SELinux Support for Hardy

Caleb Case ccase at tresys.com
Wed Feb 6 04:49:30 GMT 2008 

SELinux Support for Hardy

*** WARNING: EXPERIMENTAL! TESTING/DEVELOPMENT ONLY! ***

Hey everybody!

We've been really busy getting SELinux support ready for Hardy and it is now
possible to boot into an SELinux enabled Hardy using the packages that are
available in the Ubuntu-Hardened PPA on launchpad.

Installing SELinux in Hardy:

 1. Update /etc/apt/sources.list by appending the following:

    deb http://ppa.launchpad.net/ubuntu-hardened/ubuntu hardy main
    deb-src http://ppa.launchpad.net/ubuntu-hardened/ubuntu hardy main

 2. Using your favorite dpkg manager (e.g. aptitude):
    * Update repo
    * Install updated packages:
      * libpam0g [1]
      * openssh-server [2]
      * grub [3]
    * Remove apparmor [4]
    * Remove apparmor-utils [4]
    * Install selinux
    * Install selinux-policy-refpolicy [5]
    * Remove auto-recommended install of selinux-policy-dummy [5]
    * (Commit changes)

 3. Configure /etc/selinux/config:
    * Change SELINUX=enforcing to SELINUX=permissive [6]

 4. Reboot

[1] PAM was using a deprecated method of handling login contexts
<https://bugs.launchpad.net/ubuntu/+source/pam/+bug/187822>. The updated package
fixes this problem by backporting changes in upstream.

[2] OpenSSH Server autoconf scripts were failing to detect the libselinux
functions getseuserbyname and get_default_context_with_level
<https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/188136>. The updated
package fixes the configure bug by correctly setting LIBS before calling
AC_CHECK_FUNCS.

[3] Grub's update-grub lacks a trigger (and update-grub cannot be called
directly due to nested debconf issues). In order to seamlessly switch between
AppArmor and SELinux we need to reconfigure the menu.lst's defoptions. This
patch adds an explicit trigger for update-grub.

[4] apparmor and apparmor-utils need to be removed separately due to a recommend
in ubuntu-standard for apparmor-utils. If just apparmor is removed, then the
auto-resolution attempts to remove ubuntu-standard.

[5] selinux-policy-dummy is auto-picked when selinux is installed. It would be
better if selinux-policy-refpolicy was auto-picked instead and the dummy package
was a second choice. ;o} Suggestions on how to make that happen are very
welcome!

[6] At this time the system will fail to boot in enforcing mode. This will, of
course, be fixed.

More information about the ubuntu-devel mailing list