When you are satisfied that the system runs stable under the
new policy, enable enforcing by changing
SELINUX=enforcing. You can
either reboot or run setenforce 1 to turn
enforcing on in real time.
RPMs for the new SE Linux may be found at ftp://people.redhat.com/dwalsh/SELinux
The RPMs at the above location are maintained by Dan Walsh.
When I installed SE Linux on my Fedora test machine, this is what I did:
* Edited the yum.conf file to contain the following:
name=Fedora Core $releasever - Development Tree
* Ran the command
yum install policy checkpolicy policycoreutils policy-sources pam passwd vixie-cron
* After all of the above was installed, I did
* Rebooted the machine.
Under the old SE Linux it was best to install things in a certain order, such as installing the modified login package first. With the new SE Linux, dependencies should take care of things.
The Debian kernel-patch-2.4-lsm package takes care of applying both the LSM patch for the new SE Linux. The patch contains LSM kernel hooks, and SE Linux is the code that uses these hooks.
Now read /usr/share/doc/kernel-patch-2.4-lsm/README.Debian and follow the instructions for setting the CONFIG_ options when compiling your kernel. Then go ahead and compile your new kernel or use Debian's make-kpkg package to create a kernel image .deb that you can then install.
Below is an extract of /usr/share/doc/kernel-patch-2.4-lsm/README.Debian:
This patch supplies the Linux Security Modules. It is needed for NSA Security
Enhanced Linux (among other things).
To apply automaticaly, set PATCH_THE_KERNEL=YES before first running of
make-kpkg (from package: kernel-package) and "make-kpkg clean" to remove.
When configuring your kernel do the following:
(Under Networking Options, enable Network Packet Filtering.
Under Security Options, enable Capabilities and enable
both IP Networking and SELinux as built-in options.)
This means having the following in your /usr/src/linux/.config:
If you compile your kernel with CONFIG_SECURITY_SELINUX_DEVELOP turned on, your machine boots with permissive mode, and must manually be switched to enforcing mode. But if you compile without it, your machine boots in to enforcing mode with no option of going back to permissive mode. See Section 4.4: Permissive and Enforcing mode.
This release of SE Linux depends on XATTR's. For the Ext3 file system
use the following settings:
The options CONFIG_EXT3_FS_XATTR_USER and CONFIG_EXT3_FS_XATTR_TRUSTED are
not required for SE Linux, but do not do any harm either.
If you are using ext2 you will need to build your kernel with CONFIG_EXT2_FS_XATTR set to Y. If you have a ext3 filesystem and want to mount it and not create any xattr's, then compiling ext2 with no XATTR support is a good option. An ext filesystem can be mounted as either ext2 or ext3. The idea is that you can mount the ext3 filesystem with no xattr's as ext2 (just edit your /etc/fstab file accordingly).
This Debian package contains the default security policy files. The equivalent RPM is the policy-sources package.
When installing this package on a Debian system, you will be prompted to answer a series of questions about which policies you'd like to install. Basically it's up to you to determine what you do and don't need. If you accidentally answer No to something you think you may need, don't worry. At a later time you can copy it from /usr/share/selinux/policy/default/domains/program/ over to /etc/selinux/domains/program and then run the command make -C /etc/selinux load from any directory.
A brief mention about the sendmail.te policy-- it is best to remove this as it conflicts with other mail server policy files. Unless you want to run sendmail of course, in which case you don't install the policy files for another mail server.
The prompts will look something like this:
Removal of unwanted policy files
Do you want domains/program/amavis.te:Amavis anti-virus
Selecting Y will install the amavis.te policy file. Selecting n will not install it (but you can copy it later as described above). Selecting d will display the policy file concerned.
When you have finished answering the prompts, the policy will then be compiled and the policies that you have the .te files for will be installed.
A crucial part of the installation occurs at this point. Every file will now be labelled with a security context.
Before rebooting, you must first edit your /etc/fstab file and create the /selinux mount point. So create the mount point of /selinux and set the permissions to mode 500. Now edit your /etc/fstab to include the following:
none /selinux selinuxfs noauto 0 0
If you are running a 2.6.x kernel with XATTR support enabled, after creating the /selinux mount point and editing your /etc/fstab you must now run the command make -C /etc/selinux relabel This command relabels the filesystem with the correct security contexts. Note that you must run the command again after rebooting (discussed further down). If you are running a 2.4.x kernel you can't run this command now, as the 2.4.x non-SE Linux kernel does not allow you to assign the extended attributes.
Before rebooting we must edit the /etc/pam.d/login and ssh files (sshd on Fedora) so that a shell will be started in the right context. Add the following:
session required pam_selinux.so
to both /etc/pam.d/login and /etc/pam.d/ssh
Before rebooting you can add a new SE Linux user with the command useradd and edit the users file, and you can also do it after you reboot. In this document we'll do the latter.
You are now ready to reboot your machine, so go ahead. As soon as you have booted in to a SE Linux kernel, you MUST relabel all file systems.