[selinux] HOWTO Install SELinux on Ubuntu

[selinux] HOWTO Install SELinux on Ubuntu

[Lorenzo Hernández García-Hierro]

Hi,

I've written a HOWTO on SELinux installation for Ubuntu Linux, as many
users were requesting it and I thought it may be useful for all of us.

It's currently available at:
http://wiki.tuxedo-es.org/HOWTO_Install_SELinux_on_Ubuntu

If you want to edit something, feel free to do it, but it would be good
if you notify the changes to the list and comment on it.

Any suggestion, critic or recommendation will be appreciated.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [selinux] HOWTO Install SELinux on Ubuntu

[Brian T. Sniffen]

Lorenzo Hernández García-Hierro <lorenzo@gnu.org> writes:

> It's currently available at:
> http://wiki.tuxedo-es.org/HOWTO_Install_SELinux_on_Ubuntu
>
> If you want to edit something, feel free to do it, but it would be good

Thanks for writing this up.  I tried to follow the instructions on an
Ubuntu machine, but had serious problems:

* The basic packages (e.g., coreutils) installed fine.  I had some
  difficulties with the selinux-aware PAM 0.78 packages: they
  complained about a missing module in pam_authenticate.  It was
  somewhat annoying to debug this, since it caused login and sudo to
  fail.  I never did solve this problem, because I gave up on:

* The selinux-policy-targeted package in your suggested repository fails to
  install.  There is no appconfig directory.

* The selinux-policy-default package also fails to install.  There are
  many .te files without corresponding .fc files.  The postinst script
  exits with status 1, apparently failing to copy policy/default to
  policy/current.

* Those two policy packages conflict in practice, but have neither
  diversions nor explicit Conflict headers.

* There is no selinux-support package in your selinux/ubuntu apt
  repository---only over in selinux/debian.

This looks like a great project---I'd be very happy to have a second
Desktop SE Linux project for which to develop in parallel with Fedora.
It would help, I think, resolve what are elements of a Desktop SE
Linux install, and what features are really Red Hat's, not necessary
to SE Linux.

But right now, I don't think it's ready for prime time.  Since
unhorking a machine with broken PAM is a bit tricky, perhaps you could
add a note to the top of your web page explaining that the following
instructions may break your machine, and to be exceptionally careful
about having a backout-path before attempting them.

-Brian



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [selinux] HOWTO Install SELinux on Ubuntu

[Lorenzo Hernandez Garcia-Hierro]

[-- Attachment #1: Type: text/plain, Size: 3856 bytes --]

El mar, 10-05-2005 a las 15:13 -0400, Brian T. Sniffen escribió:
> Thanks for writing this up.  I tried to follow the instructions on an
> Ubuntu machine, but had serious problems:


First, many thanks for testing and I'm glad that it's helpful even if
some things need to be worked out ;)
> 
> * The basic packages (e.g., coreutils) installed fine.  I had some
>   difficulties with the selinux-aware PAM 0.78 packages: they
>   complained about a missing module in pam_authenticate.  It was
>   somewhat annoying to debug this, since it caused login and sudo to
>   fail.  I never did solve this problem, because I gave up on:

Well, Andrew Mitchell has fixed the packages but until we upload them to
pearls.tuxedo-es.org and refresh the repository, I've removed the PAM
packages from the apt-get'able repository, and moved them into:
http://pearls.tuxedo-es.org/selinux/ubuntu.wip/

> * The selinux-policy-targeted package in your suggested repository fails to
>   install.  There is no appconfig directory.

I'll check. The package is to be updated as of the forthcoming new
upstream release, among that the policies are still under development
and possibly we may use binary policy modules as shown in the diagram at
http://pearls.tuxedo-es.org/selinux/diagrams/selinux-binary-policies-1.png.

Much like Gentoo does but used pre-compiled policies.

> 
> * The selinux-policy-default package also fails to install.  There are
>   many .te files without corresponding .fc files.  The postinst script
>   exits with status 1, apparently failing to copy policy/default to
>   policy/current.

-default which is to be renamed to -strict, is maintained by Russell
Coker, thus, it's refreshed eventually from Debian repositories.
Among that issues, the configuration method needs to be reworked too.

> * Those two policy packages conflict in practice, but have neither
>   diversions nor explicit Conflict headers.

Right, it's to be fixed after -default gets renamed to -strict, and
-default gets converted to a meta-package depending on the final /
approved default policy, among -server and -desktop packages depending
on -strict and -targeted respectively.

> * There is no selinux-support package in your selinux/ubuntu apt
>   repository---only over in selinux/debian.

Right, even if it's "Ubuntu'ized" (version depends and the like).
Thanks for pointing this out too.

> This looks like a great project---I'd be very happy to have a second
> Desktop SE Linux project for which to develop in parallel with Fedora.
> It would help, I think, resolve what are elements of a Desktop SE
> Linux install, and what features are really Red Hat's, not necessary
> to SE Linux.

Right, there's a need of deployment for a well designed and implemented
containment/confinement model and SELinux fits all the needs of a
project of the dimension of Ubuntu Linux.

A specification regarding such deployment and development is in the
writing process, to be released soon (well, I had a few issues that
stopped me to finish it in the expected time, I apologize).

> But right now, I don't think it's ready for prime time.  Since
> unhorking a machine with broken PAM is a bit tricky, perhaps you could
> add a note to the top of your web page explaining that the following
> instructions may break your machine, and to be exceptionally careful
> about having a backout-path before attempting them.

The PAM thing is quite weird, right. Hopefully, fixed packages will get
uploaded soon.

You can feel free to add anything you want to the HOWTO. I will add the
note.

Many thanks again for all the comments and testing, hope to see you here
for a long while ;)

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]