
Advice on adding SELinux to Debian Live



(Sorry if some pieces explained here seem too obvious for the regular users of the Debian Live list. I am recycling a former email sent to a non Debian Live person.)

1) Introduction

1.1) I develop Rescatux ( http://www.supergrubdisk.org/rescatux/ ), which is a live CD aimed at rescue tasks.
1.2) Rescatux is based on Debian Live ( http://live.debian.net/ ).
1.3) Debian Jessie (current Debian stable version) supports SELinux if you install some packages from sid (Debian unstable branch). What I mean by "supports SELinux" is that you can use it from a Debian installation.

2) SELinux permission problems on Fedora / CentOS / RHEL systems.

Rescatux has many options for interacting, from itself (as a Debian Live CD), with installed systems.
E.g. you can change the root password easily.

These operations involve modifying the /etc/shadow file.

As Rescatux does not currently support SELinux, the /etc/shadow file loses its default SELinux permissions.

As you might know, the consequence is that if you did that on a Fedora installation in SELinux enforcing mode, the next time you try to log in to your system as root (and actually as other users too) it will fail. Why? Because SELinux refuses to let whatever library handles login read the /etc/shadow file.

3) As Rescatux is a Debian Live based system, I want to add SELinux support to Debian Live in order to have SELinux support in Rescatux and avoid these problems.

The final target is to have SELinux support and then change the selinux policy for the chrooted system's one. As mjg59 suggested in the fedora-devel chat, it's just a matter of running: semodule -R (inside the chroot, I guess), which does it.

4) What have I done so far?

4.1) I have added Debian SELinux packages
(
+ libapol4 \
+ libqpol1 \
+ policycoreutils \
+ python-ipy \
+ python-selinux \
+ python-semanage \
+ python-sepolgen \
+ python-sepolicy \
+ python-setools \
+ selinux-utils \
+ selinux-basics \
+ auditd \
)

to both the binary and chroot parts of Debian Live (binary is what goes into the final ISO itself and chroot is what's inside the squashfs).

4.2) When I boot from Rescatux I add these parameters to the kernel boot command line: selinux=1 enforcing=0.

4.3) I have also modified Debian Live to enforce SELinux. (Not fully successfully, but I have done it.)

(This is where I got inspiration from Fedora's livecd-tools: https://github.com/rhinstaller/livecd-tools , specifically https://github.com/rhinstaller/livecd-tools/blob/master/imgcreate/creator.py .)

4.3.1) Make sure the directory which is going to be converted (into the squashfs) has SELinux permissions, thanks to:

+ setfiles -F -r chroot /etc/selinux/default/contexts/files/file_contexts chroot
+ chcon -u system_u chroot/proc
+ chcon -u system_u chroot/sys

4.3.2) Make sure mksquashfs puts the SELinux permissions into the big squashfs file (I have checked and it's true that they are there).

+ MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -xattrs"

5) So, well, the problem is that after all these changes Rescatux refuses to boot in SELinux mode, so I cannot load any policy manually and thus the SELinux permission problems persist.

6) What am I missing?

Is there anything about how livecd-tools prepares the live CD that I am missing? Something that has to be inside the initrd that does not come by default in the Debian or Debian Live initrds?

Thank you very much for any insight you might have.

7) Annex A. Rescatux updates:

Jessie branch: http://sourceforge.net/p/rescatux/git/ci/jessie/tree/
Commit: 9f74111d7c5222a739054af1900784481f6496c3

8) Annex B. Debian Live update:

tmp-selinux branch: https://github.com/adrian15/live-build/tree/tmp-selinux
Commit: 42a8f50690be1153285dc8841ec532ac2281e27d


adrian15
--
Support free software. Donate to Super Grub Disk. Apoya el software libre. Dona a Super Grub Disk. http://www.supergrubdisk.org/donate/
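The labelling step in 4.3.1 depends on how setfiles matches every path under the chroot against the file_contexts database: the chroot prefix given with -r is stripped first, the regexes are anchored at both ends, an optional file-type field (-- regular file, -d directory, -l symlink, ...) restricts an entry, <<none>> means "leave unlabelled", and when several entries match, the last one in the file wins. The following Python model of that lookup, plus the user-field rewrite that chcon -u system_u performs, is an added example written for this list post; it is not code from Rescatux, live-build or livecd-tools, the file_contexts excerpt is constructed for illustration, and the function names are mine.

```python
import re

# Constructed file_contexts excerpt in the format setfiles reads:
#   REGEX [FILETYPE] CONTEXT     (FILETYPE: -- regular file, -d dir, -l symlink, ...)
# The contexts are sample values for illustration, not Debian's default policy.
SAMPLE_FILE_CONTEXTS = """
/.*                 system_u:object_r:default_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/etc/shadow.*   --  system_u:object_r:shadow_t:s0
/proc           -d  <<none>>
/proc/.*            <<none>>
"""

def parse_file_contexts(text):
    """Return (compiled regex, file type or None, context) triples in file order."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None        # no type field: any file type
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile(regex), ftype, ctx))
    return specs

def match_context(specs, path, ftype="--", root=None):
    """Context for PATH ('<<none>>' = leave unlabelled), or None if nothing matches."""
    # 'setfiles -r chroot' strips the chroot prefix first: chroot/etc/shadow matches as /etc/shadow
    if root:
        root = root.rstrip("/")
        if path == root or path.startswith(root + "/"):
            path = path[len(root):] or "/"
    for regex, spec_type, ctx in reversed(specs):     # last matching entry wins
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.fullmatch(path):                     # regexes are anchored at both ends
            return ctx
    return None

def with_user(context, user):
    """What 'chcon -u USER' does: replace only the user field of user:role:type:level."""
    fields = context.split(":", 3)
    fields[0] = user
    return ":".join(fields)
```

Running match_context over the real /etc/selinux/default/contexts/files/file_contexts is a quick way to check what label a given file in the chroot should end up with before trusting getfattr output on the squashfs.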

