
SELinux Redux



netman4ttm
08-06-2004, 08:53 AM
A while ago (it seems like it was a lot longer) I decided to try SELinux.
This post is to help the next guy/girl who wants to give it a try.
Installation.
There are 2 methods of installing.
Fedora Core 2 allows installation from the CDs.
At the initial boot prompt for a new install type the following:
linux selinux
this will install the FC 2 version of SELinux
At the firewall configuration screen, make sure you change the security level (lower right hand corner) to warn; take my word for it, you want a system that complains but doesn't enforce security right off the bat.


The second method is to build your own kernel.
I would recommend that you start with one of these distros:
Debian
Gentoo
SuSE - use a version that was built on a 2.6 kernel

Do not use Fedora Core 2. Even though NSA built their kernel against this distro, RedHat changed enough of SELinux to make the use of the NSA kernel problematic.
I'm not going to go into a lot of detail on how to build a 2.6 kernel; however, make absolutely positively sure that you answer the SELinux development question with a YES. Otherwise you will have a system that on first boot is in full security mode, and you really don't want that. I can't emphasize this enough: you really don't want the security system enabled until you get a handle on security.
I answered all the SELinux questions that only gave the choice between yes/no with yes; if the module option was available, I chose module. This was SWAG, but it worked.
The Fedora gotcha: the su command not only changes who you are but your role.
The traditional process would be as follows:
su root
newrole system_u
The Fedora system is su root, and in that su process your role changes at the same time. Whether this is a good idea or not can be debated, but the fact that it happens, and that it is crappally (is that a word?) documented, makes for headaches that you don't need.
The performance cost
RedHat estimates the performance hit at 7%, and that is without networking. NSA claims less, but I'm betting on RedHat's numbers.

The security system adds the following: what is your role and what is your task. Using named/BIND as an example, we would say the role is to answer domain queries; the task requires that we be able to execute the named programs, read the config and database files, and use the network card. Easily said, but now we need a policy that does that and only that.

The next lines show you the chroot directory for named: first with the normal Linux permissions, and then with the SELinux security policies in place.
The -Z option works with ps and id also.

> cd /var/named
> ls -la
total 56
drwxr-x--- 4 root named 4096 Aug 4 18:10 .
drwxr-xr-x 23 root root 4096 Aug 5 08:52 ..
drwxr-xr-x 5 root root 4096 Aug 4 18:10 chroot
-rw-r--r-- 1 named named 195 Feb 15 08:06 localhost.zone
-rw-r--r-- 1 named named 2518 Feb 15 08:06 named.ca
-rw-r--r-- 1 named named 433 Feb 15 08:06 named.local
drwxrwx--- 2 named named 4096 Mar 26 06:28 slaves

> ls -laZ
drwxr-x--- root named system_u:object_r:named_conf_t .
drwxr-xr-x root root system_u:object_r:var_t ..
drwxr-xr-x root root system_u:object_r:named_conf_t chroot
-rw-r--r-- named named system_u:object_r:named_conf_t localhost.zone
-rw-r--r-- named named system_u:object_r:named_conf_t named.ca
-rw-r--r-- named named system_u:object_r:named_conf_t named.local
drwxrwx--- named named system_u:object_r:named_conf_t slaves

Note the user role here is system, the object role is the file, and the task comes from named.conf. As named.conf is the controlling file for the program, no surprises here. And if I figure out this system completely, I will have a working named system.

I cheated a lot here. Webmin seems to work and I used it. Now here comes the confession!
ping 192.168.10.1 works
ping dante.mms-va.com does not (yet)
Webmin works perfectly (which, by the way, it shouldn't), but lynx (the text based web browser) doesn't. I think once the named problem is solved, the web browser problem will be solved also.

Fedora's utility fixfiles is not fast, nor does it always show that it is in fact working; your drive light is a good indicator. Wait for the "done", which came roughly ten minutes after I issued the command fixfiles check.

This link is to the Fedora Core site.
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
The New Zealand site has a lot of policy scripts which may help and is listed in the above site. This site is the best of the bunch, and even though it is "unofficial" it beats the official site. Thanks to the Kiwis.

I tried the yum install policy policy-sources mentioned in the Fedora faq. It did not work for me. You might try it if you have a FC 2 up and running and don't want to do a reinstall. I think the issue that did me in was that I ran up2date before I ran yum, but that is a guess.

My opinion: SELinux is not ready for prime time, but I think this is the way Linux security will be going, and now is a good time to learn it. As more apps become SELinux aware, this process will be a lot easier.

So this is my story (so far) and I'm sticking with it.