[ubuntu-hardened] SELinux Support for Hardy
Caleb Case
ccase at tresys.com
Wed Feb 6 06:18:23 GMT 2008
On Feb 5, 2008 11:49 PM, Caleb Case <ccase at tresys.com> wrote:
> SELinux Support for Hardy
>
> *** WARNING: EXPERIMENTAL! TESTING/DEVELOPMENT ONLY! ***
>
> Hey everybody!
>
> We've been really busy getting SELinux support ready for Hardy and it is now
> possible to boot into an SELinux enabled Hardy using the packages that are
> available in the Ubuntu-Hardened PPA on launchpad.
>
> Installing SELinux in Hardy:
>
> 1. Update /etc/apt/sources.list by appending the following:
>
> deb http://ppa.launchpad.net/ubuntu-hardened/ubuntu hardy main
> deb-src http://ppa.launchpad.net/ubuntu-hardened/ubuntu hardy main
>

The sources are available at:
https://code.launchpad.net/~calebcase/+junk/selinux-support

> 2. Using your favorite dpkg manager (e.g. aptitude):
>     * Update repo
>     * Install updated packages:
>         * libpam0g [1]
>         * openssh-server [2]
>         * grub [3]
>     * Remove apparmor [4]
>     * Remove apparmor-utils [4]
>     * Install selinux
>     * Install selinux-policy-refpolicy [5]
>     * Remove auto-recommended install of selinux-policy-dummy [5]
>     * (Commit changes)
>
> 3. Configure /etc/selinux/config:
>     * Change SELINUX=enforcing to SELINUX=permissive [6]
>
> 4. Reboot
>
> [1] PAM was using a deprecated method of handling login contexts
> <https://bugs.launchpad.net/ubuntu/+source/pam/+bug/187822>. The updated package
> fixes this problem by backporting changes in upstream.
>
> [2] OpenSSH Server autoconf scripts were failing to detect the libselinux
> functions getseuserbyname and get_default_context_with_level
> <https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/188136>. The updated
> package fixes the configure bug by correctly setting LIBS before calling
> AC_CHECK_FUNCS.
>
> [3] Grub's update-grub lacks a trigger (and update-grub cannot be called
> directly due to nested debconf issues). In order to seamlessly switch between
> AppArmor and SELinux we need to reconfigure the menu.lst's defoptions. This
> patch adds an explicit trigger for update-grub.
>
> [4] apparmor and apparmor-utils need to be removed separately due to a recommend
> in ubuntu-standard for apparmor-utils. If just apparmor is removed, then the
> auto-resolution attempts to remove ubuntu-standard.
>
> [5] selinux-policy-dummy is auto-picked when selinux is installed. It would be
> better if selinux-policy-refpolicy was auto-picked instead and the dummy package
> was a second choice. ;o} Suggestions on how to make that happen are very
> welcome!
>
> [6] At this time the system will fail to boot in enforcing mode. This will, of
> course, be fixed.
>
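
A pre-reboot check for steps 1 and 3 of the quoted instructions, added here as an example and not part of the original post or the PPA's packages: it confirms the PPA `deb` line is active and that `SELINUX=` resolves to `permissive`, since note [6] says enforcing mode fails to boot. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity check to run before step 4 (reboot).

# Print the effective SELINUX= value from a config file. Commented lines are
# ignored, SELINUXTYPE= is not mistaken for SELINUX=, last assignment wins.
selinux_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if the sources file has an active "deb" (not only "deb-src") line
# for the ubuntu-hardened PPA named in step 1.
has_ppa() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+http://ppa\.launchpad\.net/ubuntu-hardened/ubuntu[[:space:]]+hardy[[:space:]]+main' "$1"
}

# Return 0 only if both conditions from the post hold; report each failure.
preflight() {
    config=$1
    sources=$2
    rc=0
    mode=$(selinux_mode "$config")
    if [ "$mode" != "permissive" ]; then
        echo "FAIL: SELINUX=${mode:-unset} in $config (enforcing will not boot, see [6])"
        rc=1
    fi
    if ! has_ppa "$sources"; then
        echo "FAIL: ubuntu-hardened PPA deb line missing from $sources"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: permissive mode set and PPA configured"
    fi
    return "$rc"
}

# Constructed sample files (not taken from a real system) to exercise the check.
demo=$(mktemp -d)
printf '%s\n' '# SELINUX=enforcing' 'SELINUX=permissive' \
    'SELINUXTYPE=refpolicy' > "$demo/config"
printf '%s\n' 'deb http://ppa.launchpad.net/ubuntu-hardened/ubuntu hardy main' \
    'deb-src http://ppa.launchpad.net/ubuntu-hardened/ubuntu hardy main' \
    > "$demo/sources.list"
preflight "$demo/config" "$demo/sources.list"
rm -rf "$demo"
```

On a real system the call would be `preflight /etc/selinux/config /etc/apt/sources.list`.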