
Re: getting started with SELinux



On Fri, 28 Nov 2003 22:03, Forrest L Norvell <ogd@aoaioxxysz.net> wrote:
> /usr/bin/checkpolicy -o policy policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> ERROR 'attribute file_type is not declared' at token ';' on line 867:
> #
> type device_t, file_type;
> /usr/bin/checkpolicy:  error(s) encountered while parsing

That should be declared at about line 200 in attrib.te.

Try the following:
cd /etc/selinux
make clean
make load

>  2. When I attempt to boot into my SELinux kernel (all packages,
>     versions, and kernel configuration options at the end of this
>     message), I get an error about being unable to find
>     /usr/bin/load_policy, even with an initrd that uses the script
>     provided by selinux-default-policy. Is there anything special I
>     need to know about building the initrd? I imagine this may be

Sounds like you have /usr on a separate file system.  If you upgrade to 
sysvinit 2.85-7.se3 then it should work.

> un  libselinux-dev        <none>                (no description available)
> ii  libselinux1           1.2-1.1               SELinux shared libraries
> un  libselinux1-dev       <none>                (no description available)
> un  old-selinux-policy    <none>                (no description available)
> ii  selinux               2003081307-8          Management utilities for

"selinux" should be removed, it is for the old SE Linux.  It should have been 
removed automatically because it conflicts with the new packages.

> CONFIG_SECURITY_DTE=y

You don't want this.  See the attached document (which will be in the next 
version of the kernel-patch-2.4-lsm package).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
kernel-patch-2.4-lsm for Debian
-------------------------------------

This patch supplies the Linux Security Modules.  It is needed for NSA Security
Enhanced Linux (among other things).

To apply the patch automatically, set PATCH_THE_KERNEL=YES before the first
run of make-kpkg (from the kernel-package package); run "make-kpkg clean" to
remove it.

When configuring your kernel do the following:
        (Under Networking Options, enable Network Packet Filtering.
         Under Security Options, enable Capabilities and enable
         both IP Networking and SELinux as built-in options.)

This means having the following in your /usr/src/linux/.config:
CONFIG_NETFILTER=y
CONFIG_INET=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y

This release of SE Linux depends on extended attributes (xattrs).  For the
Ext3 file system use the following settings:
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_SECURITY=y

The options CONFIG_EXT3_FS_XATTR_USER and CONFIG_EXT3_FS_XATTR_TRUSTED are
not required for SE Linux, but do not do any harm either.

For the DEVPTS file system (required as the new SE Linux does not support
devfs or the old-style /dev/pty devices) the following options are needed:
CONFIG_DEVPTS_FS=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y

In the recent kernel patches MLS should be functional, but I have never tested
it...

Also note that the labeled networking code is experimental, and that SE Linux
currently doesn't stack with the other security modules (so turn off OpenWall
and LIDS if you plan to use SE Linux).

The CONFIG_SECURITY_SELINUX_DEVELOP config option allows you to turn SE Linux
enforcement on and off at run time.  I recommend that you use it when first
trying SE Linux (otherwise policy mistakes may prevent your machine from
booting).

The CONFIG_SECURITY_SELINUX_BOOTPARAM config option allows you to entirely
disable the SE Linux code.  If you have development mode turned on and boot
with no policy then the machine will give the same behaviour as a non-SE
machine, but there will be a small (maybe 2%) performance hit.  If you
enable this option and boot with "selinux=0" appended to the kernel command
line then SE Linux will be entirely disabled and the performance hit will be
removed.

If you want to use User-Mode-Linux (UML) with SE Linux then you need to apply
the UML kernel patch, the LSM kernel patch, and an additional patch that can
be found on http://www.coker.com.au/uml/ .

Feel free to ask me if you have any queries about how to do this properly.
Russell Coker
russell@coker.com.au
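The kernel-patch-2.4-lsm notes above give a list of .config options that must be
built in, one that the original poster had enabled by mistake
(CONFIG_SECURITY_DTE), and two that are worth turning on while first trying
SE Linux.  The following script is an added example, not part of the original
mail or of Russell's packages: it checks a .config file against exactly that
list before you run make-kpkg, so a conflicting or missing option is caught at
build time rather than on the first boot.  The two sample .config fragments it
writes are constructed for the demonstration and are not from a real machine;
the function and variable names are the script's own.

```shell
#!/bin/sh
# Check a 2.4 kernel .config against the option list from the
# kernel-patch-2.4-lsm README.  Added example, not from the original mail.

# Options the README says must be built in (=y).
LSM_REQUIRED="CONFIG_NETFILTER CONFIG_INET CONFIG_SECURITY
CONFIG_SECURITY_NETWORK CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX
CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_XATTR_SHARING CONFIG_EXT3_FS_SECURITY
CONFIG_DEVPTS_FS CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY"

# Options that must not be enabled: DTE (the poster's setting) and
# ROOTPLUG, which the README leaves unset.
LSM_FORBIDDEN="CONFIG_SECURITY_DTE CONFIG_SECURITY_ROOTPLUG"

# Options the README recommends while first trying SE Linux.
LSM_RECOMMENDED="CONFIG_SECURITY_SELINUX_DEVELOP CONFIG_SECURITY_SELINUX_BOOTPARAM"

# config_is_y FILE OPTION: true if the line "OPTION=y" appears in FILE.
config_is_y() {
    grep -q "^$2=y\$" "$1"
}

# check_lsm_config FILE: print one line per problem.  Returns 0 only if
# every required option is =y and no forbidden option is =y; a missing
# recommended option is reported as a warning and does not fail the check.
check_lsm_config() {
    cfg=$1
    rc=0
    for opt in $LSM_REQUIRED; do
        if ! config_is_y "$cfg" "$opt"; then
            echo "MISSING   $opt=y"
            rc=1
        fi
    done
    for opt in $LSM_FORBIDDEN; do
        if config_is_y "$cfg" "$opt"; then
            echo "CONFLICT  $opt=y (disable it)"
            rc=1
        fi
    done
    for opt in $LSM_RECOMMENDED; do
        config_is_y "$cfg" "$opt" || echo "WARN      $opt not set"
    done
    return $rc
}

# write_sample_config FILE good|bad: constructed .config fragments used only
# to demonstrate the checker (not copied from a real kernel tree).  The
# "bad" one reproduces the poster's CONFIG_SECURITY_DTE=y and also leaves
# out the ext3 security xattr option.
write_sample_config() {
    {
        for opt in $LSM_REQUIRED $LSM_RECOMMENDED; do
            if [ "$2" = bad ] && [ "$opt" = CONFIG_EXT3_FS_SECURITY ]; then
                echo "# $opt is not set"
            else
                echo "$opt=y"
            fi
        done
        if [ "$2" = bad ]; then
            echo "CONFIG_SECURITY_DTE=y"
        else
            echo "# CONFIG_SECURITY_DTE is not set"
        fi
        echo "# CONFIG_SECURITY_ROOTPLUG is not set"
    } > "$1"
}

# Demonstration on the two constructed samples.
demo_dir=${TMPDIR:-/tmp}/lsm-config-demo.$$
mkdir -p "$demo_dir"
write_sample_config "$demo_dir/good.config" good
write_sample_config "$demo_dir/bad.config" bad
echo "== good.config"
check_lsm_config "$demo_dir/good.config" && echo "OK: ready for make-kpkg"
echo "== bad.config"
check_lsm_config "$demo_dir/bad.config" || echo "fix .config before make-kpkg"
rm -rf "$demo_dir"
```

To check a real tree, source the script and run
`check_lsm_config /usr/src/linux/.config`; a non-zero exit means at least one
MISSING or CONFLICT line was printed.  The check is a plain grep for
`OPTION=y`, so an option built as a module (`=m`) is reported as missing,
which matches the README's requirement that these be built-in.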
