
3. Installation

This section explains how to obtain the packages and how to install them. As I run Debian, the installation instructions are based on it. It is assumed that you know how to install packages for your distribution, how to compile a kernel and how to apply kernel patches.

3.1 Obtaining base packages for your distribution

For Debian unstable:

Put the following in your /etc/apt/sources.list file:

 deb http://www.coker.com.au/selinux/ ./

The packages for unstable are maintained by Russell Coker.

For Debian woody:

Put the following in your /etc/apt/sources.list file:

 deb http://www.microcomaustralia.com.au/debian/ stable selinux main

The packages for stable are maintained by Brian May.

The .deb files can be obtained from the sites above. The selinux and selinux-policy-default packages for Debian unstable have been included in the unstable release, so all you need to do is install them as you would any other package, with dselect or whatever.

Files needed for an install of SE Linux on Debian unstable are as follows:

The .deb's for Debian woody are similarly named.

RPM's can be obtained from the Sourceforge SE Linux project page.

The RPM's are maintained by Mark Westerman.

3.2 Installing SE Linux related packages

The following steps should be done in the order given.

3.2.1 Installing the SE Linux login package

The first step is to install the SE Linux login package (login_4.0.3-7.se1_i386.deb). This package is required in order for a user to have the correct security context applied when they log in, and basically makes it possible for them to log in in the first place. Even if you've installed all of the other SE Linux packages, if you neglect to install the SE Linux login package and you reboot, you'll be unable to log in. This is because you will not have the right type assigned to the terminal device you are attempting to log in from, and as such the shell will not be able to do any reading or writing and will exit. Not good, so don't say I didn't warn you. DON'T FORGET TO INSTALL THE SE LINUX LOGIN PACKAGE! Now you really can't say I didn't warn you.

3.2.2 Installing the selinux package

The second step is to install the selinux package. This package contains the core SE Linux administrative programs.

3.2.3 Installing the modified dpkg package for Debian

A modified dpkg is needed so that it will label the files correctly after a package is installed.

3.2.4 Installing the coreutils and procps packages

The coreutils package contains modified versions of commands such as cp, mv, ls and so forth. The procps package contains modified versions of commands such as ps and kill. You need to install these modified versions as they have been tailored for use with SE Linux.

NOTE: The coreutils package contains a merge of the former shellutils, fileutils and textutils packages. If you can not find a coreutils package for your distribution, install these three packages instead.

3.2.5 Installing the LSM kernel image

The next step is to install the LSM kernel image.

The .deb for this image can be obtained from http://www.microcomaustralia.com.au/debian/ or you can compile your own kernel with the LSM kernel patch (package kernel-patch-2.4-lsm for a 2.4.x kernel). If you need RPM's, check the SE Linux project page at sourceforge.net.

The Debian kernel-patch-2.4-lsm package takes care of applying both the LSM patch and the SE Linux patch needed to get SE Linux installed on your Debian system. After this package is installed, apply the patch by running:

/usr/src/kernel-patches/all/apply/lsm

Now read /usr/share/doc/kernel-patch-2.4-lsm/README.Debian and follow the instructions for setting the CONFIG_ options when compiling your kernel. Then go ahead and compile your new kernel or use Debian's make-kpkg package to create a kernel image .deb that you can then install.

Below is an extract of /usr/share/doc/kernel-patch-2.4-lsm/README.Debian if you are running another distribution:

When configuring your kernel do the following:
        (Under Networking Options, enable Network Packet Filtering.
        Under Security Options, disable Capabilities and enable
        both IP Networking and SELinux as built-in options.)

Have the following in your /usr/src/linux/.config:
CONFIG_NETFILTER=y
CONFIG_INET=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_DTE=n
CONFIG_SECURITY_OWLSM=n
CONFIG_LIDS=n

Also note that the labeled networking code is experimental, and that SE Linux
currently doesn't stack with the other security modules (so turn off OpenWall
and LIDS if you plan to use SE Linux).

The CONFIG_SECURITY_SELINUX_DEVELOP config option allows you to turn the SE
capabilities on and off at run time, I recommend that you use it when first
trying SE Linux (otherwise policy mistakes may prevent your machine from
booting).

If you compile your kernel with CONFIG_SECURITY_SELINUX_DEVELOP turned on, your machine boots in permissive mode and must be switched to enforcing mode manually. If you compile without it, your machine boots into enforcing mode with no option of going back to permissive mode. See Section 4.4: Permissive and Enforcing mode.
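A check of a kernel .config against the values listed in the extract, together with the boot mode that follows from CONFIG_SECURITY_SELINUX_DEVELOP. This is an added example, not part of the original HOWTO or of README.Debian; the function names and the sample .config are constructed for illustration, and the expected values are taken from the .config listing exactly as printed above.

```shell
#!/bin/sh
# Print an option's value from a .config file. kconfig writes a disabled
# option as "# CONFIG_FOO is not set"; that form and a missing line both give n.
config_value() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# Expected values, copied from the README.Debian extract above.
EXPECTED="CONFIG_NETFILTER=y CONFIG_INET=y CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_DTE=n CONFIG_SECURITY_OWLSM=n
CONFIG_LIDS=n"

# Print every option that differs; return 1 if any does.
check_selinux_config() {
    bad=0
    for pair in $EXPECTED; do
        opt=${pair%%=*}; want=${pair#*=}
        got=$(config_value "$1" "$opt")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $opt: want $want, got $got"
            bad=1
        fi
    done
    return $bad
}

# Boot mode implied by CONFIG_SECURITY_SELINUX_DEVELOP, per the text above.
boot_mode() {
    if [ "$(config_value "$1" CONFIG_SECURITY_SELINUX_DEVELOP)" = y ]; then
        echo permissive
    else
        echo enforcing
    fi
}

# Constructed sample .config (not from a real build): LIDS left enabled,
# OWLSM in the "not set" form, DTE absent, development support on.
sample_config() {
    printf '%s\n' CONFIG_NETFILTER=y CONFIG_INET=y \
        CONFIG_SECURITY_CAPABILITIES=y CONFIG_SECURITY_SELINUX=y \
        CONFIG_SECURITY_SELINUX_DEVELOP=y \
        '# CONFIG_SECURITY_OWLSM is not set' CONFIG_LIDS=y
}

f=$(mktemp); sample_config > "$f"
check_selinux_config "$f" || echo "fix the options above before compiling"
echo "boots in $(boot_mode "$f") mode"
rm -f "$f"
```

To audit a real tree, pass /usr/src/linux/.config to check_selinux_config and boot_mode in place of the sample file.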

3.2.6 Installing the selinux-policy-default package

The final step is to install the selinux-policy-default package. This package contains the default security policy files.

When installing this package, you will be prompted to answer a series of questions about which policies you'd like to install. Basically it's up to you to determine what you do and don't need. If you accidentally answer No to something you think you may need, don't worry. At a later time you can copy it from /usr/share/selinux/policy/default/domains/program/ over to /etc/selinux/domains/program and then run the command make -C /etc/selinux load from any directory.

A brief mention about the sendmail.te policy: it is best to remove this as it conflicts with other mail server policy files. Unless you want to run sendmail of course, in which case you don't install the policy files for another mail server.

The prompts will look something like this:

Removal of unwanted policy files
Do you want domains/program/amavis.te:Amavis anti-virus
Yes/No/Display[Y/n/d]?

Selecting Y will install the amavis.te policy file. Selecting n will not install it (but you can copy it later as described above). Selecting d will display the policy file concerned.

When you have finished answering the prompts, the package will then be compiled and the policies that you have the .te files for will be installed.

A crucial part of the installation occurs at this point. Every file will now be labelled with a security context.

You are now ready to reboot your machine, so go ahead. As soon as you have booted into an SE Linux kernel, you MUST relabel all file systems.

