3.5 Installing SELinux from Binary or Source Packages


Unless you choose a Linux distribution that includes built-in support for SELinux, you'll have to install and configure SELinux yourself. It's generally easier to do so using binary or source packages than using the source code tarballs released by the NSA. This section explains how to install and initially configure SELinux on:

  • Debian GNU/Linux

  • Gentoo Linux

  • SUSE Linux 8.2

In addition, the section gives advice on installing and configuring SELinux to work with Red Hat Enterprise Linux 3. As explained earlier, the forthcoming Red Hat Enterprise Linux 4 is planned to integrally support SELinux.

3.5.1 Debian GNU/Linux

At the time of writing, two releases of Debian GNU/Linux are currently in use, and a third is under development. The two commonly used releases are:

  • Debian GNU/Linux 3.0 stable, known as Woody

  • Debian GNU/Linux 3.0 unstable, known as Sid

As the release names indicate, Woody is considered the more reliable release; its component packages have been subject to more extensive, and more thorough, testing and use than those of Sid. However, the C compiler and libraries and other components of Woody are too old to work well with SELinux. Consequently, this section presents an SELinux installation procedure appropriate for Sid.

If you're interested in using SELinux with Woody, you can use special packages created by Brian May, available at http://www.microcomaustralia.com.au/debian. You can find brief instructions for using them at http://www.coker.com.au/selinux. Because these packages are subject to change, I don't present step-by-step instructions for installing and configuring SELinux under Woody. If you plan to install SELinux under Woody, you can request assistance by posting to the SELinux mailing list, to which you can subscribe using the web page identified in Chapter 1.

To install SELinux under Sid, perform the following steps. Since I presume you know how to install Debian Sid, the steps include only general explanations of the associated operations. If you're unfamiliar with the installation procedure for Debian, please see the installation manual available at http://www.debian.org/releases/stable/i386/install.

  1. Obtain bootable media for Debian Sid and boot the system using them. I recommend the media available at http://people.debian.org/~dwhedon/boot-floppies, especially bf2.4-3.0.23-netinst.iso because of its relatively small size (10 MB). If you like, you can choose from other media available at http://www.debian.org/CD/netinst.

  2. Burn the ISO image to a CD-RW or CD-R and boot the system using it. Choose the language to be used during installation and your keyboard type.

  3. Partition the target system's primary hard disk and create Linux filesystems as usual. The simplest installation consists of three partitions: a boot partition ( /boot ), a root partition ( / ), and a swap partition. The swap partition should have partition type 82, whereas the other two partitions should have type 83.

    The installer encourages you to choose the ext2 filesystem type for the boot and root partitions. I suggest that you ignore the default and choose ext3 as the filesystem type for the root filesystem, because the journaling provided by ext3 will improve the reliability of your filesystem. You can choose either ext2 or ext3 as the filesystem type of the boot partition. I myself prefer to choose ext3 for consistency.

  4. Install a kernel and any drivers necessary for devices you plan to use during, and immediately after, installation. In general, you should ensure that a driver is available for your system's network interface. The installation program may automatically recognize your system's devices, in which case you don't need to explicitly load any drivers.

  5. Set up networking by specifying a hostname, domain name, and network configuration. If a DHCP or BOOTP server is available, you can request automatic network configuration, which identifies the system IP address, network mask, gateway IP address, and DNS server IP address for you; otherwise, you must specify these yourself.

  6. Install the bootloader. Generally, you should install LILO, the default Debian bootloader, to the MBR (master boot record) of the primary hard drive. If your system is configured to boot multiple operating systems, special considerations are necessary. Consult the Debian installation manual for details.

  7. Reboot the system. When the system configuration screen appears, specify configuration options, including the time zone, MD5 passwords (which should generally be enabled), a shadow password file, a root password, and a non-root user.

  8. When prompted to run apt, decline to do so by pressing Cancel. Likewise, decline to run tasksel. When dselect runs, allow it to continue and also allow it to delete any previously downloaded .deb files that are no longer needed.

    If you allow apt to run, it may install updated packages that conflict with SELinux packages to be installed later in this procedure. Declining to run apt avoids this problem.


  9. Respond to the installation program prompts that lead you through the configuration of installed packages such as mail.

  10. When configuration is complete, log in as the root user. Use a text editor to create the file /etc/apt/apt_preferences, specifying the following contents:

     Package: *
     Pin: release o=etbe
     Pin-Priority: 1100

  11. This configuration file prevents critical SELinux packages from being overwritten by updated non-SELinux packages.

  12. Use a text editor to modify the file /etc/apt/sources.list, deleting any existing entries and specifying the following contents:

     deb http://www.coker.com.au/newselinux/ ./
     deb ftp://ftp.us.debian.org/debian/ sid main

  13. The web site www.coker.com.au is a repository of Debian SELinux packages, maintained by Russell Coker.

  14. Issue the command:

     #  apt-get update

  15. This updates the list of available packages.

  16. Use apt-get to install the libselinux1 package. Then install the following packages:

    checkpolicy
    coreutils
    cron
    dpkg
    fileutils
    initscripts
    libpam0g
    libpam0g-dev
    libpam-cracklib
    libpam-doc
    libpam-modules
    libpam-runtime
    libselinux1
    logrotate
    policycoreutils
    procps
    selinux-doc
    selinux-policy-default
    selinux-utils
    shellutils
    strace
    sysvinit
    sysv-rc
    textutils
  17. These packages contain versions of standard utilities that have been modified to work with SELinux, SELinux-specific utilities, the SELinux policy, and SELinux documentation.

    You may be prompted to update Glibc, which you should approve. You will then be prompted to accept a series of files contained in the selinux-policy-default package; you may accept all such files.

  18. Launch dselect , and use it to install any available updates to Sid. If dselect does not propose installation of a Linux 2.6 kernel, manually select an appropriate kernel-image package for installation. In any case, manually select a kernel-source package corresponding to the kernel that dselect automatically selected or that you manually selected. Finally, be sure that the ncurses-dev package is selected for installation. Allow dselect to install the selected packages.

  19. Now, you're ready to build an SELinux kernel. Move to the directory /usr/src, unpack the kernel sources, and set up a symbolic link named linux, pointing to the directory containing the unpacked sources. If you're unfamiliar with the procedure for manually configuring, compiling, and installing a Linux kernel, consult the Debian installation guide.

  20. Enter the directory containing the kernel sources. Using a text editor, open the Makefile and change the EXTRAVERSION variable to a distinct value. This value is used to name and identify the directory containing loadable kernel modules that work with your kernel.

  21. Choose an installed /boot/config* file and copy it to the current directory, naming it .config. Doing so will conveniently set default values for many configuration options.

  22. Issue the command:

     #  make menuconfig  

  23. Choose kernel configuration options appropriate to your system, overriding default values as necessary. I personally like to omit support for devices and filesystems that I don't use and specify that support for needed devices and filesystems should be compiled integrally in the kernel, rather than as modules. But, other preferences are acceptable.

    Also specify the following SELinux-related options. Under Code Maturity, specify:

     Prompt for development and/or incomplete code/drivers

    Under Device Drivers, Character Devices, specify:

     Unix98 PTY
     No Legacy (BSD) PTY support

    Under File systems, specify:

     Second extended fs support
     Ext2 extended attributes
     Ext2 security labels
     Ext3 journalling file system support
     Ext3 extended attributes
     Ext3 security labels

    Do not specify POSIX access control lists for either ext2 or ext3.

    Under Pseudo filesystems, specify:

     /dev/pts Extended Attributes
     /dev/pts Security labels

    Do not specify:

     /dev file system support

    Finally, under Security options, specify:

     Enable different security models
     Socket and networking security hooks
     Default Linux capabilities
     NSA SELinux
     NSA SELinux boot parameter
     NSA SELinux Development support

  24. Compile and install the kernel, by issuing the commands:

     #  make clean
     #  make install modules modules_install

    If you compiled all features integrally within the kernel, omitting support for modules, use the following command instead:

     #  make clean && make install

  25. Modify the /etc/lilo.conf bootloader configuration to boot the new kernel in SELinux mode, by adding the following LILO option to the stanza pertaining to the new kernel:

     append="selinux=1 enforcing=0" 

    Issue the /sbin/lilo command to update the boot record.

  26. Create the special directory used by the SELinux kernel during system startup:

     #  mkdir /selinux  

  27. Add the following line at the end of the /etc/fstab configuration file:

     none /selinux selinuxfs defaults 0 0 

  28. Modify the PAM configuration by adding the following line at the end of the files /etc/pam.d/login and /etc/pam.d/ssh:

     session required pam_selinux.so 

  29. Compile the SELinux policy and label the filesystem:

     #  cd /etc/selinux
     #  make policy
     #  make relabel

    Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file's security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.

    Unfortunately, it's not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te . To work around such errors, create the directory /etc/selinux/domain/programs/error , move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list, identified near the end of Chapter 1.


  30. Reboot your system. When the system starts up, relabel the filesystem a second time so that any files created during the reboot are properly labeled:

     #  cd /etc/selinux
     #  make relabel

  31. Your Debian SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.

    The Debian developers do not officially support SELinux. However, they tend to be both technologically keen and helpful in responding to questions that interest them. Understandably, the developers are sometimes nonresponsive to questions posed by users who seem to them to be lazy or unskilled. In a few cases, they may even seem to respond contemptuously or with hostility. To make good use of their time and avoid taxing their patience, be sure to put forth a good-faith effort to troubleshoot and resolve problems before posting questions to the Debian mailing lists, such as debian-security.
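The shell script below is an added example, not code from the book or from the Debian SELinux packages. It checks that the Debian-specific settings from steps 10, 12, and 25 through 28 are actually in place: the apt pin for the o=etbe release, the selinux=1 LILO option, the /selinux mount point and its selinuxfs entry in fstab, and the pam_selinux session lines for login and ssh. It takes a root directory as an argument, so it can be run against the constructed sample tree it builds for its own demo or, as root, against / on a freshly configured system; the lilo.conf stanza and fstab contents in that sample tree are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the book: verify the Debian SELinux settings made
# in steps 10, 12 and 25-28 above. Each check takes a root directory so it can
# be run against a constructed copy of the tree (the demo below) or against /.
# File names and line contents are the ones the chapter specifies.

# apt pin for the "o=etbe" release. A priority above 1000 makes apt keep the
# pinned packages even when Sid carries a higher version (apt will downgrade
# to the pinned version), which is what prevents stock packages from silently
# replacing the SELinux-modified ones. Returns 0 when such a pin exists.
check_apt_pin() {
    f="$1/etc/apt/apt_preferences"
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    prio=$(awk '/^Pin: release o=etbe/ { p = 1 }
                p && /^Pin-Priority:/ { print $2; exit }' "$f")
    case "$prio" in
        ''|*[!0-9]*) echo "$f: no numeric Pin-Priority for release o=etbe"; return 1 ;;
    esac
    if [ "$prio" -le 1000 ]; then
        echo "$f: pin priority $prio does not exceed 1000"; return 1
    fi
    return 0
}

# The LILO stanza must pass selinux=1 to the kernel (enforcing=0 is the
# permissive mode the chapter uses for the first boot).
check_lilo_append() {
    f="$1/etc/lilo.conf"
    grep -q 'append=.*selinux=1' "$f" 2>/dev/null \
        || { echo "$f: no append line containing selinux=1"; return 1; }
}

# The /selinux mount point exists and fstab mounts selinuxfs on it.
check_selinuxfs() {
    [ -d "$1/selinux" ] || { echo "$1/selinux: directory missing"; return 1; }
    f="$1/etc/fstab"
    awk '$1 !~ /^#/ && $2 == "/selinux" && $3 == "selinuxfs" { ok = 1 }
         END { exit !ok }' "$f" 2>/dev/null \
        || { echo "$f: no selinuxfs entry for /selinux"; return 1; }
}

# pam_selinux must run as a session module for login and ssh; without it
# users are not placed in a security context chosen from the policy.
check_pam_selinux() {
    rc=0
    for svc in login ssh; do
        f="$1/etc/pam.d/$svc"
        grep -Eq '^session[[:space:]]+required[[:space:]]+pam_selinux\.so' "$f" 2>/dev/null \
            || { echo "$f: missing 'session required pam_selinux.so'"; rc=1; }
    done
    return $rc
}

# Run every check; returns 0 only when all of them pass.
check_debian_selinux() {
    rc=0
    check_apt_pin "$1"     || rc=1
    check_lilo_append "$1" || rc=1
    check_selinuxfs "$1"   || rc=1
    check_pam_selinux "$1" || rc=1
    return $rc
}

# Build a constructed tree that mirrors the chapter's settings; prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt" "$t/etc/pam.d" "$t/selinux"
    printf 'Package: *\nPin: release o=etbe\nPin-Priority: 1100\n' > "$t/etc/apt/apt_preferences"
    # constructed stanza; the kernel image name is a placeholder
    printf 'image=/boot/vmlinuz-selinux\n\tlabel=selinux\n\tappend="selinux=1 enforcing=0"\n' > "$t/etc/lilo.conf"
    printf '/dev/hda2 / ext3 defaults 0 1\nnone /selinux selinuxfs defaults 0 0\n' > "$t/etc/fstab"
    printf 'session required pam_selinux.so\n' > "$t/etc/pam.d/login"
    printf 'session required pam_selinux.so\n' > "$t/etc/pam.d/ssh"
    echo "$t"
}

# Demo on the constructed tree: prints OK, or one line per failing check.
demo_tree=$(make_sample_tree)
if check_debian_selinux "$demo_tree"; then echo "OK: all Debian SELinux settings present"; fi
rm -rf "$demo_tree"
```

To audit a live system after step 30, run check_debian_selinux / as root; each failing check names the file it could not verify. The pin check requires a priority strictly above 1000 because that is the threshold at which apt pins a version even when it would be a downgrade; the chapter's value of 1100 satisfies it.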


3.5.2 Gentoo Linux

Unlike Debian GNU/Linux, Gentoo Linux specifically supports SELinux. However, SELinux has not been integrated into the standard Gentoo release. This section explains how to install SELinux under Gentoo to a fresh or bare-metal system. The following section explains how to install SELinux to a preexisting Gentoo Linux system.

At the time of writing, Gentoo supports SELinux only on servers, not workstations, due primarily to interoperability problems between SELinux and X. However, the Gentoo developers suggest that SELinux workstation support may be available in a future Gentoo release.


3.5.2.1 Installing SELinux to a fresh Gentoo system

The "Gentoo x86 SELinux Installation Guide," available at http://www.gentoo.org/, gives the official Gentoo instructions for installing Gentoo SELinux. The online instructions are likely to be more up to date than the following procedure; however, you may find the following procedure helpful in explaining how the Gentoo procedure works. Ideally, when installing SELinux under Gentoo, you should consult both the online instructions and this book.

To install SELinux under Gentoo, perform the following steps:

  1. Obtain a current Gentoo LiveCD image, available from a Gentoo mirror site listed at http://www.gentoo.org/main/en/mirrors.xml . Burn the image to CD-R or CD-RW and boot your system from it. Choose a kernel from those listed as available. For installation, you don't need to choose an SELinux kernel; a standard Gentoo kernel such as gentoo or nousb is satisfactory.

  2. After booting, the system automatically logs you in as the root user. The system probably loaded appropriate kernel drivers for your system's devices automatically. But, if not, you can manually load a driver by issuing the modprobe command. Use the lsmod command to verify that the driver appropriate for your network interface was loaded. If it was not loaded, manually load a driver from /lib/modules*/kernel/drivers/net . If a required SCSI driver was not loaded, manually load one in the same manner.

  3. Issue the /sbin/ifconfig command to verify that networking has been configured. If networking has been configured, verify that it's working by pinging your DNS server or accessing a web site. The lynx, ping, scp, ssh, wget, and other network commands are available and should work. If networking is not properly operational, consult the Gentoo installation guide for troubleshooting and problem resolution hints.

  4. Use the date command to set your system's date and time; its argument has the form MMDDhhmmYYYY. For instance, you can set the date and time to 2:27 a.m. on July 1, 2004, by issuing the command:

     #  date 070102272004

  5. Use fdisk to establish appropriate partitions on your system's primary hard drive.

  6. Use mkswap to prepare a swap partition for use and use mke2fs to prepare ext3 (preferred) or ext2 filesystems on the non-swap partitions. Activate the swap partition and mount the filesystems. For instance:

     #  mkswap /dev/hda2               # prepare swap partition
     #  mke2fs -j /dev/hda1            # make /boot filesystem
     #  mke2fs -j /dev/hda3            # make / filesystem
     #  swapon /dev/hda2               # activate swap partition
     #  mount /dev/hda3 /mnt/gentoo    # mount / partition
     #  mkdir /mnt/gentoo/boot         # create mount point
     #  mount /dev/hda1 /mnt/gentoo/boot   # mount /boot

  7. Download the installation tarball, stage1-x86-1.4_rc4.tar.bz2, using the lynx or wget command, from a Gentoo mirror such as http://gentoo.oregonstate.edu/experimental/x86/stages, and place the tarball in the /mnt/gentoo directory. Extract the tarball contents, enter the chrooted filesystem just created, and update your shell context:

     #  tar jxvpf stage1-*.tar.bz2
     #  mount -t proc proc /mnt/gentoo/proc
     #  mount -t selinuxfs none /mnt/gentoo/selinux
     #  cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
     #  chroot /mnt/gentoo /bin/bash
     #  env-update
     #  source /etc/profile

  8. Update the portage tree:

     #  emerge sync  

  9. Use a text editor, such as Nano, to customize the build settings, if desired. The settings reside in the file /etc/make.conf, which is heavily commented and therefore largely self-explanatory. Generally, the default values are acceptable. But, you should check the values of CHOST, CFLAGS, and CXXFLAGS to ensure they're consistent with the processor type of your system.

    Detailed information on the configuration options provided by the make.conf file is available at http://www.gentoo.org and http://www.gentoo.org/dyn/use-index.xml.


  10. Initiate the bootstrap process, which builds the GNU C library, the C compiler, and other fundamental programs:

     #  export PORTAGE_TMPDIR=/var/tmp
     #  cd /usr/portage
     #  scripts/bootstrap.sh

    The bootstrap process is relatively time-consuming, as you might suspect. You can specify a directory other than /var/tmp, if you prefer. The directory should provide several hundred megabytes of free space.

  11. Build the non-bootstrapped programs:

     #  emerge system  

    This process generally takes even longer than the bootstrap process.

  12. Set the time zone:

     #  ln -sf /usr/share/zoneinfo/path /etc/localtime

    where path denotes the subpath corresponding to your time zone. For instance, /usr/share/zoneinfo/America/Los_Angeles denotes the U.S. Pacific time zone.

  13. Install a kernel by issuing any one of the following commands:

     #  emerge sys-kernel/selinux-sources
     #  emerge sys-kernel/hardened-sources
     #  emerge sys-kernel/gentoo-dev-sources
     #  emerge sys-kernel/development-sources
     #  emerge sys-kernel/mm-sources

    Issue only one of the preceding commands; don't issue all of them.


  14. Now, you're ready to build an SELinux kernel. To begin doing so, issue the following commands:

     #  cd /usr/src/linux
     #  zcat /proc/config.gz > .config
     #  make menuconfig

    Specify the following SELinux-related options. Under Code Maturity, specify:

     Prompt for development and/or incomplete code/drivers

    Under Device Drivers, Character Devices, specify:

     Unix98 PTY
     No Legacy (BSD) PTY support

    Under File systems, specify:

     Second extended fs support
     Ext2 extended attributes
     Ext2 security labels
     Ext3 journalling file system support
     Ext3 extended attributes
     Ext3 security labels

    Do not specify POSIX access control lists for either ext2 or ext3.

    Under Pseudo filesystems, specify:

     /dev/pts Extended Attributes
     /dev/pts Security labels

    Do not specify:

     /dev file system support

    Finally, under Security options, specify:

     Enable different security models
     Default Linux capabilities
     NSA SELinux
     NSA SELinux boot parameter
     NSA SELinux Development support

    Do not specify:

     Socket and networking security hooks
     NSA SELinux MLS policy

  15. If needed, configure kernel support for PPPoE and IDE CD burning. Be sure the kernel includes support for your system's Ethernet card. See the Installation Guide for details.

  16. Compile and install the kernel:

     #  make dep
     #  make clean bzImage modules modules_install
     #  cp /usr/src/linux/arch/i386/boot/bzImage /boot

  17. Install any kernel-related software needed by your system. For instance, you might issue one or more of the following commands:

     #  emerge e100      # Intel e100 NIC
     #  emerge e1000     # Intel e1000 NIC
     #  emerge emu10k1   # Creative SBLive!

  18. Install a system logging service. Under Gentoo, you can choose any one of four logging services. I prefer the Unix de facto standard, Syslog. To install Syslog, issue the following commands:

     #  emerge -k app-admin/sysklogd
     #  rc-update add sysklogd default

    If you prefer to configure a logging service other than Syslog, see the Installation Guide.


  19. Install the cron service:

     #  emerge -k sys-apps/vixie-cron
     #  rc-update add vixie-cron default

  20. First, use nano (or another editor of your choice) to create an /etc/fstab file that mounts your Linux ext2 and ext3, swap, proc, tmpfs, and cdrom filesystems. A typical file looks like this:

     /dev/hda1          /boot      ext3    ro,noatime   1 1
     /dev/hda2          /          ext3    noatime      0 0
     /dev/hda4          /space     ext3    noatime      0 0
     /dev/hda3          none       swap    sw           0 0
     none               /proc      proc    defaults     0 0
     none               /dev/shm   tmpfs   defaults     0 0
     /dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro    0 0

    Then, add the following two SELinux-related lines to the file:

     none               /selinux   selinuxfs defaults   0 0
     none               /dev/pts   devpts    defaults   0 0

    The first line causes the system to automatically mount the SELinux pseudofilesystem during system startup. The second line causes the system to automatically mount the devpts pseudofilesystem. This is needed because the current release of Gentoo SELinux uses devpts rather than the Gentoo-default devfs pseudofilesystem.

  21. Set the password for the root user, by issuing the passwd command. You should also create one or more non-root users, by issuing the adduser command. You should also set a password for each non-root user you create.

     #  passwd
     New UNIX password: (password not echoed)
     Retype new UNIX password: (password not echoed)
     #  adduser staff
     #  passwd staff
     New UNIX password: (password not echoed)
     Retype new UNIX password: (password not echoed)

  22. Specify the host and domain names. To set the host name, issue the command:

     #  echo hname > /etc/hostname

    where hname is the host name. To set the domain name, issue the command:

     #  echo dname > /etc/dnsdomainname

    where dname is the domain name. If your system is to be part of an NIS domain, also set the name of the NIS domain:

     #  echo nisname > /etc/nisdomainname

    where nisname is the NIS domain name.

    Also, modify the /etc/hosts file to include a line such as the following:

     xxx.xxx.xxx.xxx     hname.dname hname

    where xxx.xxx.xxx.xxx is the primary IP address of your system, hname is its host name, and dname is its domain name.

    If your system receives its network configuration dynamically, via DHCP or BOOTP, you may omit this step.


  23. Specify the kernel modules that should be loaded at system startup. To do so, add their names (and any desired options) to /etc/modules.autoload .

    If the driver for your system's network adapter was compiled as a module, it's especially important that the corresponding module is specified in /etc/modules.autoload. You can determine the name of the module by inspecting the names of the driver files located in /lib/modules/`uname -r`/kernel/drivers/net.


  24. Configure your system's IP address, network mask, and other TCP/IP parameters in /etc/conf.d/net . Then set networking to start at the default run level:

     #  rc-update add net.eth0 default  

    If your system has multiple network adapters or a PCMCIA network adapter, consult the Installation Guide for the proper configuration procedure.


  25. Set system preferences in /etc/rc.conf. Comments in the file explain the functions of the configuration options. In particular, be sure the CLOCK setting has the correct value (UTC or local).

  26. Compile, install, and configure the GRUB bootloader.

    If your system uses hardware RAID, your system is configured for multiple boot, your kernel is configured to use framebuffer video, or if you prefer to configure the LILO bootloader rather than GRUB, see the Installation Guide for further instructions.


    To compile GRUB, issue the command:

     #  emerge grub  

    To install GRUB, enter its command-line environment and issue the GRUB root and setup commands:

     #  grub
     grub>  root (hd0,0)
     grub>  setup (hd0)
     grub>  quit

    The GRUB root command shown is appropriate only if your /boot partition is the first partition on the primary hard drive, the most common case. If the /boot partition is the second partition, use the command:

     grub>  root (hd0,1)


    To configure GRUB, use an editor to create the /boot/grub/grub.conf file. A typical file might resemble the following:

     default 0
     timeout 30
     splashimage=(hd0,0)/boot/grub/splash.xpm.gz

     title=Gentoo SELinux
     root (hd0,0)
     kernel (hd0,0)/boot/bzImage root=/dev/hda3 gentoo=nodevfs

    This configuration file assumes that the boot partition is /dev/hda1 and the Linux root partition is /dev/hda3 . It won't work if your hard drive is differently configured. In that case, you must adjust the configuration parameters. If you're unfamiliar with the contents of GRUB's configuration file, or uncertain what values to specify, see the Installation Guide.

    If your system fails to boot, it's handy to have available a GRUB boot disk. To create one, put a blank floppy in the drive and issue the following commands:

     #  cd /usr/share/grub/i386-pc/
     #  cat stage1 stage2 > /dev/fd0


  27. Update any out-of-date configuration files, by issuing the command:

     #  etc-update  

  28. Compile the SELinux policy and label the filesystem, by issuing the following commands:

     #  cd /etc/security/selinux/src/policy/
     #  make install
     #  make chroot_relabel

    Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file's security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.

    Unfortunately, it's not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te . To work around such errors, create the directory /etc/selinux/domain/programs/error , move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list mentioned near the end of Chapter 1.


  29. Exit the chrooted shell, and reboot the system:

     #  exit
     #  cd /
     #  umount /mnt/gentoo/boot
     #  umount /mnt/gentoo/proc
     #  umount /mnt/gentoo/selinux
     #  umount /mnt/gentoo
     #  reboot

  30. When the system has booted, relabel the filesystem for the second time, so that files created during rebooting will be properly labeled:

     #  cd /etc/security/selinux/src/policy
     #  make relabel

    Your Gentoo SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.
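Before compiling either kernel it is worth auditing the saved .config against the option lists given in the procedures, rather than trusting that menuconfig kept every selection: a dependency change elsewhere in the menu can silently drop an option, and a missing security-label or LSM option only shows up at first boot. The script below is an added example, not code from the book, from the kernel sources, or from Gentoo. It maps the menu entries from step 23 of the Debian procedure and step 14 of the Gentoo procedure above (the same list reappears as step 7 of the next section) to CONFIG_* symbols and reports anything missing, built as a module, or wrongly enabled. The symbol names are my reading of the 2.6-series Kconfig files and are an assumption to confirm against your own tree; the .config the demo audits is constructed.

```shell
#!/bin/sh
# Added example, not from the book: audit a kernel .config against the
# SELinux-related menu choices (Debian step 23, Gentoo step 14 / step 7).
# The CONFIG_* names are an assumed mapping of the menu entries to
# 2.6-series Kconfig symbols; verify them against your tree's Kconfig files.

# Entries every procedure asks for, as symbols that must be built in (=y).
COMMON_REQUIRED="CONFIG_EXPERIMENTAL CONFIG_UNIX98_PTYS
CONFIG_EXT2_FS CONFIG_EXT2_FS_XATTR CONFIG_EXT2_FS_SECURITY
CONFIG_EXT3_FS CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY
CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY
CONFIG_SECURITY CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX
CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_SECURITY_SELINUX_DEVELOP"
# Entries every procedure says not to select.
COMMON_FORBIDDEN="CONFIG_LEGACY_PTYS CONFIG_EXT2_FS_POSIX_ACL
CONFIG_EXT3_FS_POSIX_ACL CONFIG_DEVFS_FS"

# Set REQUIRED and FORBIDDEN for a profile: "debian" wants the socket and
# networking hooks, "gentoo" excludes them and the MLS policy option.
profile_lists() {
    case "$1" in
        debian) REQUIRED="$COMMON_REQUIRED CONFIG_SECURITY_NETWORK"
                FORBIDDEN="$COMMON_FORBIDDEN" ;;
        gentoo) REQUIRED="$COMMON_REQUIRED"
                FORBIDDEN="$COMMON_FORBIDDEN CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX_MLS" ;;
        *)      echo "unknown profile: $1" >&2; return 2 ;;
    esac
}

# config_value <.config> <SYMBOL>: prints y, m, or the literal value; "n"
# for an explicit "# SYMBOL is not set" line; nothing if the symbol is absent.
# Matching on "SYMBOL=" keeps CONFIG_SECURITY from matching CONFIG_SECURITY_NETWORK.
config_value() {
    awk -v s="$2" '
        $0 == "# " s " is not set" { print "n"; exit }
        index($0, s "=") == 1      { print substr($0, length(s) + 2); exit }
    ' "$1"
}

# audit_config <profile> <.config>: prints each problem, returns 0 if clean.
# Modules (=m) are rejected for required symbols because the LSM hooks and
# the security-label support must be in the kernel before the root
# filesystem is mounted, not loaded afterwards.
audit_config() {
    profile_lists "$1" || return 2
    cfg="$2"; rc=0
    for s in $REQUIRED; do
        v=$(config_value "$cfg" "$s")
        [ "$v" = "y" ] || { echo "MISSING   $s (have '${v:-absent}', need y)"; rc=1; }
    done
    for s in $FORBIDDEN; do
        v=$(config_value "$cfg" "$s")
        case "$v" in
            y|m) echo "FORBIDDEN $s=$v"; rc=1 ;;
        esac
    done
    return $rc
}

# Write a constructed .config that satisfies the Debian profile to $1.
write_sample_config() {
    {
        for s in $COMMON_REQUIRED CONFIG_SECURITY_NETWORK; do echo "$s=y"; done
        for s in $COMMON_FORBIDDEN CONFIG_SECURITY_SELINUX_MLS; do echo "# $s is not set"; done
    } > "$1"
}

# Demo: audit the constructed file under both profiles.
sample=$(mktemp)
write_sample_config "$sample"
echo "debian profile:"; audit_config debian "$sample" && echo "  clean"
echo "gentoo profile:"; audit_config gentoo "$sample" || echo "  (networking hooks are not wanted under Gentoo)"
rm -f "$sample"
```

Run it as audit_config debian /usr/src/linux/.config (or gentoo) after saving from menuconfig and before make; a clean run prints nothing and returns 0, so it can sit in front of the compile step of a build script.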

3.5.2.2 Installing SELinux to an existing Gentoo Linux system

The preceding section explains how to install a Gentoo SELinux system onto a bare-metal system. It's also possible to install SELinux to a working Gentoo Linux system. This section explains how to do so. The "Gentoo Linux SELinux Quick Start Guide," available at http://www.gentoo.org/, gives the official Gentoo instructions for installing Gentoo SELinux to an existing Gentoo Linux system. The online instructions are likely to be more up to date than the following procedure; however, you may find the following procedure helpful in explaining how the Gentoo procedure works. Ideally, when installing SELinux under Gentoo, you should consult both the online instructions and this book.

  1. First, check whether your system is compatible with Gentoo SELinux. Your system should be a server, not a workstation. And, it should use the Linux ext2 or ext3 filesystem rather than a more exotic filesystem such as ReiserFS.

    Gentoo SELinux also supports the XFS filesystem. However, this book does not explain how to configure SELinux to work with that filesystem. See the Quick Start Guide for instructions on doing so.


  2. Issue the following instructions to switch to the SELinux profile:

     #  rm -f /etc/make.profile
     #  ln -sf /usr/portage/profiles/selinux-x86-1.4 /etc/make.profile

  3. Check whether any USE flags need to be reenabled in /etc/make.conf :

     #  emerge info  

    Edit /etc/make.conf as appropriate, based on any messages you see.

    You may see the message "!!! SELinux module not found. Please verify that it was installed," which you may safely ignore. The cause of this message will be fixed by a subsequent step of this procedure.


  4. Check that the C headers are sufficiently up to date:

     #  emerge -s linux-headers  

    If the version of the headers is older than 2.4.20, merge new headers by issuing the command:

     #  emerge \>=sys-kernel/linux-headers-2.4.20  

  5. Next, recompile the C library, by issuing the command:

     #  emerge glibc  

    This step generally takes a significant amount of time to complete.

  6. Merge an appropriate Linux 2.4 or Linux 2.6 kernel, by issuing any one of the following commands:

     #  emerge sys-kernel/selinux-sources
     #  emerge sys-kernel/hardened-sources
     #  emerge sys-kernel/gentoo-dev-sources
     #  emerge sys-kernel/development-sources
     #  emerge sys-kernel/mm-sources

    Issue only one of the preceding commands; don't issue all of them.


  7. Now, you're ready to build an SELinux kernel. To begin doing so, issue the following commands:

     #  cd /usr/src/linux
     #  make menuconfig

    Specify any options needed to support devices or facilities installed on your system. Also, specify the following SELinux-related options. Under Code Maturity, specify:

     Prompt for development and/or incomplete code/drivers

    Under Device Drivers, Character Devices, specify:

     Unix98 PTY
     No Legacy (BSD) PTY support

    Under File systems, specify:

     Second extended fs support
     Ext2 extended attributes
     Ext2 security labels
     Ext3 journalling file system support
     Ext3 extended attributes
     Ext3 security labels

    Do not specify POSIX access control lists for either ext2 or ext3.

    Under Pseudo filesystems, specify:

     /dev/pts Extended Attributes
     /dev/pts Security labels

    Do not specify:

     /dev file system support

    Finally, under Security options, specify:

     Enable different security models
     Default Linux capabilities
     NSA SELinux
     NSA SELinux boot parameter
     NSA SELinux Development support

    Do not specify:

     Socket and networking security hooks
     NSA SELinux MLS policy

  8. Compile and install the kernel:

     #  make dep
     #  make clean bzImage modules modules_install
     #  cp /usr/src/linux/arch/i386/boot/bzImage /boot

  9. Add the following lines to /etc/fstab :

     none /selinux selinuxfs gid=5,mode=620 0 0
     none /dev/pts devpts    defaults       0 0

    The first line causes the system to automatically mount the SELinux pseudofilesystem during system startup. The second line causes the system to automatically mount the devpts pseudofilesystem. This is needed because the current release of Gentoo SELinux uses devpts rather than the Gentoo-default devfs pseudofilesystem.

  10. Edit /boot/grub/grub.conf , adding gentoo=nodevfs to the kernel line; for instance:

     kernel /bzImage root=/dev/hda3 gentoo=nodevfs

    If your system boots using LILO rather than GRUB, add append="gentoo=nodevfs" to the proper stanza within /etc/lilo.conf.


  11. Make two directories needed by SELinux:

     #  mkdir /selinux
     #  mkdir /sys

  12. Reboot the system.

  13. Merge packages required by SELinux:

     #  emerge libselinux checkpolicy policycoreutils
     #  emerge selinux-base-policy

  14. Load the precompiled SELinux policy:

     # cd /etc/security/selinux/src/policy
     # make load

  15. Merge packages modified to work with SELinux:

     # emerge baselayout coreutils findutils openssh \
         pam pam-login procps psmisc python-selinux shadow \
         util-linux

  16. Merge any of the following packages that are already installed:

     # emerge app-admin/logrotate
     # emerge sys-apps/vixie-cron
     # emerge sys-libs/pwdb

    vixie-cron is the only cron package compatible with SELinux. If you have another cron package installed, you should remove it and, optionally, replace it with vixie-cron.


  17. Remove the following packages:

     # emerge -C fileutils sh-utils textutils

  18. Compile and install the SELinux policy, and label the files:

     # cd /etc/security/selinux/src/policy
     # make install
     # make relabel

    Labeling the filesystem associates a security context with each existing file. As explained in Chapter 5, a file's security context identifies the SELinux user, role, and type of the file. The SELinux policy specifies the label to apply to each file.

    Unfortunately, it's not unusual for errors to appear during compilation of the SELinux policy. These are generally typographical errors or other gross errors in policy files specifying domains, such as domain/programs/*.te. To work around such errors, create the directory /etc/selinux/domain/programs/error, move any defective files to this directory, and remake the policy file. You may need to read material in the following several chapters of this book to successfully complete this process. You can also post a request for help on the SELinux mailing list, identified near the end of Chapter 1.


  19. If using GRUB, reinstall GRUB to the MBR:

     # grub
     grub> root (hd0,0)
     grub> setup (hd0)
     grub> quit

    If GRUB is installed to a location other than the MBR, or your system's /boot filesystem resides on a partition other than the first partition of the primary hard drive, see the Quick Start Guide for instructions.


  20. Reboot the system.

  21. Relabel the files again, to ensure that files created during rebooting are properly labeled:

     # cd /etc/security/selinux/src/policy
     # make relabel

    Your Gentoo SELinux system should now be ready for use. The information in the following chapters will help you better understand how to use, maintain, and improve it.
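As an added check that is not part of the book's procedure, the following POSIX shell script verifies three things the Gentoo steps above set up by hand: the kernel .config symbols behind the step 7 menu entries, the two /etc/fstab lines from step 9, and the gentoo=nodevfs parameter from step 10. The CONFIG_ names are my own mapping of the menu labels to the 2.6-era kernel symbols and should be treated as an assumption; the script name selinux-check.sh is hypothetical. File paths are passed as arguments, so it can be run against saved copies as well as the live files.

```shell
#!/bin/sh
# Added example (not from the book): sanity checks for the Gentoo SELinux
# procedure. Pass the kernel .config, /etc/fstab and the bootloader config
# as arguments; each check prints what is wrong and returns 1.
#
# Assumption: these CONFIG_ symbols are the 2.6-era names behind the
# menu entries listed in step 7.
REQUIRED_CONFIG="CONFIG_EXPERIMENTAL CONFIG_UNIX98_PTYS
CONFIG_EXT2_FS CONFIG_EXT2_FS_XATTR CONFIG_EXT2_FS_SECURITY
CONFIG_EXT3_FS CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY
CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY
CONFIG_SECURITY CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX
CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_SECURITY_SELINUX_DEVELOP"

# Entries step 7 says to leave unset.
FORBIDDEN_CONFIG="CONFIG_LEGACY_PTYS CONFIG_EXT2_FS_POSIX_ACL
CONFIG_EXT3_FS_POSIX_ACL CONFIG_DEVFS_FS CONFIG_SECURITY_NETWORK
CONFIG_SECURITY_SELINUX_MLS"

# config_set FILE SYMBOL: true when SYMBOL is built in (=y) or a module (=m)
config_set() {
    grep -q '^'"$2"'=[ym]$' "$1"
}

# check_kernel_config FILE: report every symbol that is missing or must be off
check_kernel_config() {
    bad=0
    for sym in $REQUIRED_CONFIG; do
        config_set "$1" "$sym" || { echo "missing: $sym"; bad=$((bad + 1)); }
    done
    for sym in $FORBIDDEN_CONFIG; do
        config_set "$1" "$sym" && { echo "must be off: $sym"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# check_fstab FILE: require the selinuxfs and devpts mounts from step 9,
# ignoring commented-out lines
check_fstab() {
    awk '$1 !~ /^#/ && $2 == "/selinux" && $3 == "selinuxfs" { s = 1 }
         $1 !~ /^#/ && $2 == "/dev/pts" && $3 == "devpts"    { d = 1 }
         END {
             if (!s) print "fstab: no selinuxfs entry for /selinux"
             if (!d) print "fstab: no devpts entry for /dev/pts"
             if (s && d) exit 0
             exit 1
         }' "$1"
}

# check_boot_param FILE: gentoo=nodevfs must appear on a GRUB "kernel" line
# or inside a LILO append="..." value
check_boot_param() {
    if grep -Eq '^[[:space:]]*(kernel[[:space:]]|append=).*gentoo=nodevfs' "$1"; then
        return 0
    fi
    echo "bootloader: gentoo=nodevfs not found in $1"
    return 1
}

# run_checks CONFIG FSTAB BOOTCFG: run all three, fail if any of them failed
run_checks() {
    rc=0
    check_kernel_config "$1" || rc=1
    check_fstab "$2" || rc=1
    check_boot_param "$3" || rc=1
    return $rc
}

# Usage (hypothetical script name):
#   ./selinux-check.sh /usr/src/linux/.config /etc/fstab /boot/grub/grub.conf
if [ "$#" -eq 3 ]; then
    run_checks "$@"
fi
```

Run it before the first reboot in step 12 and again after step 21; a missing security-label option is far cheaper to catch from the .config than from a filesystem that refuses to hold labels after "make relabel".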

3.5.3 RPM-Based Distributions

Installing SELinux using RPM packages is fast and convenient, and, assuming the packages are fully compatible with the target system, effective as well. SELinux RPM packages are available for two Linux releases: Red Hat Enterprise Linux and SUSE Linux.

3.5.3.1 Red Hat Enterprise Linux

At one time, Red Hat engineer Dan Walsh, who's a member of the team responsible for implementing SELinux under Fedora Core 2, made SELinux binary and source RPM packages for RHEL3 available on his FTP site, ftp://people.redhat.com/. However, the packages available there at the time of writing are not fully compatible with RHEL3; they have dependencies that neither the packages on the site nor the RHEL3 release satisfy.

Those who are handy with source RPMs can likely hack the packages available at ftp://people.redhat.com/dwalsh/SELinux/srpms/ to work with RHEL3, by tweaking them a bit and by installing updated versions of Autoconf, Automake, and other source code tools available under Fedora Core 2. Alternatively, it's possible to install Fedora Core 2 binary packages that satisfy the dependencies. I have installed SELinux on RHEL3 using both approaches. Nevertheless, I do not include instructions here for doing so, for two reasons:

  • At the time of writing, the packages are being regularly updated due to ongoing work for Fedora Core 2. Therefore, it's not possible to provide step-by-step instructions that can be expected to be accurate at the time of this book's publication.

  • Notwithstanding that the SELinux packages for RHEL3 were made by a Red Hat engineer, Red Hat does not support SELinux under RHEL3. Therefore, installation by a user of SELinux under RHEL3 would likely void the user's support agreement with Red Hat.

Those who want to use SELinux with RHEL are likely better served by installing a beta or production release of RHEL4, which should be available by the time of publication of this book.

3.5.3.2 SUSE Linux

The latest SUSE Professional Linux release available at the time of writing, SUSE Professional Linux 9.1, includes an SELinux-capable Linux kernel and SELinux-patched utilities. However, the distribution reportedly does not include the SELinux tools and includes a very old version of the SELinux sample policy. Consistent with that report, searching the SUSE web site for the word SELinux did not return any information about SELinux and SUSE 9.1. And a web search failed to turn up information about using SELinux with SUSE 9.1. However, a Novell representative has announced that a forthcoming SUSE Linux release will include a fully supported implementation of SELinux.

SELinux RPM packages for SUSE 8.2 have been independently released by Paul Dwerryhouse, a system and network engineer employed at the time of this writing by Versatel b.v., in Amsterdam, the Netherlands. His work is available at http://leapster.org/linux/selinux/suse.

To install SELinux under SUSE 8.2 using Paul's packages, you must download and install:

  • His modified kernel (or download his kernel patches and apply them against Linux 2.4).

  • His modified initrd.

  • His userspace RPM packages, of which there are currently 27. These are available individually, or combined within a single 78 MB tarball.

Paul provides special instructions for installing his kernel. He also cautions not to use his kernel on production hosts, since, as Paul himself explains it, he "cheated in a couple of places when porting the SELinux patch to [the Linux 2.4] kernel," by removing the variable HZ feature and taking other shortcuts.

SELinux for SUSE 8.2 is not officially supported by SUSE. Users who install SELinux under SUSE 8.2 may void any support agreement with SUSE.


Those interested in using SELinux with SUSE may find helpful information on the SELinux Wiki and file repository maintained by Tom Vogt and others. The Wiki is available at http://www.securityenhancedlinux.de, and the file repository is available at http://selinux.lemuria.org. Much of the information in the Wiki is in German, the native language of many SUSE users and developers.



SELinux. NSA's Open Source Security Enhanced Linux
ISBN: 0596007167
Year: 2003
Authors: Bill McCarty
