[ubuntu-hardened] Setting up SELinux on Ubuntu Gutsy 7.10

[Chad Sellers]

On 12/10/07 2:34 PM, "Kees Cook" <kees at ubuntu.com> wrote:

> On Sun, Dec 09, 2007 at 02:22:24PM +0530, Ashish Shukla wrote:
>> I wanted to install SELinux on my Ubuntu 7.10 (amd64). Any HOWTOs or
>> pointers for setting up SELinux in Ubuntu 7.10.
>> 
>> And does 'upstart' supports SELinux, hmm... ?
> 
> This is being worked on in SELinux upstream, but I'm not sure what the present
> status is.  Anyone else on the list know if a release is pending yet?
> 
So I wish the status were further along, but this is what it is. I wrote a
small patch to load_policy to make it suitable for calling from initramfs.
That's been merged into upstream policycoreutils as of version 2.0.32. I
contacted Debian to see about getting it merged there, but haven't really
followed up much there.

Beyond that, there's still other integration efforts (automatically
modifying grub.conf to turn on SELinux, creating the initramfs script to
actually call load_policy) and policy. You should see more progress on this
in the coming weeks. The focus of this is to get SELinux ready for Hardy,
but we'll do our best to make sure to provide a way for Gutsy to use it as
well.

Right now, you can enable SELinux manually one of two ways. The first is to
swap out upstart for sysvinit. The second is to install the latest
policycoreutils from upstream and create an initramfs hook in your initrd to
call the new load_policy -i. Then you have to modify your grub.conf to pass
selinux=1 on the kernel command line. You probably also want to disable
loading of the AppArmor kernel module (as SELinux and AppArmor can't both be
enabled).

Christer is correct that the other problem is the policy. The current
policies were written for Debian, and don't entirely work on Ubuntu. So, the
only way to get SELinux enforcing right now is to do a good bit of SELinux
policy work yourself. Otherwise you'll have to wait a little bit till we get
a useable policy.

Thanks,
Chad Sellers