openSUSE release 11.1 will be available in a few ticks. I tried beta5 and RC1, and it seems that 11.1 runs fast and stable and comes with a good set of new software.
11.1 comes with all necessary patches to enable SELinux but unfortunately it does not run by default. I hope to change it for 11.2.
The following steps are needed to enable SELinux on openSUSE 11.1.
- patching mkinitrd to mount /proc
- add boot parameters
- install the selinux-refpolicy RPM files, libraries and tools, mkdir /selinux
- create a config file
1. mkinitrd
To allow the init process to load the SELinux policy, the /proc filesystem has to be mounted very early. This can be done as part of the boot process that happens in the initrd ramdisk. All you need to do is add the line "/root/usr/bin/chroot /root /bin/mount /proc" to /lib/mkinitrd/scripts/boot-boot.sh (see git.opensuse.org for the patch). After you have modified the script, just run mkinitrd to replace the old initrd in /boot.
(Note: the script /etc/init.d/boot will try to mount /proc again and fail; you can remove those lines if you like.)
Update: The line to be added was updated to "/bin/mount /root/proc" (see git and patch)
2. boot parameter
Two boot parameters are needed: selinux and enforcing.
Just use yast2 -> System -> Boot Loader and add "selinux=1 enforcing=0" to the "Optional Kernel Command Line Parameter" field (enforcing should be enabled once all policies work smoothly).
3. reference policies
openSUSE 11.1 does not come with default policies but you can add the SELinux openSUSE_Factory repo that provides you with the following RPM files:
- selinux-policy-refpolicy-standard
- selinux-policy-refpolicy-mls
- selinux-policy-refpolicy-mcs
- checkpolicy
- policycoreutils
- selinux-tools
- setools-*
- libselinux1
- libsepol1
- libsemanage1
4. config file
The SELinux config file is at "/etc/selinux/config" and should have the following content:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=refpolicy-standard
Reboot your machine. Log in as root and run sestatus; the output should be:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 23
Policy from config file: refpolicy-standard
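As an added example (not part of the original post), here is a small POSIX shell script that checks the results of the four steps above: it validates /etc/selinux/config, inspects the kernel command line for the selinux=1 and enforcing= parameters, and confirms that selinuxfs is mounted on /selinux. The function names and the optional path arguments are my own assumptions, added so the checks can also be run against constructed input.

```shell
# Added example, not from the original post: sanity-check the pieces set up by
# the four steps above (kernel command line, /etc/selinux/config, /selinux mount).
# Every function takes an optional path so it can run against constructed input.

# Print the value of KEY from a SELinux config file; comment lines are skipped
# because the pattern requires KEY= at the start of the line.
selinux_config_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1
}

# Validate the config from step 4: SELINUX must be enforcing, permissive or
# disabled, and SELINUXTYPE must name a policy directory (e.g. the
# refpolicy-standard directory installed by the RPM in step 3).
# Prints "<mode> <type>" on success, returns 1 otherwise.
validate_selinux_config() {
    cfg=${1:-/etc/selinux/config}
    policy_root=${2:-/etc/selinux}
    mode=$(selinux_config_value "$cfg" SELINUX)
    ptype=$(selinux_config_value "$cfg" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "bad SELINUX value: '$mode'" >&2; return 1 ;;
    esac
    if [ -z "$ptype" ] || [ ! -d "$policy_root/$ptype" ]; then
        echo "SELINUXTYPE '$ptype' has no policy directory under $policy_root" >&2
        return 1
    fi
    echo "$mode $ptype"
}

# Parse a kernel command line (step 2). Prints the selinux= and enforcing=
# values ("unset" when absent) and returns 0 only when selinux=1 is present.
cmdline_selinux_state() {
    selinux=unset; enforcing=unset
    for arg in $1; do
        case "$arg" in
            selinux=*)   selinux=${arg#selinux=} ;;
            enforcing=*) enforcing=${arg#enforcing=} ;;
        esac
    done
    echo "selinux=$selinux enforcing=$enforcing"
    [ "$selinux" = 1 ]
}

# Check that selinuxfs is mounted on /selinux (the directory created in step 3),
# as sestatus reports under "SELinuxfs mount". Reads /proc/mounts by default.
selinuxfs_mounted() {
    grep -q '^[^ ]* /selinux selinuxfs ' "${1:-/proc/mounts}"
}
```

On a live system, `validate_selinux_config && cmdline_selinux_state "$(cat /proc/cmdline)" && selinuxfs_mounted` should succeed before the sestatus output above can be expected.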
Now that should be all. Let me know if it does not work or if you have other comments.
4 comments:
"11.1 comes with all necessary patches to enable SELinux but unfortunately it does not run by default. I hope to change it for 11.2."
Default? DEFAULT!?
I hope that is a grammatical mistake, Novell AppArmor should be THE default for all Novell products.
Although I am capable of writing SELinux policy modules for refpol, it's too much hassle on the desktop for a lot of trivial apps like games, wine, IRC client, IM client, browser etc.
Also, AppArmor gets closer to least privilege in more cases than SELinux... don't give up on it =]
-- NthDegree
OpenSuSE Build ID: Unconfined
That it should run by default doesn't mean it should replace AppArmor. AA 3.0 is planned and AFAIK there are no plans to give up on it.
Don't worry, we do the right thing! :-)
Apparmor leaves most of the system unprotected from local users. That's a far cry from least privilege.
Hello "Anonymous",
it would be helpful if you could give me more details about your concerns. Maybe I can clarify things then...
Thomas