
5. Installing utility programs

Now that we have got SE Linux up and running, it's time to install some utility programs.

5.1 Where we're at

We've got our system going with SE Linux, all files have been labelled with a security context, we know how to change to another role and how to switch between permissive and enforcing modes. We now look at modified package management tools.

5.2 Modified package management tools (se_dselect, se_apt-get and se_dpkg)

Debian users should be familiar with the dselect, apt-get and dpkg commands. se_dselect, se_apt-get and se_dpkg are wrapper scripts that run the regular versions of dselect, apt-get and dpkg with some extras. The same applies to se_dpkg-reconfigure. Why are modified versions of these needed? Because when packages are installed, the files need to be labelled correctly.

When using these commands, you will be prompted for a password (the password of the identity you are using). Why? Take the se_dselect command, for example. As sysadm_r:sysadm_t, run se_dselect. Now, as sysadm_r:sysadm_t in another window, run the command "ps ax --context|grep dselect" and you'll see something like this:

 5292    404 system_u:system_r:dpkg_t                 dselect

Notice the security context that dselect is now running in. You will be changing identity, role and domain, so you need to be authenticated first.
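
The check described above can be scripted. The following is an added example, not part of the original HOWTO: it reads "ps ax --context" style output and reports any dselect, apt-get or dpkg process whose domain is not dpkg_t. The column layout (PID, SID, context, command) is assumed from the single sample line above, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that package tools run in the expected domain.
# Assumption: columns are PID, SID, CONTEXT, COMMAND, as in the page's sample.

# Constructed sample input, modelled on the output line shown above.
sample_ps_output() {
cat <<'EOF'
 5292    404 system_u:system_r:dpkg_t                 dselect
 5301    377 root:sysadm_r:sysadm_t                   dpkg
 5310    412 system_u:system_r:dpkg_t                 apt-get
  611    120 system_u:system_r:sshd_t                 sshd
EOF
}

# Read ps output on stdin and print "pid command context" for every
# package-tool process whose domain is not the expected one.
# $1 is the expected domain (defaults to dpkg_t).
wrong_domain() {
    awk -v want="${1:-dpkg_t}" '
        {
            cmd = $4
            sub(/.*\//, "", cmd)      # drop a leading path such as /usr/bin/
        }
        cmd == "dselect" || cmd == "apt-get" || cmd == "dpkg" {
            # A context is identity:role:type; the type is the domain.
            n = split($3, ctx, ":")
            if (n != 3 || ctx[3] != want)
                print $1, cmd, $3
        }'
}

# Number of package-tool processes found outside the expected domain.
count_wrong_domain() {
    wrong_domain "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; on a live system use instead:
#   ps ax --context | wrong_domain
sample_ps_output | wrong_domain
```

In the constructed sample, the dpkg process is the one reported, because its context shows sysadm_t rather than dpkg_t.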

5.3 Changing passwords with spasswd

The spasswd command is a wrapper for the regular passwd command. spasswd runs passwd in the correct domain, and ensures that your SE Linux identity matches your Unix account name.

But hang on, didn't you say earlier that regular Unix user IDs are different from SE Linux identities? Why should they have to match now? Well, yes, regular Unix user IDs are different from SE Linux user identities, but they may have the same textual representation. That's what most people do, as it's easier. But the spasswd command requires your SE Linux identity name to be the same as your Unix account name. Under SE Linux, your identity is considered the only unique way to determine who you are. If you are not currently the corresponding Unix user, then you will not be able to change the password.

5.4 Changing password with sadminpasswd

The sadminpasswd command is used by the sysadm_r role to change the password for other users. You must be in both sysadm_r and sysadm_t in order to do this.

5.5 Modified utility programs

We saw briefly, in Section 3.2.4, that the coreutils and procps packages contain modified versions of commands such as cp, ls, mv and ps. The modified versions provide more functionality for SE Linux. With ps and ls, for example, you can supply the --context option to view a file's or process's security context. The modified cp command allows you to set a specific security context for a copy, or preserve the context while copying.

