[ubuntu-hardened] Re: [selinux] HOWTO Install SELinux on Ubuntu

Lorenzo Hernandez Garcia-Hierro lorenzo at gnu.org
Tue May 10 14:28:14 CDT 2005

On Tue, 10-05-2005 at 15:13 -0400, Brian T. Sniffen wrote:
> Thanks for writing this up.  I tried to follow the instructions on an
> Ubuntu machine, but had serious problems:

First, many thanks for testing and I'm glad that it's helpful even if
some things need to be worked out ;)

> * The basic packages (e.g., coreutils) installed fine.  I had some
>   difficulties with the selinux-aware PAM 0.78 packages: they
>   complained about a missing module in pam_authenticate.  It was
>   somewhat annoying to debug this, since it caused login and sudo to
>   fail.  I never did solve this problem, because I gave up on:

Well, Andrew Mitchell has fixed the packages but until we upload them to
pearls.tuxedo-es.org and refresh the repository, I've removed the PAM
packages from the apt-get'able repository, and moved them into:

> * The selinux-policy-targeted package in your suggested repository fails to
>   install.  There is no appconfig directory.

I'll check. The package is to be updated as of the forthcoming new
upstream release, among that the policies are still under development
and possibly we may use binary policy modules as shown in the diagram at

Much like Gentoo does but using pre-compiled policies.

> * The selinux-policy-default package also fails to install.  There are
>   many .te files without corresponding .fc files.  The postinst script
>   exits with status 1, apparently failing to copy policy/default to
>   policy/current.

-default which is to be renamed to -strict, is maintained by Russell
Coker, thus, it's refreshed eventually from Debian repositories.
Among those issues, the configuration method needs to be reworked too.

> * Those two policy packages conflict in practice, but have neither
>   diversions nor explicit Conflict headers.

Right, it's to be fixed after -default gets renamed to -strict, and
-default gets converted to a meta-package depending on the final /
approved default policy, among -server and -desktop packages depending
on -strict and -targeted respectively.

> * There is no selinux-support package in your selinux/ubuntu apt
>   repository---only over in selinux/debian.

Right, even if it's "Ubuntu'ized" (version depends and the like).
Thanks for pointing this out too.

> This looks like a great project---I'd be very happy to have a second
> Desktop SE Linux project for which to develop in parallel with Fedora.
> It would help, I think, resolve what are elements of a Desktop SE
> Linux install, and what features are really Red Hat's, not necessary
> to SE Linux.

Right, there's a need of deployment for a well designed and implemented
containment/confinement model and SELinux fits all the needs of a
project of the dimension of Ubuntu Linux.

A specification regarding such deployment and development is in the
writing process, to be released soon (well, I had a few issues that
stopped me from finishing it in the expected time, I apologize).

> But right now, I don't think it's ready for prime time.  Since
> unhorking a machine with broken PAM is a bit tricky, perhaps you could
> add a note to the top of your web page explaining that the following
> instructions may break your machine, and to be exceptionally careful
> about having a backout-path before attempting them.

The PAM thing is quite weird, right. Hopefully, fixed packages will get
uploaded soon.

You can feel free to add anything you want to the HOWTO. I will add the

Many thanks again for all the comments and testing, hope to see you here
for a long while ;)

Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]