Russell Coker’s Documents

14 Aug

Installing SE Linux on Debian/Lenny

Currently Debian/Lenny contains all packages needed to run SE Linux. Development continues so there are periodic updates which sit in Unstable for a while before migrating to Lenny (testing).

I have set up my own APT repository for SE Linux packages. This has packages that need newer versions than in Lenny but which will be in Lenny eventually (which includes the latest policy packages) as well as my own modified packages to fix bugs that won’t be fixed in Lenny. After Lenny is released I will maintain the repository for i386 and AMD64 for bug fixes and new features above what is in Lenny.

gpg --keyserver hkp://subkeys.pgp.net --recv-key F5C75256
gpg -a --export F5C75256 | apt-key add -

To enable the use of my repository you must first run the above two commands to retrieve and install my GPG key (take appropriate measures to verify that you have the correct key).
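One way to carry out the key verification mentioned above, as an added example that is not part of the original post. A short ID such as F5C75256 is only 32 bits and other keys can share it, so the check compares the full fingerprint and refuses to continue if more than one key matches. EXPECTED_FPR is a placeholder, and the helper names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. EXPECTED_FPR is a placeholder:
# obtain the real 40-hex-digit fingerprint from the key owner out of band.
EXPECTED_FPR="REPLACE-WITH-FINGERPRINT-OBTAINED-OUT-OF-BAND"

# Upper-case a fingerprint and strip the spaces gpg prints for humans.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin; print one primary-key
# fingerprint per line (field 10 of the fpr record that follows each pub).
primary_fprs() {
    awk -F: '
        $1 == "pub" { p = 1 }
        $1 == "sub" { p = 0 }
        $1 == "fpr" && p { print $10; p = 0 }'
}

# check_listing EXPECTED < listing
#   0: exactly one key listed and its fingerprint equals EXPECTED
#   1: no key listed, or fingerprint differs   2: several keys match the ID
check_listing() {
    want=$(normalize_fpr "$1")
    fprs=$(primary_fprs)
    [ -n "$fprs" ] || return 1
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 2
    [ "${#want}" -eq 40 ] && [ "$(normalize_fpr "$fprs")" = "$want" ]
}

# Add the key to apt only after the check passes. Exporting by full
# fingerprint keeps any other key with the same short ID out of the export.
install_repo_key() {    # usage: install_repo_key F5C75256 "$EXPECTED_FPR"
    if gpg --with-colons --fingerprint "$1" | check_listing "$2"; then
        gpg -a --export "$(normalize_fpr "$2")" | apt-key add -
    else
        echo "key $1 failed the fingerprint check, not added" >&2
        return 1
    fi
}

# Constructed listing for testing; the fingerprint is made up, not the real key.
SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEFF5C75256"
SAMPLE_LISTING="pub:-:1024:17:89ABCDEFF5C75256:2001-01-01:::-:Constructed Key::scESC:
fpr:::::::::${SAMPLE_FPR}:
sub:-:2048:16:1111111122222222:2001-01-01::::::e:"
```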

deb http://www.coker.com.au lenny selinux

Then add the above line to /etc/apt/sources.list and run “apt-get update” to download the list of packages.

Next run the command “apt-get install selinux-policy-default selinux-basics” to install all the necessary packages and then “touch /.autorelabel” to cause the filesystems to be labeled on the next boot. Edit the file /boot/grub/menu.lst and add “selinux=1” to the end of the line which starts with “# kopt=” and then run the command update-grub to apply this change.

Then reboot and the filesystems will be relabeled. The relabel process will cause an automatic reboot of the machine (it needs to be rebooted so that init gets the correct context). After that is finished the machine will be running in “permissive mode”; this means that SE Linux will log the actions that it would deny, but they will still be performed.

To put the machine in “enforcing mode” you can run the command “setenforce 1”; this means that SE Linux actually controls access to the machine. When you are confident that the machine is working correctly you can edit the file /etc/selinux/config and change the SELINUX= line to specify that it is in “enforcing” mode. If you need to override this (for example if critical files get the wrong labels and prevent booting) then the kernel command-line option enforcing=0 will override it. I will add a new command selinux-config-enforcing to the selinux-basics package to manage this (it will hopefully be there for Lenny).

2 Responses to “Installing SE Linux on Debian/Lenny”

  1. kamil Says:

    Running apt-get (or aptitude) update gives a warning: “Conflicting distribution: http://www.coker.com.au lenny Release (expected lenny but got )”. However, it seems to download what it should. I have selinux up and running. Do you know what causes this warning?

  2. etbe Says:

    kamil: That’s a cosmetic error. I haven’t yet worked out how to solve it.

© 2008 Russell Coker’s Documents