3.5 Installing SELinux from Binary or Source Packages
Unless you choose a Linux distribution that includes built-in support
for SELinux, you'll have to install and configure SELinux yourself.
It's generally easier to do so using binary or source packages than
using the source code tarballs released by the NSA. This section
explains how to install and initially configure SELinux on:
Debian GNU/Linux
Gentoo Linux
SUSE Linux 8.2
In addition, the section gives advice on installing and configuring
SELinux to work with Red Hat Enterprise Linux 3. As explained
earlier, the forthcoming Red Hat Enterprise Linux 4 is planned to
integrally support SELinux.
3.5.1 Debian GNU/Linux
At the time of writing, two releases of Debian GNU/Linux are in common
use, and a third is under development. The two commonly used releases
are:
Debian GNU/Linux 3.0 stable, known as Woody
Debian GNU/Linux unstable, known as Sid
As the release names indicate, Woody is considered the more reliable
release; its component packages have been subject to more extensive,
and more thorough, testing and use than those of Sid. However, the C
compiler and libraries and other components of Woody are too old to
work well with SELinux. Consequently, this section presents an
SELinux installation procedure appropriate for Sid.
If you're interested in using SELinux with Woody, you can use special
packages created by Brian May, available at
http://www.microcomaustralia.com.au/debian.
You can find brief instructions for using them at http://.au/selinux. Because
these packages are subject to change, I don't present step-by-step
instructions for installing and configuring SELinux under Woody. If you
plan to install SELinux under Woody, you
can request assistance by posting to the SELinux mailing list, to
which you can subscribe using the web page identified in Chapter 1.
To install SELinux under Sid, perform the following steps. Since I
presume you know how to install Debian Sid, the steps include only
general explanations of the associated operations. If you're
unfamiliar with the installation procedure for Debian, please see the
installation manual available at
http://www.debian.org/releases/stable/i386/install.
Obtain bootable media for Debian Sid and boot the system using them.
I recommend the media available at http://people.debian.org/~dwhedon/boot-floppies,
especially bf2.4-3.0.23-netinst.iso because of
its relatively small size (10 MB). If you like, you can choose from
other media available at http://www.debian.org/CD/netinst.
Burn the ISO image to a CD-RW or CD-R and boot the system using it.
Choose the language to be used during installation and your keyboard
type.
Partition the target system's primary hard disk and
create Linux filesystems as usual. The simplest installation consists
of three partitions: a boot partition (/boot), a
root partition (/), and a swap partition. The
swap partition should have partition type 82, whereas the other two
partitions should have type 83.
The installer encourages you to choose the ext2 filesystem type for
the boot and root partitions. I suggest that you ignore the default and
choose ext3 as the filesystem type for the root filesystem, because the
journaling provided by ext3 will improve the reliability of your
filesystem. You can choose either ext2 or ext3 as the filesystem type
of the boot partition. I myself prefer to choose ext3 for consistency.
Install a kernel and any drivers necessary for devices you plan to
use during, and immediately after, installation. In general, you
should ensure that a driver is available for your system's network
interface. The installation program may automatically recognize your
system's devices, in which case you don't need to explicitly load any
drivers.
Set up networking by specifying a hostname, domain name, and network
configuration. If a DHCP or BOOTP server is available, you can
request automatic network configuration, which identifies the system
IP address, network mask, gateway IP address, and DNS server IP
address for you; otherwise, you must specify these yourself.
Install the bootloader. Generally, you should install
LILO,
the default Debian bootloader, to the MBR (master boot record) of the
primary hard drive. If your system is configured to boot multiple
operating systems, special considerations are necessary. Consult the
Debian installation manual for details.
Reboot the system. When the system configuration screen appears,
specify configuration options, including the time zone, MD5 passwords
(which should generally be enabled), a shadow password file, a root
password, and a non-root user.
When prompted to run apt, decline to do so by
pressing Cancel. Likewise, decline to run
tasksel. When dselect runs,
allow it to continue and also allow it to delete any previously
downloaded .deb files that are no longer needed.

If you allow apt to run, it may install updated
packages that conflict with SELinux
packages to be installed later in this procedure. Declining to run
apt avoids this problem.
Respond to the installation program prompts that lead you through the
configuration of installed packages such as mail.
When configuration is complete, log in as the root user. Use a text
editor to create the file /etc/apt/preferences (the file documented by
the apt_preferences manual page), specifying the following contents:
Package: *
Pin: release o=etbe
Pin-Priority: 1100
This configuration file will prevent critical SELinux packages from
being overwritten by updated non-SELinux packages.
Use a text editor to modify the file
/etc/apt/sources.list, deleting any existing
entries and specifying the following contents:
deb http://.au/newselinux/ ./
deb ftp://ftp.us.debian.org/debian/ sid main
The first entry is Russell Coker's SELinux package repository, whose
packages the pin created in the preceding step protects.
Issue the command:
#apt-get update
to update the list of available packages.
Use apt-get to install
the libselinux1 package. Then install the following packages:
checkpolicy
coreutils
cron
dpkg
fileutils
initscripts
libpam0g
libpam0g-dev
libpam-cracklib
libpam-doc
libpam-modules
libpam-runtime
libselinux1
logrotate
policycoreutils
procps
selinux-doc
selinux-policy-default
selinux-utils
shellutils
strace
sysvinit
sysv-rc
textutils
These packages contain versions of standard utilities that have been
modified to work with SELinux, SELinux-specific utilities, the
SELinux policy, and SELinux documentation.
You may be prompted to update Glibc, which you should approve. You
will then be prompted to accept a series of files contained in the
selinux-policy-default package; you may accept all such
files.
Launch dselect, and use it to install any
available updates to Sid. If dselect
does not propose installation of a Linux 2.6 kernel, manually select
an appropriate kernel-image
package for installation. In any case, manually select a
kernel-source
package corresponding to the kernel that dselect
automatically selected or that you manually selected. Finally, be
sure that the ncurses-dev package
is selected for installation. Allow dselect to
install the selected packages.
Now, you're ready to build an SELinux kernel. Move to the directory
/usr/src, unpack the kernel sources, and set up a symbolic link named
linux, pointing to the directory containing the unpacked sources. If
you're unfamiliar with the procedure for manually configuring,
compiling, and installing a Linux kernel, consult the Debian
installation guide.
Enter the directory containing the kernel sources. Using a text
editor, open the Makefile and change the EXTRAVERSION variable to a
distinct value. This value is used to name and identify the directory
containing loadable kernel modules that work with your kernel.
Choose an installed /boot/config* file and copy
it to the current directory, naming it .config.
Doing so will conveniently set default values for many configuration
options.
Issue the command:
#make menuconfig
Choose kernel configuration options appropriate to your system,
overriding default values as necessary. I personally like to omit
support for devices and filesystems that I don't use and specify that
support for needed devices and filesystems should be compiled
integrally in the kernel, rather than as modules. But, other
preferences are acceptable.
Also specify the following SELinux-related options. Under Code
Maturity, specify:
Prompt for development and/or incomplete code/drivers
Under Device Drivers
Character Devices, specify:
Unix98 PTY
No Legacy (BSD) PTY support
Under File systems, specify:
Second extended fs support
Ext2 extended attributes
Ext2 security labels
Ext3 journalling file system support
Ext3 extended attributes
Ext3 security labels
Do not specify POSIX access control lists for either ext2 or ext3.
Under Pseudo filesystems, specify:
/dev/pts Extended Attributes
/dev/pts Security labels
Do not specify:
/dev file system support
Finally, under Security options, specify:
Enable different security models
Socket and networking security hooks
Default Linux capabilities
NSA SELinux
NSA SELinux boot parameter
NSA SELinux Development support
Compile and install the
kernel, by issuing the commands:
#make clean
#make install modules modules_install
If you compiled all features integrally within the kernel, omitting
support for modules, use the following command instead:
#make clean && make install
Modify the /etc/lilo.conf bootloader configuration to boot the new
kernel with SELinux enabled, by adding the following LILO option to
the stanza pertaining to the new kernel:
append="selinux=1 enforcing=0"
The enforcing=0 option boots the system in permissive mode, in which
policy violations are logged but not denied; this is the safe choice
until the filesystem has been labeled and the policy is known to work.
Once it is, change the option to enforcing=1 (or write 1 to
/selinux/enforce at run time) to have the policy enforced.
Issue the /sbin/lilo command to update the boot
record.
Create the special directory used by the SELinux kernel during system
startup:
#mkdir /selinux
Add the following line at the end of the
/etc/fstab configuration file:
none /selinux selinuxfs defaults 0 0
Modify the PAM configuration by adding the following line at the end
of the files /etc/pam.d/login and
/etc/pam.d/ssh:
session required pam_selinux.so
Compile the SELinux policy and
label the filesystem:
#cd /etc/selinux
#make policy
#make relabel
Labeling the filesystem associates a security context with each
existing file. As explained in Chapter 5, a
files security context identifies the SELinux user,
role, and type of the file. The SELinux policy specifies the label to
apply to each file.

Unfortunately, it's not unusual for errors to appear
during compilation of the SELinux policy. These are generally
typographical errors or other gross errors in policy files specifying
domains, such as domain/programs/*.te. To work
around such errors, create the directory
/etc/selinux/domain/programs/error, move any
defective files to this directory, and remake the policy file. You
may need to read material in the following several chapters of this
book to successfully complete this process. You can also post a
request for help on the SELinux mailing list, identified near the end
of Chapter 1.
Reboot your system. When the system starts up, relabel the filesystem
a second time so that any files created during the reboot are
properly labeled:
#cd /etc/selinux
#make relabel
Your Debian SELinux system should now be ready for use. The
information in the following chapters will help you better understand
how to use, maintain, and improve it.
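Before trusting the new system, it is worth checking that the edits above actually took effect: that the bootloader passes selinux=1, that /etc/fstab mounts selinuxfs on /selinux, that the PAM files carry the pam_selinux.so session line, and what mode the running kernel is really in. The following shell script is an added example, not part of the book or of the Debian SELinux packages. The file paths it uses (/etc/fstab, /proc/cmdline, /etc/pam.d/login, /etc/pam.d/ssh, /selinux/enforce) are those of the procedure above, and every function takes the file to inspect as an argument, so the checks can be run against copies of the files as well as against the live system. The fstab and kernel checks apply equally to the Gentoo procedures later in this section; the PAM check is specific to the Debian steps.

```shell
#!/bin/sh
# Post-install check for the SELinux edits made in the procedure above:
# the selinux=1/enforcing= boot options, the /selinux selinuxfs entry in
# /etc/fstab, the pam_selinux.so session lines, and the kernel's actual
# state via /selinux/enforce. Added example; not from the book or from
# the Debian or Gentoo SELinux packages. Each function takes the file to
# inspect as an argument, so it runs equally on the live system and on
# constructed copies of the files.

# Does fstab mount selinuxfs on /selinux (ignoring commented lines)?
# $1 = path to an fstab file
fstab_has_selinuxfs() {
    awk '$1 !~ /^#/ && $2 == "/selinux" && $3 == "selinuxfs" { found = 1 }
         END { exit !found }' "$1"
}

# Is selinux=1 present on the kernel command line?
# $1 = file holding the command line (normally /proc/cmdline)
cmdline_selinux_enabled() {
    tr ' ' '\n' < "$1" | grep -qx 'selinux=1'
}

# Print the value given with enforcing=, or "unset" if absent. With
# "NSA SELinux Development support" compiled in, as configured above,
# an absent enforcing= option means the 2.6 kernel boots permissive.
cmdline_enforcing() {
    val=$(tr ' ' '\n' < "$1" | sed -n 's/^enforcing=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Does a PAM service file carry the required pam_selinux.so session line?
# $1 = path to a file under /etc/pam.d
pam_has_selinux_session() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_selinux\.so' "$1"
}

# Run every check against the live system and print one line per result.
# Reading /selinux/enforce needs selinuxfs mounted; the value it holds
# (0 or 1) is the mode the kernel is really in, whatever the boot line says.
check_live_system() {
    if fstab_has_selinuxfs /etc/fstab; then
        echo "fstab: /selinux selinuxfs entry present"
    else
        echo "fstab: MISSING /selinux selinuxfs entry"
    fi
    if cmdline_selinux_enabled /proc/cmdline; then
        echo "boot: selinux=1 present, enforcing=$(cmdline_enforcing /proc/cmdline)"
    else
        echo "boot: MISSING selinux=1 on the kernel command line"
    fi
    for svc in /etc/pam.d/login /etc/pam.d/ssh; do
        if [ -r "$svc" ] && pam_has_selinux_session "$svc"; then
            echo "pam: $svc has the pam_selinux.so session line"
        else
            echo "pam: $svc MISSING the pam_selinux.so session line"
        fi
    done
    if [ -r /selinux/enforce ]; then
        echo "kernel: selinuxfs mounted, current enforce=$(cat /selinux/enforce)"
    else
        echo "kernel: /selinux/enforce not readable (selinuxfs not mounted or kernel lacks SELinux)"
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
case "${1:-}" in --live) check_live_system ;; esac
```

Run it as root with the --live argument after the second relabel. The boot line records what was requested, while /selinux/enforce reports what the kernel is actually doing; a 0 there after changing the LILO line to enforcing=1 usually means /sbin/lilo was not rerun, so the old boot record is still in use.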

The Debian developers do not officially support SELinux. However,
they tend to be both technologically keen and helpful in responding
to questions that interest them. Understandably, the developers are
sometimes nonresponsive to questions posed by users who seem to them
to be lazy or unskilled. In a few cases, they may even seem to
respond contemptuously or with hostility. To make good use of their
time and avoid taxing their patience, be sure to put forth a
good-faith effort to troubleshoot and resolve problems before posting
questions to the Debian mailing lists, such as
debian-security.
3.5.2 Gentoo Linux
Unlike Debian GNU/Linux, Gentoo Linux specifically supports SELinux.
However, SELinux has not been integrated into the standard Gentoo
release. This section explains how to install SELinux under Gentoo to
a fresh or bare-metal system. The following section explains how to
install SELinux to a preexisting Gentoo Linux system.

At the time of writing, Gentoo supports SELinux only on servers, not
workstations, due primarily to interoperability problems between
SELinux and X. However, the Gentoo developers suggest that support for
SELinux workstations may be available in a future Gentoo release.
3.5.2.1 Installing SELinux to a fresh Gentoo system
The "Gentoo x86 SELinux Installation
Guide,"
available at http://www.gentoo.org/, gives the
official Gentoo instructions for installing Gentoo SELinux. The
online instructions are likely to be more up to date than the
following procedure; however, you may find the following procedure
helpful in explaining how the Gentoo procedure works. Ideally, when
installing SELinux under Gentoo, you should consult both the online
instructions and this book.
To install SELinux under Gentoo, perform the following steps:
Obtain a current Gentoo LiveCD image, available from a Gentoo mirror
site listed at
http://www.gentoo.org/main/en/mirrors.xml. Burn
the image to CD-R or CD-RW and boot your system from it. Choose a
kernel from those listed as available. For installation, you don't
need to choose an SELinux kernel; a standard Gentoo kernel such as
gentoo or nousb is satisfactory.
After booting, the system automatically logs you in as the root user.
The system probably loaded appropriate kernel drivers for your
system's devices automatically. But, if not, you can manually load a
driver by issuing the modprobe command.
Use the lsmod command to verify that the driver
appropriate for your network interface was loaded. If it was not
loaded, manually load a driver from
/lib/modules*/kernel/drivers/net. If a required
SCSI driver was not loaded, manually load one in the same manner.
Issue the /sbin/ifconfig command to verify that networking has been
configured. If networking has been configured, verify that it's
working by pinging your DNS server or accessing a web site. The lynx,
ping, scp,
ssh, wget, and other
network commands are available and should work. If networking is not
properly operational, consult the Gentoo installation guide for
troubleshooting and problem resolution hints.
Use the date command to set your system's date and time. Its argument
has the form MMDDhhmmCCYY. For instance, you can set the date and time
to 2:27 a.m. on July 1, 2004, by issuing the command:
#date 070102272004
Use fdisk to establish appropriate partitions on your system's primary
hard drive.
Use mkswap to prepare a swap partition for use and use mke2fs to
prepare ext3 (preferred) or ext2 filesystems on the non-swap
partitions. Activate the swap partition and mount the filesystems. For
instance:
mkswap /dev/hda2 # prepare swap partition
mke2fs -j /dev/hda1 # make /boot filesystem
mke2fs -j /dev/hda3 # make / filesystem
swapon /dev/hda2 # activate swap partition
mount /dev/hda3 /mnt/gentoo # mount / partition
mkdir /mnt/gentoo/boot # create mount point
mount /dev/hda1 /mnt/gentoo/boot # mount /boot
Download the installation tarball,
stage1-x86-1.4_rc4.tar.bz2, using the
lynx or
wget command, from a Gentoo mirror such as
http://gentoo.oregonstate.edu/experimental/x86/stages,
and place the tarball in the /mnt/gentoo
directory. Extract the tarball contents, enter the
chrooted filesystem just created, and update
your shell context:
#tar jxvpf stage1-*.tar.bz2
#mount -t proc proc /mnt/gentoo/proc
#mount -t selinuxfs none /mnt/gentoo/selinux
#cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
#chroot /mnt/gentoo /bin/bash
#env-update
#source /etc/profile
Update the portage tree:
#emerge sync
Use a text editor, such as Nano, to customize the build settings, if
desired. The settings reside in the file
/etc/make.conf, which is heavily commented and
therefore largely self-explanatory. Generally, the default values are
acceptable. But, you should check the values of CHOST, CFLAGS, and
CXXFLAGS to ensure they're consistent with the processor type of your
system.

Detailed information on the configuration options provided by the
make.conf file is available at http://www.gentoo.org
and http://www.gentoo.org/dyn/use-index.xml.
Initiate the bootstrap process, which builds the GNU C library, the C
compiler, and other fundamental programs:
#export PORTAGE_TMPDIR=/var/tmp
#cd /usr/portage
#scripts/bootstrap.sh
The bootstrap process is relatively time-consuming, as you might
suspect. You can specify a directory other than
/var/tmp, if you prefer. The directory should
provide several hundred megabytes of free space.
Build the non-bootstrapped programs:
#emerge system
This process generally takes even longer than the bootstrap process.
Set the time zone:
#ln -sf /usr/share/zoneinfo/path /etc/localtime
where path denotes the subpath corresponding to your time zone. For
instance, /usr/share/zoneinfo/America/Los_Angeles denotes the U.S.
Pacific time zone.
Install a kernel by issuing any one of the following commands:
#emerge sys-kernel/selinux-sources
#emerge sys-kernel/hardened-sources
#emerge sys-kernel/gentoo-dev-sources
#emerge sys-kernel/development-sources
#emerge sys-kernel/mm-sources

Issue only one of the preceding commands; don't issue all of them.
Now, you're ready to build an SELinux kernel. To begin doing so, issue
the following commands:
#cd /usr/src/linux
#zcat /proc/config.gz > .config
#make menuconfig
Specify the following SELinux-related options. Under Code Maturity,
specify:
Prompt for development and/or incomplete code/drivers
Under Device Drivers
Character Devices, specify:
Unix98 PTY
No Legacy (BSD) PTY support
Under File systems, specify:
Second extended fs support
Ext2 extended attributes
Ext2 security labels
Ext3 journalling file system support
Ext3 extended attributes
Ext3 security labels
Do not specify POSIX access control lists for either ext2 or ext3.
Under Pseudo filesystems, specify:
/dev/pts Extended Attributes
/dev/pts Security labels
Do not specify:
/dev file system support
Finally, under Security options, specify:
Enable different security models
Default Linux capabilities
NSA SELinux
NSA SELinux boot parameter
NSA SELinux Development support
Do not specify:
Socket and networking security hooks
NSA SELinux MLS policy
If needed, configure kernel support for PPPoE and IDE CD burning. Be
sure the kernel includes support for your system's Ethernet card. See
the Installation Guide for details.
Compile and install the
kernel:
#make dep
#make clean bzImage modules modules_install
#cp /usr/src/linux/arch/i386/boot/bzImage /boot
Install any kernel-related software needed by your system. For
instance, you might issue one or more of the following commands:
#emerge e100 # Intel e100 NIC
#emerge e1000 # Intel e1000 NIC
#emerge emu10k1 # Creative SBLive!
Install a system logging service. Under Gentoo, you can choose any
one of four logging services. I prefer the Unix de facto standard,
Syslog. To install Syslog, issue the following commands:
#emerge -k app-admin/sysklogd
#rc-update add sysklogd default

If you prefer to configure a logging service other than Syslog, see
the Installation Guide.
Install the cron service:
#emerge -k sys-apps/vixie-cron
#rc-update add vixie-cron default
Next, use nano (or another editor of your choice) to create an
/etc/fstab file that mounts your Linux ext2 and ext3, swap, proc,
tmpfs, and cdrom filesystems. A typical file, for the partition layout
used in the mkswap and mke2fs examples above (/dev/hda1 as /boot,
/dev/hda2 as swap, /dev/hda3 as /, plus an optional data partition
/dev/hda4), looks like this:
/dev/hda1 /boot ext3 ro,noatime 1 2
/dev/hda3 / ext3 noatime 0 1
/dev/hda4 /space ext3 noatime 0 2
/dev/hda2 none swap sw 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
The last two fields are the dump flag and the fsck pass number: the
root filesystem is checked first (pass 1) and the other disk
filesystems afterward (pass 2). Adjust the device names if your disk is
partitioned differently.
Then, add the following two SELinux-related lines to the file:
none /selinux selinuxfs defaults 0 0
none /dev/pts devpts defaults 0 0
The first line causes the system to automatically mount the SELinux
pseudofilesystem during system startup.
The second line causes the system to automatically mount the
devpts pseudofilesystem. This is needed because
the current release of Gentoo SELinux uses
devpts rather than the Gentoo-default
devfs pseudofilesystem.
Set the password for the root user, by issuing the
passwd command. You
should also create one or more non-root users, by issuing the
adduser command. You should also set a password
for each non-root user you create.
#passwd
New UNIX password: (password not echoed)
Retype new UNIX password: (password not echoed)
#adduser staff
#passwd staff
New UNIX password: (password not echoed)
Retype new UNIX password: (password not echoed)
Specify the host and domain names. To set the host name, issue the
command:
#echo hname > /etc/hostname
where hname is the host name. To set the domain name, issue the
command:
#echo dname > /etc/dnsdomainname
where dname is the domain name. If your system is to be part of an NIS
domain, also set the name of the NIS domain:
#echo nisname > /etc/nisdomainname
where nisname is the NIS domain name.
Also, modify the /etc/hosts file to include a line such as the
following:
xxx.xxx.xxx.xxx hname.dname hname
where xxx.xxx.xxx.xxx is the primary IP address of your system, hname
is its host name, and dname is its domain name.

If your system receives its network configuration dynamically, via
DHCP or BOOTP, you may omit this step.
Specify the kernel modules that should be loaded at system startup.
To do so, add their names (and any desired options) to
/etc/modules.autoload.

If the driver for your system's network adapter was compiled as a
module, it's especially important that the corresponding module is
specified in /etc/modules.autoload. You can determine the name of the
module by inspecting the names of the driver files located in
/lib/modules/`uname -r`/kernel/drivers/net.
Configure your system's IP address, network mask,
and other TCP/IP parameters in /etc/conf.d/net.
Then set networking to start at the default run level:
#rc-update add net.eth0 default

If your system has multiple network adapters or a PCMCIA network
adapter, consult the Installation Guide for the proper configuration
procedure.
Set system preferences in /etc/rc.conf. Comments in the file explain
the functions of the configuration options. In particular, be sure the
CLOCK setting has the correct value (UTC or local).
Compile, install, and configure the GRUB bootloader.

If your system uses hardware RAID, your system is configured for
multiple boot, your kernel is configured to use framebuffer video, or
if you prefer to configure the LILO bootloader rather than GRUB, see the
Installation Guide for further instructions.
To compile GRUB, issue the command:
#emerge grub
To install GRUB, enter its command-line environment and issue the
GRUB root and setup
commands:
#grub
grub>root (hd0,0)
grub>setup (hd0)
grub>quit

The GRUB root command shown is appropriate only if your
/boot partition is the first partition on the
primary hard drive, the most common case. If the
/boot partition is the second partition, use the
command:
grub>root (hd0,1)
To configure GRUB, use an editor to create the /boot/grub/grub.conf
file. A typical file might resemble the following:
default 0
timeout 30
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title=Gentoo SELinux
root (hd0,0)
kernel (hd0,0)/boot/bzImage root=/dev/hda3 gentoo=nodevfs

This configuration file assumes that the boot partition is
/dev/hda1 and the Linux root partition is /dev/hda3. It won't work if
your hard drive is differently configured. In that case, you must
adjust the configuration parameters. If you're unfamiliar with the
contents of GRUB's configuration file, or uncertain what values to
specify, see the Installation Guide.
If your system fails to boot, it's handy to have
available a GRUB boot disk. To create one, put a blank floppy in the
drive and issue the following commands:
#cd /usr/share/grub/i386-pc/
#cat stage1 stage2 > /dev/fd0
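The note above warns that the grub.conf example won't work if the disk is partitioned differently, and the same partition numbers also appear in /etc/fstab and in the mkswap and mke2fs commands, so the two files can easily drift apart. The following shell script is an added example, not from the book or the Gentoo guide: it parses grub.conf and fstab and reports whether the root= device on the kernel line and the GRUB root (hd0,N) partition agree with what fstab mounts on / and /boot. It assumes a single IDE disk that GRUB sees as hd0, so that (hd0,N) is /dev/hda(N+1), and it does not check the kernel image path. The same check applies to the grub.conf edit in the procedure for an existing Gentoo system later in this section.

```shell
#!/bin/sh
# Cross-check grub.conf against /etc/fstab before the first reboot, so a
# typo in either file is caught here rather than at the "unable to mount
# root fs" kernel panic. Two things must agree: the root= device on the
# kernel line must be the device fstab mounts on /, and the GRUB
# "root (hd0,N)" partition must hold /boot (or / when there is no
# separate /boot). Added example, not from the book or the Gentoo guide;
# it assumes a single IDE disk, so GRUB's (hd0,N) is /dev/hda(N+1), and
# it does not verify the kernel image path itself.

# Print the root= value from the first kernel line.  $1 = grub.conf
grub_kernel_root() {
    awk '$1 == "kernel" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^root=/) { sub(/^root=/, "", $i); print $i; exit }
         }' "$1"
}

# Print N from the first "root (hd0,N)" line.  $1 = grub.conf
grub_root_partition() {
    awk '/^[[:space:]]*root[[:space:]]*\(hd[0-9]+,[0-9]+\)/ {
             match($0, /,[0-9]+\)/); print substr($0, RSTART + 1, RLENGTH - 2); exit
         }' "$1"
}

# Print the device fstab mounts on a mount point.  $1 = fstab, $2 = mount point
fstab_device_for() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$1"
}

# Map /dev/hdaN to GRUB's zero-based partition index N-1 (hd0 assumed = hda).
dev_to_grub_index() {
    case "$1" in
        /dev/hda[1-9]|/dev/hda[1-9][0-9]) echo $(( ${1#/dev/hda} - 1 )) ;;
        *) echo unknown ;;
    esac
}

# Compare the two files; print findings and return 0 only if consistent.
# $1 = grub.conf, $2 = fstab
check_boot_config() {
    kroot=$(grub_kernel_root "$1")
    froot=$(fstab_device_for "$2" /)
    gidx=$(grub_root_partition "$1")
    bootdev=$(fstab_device_for "$2" /boot)
    [ -n "$bootdev" ] || bootdev=$froot      # no separate /boot partition
    bidx=$(dev_to_grub_index "$bootdev")
    status=0
    if [ -z "$kroot" ] || [ "$kroot" != "$froot" ]; then
        echo "MISMATCH: kernel line has root=$kroot but fstab mounts $froot on /"
        status=1
    fi
    if [ -z "$gidx" ] || [ "$gidx" != "$bidx" ]; then
        echo "MISMATCH: grub.conf says root (hd0,$gidx) but /boot is on $bootdev = (hd0,$bidx)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: root=$kroot matches fstab and (hd0,$gidx) holds /boot"
    return "$status"
}

# Typical use on the new system, from inside the chroot:
#   check_boot_config /boot/grub/grub.conf /etc/fstab
case "${1:-}" in --live) check_boot_config /boot/grub/grub.conf /etc/fstab ;; esac
```

Run it from inside the chroot before exiting, either with --live or by passing the two paths explicitly. A mismatch on the root= device produces a kernel that cannot mount its root filesystem; a wrong (hd0,N) means GRUB cannot find the kernel image at all.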
Update any out-of-date configuration files, by issuing the command:
#etc-update
Compile the SELinux policy and label the filesystem, by issuing the
following commands:
#cd /etc/security/selinux/src/policy/
#make install
#make chroot_relabel
Labeling the filesystem associates a security context with each
existing file. As explained in Chapter 5, a
files security context identifies the SELinux user,
role, and type of the file. The SELinux policy specifies the label to
apply to each file.

Unfortunately, it's not unusual for errors to appear
during compilation of the SELinux policy. These are generally
typographical errors or other gross errors in policy files specifying
domains, such as domain/programs/*.te. To work around such errors,
create the directory
/etc/security/selinux/src/policy/domain/programs/error, move any
defective files to this directory, and remake the policy file. You
may need to read material in the following several chapters of this
book to successfully complete this process. You can also post a
request for help on the SELinux mailing list mentioned near the end
of Chapter 1.
Exit the chrooted shell, and reboot the system:
#exit
#cd /
#umount /mnt/gentoo/boot
#umount /mnt/gentoo/proc
#umount /mnt/gentoo/selinux
#umount /mnt/gentoo
#reboot
When the system has booted, relabel the filesystem for the second
time, so that files created during rebooting will be properly
labeled:
#cd /etc/security/selinux/src/policy
#make relabel
Your Gentoo SELinux system should now be ready for use. The
information in the following chapters will help you better understand
how to use, maintain, and improve it.
3.5.2.2 Installing SELinux to an existing Gentoo Linux system
The
preceding section explains how to
install a Gentoo SELinux system onto a bare-metal system.
It's also possible to install SELinux to a working
Gentoo Linux system. This section explains how to do so. The
"Gentoo Linux SELinux Quick Start
Guide," available at http://www.gentoo.org/,
gives the official Gentoo instructions for installing Gentoo SELinux
to an existing Gentoo Linux system. The online instructions are
likely to be more up to date than the following procedure; however,
you may find the following procedure helpful in explaining how the
Gentoo procedure works. Ideally, when installing SELinux under
Gentoo, you should consult both the online instructions and this
book.
First, check whether your system is compatible with Gentoo SELinux.
Your system should be a server, not a workstation. And, it should use
the Linux ext2 or ext3 filesystem rather than a more exotic filesystem
such as ReiserFS.

Gentoo SELinux also supports the XFS filesystem. However, this book
does not explain how to configure SELinux to work with that
filesystem. See the Quick Start Guide for instructions on doing so.
Issue the following commands to switch to the SELinux profile:
#rm -f /etc/make.profile
#ln -sf /usr/portage/profiles/selinux-x86-1.4 /etc/make.profile
Check whether any USE flags need to be reenabled in /etc/make.conf:
#emerge info
Edit /etc/make.conf as appropriate, based on any
messages you see.

You may see the message "!!! SELinux module not
found. Please verify that it was installed," which
you may safely ignore. The cause of this message will be fixed by a
subsequent step of this procedure.
Check that the C headers are sufficiently up to date:
#emerge -s linux-headers
If the version of the headers is older than 2.4.20, merge new headers
by issuing the command:
#emerge \>=sys-kernel/linux-headers-2.4.20
Next, recompile the C library, by issuing the command:
#emerge glibc
This step generally takes a significant amount of time to complete.
Merge an appropriate Linux 2.4 or Linux 2.6 kernel, by issuing any one
of the following commands:
#emerge sys-kernel/selinux-sources
#emerge sys-kernel/hardened-sources
#emerge sys-kernel/gentoo-dev-sources
#emerge sys-kernel/development-sources
#emerge sys-kernel/mm-sources

Issue only one of the preceding commands; don't issue all of them.
Now, you're ready to build an SELinux kernel. To begin doing so, issue
the following commands:
#cd /usr/src/linux
#make menuconfig
Specify any options needed to support devices or facilities installed
on your system. Also, specify the following SELinux-related options.
Under Code Maturity, specify:
Prompt for development and/or incomplete code/drivers
Under Device Drivers
Character Devices, specify:
Unix98 PTY
No Legacy (BSD) PTY support
Under File systems, specify:
Second extended fs support
Ext2 extended attributes
Ext2 security labels
Ext3 journalling file system support
Ext3 extended attributes
Ext3 security labels
Do not specify POSIX access control lists for either ext2 or ext3.
Under Pseudo filesystems, specify:
/dev/pts Extended Attributes
/dev/pts Security labels
Do not specify:
/dev file system support
Finally, under Security options, specify:
Enable different security models
Default Linux capabilities
NSA SELinux
NSA SELinux boot parameter
NSA SELinux Development support
Do not specify:
Socket and networking security hooks
NSA SELinux MLS policy
Compile and install the
kernel:
#make dep
#make clean bzImage modules modules_install
#cp /usr/src/linux/arch/i386/boot/bzImage /boot
Add the following lines to /etc/fstab:
none /selinux selinuxfs defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
The gid=5,mode=620 options belong to devpts, not selinuxfs: they set
the group and permissions of the terminal devices it creates.
The first line causes the system to automatically mount the SELinux
pseudofilesystem during system startup.
The second line causes the system to automatically mount the
devpts pseudofilesystem. This is needed because
the current release of Gentoo SELinux uses
devpts rather than the Gentoo-default
devfs pseudofilesystem.
Edit /boot/grub/grub.conf, adding
gentoo=nodevfs
to the kernel line; for instance:
kernel /bzImage root=/dev/hda3 gentoo=nodevfs

If your system boots using LILO rather than GRUB, add
append="gentoo=nodevfs" to the proper stanza within
/etc/lilo.conf. The option name is case-sensitive.
Make two directories needed by SELinux:
#mkdir /selinux
#mkdir /sys
Reboot the system.
Merge packages required by SELinux:
#emerge libselinux checkpolicy policycoreutils
#emerge selinux-base-policy
Load the precompiled SELinux policy:
#cd /etc/security/selinux/src/policy
#make load
Merge packages modified to work with SELinux:
#emerge baselayout coreutils findutils openssh pam pam-login procps psmisc python-selinux shadow util-linux
Merge any of the following packages that are already installed:
#emerge app-admin/logrotate
#emerge sys-apps/vixie-cron
#emerge sys-libs/pwdb

vixie-cron is the only cron
package
compatible with SELinux. If you have another
cron package installed, you should remove it
and, optionally, replace it with vixie-cron.
Remove the following packages:
#emerge -C fileutils sh-utils textutils
Compile and install the SELinux policy, and label the files:
#cd /etc/security/selinux/src/policy
#make install
#make relabel
Labeling the filesystem associates a security context with each
existing file. As explained in Chapter 5, a
files security context identifies the SELinux user,
role, and type of the file. The SELinux policy specifies the label to
apply to each file.

Unfortunately, it's not unusual for errors to appear
during compilation of the SELinux policy. These are generally
typographical errors or other gross errors in policy files specifying
domains, such as domain/programs/*.te. To work around such errors,
create the directory
/etc/security/selinux/src/policy/domain/programs/error, move any
defective files to this directory, and remake the policy file. You
may need to read material in the following several chapters of this
book to successfully complete this process. You can also post a
request for help on the SELinux mailing list, identified near the end
of Chapter 1.
If using GRUB, reinstall GRUB to the MBR:
#grub
grub>root (hd0,0)
grub>setup (hd0)
grub>quit

If GRUB is installed to a location other than the MBR, or your
system's /boot filesystem resides on a partition other than the first
partition of the primary hard drive, see the Quick Start Guide for
instructions.
Reboot the system.
Relabel the files again, to ensure that files created during
rebooting are properly labeled:
#cd /etc/security/selinux/src/policy
#make relabel
Your Gentoo SELinux system should now be ready for use. The
information in the following chapters will help you better understand
how to use, maintain, and improve it.
3.5.3 RPM-Based Distributions
Installing SELinux using
RPM packages is fast and
convenient. And assuming that the packages are fully compatible with
the target system, it's also effective. SELinux RPM
packages are available for two Linux releases: Red Hat Enterprise
Linux and SUSE Linux.
3.5.3.1 Red Hat Enterprise Linux
At one time, Red Hat engineer Dan Walsh, who is a member of the team
responsible for implementation of SELinux under Fedora Core 2, made
available SELinux binary and source RPM packages for RHEL3 on his FTP
site, in the directory dwalsh/SELinux/srpms/. These source packages
can be made to work with RHEL3 by tweaking them a bit and by
installing updated versions of Autoconf, Automake, and other source
code tools available under Fedora Core 2. Alternatively, it's possible
to install Fedora Core 2 binary packages that satisfy the
dependencies. I have installed SELinux on RHEL3 using both approaches.
Nevertheless, I do not include instructions here for doing so, for
two reasons:
At the time of writing, the packages are being regularly updated due
to ongoing work for Fedora Core 2. Therefore, it's not possible to
provide step-by-step instructions that can be expected to be accurate
at the time of this book's publication.
Notwithstanding that the SELinux packages for RHEL3 were made by a
Red Hat engineer, Red Hat does not support SELinux under RHEL3.
Therefore, installation by a user of SELinux under RHEL3 would likely
void the user's support agreement with Red Hat.
Those who want to use SELinux with RHEL are likely better served by
installing a beta or production release of RHEL4, which should be
available by the time of publication of this book.
3.5.3.2 SUSE Linux
The latest SUSE
Professional Linux release available at the time of writing, SUSE
Professional Linux 9.1, includes an SELinux-capable Linux kernel and
SELinux-patched utilities. However, the distribution reportedly does
not include the SELinux tools and includes a very old version of the
SELinux sample policy. Consistent with that report, searching the
SUSE web site for the word SELinux did not
return any information about SELinux and SUSE 9.1. And a web search
failed to turn up information about using SELinux with SUSE 9.1.
However, a Novell representative has announced that a forthcoming
SUSE Linux release will include a fully supported implementation of
SELinux.
SELinux RPM packages for SUSE 8.2 have been independently released by
Paul Dwerryhouse, a system and network engineer
employed at the time of this writing by Versatel b.v., in Amsterdam,
Netherlands. His work is available at http://leapster.org/linux/selinux/suse.
To install SELinux under SUSE 8.2 using Paul's packages, you must
download and install:
His modified kernel (or download his kernel patches and apply them
against Linux 2.4).
His modified initrd.
His userspace RPM packages, of which there are currently 27. These
are available individually, or combined within a single 78 MB
tarball.
Paul provides special instructions for installing his kernel. He also
cautions not to use his kernel on production hosts, since, as Paul
himself explains it, he "cheated in a couple of places when porting
the SELinux patch to [the Linux 2.4] kernel," by removing the variable
HZ feature and taking other shortcuts.

SELinux for SUSE 8.2 is not officially supported by SUSE. Users who
install SELinux under SUSE 8.2 may void any support agreement with
SUSE.

Those interested in using SELinux with SUSE may find helpful
information on the SELinux Wiki and file repository maintained by
Tom Vogt and
others. The Wiki is available at http://www.securityenhancedlinux.de,
and the file repository is available at http://selinux.lemuria.org. Much of the
information in the Wiki is in German, the native language of many
SUSE users and developers.