Configuring Fedora Core To Use The MLS SELinux Policy
=============================================================================

Paul Moore, paul.moore@hp.com
August 18, 2005

Contents
-----------------------------------------------------------------------------

  1. Introduction
  2. Installation Guide
     2.1 Install Fedora Core
     2.2 Configure The Network
     2.3 Configure RPM And YUM
         2.3.1 Import The GPG Keys Into The RPM Database
         2.3.2 Add The Rawhide And MLS YUM Repositories
     2.4 Update The System
     2.5 Install And Configure The MLS Policy
  3. Additional Notes And Troubleshooting
     3.1 Relabeling '/var/lib/nfs/rpc_pipefs'
     3.2 Using YUM/RPM
     3.3 Checking Filesystem Labels
     3.4 Disabling The 'mDNSResponder' Service

1. Introduction

This document is a quick walk-through of how to install the experimental
Multi-Level Security (MLS) policy on a Fedora Core based system.  The
audience is expected to be familiar with Linux, Fedora Core and to some
extent SELinux.

2. Installation Guide

2.1 Install Fedora Core

The first step is to get a working install of Fedora Core.  This document
was written using Fedora Core 4 as the base; the steps required to get the
MLS policy working on other versions of Fedora Core may differ.  The latest
version of Fedora Core can be downloaded here:

  * http://fedora.redhat.com

2.2 Configure The Network

You should have configured the network during the install process, but if
you didn't, now is the time to get it working.  If you need to use a proxy
to access the Internet, create a file '/etc/profile.d/proxy.sh' which looks
like this (with your proxy URL between the quotes):

  http_proxy=""
  HTTP_PROXY="$http_proxy"
  export http_proxy HTTP_PROXY

This will cause the environment variables 'http_proxy' and 'HTTP_PROXY' to
be set correctly when you use Bash or any other Bourne based shell.

2.3 Configure RPM And YUM

YUM is a utility, built on top of RPM, which is used by Fedora to
distribute updates and resolve package dependencies.
By default your Fedora install should have YUM installed, but a little bit
of extra configuration is needed before it is useful for our purposes.

2.3.1 Import The GPG Keys Into The RPM Database

RPM packages can be signed by the packager using GPG to help ensure the
integrity of the files.  By default YUM on Fedora Core 4 checks the
signatures on the RPM packages it installs, so you need to have the correct
GPG public keys loaded into the RPM database.  You can do this with the
following command:

  # rpm --import /usr/share/rhn/RPM-GPG-KEY*

2.3.2 Add The Rawhide And MLS YUM Repositories

The next step in configuring YUM is to add two bleeding edge development
YUM repositories, the second of which contains the MLS policy.  You can add
the first repository by creating the file
'/etc/yum.repos.d/fedora-rawhide.repo' which looks like this:

  [rawhide]
  name=Fedora Rawhide
  mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-rawhide
  enabled=1
  gpgcheck=0

You can add the second repository by creating the file
'/etc/yum.repos.d/rhpeople-dwalsh.repo' which looks like this:

  [dwalsh]
  name=Dan Walsh
  baseurl=ftp://people.redhat.com/dwalsh/SELinux/Fedora
  enabled=1
  gpgcheck=0

Note that both files set 'gpgcheck=0', which switches off, for these two
repositories only, the signature check that 2.3.1 set up.  Packages pulled
from them are installed on the strength of the download alone (the second
repository is plain FTP), so this configuration belongs on a test machine
you are prepared to rebuild, not on anything you rely on.

2.4 Update The System

Now that you have YUM configured it is time to use it to update your
system.  To do that, run the following command as root:

  # yum update

After the update has finished, reboot your system and verify that
everything is still working as you expect.  This is also the time to fix
any problems you may have encountered up to this point.  Keep in mind that
you are now running a bleeding edge system which will most likely have a
number of bugs; if you find any especially nasty bugs you might want to
check the Fedora Project's bug tracking system, Bugzilla, which you can
access here:

  * https://bugzilla.redhat.com/bugzilla

as Bugzilla sometimes has notes on workarounds and fixes.

2.5 Install And Configure The MLS Policy

It is finally time to install the MLS policy.
You can do this using YUM and the following command:

  # yum install selinux-policy-mls selinux-policy-mls-sources

If you are only interested in the binary MLS policy you can omit the
'selinux-policy-mls-sources' package.  However, considering the
experimental nature of this policy at the current point in time, I would
highly recommend that you install the MLS policy sources as well, to help
debug any problems you may encounter.

Once you have the new MLS policy installed you should change the file
'/etc/selinux/config' such that the two lines below:

  SELINUX=enforcing
  SELINUXTYPE=targeted

are now set like this:

  SELINUX=permissive
  SELINUXTYPE=mls

Switching to permissive mode first matters: the filesystem still carries
the old targeted labels, and in permissive mode a file the new policy
considers mislabeled only produces an AVC denial in the audit log instead
of a failed boot.

You should now reboot your system into single-user mode so you can relabel
your filesystem with the MLS labels.  Once the system is rebooted into
single-user mode you can relabel the filesystem by running the following
command:

  # /etc/selinux/mls/autorelabel

When the command is finished it will reboot the machine automatically.
This time you should boot your system into multi-user mode.  Once the
system is up and running you need to login and edit the file
'/etc/selinux/config' such that the line:

  SELINUX=permissive

reads:

  SELINUX=enforcing

and reboot.  Once the system reboots you should now have a working Fedora
Core system running the MLS policy.  However, please keep in mind that your
system is now running bleeding edge software and as a result it may
experience problems from time to time.  It is a good idea to get into the
habit of using YUM on a regular basis to get all of the latest fixes.

3. Additional Notes And Troubleshooting

3.1 Relabeling '/var/lib/nfs/rpc_pipefs'

Depending on your configuration you may need to do the following before
changing into the MLS enforcing mode in section 2.5:

  # service rpcidmapd stop
  # umount /var/lib/nfs/rpc_pipefs
  # chcon system_u:object_r:var_lib_nfs_t:s0 /var/lib/nfs/rpc_pipefs
  # mount -t rpc_pipefs sunrpc /var/lib/nfs/rpc_pipefs
  # service rpcidmapd start

The 'chcon' has to be applied to the underlying mount point, which is why
the service is stopped and the filesystem unmounted first; note that the
label it sets carries the MLS level 's0' as its fourth field, which labels
written under the targeted policy do not have.

3.2 Using YUM/RPM

When using YUM or RPM to change the state of the system you should switch
to the 'sysadm_r' role, even when in 'permissive' mode, before doing
anything.  You can verify your role at any time by running the following
command:

  # id -Z

You can switch to the 'sysadm_r' role by running the following command
when logged in as 'root':

  # newrole -r sysadm_r

3.3 Checking Filesystem Labels

After upgrading the policy or kernel RPMs you should verify that the
filesystem is still labeled correctly.  You can do this with the following
command:

  # fixfiles check /

'fixfiles check' only reports files whose label does not match the policy;
it does not change them.  To correct what it reports, run 'fixfiles
restore' on the same path.

3.4 Disabling The 'mDNSResponder' Service

The 'mDNSResponder' service will fill up your audit logs with lots of AVC
denials as it tries to talk over UDP.  Unless you are running a 'Howl'
client you probably do not need this service.  You can disable it with the
following command:

  # chkconfig mDNSResponder off
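The edits and checks in sections 2.3.2, 2.5 and 3.2 lend themselves to a
few shell helpers.  The script below is an added example and is not part of
the original document or of the Fedora packages it describes:
'unsigned_repos' reports which repository files will install unverified
packages (the 'gpgcheck=0' repositories of 2.3.2), 'selinux_set' and
'selinux_get' perform the two-stage '/etc/selinux/config' edit of 2.5 and
read each value back after writing it, and 'context_role' pulls the role out
of an 'id -Z' style context for the check in 3.2.  The function names, the
scratch file paths and the sample repository and config contents are all
constructed for the example; to use the helpers on a real system, point
them at '/etc/yum.repos.d/*.repo' and '/etc/selinux/config' as root.

```sh
#!/bin/sh
# Added example for this HOWTO (not part of the original document): shell
# helpers for three checks the text asks for.  unsigned_repos() flags the
# unverified repositories of section 2.3.2, selinux_set()/selinux_get()
# make the /etc/selinux/config edits of section 2.5 without a hand edit,
# and context_role() extracts the 'id -Z' role from section 3.2.
# All file contents and paths below are constructed for the example.

# List the [sections] in the given .repo files that are enabled and do not
# set gpgcheck=1.  A repo with no gpgcheck line inherits [main], so it is
# reported as well; yum treats a missing enabled= line as enabled=1.
unsigned_repos() {  # unsigned_repos FILE...
    awk '
        function flush() { if (sect != "" && enabled && !gpg) print sect }
        /^\[.*\]$/   { flush(); sect = substr($0, 2, length($0) - 2)
                       enabled = 1; gpg = 0; next }
        /^enabled=/  { sub(/^enabled=/, "");  enabled = $0 + 0 }
        /^gpgcheck=/ { sub(/^gpgcheck=/, ""); gpg = $0 + 0 }
        END          { flush() }
    ' "$@"
}

# Print the current value of KEY (SELINUX or SELINUXTYPE) from FILE.
selinux_get() {  # selinux_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Set KEY=VALUE in FILE, replacing the existing line or appending one, then
# read it back.  Only the values SELinux actually understands are accepted,
# so a typo cannot leave the machine booting with an unknown policy type.
# Returns non-zero if the value was refused or did not end up in the file.
selinux_set() {  # selinux_set FILE KEY VALUE
    case "$2=$3" in
        SELINUX=enforcing|SELINUX=permissive|SELINUX=disabled) ;;
        SELINUXTYPE=targeted|SELINUXTYPE=strict|SELINUXTYPE=mls) ;;
        *) echo "selinux_set: refusing to write $2=$3" >&2; return 1 ;;
    esac
    tmp="$1.$$"
    if grep -q "^$2=" "$1"; then
        sed "s/^$2=.*/$2=$3/" "$1" > "$tmp"
    else
        { cat "$1"; printf '%s=%s\n' "$2" "$3"; } > "$tmp"
    fi
    mv "$tmp" "$1"
    [ "$(selinux_get "$1" "$2")" = "$3" ]
}

# Role field of a security context in user:role:type[:range] form, as
# printed by 'id -Z' or 'ls -Z'.
context_role() {  # context_role CONTEXT
    printf '%s\n' "$1" | cut -d: -f2
}

# Constructed sample data: a copy of the FC4 default config, and the two
# repository files the text has you create next to one signed repository.
sample_selinux_config() {  # prints the path of a scratch config file
    f=${TMPDIR:-/tmp}/mls_howto_selinux_config.$$
    printf '%s\n' '# This file controls the state of SELinux on the system.' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$f"
    printf '%s\n' "$f"
}
sample_repo_dir() {  # prints the path of a scratch yum.repos.d
    d=${TMPDIR:-/tmp}/mls_howto_repos.$$
    mkdir -p "$d"
    printf '%s\n' '[core]' 'name=Fedora Core' 'enabled=1' 'gpgcheck=1' '' \
        '[updates-testing]' 'enabled=0' 'gpgcheck=0' > "$d/fedora.repo"
    printf '%s\n' '[rawhide]' 'name=Fedora Rawhide' 'enabled=1' \
        'gpgcheck=0' > "$d/fedora-rawhide.repo"
    printf '%s\n' '[dwalsh]' 'name=Dan Walsh' 'enabled=1' \
        'gpgcheck=0' > "$d/rhpeople-dwalsh.repo"
    printf '%s\n' "$d"
}

# Walk the section 2.5 sequence on the scratch files and report.
demo() {
    d=$(sample_repo_dir); f=$(sample_selinux_config)
    echo "repositories that install unverified packages:"
    unsigned_repos "$d"/*.repo
    selinux_set "$f" SELINUX permissive && selinux_set "$f" SELINUXTYPE mls
    echo "after stage 1: SELINUX=$(selinux_get "$f" SELINUX)" \
         "SELINUXTYPE=$(selinux_get "$f" SELINUXTYPE)"
    selinux_set "$f" SELINUX enforcing
    echo "after stage 2: SELINUX=$(selinux_get "$f" SELINUX)"
    echo "role in root:sysadm_r:sysadm_t:s0-s15:c0.c1023 is" \
         "$(context_role root:sysadm_r:sysadm_t:s0-s15:c0.c1023)"
    rm -rf "$d" "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as 'sh mls_helpers.sh demo' to see the walk-through on the scratch
files, or source it and call the functions on the real paths.  The point of
'selinux_set' reading its value back, and refusing anything outside the
sets SELinux accepts, is that a mistyped 'SELINUXTYPE' is caught at the
shell prompt rather than discovered at the next reboot.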