
2.6 and SE Linux



I have attached a copy of the README.Debian file from my kernel-patch-2.4-lsm 
package which documents the kernel configuration settings for using SE Linux.

I believe that Debian should do the same thing as Red Hat in terms of SE Linux 
kernel support.  That is, 2.6 kernels should be built with SE Linux support 
and let the user decide whether to enable it.  If the 
CONFIG_SECURITY_SELINUX_BOOTPARAM kernel option is enabled and you boot with 
"selinux=0" (or if the Debian kernel source was modified to make selinux=0 
the default and require selinux=1 to boot with SE Linux) then there is no 
performance cost to SE Linux.

The only cost for including SE Linux in the default kernel is a small amount 
of memory and a small amount of disk space for vmlinuz (both less than 50K 
last time I checked).

This has already been done in the 2.6.0-test kernels from Red Hat.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

kernel-patch-2.4-lsm for Debian
-------------------------------------

This patch supplies the Linux Security Modules.  It is needed for NSA Security
Enhanced Linux (among other things).

To apply the patch automatically, set PATCH_THE_KERNEL=YES before first running
make-kpkg (from the kernel-package package); run "make-kpkg clean" to remove it.

When configuring your kernel do the following:
        (Under Networking Options, enable Network Packet Filtering.
         Under Security Options, enable Capabilities and enable
         both IP Networking and SELinux as built-in options.)


This means having the following in your /usr/src/linux/.config:
CONFIG_NETFILTER=y
CONFIG_INET=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y

This release of SE Linux depends on extended attributes (XATTRs).  For the Ext3
file system use the following settings:
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_SECURITY=y

The options CONFIG_EXT3_FS_XATTR_USER and CONFIG_EXT3_FS_XATTR_TRUSTED are
not required for SE Linux, but do not do any harm either.

For the DEVPTS file system (required as the new SE Linux does not support
devfs or the old-style /dev/pty) the following options are needed:
CONFIG_DEVPTS_FS=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y

In the recent kernel patches MLS should be functional, but I have never tested
it...

Also note that the labeled networking code is experimental, and that SE Linux
currently doesn't stack with the other security modules (so turn off OpenWall
and LIDS if you plan to use SE Linux).

The CONFIG_SECURITY_SELINUX_DEVELOP config option allows you to turn the SE
Linux capabilities on and off at run time; I recommend that you use it when
first trying SE Linux (otherwise policy mistakes may prevent your machine from
booting).

The CONFIG_SECURITY_SELINUX_BOOTPARAM config option allows you to entirely
disable the SE Linux code.  If you have development mode turned on and boot
with no policy then the machine will give the same behaviour as a non-SE
machine, however there will be a small (maybe 2%) performance hit.  If you
enable this option and boot with "selinux=0" appended to the kernel command
line then SE Linux will be entirely disabled and the performance hit will be
removed.
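The following script is an added example, not part of the README or the kernel-patch-2.4-lsm package. It checks a kernel .config for the options the README lists above (the required ones for SE Linux on Ext3 with DEVPTS, plus the DEVELOP and BOOTPARAM options it recommends), and shows how the "selinux=0" boot parameter only takes effect when CONFIG_SECURITY_SELINUX_BOOTPARAM is built in. The function names, and the sample .config files it writes into a temporary directory, are constructed for the demonstration; only the option names come from the README.

```shell
#!/bin/sh
# Added example (not from the README): verify that a .config has the SE Linux
# options the README lists, and report how the selinux= boot parameter would
# affect a given kernel command line.

# Options the README says must be built in (=y) for SE Linux on Ext3/DEVPTS.
REQUIRED_OPTIONS="CONFIG_NETFILTER CONFIG_INET CONFIG_SECURITY \
CONFIG_SECURITY_NETWORK CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX \
CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_XATTR_SHARING CONFIG_EXT3_FS_SECURITY \
CONFIG_DEVPTS_FS CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY"

# Options the README recommends while first trying SE Linux.
RECOMMENDED_OPTIONS="CONFIG_SECURITY_SELINUX_DEVELOP CONFIG_SECURITY_SELINUX_BOOTPARAM"

# check_selinux_config <.config>: print the required options that are absent,
# "is not set", or only modular (=m). Returns 0 only when all of them are =y.
# Missing recommended options are reported as notes on stderr.
check_selinux_config() {
    config="$1"
    missing=""
    for opt in $REQUIRED_OPTIONS; do
        grep -q "^${opt}=y\$" "$config" || missing="$missing $opt"
    done
    for opt in $RECOMMENDED_OPTIONS; do
        grep -q "^${opt}=y\$" "$config" ||
            echo "note: $opt not enabled (recommended by the README)" >&2
    done
    if [ -n "$missing" ]; then
        echo "required options not built in:$missing"
        return 1
    fi
    echo "all required SE Linux options are built in"
    return 0
}

# selinux_boot_state <.config> <kernel command line>: print "disabled" when
# the SE Linux code would be switched off entirely, i.e. the kernel was built
# with CONFIG_SECURITY_SELINUX_BOOTPARAM=y and the command line carries
# "selinux=0"; otherwise print "enabled".
selinux_boot_state() {
    config="$1"
    cmdline="$2"
    if grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y$' "$config"; then
        case " $cmdline " in
            *" selinux=0 "*) echo "disabled"; return 0 ;;
        esac
    fi
    echo "enabled"
}

# Constructed sample .config fragments (hypothetical, for the demonstration).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
GOOD_CFG="$TMPD/good.config"     # everything the README asks for
BAD_CFG="$TMPD/bad.config"       # SELinux as a module, Ext3 security xattrs off
NOBOOT_CFG="$TMPD/noboot.config" # no BOOTPARAM support, so selinux=0 is ignored
for opt in $REQUIRED_OPTIONS $RECOMMENDED_OPTIONS; do
    echo "$opt=y"
done > "$GOOD_CFG"
sed -e 's/^CONFIG_SECURITY_SELINUX=y$/CONFIG_SECURITY_SELINUX=m/' \
    -e 's/^CONFIG_EXT3_FS_SECURITY=y$/# CONFIG_EXT3_FS_SECURITY is not set/' \
    "$GOOD_CFG" > "$BAD_CFG"
grep -v '^CONFIG_SECURITY_SELINUX_BOOTPARAM=' "$GOOD_CFG" > "$NOBOOT_CFG"

# Demonstration run.
check_selinux_config "$GOOD_CFG"
check_selinux_config "$BAD_CFG" || echo "(bad.config rejected)"
echo "good.config, 'root=/dev/hda1 ro selinux=0': $(selinux_boot_state "$GOOD_CFG" "root=/dev/hda1 ro selinux=0")"
echo "noboot.config, 'root=/dev/hda1 ro selinux=0': $(selinux_boot_state "$NOBOOT_CFG" "root=/dev/hda1 ro selinux=0")"
```

Run it against a real tree with check_selinux_config /usr/src/linux/.config; the boot-state check is the reason the README recommends CONFIG_SECURITY_SELINUX_BOOTPARAM, since without it "selinux=0" on the command line does nothing and a development-mode kernel still pays the small hit described above.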

If you want to use User-Mode-Linux (UML) with SE Linux then you need to apply
the UML kernel patch, the LSM kernel patch, and an additional patch that can
be found on http://www.coker.com.au/uml/ .

Feel free to ask me if you have any queries about how to do this properly.
Russell Coker
russell@coker.com.au
