_dpkg are actually wrapper scripts to run the regular versions of dselect, apt-get and dpkg but with some additional extras. The same applies for se_dpkg-reconfigure. Why are modified versions of this needed? Because when packages are installed, the files need to be labelled correctly as well as the scripts having to be started in the right context.

When using these commands, you will be prompted for a password (the password of the identity you are using). Why? Take the se_dselect command for example. As sysadm_r:sysadm_t run se_dselect. Now, as sysadm_r:sysadm_t in another window, run the command ps ax --context|grep dselect and you'll see something like this:

 5292    404 system_u:system_r:dpkg_t                 dselect
Notice the security context that dselect is now running in. You will be changing identity, role and domain so you need to be authenticated first.

3.2 Using SELinux with Fedora Core 3 or later

Fedora Core 3 and later releases have the Linux Security Modules (LSM) frame work and SELinux included as standard. There is no need to download and install any additional packages or kernel patches if you wish to use SELinux with Fedora Core 3 or 4.

During installation of these recent releases of Fedora Core the installer requests SELinux configuration options. If you are workingon a pre-installed system or do not remember you SELinux selections during installation these settings can easily be changed by running the following command.

        system-config-securitylevel

This is graphical tool that allows you to change SELinux settings. If, you prefer to manually change the SELinux settings you can do so as follows:

Following is the manual procedure:

  • Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.

  • To ensure that you can return from a reboot, set the mode to SELINUX=permissive. This way SELinux will be running under the correct policy, but will let you login if there is a problem such as incorrect file context labeling.

  • Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.

  • Reboot the system. A clean restart under the new policy allows all system processes to be started in the proper context, and reveals any problems in the policy change.

  • Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. These may indicate a problem that needs to be solved for the system to run without trouble under the new policy.

  • When you are satisfied that the system runs stable under the new policy, enable enforcing by changing SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.

    3.3 Installing base packages for Fedora Core 2

    RPMs for the new SE Linux may be found at ftp://people.redhat.com/dwalsh/SELinux

    The RPMs at the above location are maintained by Dan Walsh.

    When I installed SE Linux on my Fedora test machine, this is what I did:

    * Edited the yum.conf file to contain the following:

    [main]
    cachedir=/var/cache/yum
    debuglevel=2
    logfile=/var/log/yum.log
    pkgpolicy=newest
    distroverpkg=fedora-release
    tolerant=1
    exactarch=1
    
    [development]
    name=Fedora Core $releasever - Development Tree
    #baseurl=https://download.fedora.redhat.com/pub/fedora/linux/core/development/i386
    baseurl=https://mirror.dulug.duke.edu/pub/fedora/linux/core/development/i386
    
    [SELinux]
    name=SELinux repository
    baseurl=ftp://people.redhat.com/dwalsh/SELinux/Fedora
    
    * Ran the command
    yum install policy checkpolicy policycoreutils policy-sources pam passwd vixie-cron
    * After all of the above was installed, I did
    cd /etc/security/selinux/src/policy
    make load
    make relabel
    
    * Rebooted the machine.

    3.4 Installing SE Linux related packages.

    Under the old SE Linux it was best to install things in a certain order, such as installing the modified login package first. With the new SE Linux, dependencies should take care of things.

    3.4.1 Installing the LSM kernel image

    The Debian kernel-patch-2.4-lsm package takes care of applying both the LSM patch for the new SE Linux. The patch contains LSM kernel hooks, and SE Linux is the code that uses these hooks.

    Now read /usr/share/doc/kernel-patch-2.4-lsm/README.Debian and follow the instructions for setting the CONFIG_ options when compiling your kernel. Then go ahead and compile your new kernel or use Debian's make-kpkg package to create a kernel image .deb that you can then install.

    Below is an extract of /usr/share/doc/kernel-patch-2.4-lsm/README.Debian:

    This patch supplies the Linux Security Modules.  It is needed for NSA Security
    Enhanced Linux (among other things).
    
    To apply automaticaly, set PATCH_THE_KERNEL=YES before first running of
    make-kpkg (from package: kernel-package) and "make-kpkg clean" to remove.
    
    When configuring your kernel do the following:
    (Under Networking Options, enable Network Packet Filtering.
    Under Security Options, enable Capabilities and enable
    both IP Networking and SELinux as built-in options.)
    
      This means having the following in your /usr/src/linux/.config:
      CONFIG_NETFILTER=y
      CONFIG_INET=y
      CONFIG_SECURITY=y
      CONFIG_SECURITY_CAPABILITIES=y
      CONFIG_SECURITY_SELINUX=y
      CONFIG_SECURITY_DTE=n
      CONFIG_SECURITY_OWLSM=n
      CONFIG_LIDS=n
    This release of SE Linux depends on XATTR's. For the Ext3 file system use the following settings: CONFIG_EXT3_FS_XATTR=y CONFIG_EXT3_FS_XATTR_SHARING=y CONFIG_EXT3_FS_SECURITY=y
    The options CONFIG_EXT3_FS_XATTR_USER and CONFIG_EXT3_FS_XATTR_TRUSTED are not required for SE Linux, but do not do any harm either.
    If you compile your kernel with CONFIG_SECURITY_SELINUX_DEVELOP turned on, your machine boots with permissive mode, and must manually be switched to enforcing mode. But if you compile without it, your machine boots in to enforcing mode with no option of going back to permissive mode. See Section 4.4: Permissive and Enforcing mode.

    If you are using ext2 you will need to build your kernel with CONFIG_EXT2_FS_XATTR set to Y. If you have a ext3 filesystem and want to mount it and not create any xattr's, then compiling ext2 with no XATTR support is a good option. An ext filesystem can be mounted as either ext2 or ext3. The idea is that you can mount the ext3 filesystem with no xattr's as ext2 (just edit your /etc/fstab file accordingly).

    3.4.2 Installing the selinux-policy-default package

    This Debian package contains the default security policy files. The equivalent RPM is the policy-sources package.

    When installing this package on a Debian system, you will be prompted to answer a series of questions about which policies you'd like to install. Basically it's up to you to determine what you do and don't need. If you accidentally answer No to something you think you may need, don't worry. At a later time you can copy it from /usr/share/selinux/policy/default/domains/program/ over to /etc/selinux/domains/program and then run the command make -C /etc/selinux load from any directory.

    A brief mention about the sendmail.te policy-- it is best to remove this as it conflicts with other mail server policy files. Unless you want to run sendmail of course, in which case you don't install the policy files for another mail server.

    The prompts will look something like this:

    Removal of unwanted policy files
    Do you want domains/program/amavis.te:Amavis anti-virus
    Yes/No/Display[Y/n/d]?
    
    Selecting Y will install the amavis.te policy file. Selecting n will not install it (but you can copy it later as described above). Selecting d will display the policy file concerned.

    When you have finished answering the prompts, the policy will then be compiled and the policies that you have the .te files for will be installed.

    A crucial part of the installation occurs at this point. Every file will now be labelled with a security context.

    3.4.3 Editing your /etc/fstab file and creating the /selinux mount point

    Before rebooting, you must first edit your /etc/fstab file and create the /selinux mount point. So create the mount point of /selinux and set the permissions to mode 500. Now edit your /etc/fstab to include the following:

    none /selinux        selinuxfs       noauto  0       0
    

    3.4.4 Running make relabel

    If you are running a 2.6.x kernel with XATTR support enabled, after creating the /selinux mount point and editing your /etc/fstab you must now run the command make -C /etc/selinux relabel This command relabels the filesystem with the correct security contexts. Note that you must run the command again after rebooting (discussed further down). If you are running a 2.4.x kernel you can't run this command now, as the 2.4.x non-SE Linux kernel does not allow you to assign the extended attributes.

    3.4.5 Editing /etc/pam.d/login and /etc/pam.d/ssh

    Before rebooting we must edit the /etc/pam.d/login and ssh files (sshd on Fedora) so that a shell will be started in the right context. Add the following:

    session required        pam_selinux.so
    
    to both /etc/pam.d/login and /etc/pam.d/ssh

    3.4.6 Adding users

    Before rebooting you can add a new SE Linux user with the command useradd and edit the users file, and you can also do it after you reboot. In this document we'll do the latter.

    You are now ready to reboot your machine, so go ahead. As soon as you have booted in to a SE Linux kernel, you MUST relabel all file systems.


  •  
     
      Published with kind permission of Faye Coker Design by Interspire